Usage of active debug code (pprof enabled)


Enabling Go's net/http/pprof in production environments exposes runtime profiling data via a /debug/pprof endpoint, creating a security vulnerability. This tool is part of Go's standard library and, while useful for debugging, it does not have authentication controls. This can lead to sensitive information leaks about the application's runtime state and environment if left accessible in production.


  • Do not include net/http/pprof in your production code. Remove any imports of this package before deploying to ensure the profiling endpoint is not exposed.
  • Do use build tags for conditional compilation, and only allow profiling in non-production builds.
  • Do configure environment-specific settings to enable or disable profiling endpoints based on the deployment environment.
  • Do implement strong authentication mechanisms if profiling must be enabled in a controlled production scenario to secure the endpoint.


Associated CWE

OWASP Top 10


To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gosec_leak_pprof_endpoint

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gosec_leak_pprof_endpoint