CodeQL query to detect open Spring Boot actuator endpoints by ggolawski · Pull Request #2901 · github/codeql
@ggolawski this clause seems to be causing many FPs where there is no evidence that Spring Actuators are being used.
See results here https://lgtm.com/query/4456298315122374638/
If EndpointRequest is not used, we need a different way to know that Actuators are indeed enabled.
Having said that, those results may be of interest for a different query along the lines of https://vulncat.fortify.com/en/weakness?q=spring%20security%20misconfiguration
Also, for lines 91 and 93 there are some FPs in the form of:
http.authorizeRequests().requestMatchers(EndpointRequest.to("info", "health")).permitAll();
which could be solved by checking that TypeEndpointRequestMatcher matches only an EndpointRequestMatcher returned by toAnyEndpoint(), or by to() if its arguments contain an endpoint other than health and info, which are of no interest and public.
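To make the distinction above concrete, here is an added Java example (not code from the PR or from the CodeQL repository) showing the two Spring Security configurations the reviewer contrasts: one that only exposes the public `info` and `health` endpoints and should not be reported, and one that opens every actuator endpoint with `toAnyEndpoint()` and is the pattern the query is meant to catch. It assumes a Spring Boot 2.x application with `spring-boot-starter-actuator` and `spring-boot-starter-security` on the classpath; the class names `PublicHealthInfoConfig`, `OpenActuatorConfig` and the role name `ACTUATOR_ADMIN` are illustrative choices, and only one of the two configurations should be active in a real application.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Expected NOT to be reported: only the "info" and "health" actuator endpoints,
 * which Spring Boot treats as public by default, are reachable anonymously.
 * Every other actuator endpoint (env, heapdump, loggers, ...) requires a role,
 * and everything else in the app requires authentication.
 */
@Configuration
class PublicHealthInfoConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // EndpointRequest.to("info", "health") -> harmless, should not be flagged
            .requestMatchers(EndpointRequest.to("info", "health")).permitAll()
            // remaining actuator endpoints are locked behind an explicit role
            .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR_ADMIN")
            .anyRequest().authenticated()
            .and()
            .httpBasic();
    }
}

/**
 * Expected TO be reported: EndpointRequest.toAnyEndpoint() combined with
 * permitAll() exposes every enabled actuator endpoint without authentication.
 * The same applies to EndpointRequest.to("env", "heapdump") or any to(...)
 * call whose arguments include an endpoint other than "info" or "health".
 * (Kept here only as the "before" form; do not enable alongside the class above.)
 */
@Configuration
class OpenActuatorConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // EndpointRequest.toAnyEndpoint() + permitAll() -> should be flagged
            .requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll()
            .anyRequest().authenticated()
            .and()
            .httpBasic();
    }
}
```

The useful signal for the query is therefore the pair (`toAnyEndpoint()` or `to(...)` with a non-public endpoint name, `permitAll()`), not the mere presence of `EndpointRequest`; a `to("info", "health")` matcher followed by `permitAll()` is the default public surface and reporting it produces exactly the false positives noted above.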