Features
Automated Pull Request Security Checks
Launchioo is a GitHub App that reviews every pull request with severity-tiered findings and policy-based pass, warn, and fail checks — then reports score, risk index, and actionable results inside GitHub.
Security and code quality built into GitHub
Findings, severity, and policy are separate layers — so teams see clear signal without every warning blocking a merge.
Policy-based PR checks
Critical issues fail the check; high-severity findings warn without blocking. Low items like console.log are flagged but do not fail merges by default.
Rule-based scanning
Deterministic rules scan every added line — secrets, eval, DOM XSS, debug code, and more. Optional launchioo.yml for custom severities and ignores.
Score, risk index & GitHub comments
Each scan reports an informational security score, weighted risk index, and policy status on the PR — with pass, warn, or fail checks your team already uses.
Security score & risk index
Every scan includes an informational 0–100 score and a weighted risk index so teams can compare exposure — separate from pass/warn/fail policy.
Repository monitoring dashboard
Track connected repos, recent scans with policy status, risk trends, and violation breakdowns from one dashboard.
Suppress false positives
Ignore paths via launchioo.yml, file-level ignore lists, or inline launchioo-ignore comments — suppressed findings are logged separately.
What Launchioo scans for
Each finding is tagged critical, high, medium, or low. Policy decides whether the PR check passes, warns, or fails.
Critical
Secrets, API keys, GitHub tokens, private keys, eval()
Fails check by default
High
innerHTML, document.write, and other XSS-prone DOM sinks
Warns (neutral check)
Medium
debugger statements and similar pre-merge cleanup items
Low
console.log, console.warn, TODO/FIXME comments
Flagged, does not fail alone
How policy maps to GitHub checks
| Policy | GitHub check | Typical trigger |
|---|---|---|
| PASS | Success (green) | No critical issues; no policy warnings |
| WARN | Neutral (yellow) | High-severity findings or score below threshold |
| FAIL | Failure (red) | Critical vulnerabilities (when blocking is enabled) |
Security score and risk index are shown on every scan for visibility but do not directly set the check color — policy does. Customize thresholds in launchioo.yml.
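The three-layer model described above (findings carry a severity, ignores mark findings as suppressed without discarding them, and policy alone decides the status and the GitHub check conclusion), written out in Python as an added illustration; this is not Launchioo's own code. The risk weights, the score formula, the rule names and the sample findings are assumptions, since the page does not specify them.

```python
from dataclasses import dataclass
# Assumed weights; the page only says the risk index is severity-weighted.
SEVERITY_WEIGHT = {"critical": 40, "high": 15, "medium": 5, "low": 1}
GITHUB_CONCLUSION = {"PASS": "success", "WARN": "neutral", "FAIL": "failure"}

@dataclass
class Finding:
    rule: str
    severity: str
    path: str
    line: int
    suppressed: bool = False  # set by ignore handling; suppressed findings stay logged

@dataclass
class Policy:
    block_on_critical: bool = True   # critical findings FAIL only when blocking is enabled
    score_threshold: int = 70        # below this the check WARNs (neutral)
    ignore_paths: tuple = ("test/",)

def apply_ignores(findings, policy, source_lines):
    """Suppress by ignore path or an inline 'launchioo-ignore' comment on the flagged line."""
    for f in findings:
        on_ignored_path = any(f.path.startswith(p) for p in policy.ignore_paths)
        inline_ignore = "launchioo-ignore" in source_lines.get((f.path, f.line), "")
        f.suppressed = on_ignored_path or inline_ignore
    return findings

def evaluate(findings, policy):
    """Findings carry severity; policy alone decides PASS/WARN/FAIL and the check colour."""
    active = [f for f in findings if not f.suppressed]
    risk = sum(SEVERITY_WEIGHT[f.severity] for f in active)
    score = max(0, 100 - risk)  # assumed formula: informational, does not set status by itself
    if policy.block_on_critical and any(f.severity == "critical" for f in active):
        status = "FAIL"
    elif any(f.severity == "high" for f in active) or score < policy.score_threshold:
        status = "WARN"
    else:
        status = "PASS"
    return {"status": status, "conclusion": GITHUB_CONCLUSION[status], "score": score,
            "risk_index": risk, "suppressed": [f.rule for f in findings if f.suppressed]}

def run_sample(block_on_critical=True):
    """Constructed sample of four findings from a hypothetical PR diff."""
    findings = [Finding("hardcoded-secret", "critical", "src/config.js", 3),
                Finding("dom-innerhtml", "high", "src/ui.js", 10),
                Finding("console-log", "low", "src/app.js", 7),
                Finding("debugger", "medium", "test/helper.js", 2)]
    source_lines = {("src/ui.js", 10): "el.innerHTML = safeHtml; // launchioo-ignore"}
    policy = Policy(block_on_critical=block_on_critical)
    return evaluate(apply_ignores(findings, policy, source_lines), policy)
```

Running `run_sample()` with blocking enabled yields FAIL (failure) on the unsuppressed secret; with `block_on_critical=False` the same findings yield WARN (neutral) because the score falls below the threshold, which shows the score informing but not setting the status.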
Ready to secure your pull requests?
Install Launchioo on your GitHub repositories and start getting policy-aware security scans on every pull request.