Documentation

How Launchioo Works

Everything you need to get started — sign up, connect your repos, and start getting automatic feedback on every pull request. New to Launchioo? Browse features or read our security blog.

What is Launchioo?

Launchioo automatically reviews your GitHub pull requests for common security and code quality problems — before code gets merged.

When you open or update a pull request, Launchioo scans the changes and then:

  • Leaves a comment on the PR with score, risk index, and findings
  • Shows a pass, warn, or fail check on the pull request (like your other CI checks)
  • Saves a history of reviews you can view on your dashboard

You keep working in GitHub. Launchioo works out of the box — no config files required. You can optionally add a launchioo.yml at your repo root to tune rules and thresholds.

Getting started

All you need is:

  • A GitHub account
  • Access to the repositories you want to protect (your own repos, or an org you belong to)
  • Permission to install apps on that GitHub account or organization

If you are installing on a company organization, an admin may need to approve the app first. That is normal — ask your GitHub org owner if you do not see the option to install.

Set up in 5 steps

The whole setup takes a few minutes. Here is exactly what to do:

  1. Create your account

    Click Sign up with GitHub and authorize Launchioo with your GitHub account. We use GitHub to sign you in — there is no separate password to remember.

  2. Install the GitHub App

    After signing in, click Install GitHub App in the top navigation or from your dashboard. You must be signed in first — we will ask you to log in if you are not.

    GitHub will open and ask where you want to install the app.

  3. Pick your repositories

    On GitHub, choose:

    • Your personal account or an organization you manage
    • All repositories if you want every repo covered, or Only select repositories to start with just a few

    Click Install. If your organization requires approval, an admin will need to approve the request first.

  4. Confirm on your dashboard

    GitHub sends you back to Launchioo. Your dashboard should now list the repositories you connected.

    That is it for setup — you are ready to go.

  5. Open a pull request

    Create a pull request in any connected repo, the same way you always do. Within a short time after opening the PR (or pushing new commits to it), Launchioo will scan your changes and post results on the PR.

    Tip: Draft pull requests are not scanned until you mark them as ready for review.

Using it every day

If you write code

  • Open or update a pull request as usual
  • Wait a moment after each push for the scan to finish
  • Read the Launchioo comment on your PR
  • Check the pass, warn, or fail status in the PR checks area
  • Fix any issues, push again, and the comment updates automatically

If you manage a team

  • Visit your dashboard to see connected repos, recent reviews, and common issues across PRs
  • Optionally require the Launchioo check in GitHub branch protection rules so PRs cannot merge when issues are found
  • To add more repositories later, click Install GitHub App again and update your repository selection on GitHub

What we look for

Launchioo reviews the new lines you add in each pull request and assigns each finding a severity:

  • Critical — secrets, tokens, private keys, eval()
  • High — unsafe DOM patterns such as innerHTML and document.write
  • Medium — debugger statements
  • Low — console.log, console.warn, TODO/FIXME comments

  Category                 Examples
  Secrets & credentials    API keys, JWTs, GitHub tokens, AWS keys, private key material
  Unsafe code execution    eval() and similar dynamic execution
  XSS-prone DOM usage      innerHTML, document.write
  Code quality signals     Leftover debug logging, debugger, TODO/FIXME

Findings are grouped by severity. A separate policy decides whether the PR check passes, warns, or fails — not every issue blocks a merge. By default, critical issues fail the check; high issues or a low security score produce a warning (neutral check). Low-severity items like console.log alone do not fail the check.

Understanding results

Policy status (what blocks merges)

Each scan gets a policy outcome — this is what drives the GitHub check, not the numeric score alone:

  • PASS — check is green (success). No critical issues and no policy warnings triggered.
  • WARN — check is yellow (neutral). High-severity issues were found, or the security score fell below your configured threshold. Informational — does not fail the check by default.
  • FAIL — check is red (failure). At least one critical issue was found (when critical blocking is enabled).

Security score & risk index (informational)

Alongside policy status, every scan reports two metrics to help you prioritize:

  • Security Score (0–100) — starts at 100 and deducts points per finding (low −1, medium −3, high −8, critical −12). This is a quality indicator only; it does not directly pass or fail the check.
  • Risk Index — weighted exposure: critical ×10, high ×3, medium ×1. Useful for comparing PRs at a glance on your dashboard.
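The score, risk index and policy outcome described above, worked through in code. This is an added example and not Launchioo's own implementation: the per-severity deductions and weights are the ones stated on this page, but the policy option names (scoreWarnThreshold, blockOnCritical) and the default threshold value of 70 are assumptions, since the page documents the behaviour but not the option names or the default number.

```javascript
// Added example, not Launchioo's own code: computes the security score, risk
// index and policy outcome from a list of findings. The per-severity numbers
// are the ones on this page; the policy option names (scoreWarnThreshold,
// blockOnCritical) and the default threshold of 70 are assumptions.
const SCORE_DEDUCTION = { low: 1, medium: 3, high: 8, critical: 12 };
const RISK_WEIGHT = { low: 0, medium: 1, high: 3, critical: 10 };
const DEFAULT_POLICY = { scoreWarnThreshold: 70, blockOnCritical: true };

function countBySeverity(findings) {
  const counts = { critical: 0, high: 0, medium: 0, low: 0 };
  for (const f of findings) {
    if (!(f.severity in counts)) throw new Error(`unknown severity: ${f.severity}`);
    counts[f.severity]++;
  }
  return counts;
}

// Security score: start at 100, deduct per finding, never below 0.
function securityScore(findings) {
  const deducted = findings.reduce((sum, f) => sum + SCORE_DEDUCTION[f.severity], 0);
  return Math.max(0, 100 - deducted);
}

// Risk index: weighted exposure (critical x10, high x3, medium x1; low adds nothing).
function riskIndex(findings) {
  return findings.reduce((sum, f) => sum + RISK_WEIGHT[f.severity], 0);
}

// Policy outcome and the GitHub check conclusion it maps to. Order matters:
// a critical finding fails the check before any score threshold is considered.
function policyOutcome(findings, policy = DEFAULT_POLICY) {
  const counts = countBySeverity(findings);
  const score = securityScore(findings);
  if (policy.blockOnCritical && counts.critical > 0) {
    return { status: "FAIL", conclusion: "failure", reason: `${counts.critical} critical finding(s)` };
  }
  // Assumption: with critical blocking disabled, criticals only influence the score.
  if (counts.high > 0) {
    return { status: "WARN", conclusion: "neutral", reason: `${counts.high} high finding(s)` };
  }
  if (score < policy.scoreWarnThreshold) {
    return { status: "WARN", conclusion: "neutral", reason: `score ${score} below ${policy.scoreWarnThreshold}` };
  }
  return { status: "PASS", conclusion: "success", reason: "no critical issues, no policy warnings" };
}

// One object in the shape the PR comment summarises.
function summarize(findings, policy = DEFAULT_POLICY) {
  return {
    score: securityScore(findings),
    riskIndex: riskIndex(findings),
    bySeverity: countBySeverity(findings),
    policy: policyOutcome(findings, policy),
  };
}

// Constructed findings lists (severity is all the metrics need).
const sev = (...levels) => levels.map((severity) => ({ severity }));
const MIXED = sev("high", "critical", "low", "medium", "low"); // score 75, risk 14, FAIL
const LOWS_ONLY = sev("low", "low", "low");                     // leftover console.log: PASS
const ONE_HIGH = sev("high");                                   // WARN on the high finding
const MANY_MEDIUM = sev(...Array(12).fill("medium"));           // 12 x -3 = 64, under 70: WARN

console.log(JSON.stringify(summarize(MIXED), null, 2));
```

Note that MANY_MEDIUM never hits a critical or high check, yet still warns: that is the score threshold doing its job on a PR made of many small problems, while LOWS_ONLY passes because low findings carry no risk weight and only cost one point each.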

On your pull request

You will see two things on each scanned PR:

  • A comment from Launchioo — shows security score, risk index, policy status, severity breakdown, and the top issues with file name and line number. The same comment updates when you push new commits.
  • A status check — shows up alongside your other checks as Launchioo Security Scan. Green = pass, yellow = warn, red = fail. Click it for the full report.

On your dashboard

Sign in to see a summary across all your connected repositories:

  • Which repos are connected
  • Recent scans with score, risk index, policy status, and check result
  • A breakdown of the most common issues found

Optional configuration

Launchioo works without any repo setup. For teams that want more control, add a launchioo.yml file at your repository root:

  • Adjust rule severities or disable detection categories
  • Set the score warning threshold and critical blocking behavior
  • Ignore paths such as node_modules/**

You can also suppress individual lines with an inline comment:

// launchioo-ignore: console-log

Or use .launchiooignore / launchioo-ignore-file.json for file-level suppressions. Suppressed findings are logged separately and do not affect score or policy.
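An added example, not Launchioo's own code, of the two mechanisms described on this page: the classification of added lines into the categories and severities listed under "What we look for", and the inline launchioo-ignore comment from this section. It parses a unified diff so that only the "+" lines are reviewed and each finding carries the file and line number it will have in the new file. The only rule id taken from the page is console-log; every other rule id and every regex is an assumption of this example, and the diff it runs on is constructed.

```javascript
// Added example, not Launchioo's own code: extracts the added lines of a
// unified diff, classifies each against the categories and severities listed
// under "What we look for", and honours the inline "launchioo-ignore: <rule>"
// comment from "Optional configuration". Only the "console-log" rule id comes
// from the page; the other rule ids and the regexes are this example's own.
const RULES = [
  { id: "secret", severity: "critical", category: "Secrets & credentials",
    // Common shapes: AWS access key id, GitHub classic token, JWT, PEM private key header.
    pattern: /AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36}|eyJ[\w-]+\.[\w-]+\.[\w-]+|-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
  { id: "eval", severity: "critical", category: "Unsafe code execution",
    pattern: /\beval\s*\(/ },
  { id: "inner-html", severity: "high", category: "XSS-prone DOM usage",
    pattern: /\.innerHTML\s*\+?=(?!=)/ },
  { id: "document-write", severity: "high", category: "XSS-prone DOM usage",
    pattern: /\bdocument\.write(ln)?\s*\(/ },
  { id: "debugger", severity: "medium", category: "Code quality signals",
    pattern: /^\s*debugger\s*;?\s*$/ },
  { id: "console-log", severity: "low", category: "Code quality signals",
    pattern: /\bconsole\.(log|warn)\s*\(/ },
  { id: "todo-comment", severity: "low", category: "Code quality signals",
    pattern: /(\/\/|\/\*|#).*\b(TODO|FIXME)\b/ },
];

// Walk a unified diff and return only the "+" lines, with the file name and
// the line number they will have in the new version of the file.
function addedLines(diff) {
  const out = [];
  let file = null;
  let lineNo = 0;
  for (const raw of diff.split("\n")) {
    if (raw.startsWith("+++ ")) { file = raw.slice(4).replace(/^b\//, ""); continue; }
    if (raw.startsWith("--- ")) continue;
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(raw);
    if (hunk) { lineNo = Number(hunk[1]); continue; }
    if (file === null || raw.startsWith("\\")) continue; // headers before the first file, "\ No newline" marker
    if (raw.startsWith("+")) { out.push({ file, line: lineNo, text: raw.slice(1) }); lineNo++; }
    else if (!raw.startsWith("-")) lineNo++;              // context line; removed lines are not reviewed
  }
  return out;
}

// Match every added line against every rule. A finding whose own line carries
// "launchioo-ignore: <rule id>" is reported separately and, as the page says,
// does not count towards score or policy.
function scan(diff) {
  const findings = [];
  const suppressed = [];
  for (const added of addedLines(diff)) {
    const ignore = /launchioo-ignore:\s*([\w-]+)/.exec(added.text);
    for (const rule of RULES) {
      if (!rule.pattern.test(added.text)) continue;
      const finding = { rule: rule.id, severity: rule.severity, category: rule.category,
                        file: added.file, line: added.line };
      (ignore && ignore[1] === rule.id ? suppressed : findings).push(finding);
    }
  }
  return { findings, suppressed };
}

// Constructed sample pull-request diff (not real code from any repository).
// The AWS key is the documented AWS example placeholder, not a live credential.
const SAMPLE_DIFF = `diff --git a/src/app.js b/src/app.js
--- a/src/app.js
+++ b/src/app.js
@@ -10,4 +10,9 @@ function render(user) {
 const el = document.getElementById("out");
-el.textContent = user.name;
+el.innerHTML = user.name;
+const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
+console.log("rendering", user); // launchioo-ignore: console-log
+console.warn("slow path");
+debugger;
+// TODO: remove before release
 return el;
 }
`;

console.log(JSON.stringify(scan(SAMPLE_DIFF), null, 2));
```

Running it on the sample diff yields five findings (one high for innerHTML, one critical for the key, one medium for debugger, two low) and one suppressed console-log finding; the suppression only applies to the rule named in the comment, so a line that silences console-log would still be reported for any other pattern it matched. Removed lines are skipped entirely, which is why the old textContent assignment never appears in the output.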

Common questions

My PR was not scanned — why?

  • The repository might not have been included when you installed the app — try installing again and selecting it
  • The PR might still be a draft — mark it ready for review first
  • Give it a minute after pushing, then refresh the PR page

My repos are not showing on the dashboard

  • Make sure you are signed in with the same GitHub account you used to install the app
  • Click Install GitHub App again to refresh your repository list
  • If you installed on an organization, confirm an admin approved the installation

Do I need to change anything in my codebase?

No. Once the GitHub App is installed on your repositories, scans run automatically on every pull request. Configuration files are optional — add launchioo.yml only if you want custom rules, thresholds, or ignore paths.

Can I use this on an organization?

Yes. During installation, choose your organization instead of your personal account. Org admins may need to approve the app depending on your organization's settings.

Ready to try it?

Sign up free, connect your repos, and get your first PR review in minutes.