GitHub Repository
Best for: code-aware (white-box) scanning, auto-fix pull requests, scheduled scans
Connecting a GitHub repository gives LaunchSafe read access to your source code for deep code-aware analysis. This is the recommended approach for most teams because it enables the full feature set, including auto-fix pull requests and branch-specific scanning.
How to connect
- Navigate to Integrations → GitHub → Connect GitHub (or connect during onboarding)
- Install the LaunchSafe GitHub App on your organization or personal account
- Select which repositories to grant access to
- Your repositories are now available as targets when creating scans
What LaunchSafe accesses
- Source code — cloned into an encrypted, ephemeral sandbox for analysis. Deleted after the scan completes.
- Dependency manifests — `package.json`, `package-lock.json`, `requirements.txt`, `go.mod`, `Gemfile.lock`, `pom.xml`, `Cargo.toml`, and other lockfiles for SCA scanning.
- Configuration files — `.env.example`, `docker-compose.yml`, CI configs for context-aware analysis.
- Git history — recent commits for tracking when vulnerabilities were introduced (blame analysis).
Branch selection
When creating a scan, you can choose which branch to analyze:
- Default branch (`main`/`master`) — baseline security assessment of your production code
- Feature branches — catch vulnerabilities before they’re merged. Ideal for PR-triggered scans in CI/CD.
- Release branches — final security gate before deployment
- Any branch — scan historical branches to understand when a vulnerability was introduced
Large repositories
Very large repositories scan fastest when you exclude build artifacts and vendored dependencies. If a repository is too large to clone efficiently, use the ZIP upload method with only the relevant source directories included.
Live URL
Best for: black-box scanning, testing deployed applications, compliance-mandated dynamic testing
Providing a URL lets LaunchSafe test your running application from the outside — crawling endpoints, submitting payloads, and analyzing responses like a real attacker would.
Domain verification
Before LaunchSafe will scan a URL, you must verify that you own the domain. This is a critical security control that prevents unauthorized testing of third-party applications.
Enter your URL
During target setup, enter your application’s URL (e.g., `https://staging.acme.com`). LaunchSafe generates a unique verification token for your workspace.
Add a DNS TXT record
Add a TXT record to your domain’s DNS configuration:
| Field | Value |
|---|---|
| Type | TXT |
| Name | @ (or your domain root) |
| Value | launchsafe-verify=ls_your_token_here |
| TTL | 300 (or your provider’s default) |
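As an added illustration (not LaunchSafe's own code) of what a DNS TXT ownership check like the one above has to do, the Python below looks for the `launchsafe-verify=<token>` record at the URL's host and then at its parent zone. The resolver is injected so it runs offline; `candidate_names`, `verify_domain_ownership`, the two-label root cut-off and the `FAKE_ZONE` data are all assumptions made here.

```python
import hmac
from urllib.parse import urlsplit

# TXT value format from the page: "launchsafe-verify=<token>" at the domain root.
VERIFY_PREFIX = "launchsafe-verify="

def candidate_names(url):
    """Yield the URL's host, then each parent zone down to a two-label root.
    Assumption: the record lives at "@", so staging.acme.com is checked first and
    then acme.com; stopping at two labels stands in for a public-suffix lookup."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("URL has no host")
    labels = host.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])

def verify_domain_ownership(url, expected_token, resolve_txt):
    """Return the name carrying a matching record, or None if none matches.
    resolve_txt(name) -> list of TXT strings; injected so the check runs offline."""
    expected = VERIFY_PREFIX + expected_token
    for name in candidate_names(url):
        for record in resolve_txt(name):
            value = record.strip().strip('"')  # providers often echo quotes back
            # Constant-time comparison, the usual habit for any token check.
            if hmac.compare_digest(value.encode(), expected.encode()):
                return name
    return None

# Constructed zone data standing in for live DNS answers (not real records).
FAKE_ZONE = {
    "acme.com": ['"v=spf1 -all"', "launchsafe-verify=ls_demo_token"],
    "staging.acme.com": [],
    "other.example": ["launchsafe-verify=ls_other_token"],
}

def fake_resolve_txt(name):
    return FAKE_ZONE.get(name, [])
```

A record with someone else's token, or no record at all, yields `None`, which is the outcome that blocks a scan of a domain you do not control.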
URL guidelines
- Use a staging or test environment when possible to avoid any impact on production users
- Ensure the application is accessible from the internet (LaunchSafe’s sandbox needs to reach it)
- If your application requires authentication, provide credentials in the scan configuration for authenticated crawling
- HTTPS URLs are required — HTTP URLs are automatically upgraded
What LaunchSafe tests
When scanning a URL, LaunchSafe:
- Crawls the application to discover all accessible endpoints, forms, and API routes
- Maps the technology stack (server, frameworks, libraries)
- Identifies authentication mechanisms and session management
- Submits attack payloads to every input vector (query params, POST bodies, headers, cookies)
- Analyzes responses for vulnerability indicators
- Verifies findings to minimize false positives
ZIP Archive
Best for: offline analysis, air-gapped environments, codebases not hosted on GitHub
Upload a ZIP archive of your source code for white-box analysis without connecting a version control system.
How to upload
- During target setup, click Upload ZIP
- Select your archive file (max 500 MB)
- LaunchSafe extracts, indexes, and analyzes the contents
Archive guidelines
For the best scanning results, your ZIP should:
- Include the project root — the directory containing your main package manifest (`package.json`, `requirements.txt`, etc.)
- Include lockfiles — `package-lock.json`, `yarn.lock`, `poetry.lock`, etc. are essential for accurate dependency scanning
- Exclude build artifacts — `node_modules/`, `dist/`, `build/`, `.next/`, `venv/` — these slow down analysis without adding value
- Exclude large binary files — images, videos, compiled binaries, and database dumps
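The following Python is an added example, not part of LaunchSafe, that packages a project according to the guidelines above: it refuses to archive a directory with no manifest at its root, prunes the listed build and vendor directories, skips common binary extensions, and rejects an archive over the 500 MB limit. `build_scan_archive`, `demo`, the extension list and the sample project it builds are assumptions made here.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# Directories and file types the page says to leave out of the archive.
EXCLUDED_DIRS = {"node_modules", "dist", "build", ".next", "venv", ".git"}
BINARY_EXTS = {".png", ".jpg", ".mp4", ".so", ".dll", ".exe", ".sqlite", ".dump"}
MANIFESTS = {"package.json", "requirements.txt", "pyproject.toml", "go.mod", "pom.xml",
             "build.gradle", "Gemfile", "composer.json", "Cargo.toml"}
MAX_ARCHIVE_BYTES = 500 * 1024 * 1024  # upload limit stated on the page

def build_scan_archive(project_root, out_path, max_bytes=MAX_ARCHIVE_BYTES):
    """Zip project_root per the archive guidelines; returns archived paths (POSIX,
    relative). Raises ValueError without a root manifest or past the size cap."""
    if not any(os.path.isfile(os.path.join(project_root, m)) for m in MANIFESTS):
        raise ValueError("project root must contain a package manifest")
    archived = []
    with zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for dirpath, dirnames, filenames in os.walk(project_root):
            # Prune in place so os.walk never descends into excluded directories.
            dirnames[:] = sorted(d for d in dirnames if d not in EXCLUDED_DIRS)
            for name in sorted(filenames):
                if os.path.splitext(name)[1].lower() in BINARY_EXTS:
                    continue  # images, videos, compiled binaries, dumps
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, project_root).replace(os.sep, "/")
                zf.write(full, rel)
                archived.append(rel)
    if os.path.getsize(out_path) > max_bytes:
        os.remove(out_path)
        raise ValueError("archive exceeds the 500 MB upload limit")
    return archived

def demo():
    """Archive a constructed sample project (not real data); returns archived paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "project")
        files = {
            "package.json": '{"name": "demo"}',
            "package-lock.json": "{}",
            "src/index.js": "module.exports = 1;\n",
            "node_modules/left-pad/index.js": "// vendored: must be skipped\n",
            "assets/logo.png": "not a real image, just exercises the filter",
        }
        for rel, body in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        return build_scan_archive(str(root), os.path.join(tmp, "upload.zip"))
```

The returned list is worth logging before upload: the lockfile should be in it and nothing under `node_modules/` should be.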
Supported languages and frameworks
LaunchSafe’s white-box scanner supports 20+ languages. The ZIP upload works with any of them:
| Language | Frameworks | Package manifest |
|---|---|---|
| JavaScript/TypeScript | React, Next.js, Express, Fastify, NestJS | package.json |
| Python | Django, Flask, FastAPI | requirements.txt, pyproject.toml |
| Go | Gin, Echo, Fiber | go.mod |
| Java | Spring Boot, Jakarta EE | pom.xml, build.gradle |
| Ruby | Rails, Sinatra | Gemfile |
| PHP | Laravel, Symfony | composer.json |
| C# | ASP.NET, .NET Core | .csproj |
| Rust | Actix, Axum, Rocket | Cargo.toml |
Environment variables
For targets that require runtime configuration (database URLs, API keys, feature flags), you can securely provide environment variables:
- During target setup or in Settings → Workspace, click Environment Variables
- Add key-value pairs for variables your application needs
- Variables are encrypted with AES-256 at rest and only decrypted inside the scan sandbox
- Variables are deleted when the sandbox is destroyed
Next step
Run Your First Scan
Launch your first security scan and start finding vulnerabilities.