Prerequisites
- A GitHub account with admin access to the repository or organization you want to scan
- The repository must be accessible to the GitHub App (public or private with app installation)
Installation
Navigate to Integrations
In the LaunchSafe dashboard, go to Integrations in the sidebar and click Connect GitHub.
Install the GitHub App
You’ll be redirected to GitHub to install the LaunchSafe GitHub App. Choose whether to install it for:
- All repositories — grants access to every repo in the organization (current and future)
- Select repositories — choose specific repos to grant access to
Authorize
Review the permissions and click Install & Authorize. You’ll be redirected back to LaunchSafe.
Permissions
The LaunchSafe GitHub App requests the following permissions:

| Permission | Access level | Purpose |
|---|---|---|
| Repository contents | Read | Clone source code for SAST, SCA, and secret detection scans |
| Pull requests | Read & Write | Create auto-fix PRs with vulnerability remediation |
| Metadata | Read | List repositories, branches, and commit information |
| Checks | Read & Write | Report scan status as GitHub check runs on PRs |
The app does not request access to:
- Issues, discussions, or wikis
- Actions, workflows, or secrets
- Organization members or teams
- Billing or administration
Scanning a repository
Once connected, your GitHub repositories appear as targets when creating a new scan:
- Go to New Scan in the sidebar
- Select GitHub Repository as the source
- Choose the repository from the dropdown
- Select the branch to scan (defaults to the default branch)
- Configure scan type and launch
Branch selection
You can scan any branch in your repository. Common patterns:
- Default branch (main/master) — scan your production code for a baseline assessment
- Feature branches — scan before merging to catch vulnerabilities early
- Release branches — scan before deployment as a final security gate
Auto-fix pull requests
When LaunchSafe discovers a vulnerability with an available automated fix, it creates a pull request.
What gets created
- Branch: launchsafe/fix-{finding-id} — clearly identified as a LaunchSafe fix
- Title: Descriptive title referencing the vulnerability (e.g., “Fix SQL injection in auth.ts”)
- Description: Full context including:
- What vulnerability was found
- Why it’s a security issue
- What the fix does
- Link back to the finding in LaunchSafe
- Changes: The minimal code change required to remediate the vulnerability
Supported auto-fix types
| Vulnerability | Auto-fix action |
|---|---|
| Vulnerable dependency | Bumps package to patched version in lockfile |
| Hardcoded secret | Replaces with environment variable reference |
| Missing input sanitization | Adds parameterized query or input validation |
| Missing security header | Adds middleware or configuration |
| Insecure cookie configuration | Adds Secure, HttpOnly, SameSite flags |
Review process
Auto-fix PRs are suggestions — they should be reviewed like any other pull request:
- Review the code changes for correctness
- Run your test suite to verify nothing breaks
- Check that the fix doesn’t introduce regressions
- Merge when satisfied
Revoking access
To disconnect GitHub:
- In LaunchSafe: go to Integrations → GitHub → Disconnect
- In GitHub: go to Settings → Applications → LaunchSafe → Uninstall