Security
How LaunchGuard handles your data and protects your account. We document what we actually do: no fake certifications or vague claims.
GitHub OAuth
LaunchGuard requests read-only OAuth access to your GitHub account. The scope is the minimum required to list and clone your repositories. LaunchGuard does not request write access, webhook creation rights, or access to your GitHub organization settings.
Encrypted token storage
Your GitHub access token is encrypted at rest using AES-256-GCM before being stored in the database. Encryption keys are stored as environment variables and are never committed to source control or logged. Tokens are decrypted only at scan time, in server-side code, and are never sent to the client.
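The token-at-rest scheme described above, written out as an added example (not LaunchGuard's own code): AES-256-GCM with the key read from an environment variable at call time, a fresh random nonce per token, and the account id bound in as associated data so a ciphertext copied onto another account's row fails to decrypt. The variable name LG_TOKEN_KEY and the function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"io"
	"os"
)

// aeadFromEnv builds an AES-256-GCM cipher from the hex-encoded 32-byte key
// held in envVar (the variable name is an assumption); the key is never logged.
func aeadFromEnv(envVar string) (cipher.AEAD, error) {
	key, err := hex.DecodeString(os.Getenv(envVar))
	if err != nil || len(key) != 32 {
		return nil, errors.New("token key missing or not 32 bytes of hex")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealToken returns nonce||ciphertext||tag. aad ties the blob to the owning
// account, so a ciphertext moved to another account's row will not open.
func sealToken(envVar, aad, token string) ([]byte, error) {
	gcm, err := aeadFromEnv(envVar)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per token
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(token), []byte(aad)), nil
}

// openToken reverses sealToken; tampering or a wrong aad yields an error.
func openToken(envVar, aad string, sealed []byte) (string, error) {
	gcm, err := aeadFromEnv(envVar)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return "", errors.New("bad key or truncated blob")
	}
	n := gcm.NonceSize()
	pt, err := gcm.Open(nil, sealed[:n], sealed[n:], []byte(aad))
	return string(pt), err
}
```

openToken is the only place the plaintext token exists, which is where the "decrypt only at scan time, server-side" rule is enforced.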
Private report access
Scan reports are stored privately and are accessible only to the authenticated account that ran the scan. Report download links are server-generated and require an active session. Reports are not publicly indexed or shareable.
Static analysis, no code execution
LaunchGuard performs static analysis only. It reads your source files using an AST parser and pattern-matching rules. It does not install your dependencies, run your build pipeline, execute test suites, or run any code from your repository. Cloned files are deleted immediately after each scan completes.
Hosted Stripe billing
All payment processing is handled by Stripe. LaunchGuard never receives or stores your card number, CVV, or billing address. Stripe handles PCI DSS compliance for payment data. LaunchGuard stores only the Stripe customer ID and subscription status required to enforce plan limits.
No compliance certifications: LaunchGuard is an early-stage product. We do not currently hold SOC 2, ISO 27001, or any other third-party security certification. We describe what we actually implement.
Security questions? Contact support.