LaunchGuard runs 12 targeted checks on your SaaS codebase — auth gaps, billing logic, cost leaks, and runtime reliability — before your users find them in production.
Static audit: reads source files only, never executes your code. Runtime validation is a separate, opt-in mode.
Free tier: 1 static audit/month · No credit card required
12 production failure patterns
Each check is backed by a real incident category — not theoretical threat models. The kind of bugs that hit your on-call at 2am.
Unguarded API routes. Sessions that outlive logout. JWT secrets with hardcoded fallbacks. Middleware that protects nothing.
Stripe webhook handlers with no idempotency check. Checkout sessions missing price IDs. Subscription state that never activates.
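The webhook pattern above, as an added example that is not LaunchGuard's code: a Stripe-style handler that claims the event id before acting, so a redelivered event is a no-op, and that activates the subscription on checkout.session.completed (the step the quoted incident says never happened). Stripe redelivers an event until it receives a 2xx, so duplicates are routine. The event and subscription shapes, store, and sample payload are simplified assumptions for the example.

```typescript
// Added example, not LaunchGuard's code. Event and subscription shapes are simplified.
type WebhookEvent = {
  id: string;                               // unique per event, identical across redeliveries
  type: string;
  data: { object: Record<string, string> };
};

type Subscription = {
  userId: string;
  status: "active" | "canceled";
  stripeSubscriptionId: string;
};

class SubscriptionStore {
  readonly byUser = new Map<string, Subscription>();
  readonly processedEvents = new Set<string>();  // in a database: a table with UNIQUE(event_id)
  activations = 0;
}

type Outcome = "processed" | "duplicate" | "ignored" | "unattributable";

function applyEvent(store: SubscriptionStore, event: WebhookEvent): Outcome {
  const o = event.data.object;
  switch (event.type) {
    case "checkout.session.completed": {
      // client_reference_id is set by the app when it creates the Checkout Session; without it
      // the payment cannot be tied back to a user, which is how "never activates" happens.
      const userId = o.client_reference_id;
      if (!userId || !o.subscription) return "unattributable";
      store.byUser.set(userId, { userId, status: "active", stripeSubscriptionId: o.subscription });
      store.activations += 1;
      return "processed";
    }
    case "customer.subscription.deleted": {
      const sub = Array.from(store.byUser.values()).find((s) => s.stripeSubscriptionId === o.id);
      if (!sub) return "ignored";
      sub.status = "canceled";
      return "processed";
    }
    default:
      return "ignored";
  }
}

function handleWebhook(store: SubscriptionStore, event: WebhookEvent): Outcome {
  // Idempotency gate first. With a real database this is an INSERT that fails on the UNIQUE
  // constraint, executed in the same transaction as the state change below.
  if (store.processedEvents.has(event.id)) return "duplicate";
  store.processedEvents.add(event.id);
  try {
    return applyEvent(store, event);
  } catch (err) {
    // Release the claim so Stripe's retry is not rejected as a duplicate, then surface the
    // failure as a non-2xx. A handler that swallows errors is the "silent for three days" incident.
    store.processedEvents.delete(event.id);
    throw err;
  }
}

// Constructed sample event (not a real Stripe payload) and a stand-alone demo.
const sampleEvent: WebhookEvent = {
  id: "evt_test_001",
  type: "checkout.session.completed",
  data: { object: { client_reference_id: "user_42", subscription: "sub_test_9" } },
};
const demoStore = new SubscriptionStore();
console.log(handleWebhook(demoStore, sampleEvent), handleWebhook(demoStore, sampleEvent)); // processed duplicate
```

In a real route the handler runs after signature verification of the raw body, and the event-id claim and the subscription write belong in one database transaction so a crash between them cannot leave the event marked processed with nothing activated.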
OpenAI SDK called from a client component. No token cap on inference routes. Per-user rate limits missing.
Cron jobs with no distributed lock. fetch() calls with no timeout. Retry amplification hiding in background workers.
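The cron-lock pattern above, as an added example that is not LaunchGuard's code: a lease-style lock so that two overlapping runs (two replicas, or a slow run and the next tick) cannot both execute, with a TTL so a holder that crashed mid-run does not block every later tick. The Map stands in for a database row or a Redis SET NX PX, the clock is injected, and the job key and TTLs are illustrative.

```typescript
// Added example, not LaunchGuard's code. Key names and TTLs are illustrative.
type Lease = { owner: string; expiresAt: number };

class LeaseStore {
  private readonly leases = new Map<string, Lease>();
  private readonly now: () => number;
  constructor(now: () => number = () => Date.now()) {
    this.now = now;
  }

  // Take the lease if it is free, expired, or already ours (renewal). Returns false if a live
  // holder owns it. In Redis this is one atomic SET key owner NX PX ttl; here the single-threaded
  // event loop makes the check-then-set safe.
  tryAcquire(key: string, owner: string, ttlMs: number): boolean {
    const t = this.now();
    const cur = this.leases.get(key);
    if (cur && cur.expiresAt > t && cur.owner !== owner) return false;
    this.leases.set(key, { owner, expiresAt: t + ttlMs });
    return true;
  }

  // Only the current owner may release. If our lease expired and another worker took it, this
  // returns false instead of deleting their lease (the classic unconditional-delete bug).
  release(key: string, owner: string): boolean {
    const cur = this.leases.get(key);
    if (!cur || cur.owner !== owner) return false;
    this.leases.delete(key);
    return true;
  }
}

// Runs `job` at most once per lease: a second replica, or an overlapping tick, is skipped.
function runCronOnce(store: LeaseStore, jobKey: string, owner: string, ttlMs: number, job: () => void): "ran" | "skipped" {
  if (!store.tryAcquire(jobKey, owner, ttlMs)) return "skipped";
  try {
    job();
  } finally {
    store.release(jobKey, owner);
  }
  return "ran";
}

// Stand-alone demo: two replicas race for the same nightly job.
const demoStore = new LeaseStore();
const first = runCronOnce(demoStore, "nightly-invoices", "replica-a", 5 * 60_000, () => {
  // while replica-a is inside the job, replica-b's tick fires
  console.log("replica-b:", runCronOnce(demoStore, "nightly-invoices", "replica-b", 5 * 60_000, () => {}));
});
console.log("replica-a:", first); // replica-b: skipped, replica-a: ran
```

Pick the TTL longer than the job's worst-case run time plus margin; a job that outlives its lease is exactly the case release() refuses to clobber, and it is a signal to renew the lease periodically or split the job.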
Resources queryable without user_id scoping. Subscription lookups that return any user's data. Missing RLS policies.
Required env vars with silent fallbacks. Debug flags active in production. Service clients pointing at staging.
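The configuration patterns above, and the hardcoded JWT-secret fallback from the auth check, as one added example that is not LaunchGuard's code: a start-up config loader that fails fast instead of falling back. It rejects missing required variables, a JWT secret that would otherwise default to a string in the repo, and debug flags or non-production hosts in a production build. The variable names, the minimum secret length, and the host pattern treated as non-production are assumptions for the example.

```typescript
// Added example, not LaunchGuard's code. Variable names and the host pattern are assumptions.
type Env = Record<string, string | undefined>;

type Config = {
  nodeEnv: "development" | "test" | "production";
  jwtSecret: string;
  databaseUrl: string;
  supabaseUrl: string;
  debug: boolean;
};

// The pattern the auth check flags, kept here for contrast: if JWT_SECRET is unset in
// production, every token is signed with a string anyone with the source can read.
function jwtSecretWithFallback(env: Env): string {
  return env.JWT_SECRET || "dev-secret"; // do not ship this
}

function requireVar(env: Env, name: string): string {
  const value = env[name];
  if (value === undefined || value.trim() === "") throw new Error(`missing required env var ${name}`);
  return value;
}

function loadConfig(env: Env): Config {
  const nodeEnv = env.NODE_ENV ?? "development";
  if (nodeEnv !== "development" && nodeEnv !== "test" && nodeEnv !== "production") {
    throw new Error(`unexpected NODE_ENV ${nodeEnv}`);
  }

  const jwtSecret = requireVar(env, "JWT_SECRET");
  // HS256 needs a key of at least 256 bits (RFC 7518 section 3.2); a short secret is brute-forceable offline.
  if (jwtSecret.length < 32) throw new Error("JWT_SECRET must be at least 32 characters");

  const databaseUrl = requireVar(env, "DATABASE_URL");
  const supabaseUrl = requireVar(env, "SUPABASE_URL");
  const debug = env.DEBUG === "1" || env.DEBUG === "true";

  if (nodeEnv === "production") {
    if (debug) throw new Error("DEBUG must not be enabled in production");
    const hosts: Array<[string, string]> = [["DATABASE_URL", databaseUrl], ["SUPABASE_URL", supabaseUrl]];
    for (const [name, url] of hosts) {
      // Assumed convention: staging and local hosts are recognisable by name.
      if (/staging|localhost|127\.0\.0\.1/i.test(url)) {
        throw new Error(`${name} points at a non-production host in production: ${url}`);
      }
    }
  }
  return { nodeEnv, jwtSecret, databaseUrl, supabaseUrl, debug };
}

// Returns the first configuration error as a message, or null when the env is acceptable.
function validateEnv(env: Env): string | null {
  try {
    loadConfig(env);
    return null;
  } catch (err) {
    return err instanceof Error ? err.message : String(err);
  }
}

// Constructed sample environment for a stand-alone run.
const prodEnv: Env = {
  NODE_ENV: "production",
  JWT_SECRET: "a".repeat(40), // placeholder only; generate real secrets with a CSPRNG
  DATABASE_URL: "postgres://db.internal.example/app",
  SUPABASE_URL: "https://project-ref.supabase.co",
};
console.log(validateEnv(prodEnv));                               // null
console.log(validateEnv({ ...prodEnv, JWT_SECRET: undefined })); // missing required env var JWT_SECRET
console.log(jwtSecretWithFallback({}));                          // dev-secret
```

Call loadConfig once at process start and let it crash the boot; a failed deploy is cheaper than a service that quietly signs tokens with "dev-secret" or writes production data to staging.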
Two audit modes
Start with a static audit — fast, safe, no setup. Add runtime validation when you need to verify the flows actually work end-to-end.
AST-based pattern analysis. Reads your source files without executing anything. Safe to run on any codebase.
Controlled end-to-end flow validation in a sandboxed environment. Exercises real paths without touching production data.
Read-only access to the repos you want audited. No write permissions. No code stored after the scan.
Pin the repository. LaunchGuard checks out the latest commit and runs static analysis against 12 failure patterns.
Structured findings: critical failures, warnings, passed checks. Every finding includes the exact file, line, and fix.
Real incidents, real cost
"We launched and checkout was broken for 20% of users. Stripe was accepting payments but subscriptions never activated."
"A user discovered they could see another account's invoices. The query wasn't scoped by user_id."
"Our webhook silently failed for three days. No alert, no retry — we only noticed when users started emailing."
"Our OpenAI route had no token cap. One bot loop cost us $400 before we noticed the spike."
What you get
Every issue is actionable: location, severity, and exactly what to fix.
Unauthenticated route exposure
POST /api/checkout is reachable without an authenticated session. Any visitor can create a Stripe checkout session with no verified identity behind it, so the resulting purchase cannot be tied to an account and the endpoint can be called at will.
src/app/api/checkout/route.ts:14
Fix
Add a session guard before route logic: const { data: { user } } = await supabase.auth.getUser(), then return 401 if !user.
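The fix above, together with the user_id scoping the data-isolation check looks for, as an added example that is not LaunchGuard's code and not a Next.js route: a framework-free handler so it runs stand-alone. The getUser() function here stands in for supabase.auth.getUser(), the invoice table is an in-memory array, and the request and response shapes, token values, and sample rows are constructed for the example.

```typescript
// Added example, not LaunchGuard's code. Request/response shapes and sample data are constructed.
type Req = { headers: Record<string, string | undefined>; params: Record<string, string> };
type Res = { status: number; body: unknown };
type User = { id: string };
type Invoice = { id: string; userId: string; amountCents: number };

// Constructed sample data: two tenants, one invoice each.
const INVOICES: Invoice[] = [
  { id: "inv_1", userId: "user_a", amountCents: 4900 },
  { id: "inv_2", userId: "user_b", amountCents: 9900 },
];

// Stand-in for the auth provider (supabase.auth.getUser() in the finding): resolves a bearer
// token to a user, or null when there is no valid session.
const SESSIONS: Record<string, User> = { tok_a: { id: "user_a" }, tok_b: { id: "user_b" } };
function getUser(req: Req): User | null {
  const auth = req.headers.authorization ?? "";
  const token = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : "";
  return SESSIONS[token] ?? null;
}

// Unguarded and unscoped: the shape both the auth finding and the "saw another account's
// invoices" incident describe. Any caller can read any invoice by id.
function getInvoiceVulnerable(req: Req): Res {
  const inv = INVOICES.find((i) => i.id === req.params.id);
  return inv ? { status: 200, body: inv } : { status: 404, body: null };
}

// Guarded and scoped: 401 before any route logic when there is no session, then the lookup is
// filtered by the caller's own user_id. A foreign invoice is indistinguishable from a missing
// one (404 rather than 403), so the endpoint does not confirm which ids exist.
function getInvoiceHardened(req: Req): Res {
  const user = getUser(req);
  if (!user) return { status: 401, body: { error: "unauthenticated" } };
  const inv = INVOICES.find((i) => i.id === req.params.id && i.userId === user.id);
  return inv ? { status: 200, body: inv } : { status: 404, body: null };
}

// Stand-alone demo: user_b asks for user_a's invoice.
const crossTenant: Req = { headers: { authorization: "Bearer tok_b" }, params: { id: "inv_1" } };
console.log(getInvoiceVulnerable(crossTenant).status, getInvoiceHardened(crossTenant).status); // 200 404
```

With Supabase the same scoping should also exist as a row-level security policy on the table, so a query that forgets the user_id filter still returns nothing rather than everything.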
Reports export as HTML and JSON. Findings are deduplicated and ranked by production impact.
1 static audit on the free plan. No card required. Upgrade to Pro for 20 static audits and 3 runtime validations per month.
Questions about what LaunchGuard checks or how it works? Read the FAQ →