GoForLaunch Public API
Pro and Agency plans unlock a token-authenticated REST endpoint plus a zero-dependency CLI and a drop-in GitHub Action. Use them to fail a PR when new critical findings appear.
Authentication uses bearer tokens, issued at /dashboard/api-tokens. Only the SHA-256 hash and a short prefix are stored; the plaintext is shown once.
npx goforlaunch scan . runs the public API from any CI. Zero dependencies, ~150 LOC.
Drop in .github/workflows/goforlaunch-scan.yml — see the snippet on API tokens.
POST /api/v1/scan
curl -X POST "https://goforlaunch.dev/api/v1/scan?failOn=critical" \
  -H "Authorization: Bearer vbs_********************************************" \
  -H "Content-Type: application/json" \
  -d '{
    "repo": "https://github.com/acme/yoga-app",
    "branch": "main"
  }'
Three payload modes are supported on the same endpoint:
{ files: [{ path, content }] } — direct JSON
{ repo, branch? } — public GitHub URL or owner/repo
multipart/form-data with a zip field — private repos
Query parameter failOn controls the gating severity: critical (default), high, medium, low, info, any. When findings at or above the threshold exist, the response status is 422 and exitCode is 1.
Response
{
  "score": 64,
  "summary": { "critical": 1, "high": 2, "medium": 4, "low": 1, "info": 0 },
  "findings": [
    {
      "severity": "critical",
      "category": "Secrets",
      "title": "Hardcoded secret detected",
      "file": "lib/payments.ts",
      "line": 3,
      "summary": "...",
      "fix": "...",
      "safeAutoFix": false
    }
  ],
  "exitCode": 1,
  "failOn": "critical",
  "triggeredCount": 1,
  "scannedFiles": 84
}
GET /api/v1/health
curl https://goforlaunch.dev/api/v1/health
{ "name": "goforlaunch", "version": "1.0", "status": "ok" }
Rate limits
30 scans/minute per IP. On overflow you receive HTTP 429 with code: rate_limited. Token-level limits scale with your plan.
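A CI gate built on the failOn and rate-limit behaviour above should fail closed: only a well-formed scan result with no findings at or above the threshold passes, and HTTP 429 or any other error never does. The JavaScript below is an added example, not GoForLaunch's CLI or Action code; the function names, the treatment of failOn=any as the lowest threshold, and the cross-check against summary are assumptions.

```javascript
// Added example, not GoForLaunch code: CI-side handling of a /api/v1/scan response.
// failOn severities as listed on the page, most to least severe.
const SEVERITIES = ["critical", "high", "medium", "low", "info"];

// Count findings at or above the threshold using the response's summary object.
// Assumption: failOn=any counts every finding, like the lowest threshold.
function countAtOrAbove(summary, failOn) {
  const idx = failOn === "any" ? SEVERITIES.length - 1 : SEVERITIES.indexOf(failOn);
  if (idx < 0) throw new Error(`unknown failOn value: ${failOn}`);
  return SEVERITIES.slice(0, idx + 1)
    .reduce((n, sev) => n + (Number(summary[sev]) || 0), 0);
}

// Map HTTP status and parsed JSON body to a gate decision.
// Only 200 (clean) and 422 (threshold hit) are scan results; everything
// else blocks the PR so an outage or a rate limit cannot pass it silently.
function gateDecision(status, body, failOn = "critical") {
  if (status === 429) {
    return { pass: false, retry: true, reason: "rate_limited" };
  }
  if (status !== 200 && status !== 422) {
    return { pass: false, retry: false, reason: `unexpected HTTP ${status}` };
  }
  if (!body || typeof body.summary !== "object" || body.summary === null) {
    return { pass: false, retry: false, reason: "malformed response" };
  }
  const triggered = countAtOrAbove(body.summary, failOn);
  // Assumed consistency check: the server verdict should agree with the counts.
  const serverFailed = status === 422 || body.exitCode === 1;
  if (serverFailed !== (triggered > 0)) {
    return { pass: false, retry: false, reason: "verdict/summary mismatch" };
  }
  return triggered > 0
    ? { pass: false, retry: false, reason: `${triggered} finding(s) at or above ${failOn}` }
    : { pass: true, retry: false, reason: "no findings at or above threshold" };
}

// Constructed sample: the response body from the page, findings array omitted.
const SAMPLE = {
  score: 64,
  summary: { critical: 1, high: 2, medium: 4, low: 1, info: 0 },
  exitCode: 1, failOn: "critical", triggeredCount: 1, scannedFiles: 84,
};
```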