Solana-first · Web2-ready

Security review for Solana apps before mainnet.

LaunchGuard Solana runs a 6-engine pipeline across wallet flows, Anchor programs, APIs, dependencies, secrets, Supabase, and deployment config. Solana-first by design — and the same pipeline scales to modern Web2 SaaS, AI apps, and API backends.

Built for Solana, Anchor, Next.js, Supabase, Vercel, and AI-native startups.

The reality

Fast-built Solana apps miss the same dangerous patterns over and over.

Vibe-coded MVPs, AI-assisted scaffolds, and pre-mainnet pivots all skip the same checks. By the time a real user — or a real attacker — finds them, the company has already shipped.

Wallet ownership checked only in frontend
Missing Anchor signer / has_one constraints
Private keys leaked through NEXT_PUBLIC_
Supabase tables shipped without RLS
API routes that trust client-supplied amounts
AI endpoints with no rate limit or quota
Multi-engine pipeline
One run. Five engines. One launch score.
LaunchGuard · Solana core scan
Static engines · Semgrep · TruffleHog · OSV
DeepSec · AI code review
Shannon · Authorized validation
Report · Launch readiness
Multi-engine pipeline

One launch score, powered by the engines you already trust.

LaunchGuard orchestrates twelve engines into one normalized model. Every finding is tagged with who detected it, who verified it, and how confident we are.

Core

LaunchGuard Solana Engine

Custom static + heuristic scanner for wallet, Anchor, transaction, payment, API, secrets, RLS, AI endpoint, and Vercel risks.

AI

DeepSec AI Review

External AI code-reasoning engine. Runs locally, exports findings, and revalidates LaunchGuard hits with AI-grade context.

Validation

Shannon Active Validation

Authorized live testing only. Validates selected findings against an approved deployed URL with safe, rate-limited probes.

Industry-grade

Static + dependency engines

Semgrep, TruffleHog, OSV, npm audit, cargo audit, GitHub Actions, Vercel, Supabase RLS — all normalized into one finding model.

Inside the dashboard

A real launch readiness score — not a vanity number.

Every category is weighted and every penalty is traceable to a finding. You always know what is blocking launch and what is just a backlog item.

Launch readiness: 58 / 100 · Risky — fix critical issues

Risky — fix critical issues before mainnet launch.

4 blockers · 7 should fix · 1 nice to fix

SplitSafe Pay

Solana group expense and settlement app with AI-powered receipt scanning, Wallet Adapter, and Supabase backend.

Findings: 10 · Engines used: 9 · Shannon verified: 3 · Critical: 2 · High: 4 · Medium: 5
P0 · Critical · Secrets · Shannon confirmed · Confidence: Very High · Fix available

Supabase service role key pattern detected in frontend bundle

TruffleHog actively verified that a Supabase service role key is reachable from the browser bundle. The actual key is not displayed by LaunchGuard. Rotate immediately and move it to a server-only env var.

app/lib/supabase-public.ts
Detected by: TruffleHog, Gitleaks, LaunchGuard, DeepSec · Verified by: TruffleHog

P0 · Critical · Solana Program · Not applicable · Confidence: Very High · Fix available

Missing signer validation in Anchor instruction

An attacker could call this on-chain instruction without proving they are the actual member, letting them settle expenses on behalf of someone else.

programs/splitsafe_pay/src/instructions/settle.rs · Program: splitsafe_pay
Detected by: LaunchGuard, DeepSec
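What this finding means in code, as an added illustration (not code from LaunchGuard or from the SplitSafe Pay program): a hand-written Rust model of the two checks that Anchor generates from `member: Signer<'info>` and `#[account(mut, has_one = member)]`. The `Pubkey`, `AccountInfo` and `Expense` types below are simplified stand-ins, and the `settle_unchecked` / `settle_checked` functions are assumed names; the unchecked version shows why a caller who merely passes another member's public key, without that member's signature, can settle on their behalf.

```rust
// Added example: a minimal model of Anchor's Signer and has_one constraints.
// None of this is Anchor's own code; all types and function names are assumed.

/// Simplified stand-in for a 32-byte Solana public key (constructed type).
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey(pub [u8; 32]);

impl Pubkey {
    /// Builds a distinct test key from one byte (constructed helper).
    pub fn from_byte(b: u8) -> Self {
        Pubkey([b; 32])
    }
}

/// The two fields of an account passed to an instruction that matter here:
/// which key it is, and whether the runtime saw a signature from that key.
#[derive(Clone, Copy, Debug)]
pub struct AccountInfo {
    pub key: Pubkey,
    pub is_signer: bool,
}

/// On-chain state of one expense share (constructed model of program data).
#[derive(Clone, Debug)]
pub struct Expense {
    pub member: Pubkey,
    pub amount_lamports: u64,
    pub settled: bool,
}

#[derive(Debug, PartialEq, Eq)]
pub enum SettleError {
    MissingSigner,     // what Anchor raises when a Signer account did not sign
    ConstraintHasOne,  // what Anchor raises when has_one = member does not match
    AlreadySettled,
}

/// Vulnerable shape: `member` is treated as a plain key. Any transaction can
/// include any public key as a non-signing account, so a third party can
/// pass the real member's key and settle the expense for them.
pub fn settle_unchecked(expense: &mut Expense, _member: &AccountInfo) -> Result<(), SettleError> {
    if expense.settled {
        return Err(SettleError::AlreadySettled);
    }
    expense.settled = true;
    Ok(())
}

/// Hardened shape: the same checks Anchor generates for
/// `member: Signer<'info>` and `#[account(mut, has_one = member)] expense`.
pub fn settle_checked(expense: &mut Expense, member: &AccountInfo) -> Result<(), SettleError> {
    // Signer constraint: the transaction must carry this key's signature.
    if !member.is_signer {
        return Err(SettleError::MissingSigner);
    }
    // has_one constraint: the member stored in the expense must be this account.
    if expense.member != member.key {
        return Err(SettleError::ConstraintHasOne);
    }
    if expense.settled {
        return Err(SettleError::AlreadySettled);
    }
    expense.settled = true;
    Ok(())
}

/// Replays the forged call against both versions and returns
/// (unchecked_accepted_forgery, checked_rejected_forgery).
pub fn demo() -> (bool, bool) {
    let alice = Pubkey::from_byte(1);
    let fresh = || Expense { member: alice, amount_lamports: 5_000, settled: false };

    // Forged call: Alice's key is passed as the member account, but Alice never signed.
    let forged = AccountInfo { key: alice, is_signer: false };

    let mut e1 = fresh();
    let unchecked_accepted = settle_unchecked(&mut e1, &forged).is_ok();

    let mut e2 = fresh();
    let checked_rejected = settle_checked(&mut e2, &forged) == Err(SettleError::MissingSigner);

    (unchecked_accepted, checked_rejected)
}

fn main() {
    let (accepted, rejected) = demo();
    println!("unchecked version settled the forged call: {accepted}");
    println!("checked version rejected the forged call:  {rejected}");
}
```

The second failure mode, a caller who does sign but with their own key, is caught by the `has_one` comparison rather than the signer check; both checks are needed, which is why the finding points at the account constraints rather than at the instruction body.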
Trust by default

A security tool you can actually trust with your repo.

We protect customers the same way we hope our customers protect their users. These are enforced at the system level, not the marketing level.

Read-only by default

We never modify your code or deploy anything. Fix Mode is opt-in and always shows a diff before opening a PR.

No raw secrets stored

TruffleHog matches surface metadata only. Real secret values never reach our database or our logs.

No model training on user code

AI prompts are scoped to the active scan. Your repo is not used to train any base model.

Shannon requires explicit authorization

Active validation only runs after you confirm ownership of the target URL and accept the safety checklist.

FAQ

Common questions from founders and security reviewers.

Is this a smart contract audit?

No. LaunchGuard Solana is a launch-readiness platform, not a formal audit. We orchestrate static, dynamic, and AI engines so teams catch the obvious issues before they ship. Pair us with a dedicated audit firm for institutional-grade assurance.

Does Shannon attack my production system?

Never automatically. Shannon only runs against URLs you explicitly authorize, with strict rate limits and on test accounts. It never brute-forces, DDoSes, or tests third-party domains.

What gets stored in your database?

Project metadata, normalized findings (with redacted snippets), engine evidence summaries, hashed secret fingerprints, and report artifacts. Raw source code is processed in scan workers and not retained long-term.

Can I run LaunchGuard inside my own CI?

Yes — that's the Enterprise / private-CI mode on the roadmap. Engine adapters are designed so the same pipeline can run in our SaaS, your CI, or a self-hosted worker.

Free to start

Launch safely before mainnet.

Connect your repository, choose Solana Launch Audit, and have a defensible security posture in under fifteen minutes.