FixVibe


Scan types

FixVibe runs three kinds of scan against three kinds of target. Each has its own gating, speed, and blast radius; pick the one that matches what you are testing.

Passive scan

Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.

Because it is read-only, a passive scan can run against any URL: no domain verification, no attestation. The trade-off is depth: passive misses anything that requires sending input.

What passive catches

  • Missing security headers (HSTS, CSP, frame-options, etc.).
  • Insecure cookie attributes (missing Secure / HttpOnly / SameSite).
  • Weak TLS configuration, expired certificates, missing HSTS preload.
  • Secrets in JS bundles (Supabase service key, AWS key, Stripe sk_, etc.).
  • Exposed source maps, debug endpoints, OpenAPI specs, GraphQL introspection.
  • Open Supabase RLS / Firebase rules / Clerk misconfiguration.
  • DNS (subdomain takeover, missing SPF/DKIM/DMARC).
  • Threat-intel listings (Spamhaus, URLhaus).
  • Outdated framework versions with known CVEs.
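To show what a passive check actually does with a fetched response, here is an added example (not FixVibe's scanner code) covering the first two items above: it inspects headers and Set-Cookie values only and never sends any input. The response headers and cookies are constructed sample data.

```python
"""Passive-style response check: inspect shipped headers, never send attack input.

Constructed example, not FixVibe's own scanner. Covers missing security headers
and insecure cookie attributes from the passive list.
"""
from typing import Dict, List

# Headers a passive scan expects on an HTTPS response, with the reason each matters.
REQUIRED_HEADERS = {
    "strict-transport-security": "no HSTS: browsers may still connect over plain HTTP",
    "content-security-policy": "no CSP: nothing limits injected or third-party scripts",
    "x-frame-options": "no frame-options: page can be framed (clickjacking)",
}


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per missing security header (header names are case-insensitive)."""
    present = {k.lower() for k in headers}
    return [msg for name, msg in REQUIRED_HEADERS.items() if name not in present]


def check_cookie(set_cookie: str) -> List[str]:
    """Return findings for one Set-Cookie value lacking Secure, HttpOnly or a strict/lax SameSite."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    # Attribute map: flags (Secure, HttpOnly) become True, valued attributes keep their value.
    attrs = {p.split("=", 1)[0].lower(): (p.split("=", 1)[1] if "=" in p else True) for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name}: missing Secure")
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: missing HttpOnly")
    # SameSite=None offers no CSRF protection, so it is reported together with a missing attribute.
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append(f"cookie {name}: missing or None SameSite")
    return findings


def passive_findings(headers: Dict[str, str], set_cookies: List[str]) -> List[str]:
    """Combine header and cookie findings for one fetched response."""
    return check_headers(headers) + [f for c in set_cookies for f in check_cookie(c)]


# Constructed sample response, as a passive fetch of a staging site might return it.
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "DENY"}
SAMPLE_COOKIES = ["session=abc123; Path=/; HttpOnly", "csrf=xyz; Secure; HttpOnly; SameSite=Strict"]

if __name__ == "__main__":
    for finding in passive_findings(SAMPLE_HEADERS, SAMPLE_COOKIES):
        print(finding)
```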

Active scan Hobby+

Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.

Why we gate it: the attestation flow

An active probe can in theory affect production: slow responses, error spikes, garbage data in a test store. So we require the following:

  1. Verify the domain via a DNS TXT record or an HTTP file (Account → Domains).
  2. Attest authorization: a single confirmation at scan start stating that you have permission. It is server-stamped with your IP, user agent, and timestamp, and written to audit_logs.

For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard → Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.

GitHub repository scan Pro+

Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.

A repo scan never writes to your repo and does not persist source code; only finding evidence is stored. Quota: the same scansPerMonth bucket as URL scans.

Trigger via API

curl
curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard → Domains. Full reference: /docs/api.

Anonymous one-shot scan

The home page lets visitors who have not signed up run one passive scan per browser session. These scans expire 24 hours after creation; if you sign up before they expire, they can be migrated to a real account: the auth callback automatically attaches the anonymous scan to the new org.
