FixVibe


Scan types

FixVibe runs three kinds of scans against three kinds of targets. Each has different access requirements, a different speed and a different blast radius; pick the one that matches your test.

Passive

Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.

Because it is read-only, passive can run against any URL: no domain verification, no attestation. The trade-off is depth: passive misses anything that requires sending input to discover.

What passive catches

  • Missing security headers (HSTS, CSP, frame-options, etc.).
  • Insecure cookie attributes (no Secure / HttpOnly / SameSite).
  • Weak TLS configuration, expired certs, missing HSTS preload.
  • Secrets in JS bundles (Supabase service keys, AWS keys, Stripe sk_ keys, etc.).
  • Exposed source maps, debug endpoints, OpenAPI specs, GraphQL introspection.
  • Open Supabase RLS / Firebase rules / Clerk misconfiguration.
  • DNS (subdomain takeover, missing SPF/DKIM/DMARC).
  • Threat-intel listings (Spamhaus, URLhaus).
  • Outdated framework versions with known CVEs.
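To make "read-only" concrete, here is an added illustration (not FixVibe's own code) of the first two checks in the list above: it inspects only headers a server already sent, over a constructed sample response, and never sends any input of its own.

```python
"""Minimal passive posture check over already-received response headers.
Added example; the header list and sample response are constructed."""

# Headers whose absence a passive scan flags (subset of the list above).
REQUIRED_HEADERS = {
    "strict-transport-security": "Missing HSTS",
    "content-security-policy": "Missing CSP",
    "x-frame-options": "Missing X-Frame-Options",
}
COOKIE_FLAGS = ("Secure", "HttpOnly", "SameSite")


def weak_cookie_flags(set_cookie: str) -> list[str]:
    """Return one finding per missing Secure / HttpOnly / SameSite attribute.

    Parses a single Set-Cookie value: first segment is name=value, the
    remaining ';'-separated segments are attributes (case-insensitive).
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return [f"Cookie {name} missing {flag}"
            for flag in COOKIE_FLAGS if flag.lower() not in attrs]


def check_headers(headers: list[tuple[str, str]]) -> list[str]:
    """Findings for a raw (name, value) header list; Set-Cookie may repeat."""
    present = {name.lower() for name, _ in headers}
    findings = [msg for hdr, msg in REQUIRED_HEADERS.items()
                if hdr not in present]
    for name, value in headers:
        if name.lower() == "set-cookie":
            findings.extend(weak_cookie_flags(value))
    return findings


# Constructed sample response (not captured from any real site).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for finding in check_headers(SAMPLE_HEADERS):
        print(finding)
```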

Active (Hobby+)

Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.

Why we restrict it: the attestation flow

Active probes can in theory affect production: slow responses, error spikes, garbage data in test stores. We require that you:

  1. Verify the domain via a DNS TXT record or an HTTP file (Account → Domains).
  2. Attest authorization: a single confirmation at scan-start time that you have permission. It is server-stamped with your IP, user-agent and timestamp, and recorded in audit_logs.

For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard → Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.

GitHub repository (Pro+)

Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.

Repo scans never write to your repo and never persist source code; only finding evidence is stored. Quota: the same scansPerMonth bucket as URL scans.

Start via the API

curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard → Domains. Full reference: /docs/api.

Anonymous one-off scans

The home page lets visitors who have not signed up run one passive scan per browser session. These scans expire 24 hours after creation and can be migrated into a real account if you sign up before they expire; the auth callback automatically attaches the anonymous scan to the new org.
