FixVibe


Scan types

FixVibe runs three kinds of scans against three kinds of targets. Each has different gating, different speed and a different blast radius; choose the one that fits what you are testing.

Passive

Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.

Because it is read-only, passive scanning can be run against any URL, with no domain verification and no attestation. The trade-off is depth: a passive scan misses anything that needs input to be discovered.

What passive scanning catches

  • Missing security headers (HSTS, CSP, frame-options, etc.).
  • Insecure cookie attributes (no Secure / HttpOnly / SameSite).
  • Weak TLS configuration, expired certificates, missing HSTS preload.
  • Secrets in JS bundles (Supabase service keys, AWS keys, Stripe sk_ keys, etc.).
  • Exposed source maps, debug endpoints, OpenAPI specs, GraphQL introspection.
  • Open Supabase RLS / Firebase rules / Clerk misconfiguration.
  • DNS (subdomain takeover, missing SPF/DKIM/DMARC).
  • Threat-intel lists (Spamhaus, URLhaus).
  • Outdated framework versions with known CVEs.
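As an added illustration (not FixVibe's own scanner code), the header and cookie checks from the first two bullets can be run against a fetched response's headers; the sample headers and Set-Cookie lines below are constructed, and the one-year HSTS minimum is an assumption taken from the preload-list requirement.

```python
import re
from typing import Dict, List

# Constructed sample: what a read-only fetch of a page might return.
# Not a real FixVibe response.
SAMPLE_HEADERS = {
    "content-type": "text/html; charset=utf-8",
    "strict-transport-security": "max-age=3600",
    "x-frame-options": "SAMEORIGIN",
}
SAMPLE_SET_COOKIES = [
    "session=abc123; Path=/; HttpOnly",
    "theme=dark; Path=/; Secure; SameSite=Lax",
]

REQUIRED_HEADERS = ["strict-transport-security", "content-security-policy", "x-frame-options"]
MIN_HSTS_MAX_AGE = 31536000  # assumed threshold: one year, as the preload list requires


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Report missing security headers and an HSTS max-age that is too short."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = [f"missing header: {name}" for name in REQUIRED_HEADERS if name not in h]
    hsts = h.get("strict-transport-security")
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        if age < MIN_HSTS_MAX_AGE:
            findings.append(f"weak HSTS max-age: {age} (< {MIN_HSTS_MAX_AGE})")
    return findings


def check_cookies(set_cookie_lines: List[str]) -> List[str]:
    """Flag each cookie that lacks Secure, HttpOnly or SameSite."""
    findings = []
    for line in set_cookie_lines:
        parts = [p.strip() for p in line.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}  # attribute names only
        findings += [f"cookie {name}: missing {a}" for a in ("secure", "httponly", "samesite") if a not in attrs]
    return findings


def passive_scan(headers: Dict[str, str], set_cookie_lines: List[str]) -> List[str]:
    """Combine both read-only checks into one list of findings."""
    return check_headers(headers) + check_cookies(set_cookie_lines)


if __name__ == "__main__":
    for finding in passive_scan(SAMPLE_HEADERS, SAMPLE_SET_COOKIES):
        print(finding)
```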

Active (Hobby+)

Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.

Why we gate it: the attestation flow

Active probes can in theory affect production: slow responses, error spikes, junk data in test stores. We require that you:

  1. Verify the domain via DNS TXT or an HTTP file (Account → Domains).
  2. Attest authorization, a single confirmation at scan start that you have permission. Server-stamped with your IP, user-agent and timestamp; written to audit_logs.

For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard → Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.

GitHub repository (Pro+)

Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.

Repo scans never write to your repo and never store source code; only finding evidence is stored. Quota: the same scansPerMonth bucket as URL scans.

Start via API

curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard → Domains. Full reference: /docs/api.

Anonymous one-off scans

The front page lets unregistered visitors run one passive scan per browser session. These scans expire 24 hours after creation and can be migrated to a real account by signing up before they expire; the auth callback automatically links the anonymous scan to the new org.
