FixVibe


Scan types

FixVibe runs three scan types against three target types. Each has a different gate, speed, and blast radius; pick the one that matches what you are trying to test.

Passive

Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.

Because it is read-only, passive can be run against any URL: no domain verification, no attestation. The trade-off is depth: passive misses everything that can only be discovered by sending input.

What passive catches

  • Missing security headers (HSTS, CSP, frame-options, etc.).
  • Insecure cookie attributes (no Secure / HttpOnly / SameSite).
  • Weak TLS configuration, expired certs, missing HSTS preload.
  • Secrets in JS bundles (Supabase service keys, AWS keys, Stripe sk_, etc.).
  • Exposed source maps, debug endpoints, OpenAPI specs, GraphQL introspection.
  • Open Supabase RLS / Firebase rules / Clerk misconfiguration.
  • DNS (subdomain takeover, missing SPF/DKIM/DMARC).
  • Threat-intel listings (Spamhaus, URLhaus).
  • Outdated framework versions with known CVEs.
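The following is an added example, not FixVibe's scanner (its check logic is not published): a small Python model of the read-only side of a passive scan. Given one captured response (headers plus the JavaScript it shipped), it flags missing security headers, cookies without Secure/HttpOnly/SameSite, secrets in the bundle (including the distinction between a Supabase anon JWT, which is expected in a client, and a service_role JWT, which bypasses RLS), and a source-map reference. The header list, regexes, severities, and the sample response are all constructed for this example and stand in for the real 250+ classes.

```python
import base64
import json
import re

# Headers a passive check expects on an HTTPS response; absence is a finding.
# (Assumed list for this example, not FixVibe's actual rule set.)
REQUIRED_HEADERS = {
    "strict-transport-security": "missing HSTS",
    "content-security-policy": "missing CSP",
    "x-frame-options": "missing X-Frame-Options",
    "x-content-type-options": "missing X-Content-Type-Options",
}

# Token shapes that should never appear in client-side JavaScript.
SECRET_PATTERNS = {
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Stripe live secret key": re.compile(r"\bsk_live_[0-9A-Za-z]{16,}\b"),
}
# Any JWT: header and payload segments both start with base64url("{\"") == "eyJ".
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b")
SOURCEMAP_RE = re.compile(r"^\s*//[#@]\s*sourceMappingURL=(\S+)", re.M)


def _jwt_payload(token):
    """Decode the middle JWT segment for inspection only; no signature check."""
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))


def check_headers(headers):
    present = {k.lower() for k, _ in headers}
    return [{"check": "header", "severity": "medium", "detail": msg}
            for name, msg in REQUIRED_HEADERS.items() if name not in present]


def check_cookies(headers):
    findings = []
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in v.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for attr in ("secure", "httponly", "samesite"):
            if attr not in attrs:
                findings.append({"check": "cookie", "severity": "medium",
                                 "detail": f"cookie {name} lacks {attr}"})
    return findings


def check_secrets(body):
    findings = []
    for label, pat in SECRET_PATTERNS.items():
        for m in pat.finditer(body):
            findings.append({"check": "secret", "severity": "critical",
                             "detail": f"{label} in client asset: {m.group()[:8]}..."})
    for m in JWT_RE.finditer(body):
        try:
            claims = _jwt_payload(m.group())
        except (ValueError, json.JSONDecodeError):
            continue
        # A Supabase anon key in a bundle is normal; service_role bypasses RLS.
        if claims.get("role") == "service_role":
            findings.append({"check": "secret", "severity": "critical",
                             "detail": "service_role JWT shipped to the client"})
    return findings


def check_sourcemaps(body):
    return [{"check": "exposure", "severity": "low",
             "detail": f"source map referenced: {m.group(1)}"}
            for m in SOURCEMAP_RE.finditer(body)]


def passive_scan(headers, body):
    """Run every read-only check over one captured response; returns findings."""
    return (check_headers(headers) + check_cookies(headers)
            + check_secrets(body) + check_sourcemaps(body))


# Constructed sample response (not a real capture). The JWTs are unsigned demo
# tokens built here so the role claim can be inspected offline.
def _demo_jwt(role):
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc({'role': role, 'iss': 'supabase'})}.signature"

SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=63072000"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
]
SAMPLE_BUNDLE = (
    "const supabase = createClient(url, '" + _demo_jwt("service_role") + "');\n"
    "const anon = '" + _demo_jwt("anon") + "';\n"
    "const stripe = Stripe('sk_live_0123456789abcdefghij');\n"
    "//# sourceMappingURL=app.js.map\n"
)

if __name__ == "__main__":
    for f in passive_scan(SAMPLE_HEADERS, SAMPLE_BUNDLE):
        print(f"[{f['severity']}] {f['check']}: {f['detail']}")
```

Against the constructed sample this reports three missing headers, two missing cookie attributes, the Stripe key, the service_role JWT (the anon JWT is deliberately not reported), and the source-map reference. Nothing here sends crafted input; every finding comes from what the server already returned, which is exactly why a check like this needs no domain verification.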

Active (Hobby+)

Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.

Why we gate it: the attestation flow

In theory, active probes can affect production: slower responses, error spikes, garbage data in test stores. We therefore require that you:

  1. Verify the domain via a DNS TXT record or an HTTP file (Account → Domains).
  2. Attest authorization: a confirmation at scan start that you have permission. It is server-stamped with your IP, user-agent, and timestamp and written to audit_logs.

For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard → Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.

GitHub repository (Pro+)

Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.

Repo scans never write to your repo and never persist source code; only finding evidence is stored. Quota: the same scansPerMonth bucket as URL scans.

Trigger via the API

curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard → Domains. Full reference: /docs/api.

Anonymous one-shot scans

The home page lets visitors who have not signed up run a single passive scan per browser session. These scans expire 24 hours after creation and can be migrated into a real account by signing up before they expire; the auth callback automatically attaches the anonymous scan to the new org.
