FixVibe


Scan types

FixVibe runs three kinds of scans against three kinds of targets. They differ in gating, in speed, and in blast radius: pick the one that matches what you want to test.

Passive scan

Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.

Because it is read-only, a passive scan can run against any URL: no domain verification, no attestation. The trade-off is depth: a passive scan misses anything that requires sending input to discover.

What passive finds

  • Missing security headers (HSTS, CSP, frame-options, etc.).
  • Unprotected cookie attributes (no Secure / HttpOnly / SameSite).
  • Weak TLS configuration, expired certs, missing HSTS preload.
  • Secrets in JS bundles (Supabase service keys, AWS keys, Stripe sk_, etc.).
  • Exposed source maps, debug endpoints, OpenAPI specs, GraphQL introspection.
  • Open Supabase RLS / Firebase rules / Clerk misconfiguration.
  • DNS (subdomain takeover, missing SPF/DKIM/DMARC).
  • Threat-intel listings (Spamhaus, URLhaus).
  • Outdated framework versions with known CVEs.
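To make the read-only nature of these checks concrete, here is an added example of the kind of inspection a passive scan performs on a response the target already shipped. It is illustrative code written for this page, not FixVibe's scanner; the header list, cookie rules, secret pattern and the sample response are all constructed assumptions, and it covers only the first three bullets above (security headers, cookie attributes, secrets and source maps in JS bundles).

```python
"""Illustrative passive-posture checks (added example, not FixVibe's code).

Everything here inspects a response that was fetched like a normal browser
would fetch it. Nothing sends crafted input to the target.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Headers a passive check expects on an HTML response (assumed minimal set).
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing",
    "content-security-policy": "CSP missing",
    "x-frame-options": "frame-options missing",
    "x-content-type-options": "nosniff missing",
}

# Constructed pattern for a Stripe live secret key prefix (assumption).
STRIPE_SK_RE = re.compile(r"sk_live_[0-9A-Za-z]{24,}")
SOURCE_MAP_RE = re.compile(r"//# sourceMappingURL=(\S+)")


@dataclass
class Finding:
    category: str
    detail: str


def check_headers(headers: Dict[str, str]) -> List[Finding]:
    """Report missing security headers and an HSTS value that is not preload-ready."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = [Finding("security-headers", msg)
                for name, msg in REQUIRED_HEADERS.items() if name not in lower]
    hsts = lower.get("strict-transport-security", "").lower()
    if hsts and "preload" not in hsts:
        findings.append(Finding("security-headers", "HSTS present but not preload-ready"))
    return findings


def check_cookies(set_cookie_values: List[str]) -> List[Finding]:
    """Report cookies shipped without Secure / HttpOnly / SameSite."""
    findings = []
    for raw in set_cookie_values:
        parts = [p.strip() for p in raw.split(";") if p.strip()]
        name = parts[0].split("=", 1)[0]
        attrs = {}
        for part in parts[1:]:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip().lower()
        missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
        # SameSite=None is only honoured by browsers when Secure is also set.
        if attrs.get("samesite") == "none" and "secure" not in attrs:
            findings.append(Finding("cookies", f"{name}: SameSite=None requires Secure"))
        if missing:
            findings.append(Finding("cookies", f"{name}: missing {', '.join(missing)}"))
    return findings


def check_js_asset(body: str) -> List[Finding]:
    """Report an exposed source map reference and hard-coded Stripe live keys."""
    findings = []
    for match in SOURCE_MAP_RE.finditer(body):
        findings.append(Finding("source-maps", f"sourceMappingURL -> {match.group(1)}"))
    for match in STRIPE_SK_RE.finditer(body):
        # Redact the matched value; the finding records only the prefix.
        findings.append(Finding("secrets", f"Stripe secret key in bundle ({match.group(0)[:8]}...)"))
    return findings


def passive_report(headers: Dict[str, str], cookies: List[str], js_body: str) -> List[Finding]:
    """Combine the three read-only checks into one list of findings."""
    return check_headers(headers) + check_cookies(cookies) + check_js_asset(js_body)


# Constructed sample response for a stand-alone run (not real data).
SAMPLE_HEADERS = {"Content-Type": "text/html",
                  "Strict-Transport-Security": "max-age=31536000"}
SAMPLE_COOKIES = ["session=abc123; Path=/; HttpOnly",
                  "tracker=1; Path=/; SameSite=None"]
SAMPLE_JS = ("console.log('boot');\n"
             "const k = 'sk_live_" + "X" * 24 + "';\n"
             "//# sourceMappingURL=app.js.map\n")

if __name__ == "__main__":
    for f in passive_report(SAMPLE_HEADERS, SAMPLE_COOKIES, SAMPLE_JS):
        print(f"[{f.category}] {f.detail}")
```

The sample response yields nine findings: four header findings (CSP, frame-options, nosniff missing, plus HSTS without preload), three cookie findings, one source map and one secret. A real scanner also has to handle the later bullets (DNS, BaaS rules, threat-intel, framework versions), each of which needs its own fetch but still no attack input.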

Active scan Hobby+

Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.

Why we gate it: the attestation flow

Active probes can affect production: slow responses, error spikes, garbage data in test stores. We require that you:

  1. Verify the domain via DNS TXT or an HTTP file (Account → Domains).
  2. Attest authorization: a confirmation at scan-start time that you have permission. It is server-stamped with your IP, user-agent, and timestamp, and written to audit_logs.

For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard → Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.

GitHub repository scan Pro+

Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.

Repo scans never write to your repo and never persist source code; only finding evidence is stored. Quota: same scansPerMonth bucket as URL scans.

Trigger via API

curl
curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard → Domains. Full reference: /docs/api.

Anonymous (unidentified) one-shot scans

The home page lets visitors without an account run a single passive scan per browser session. These scans expire 24 hours after creation and can be migrated to a real account if you sign up before they expire; the auth callback automatically attaches the anonymous scan to the new org.