Scan types
FixVibe runs three kinds of scans against three kinds of targets. Each kind has different gating, different speed and a different blast radius; pick the one that fits what you are testing.
Passive
Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.
Because it is read-only, passive can run against any URL: no domain verification, no attestation. The trade-off is depth: passive misses everything that requires input to be found.
What passive finds
- Missing security headers (HSTS, CSP, frame-options, etc.).
- Insecure cookie attributes (no Secure / HttpOnly / SameSite).
- Weak TLS configuration, expired certs, missing HSTS preload.
- Secrets in JS bundles (Supabase service keys, AWS keys, Stripe sk_, etc.).
- Exposed source maps, debug endpoints, OpenAPI specs, GraphQL introspection.
- Open Supabase RLS / Firebase rules / Clerk misconfiguration.
- DNS (subdomain takeover, missing SPF/DKIM/DMARC).
- Threat-intel listings (Spamhaus, URLhaus).
- Older framework versions with known CVEs.
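The first two items on the list (missing security headers and weak cookie attributes) are the kind of check a passive scan can make from an ordinary response alone. The following is an added example, not FixVibe's own scanner code: it takes an already-fetched response (a headers dict plus its Set-Cookie values) and reports what a read-only check would flag. The response below is constructed for the example, not captured from any real site, and the header set and wording are the example's own assumptions.

```python
from typing import Dict, List

# Headers whose absence a read-only check can flag, with the risk each one mitigates.
# This set is an assumption of the example, not FixVibe's rule list.
REQUIRED_HEADERS = {
    "strict-transport-security": "browsers may be downgraded to plain HTTP",
    "content-security-policy": "no mitigation for injected scripts",
    "x-frame-options": "page can be framed by another origin (clickjacking)",
}


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Flag missing security headers; header names are matched case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, why in REQUIRED_HEADERS.items():
        if name not in lowered:
            findings.append(f"missing header {name}: {why}")
    hsts = lowered.get("strict-transport-security", "")
    # HSTS present but without the preload directive: the site is not preload-eligible.
    if hsts and "preload" not in hsts.lower():
        findings.append("HSTS present but missing the preload directive")
    return findings


def check_cookie(set_cookie: str) -> List[str]:
    """Flag weak attributes on one Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name}: missing Secure (sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: missing HttpOnly (readable from script)")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append(f"cookie {name}: missing SameSite (cross-site request risk)")
    elif samesite == "none" and "secure" not in attrs:
        findings.append(f"cookie {name}: SameSite=None requires Secure")
    return findings


def passive_check(headers: Dict[str, str], set_cookies: List[str]) -> List[str]:
    """Run both checks over one response and return every finding."""
    findings = check_headers(headers)
    for cookie in set_cookies:
        findings.extend(check_cookie(cookie))
    return findings


# Constructed sample response (not from a real site): HSTS without preload,
# no CSP or frame-options, one weak session cookie and one well-formed cookie.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000",
}
SAMPLE_COOKIES = [
    "session=abc123; Path=/; HttpOnly",
    "prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for finding in passive_check(SAMPLE_HEADERS, SAMPLE_COOKIES):
        print(finding)
```

Run stand-alone it prints five findings for the sample response: two missing headers, the HSTS preload note, and the missing Secure and SameSite attributes on the session cookie; the prefs cookie passes. None of this requires sending anything but a normal GET, which is exactly why passive needs no domain verification.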
Active Hobby+
Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.
Why we gate: the attestation flow
Active probes can in theory affect production: slow responses, error spikes, junk data in test stores. We require that you:
- Verify the domain via a DNS TXT record or an HTTP file (Account → Domains).
- Attest authorization: a single confirmation at scan start that you have permission. Server-stamped with your IP, user-agent and timestamp; written to audit_logs.
For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard → Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.
GitHub repository Pro+
Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.
Repo scans never write to your repo and never store source code; only finding evidence is stored. Quota: the same scansPerMonth bucket as URL scans.
Trigger via API
curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard → Domains. Full reference: /docs/api.
Anonymous one-shot scans
The homepage lets unauthenticated visitors run one passive scan per browser session. These scans expire 24 hours after creation and can be transferred to a real account by signing up before they expire; the auth callback automatically binds the anonymous scan to the new org.
