// docs / scans
Scan types
FixVibe runs three kinds of scan against three kinds of target. Each has different gating, different speed, and a different blast radius; pick the one that matches what you are testing.
Passive
Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.
Because it is read-only, passive can be run against any URL, with no domain verification and no attestation. The trade-off is depth: passive misses anything that can only be found by sending input.
What passive finds
- Missing security headers (HSTS, CSP, frame-options, etc.).
- Insecure cookie attributes (no Secure / HttpOnly / SameSite).
- Weak TLS configuration, expired certs, missing HSTS preload.
- Secrets in JS bundles (Supabase service keys, AWS keys, Stripe sk_, etc.).
- Exposed source maps, debug endpoints, OpenAPI specs, GraphQL introspection.
- Open Supabase RLS / Firebase rules / Clerk misconfiguration.
- DNS (subdomain takeover, missing SPF/DKIM/DMARC).
- Threat-intel listings (Spamhaus, URLhaus).
- Outdated framework versions with known CVEs.
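To make the read-only nature of these checks concrete, here is an added example (not FixVibe's own code) of a minimal passive check over a captured response and a JS bundle excerpt. It reports missing security headers, cookies lacking Secure / HttpOnly / SameSite, and well-known secret-key prefixes, without ever sending crafted input. The sample response, the bundle text and the function names are all constructed for this illustration; the header list is a reasonable baseline, not FixVibe's actual 250+ class catalogue.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample HTTP response (not from a real site).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed JS excerpt carrying a fake Stripe-style secret prefix.
SAMPLE_BUNDLE = (
    'const cfg={api:"https://api.example.test",'
    'key:"sk_test_EXAMPLE0000000000"};'
)

# Baseline headers a passive check expects on an HTTPS origin (assumed list).
REQUIRED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
)

# Cookie attributes whose absence is reported.
COOKIE_ATTRS = ("Secure", "HttpOnly", "SameSite")

# Secret prefixes distinctive enough to flag from shipped assets alone.
SECRET_PATTERNS = {
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{8,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw response into (name, value) pairs, keeping repeats such as Set-Cookie."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")[1:]  # drop the status line
    pairs = []
    for line in lines:
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_security_headers(headers: List[Tuple[str, str]]) -> List[str]:
    """Return the baseline headers that are absent from the response."""
    present = {name for name, _ in headers}
    return [h for h in REQUIRED_HEADERS if h not in present]


def check_cookies(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each Set-Cookie name to the protective attributes it lacks."""
    findings: Dict[str, List[str]] = {}
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [a for a in COOKIE_ATTRS if a.lower() not in attrs]
        if missing:
            findings[cookie_name] = missing
    return findings


def check_bundle_secrets(bundle: str) -> List[str]:
    """Return the kinds of secret prefix found in a client-side bundle."""
    return [kind for kind, pat in SECRET_PATTERNS.items() if pat.search(bundle)]


def passive_report(raw_response: str, bundle: str) -> dict:
    """Combine the three checks into one finding set for a single target."""
    headers = parse_headers(raw_response)
    return {
        "missing_headers": check_security_headers(headers),
        "weak_cookies": check_cookies(headers),
        "bundle_secrets": check_bundle_secrets(bundle),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(passive_report(SAMPLE_RESPONSE, SAMPLE_BUNDLE), indent=2))
```

Everything here operates on data the server already handed over in a normal fetch, which is exactly why such checks need no domain verification or attestation; anything that requires a probe body is out of scope for this tier.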
Active Hobby+
Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.
Why we gate it: the attestation flow
Active probes can, in theory, affect production: slow responses, error spikes, garbage data in test stores. We require you to:
- Verify the domain via DNS TXT or HTTP file (Account → Domains).
- Attest authorization: a single confirmation at scan-start time stating that you have permission. Stamped by the server with your IP, user-agent, and timestamp; written to audit_logs.
For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard → Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.
Repository GitHub Pro+
Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.
Repo scans never write to your repo and never persist source code; only finding evidence is stored. Quota: the same scansPerMonth bucket as URL scans.
Trigger via API
curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard → Domains. Full reference: /docs/api.
One-off anonymous scans
The home page lets visitors who are not signed in run a single passive scan per browser session. These scans expire 24 hours after creation and can be transferred to a real account by signing up before they expire; the auth callback binds the anonymous scan to the new org automatically.
