Scan types
FixVibe runs three scan types against three target types. Each has different gating, a different speed, and a different blast radius; pick the one that matches what you are testing.
Passive
Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.
Because it is read-only, a passive scan can run against any URL: no domain verification, no attestation. The trade-off is depth: passive misses anything that requires sending input to detect.
What passive catches
- Missing security headers (HSTS, CSP, frame-options, etc.).
- Insecure cookie attributes (no Secure / HttpOnly / SameSite).
- Weak TLS configuration, expired certs, missing HSTS preload.
- Secrets in JS bundles (Supabase service keys, AWS keys, Stripe sk_, etc.).
- Exposed source maps, debug endpoints, OpenAPI specs, GraphQL introspection.
- Exposed Supabase RLS / Firebase rules / Clerk misconfiguration.
- DNS (subdomain takeover, missing SPF/DKIM/DMARC).
- Threat-intel lists (Spamhaus, URLhaus).
- Outdated framework versions with known CVEs.
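To make the first two passive checks concrete, here is an added example (not FixVibe's code) of what a read-only scanner does with a response it has already fetched: it parses the header block and reports missing hardening headers and cookies that lack Secure / HttpOnly / SameSite. The HTTP response is constructed inline so the example runs offline; the severities and messages are this example's own, not FixVibe's vulnerability classes.

```python
"""Added example (not FixVibe's code): a minimal passive posture check on a
fetched response. Nothing is sent; SAMPLE_RESPONSE is a constructed reply."""
from typing import Dict, List, Tuple

# Constructed sample: an HTTPS app that sets one hardening header and two
# cookies with incomplete attributes.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html>...</html>"
)

# Headers a passive scan expects on an HTTPS site (names lower-cased because
# header names are case-insensitive). Severities are this example's choice.
REQUIRED_HEADERS = {
    "strict-transport-security": ("high", "HSTS missing: plain-HTTP downgrade not prevented"),
    "content-security-policy": ("medium", "CSP missing: no script-source restriction"),
    "x-frame-options": ("medium", "frame-options missing: page can be framed"),
    "x-content-type-options": ("low", "nosniff missing: MIME sniffing possible"),
}

COOKIE_FLAGS = ("secure", "httponly", "samesite")


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP response into (status line, [(name, value), ...]).
    Headers are kept as a list, not a dict, because Set-Cookie repeats."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    headers = []
    for line in header_block.split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status_line, headers


def check_headers(headers: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """One finding per required header that is absent."""
    present = {name for name, _ in headers}
    return [
        {"check": f"header:{name}", "severity": severity, "detail": detail}
        for name, (severity, detail) in REQUIRED_HEADERS.items()
        if name not in present
    ]


def check_cookies(headers: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """One finding per Set-Cookie that lacks any of Secure/HttpOnly/SameSite."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        # Attribute names only; "SameSite=Lax" -> "samesite"
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [flag for flag in COOKIE_FLAGS if flag not in attrs]
        if missing:
            findings.append({
                "check": f"cookie:{cookie_name}",
                "severity": "medium",
                "detail": "missing " + ", ".join(missing),
            })
    return findings


def passive_scan(raw: str) -> List[Dict[str, str]]:
    """Run every check against one already-fetched response."""
    _, headers = parse_response(raw)
    return check_headers(headers) + check_cookies(headers)


if __name__ == "__main__":
    for finding in passive_scan(SAMPLE_RESPONSE):
        print(f"[{finding['severity']}] {finding['check']}: {finding['detail']}")
```

For the constructed response this yields five findings: three missing headers (X-Frame-Options is present) and two cookies with incomplete flags. A real passive scan would fetch the URL first and run the same logic over the live headers.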
Active (Hobby+)
Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.
Why we gate it: the attest flow
Active probes can, in principle, affect production: slow responses, error spikes, garbage data in test stores. We ask you to:
- Verify the domain via DNS TXT or HTTP file (Account → Domains).
- Attest authorization: a single confirmation at scan start stating that you have permission. It is stamped by the server with your IP, user-agent, and timestamp, and written to audit_logs.
For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard → Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.
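To show what the two gates above amount to in code, here is an added example (not FixVibe's implementation): domain ownership is proven by a token in a DNS TXT record, the target host is checked to actually sit under the verified domain, and an allowed start produces the audit record with IP, user-agent and timestamp. The DNS lookup is replaced by a constructed record set so the example runs offline; the TXT record name (_fixvibe-verify), the token derivation, the event name and the audit field names are assumptions for this example.

```python
"""Added example (not FixVibe's code): the gates an active scan must pass
before it starts, with DNS replaced by a constructed record set."""
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import urlparse

VERIFY_PREFIX = "_fixvibe-verify"             # assumed TXT record name
SERVER_SECRET = b"constructed-server-secret"  # constructed for the example
ORG_ID = "org_demo"                           # constructed org id


def issue_verification_token(domain: str, org_id: str) -> str:
    """Token the user publishes in DNS. Deterministic per (org, domain) and
    unforgeable without SERVER_SECRET, so it is re-derived at check time
    rather than stored."""
    msg = f"{org_id}:{domain.lower()}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]


# Constructed "DNS": what a resolver would return for the TXT query.
SAMPLE_TXT_RECORDS = {
    f"{VERIFY_PREFIX}.example.com": [issue_verification_token("example.com", ORG_ID)],
}


def is_domain_verified(domain: str, org_id: str, txt_records: dict) -> bool:
    """True if any TXT value at _fixvibe-verify.<domain> equals this org's token."""
    expected = issue_verification_token(domain, org_id)
    for value in txt_records.get(f"{VERIFY_PREFIX}.{domain.lower()}", []):
        # constant-time compare so a wrong token leaks nothing via timing
        if hmac.compare_digest(value.strip(), expected):
            return True
    return False


def target_in_scope(target_url: str, verified_domain: str) -> bool:
    """The target host must be the verified domain or a subdomain of it.
    A plain suffix check would wrongly accept example.com.evil.net."""
    host = (urlparse(target_url).hostname or "").lower()
    domain = verified_domain.lower()
    return host == domain or host.endswith("." + domain)


def authorize_active_scan(target_url: str, verified_domain: str, org_id: str,
                          txt_records: dict, attested: bool,
                          client_ip: str, user_agent: str,
                          now: datetime = None) -> dict:
    """Return the audit_logs row for an allowed start, or a denial with reason."""
    now = now or datetime.now(timezone.utc)
    if not target_in_scope(target_url, verified_domain):
        return {"allowed": False, "reason": "target outside verified domain"}
    if not is_domain_verified(verified_domain, org_id, txt_records):
        return {"allowed": False, "reason": "domain not verified"}
    if not attested:
        return {"allowed": False, "reason": "authorization not attested"}
    return {
        "allowed": True,
        "event": "active_scan.attested",  # assumed event name
        "org_id": org_id,
        "target": target_url,
        "domain": verified_domain,
        "client_ip": client_ip,          # server-observed, not client-supplied
        "user_agent": user_agent,
        "timestamp": now.isoformat(),
    }


if __name__ == "__main__":
    print(authorize_active_scan("https://staging.example.com/login", "example.com",
                                ORG_ID, SAMPLE_TXT_RECORDS, True,
                                "203.0.113.7", "curl/8.0"))
```

The order of checks matters: scope and verification are decided before the attestation is even consulted, so a single confirmation click can never widen the set of hosts an org is allowed to probe.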
Repository (GitHub, Pro+)
Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.
Repo scans never write to your repo and never persist source code; only finding evidence is stored. Quota: the same scansPerMonth bucket as URL scans.
Trigger via API
curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard → Domains. Full reference: /docs/api.
One-time anonymous scans
The home page lets visitors who are not signed up run one passive scan per browser session. These scans expire 24 hours after creation and can be moved to a real account by signing up before they expire; the auth callback links the anonymous scan to the new org automatically.
