FixVibe


Scan types

FixVibe runs three scan types against three kinds of target. Each has different gating, different speed, and a different blast radius; pick the one that matches what you are testing.

Passive, read-only

Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.

Because it is read-only, a passive scan can run against any URL: no domain verification, no attestation. What you give up is depth: passive misses anything that requires sending input to detect.

What passive catches

  • Missing security headers (HSTS, CSP, frame-options, etc.).
  • Insecure cookie attributes (no Secure / HttpOnly / SameSite).
  • Weak TLS configuration, expired certs, missing HSTS preload.
  • Secrets in JS bundles (Supabase service keys, AWS keys, Stripe sk_, etc.).
  • Exposed source maps, debug endpoints, OpenAPI specs, GraphQL introspection.
  • Open Supabase RLS / Firebase rules / Clerk misconfigurations.
  • DNS (subdomain takeover, missing SPF/DKIM/DMARC).
  • Threat-intel lists (Spamhaus, URLhaus).
  • Outdated framework versions with known CVEs.
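A minimal read-only check of the kind the passive tier performs on the first two items above (missing security headers, insecure cookie attributes), as an added example that is not FixVibe's code. The sample response headers and Set-Cookie lines are constructed for illustration, and the rule set is an assumption, not FixVibe's 250+ classes:

```python
from typing import Dict, List

# Assumed rule set: header name (lower-case) -> finding message
REQUIRED_HEADERS = {
    "strict-transport-security": "Missing HSTS header",
    "content-security-policy": "Missing Content-Security-Policy",
    "x-frame-options": "Missing X-Frame-Options (or CSP frame-ancestors)",
}


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Flag absent security headers; names compare case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, msg in REQUIRED_HEADERS.items():
        if name in lower:
            continue
        # A CSP frame-ancestors directive is an accepted substitute for X-Frame-Options
        if name == "x-frame-options" and "frame-ancestors" in lower.get("content-security-policy", ""):
            continue
        findings.append(msg)
    return findings


def check_cookies(set_cookie_lines: List[str]) -> List[str]:
    """Flag each cookie lacking Secure, HttpOnly or SameSite."""
    findings = []
    for line in set_cookie_lines:
        parts = [p.strip() for p in line.split(";")]
        name = parts[0].split("=", 1)[0]          # cookie name before '='
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for attr in ("secure", "httponly", "samesite"):
            if attr not in attrs:
                findings.append(f"Cookie {name!r} lacks {attr}")
    return findings


def passive_check(headers: Dict[str, str], set_cookie_lines: List[str]) -> List[str]:
    """Combine both read-only checks; nothing here sends crafted input."""
    return check_headers(headers) + check_cookies(set_cookie_lines)


# Constructed sample response, as a plain GET would return it
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
}
SAMPLE_COOKIES = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "tracking=xyz; Path=/",
]

if __name__ == "__main__":
    for finding in passive_check(SAMPLE_HEADERS, SAMPLE_COOKIES):
        print("FINDING:", finding)
```

Against the sample response this reports one missing header and three cookie-attribute findings, all from the tracking cookie.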

Active, payload-sending (Hobby+)

Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.

Why it is gated: the attestation flow

Active probes can, in principle, affect production: slower responses, a spike in errors, junk test data. We require you to:

  1. Verify the domain via DNS TXT or HTTP file (Account → Domains).
  2. Attest authorization: a one-time confirmation at scan start that you are permitted to test it. It is stamped with your IP, user-agent, and timestamp, and written to audit_logs.

For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard → Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.

Your GitHub repository (Pro+)

Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.

Repo scans do not write to your repo and do not store source code; only finding evidence is kept. Quota: the same scansPerMonth bucket as URL scans.

Triggering via the API

curl
curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard → Domains. Full reference: /docs/api.

Anonymous one-shot scans

The home page lets unregistered visitors run one passive scan per browser session. These scans expire 24 hours after creation and can be claimed into a real account if you sign up before they expire; the auth callback automatically links the anonymous scan to the new org.
