Scan types
FixVibe runs three kinds of scans against three kinds of targets. Each one has different gating, speed, and blast radius; pick the one that matches what you are testing.
Passive
Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.
Because it is read-only, a passive scan can run against any URL, with no domain verification and no attestation. The trade-off is depth: passive misses everything that requires sending input to detect.
What passive catches
- Missing security headers (HSTS, CSP, frame-options, etc.).
- Insecure cookie attributes (no Secure / HttpOnly / SameSite).
- Weak TLS configuration, expired certs, missing HSTS preload.
- Secrets in JS bundles (Supabase service keys, AWS keys, Stripe sk_, etc.).
- Exposed source maps, debug endpoints, OpenAPI specs, GraphQL introspection.
- Open Supabase RLS / Firebase rules / Clerk misconfiguration.
- DNS (subdomain takeover, missing SPF/DKIM/DMARC).
- Threat-intel lists (Spamhaus, URLhaus).
- Outdated framework versions with known CVEs.
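To make concrete what "read-only" checking looks like, here is an added example (not FixVibe's scanner code) that inspects only what a normal fetch already returns: the response headers and Set-Cookie values. It covers the first two bullets above, missing security headers and insecure cookie attributes, and the HSTS preload check from the third. The sample responses are constructed inline; the header list and finding names are this example's own choices, not FixVibe's vulnerability classes.

```python
"""Passive-style response checks: inspect headers and Set-Cookie attributes
that a read-only fetch already exposes. Constructed example, not FixVibe code."""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Finding:
    check: str   # short finding class (this example's own names)
    detail: str  # human-readable explanation


# Headers a passive check expects on an HTTPS origin (assumed subset).
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: browsers may still use plain HTTP",
    "content-security-policy": "CSP missing: no restriction on script/style sources",
    "x-frame-options": "frame-options missing: page can be framed (clickjacking)",
}


def parse_set_cookie(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, lower-cased attribute map).
    Flag attributes such as HttpOnly map to an empty string."""
    parts = [p.strip() for p in raw.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def check_headers(headers: Dict[str, str]) -> List[Finding]:
    """Report missing security headers and an HSTS policy without preload."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[Finding] = []
    for name, detail in REQUIRED_HEADERS.items():
        if name not in lower:
            findings.append(Finding("missing-header", f"{name}: {detail}"))
    hsts = lower.get("strict-transport-security", "")
    if hsts and "preload" not in hsts.lower():
        findings.append(Finding("hsts-no-preload", "HSTS present but not preload-eligible"))
    return findings


def check_cookies(set_cookie_values: Sequence[str]) -> List[Finding]:
    """Report cookies that lack Secure, HttpOnly, or a restrictive SameSite."""
    findings: List[Finding] = []
    for raw in set_cookie_values:
        name, attrs = parse_set_cookie(raw)
        if "secure" not in attrs:
            findings.append(Finding("cookie-insecure", f"{name}: missing Secure"))
        if "httponly" not in attrs:
            findings.append(Finding("cookie-insecure", f"{name}: missing HttpOnly"))
        if attrs.get("samesite", "").lower() not in {"lax", "strict"}:
            findings.append(Finding("cookie-insecure", f"{name}: SameSite not Lax/Strict"))
    return findings


def passive_check(headers: Dict[str, str], set_cookie_values: Sequence[str]) -> List[Finding]:
    """Run every read-only check over one captured response."""
    return check_headers(headers) + check_cookies(set_cookie_values)


# Constructed sample responses: a weak deployment and a hardened one.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000",
}
WEAK_COOKIES = [
    "session=abc123; Path=/; HttpOnly",
    "theme=dark; Secure; SameSite=Lax",
]
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
}
HARDENED_COOKIES = ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"]

if __name__ == "__main__":
    for f in passive_check(WEAK_HEADERS, WEAK_COOKIES):
        print(f"[{f.check}] {f.detail}")
    print("hardened findings:", passive_check(HARDENED_HEADERS, HARDENED_COOKIES))
```

Nothing here sends crafted input; the same functions work on headers captured by any HTTP client, which is why these checks need no domain verification.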
Active (Hobby+)
Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.
Why we gate it: the attestation flow
Active probes can in principle affect production: slow responses, a rise in errors, junk data in test stores. We require you to:
- Verify the domain with a DNS TXT record or an HTTP file (Account → Domains).
- Attest authorization: a one-time confirmation at scan start stating that you have permission. It is stamped server-side with your IP, user-agent, and timestamp, and written to audit_logs.
For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard → Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.
GitHub repository (Pro+)
Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.
Repo scans never write to your repo and never persist source code; only the evidence for each finding is stored. Quota: the same scansPerMonth bucket as URL scans.
Trigger via the API
curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

The REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard → Domains. Full reference: /docs/api.
Anonymous one-shot scans
The home page lets unregistered visitors run a single passive scan per browser session. These scans expire 24 hours after creation and can be transferred to a real account by signing up before they expire; the auth callback itself binds the anonymous scan to the new org.
