// docs / scans
Scan types
FixVibe runs three kinds of scan against three kinds of target. Each has its own gates, speed and blast radius; pick the one that matches what you are trying to verify.
Passive
Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.
Read-only болгандыктан, passive кез келген URL-га карсы жүре алады — domain verification жок, attestation жок. Trade-off — depth: input жиберуди кажет ететин нар бирсениң баарын passive өткөрүп жиберет.
Passive эмнелерди табат
- Жок security headers (HSTS, CSP, frame-options, т.б.).
- Кауипсиз емес cookie attributes (Secure / HttpOnly / SameSite жок).
- Алсыз TLS configuration, expired certs, HSTS preload жок.
- JS bundles ишиндеги secrets (Supabase service keys, AWS keys, Stripe sk_, т.б.).
- Exposed source maps, debug endpoints, OpenAPI specs, GraphQL introspection.
- Ачык Supabase RLS / Firebase rules / Clerk misconfiguration.
- DNS (subdomain takeover, missing SPF/DKIM/DMARC).
- Threat-intel listings (Spamhaus, URLhaus).
- Known CVEs бар outdated framework versions.
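The first two items above are the easiest to reproduce yourself. The following is an added example, not FixVibe's scanner code: a read-only check in the passive spirit that inspects only a response you already hold (headers and Set-Cookie values), so nothing crafted is ever sent. The sample response is constructed; the preload thresholds (one-year max-age, includeSubDomains, preload) are the public hstspreload.org requirements, and treating a CSP frame-ancestors directive as a substitute for X-Frame-Options is a design choice of this example.

```python
from __future__ import annotations

HSTS_PRELOAD_MIN_AGE = 31536000  # one year: minimum max-age hstspreload.org accepts


def parse_set_cookie(header: str) -> tuple[str, dict[str, str | None]]:
    """Split one Set-Cookie value into (cookie name, {attribute: value-or-None})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else None
    return name, attrs


def audit_hsts(value: str) -> list[str]:
    """Check an existing Strict-Transport-Security value for preload eligibility."""
    directives: dict[str, str] = {}
    for d in value.split(";"):
        key, _sep, val = d.strip().partition("=")
        directives[key.strip().lower()] = val.strip()
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return ["HSTS max-age missing or unparseable"]
    if (max_age < HSTS_PRELOAD_MIN_AGE
            or "includesubdomains" not in directives
            or "preload" not in directives):
        return ["HSTS not preload-eligible (needs max-age>=31536000, includeSubDomains, preload)"]
    return []


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Findings for missing or weak security headers; names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    # A CSP frame-ancestors directive supersedes X-Frame-Options, so only flag
    # the header when neither framing control is present.
    if "x-frame-options" not in h and not (csp and "frame-ancestors" in csp.lower()):
        findings.append("missing X-Frame-Options (and no CSP frame-ancestors)")
    if "x-content-type-options" not in h:  # one of the "etc." headers, added here
        findings.append("missing X-Content-Type-Options")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        findings.extend(audit_hsts(hsts))
    return findings


def audit_cookies(set_cookie_headers: list[str]) -> list[str]:
    """Findings for cookies shipped without Secure / HttpOnly / SameSite."""
    findings: list[str] = []
    for raw in set_cookie_headers:
        name, attrs = parse_set_cookie(raw)
        missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
        if missing:
            findings.append(f"cookie {name}: missing {', '.join(missing)}")
        # Browsers reject SameSite=None unless the cookie is also Secure.
        if (attrs.get("samesite") or "").lower() == "none" and "secure" not in attrs:
            findings.append(f"cookie {name}: SameSite=None without Secure is rejected by browsers")
    return findings


def audit_response(headers: dict[str, str], set_cookie: list[str]) -> list[str]:
    return audit_headers(headers) + audit_cookies(set_cookie)


# Constructed sample response: a partly hardened app (CSP present, HSTS too short,
# session cookie without Secure/SameSite).
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}
SAMPLE_SET_COOKIE = [
    "session=abc123; Path=/; HttpOnly",
    "prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_HEADERS, SAMPLE_SET_COOKIE):
        print("-", finding)
```

Feed it the headers of a real response captured with curl -i and you get the same class of result a passive scan reports for those two bullets, without the target ever seeing anything but an ordinary GET.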
Active Hobby+
Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.
Why we gate it: the attestation flow
Active probes can in principle affect production: slow responses, error spikes, garbage data in test stores. Before an active scan runs we require two things from you:
- Verify the domain via a DNS TXT record or an HTTP file (Account → Domains).
- Attest authorization: a single confirmation at scan start that you have permission to test the target. It is server-stamped with IP, user-agent and timestamp and written to audit_logs.
For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard → Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.
GitHub repository Pro+
Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.
Repo scans never write to the repository and never persist source code; only finding evidence is stored. Quota: they draw from the same scansPerMonth bucket as URL scans.
Triggering via the API
curl -X POST https://fixvibe.app/api/v1/scans \
-H "Authorization: Bearer fxv_..." \
-H "content-type: application/json" \
-d '{"target":"https://staging.example.com"}'

REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard → Domains. Full reference: /docs/api.
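The same call from a script, as an added example rather than an official FixVibe SDK: it validates the target before it leaves your machine, builds exactly the documented request, and surfaces the error body on a non-2xx response. Assumptions not stated on this page: the token is read from a FIXVIBE_API_KEY environment variable, and the response body is JSON (its fields are not documented here, so it is returned as-is).

```python
from __future__ import annotations

import json
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit

API_URL = "https://fixvibe.app/api/v1/scans"  # endpoint from the docs above


def validate_target(target: str) -> str:
    """Reject anything that is not an absolute http(s) URL before it reaches the API.

    Catches bare hostnames, other schemes and typos locally instead of burning
    a quota slot on a request the API would reject anyway.
    """
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"target must be an absolute http(s) URL, got {target!r}")
    return target


def build_scan_request(target: str, token: str) -> urllib.request.Request:
    """Equivalent of the curl command in the docs: POST {"target": ...} with a bearer token."""
    body = json.dumps({"target": validate_target(target)}).encode()
    return urllib.request.Request(
        API_URL,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "content-type": "application/json",
        },
    )


def start_scan(target: str, token: str | None = None, timeout: float = 30) -> dict:
    """Start a scan and return the decoded JSON response.

    Raises RuntimeError with the server's error body on a non-2xx status so a
    quota or authorization problem is visible instead of a bare HTTPError.
    """
    token = token or os.environ.get("FIXVIBE_API_KEY")  # env var name is an assumption
    if not token:
        raise RuntimeError("set FIXVIBE_API_KEY or pass token=")
    req = build_scan_request(target, token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        detail = exc.read().decode(errors="replace")
        raise RuntimeError(f"scan start failed: HTTP {exc.code}: {detail}") from exc


if __name__ == "__main__":
    print(json.dumps(start_scan("https://staging.example.com"), indent=2))
```

For an active scan the request is the same; what differs is that the target's domain must already be verified and authorized in Dashboard → Domains, otherwise the API will only run it as passive or reject it, and the error body this client surfaces is where that shows up.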
Anonymous one-off scans
The home page lets visitors who have not signed up start one passive scan per browser session. These scans expire 24 hours after creation. If you sign up before they expire, they are migrated to your real account: the auth callback automatically attaches the anonymous scan to the new org.
