Scan types
FixVibe runs three kinds of scans against three kinds of targets. Each has its own gating rules, its own speed and its own blast radius; choose the one that fits your test.
Passive
Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.
Because it is read-only, passive can run against any URL: no domain verification, no attestation. The trade-off is depth: passive misses anything that can only be discovered by sending input.
What passive finds
- Missing security headers (HSTS, CSP, frame-options, etc.).
- Insecure cookie attributes (no Secure / HttpOnly / SameSite).
- Weak TLS configuration, expired certificates, missing HSTS preload.
- Secrets in JS bundles (Supabase service keys, AWS keys, Stripe sk_, etc.).
- Exposed source maps, debug endpoints, OpenAPI specs, GraphQL introspection.
- Open Supabase RLS / Firebase rules / Clerk misconfiguration.
- DNS (subdomain takeover, missing SPF/DKIM/DMARC).
- Threat-intel listings (Spamhaus, URLhaus).
- Outdated framework versions with known CVEs.
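To make the read-only nature of a passive check concrete, here is an added example (not FixVibe's code and not its detection rules) that takes an already-fetched response and reports three of the classes listed above: missing security headers, insecure cookie attributes and secret-shaped strings in a shipped JS bundle. It sends no input and makes no network call; the response, cookies, bundle and the regex patterns are constructed for illustration.

```python
"""Minimal passive checker over a captured HTTP response (added example)."""
import re
from dataclasses import dataclass

# Security headers a hardened HTTPS response is expected to carry.
REQUIRED_HEADERS = {
    "strict-transport-security": "Missing Strict-Transport-Security (HSTS)",
    "content-security-policy": "Missing Content-Security-Policy",
    "x-frame-options": "Missing X-Frame-Options (clickjacking)",
    "x-content-type-options": "Missing X-Content-Type-Options",
}

# Attributes every session-bearing cookie should set.
REQUIRED_COOKIE_ATTRS = ("secure", "httponly", "samesite")

# Illustrative shapes of secrets that end up in client bundles (assumed patterns).
SECRET_PATTERNS = {
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Stripe secret key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{10,}\b"),
    "JWT-shaped token (possible service key)": re.compile(
        r"\beyJ[0-9A-Za-z_-]{10,}\.[0-9A-Za-z_-]{10,}\.[0-9A-Za-z_-]{10,}\b"),
}


@dataclass
class Finding:
    severity: str
    title: str
    evidence: str = ""


def check_headers(headers):
    """Flag required security headers that are absent (header names are case-insensitive)."""
    present = {k.lower() for k in headers}
    return [Finding("medium", title) for name, title in REQUIRED_HEADERS.items()
            if name not in present]


def check_cookies(set_cookie_values):
    """Flag each Set-Cookie value that lacks Secure, HttpOnly or SameSite."""
    findings = []
    for raw in set_cookie_values:
        parts = [p.strip() for p in raw.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [a for a in REQUIRED_COOKIE_ATTRS if a not in attrs]
        if missing:
            findings.append(Finding("medium",
                                    f"Cookie {cookie_name} missing {', '.join(missing)}", raw))
    return findings


def check_bundle_secrets(js_source):
    """Flag secret-shaped strings in client-side JavaScript; evidence is redacted."""
    findings = []
    for label, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(js_source):
            token = match.group(0)
            findings.append(Finding("high", f"{label} in JS bundle",
                                    token[:6] + "..." + token[-4:]))
    return findings


def passive_scan(response_headers, set_cookies, js_bundle):
    """Run all read-only checks over one captured response and its bundle."""
    return (check_headers(response_headers)
            + check_cookies(set_cookies)
            + check_bundle_secrets(js_bundle))


# Constructed sample response; no real site, no real key.
SAMPLE_HEADERS = {"Content-Type": "text/html",
                  "Strict-Transport-Security": "max-age=63072000"}
SAMPLE_COOKIES = ["session=abc123; Path=/; HttpOnly",
                  "csrf=xyz; Path=/; Secure; HttpOnly; SameSite=Lax"]
SAMPLE_BUNDLE = 'const stripe = Stripe("sk_test_EXAMPLEKEY00000000000000");'

if __name__ == "__main__":
    for f in passive_scan(SAMPLE_HEADERS, SAMPLE_COOKIES, SAMPLE_BUNDLE):
        print(f"[{f.severity}] {f.title}  {f.evidence}")
```

On the constructed sample the checker reports three missing headers, one cookie lacking Secure and SameSite, and one redacted Stripe-shaped key; a real passive scan differs mainly in breadth (TLS, DNS, BaaS rules) and in the accuracy of its patterns.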
Active (Hobby+)
Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.
Why we gate it: the attestation flow
Active tests can, in theory, affect production: slow responses, error spikes, junk data in test stores. We require that you:
- Verify the domain via a DNS TXT record or an HTTP file (Account → Domains).
- Attest authorization: a single confirmation at scan start that you have permission. It is server-stamped with your IP, user agent and timestamp and written to audit_logs.
For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard → Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.
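The gate described above, modelled as an added example (not FixVibe's implementation): an active scan is allowed only when the domain carries the verification token in a DNS TXT record and an authorization attestation exists for that domain, with the attestation stamped server-side and appended to an audit log. DNS is replaced by a constructed lookup table so the example runs offline; the TXT record name `_fixvibe-verify`, the `fixvibe-verify=<token>` value format and the audit event name are assumptions.

```python
"""Domain verification plus authorization attestation as a pre-scan gate (added example)."""
import datetime
from dataclasses import dataclass, asdict

VERIFY_RECORD = "_fixvibe-verify"  # assumed TXT record label

# Constructed stand-in for a DNS resolver: record name -> list of TXT values.
FAKE_DNS_TXT = {
    "_fixvibe-verify.staging.example.com": ["fixvibe-verify=tok_3f9c1a"],
    "_fixvibe-verify.other.example.net": ["v=spf1 -all"],
}


@dataclass(frozen=True)
class Attestation:
    domain: str
    user_id: str
    ip: str
    user_agent: str
    timestamp: str  # set by the server, never supplied by the client


# Append-only audit log (in-memory stand-in for the audit_logs table).
AUDIT_LOG = []


def domain_verified(domain, expected_token, resolver=FAKE_DNS_TXT):
    """True if the domain's TXT record carries exactly the token issued to this org."""
    values = resolver.get(f"{VERIFY_RECORD}.{domain}", [])
    return any(v.strip() == f"fixvibe-verify={expected_token}" for v in values)


def record_attestation(domain, user_id, ip, user_agent, now=None):
    """Server-stamp the operator's one-time confirmation and append it to the audit log."""
    when = now or datetime.datetime.now(datetime.timezone.utc)
    att = Attestation(domain, user_id, ip, user_agent, when.isoformat())
    AUDIT_LOG.append({"event": "active_scan_attested", **asdict(att)})
    return att


def active_scan_allowed(domain, token, attestation):
    """Both conditions must hold; returns (allowed, reason) so the refusal is explainable."""
    if not domain_verified(domain, token):
        return False, "domain not verified (TXT record missing or token mismatch)"
    if attestation is None or attestation.domain != domain:
        return False, "no authorization attestation for this domain"
    return True, "ok"


if __name__ == "__main__":
    att = record_attestation("staging.example.com", "user_42",
                             "203.0.113.5", "Mozilla/5.0 (example)")
    print(active_scan_allowed("staging.example.com", "tok_3f9c1a", att))
    print(active_scan_allowed("other.example.net", "tok_3f9c1a", att))
    print(AUDIT_LOG[-1])
```

The check is deliberately strict on the token: a TXT record that exists but carries another org's token (or an unrelated record such as SPF) does not count, and an attestation for one domain cannot be reused for another.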
GitHub Repository (Pro+)
Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.
Repo scans never write to your repo and never store source code; only finding evidence is kept. Quota: the same scansPerMonth bucket as URL scans.
Trigger via API
curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard → Domains. Full reference: /docs/api.
Anonymous one-shot scans
The homepage lets unauthenticated visitors run one passive scan per browser session. These scans expire 24 hours after creation and can be migrated to a real account if you sign up before they expire: the auth callback automatically attaches the anonymous scan to the new org.
