// docs / scans
Scan types
FixVibe runs 3 scan types against 3 kinds of target. Each has different gating, speed, and blast radius; pick the one that matches what you are testing.
Passive
Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.
Because it is read-only, passive can run against any URL: no domain verification, no attestation. The trade-off is depth: passive misses everything that requires sending input to discover.
What passive catches
- Missing security headers (HSTS, CSP, frame-options, etc.).
- Insecure cookie attributes (no Secure / HttpOnly / SameSite).
- Weak TLS configuration, expired certs, missing HSTS preload.
- Secrets in JS bundles (Supabase service keys, AWS keys, Stripe sk_ keys, etc.).
- Exposed source maps, debug endpoints, OpenAPI specs, GraphQL introspection.
- Permissive Supabase RLS, Firebase rules, or Clerk misconfiguration.
- DNS (subdomain takeover, missing SPF/DKIM/DMARC).
- Threat-intel listings (Spamhaus, URLhaus).
- Outdated framework versions with known CVEs.
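To make the passive model concrete, here is an added example (not FixVibe's scanner code) of the kind of read-only inspection the list above describes: it takes one already-received response and checks security headers, cookie attributes, and the shipped JavaScript for well-known key formats, including a Supabase key whose JWT payload carries role=service_role. The header list, key patterns, and the sample response are constructed for illustration and run offline.

```python
"""Passive checks over a captured HTTP response: headers, cookies, leaked secrets.

Added illustration of what a read-only scan can see. Nothing here sends
attack input; it only inspects what the server already shipped. The sample
response at the bottom is constructed so the snippet runs offline.
"""
import base64
import json
import re
from typing import Dict, List

# Headers a passive scan expects on an HTTPS response (illustrative subset).
REQUIRED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
)

# Well-known key formats (assumed patterns for the demo, not FixVibe's rules).
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9a-zA-Z]{16,}\b"),
}
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def missing_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return required headers absent from the response (case-insensitive)."""
    present = {k.lower() for k in headers}
    return [h for h in REQUIRED_HEADERS if h not in present]


def insecure_cookies(set_cookie_values: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to the attributes it lacks (Secure/HttpOnly/SameSite)."""
    findings: Dict[str, List[str]] = {}
    for raw in set_cookie_values:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [a for a in ("Secure", "HttpOnly", "SameSite") if a.lower() not in attrs]
        if missing:
            findings[name] = missing
    return findings


def _jwt_payload(token: str) -> dict:
    """Decode the (unverified) payload segment of a JWT; bad input yields {}."""
    try:
        seg = token.split(".")[1]
        seg += "=" * (-len(seg) % 4)
        return json.loads(base64.urlsafe_b64decode(seg))
    except (ValueError, IndexError):
        return {}


def find_secrets(js_text: str) -> List[str]:
    """Flag known key formats and Supabase service_role JWTs in shipped JS."""
    hits = [name for name, rx in SECRET_PATTERNS.items() if rx.search(js_text)]
    for token in JWT_RE.findall(js_text):
        # Supabase keys are JWTs; the service key carries role=service_role,
        # which bypasses RLS and must never reach a client bundle.
        if _jwt_payload(token).get("role") == "service_role":
            hits.append("supabase_service_role_key")
    return hits


# --- constructed sample response (not a real site) ---
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000",
    "X-Content-Type-Options": "nosniff",
}
SAMPLE_SET_COOKIE = [
    "session=abc123; Path=/; HttpOnly",
    "csrf=xyz; Path=/; Secure; HttpOnly; SameSite=Strict",
]
_payload = base64.urlsafe_b64encode(
    b'{"role":"service_role","iss":"supabase"}').rstrip(b"=").decode()
SAMPLE_JS = (
    "const supabase = createClient(URL, 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.%s.sig');\n"
    "const stripe = 'sk_live_abcdefghijklmnopqrstuvwx';"
) % _payload


def run_sample() -> dict:
    """Run all three checks over the constructed response."""
    return {
        "missing_headers": missing_security_headers(SAMPLE_HEADERS),
        "cookies": insecure_cookies(SAMPLE_SET_COOKIE),
        "secrets": find_secrets(SAMPLE_JS),
    }


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

Note that the JWT check decodes without verifying the signature: the goal is to recognise a shipped credential, not to trust it, so any third-party key format you care about can be added the same way.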
Active Hobby+
Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.
Why we gate it: the attestation step
Active probes can, in principle, affect production: slower responses, error spikes, junk data in test stores. We require you to:
- Verify the domain via DNS TXT or HTTP file (Account → Domains).
- Attest authorization: a one-time confirmation at scan start that you are permitted to test. Server-stamped with your IP, user-agent, and timestamp, and written to audit_logs.
For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard → Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.
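The verification step above is the usual pattern of publishing a per-domain token either in a DNS TXT record or in a file on the site. The following is an added example (not FixVibe's implementation) of the check a scanner runs before unlocking active probes; the record label, file path, and the DNS/HTTP answers are assumptions constructed for the demo, with lookups injected so it runs offline. It also shows the caveat a practitioner would want: an HTTP verification file fetched through a redirect to another host must not count as proof of ownership of the claimed domain.

```python
"""Domain-ownership verification by DNS TXT record or HTTP well-known file.

Added example of the gate in front of active scanning. Record name, file
path and record format are assumptions, not FixVibe's. DNS and HTTP are
injected callables so the snippet runs offline against constructed answers.
"""
import hmac
import secrets
from typing import Callable, Dict, Iterable, Optional
from urllib.parse import urlparse

TXT_LABEL = "_fixvibe-verify"                        # assumed record name
WELL_KNOWN_PATH = "/.well-known/fixvibe-verify.txt"  # assumed file path


class FetchResult:
    """Outcome of an HTTPS GET: the URL after redirects, status, and body."""
    def __init__(self, final_url: str, status: int, body: str) -> None:
        self.final_url, self.status, self.body = final_url, status, body


TxtLookup = Callable[[str], Iterable[str]]          # fqdn -> TXT strings
HttpFetch = Callable[[str], Optional[FetchResult]]   # url -> result or None


def issue_token() -> str:
    """Unguessable per-domain token the user publishes; stored server-side."""
    return secrets.token_urlsafe(32)


def verify_txt(domain: str, token: str, lookup: TxtLookup) -> bool:
    """True if any TXT string at _fixvibe-verify.<domain> equals the token."""
    fqdn = f"{TXT_LABEL}.{domain}"
    return any(hmac.compare_digest(rec.strip().strip('"'), token) for rec in lookup(fqdn))


def verify_http(domain: str, token: str, fetch: HttpFetch) -> bool:
    """True if https://<domain>/.well-known/... serves the token from that host.

    The final URL must stay on the claimed domain: a redirect to a host the
    claimant controls elsewhere proves nothing about this domain.
    """
    res = fetch(f"https://{domain}{WELL_KNOWN_PATH}")
    if res is None or res.status != 200:
        return False
    if urlparse(res.final_url).hostname != domain:
        return False
    return hmac.compare_digest(res.body.strip(), token)


def verify_domain(domain: str, token: str, lookup: TxtLookup, fetch: HttpFetch) -> Optional[str]:
    """Return 'dns' or 'http' for the method that succeeded, else None."""
    if verify_txt(domain, token, lookup):
        return "dns"
    if verify_http(domain, token, fetch):
        return "http"
    return None


# --- constructed DNS and HTTP answers standing in for the real network ---
TOKEN = "fxv-verify-4d2f9c0e"  # fixed for the demo; real code uses issue_token()

FAKE_TXT: Dict[str, list] = {
    "_fixvibe-verify.staging.example.com": ['"fxv-verify-4d2f9c0e"'],
}
FAKE_HTTP: Dict[str, FetchResult] = {
    "https://www.example.org/.well-known/fixvibe-verify.txt": FetchResult(
        "https://www.example.org/.well-known/fixvibe-verify.txt", 200, "fxv-verify-4d2f9c0e\n"),
    # Redirects to a host the claimant owns: right token, wrong host, must fail.
    "https://shop.example.net/.well-known/fixvibe-verify.txt": FetchResult(
        "https://attacker.test/fixvibe-verify.txt", 200, "fxv-verify-4d2f9c0e"),
}


def fake_lookup(fqdn: str) -> list:
    return FAKE_TXT.get(fqdn, [])


def fake_fetch(url: str) -> Optional[FetchResult]:
    return FAKE_HTTP.get(url)


def run_sample() -> Dict[str, Optional[str]]:
    """Verify three constructed domains: TXT success, HTTP success, redirect rejected."""
    return {d: verify_domain(d, TOKEN, fake_lookup, fake_fetch)
            for d in ("staging.example.com", "www.example.org", "shop.example.net")}


if __name__ == "__main__":
    print(run_sample())
```

The token comparison uses hmac.compare_digest so a verifier that is reachable by many tenants does not leak the token byte by byte through timing, and the TXT method is tried first because it does not depend on what the web tier does with redirects.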
GitHub repository Pro+
Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.
Repo scans never write to your repo and do not store source code; only finding evidence is kept. Quota: the same scansPerMonth bucket as URL scans.
Trigger via API
curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard → Domains. Full reference: /docs/api.
Anonymous one-shot scans
The home page lets unregistered visitors run 1 passive scan per browser session. These scans expire 24 hours after creation and can be migrated to a real account by registering before they expire; the auth callback attaches the anonymous scan to the new org automatically.
