FixVibe


Scan types

FixVibe runs three kinds of scan against three kinds of target. Each has its own gating requirements, speed, and depth of impact; pick the one that fits what you are testing.

Passive

Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.

Because it is read-only, a passive scan can run against any URL: no domain verification and no attestation are needed. The trade-off is detection depth: a passive scan cannot find issues that require sending input.

What passive can catch

  • Missing security headers (HSTS, CSP, frame-options, etc.).
  • Insecure cookie attributes (missing Secure / HttpOnly / SameSite).
  • Weak TLS configuration, expired certs, missing HSTS preload.
  • Secrets in JS bundles (Supabase service keys, AWS keys, Stripe sk_, etc.).
  • Exposed source maps, debug endpoints, OpenAPI specs, GraphQL introspection.
  • Open Supabase RLS / Firebase rules / Clerk misconfiguration.
  • DNS (subdomain takeover, missing SPF/DKIM/DMARC).
  • Threat-intel lists (Spamhaus, URLhaus).
  • Outdated framework versions with known CVEs.
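
The header and cookie items in the list above can be checked without sending any crafted input, using only the response headers a normal fetch returns. The following is an added example, not FixVibe's detection code; the function names, finding ids and sample response are constructed for illustration.

```python
# Added example: read-only checks over response headers that were already received.
# Finding ids and SAMPLE are constructed; this is not FixVibe's own logic.

def parse_directives(value):
    """Split 'a; b=1; c' into {'a': '', 'b': '1', 'c': ''} with lowercase keys."""
    out = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.lower()] = val.strip()
    return out

def audit_headers(headers):
    """headers: list of (name, value) tuples. Returns a sorted list of finding ids."""
    seen = {}
    for name, value in headers:
        seen.setdefault(name.lower(), []).append(value)
    findings = set()

    hsts = seen.get("strict-transport-security")
    if not hsts:
        findings.add("hsts-missing")
    else:
        d = parse_directives(hsts[0])
        max_age = d.get("max-age", "0").strip('"')
        # Preload list requirements: max-age >= 1 year, includeSubDomains, preload.
        long_enough = max_age.isdigit() and int(max_age) >= 31536000
        if not (long_enough and "includesubdomains" in d and "preload" in d):
            findings.add("hsts-not-preload-eligible")

    csp = " ".join(seen.get("content-security-policy", [])).lower()
    if not csp:
        findings.add("csp-missing")
    # Framing is restricted by X-Frame-Options or by CSP frame-ancestors.
    if "x-frame-options" not in seen and "frame-ancestors" not in csp:
        findings.add("framing-unrestricted")

    for raw in seen.get("set-cookie", []):
        name = raw.split("=", 1)[0].strip()
        attrs = parse_directives(raw.split(";", 1)[1] if ";" in raw else "")
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.add(f"cookie-{name}-no-{flag}")
    return sorted(findings)

# Constructed sample response headers.
SAMPLE = [
    ("Strict-Transport-Security", "max-age=86400"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("Set-Cookie", "sid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Secure; HttpOnly; SameSite=Lax"),
]
```

On the sample, the short HSTS max-age and the `sid` cookie are flagged, while framing is treated as covered because the CSP carries `frame-ancestors`.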

Active Hobby+

Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.

Why it is gated: the attestation flow

Active probes can, in theory, affect production: slower responses, a rise in errors, or junk data in test stores. We require you to:

  1. Verify the domain with a DNS TXT record or an HTTP file (Account → Domains).
  2. Attest that you are authorized: a one-time acknowledgment at scan start stating that you have permission. It is stamped server-side with your IP, user-agent, and timestamp, and written to audit_logs.

For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard → Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.

GitHub repo Pro+

Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.

Repo scans never write to your repo and do not store source code; only the evidence for a finding is stored. Quota: the same scansPerMonth bucket as URL scans.

Run via the API

curl
curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard → Domains. Full reference: /docs/api.

One-time anonymous scan

The landing page lets visitors who have not yet signed up run a single passive scan per browser session. These scans expire 24 hours after creation and can be transferred to a real account if you sign up before they expire; the auth callback automatically links the anonymous scan to the new org.
