Типови скенирања

Пасивно

Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.

Бидејќи е read-only, passive може да работи против кој било URL — без domain verification, без attestation. Компромисот е depth: passive промашува сè што бара испраќање input за откривање.

Што фаќа passive

• Недостасуваат security headers (HSTS, CSP, frame-options итн.).
• Небезбедни cookie attributes (без Secure / HttpOnly / SameSite).
• Слаба TLS configuration, истечени certs, недостасува HSTS preload.
• Secrets во JS bundles (Supabase service keys, AWS keys, Stripe sk_ итн.).
• Изложени source maps, debug endpoints, OpenAPI specs, GraphQL introspection.
• Отворени Supabase RLS / Firebase rules / Clerk misconfiguration.
• DNS (subdomain takeover, недостасуваат SPF/DKIM/DMARC).
• Threat-intel listings (Spamhaus, URLhaus).
• Застарени framework versions со познати CVEs.

Активно Hobby+

Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.

Зошто го ограничуваме: attestation flow

Active probes теоретски можат да влијаат на production — slow responses, error spikes, garbage data in test stores. Бараме да:

1. Потврдите domain преку DNS TXT или HTTP file (Account → Domains).
2. Потврдите authorization — една потврда при scan-start time дека имате дозвола. Server-stamped со вашиот IP, user-agent и timestamp; запишано во audit_logs.

For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard → Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.

GitHub repository Pro+

Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.

Repo scans никогаш не пишуваат во вашиот repo и никогаш не persist-ираат source code — се складира само finding evidence. Quota: истиот scansPerMonth bucket како URL scans.

Стартување преку API

curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard → Domains. Full reference: /docs/api.

Анонимни еднократни скенирања

Home page им дозволува на unsigned-up visitors да стартуваат едно passive scan по browser session. Овие scans истекуваат 24 часа по creation и можат да се migrate-ираат во real account ако се sign up пред да истечат — auth callback автоматски го attach-ува anonymous scan кон new org.