FixVibe


Scan types

FixVibe runs three kinds of scan against three kinds of target. Each has its own gating, its own speed and its own blast radius; pick the one that matches what you are checking.

Passive

Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.

Because it is read-only, a passive scan can run against any URL: no domain verification, no attestation. The trade-off is depth: anything that only shows up when input is sent, passive misses.

What passive detects

  • Missing security headers (HSTS, CSP, frame-options and the like).
  • Insecure cookie attributes (Secure / HttpOnly / SameSite absent).
  • Weak TLS configuration, expired certs, missing HSTS preload.
  • Secrets in JS bundles (Supabase service keys, AWS keys, Stripe sk_ keys and the like).
  • Exposed source maps, debug endpoints, OpenAPI specs, GraphQL introspection.
  • Open Supabase RLS / Firebase rules / Clerk misconfiguration.
  • DNS (subdomain takeover, missing SPF/DKIM/DMARC).
  • Threat-intel lists (Spamhaus, URLhaus).
  • Outdated framework versions with known CVEs.
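The first two bullets are the kind of check a passive scan can make from a single ordinary response. The following is an added example, not FixVibe's own code: it inspects a constructed set of response headers and Set-Cookie lines for the missing headers and weak cookie attributes listed above. The sample values are made up so the code runs offline; the header set it requires is an assumption.

```python
"""Passive-style checks over one HTTP response (added example, not FixVibe code).
Nothing is fetched: the headers and cookies below are a constructed sample."""
from http.cookies import SimpleCookie

# Response headers a passive check expects on an HTTPS origin (assumed list).
# Header names are matched case-insensitively.
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS",
    "content-security-policy": "CSP",
    "x-frame-options": "frame-options",
    "x-content-type-options": "nosniff",
}

# Constructed sample: what a server might send back for GET / over HTTPS.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}
SAMPLE_SET_COOKIE = [
    "sid=abc123; Path=/; HttpOnly",                        # no Secure, no SameSite
    "theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax",  # all three present
]


def missing_security_headers(headers):
    """Return the short names of required headers absent from the response."""
    present = {name.lower() for name in headers}
    return [label for key, label in REQUIRED_HEADERS.items() if key not in present]


def insecure_cookies(set_cookie_lines):
    """Return (cookie_name, [missing attributes]) for each cookie that lacks
    Secure, HttpOnly or SameSite. Each Set-Cookie line is parsed on its own."""
    findings = []
    for line in set_cookie_lines:
        jar = SimpleCookie()
        jar.load(line)
        for name, morsel in jar.items():
            lacking = [attr for key, attr in (("secure", "Secure"),
                                              ("httponly", "HttpOnly"),
                                              ("samesite", "SameSite"))
                       if not morsel[key]]
            if lacking:
                findings.append((name, lacking))
    return findings


def passive_findings(headers, set_cookie_lines):
    """Flatten both checks into the kind of finding list a report would carry."""
    out = [f"Missing security header: {h}" for h in missing_security_headers(headers)]
    for name, lacking in insecure_cookies(set_cookie_lines):
        out.append(f"Cookie {name} lacks {', '.join(lacking)}")
    return out


if __name__ == "__main__":
    for finding in passive_findings(SAMPLE_HEADERS, SAMPLE_SET_COOKIE):
        print(finding)
```

Run against a real origin, the same functions would take the headers from the response object of whatever HTTP client you use; the point of the sample is that no request body or crafted input is involved, which is exactly why this class of check needs no authorization.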

Active (Hobby+)

Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.

Why it is gated: the attestation flow

Active probes can in principle affect production: slow responses, error spikes, garbage data in test stores. We therefore require the following:

  1. Verify the domain using a DNS TXT record or an HTTP file (Account → Domains).
  2. Attest authorization: a single confirmation at scan-start time that you have permission. It is server-stamped with your IP, user-agent and timestamp and written to audit_logs.

For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard → Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.
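To make the two conditions above concrete, here is an added example, not FixVibe's own code, of the gate an active scan start has to pass: a domain-verification check (DNS TXT or HTTP file), a server-stamped attestation record, and an authorization step that refuses and logs when either is missing. The TXT token format, the audit record fields and the sample DNS answers are assumptions constructed for the example.

```python
"""Model of the active-scan gate (added example, not FixVibe code).
Token format, record fields and the DNS answers below are assumptions."""
from datetime import datetime, timezone

# Constructed DNS answers: TXT records per domain, as a resolver would return them.
SAMPLE_TXT_RECORDS = {
    "staging.example.com": ["v=spf1 -all", "fixvibe-verify=tok_0123"],
    "unverified.example.org": ["v=spf1 -all"],
}


def domain_verified_dns(domain, expected_token, txt_records):
    """DNS TXT variant: the token issued at Account -> Domains must appear
    among the domain's TXT records (hypothetical 'fixvibe-verify=' format)."""
    return expected_token in txt_records.get(domain, [])


def domain_verified_http(expected_token, fetched_body):
    """HTTP-file variant: the body served at the verification path must equal
    the token; None means the file could not be fetched."""
    return fetched_body is not None and fetched_body.strip() == expected_token


def attest(user_id, domain, client_ip, user_agent, now=None):
    """Build the attestation as the server records it: the client only asserts
    permission, while IP, user-agent and timestamp are stamped server-side."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    return {
        "event": "active_scan_attested",
        "user": user_id,
        "domain": domain,
        "ip": client_ip,
        "user_agent": user_agent,
        "at": stamp,
    }


def authorize_active_scan(domain, verified, attestation, audit_log):
    """Both conditions must hold. A refusal is appended to audit_log too, so a
    rejected start is as visible as an accepted one."""
    if not verified:
        audit_log.append({"event": "active_scan_refused", "domain": domain,
                          "reason": "unverified_domain"})
        return False
    if attestation is None or attestation.get("domain") != domain:
        audit_log.append({"event": "active_scan_refused", "domain": domain,
                          "reason": "missing_attestation"})
        return False
    audit_log.append(attestation)
    return True


if __name__ == "__main__":
    log = []
    target = "staging.example.com"
    ok = domain_verified_dns(target, "fixvibe-verify=tok_0123", SAMPLE_TXT_RECORDS)
    att = attest("user_42", target, "203.0.113.5", "curl/8.0", None)
    print("start allowed:", authorize_active_scan(target, ok, att, log))
    print("audit entries:", log)
```

The attestation is stamped with the domain it was given for, and the authorization step compares that against the scan target; an attestation for one verified domain does not carry over to another.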

GitHub repository (Pro+)

Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.

Repo scans never write to your repo and never persist your source code; only finding evidence is stored. Quota: the same scansPerMonth bucket as URL scans.

Triggering via the API

curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard → Domains. Full reference: /docs/api.

Anonymous one-off scans

The home page lets visitors who have not signed up run a single passive scan per browser session. These scans expire 24 hours after creation; if you sign up before they expire, they are migrated to your real account: the auth callback automatically attaches the anonymous scan to the new org.
