FixVibe


Scan types

FixVibe runs three types of scans against three types of targets. Each has different gating, different speed, and a different blast radius: choose the one that matches what you are testing.

Passive

Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.

Because it is read-only, a passive scan can run against any URL: no domain verification, no attestation. The trade-off is depth: passive misses anything that requires input to be sent before it can be found.

What passive catches

  • Missing security headers (HSTS, CSP, frame-options, etc.).
  • Insecure cookie attributes (no Secure / HttpOnly / SameSite).
  • Weak TLS configuration, expired certs, missing HSTS preload.
  • Secrets in JS bundles (Supabase service keys, AWS keys, Stripe sk_, etc.).
  • Exposed source maps, debug endpoints, OpenAPI specs, GraphQL introspection.
  • Open Supabase RLS / Firebase rules / Clerk misconfiguration.
  • DNS (subdomain takeover, missing SPF/DKIM/DMARC).
  • Threat-intel lists (Spamhaus, URLhaus).
  • Outdated framework versions with known CVEs.
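The first two items above (missing security headers, insecure cookie attributes) are exactly the kind of check a read-only scan can make from a response it has already received. The following is an added illustration, not FixVibe's own scanner code: it takes a list of response headers, checks for the headers named on this page, inspects the HSTS directives (including the preload flag mentioned under TLS), and flags Set-Cookie headers that lack Secure, HttpOnly or SameSite. The sample response is constructed for the demonstration.

```python
"""Passive-style header checks over a response that was already received.

Added example, not FixVibe's own scanner code. The header names and cookie
attributes it checks are the ones listed on this page; the sample response
below is constructed for the demonstration.
"""

ONE_YEAR = 31536000  # seconds; the HSTS preload list requires at least this max-age

# Header name -> why its absence matters. Names are compared case-insensitively.
REQUIRED_HEADERS = {
    "strict-transport-security": "browsers may still connect over plain HTTP",
    "content-security-policy": "no restriction on script sources",
    "x-frame-options": "page can be framed by other origins",
    "x-content-type-options": "MIME sniffing is possible",
}


def check_required_headers(headers):
    """Return ('missing-header', name) for each required header not present."""
    present = {name.lower() for name, _ in headers}
    return [("missing-header", name) for name in REQUIRED_HEADERS if name not in present]


def check_hsts(headers):
    """Inspect HSTS directives; a missing header is reported by check_required_headers."""
    findings = []
    for name, value in headers:
        if name.lower() != "strict-transport-security":
            continue
        directives = [d.strip().lower() for d in value.split(";") if d.strip()]
        max_age = next((d.split("=", 1)[1] for d in directives if d.startswith("max-age=")), None)
        if max_age is None:
            findings.append(("hsts-no-max-age", value))
        elif not max_age.isdigit() or int(max_age) < ONE_YEAR:
            findings.append(("hsts-short-max-age", max_age))
        if "preload" not in directives:
            findings.append(("hsts-no-preload", value))
    return findings


def check_cookies(headers):
    """Flag each Set-Cookie header that lacks Secure, HttpOnly or SameSite."""
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        # Attribute names only; values (Path=/, SameSite=Lax) are not needed here.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(("cookie-no-secure", cookie_name))
        if "httponly" not in attrs:
            findings.append(("cookie-no-httponly", cookie_name))
        if "samesite" not in attrs:
            findings.append(("cookie-no-samesite", cookie_name))
    return findings


def passive_scan(headers):
    """Run every read-only check over a list of (name, value) response headers."""
    return check_required_headers(headers) + check_hsts(headers) + check_cookies(headers)


# Constructed sample: the kind of header set a staging app might return.
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=300"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; SameSite=Lax"),
]

if __name__ == "__main__":
    for check_id, detail in passive_scan(SAMPLE_RESPONSE_HEADERS):
        print(f"{check_id}: {detail}")
```

Nothing here sends crafted input: every finding is derived from headers the server chose to return, which is why this class of check needs no domain verification. Each check returns a stable identifier rather than free text so findings can be de-duplicated across re-scans.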

Active (Hobby+)

Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.

Why we gate it: the attestation flow

Active probes can in theory affect production: slow responses, spikes in errors, junk data in test stores. We require that you:

  1. Verify the domain via DNS TXT or HTTP file (Account → Domains).
  2. Attest authorization: a one-time confirmation at scan start stating that you have permission. It is server-stamped with your IP, user-agent, and timestamp, and written to audit_logs.

For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard → Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.

Repository (GitHub, Pro+)

Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.

Repo scans never write to your repo and never persist source code; only finding evidence is stored. Quota: the same scansPerMonth bucket as URL scans.

Trigger via the API

curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard → Domains. Full reference: /docs/api.

Anonymous one-off scans

The home page lets visitors who have not signed up run one passive scan per browser session. These scans expire 24 hours after creation and can be migrated to a real account by signing up before they expire: the auth callback automatically attaches the anonymous scan to the new org.
