Scan types
FixVibe runs three kinds of scans against three kinds of targets. Each has different permissions, a different speed, and a different blast radius; pick the one that matches what you are testing.
Passive
Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.
Because it is read-only, a passive scan can run against any URL: it needs no domain verification and no attestation. The trade-off is depth: passive does not reach anything that requires sending input.
What passive catches
- Missing security headers (HSTS, CSP, frame-options, etc.).
- Insecure cookie attributes (no Secure / HttpOnly / SameSite).
- Weak TLS configuration, expired certificates, missing HSTS preload.
- Secrets in JS bundles (Supabase service keys, AWS keys, Stripe sk_, etc.).
- Exposed source maps, debug endpoints, OpenAPI specs, GraphQL introspection.
- Open Supabase RLS / Firebase rules / Clerk misconfiguration.
- DNS (subdomain takeover, missing SPF/DKIM/DMARC).
- Threat-intel lists (Spamhaus, URLhaus).
- Outdated framework versions with known CVEs.
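An added example, not FixVibe's code: a read-only check covering the header, cookie and JS-bundle items in the list above, run over a constructed response and bundle. The function names, finding labels and secret patterns are assumptions made for illustration.

```python
import re

# Headers named in the list above (frame-options is handled separately below).
REQUIRED = ("strict-transport-security", "content-security-policy")
# Illustrative patterns for two of the key families the list names.
SECRET_PATTERNS = {
    "stripe-secret-key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}"),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

def check_headers(headers):
    """headers: list of (name, value) pairs as received; returns finding labels."""
    seen, cookies = {}, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)  # may repeat, so keep every occurrence
        else:
            seen[name.lower()] = value
    findings = [f"missing-header:{n}" for n in REQUIRED if n not in seen]
    csp = seen.get("content-security-policy", "").lower()
    # Framing protection can come from X-Frame-Options or CSP frame-ancestors.
    if "x-frame-options" not in seen and "frame-ancestors" not in csp:
        findings.append("missing-header:frame-options")
    for raw in cookies:
        parts = [p.strip() for p in raw.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"cookie:{cookie_name}:no-{flag}")
    return findings

def check_bundle(js_text):
    """Return the names of secret patterns found in a shipped JS bundle."""
    return sorted(n for n, rx in SECRET_PATTERNS.items() if rx.search(js_text))

# Constructed sample response headers and bundle text (not real data).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Secure; HttpOnly; SameSite=Lax"),
]
SAMPLE_BUNDLE = 'const stripe = Stripe("' + "sk_live_" + "A1b2" * 6 + '");'

if __name__ == "__main__":
    print(check_headers(SAMPLE_HEADERS))
    print(check_bundle(SAMPLE_BUNDLE))
```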
Active Hobby+
Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.
Why we gate it: the attestation flow
Active probes can, in theory, affect production: slow responses, error spikes, junk data in test stores. We require you to:
- Verify the domain via DNS TXT or an HTTP file (Account → Domains).
- Attest your authorization: when you start a scan, you confirm, one time only, that you have permission. The attestation is server-stamped with your IP, user-agent, and timestamp, and written to audit_logs.
For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard → Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.
GitHub repository Pro+
Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.
Repo scans never write to your repo and never store source code; only the evidence for a finding is stored. Quota: the same scansPerMonth bucket as URL scans.
Start from the API
curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard → Domains. Full reference: /docs/api.
One-shot anonymous scans
The landing page lets unregistered visitors run one passive scan per browser session. These scans expire 24 hours after they are created; if you sign up before they expire, they can be converted to a real account; the auth callback automatically attaches the anonymous scan to the new org.
