Scan types
FixVibe runs three types of scan against three types of target. Each differs in gating, speed, and blast radius; pick the one that matches what you are testing.
Passive scan
Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.
Because it is read-only, a passive scan can run against any URL: no domain verification, no attestation. The trade-off is depth: passive misses everything that only surfaces when input is sent.
What passive catches
- Missing security headers (HSTS, CSP, frame-options, etc.).
- Insecure cookie attributes (Secure / HttpOnly / SameSite absent).
- Weak TLS configuration, expired certificate, missing HSTS preload.
- Secrets inside JS bundles (Supabase service key, AWS key, Stripe sk_, etc.).
- Exposed source maps, debug endpoints, OpenAPI specs, GraphQL introspection.
- Open Supabase RLS / Firebase rules / Clerk misconfiguration.
- DNS (subdomain takeover, missing SPF/DKIM/DMARC).
- Threat-intel listings (Spamhaus, URLhaus).
- Outdated framework versions with known CVEs.
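As an added illustration (not FixVibe's own code) of the first two classes in the list above, this is a miniature passive check for missing security headers and weak cookie attributes, run over a constructed HTTP response instead of a live fetch. The header names, finding wording, and sample response are assumptions made for the example.

```python
# Added example, not FixVibe's scanner: passive header/cookie checks over
# constructed response headers, so it runs offline with no network access.

# Headers a passive scan expects on an HTTPS response, with the finding
# reported when one is absent (wording constructed for this example).
REQUIRED_HEADERS = {
    "strict-transport-security": "Missing HSTS header",
    "content-security-policy": "Missing CSP header",
    "x-frame-options": "Missing frame-options header",
}

def missing_headers(headers):
    """Findings for required headers absent from a list of (name, value) pairs.
    Header names are case-insensitive, so compare lowercased."""
    present = {name.lower() for name, _ in headers}
    return [msg for name, msg in REQUIRED_HEADERS.items() if name not in present]

def insecure_cookies(headers):
    """Findings for Set-Cookie headers lacking Secure, HttpOnly or SameSite."""
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        # Attribute names only; values such as SameSite=Lax are not inspected.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [a for a in ("Secure", "HttpOnly", "SameSite") if a.lower() not in attrs]
        if missing:
            findings.append(f"Cookie {cookie_name} lacks {', '.join(missing)}")
    return findings

def passive_audit(headers):
    """All findings a passive scan of this kind would report for the response."""
    return missing_headers(headers) + insecure_cookies(headers)

# Constructed sample response: HSTS present, CSP and frame-options absent,
# one hardened cookie and one cookie without Secure or SameSite.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "tracking=xyz; Path=/; HttpOnly"),
]

if __name__ == "__main__":
    for finding in passive_audit(SAMPLE_HEADERS):
        print(finding)
```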
Active scan (Hobby+)
Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.
Why we gate: the attestation flow
Active probes can, in principle, affect production: slow responses, error spikes, garbage data in a test store. We require you to:
- Verify the domain via a DNS TXT record or an HTTP file (Account → Domains).
- Attest authorization: a one-time confirmation at scan start that you have permission. It is server-stamped with your IP, user-agent, and timestamp, and written to audit_logs.
For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard → Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.
GitHub repository scan (Pro+)
Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.
A repo scan never writes to your repo and does not persist source code; only finding evidence is stored. Quota: the same scansPerMonth bucket as URL scans.
Trigger via the API
curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

The REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard → Domains. Full reference: /docs/api.
Anonymous one-shot scan
The home page lets visitors who have not signed up run one passive scan per browser session. These scans expire 24 hours after creation and can be migrated to a real account if you sign up before they expire: the auth callback automatically attaches the anonymous scan to the new org.
