Scan types
FixVibe runs three kinds of scans against three kinds of targets. Each has its own gating, speed, and blast radius; pick the one that matches what you are testing.
Passive
Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.
Because it is read-only, a passive scan can run against any URL: no domain verification, no attestation. The trade-off is depth: passive misses anything that requires sending input to discover.
What passive catches
- Missing security headers (HSTS, CSP, frame-options, and others).
- Insecure cookie attributes (Secure / HttpOnly / SameSite missing).
- Weak TLS configuration, expired certs, missing HSTS preload.
- Secrets in JS bundles (Supabase service keys, AWS keys, Stripe sk_, and others).
- Exposed source maps, debug endpoints, OpenAPI specs, GraphQL introspection.
- Open Supabase RLS / Firebase rules / Clerk misconfiguration.
- DNS (subdomain takeover, missing SPF/DKIM/DMARC).
- Threat-intel listings (Spamhaus, URLhaus).
- Outdated framework versions with known CVEs.
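As an added illustration of the header and cookie checks in the list above (example code, not FixVibe's scanner), here is a minimal passive check that inspects only what a plain, browser-like fetch returns; the sample headers and Set-Cookie values are constructed, not captured from a real site.

```python
# Added example (not FixVibe's code): a minimal passive check that inspects only
# what a plain, browser-like fetch returns, so it sends no crafted input.
from http.cookies import SimpleCookie

# Header -> label used in findings; lookups are case-insensitive.
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS",
    "content-security-policy": "CSP",
    "x-frame-options": "frame-options",
}

def check_headers(headers: dict) -> list:
    """Report missing security headers and an HSTS policy without 'preload'."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing {label} header ({name})"
                for name, label in REQUIRED_HEADERS.items() if name not in lower]
    hsts = lower.get("strict-transport-security", "")
    if hsts and "preload" not in hsts.lower():
        findings.append("HSTS set without the 'preload' directive")
    return findings

def check_cookies(set_cookie_values: list) -> list:
    """Report cookies lacking Secure, HttpOnly, or SameSite attributes."""
    findings = []
    for raw in set_cookie_values:
        jar = SimpleCookie()
        jar.load(raw)  # parses one Set-Cookie header value
        for name, morsel in jar.items():
            # Flag attributes are True when present; SameSite holds its value or "".
            missing = [attr for attr, key in (("Secure", "secure"),
                                                ("HttpOnly", "httponly"),
                                                ("SameSite", "samesite"))
                       if not morsel[key]]
            if missing:
                findings.append(f"cookie {name!r} missing {', '.join(missing)}")
    return findings

# Constructed sample response from a hypothetical site (no real target).
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000",
    "X-Frame-Options": "DENY",
}
SAMPLE_SET_COOKIES = [
    "session=abc123; Path=/; HttpOnly",
    "theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for finding in check_headers(SAMPLE_HEADERS) + check_cookies(SAMPLE_SET_COOKIES):
        print(finding)
```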
Active (Hobby+)
Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.
Why we gate it: the attestation flow
Active probes can in principle affect production: slow responses, error spikes, garbage data in test stores. We require you to:
- Verify the domain via a DNS TXT record or an HTTP file (Account → Domains).
- Attest authorization: a confirmation at scan start that you have permission. It is server-stamped with your IP, user-agent, and timestamp, and written to audit_logs.
For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard → Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.
GitHub repository (Pro+)
Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.
Repo scans never write to your repo and never persist source code; only finding evidence is stored. Quota: the same scansPerMonth bucket as URL scans.
Triggering via the API
```bash
curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'
```
The REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard → Domains. Full reference: /docs/api.
Anonymous one-shot scans
The home page lets visitors who have not signed up run one passive scan per browser session. These scans expire 24 hours after creation and can be migrated to a real account if you sign up before they expire; the auth callback automatically attaches the anonymous scan to the new org.
