FixVibe


Scan types

FixVibe runs three kinds of scans against three kinds of targets. Each has different gating, different speed, and a different blast radius, so pick the one that matches what you're testing.

Passive

Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.

Because it's read-only, passive can run against any URL, with no domain verification and no attestation. The trade-off is depth: passive misses everything that requires sending input to discover.

What passive catches

  • Missing security headers (HSTS, CSP, frame-options, etc.).
  • Insecure cookie attributes (no Secure / HttpOnly / SameSite).
  • Weak TLS configuration, expired certs, missing HSTS preload.
  • Secrets in JS bundles (Supabase service keys, AWS keys, Stripe sk_, etc.).
  • Exposed source maps, debug endpoints, OpenAPI specs, GraphQL introspection.
  • Open Supabase RLS / Firebase rules / Clerk misconfiguration.
  • DNS (subdomain takeover, missing SPF/DKIM/DMARC).
  • Threat-intel listings (Spamhaus, URLhaus).
  • Outdated framework versions with known CVEs.
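Two of the passive checks listed above (missing security headers and insecure cookie attributes) as an added example, not FixVibe's own code: it inspects a constructed HTTP response the way a read-only scan would, without sending any crafted input. The header set and the finding wording are this example's own assumptions.

```python
"""Passive-style checks over response headers and Set-Cookie lines.

Added example (not FixVibe code). Read-only: it only inspects a response
that an ordinary GET would already have returned.
"""
from http.cookies import SimpleCookie

# Security headers a passive scan expects on an HTTPS response (assumed set).
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing",
    "content-security-policy": "CSP missing",
    "x-frame-options": "frame-options missing",
}


def missing_security_headers(headers: dict) -> list:
    """Return one finding per required header absent from the response."""
    present = {name.lower() for name in headers}
    return [msg for name, msg in REQUIRED_HEADERS.items() if name not in present]


def insecure_cookies(set_cookie_lines: list) -> list:
    """Flag each Set-Cookie value lacking Secure, HttpOnly or SameSite."""
    findings = []
    for line in set_cookie_lines:
        jar = SimpleCookie()
        jar.load(line)  # parses "name=value; Attr; Attr=val" into Morsels
        for name, morsel in jar.items():
            lacking = [attr for attr, key in (("Secure", "secure"),
                                              ("HttpOnly", "httponly"),
                                              ("SameSite", "samesite"))
                       if not morsel[key]]  # flags are True when set, "" otherwise
            if lacking:
                findings.append(f"cookie {name} missing {', '.join(lacking)}")
    return findings


def passive_findings(headers: dict, set_cookie_lines: list) -> list:
    """Combine both checks into one finding list."""
    return missing_security_headers(headers) + insecure_cookies(set_cookie_lines)


# Constructed sample response: no HSTS/CSP, one cookie without Secure/SameSite.
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "DENY"}
SAMPLE_COOKIES = ["session=abc123; Path=/; HttpOnly",
                  "theme=dark; Secure; SameSite=Lax"]

if __name__ == "__main__":
    for finding in passive_findings(SAMPLE_HEADERS, SAMPLE_COOKIES):
        print(finding)
```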

Active (Hobby+)

Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.

Why we gate it: the attestation flow

Active probes can theoretically affect production: slow responses, error spikes, garbage data in test stores. We require you to:

  1. Verify the domain via a DNS TXT record or an HTTP file (Account → Domains).
  2. Attest authorization, a single confirmation at scan-start time saying you have permission. It is server-stamped with your IP, user-agent, and timestamp, and written to audit_logs.

For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard → Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.

GitHub repository (Pro+)

Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.

Repo scans never write to your repo and never persist source code; only finding evidence is stored. Quota: same scansPerMonth bucket as URL scans.

Trigger via API

curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard → Domains. Full reference: /docs/api.

Anonymous one-shot scans

The home page lets unsigned-up visitors run a single passive scan per browser session. These scans expire 24 hours after creation and can be migrated to a real account by signing up before they expire; the auth callback automatically attaches the anonymous scan to the new org.
