FixVibe


Scan types

FixVibe runs three kinds of scans against three kinds of targets. Each has its own gating, speed, and blast radius; choose the one that matches what you are testing.

Passive

Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.

Because it is read-only, a passive scan can run against any URL: no domain verification, no attestation. The trade-off is depth: passive misses everything that can only be discovered by sending input.

What passive catches

  • Missing security headers (HSTS, CSP, frame-options, etc.).
  • Insecure cookie attributes (missing Secure / HttpOnly / SameSite).
  • Weak TLS configuration, expired certs, missing HSTS preload.
  • Secrets in JS bundles (Supabase service keys, AWS keys, Stripe sk_, etc.).
  • Exposed source maps, debug endpoints, OpenAPI specs, GraphQL introspection.
  • Open Supabase RLS / Firebase rules / Clerk misconfiguration.
  • DNS (subdomain takeover, missing SPF/DKIM/DMARC).
  • Threat-intel listings (Spamhaus, URLhaus).
  • Outdated framework versions with known CVEs.
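The first two items above, as an added example that is not FixVibe's own scanner code: a read-only check over one captured response's headers that reports missing security headers and insecure cookie attributes. The header list and findings wording are assumptions for illustration, and the sample response is constructed.

```python
from typing import Dict, List, Tuple

def parse_cookie_attrs(set_cookie: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, lowercase attribute -> value)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name, attrs

def passive_check(headers: List[Tuple[str, str]], https: bool = True) -> List[str]:
    """Return findings for a response captured from a normal fetch; nothing is sent back."""
    findings: List[str] = []
    # Set-Cookie may repeat, so keep it out of the single-valued header map.
    lower = {k.lower(): v for k, v in headers if k.lower() != "set-cookie"}
    if https and "strict-transport-security" not in lower:
        findings.append("Missing HSTS")  # HSTS is only meaningful over HTTPS
    csp = lower.get("content-security-policy", "")
    if not csp:
        findings.append("Missing CSP")
    # A CSP frame-ancestors directive supersedes X-Frame-Options; flag only when neither is set.
    if "x-frame-options" not in lower and "frame-ancestors" not in csp.lower():
        findings.append("Missing frame-options")
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        name, attrs = parse_cookie_attrs(v)
        if https and "secure" not in attrs:
            findings.append(f"Cookie {name} missing Secure")
        if "httponly" not in attrs:
            findings.append(f"Cookie {name} missing HttpOnly")
        if "samesite" not in attrs:
            findings.append(f"Cookie {name} missing SameSite")
    return findings

# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; SameSite=Lax"),
]

if __name__ == "__main__":
    for finding in passive_check(SAMPLE_HEADERS):
        print(finding)
```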

Active (Hobby+)

Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.

Why we gate it: the attestation flow

Active probes can in principle affect production: slow responses, error spikes, garbage data in test stores. We require you to:

  1. Verify the domain via a DNS TXT record or an HTTP file (Account → Domains).
  2. Attest authorization: a confirmation at scan start that you have permission. It is server-stamped with your IP, user-agent, and timestamp, and written to audit_logs.

For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard → Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.

GitHub repository (Pro+)

Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.

Repo scans never write to your repo and do not persist source code; only finding evidence is stored. Quota: the same scansPerMonth bucket as URL scans.

Triggering via the API

curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard → Domains. Full reference: /docs/api.

Anonymous one-shot scans

The home page lets visitors who have not signed up run one passive scan per browser session. These scans expire 24 hours after creation and can be migrated to a real account by signing up before they expire; the auth callback automatically attaches the anonymous scan to the new org.
