// docs / scans

Scan වර්ග

FixVibe target වර්ග තුනකට විරුද්ධව scan වර්ග තුනක් ධාවනය කරයි. එක් එක් එකට වෙනස් gating, වෙනස් speed, සහ වෙනස් blast radius ඇත — ඔබ පරීක්ෂා කරන දෙයට ගැළපෙන එක තෝරන්න.

Passive (නිෂ්ක්‍රීය)

Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.

එය read-only බැවින්, passive ඕනෑම URL එකකට run කළ හැක — domain verification නැත, attestation නැත. Trade-off එක depth වේ: input යවීමෙන් පමණක් සොයාගත හැකි සියල්ල passive මගහරී.

Passive අල්ලාගන්නා දේ

Missing security headers (HSTS, CSP, frame-options, ආදිය).
අසුරක්ෂිත cookie attributes (Secure / HttpOnly / SameSite නැත).
දුර්වල TLS configuration, expired certs, missing HSTS preload.
JS bundles තුළ secrets (Supabase service keys, AWS keys, Stripe sk_, ආදිය).
නිරාවරණය වූ source maps, debug endpoints, OpenAPI specs, GraphQL introspection.
විවෘත Supabase RLS / Firebase rules / Clerk misconfiguration.
DNS (subdomain takeover, missing SPF/DKIM/DMARC).
Threat-intel listings (Spamhaus, URLhaus).
Known CVEs සහිත outdated framework versions.

Active (සක්‍රීය) Hobby+

Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.

අපි එය gate කරන්නේ ඇයි: attestation flow

Active probes production වෙත theory අනුව බලපෑ හැක — slow responses, error spikes, test stores තුළ garbage data. අපි ඔබගෙන් ඉල්ලා සිටින්නේ:

DNS TXT හෝ HTTP file හරහා (Account → Domains) domain එක verify කරන්න.
Authorization attest කරන්න — scan-start වේලාවේ, ඔබට අවසර ඇතැයි පවසන තනි confirmation එකක්. ඔබගේ IP, user-agent, සහ timestamp සමඟ server-stamped; audit_logs වෙත ලියනු ලැබේ.

For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard → Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.

GitHub repository scan Pro+

Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.

Repo scans ඔබගේ repo වෙත කිසිදා write නොකරන අතර source code persist නොකරයි — stored වන්නේ finding evidence පමණි. Quota: URL scans සමඟම එකම scansPerMonth bucket.

API හරහා trigger කරන්න

curl

curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard → Domains. Full reference: /docs/api.

Anonymous one-shot scans (එක්වර scans)

Home page එක unsigned-up visitors ට browser session එකකට single passive scan එකක් run කිරීමට ඉඩ දෙයි. මෙම scans නිර්මාණයෙන් පැය 24කට පසු expire වන අතර expire වීමට පෙර sign up වීමෙන් real account එකකට migrate කළ හැක — auth callback එක anonymous scan එක new org එකට automatically attach කරයි.