FixVibe


Scan types

FixVibe runs three scan types against three kinds of targets. Each has different gating, different speed, and a different blast radius; choose the one that matches the test you want to run.

Passive

Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.

Because it is read-only, a passive scan can run against any URL: no domain verification, no attestation. The trade-off is depth: passive misses everything that can only be detected by sending input.

What passive finds

  • Missing security headers (HSTS, CSP, frame-options, etc.).
  • Insecure cookie attributes (no Secure / HttpOnly / SameSite).
  • Weak TLS configuration, expired certs, missing HSTS preload.
  • Secrets in JS bundles (Supabase service keys, AWS keys, Stripe sk_, etc.).
  • Exposed source maps, debug endpoints, OpenAPI specs, GraphQL introspection.
  • Open Supabase RLS / Firebase rules / Clerk misconfiguration.
  • DNS (subdomain takeover, missing SPF/DKIM/DMARC).
  • Threat-intel listings (Spamhaus, URLhaus).
  • Outdated framework versions with known CVEs.
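To make the read-only nature of these checks concrete, here is an added illustration (not FixVibe's own scanner code) of three of the classes above, run over a constructed HTTP response: security-header presence and HSTS strength, Set-Cookie attribute checks, and a secret-pattern sweep over a JS bundle. The header list, thresholds and secret regexes are assumptions chosen for the example; the bundle contains only a documented AWS example key and a made-up Stripe-shaped token.

```python
import re

# Headers (lower-cased) that a passive check expects on an HTML response.
# The set and labels are this example's assumption, not FixVibe's full list.
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS",
    "content-security-policy": "CSP",
    "x-frame-options": "frame-options",
    "x-content-type-options": "nosniff",
}

# One year in seconds: the minimum max-age most HSTS guidance (and preload) expects.
HSTS_MIN_AGE = 31536000


def check_headers(headers):
    """Findings for missing or weak security headers.
    `headers` maps lower-cased header name -> value for single-valued headers."""
    findings = []
    for name, label in REQUIRED_HEADERS.items():
        if name not in headers:
            findings.append(f"missing {label} header ({name})")
    hsts = headers.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if m and int(m.group(1)) < HSTS_MIN_AGE:
        findings.append(f"HSTS max-age too short ({m.group(1)}s)")
    if m and "preload" not in hsts.lower():
        findings.append("HSTS preload directive missing")
    return findings


def check_cookies(set_cookie_values):
    """One finding per cookie attribute (Secure / HttpOnly / SameSite) that is absent."""
    findings = []
    for raw in set_cookie_values:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for required in ("secure", "httponly", "samesite"):
            if required not in attrs:
                findings.append(f"cookie {name}: missing {required}")
    return findings


# Example secret shapes; a real scanner carries many more patterns.
SECRET_PATTERNS = {
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Stripe secret key": re.compile(r"\bsk_(live|test)_[0-9A-Za-z]{10,}\b"),
}


def check_bundle(js_text):
    """Findings for secret-shaped tokens in a client-side JS bundle (redacted in output)."""
    findings = []
    for label, pat in SECRET_PATTERNS.items():
        for m in pat.finditer(js_text):
            findings.append(f"{label} in bundle: {m.group(0)[:8]}...")
    return findings


def passive_scan(response):
    """Combine the three checks over one fetched response (a dict, see SAMPLE_RESPONSE)."""
    return (check_headers(response["headers"])
            + check_cookies(response["set_cookie"])
            + check_bundle(response["bundle"]))


# Constructed sample standing in for one GET of the target and its main bundle.
SAMPLE_RESPONSE = {
    "headers": {
        "content-type": "text/html; charset=utf-8",
        "strict-transport-security": "max-age=300",
        "x-frame-options": "DENY",
    },
    "set_cookie": [
        "session=abc123; Path=/; HttpOnly",
        "theme=dark; Path=/; Secure; SameSite=Lax",
    ],
    # AKIAIOSFODNN7EXAMPLE is the key id used in AWS documentation; the Stripe
    # token is a constructed, non-functional placeholder.
    "bundle": 'const aws = "AKIAIOSFODNN7EXAMPLE"; '
              'const stripe = Stripe("sk_test_51ExampleFakeKey000000");',
}

if __name__ == "__main__":
    for finding in passive_scan(SAMPLE_RESPONSE):
        print(finding)
```

Everything here is derived from a single ordinary fetch, which is why such checks need no authorization; none of them sends input the server would not receive from a normal browser.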

Active (Hobby+)

Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.

Why it is gated: the attestation flow

Active probes can affect production: slow responses, error spikes, garbage data in test stores. We need you to:

  1. Verify the domain via a DNS TXT record or an HTTP file (Account → Domains).
  2. Attest authorization: a one-time confirmation at scan-start time that you have permission. It is server-stamped with your IP, user-agent, and timestamp, and written to audit_logs.

For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard → Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.

GitHub repository (Pro+)

Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.

Repo scans never write to your repo and do not persist source code; only finding evidence is stored. Quota: they draw from the same scansPerMonth bucket as URL scans.

Trigger via API

curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard → Domains. Full reference: /docs/api.

Anonymous one-shot scans

The home page lets visitors without an account run one passive scan per browser session. These scans expire 24 hours after creation and can be migrated into a real account if you sign up before they expire; the auth callback automatically attaches the anonymous scan to the new org.
