FixVibe

Scan types

FixVibe runs three scan types against three kinds of targets. Each has different controls, different speed, and a different blast radius: pick the one that matches what you are testing.

Passive

Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.

Because it is read-only, a passive scan can be run against any URL: no domain verification, no attestation. The trade-off is depth: a passive scan misses everything that requires sending input to be detected.

What a passive scan catches

  • Missing security headers (HSTS, CSP, frame-options, etc.).
  • Insecure cookie attributes (no Secure / HttpOnly / SameSite).
  • Weak TLS configuration, expired certificates, missing HSTS preload.
  • Secrets in JS bundles (Supabase service keys, AWS keys, Stripe sk_, etc.).
  • Exposed source maps, debug endpoints, OpenAPI specs, GraphQL introspection.
  • Open Supabase RLS / Firebase rules / Clerk misconfiguration.
  • DNS (subdomain takeover, missing SPF/DKIM/DMARC).
  • Threat-intel lists (Spamhaus, URLhaus).
  • Outdated framework versions with known CVEs.
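As an added example (not FixVibe's own code), this is the kind of read-only check a passive scan performs on a response it has already fetched: it inspects shipped headers for the missing security headers and insecure cookie attributes listed above without sending anything beyond the ordinary fetch. The function name passive_findings and the SAMPLE_HEADERS are constructed for the example.

```python
"""Passive checks over captured HTTP response headers (added example, not FixVibe code)."""
from collections import defaultdict

# Headers a passive scan expects on an HTTPS response (HSTS, CSP, frame-options).
REQUIRED_HEADERS = {
    "strict-transport-security": "missing HSTS header",
    "content-security-policy": "missing CSP header",
    "x-frame-options": "missing X-Frame-Options (or CSP frame-ancestors)",
}
# Cookie attributes whose absence a passive scan reports.
COOKIE_FLAGS = ("secure", "httponly", "samesite")


def passive_findings(headers):
    """Return finding strings for a list of (name, value) response headers.

    Header names are matched case-insensitively. Each Set-Cookie line is
    examined on its own because every cookie carries its own attributes.
    """
    present = defaultdict(list)
    for name, value in headers:
        present[name.lower()].append(value)
    findings = []
    # A CSP that declares frame-ancestors makes X-Frame-Options redundant.
    csp = " ".join(present.get("content-security-policy", []))
    for name, message in REQUIRED_HEADERS.items():
        if name == "x-frame-options" and "frame-ancestors" in csp:
            continue
        if name not in present:
            findings.append(message)
    for raw in present.get("set-cookie", []):
        parts = [p.strip() for p in raw.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [flag for flag in COOKIE_FLAGS if flag not in attrs]
        if missing:
            findings.append(f"cookie {cookie_name!r} missing {', '.join(missing)}")
    return findings


# Constructed sample headers, as a browser-like fetch of an HTTPS page might return.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for finding in passive_findings(SAMPLE_HEADERS):
        print(finding)
```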

Active Hobby+

Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.

Why we gate it: the attestation flow

Active checks can in theory affect production: slower responses, error spikes, junk data in test stores. We require you to:

  1. Verify the domain via DNS TXT or an HTTP file (Account → Domains).
  2. Attest authorization: a one-time confirmation when starting the scan stating that you have permission. The server records your IP, user-agent, and timestamp; these are written to audit_logs.

For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard → Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.

GitHub repository Pro+

Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.

Repo scans write nothing to your repo and do not store source code; only finding evidence is retained. Quota: the same scansPerMonth bucket as URL scans.

Start via API

curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard → Domains. Full reference: /docs/api.

One-off scans without an account

The home page lets unregistered visitors run one passive scan per browser session. These scans expire 24 hours after creation and can be migrated to a real account by signing up before they expire; the auth callback automatically attaches the anonymous scan to the new org.
