Намудҳои скан

Passive

Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.

Азбаски он read-only аст, passive метавонад зидди ҳар URL иҷро шавад — бе domain verification, бе attestation. Trade-off чуқурӣ аст: passive ҳама чизеро, ки барои discover фиристодани input мехоҳад, аз даст медиҳад.

Passive чиро меёбад

• Security headers-и гумшуда (HSTS, CSP, frame-options ва ғайра).
• Атрибутҳои cookie-и insecure (бе Secure / HttpOnly / SameSite).
• Конфигуратсияи заифи TLS, cert-ҳои expired, HSTS preload-и гумшуда.
• Secrets дар JS bundles (Supabase service keys, AWS keys, Stripe sk_ ва ғайра).
• Source maps, debug endpoints, OpenAPI specs, GraphQL introspection-и exposed.
• Supabase RLS / Firebase rules / Clerk misconfiguration-и кушода.
• DNS (subdomain takeover, SPF/DKIM/DMARC-и гумшуда).
• Рӯйхатшавии threat-intel (Spamhaus, URLhaus).
• Версияҳои кӯҳнаи framework бо CVE-ҳои маълум.

Active Hobby+

Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.

Чаро онро gate мекунем: ҷараёни attestation

Active probes назариявӣ метавонанд ба production таъсир расонанд — slow responses, error spikes, garbage data дар test stores. Мо аз шумо талаб мекунем:

1. Доменро тасдиқ кунед тавассути DNS TXT ё HTTP file (Account → Domains).
2. Authorization-ро attest кунед — як тасдиқи ягона дар вақти scan-start, ки шумо иҷозат доред. Бо IP, user-agent ва timestamp-и шумо server-stamped мешавад; ба audit_logs навишта мешавад.

For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard → Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.

GitHub repository Pro+

Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.

Repo scans ҳеҷ гоҳ ба repo-и шумо наменависанд ва source code-ро persist намекунанд — танҳо finding evidence нигоҳ дошта мешавад. Quota: ҳамон bucket-и scansPerMonth мисли URL scans.

Trigger тавассути API

curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard → Domains. Full reference: /docs/api.

Сканҳои anonymous one-shot

Home page ба меҳмонони unsigned-up иҷозат медиҳад, ки барои ҳар browser session як passive scan иҷро кунанд. Ин scan-ҳо 24 соат пас аз creation expire мешаванд ва агар пеш аз expire шудан sign up кунед, ба ҳисоби воқеӣ migrate мешаванд — auth callback scan-и anonymous-ро худкор ба org-и нав attach мекунад.