FixVibe


Scan types

FixVibe runs three kinds of scans against three kinds of targets. Each has different gating, different speed and a different blast radius; pick the one that matches what you are testing.

Passive

Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.

Because it is read-only, a passive scan can run against any URL: no domain verification, no attestation. The trade-off is depth: passive misses everything that requires sending input.

What passive catches

  • Missing security headers (HSTS, CSP, frame-options, etc.).
  • Insecure cookie attributes (no Secure / HttpOnly / SameSite).
  • Weak TLS configuration, expired certs, missing HSTS preload.
  • Secrets in JS bundles (Supabase service keys, AWS keys, Stripe sk_, etc.).
  • Exposed source maps, debug endpoints, OpenAPI specs, GraphQL introspection.
  • Open Supabase RLS / Firebase rules / Clerk misconfiguration.
  • DNS (subdomain takeover, missing SPF/DKIM/DMARC).
  • Threat-intel listings (Spamhaus, URLhaus).
  • Outdated framework versions with known CVEs.
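To make the first two classes in the list concrete, here is an added example (not FixVibe's own scanner code) of a passive check: it inspects an already-captured response for missing or weak security headers and for cookies lacking Secure, HttpOnly or SameSite, and never sends crafted input. The header names, thresholds and sample response are assumptions constructed for the example.

```python
from typing import Dict, List

# Headers a passive scan expects on an HTTPS origin, with the finding text for each.
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing",
    "content-security-policy": "CSP missing",
    "x-content-type-options": "MIME sniffing not disabled",
}


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for missing or weak security headers (names compared case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [msg for name, msg in REQUIRED_HEADERS.items() if name not in h]
    # Frame protection may come from X-Frame-Options or from CSP frame-ancestors.
    csp = h.get("content-security-policy", "")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options / frame-ancestors)")
    hsts = h.get("strict-transport-security", "")
    if hsts:
        max_age = 0
        for part in hsts.split(";"):
            key, _, val = part.strip().partition("=")
            if key.lower() == "max-age" and val.strip().isdigit():
                max_age = int(val)
        if max_age < 31536000:  # preload lists require at least one year
            findings.append("HSTS max-age below one year")
    return findings


def check_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Return one finding per Set-Cookie line lacking Secure, HttpOnly or SameSite."""
    findings = []
    for line in set_cookie_headers:
        parts = [p.strip() for p in line.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
        if missing:
            findings.append(f"cookie {name} missing {', '.join(missing)}")
    return findings


# Constructed sample response (not captured from a real site): short HSTS, no CSP,
# and a session cookie without HttpOnly / SameSite.
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=300", "Content-Type": "text/html"}
SAMPLE_COOKIES = ["sid=abc123; Path=/; Secure",
                  "theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    for f in check_headers(SAMPLE_HEADERS) + check_cookies(SAMPLE_COOKIES):
        print("FINDING:", f)
```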

Active (Hobby+)

Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.

Why we gate it: the attestation process

Active probes can, in theory, affect production: slower responses, error spikes, garbage data in test stores. We therefore require the following from you:

  1. Verify the domain via a DNS TXT record or an HTTP file (Account → Domains).
  2. Attest authorization: at scan-start time, a single confirmation that you have permission to test. It is stamped server-side with your IP, user-agent and timestamp, and written to audit_logs.

For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard → Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.

GitHub repository (Pro+)

Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.

Repo scans never write to your repo and never store your source code; only finding evidence is retained. Quota: the same scansPerMonth bucket as URL scans.

Start via the API

curl
curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard → Domains. Full reference: /docs/api.

Anonymous one-shot scans

The home page lets unregistered visitors run one passive scan per browser session. These scans are deleted 24 hours after creation; signing up before then migrates them to a real account, and the auth callback automatically attaches the anonymous scan to the new org.
