Scan types
FixVibe runs three different kinds of scans against three different kinds of targets. Each has its own gating, speed, and blast radius; choose the one that fits what you are testing.
Passive
Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.
Because it is read-only, a passive scan can run against any URL: no domain verification, no attestation. The trade-off is depth: passive misses anything that can only be found by sending input.
What passive catches
- Missing security headers (HSTS, CSP, frame-options, etc.).
- Insecure cookie attributes (missing Secure / HttpOnly / SameSite).
- Weak TLS configuration, expired certs, missing HSTS preload.
- Secrets inside JS bundles (Supabase service keys, AWS keys, Stripe sk_ keys, etc.).
- Exposed source maps, debug endpoints, OpenAPI specs, GraphQL introspection.
- Open Supabase RLS / Firebase rules / Clerk misconfiguration.
- DNS (subdomain takeover, missing SPF/DKIM/DMARC).
- Threat-intel listings (Spamhaus, URLhaus).
- Outdated framework versions with known CVEs.
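As an added illustration of the first two passive checks above (this is example code, not FixVibe's scanner), the function below inspects the response headers a normal browser fetch would already receive and reports missing security headers and cookies lacking Secure / HttpOnly / SameSite. It sends nothing; the sample headers are constructed inline.

```python
# Added example, not FixVibe's own code: a read-only header check in the
# spirit of a passive scan. Only already-received response headers are
# inspected; no request of any kind is sent.
from __future__ import annotations

# Header name -> finding text when the header is absent.
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing",
    "content-security-policy": "CSP missing",
    "x-frame-options": "frame-options missing",
}
# Cookie attributes a passive check expects on every Set-Cookie.
COOKIE_FLAGS = ("secure", "httponly", "samesite")


def check_headers(headers: list[tuple[str, str]]) -> list[str]:
    """Return findings for a list of (name, value) response headers.

    Names are matched case-insensitively. Set-Cookie may repeat, so the
    list form is kept instead of collapsing headers into a dict.
    """
    names = {name.lower() for name, _ in headers}
    findings = [msg for hdr, msg in REQUIRED_HEADERS.items() if hdr not in names]
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        # Attributes follow the first ';' and may carry values (SameSite=Strict).
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        missing = [flag for flag in COOKIE_FLAGS if flag not in attrs]
        if missing:
            findings.append(f"cookie {cookie_name}: missing " + "/".join(missing))
    return findings


# Constructed sample headers, as a browser-style fetch might receive them.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "csrf=xyz; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

if __name__ == "__main__":
    for finding in check_headers(SAMPLE_HEADERS):
        print("-", finding)
```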
Active (Hobby+)
Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.
Why we gate it: the attestation flow
Active probes can in theory affect production: slow responses, error spikes, garbage data in test stores. We require the following from you:
- Verify the domain via a DNS TXT record or an HTTP file (Account → Domains).
- Attest authorization: a single confirmation at scan start stating that you have permission. It is server-stamped with IP, user-agent and timestamp and written to audit_logs.
For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard → Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.
GitHub repository (Pro+)
Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.
Repo scans never write to your repo and never persist your source code; only finding evidence is stored. Quota: the same scansPerMonth bucket as URL scans.
Trigger via the API

```shell
curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'
```

The REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard → Domains. Full reference: /docs/api.
Anonymous one-shot scans
The home page lets visitors who have not signed up run one passive scan per browser session. These scans expire 24 hours after creation; if the visitor signs up before expiry, the scan is migrated to the real account: the auth callback automatically attaches the anonymous scan to the new org.
