Scan types
FixVibe runs three kinds of scan against three kinds of target. They differ in gating, speed, and blast radius; pick the one that matches what you are testing.
Passive scan
Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.
Because it is read-only, a passive scan can run against any URL: no domain verification, no attestation. The trade-off is depth: passive misses everything that requires sending input to discover.
What passive finds
- Missing security headers (HSTS, CSP, frame-options, etc.).
- Insecure cookie attributes (no Secure / HttpOnly / SameSite).
- Weak TLS configuration, expired certs, missing HSTS preload.
- Secrets in JS bundles (Supabase service keys, AWS keys, Stripe sk_, etc.).
- Exposed source maps, debug endpoints, OpenAPI specs, GraphQL introspection.
- Open Supabase RLS / Firebase rules / Clerk misconfiguration.
- DNS (subdomain takeover, missing SPF/DKIM/DMARC).
- Threat-intel listings (Spamhaus, URLhaus).
- Outdated framework versions with known CVEs.
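To make the "read-only" nature of a passive scan concrete, here is an added example (not FixVibe's scanner code) of the kind of check it runs: it inspects an already-fetched response for missing security headers, weak cookie attributes, and a leaked credential pattern in a JS bundle, without sending any crafted input. The response is a constructed sample embedded inline; the header names, cookie rules and secret patterns are generic ones assumed for the illustration, and the AWS key value is the documented AWS placeholder, not a real key.

```python
import re

# Secret patterns assumed for this example; a real scanner carries many more.
SECRET_PATTERNS = {
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Stripe secret key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{8,}\b"),
}


def check_headers(headers: dict) -> list:
    """Flag missing HSTS, CSP and clickjacking protection (case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "strict-transport-security" not in h:
        findings.append("missing HSTS")
    if "content-security-policy" not in h:
        findings.append("missing CSP")
    # X-Frame-Options is redundant when CSP already sets frame-ancestors.
    if "x-frame-options" not in h and "frame-ancestors" not in h.get("content-security-policy", ""):
        findings.append("missing frame-options / frame-ancestors")
    return findings


def check_cookie(set_cookie: str) -> list:
    """Parse one Set-Cookie value and report absent Secure / HttpOnly / SameSite."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    for attr, label in (("secure", "Secure"), ("httponly", "HttpOnly"), ("samesite", "SameSite")):
        if attr not in attrs:
            findings.append(f"cookie {name}: no {label}")
    return findings


def find_secrets(js: str) -> list:
    """Return the labels of secret patterns that match anywhere in a JS bundle."""
    return [label for label, pat in SECRET_PATTERNS.items() if pat.search(js)]


def passive_scan(resp: dict) -> list:
    """Combine the checks over one fetched response (headers, cookies, JS)."""
    findings = check_headers(resp["headers"])
    for sc in resp["set_cookie"]:
        findings += check_cookie(sc)
    findings += [f"secret in JS bundle: {label}" for label in find_secrets(resp["js"])]
    return findings


# Constructed sample response standing in for a real fetch of the target URL.
SAMPLE_RESPONSE = {
    "headers": {
        "Content-Type": "text/html",
        "Content-Security-Policy": "default-src 'self'",
    },
    "set_cookie": [
        "session=abc123; Path=/; HttpOnly",
        "prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax",
    ],
    # AKIAIOSFODNN7EXAMPLE is the AWS documentation placeholder key id.
    "js": "const cfg={api:'https://api.example.com',key:'AKIAIOSFODNN7EXAMPLE'};",
}

if __name__ == "__main__":
    for finding in passive_scan(SAMPLE_RESPONSE):
        print(finding)
```

Everything here is derived from data the server already sent to a normal client, which is why this class of check needs no domain verification or attestation.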
Active scan Hobby+
Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.
Why we gate it: attestation flow
Active probes can affect production: slow responses, error spikes, garbage data in test stores. We require you to:
- Verify the domain via a DNS TXT record or an HTTP file (Account → Domains).
- Attest authorization: a one-time confirmation at scan-start time that you have permission. It is server-stamped with your IP, user-agent, and timestamp, and written to audit_logs.
For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard → Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.
GitHub repository scan Pro+
Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.
Repo scans do not write to your repo and do not persist source code; only finding evidence is stored. Quota: the same scansPerMonth bucket as URL scans.
Trigger via the API
curl -X POST https://fixvibe.app/api/v1/scans \
-H "Authorization: Bearer fxv_..." \
-H "content-type: application/json" \
-d '{"target":"https://staging.example.com"}'

The REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard → Domains. Full reference: /docs/api.
Anonymous one-shot scans No account
The home page lets visitors who have not signed up run one passive scan per browser session. These scans expire 24 hours after creation and can be migrated to a real account by signing up before they expire; the auth callback automatically attaches the anonymous scan to the new org.
