FixVibe


Scan types

FixVibe runs three kinds of scan against three kinds of target. Each differs in gating, speed, and blast radius; pick the one that matches what you are checking.

Passive

Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.

Because it is read-only, a passive scan can run against any URL: no domain verification, no attestation. The trade-off is depth: anything that requires sending input is something passive will miss.

What passive catches

  • Missing security headers (HSTS, CSP, frame-options, and others).
  • Insecure cookie attributes (missing Secure / HttpOnly / SameSite).
  • Weak TLS configuration, expired certs, no HSTS preload.
  • Secrets inside JS bundles (Supabase service keys, AWS keys, Stripe sk_ keys, and others).
  • Exposed source maps, debug endpoints, OpenAPI specs, GraphQL introspection.
  • Open Supabase RLS / Firebase rules / Clerk misconfiguration.
  • DNS (subdomain takeover, missing SPF/DKIM/DMARC).
  • Threat-intel listings (Spamhaus, URLhaus).
  • Outdated framework versions with known CVEs.
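As an added example (not FixVibe's scanner code), here is a minimal read-only check in the spirit of the passive scan: it inspects a constructed HTTP response for the first two items above, missing security headers and weak cookie attributes, without sending any input. The sample response, the header set and the function names are assumptions for illustration.

```python
"""Passive-style check over a captured HTTP response.

Added example, not FixVibe's scanner: it mirrors two of the read-only
checks a passive scan performs (missing security headers, weak cookie
attributes) on a constructed response. Nothing is sent to any server.
"""

# Constructed sample response; values are illustrative only.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123; Path=/
Set-Cookie: csrftoken=xyz; Secure; HttpOnly; SameSite=Lax
X-Frame-Options: DENY

<html></html>"""

# Header name (lower-cased) -> label used in findings.
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS",
    "content-security-policy": "CSP",
    "x-frame-options": "frame-options",
}

COOKIE_ATTRS = ("secure", "httponly", "samesite")


def parse_response(raw):
    """Return (lower-cased header map, list of Set-Cookie values)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers, cookies = {}, []
    for line in head.splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            cookies.append(value)  # repeated header, keep every value
        else:
            headers[name] = value
    return headers, cookies


def missing_headers(headers):
    """Labels of required security headers absent from the response."""
    return [label for h, label in REQUIRED_HEADERS.items() if h not in headers]


def weak_cookies(cookies):
    """(cookie name, missing attributes) for each Set-Cookie lacking any."""
    findings = []
    for raw in cookies:
        name = raw.split("=", 1)[0].strip()
        present = {a.strip().split("=", 1)[0].lower() for a in raw.split(";")[1:]}
        missing = [a for a in COOKIE_ATTRS if a not in present]
        if missing:
            findings.append((name, missing))
    return findings


def passive_check(raw):
    """Run both checks and return findings as one dict."""
    headers, cookies = parse_response(raw)
    return {"missing_headers": missing_headers(headers),
            "weak_cookies": weak_cookies(cookies)}
```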

Active Hobby+

Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.

Why we gate it: the attestation flow

Active probes can, in theory, affect production: slow responses, error spikes, garbage data in test stores. We require the following from you:

  1. Verify the domain, via DNS TXT or HTTP file (Account → Domains).
  2. Attest authorization: a single confirmation at scan start stating that you have permission. It is server-stamped with IP, user-agent and timestamp, and written to audit_logs.

For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard → Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.

GitHub repository Pro+

Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.

Repo scans never write to the repo and never persist source code; only finding evidence is stored. Quota: the same scansPerMonth bucket as URL scans.

Triggering via the API

curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard → Domains. Full reference: /docs/api.

Anonymous one-off scans

The home page lets visitors who have not signed up run one passive scan per browser session. These scans expire 24 hours after creation; if you sign up before they expire, they are migrated to the real account: the auth callback automatically attaches the anonymous scan to the new org.
