FixVibe


Scan types

FixVibe runs three types of scans against three types of targets. Each has its own gating, its own speed, and its own blast radius; pick the one that matches what you are testing.

Passive

Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.

Because it is read-only, passive can run on any URL: no domain verification and no attestation are required. The price you pay is depth: passive misses everything that requires sending input to detect.

What passive finds

  • Missing security headers (HSTS, CSP, frame-options, and so on).
  • Insecure cookie attributes (no Secure / HttpOnly / SameSite).
  • Weak TLS configuration, expired certs, missing HSTS preload.
  • Secrets in JS bundles (Supabase service keys, AWS keys, Stripe sk_, and so on).
  • Exposed source maps, debug endpoints, OpenAPI specs, GraphQL introspection.
  • Exposed Supabase RLS / Firebase rules / Clerk misconfiguration.
  • DNS (subdomain takeover, missing SPF/DKIM/DMARC).
  • Threat-intel listings (Spamhaus, URLhaus).
  • Outdated framework versions with known CVEs.
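To make the first two items concrete, here is an added example (not FixVibe's own code, and not a description of how FixVibe implements its checks) of read-only checks over the headers of a single response. The function names and the sample headers are constructed for illustration.

```python
# Added illustration of passive, read-only header checks.
# Not FixVibe's implementation; names and sample data are constructed.
HEADER_CHECKS = {
    "strict-transport-security": "HSTS header missing",
    "content-security-policy": "CSP header missing",
}
COOKIE_ATTRS = ("Secure", "HttpOnly", "SameSite")


def cookie_findings(set_cookie):
    """Flag a Set-Cookie value that lacks Secure, HttpOnly or SameSite."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    present = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return [f"cookie {name}: no {a}" for a in COOKIE_ATTRS if a.lower() not in present]


def audit_headers(headers):
    """headers: list of (name, value) pairs from one response. Returns findings."""
    seen = {}
    for name, value in headers:
        seen.setdefault(name.lower(), []).append(value)
    findings = [msg for name, msg in HEADER_CHECKS.items() if name not in seen]

    # Framing protection: X-Frame-Options or a CSP frame-ancestors directive.
    csp = ";".join(seen.get("content-security-policy", [])).lower()
    if "x-frame-options" not in seen and "frame-ancestors" not in csp:
        findings.append("no framing protection (X-Frame-Options / frame-ancestors)")

    # HSTS is present but not marked for the preload list.
    for value in seen.get("strict-transport-security", []):
        directives = {d.strip().lower() for d in value.split(";")}
        if "preload" not in directives:
            findings.append("HSTS without preload directive")

    # Every Set-Cookie header is checked on its own.
    for value in seen.get("set-cookie", []):
        findings.extend(cookie_findings(value))
    return findings


SAMPLE_HEADERS = [  # constructed response headers
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    print("\n".join(audit_headers(SAMPLE_HEADERS)))
```

The input is whatever the server already sends to any browser, which is why checks of this kind need no domain verification.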

Active Hobby+

Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.

Why it is gated: the attestation process

Active probes can, in theory, affect production: slow responses, error spikes, junk data in test stores. We require you to:

  1. Verify the domain via DNS TXT or HTTP file (Account → Domains).
  2. Attest authorization: a confirmation at scan start stating that you have permission. The server stamps your IP, user-agent, and timestamp; we write it to audit_logs.

For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard → Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.

GitHub repository Pro+

Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.

Repo scans never write to your repo and do not persist source code; only finding evidence is stored. Quota: the same scansPerMonth bucket as URL scans.

Start via API

curl
curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard → Domains. Full reference: /docs/api.

Anonymous one-shot scans

The home page lets an unregistered visitor run a single passive scan per browser session. These scans expire 24 hours after they are created, and they can be moved to a real account if you sign up before they expire; the auth callback automatically links the anonymous scan to the new org.
