FixVibe


Scan types

FixVibe runs three scan types against three kinds of target. Each has its own gating, speed, and blast radius: pick the one that matches what you are testing.

Passive

Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.

Because it is read-only, a passive scan can run against any URL: no domain verification, no attestation. The trade-off is depth: passive misses anything that can only be found by sending input to the target.

What a passive scan catches

  • Missing security headers (HSTS, CSP, frame-options, etc.).
  • Insecure cookie flags (no Secure / HttpOnly / SameSite).
  • Weak TLS configuration, expired certificates, missing HSTS preload.
  • Secrets in JS bundles (Supabase service keys, AWS keys, Stripe sk_ keys, etc.).
  • Exposed source maps, debug endpoints, OpenAPI specs, GraphQL introspection.
  • Open Supabase RLS / Firebase rules / Clerk misconfiguration.
  • DNS (subdomain takeover, missing SPF/DKIM/DMARC).
  • Threat-intel lists (Spamhaus, URLhaus).
  • Outdated framework versions with known CVEs.

Active Hobby+

Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.

Why we gate it: the attestation flow

Active probes can affect production: slower responses, more errors, dirty data in test stores. We ask that you:

  1. Verify the domain via a DNS TXT record or an HTTP file (Account → Domains).
  2. Give attest authorization: a one-time confirmation at scan start that you have permission. The server stamps your IP, user-agent, and timestamp and writes them to audit_logs.

For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard โ†’ Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.
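To make the two-step gate concrete, here is an added example (written for this page, not FixVibe's code) that models it: a per-domain verification token, the DNS TXT and HTTP-file checks with the resolver and fetcher injected so it runs offline, the audit_logs row the attestation step records, and the gate that refuses an active scan unless both steps are done. The TXT record name `_fixvibe-verify.` and the path `/.well-known/fixvibe-verify.txt` are hypothetical; the page does not state FixVibe's real ones.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Hypothetical record name and file path; FixVibe's real ones are not stated on this page.
TXT_PREFIX = "_fixvibe-verify."
HTTP_PATH = "/.well-known/fixvibe-verify.txt"


def issue_token(org_id, domain, server_secret):
    """Per-org, per-domain verification token. An HMAC, so it is reproducible
    server-side but not guessable by a third party trying to claim the domain."""
    msg = f"{org_id}:{domain}".encode()
    return hmac.new(server_secret, msg, hashlib.sha256).hexdigest()[:32]


def verify_via_txt(domain, token, resolve_txt):
    """resolve_txt(name) -> list of TXT strings. Injected so the example runs
    offline; a real implementation queries DNS for TXT_PREFIX + domain."""
    records = resolve_txt(TXT_PREFIX + domain)
    return any(hmac.compare_digest(r.strip().encode(), token.encode()) for r in records)


def verify_via_http(domain, token, fetch):
    """fetch(url) -> response body or None. Injected for the same reason."""
    body = fetch(f"https://{domain}{HTTP_PATH}")
    return body is not None and hmac.compare_digest(body.strip().encode(), token.encode())


def record_attestation(domain, ip, user_agent, now=None):
    """The audit_logs row the page describes: who authorized, from where, when."""
    now = now or datetime.now(timezone.utc)
    return {"event": "active_scan_attested", "domain": domain, "ip": ip,
            "user_agent": user_agent, "at": now.isoformat()}


def active_scan_allowed(domain, verified_domains, audit_log):
    """The gate itself: both conditions must hold, and the reason is returned
    so the caller can tell the user which step is still missing."""
    if domain not in verified_domains:
        return False, "domain not verified"
    attested = any(e["event"] == "active_scan_attested" and e["domain"] == domain
                   for e in audit_log)
    if not attested:
        return False, "no attestation recorded"
    return True, "ok"


def demo():
    """Walk the flow against a constructed resolver and fetcher."""
    secret = b"server-side-secret-not-for-real-use"   # constructed
    domain = "staging.example.com"
    token = issue_token("org_1", domain, secret)
    fake_dns = {TXT_PREFIX + domain: ["v=spf1 -all", token]}      # constructed zone data
    fake_http = lambda url: token + "\n" if url == f"https://{domain}{HTTP_PATH}" else None

    verified = set()
    if verify_via_txt(domain, token, lambda n: fake_dns.get(n, [])) or \
       verify_via_http(domain, token, fake_http):
        verified.add(domain)

    audit_log = []
    before = active_scan_allowed(domain, verified, audit_log)     # verified, not yet attested
    audit_log.append(record_attestation(domain, "203.0.113.7", "curl/8.6.0"))
    after = active_scan_allowed(domain, verified, audit_log)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The two checks are deliberately separate: domain verification proves control of the name once, while the attestation row is what ties a specific active run to a specific person, address, and time, which is what you want in the audit trail if a probe ever does cause an incident.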

GitHub repository Pro+

Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.

A repo scan does not write to your repo and does not store source code; only the evidence for each finding is kept. Quota: the same scansPerMonth bucket as URL scans.

Start via the API

curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard โ†’ Domains. Full reference: /docs/api.

One anonymous scan

The home page lets unregistered visitors run one passive scan per browser session. That scan expires 24 hours after it is created and can be moved into a real account by signing up before it expires: the auth callback automatically attaches the anonymous scan to the new org.
