Scan types
FixWeb runs three kinds of scans against three kinds of targets. Each has different gating, different speed, and different depth — pick the one that matches what you're improving.
Passive
Available on every tier. A passive scan never submits forms or uses owner credentials — it fetches the URL like a normal browser, renders the page, and checks crawlability, search presentation, structured content, media, performance, accessibility, forms, mobile/i18n, and runtime signals against 90+ quality checks.
Because it's read-only, passive can run against any URL you are authorized to scan. The trade-off is depth: passive misses private dashboards, account flows, checkout states, and owner-only routes.
What passive catches
- Broken crawl/indexation controls: robots, sitemap, noindex, canonicals, 4xx/5xx pages.
- Weak search presentation: missing or duplicated titles, snippets, favicon, and Open Graph metadata.
- Semantic content and schema issues: heading skips, missing main landmarks, thin content, invalid JSON-LD.
- Media quality issues: missing alt text, weak alt text, missing dimensions, and lazy-loaded hero images.
- Performance delivery risks: heavy payloads, too many scripts, third-party pressure, and font volume.
- Accessibility and form defects: missing language, skip links, button names, labels, and autocomplete hints.
- Mobile, PWA, i18n, runtime, failed-request, and blank-render signals.
- Live monitoring signals on paid plans: certificate, DNS, and external listing changes.
- Repo-connected template and quality-tooling patterns on paid plans.
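A few of the checks listed above, written out as an added example. This is not FixWeb's implementation: the finding labels, the `PassiveChecks` class, and `run_passive_checks` are hypothetical, and the HTML is a constructed sample. The code only parses markup that has already been fetched, which is what keeps this kind of scan read-only.

```python
import json
from html.parser import HTMLParser

# Constructed sample page (not from any real site).
SAMPLE_HTML = """<html><head><meta name="robots" content="noindex, follow">
<script type="application/ld+json">{"@type": "Article", "name": }</script></head>
<body><h1>Title</h1><h3>Skipped level</h3>
<img src="/hero.png"><img src="/logo.png" alt="Company logo"></body></html>"""

class PassiveChecks(HTMLParser):
    """Read-only checks over fetched HTML. Finding labels are hypothetical."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._last_heading = 0  # level of the previous heading, 0 if none yet
        self._jsonld = None     # text chunks while inside a JSON-LD script

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "robots":
            if "noindex" in (a.get("content") or "").lower():
                self.findings.append("noindex")
        elif tag == "img" and "alt" not in a:
            self.findings.append("missing-alt:" + (a.get("src") or "?"))
        elif tag == "script" and a.get("type") == "application/ld+json":
            self._jsonld = []
        elif len(tag) == 2 and tag[0] == "h" and tag[1] in "123456":
            level = int(tag[1])
            if self._last_heading and level > self._last_heading + 1:
                self.findings.append(f"heading-skip:h{self._last_heading}->h{level}")
            self._last_heading = level

    def handle_data(self, data):
        if self._jsonld is not None:
            self._jsonld.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._jsonld is not None:
            try:
                json.loads("".join(self._jsonld))
            except ValueError:  # json.JSONDecodeError subclasses ValueError
                self.findings.append("invalid-jsonld")
            self._jsonld = None

def run_passive_checks(html):
    parser = PassiveChecks()
    parser.feed(html)
    parser.close()
    return parser.findings
```

An empty `alt=""` is treated as present, since that is the valid marking for a decorative image; only a missing attribute is reported.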
Owner-depth Hobby+
Owner-depth scans reuse the website-quality modules against verified domains and, optionally, authenticated/private routes through a short-lived test-account header you provide. Available on the Hobby plan and higher tiers (Pro, Unlimited), and requires domain ownership verification.
Why we gate it: the attestation flow
Owner-depth scans can crawl private URLs or account states when configured. We require you to:
- Verify the domain via DNS TXT or an HTTP file (Account -> Domains).
- Attest authorization — a single confirmation at scan-start time saying you own or have permission to scan the site. Server-stamped with your IP, user-agent, and timestamp; written to audit_logs.
For scheduled re-scans, the attestation is recorded once at first verification and inherited by every subsequent run until you disable the schedule. REST API and MCP starts remain passive-only; owner-depth scans must be started from the website UI.
GitHub repository Pro+
Repo scans skip the URL phases entirely. They pull a tarball of your default branch over the FixWeb GitHub App (or your OAuth token), process the source in memory, and emit findings against checks under the code.* namespace: crawl-control files, template image issues, metadata patterns, and missing quality automation.
Repo scans never write to the repo and do not store source code; only finding evidence is stored. Quota is drawn from the same scansPerMonth bucket as URL scans.
Trigger via API
curl -X POST https://fixweb.app/api/v1/scans \
  -H "Authorization: Bearer fxw_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

Owner-depth mode is not exposed via API — the attestation flow is on-site only, by design. Full reference: /docs/api.
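Anonymous one-shot scan
On the home page, visitors who have not signed up can run one passive scan per browser session. The scan expires 24 hours after creation, and signing up before it expires lets you migrate it to a real account. The auth callback automatically links the anonymous scan to the new org.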
