# Safety Modes

FireScan has three safety modes that control what operations are permitted.

## Probe Mode

Default mode. Read-only operations.

```bash
firescan > scan --all
```

What it does:
- Tests read permissions
- Enumerates accessible paths
- Checks service configurations
- Never modifies data
Use for:
- Production testing
- Initial reconnaissance
- Black box assessments
- Bug bounties (unless scope allows more)
## Test Mode

Safe write operations with cleanup tracking.

```bash
firescan > scan --write --test
```

What it does:
- Creates test data in isolated paths (prefixed with `firescan-test-`)
- Tracks all created resources
- Tests write permissions
- Validates security rules
Data markers:

```json
{
  "firescan_test_marker": true,
  "timestamp": 1705318965,
  "cleanup_required": true
}
```

Use for:
- Permission testing
- Security rule validation
- Staging/development environments
- With explicit approval on production
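Because test mode tracks what it creates, a defender can verify after a run that nothing was left behind by sweeping a data snapshot for the `firescan-test-` path prefix and the marker fields shown above. The following Python is an added example, not FireScan's own code; it assumes the snapshot is available as a plain path-to-document mapping (the sample data is constructed) and only reports leftovers, never deletes them.

```python
# Added example: sweep a data snapshot for FireScan test-mode leftovers.
# Assumption: the snapshot is a plain {path: document-dict} mapping; the real
# storage layout is not described on this page. Nothing here deletes data.

TEST_PATH_PREFIX = "firescan-test-"   # prefix test mode puts on its paths
MARKER_KEY = "firescan_test_marker"   # marker field written into test data


def is_firescan_test_doc(path, doc):
    """True when a document carries the test marker or lives under a test path."""
    has_marker = isinstance(doc, dict) and doc.get(MARKER_KEY) is True
    segments = path.strip("/").split("/")
    return has_marker or any(seg.startswith(TEST_PATH_PREFIX) for seg in segments)


def find_leftover_test_data(docs, now, max_age_seconds):
    """Report test documents still flagged cleanup_required=True, sorted by path.

    'stale' is set when the marker timestamp is older than max_age_seconds,
    i.e. the cleanup that test mode tracks apparently never ran.
    """
    leftovers = []
    for path, doc in docs.items():
        if not is_firescan_test_doc(path, doc):
            continue
        if not isinstance(doc, dict) or doc.get("cleanup_required") is not True:
            continue
        ts = doc.get("timestamp")
        age = now - ts if isinstance(ts, (int, float)) else None
        leftovers.append({
            "path": path,
            "age_seconds": age,
            "stale": age is not None and age > max_age_seconds,
        })
    return sorted(leftovers, key=lambda entry: entry["path"])


# Constructed sample snapshot (not real data): one ordinary document, two test
# documents under a test path, and one marked document written to a real path.
SAMPLE_DOCS = {
    "/users/alice": {"name": "alice"},
    "/firescan-test-a1b2/probe": {MARKER_KEY: True, "timestamp": 1705318965, "cleanup_required": True},
    "/firescan-test-a1b2/done": {MARKER_KEY: True, "timestamp": 1705318965, "cleanup_required": False},
    "/orders/42": {MARKER_KEY: True, "timestamp": 1705400000, "cleanup_required": True},
}

if __name__ == "__main__":
    for entry in find_leftover_test_data(SAMPLE_DOCS, now=1705405000, max_age_seconds=7200):
        print(entry)
```

The `/orders/42` entry shows why the marker matters: a test document written outside the `firescan-test-` prefix is still caught by `firescan_test_marker`.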
Confirmation required:

```text
⚠️ TEST MODE WARNING
Continue with test mode? (y/N):
```

## Audit Mode

Deep testing. Potentially destructive.

```bash
firescan > scan --authattack --audit
```

What it does:
- Tests on real paths
- Advanced attack techniques
- JWT manipulation
- Comprehensive security testing
Use for:
- Security audits with authorization
- Development environments only
- When you have written permission
- With backups in place
Confirmation required:

```text
Type "I UNDERSTAND THE RISKS" to continue:
```

## Choosing a mode

| Scenario | Mode |
|---|---|
| Production app, no approval | Probe |
| Production app, approved testing | Probe or Test |
| Staging/dev environment | Test or Audit |
| Security audit with authorization | Audit |
| Bug bounty | Probe (check scope) |
## Default behavior

All scans use probe mode unless you specify `--test` or `--audit`:

```bash
scan --all                 # Probe mode
scan --write --test        # Test mode
scan --authattack --audit  # Audit mode
```

## Next

- Scan Types - Learn about scan types
- API Reference - Scan command details
