Platform Capabilities
One install. Seven capabilities. Prompt-driven. CVE autopatch, PR review, CI hardening, guardrail review, audit packets, and more.
CVE/GHSA autopatch
Report a vulnerability. XOR writes the fix, adds a failing test, and opens a PR with CI passing. Cost range: $2.64 to $76.54 per fix.
PR code review
XOR reads the full diff, flags security risks and unsafe patterns, posts inline review comments with specific fix suggestions. Uncertainty stop: if confidence is low, XOR says so instead of guessing.
One install. Seven capabilities. Prompt-driven.
Every capability works the same way: mention @xor-hardener in a PR or issue comment, describe what you need, and XOR does the work. No configuration files. You can also use explicit commands (see the Command Reference).
CVE/GHSA autopatch
Report a vulnerability. XOR writes the fix, adds a failing test, and opens a PR with CI passing.
@xor-hardener Minimal autopatch for CVE-2024-1234.
Add a failing test. Keep CI green. Target the main branch.
Without XOR
20-45 min triage + 1-4 hours fix
With XOR
Under 15 min. PR with test included.
At $150/hr fully loaded cost, manual triage costs $75-$600 per CVE. XOR range: $2.64 to $76.54, 8x to 227x cheaper.
PR code review
XOR reads the full diff, flags security risks and unsafe patterns, and posts inline review comments with specific fix suggestions. If confidence is low, XOR says so instead of guessing.
@xor-hardener /review
GitHub Actions hardening
Pins actions to SHA instead of tags and reduces workflow permissions to least-privilege per job. CI stays green. GitHub Actions supply chain attacks rose 350% in 2025 (StepSecurity).
@xor-hardener Pin actions by SHA and reduce workflow permissions per job. Keep CI green.
Guardrail review
When a PR deletes or refactors risky code, XOR reviews the change, flags what could go wrong, and stops when its confidence is low. No false positives from guessing.
PR audit packet
After CI passes, XOR compiles evidence: files changed, commit SHAs, tests added, CI job URLs, linked issues, reviewer sign-offs. One comment, everything an auditor needs. For 1,000 PRs per quarter, this saves 250-500 hours of audit prep.
Green-build autopatch
When a test fails in CI, XOR reads the failure log, diagnoses the root cause, and opens a PR with the smallest safe diff to restore a green build.
OSV dependency review
XOR reads an osv-scanner output, triages exploitable vs. noise vulnerabilities, and proposes minimal version bumps with PRs for safe updates.
[NEXT STEPS]
Go deeper
FAQ
How many capabilities does XOR have?
Seven: CVE/GHSA autopatch, PR code review, GitHub Actions hardening, guardrail review, PR audit packet, green-build autopatch (coming soon), and OSV dependency review (coming soon).
Do I need to memorize commands?
No. XOR reads natural language. Comment '@xor-hardener Review this PR for security issues' and XOR decides which capability applies. You can also use explicit commands like /review.
What is the economic impact of automated patching?
At $150/hr fully loaded engineering cost, each manually triaged CVE costs $75-$600. XOR's benchmark data shows $2.64 to $76.54 per automated fix, 8x to 227x cheaper than manual work.
Automated Vulnerability Patching and PR Review
Patches CVEs automatically. Reviews every AI-generated PR with a pass/fail verification report.
Getting Started with XOR GitHub App
Install in 2 minutes. First result in 15. One-click GitHub App install, first auto-review walkthrough, and engineering KPI triad.
Dependabot Verification
Dependabot bumps versions. XOR verifies they're safe to merge. Reachability analysis, EPSS/KEV enrichment, and structured verdicts.
Compliance Evidence
Machine-readable evidence for every triaged vulnerability. VEX statements, verification reports, and audit trails produced automatically.
Compatibility and Prerequisites
Languages, build systems, CI platforms, and repository types supported by XOR. What you need to get started.
Command Reference
Every @xor-hardener command on one page. /review, /describe, /ask, /patch_i, /issue_spec, /issue_implement, and more.
See which agents produce fixes that work
128 CVEs. 15 agents. 1,920 evaluations. Agents learn from every run.