Command Reference
Every @xor-hardener command on one page. /review, /describe, /ask, /patch_i, /issue_spec, /issue_implement, and more.
Quick reference
9 commands: /review, /describe, /ask, /ask_line, /issue_spec, /issue_implement, /issue_ask, /test_i, /patch_i. All available via natural language or explicit command syntax.
Automatic triggers
Dependabot PR → automatic triage. XOR-labeled PR → /describe + /review. Push to PR branch → configurable re-checks.
Every command. One page.
Mention @xor-hardener followed by a command or a plain-English prompt. Both work. XOR reads your intent, decides which capability applies, and runs it.
Quick reference
| Command | Where | What it does |
|---|---|---|
| /review | PR comment | Security-focused code review with inline suggestions |
| /describe | PR comment | Generate a structured PR description |
| /ask [question] | PR comment | Ask a question about the PR code |
| /ask_line | Line comment | Ask about specific lines in "Files changed" |
| /issue_spec | Issue comment | Generate a specification for an issue |
| /issue_implement | Issue comment | Implement a solution and open a PR |
| /issue_ask [question] | Issue comment | Ask a question about an issue |
| /test_i | PR or issue | Extract or generate test cases |
| /patch_i | PR or issue | Generate patches from an issue spec |
Natural language prompts
You don't need to memorize commands. Examples:
@xor-hardener Review this PR for security issues.
@xor-hardener This issue describes a bug in our auth flow. Write a spec for fixing it, then open a PR with the fix.
@xor-hardener Pin all actions in this workflow to SHA. Reduce permissions to least-privilege.
@xor-hardener What does this function do? Is it safe to remove the null check on line 42?
Automatic triggers
| Trigger | What XOR does |
|---|---|
| Dependabot opens a PR | Triages the PR automatically using reachability analysis plus EPSS/KEV/CVSS enrichment |
| PR labeled with an XOR label | Runs /describe + /review |
| Push to a PR branch | Re-runs the checks you have configured |
The two-step issue workflow
For larger work items:
Step 1: /issue_spec
XOR reads the issue, researches the codebase, and posts either questions (if it needs context) or a plan (if it has enough information).
Step 2: /issue_implement
XOR reads the approved plan, generates patches, creates a branch, and opens a PR with the fix and updated tests. You approve the plan before code is written.
FAQ
Do I need to use explicit commands?
No. XOR reads natural language. 'Review this PR for security issues' works the same as /review. Explicit commands are available for precision.
Which commands run automatically?
Dependabot PR triage runs automatically. PRs labeled with an XOR label get /describe + /review. Push-triggered checks are configurable.
What is the two-step issue workflow?
Step 1: /issue_spec posts a plan after researching the codebase. Step 2: /issue_implement generates patches and opens a PR. You approve the plan before code is written.