[COMPATIBILITY]

Compatibility and Prerequisites

Languages, build systems, CI platforms, and repository types supported by XOR. What you need to get started.

Language support

Python (pip, Poetry, Pipenv), JavaScript/TypeScript (npm, yarn, pnpm), Java (Maven, Gradle), Go (modules), Rust (Cargo), C/C++ (Make, CMake, Meson). Ruby partial, .NET planned.

Common blockers

No test suite (~20%), private dependencies (~15%), complex builds (~10%), flaky tests (~25%), missing build commands (~5%). XOR has mitigations for each.

Languages supported

Repository types

36.8-62.7%

Pass rate range across agents

What XOR supports today

Languages, build systems, CI platforms, and repository types supported by XOR's GitHub App. If your stack isn't listed, contact us.

Language and build system support

Language	Build systems	Status
Python	pip, Poetry, Pipenv	[SUPPORTED]
JavaScript/TypeScript	npm, yarn, pnpm	[SUPPORTED]
Java	Maven, Gradle	[SUPPORTED]
Go	go modules	[SUPPORTED]
Rust	Cargo	[SUPPORTED]
C/C++	Make, CMake, Meson	[SUPPORTED]
Ruby	Bundler	[PARTIAL]
.NET	NuGet	[PLANNED]

CI/CD integration

CI platform	Integration	Status
GitHub Actions	Native (webhook)	[SUPPORTED]
GitLab CI	Webhook relay	[PLANNED]
Jenkins	Webhook relay	[PLANNED]
CircleCI	Webhook relay	[PLANNED]

Repository types

Single-repo

Standard flow. Fully supported.

Monorepo

Per-package triage scoped to affected module.

Private dependencies

Read-only mirror includes private deps.

Forked repos

Analysis runs on XOR's mirror, not your fork.

Archived repos are not supported (GitHub doesn't create PRs on archived repos).

Common blockers

No test suite (~20% of repos)

XOR generates a verification harness from CVE details. Lower confidence, but triage still runs.

Private/internal dependencies (~15%)

Read-only mirror includes private deps. Corporate proxy? Self-hosted option available.

Complex build: Docker-in-Docker, GPU (~10%)

XOR builds in isolated containers. Contact us for custom environments.

Flaky tests (~25%)

XOR retries and distinguishes flaky failures from genuine regressions.

Missing build commands (~5%)

XOR attempts auto-detection. If it fails, you see a comment asking for instructions.

[NEXT STEPS]

Get started

Installation guide →

Benchmark methodology →

Capabilities →

FAQ

Which languages does XOR support?

Python, JavaScript/TypeScript, Java, Go, Rust, and C/C++ are fully supported. Ruby has partial support. .NET is planned.

Does XOR work with monorepos?

Yes. XOR scopes triage to the affected module within a monorepo. Private dependencies are included via the read-only mirror.

What if my repo has no test suite?

XOR generates a verification harness from CVE details. Confidence is lower than when existing tests cover the vulnerable path, but triage still runs. About 20% of repos have no test suite.

[RELATED TOPICS]

Patch verification

XOR writes a verifier for each vulnerability, then tests agent-generated patches against it. If the fix passes, it ships. If not, the failure feeds back into the agent harness.

Automated vulnerability patching

AI agents generate fixes for known CVEs. XOR verifies each fix and feeds outcomes back into the agent harness so future patches improve.

Benchmark Results

62.7% pass rate. $2.64 per fix. Real data from 1,664 evaluations.

Benchmark Results

62.7% pass rate. $2.64 per fix. Real data from 1,664 evaluations.

Agent Cost Economics

Fix vulnerabilities for $2.64–$52 with agents. 100x cheaper than incident response. Real cost data.

Agent Configurations

13 agent-model configurations evaluated on real CVEs. Compare Claude Code, Codex, Gemini CLI, Cursor, and OpenCode.

Benchmark Methodology

How CVE-Agent-Bench evaluates 13 coding agents on 128 real vulnerabilities. Deterministic, reproducible, open methodology.

Agent Environment Security

AI agents run with real permissions. XOR verifies tool configurations, sandbox boundaries, and credential exposure.

Security Economics for Agentic Patching

Security economics for agentic patching. ROI models backed by verified pass/fail data and business-impact triage.

Validation Process

25 questions we ran against our own data before publishing. Challenges assumptions, explores implications, extends findings.

Cost Analysis

10 findings on what AI patching costs and whether it is worth buying. 1,664 evaluations analyzed.

Bug Complexity

128 vulnerabilities scored by difficulty. Floor = every agent fixes it. Ceiling = no agent can.

Agent Strategies

How different agents approach the same bug. Strategy matters as much as model capability.

Execution Metrics

Per-agent session data: turns, tool calls, tokens, and timing. See what happens inside an agent run.

Pricing Transparency

Every cost number has a source. Published pricing models, measurement methods, and provider rates.

Automated Vulnerability Patching and PR Review

Automated code review, fix generation, GitHub Actions hardening, safety checks, and learning feedback. One-click install on any GitHub repository.

Getting Started with XOR GitHub App

Install in 2 minutes. First result in 15. One-click GitHub App install, first auto-review walkthrough, and engineering KPI triad.

Platform Capabilities

One install. Seven capabilities. Prompt-driven. CVE autopatch, PR review, CI hardening, guardrail review, audit packets, and more.

Dependabot Verification

Dependabot bumps versions. XOR verifies they're safe to merge. Reachability analysis, EPSS/KEV enrichment, and structured verdicts.

Compliance Evidence

Machine-readable evidence for every triaged vulnerability. VEX statements, verification reports, and audit trails produced automatically.

Command Reference

Every @xor-hardener command on one page. /review, /describe, /ask, /patch_i, /issue_spec, /issue_implement, and more.

Continuous Learning from Verified Agent Runs

A signed record of every agent run. See what the agent did, verify it independently, and feed the data back so agents improve.

Signed Compliance Evidence for AI Agents

A tamper-proof record of every AI agent action. Produces evidence for SOC 2, EU AI Act, PCI DSS, and more. Built on open standards so auditors verify independently.

Compliance Evidence and Standards Alignment

How XOR signed audit trails produce evidence for SOC 2, EU AI Act, PCI DSS, NIST, and other compliance frameworks.

Agentic Third-Party Risk

33% of enterprise software will be agentic by 2028. 40% of those projects will be canceled due to governance failures. A risk overview for CTOs.

MCP Server Security

17 attack types across 4 surfaces. 7.2% of 1,899 open-source MCP servers contain vulnerabilities. Technical deep-dive with defense controls.

How Agents Get Attacked

20% jailbreak success rate. 42 seconds average. 90% of successful attacks leak data. Threat landscape grounded in published research.

Governing AI Agents in the Enterprise

92% of AI vendors claim broad data usage rights. 17% commit to regulatory compliance. Governance frameworks from NIST, OWASP, EU CRA, and Stanford CodeX.

OWASP Top 10 for Agentic Applications

The OWASP Agentic Top 10 mapped to real-world attack data and XOR capabilities. A reference page for security teams.

See which agents produce fixes that work

128 CVEs. 13 agents. 1,664 evaluations. Agents learn from every run.