Compatibility and Prerequisites
Languages, build systems, CI platforms, and repository types supported by XOR. What you need to get started.
Language support
Python (pip, Poetry, Pipenv), JavaScript/TypeScript (npm, yarn, pnpm), Java (Maven, Gradle), Go (modules), Rust (Cargo), C/C++ (Make, CMake, Meson). Ruby partial, .NET planned.
Common blockers
No test suite (~20%), private dependencies (~15%), complex builds (~10%), flaky tests (~25%), missing build commands (~5%). XOR has mitigations for each.
What XOR supports today
Languages, build systems, CI platforms, and repository types supported by XOR's GitHub App. If your stack isn't listed, contact us.
Language and build system support
| Language | Build systems | Status |
|---|---|---|
| Python | pip, Poetry, Pipenv | [SUPPORTED] |
| JavaScript/TypeScript | npm, yarn, pnpm | [SUPPORTED] |
| Java | Maven, Gradle | [SUPPORTED] |
| Go | go modules | [SUPPORTED] |
| Rust | Cargo | [SUPPORTED] |
| C/C++ | Make, CMake, Meson | [SUPPORTED] |
| Ruby | Bundler | [PARTIAL] |
| .NET | NuGet | [PLANNED] |
Language ecosystem details
XOR's language support varies by completeness. Python, JavaScript/TypeScript, Java, and Go have full test suite integration and vulnerability detection. Rust and C/C++ support core verification but may have gaps in complex build scenarios. Ruby is supported via Bundler but test frameworks vary; contact us if your test runner isn't recognized.
For languages not in the table: XOR can still attempt analysis if your repo has a standard build command and test suite. We recommend starting with a small PR or test CVE to validate compatibility before relying on the platform for critical paths. Success rates depend on how closely your project follows language conventions.
CI/CD integration
| CI platform | Integration | Status |
|---|---|---|
| GitHub Actions | Native (webhook) | [SUPPORTED] |
| GitLab CI | Webhook relay | [PLANNED] |
| Jenkins | Webhook relay | [PLANNED] |
| CircleCI | Webhook relay | [PLANNED] |
Repository types
Single-repo
Standard flow. Fully supported.
Monorepo
Per-package triage scoped to affected module.
Private dependencies
Read-only mirror includes private deps.
Forked repos
Analysis runs on XOR's mirror, not your fork.
Archived repos are not supported (GitHub doesn't create PRs on archived repos).
Common blockers
No test suite (~20% of repos)
XOR generates a verification harness from CVE details. Lower confidence, but triage still runs.
Private/internal dependencies (~15%)
Read-only mirror includes private deps. Corporate proxy? Self-hosted option available.
Complex build: Docker-in-Docker, GPU (~10%)
XOR builds in isolated containers. Contact us for custom environments.
Flaky tests (~25%)
XOR retries and distinguishes flaky failures from genuine regressions.
Missing build commands (~5%)
XOR attempts auto-detection. If it fails, you see a comment asking for instructions.
[NEXT STEPS]
Get started
FAQ
Which languages does XOR support?
Python, JavaScript/TypeScript, Java, Go, Rust, and C/C++ are fully supported. Ruby has partial support. .NET is planned.
Does XOR work with monorepos?
Yes. XOR scopes triage to the affected module within a monorepo. Private dependencies are included via the read-only mirror.
What if my repo has no test suite?
XOR generates a verification harness from CVE details. Confidence is lower than when existing tests cover the vulnerable path, but triage still runs. About 20% of repos have no test suite.
Automated Vulnerability Patching and PR Review
Patches CVEs automatically. Reviews every AI-generated PR with a pass/fail verification report.
Getting Started with XOR GitHub App
Install in 2 minutes. First result in 15. One-click GitHub App install, first auto-review walkthrough, and engineering KPI triad.
Platform Capabilities
One install. Seven capabilities. Prompt-driven. CVE autopatch, PR review, CI hardening, guardrail review, audit packets, and more.
Dependabot Verification
Dependabot bumps versions. XOR verifies they're safe to merge. Reachability analysis, EPSS/KEV enrichment, and structured verdicts.
Compliance Evidence
Machine-readable evidence for every triaged vulnerability. VEX statements, verification reports, and audit trails produced automatically.
Command Reference
Every @xor-hardener command on one page. /review, /describe, /ask, /patch_i, /issue_spec, /issue_implement, and more.
See which agents produce fixes that work
128 CVEs. 15 agents. 1,920 evaluations. Agents learn from every run.