Skip to main content
XOR
[DEPENDABOT]

Dependabot Verification

Dependabot bumps versions. XOR verifies they're safe to merge. Reachability analysis, EPSS/KEV enrichment, and structured verdicts.

Automated triage

Every Dependabot PR gets: CVE parsing, reachability analysis via Semgrep and SCALIBR, EPSS/KEV/CVSS enrichment, and a structured verdict. No @xor-hardener mention needed.

Cost dynamics

Without XOR: 200+ Dependabot PRs triaged per month at 20-45 min each. With XOR: automatic triage, 70-80% noise filtered by reachability analysis, 13 min median time from CVE to merged fix.

70-80%
Noise filtered by reachability
13 min
Median time to verified fix
0 min
Engineer triage time

Dependabot bumps versions. XOR verifies they're safe to merge.

Every Dependabot PR gets a structured triage: reachability analysis, exploitability assessment, EPSS/KEV enrichment, and a clear verdict. No manual triage. This runs automatically, no @xor-hardener mention needed.

How it works

[undefined]


Reachability analysis
XOR checks whether your code actually calls the vulnerable function, not just whether the dependency is present. Static analysis via Semgrep and SCALIBR against your repository's call graph. The analysis runs on XOR's read-only mirror, not on your infrastructure.
A typical org with 50 repos sees 200+ Dependabot PRs per month. 70-80% of flagged vulnerabilities are not reachable in the application's actual code paths. Reachability filtering eliminates that noise.


Exploitability scoring
Three public data sources, correlated:
EPSS
Probability of exploitation in next 30 days (0-1 scale)
CISA KEV
Already exploited in the wild
CVSS v3.1
Attack vector, complexity, privileges, impact
EXPLOITABLE: Reachable AND (EPSS > 0.1 OR in CISA KEV OR CVSS ≥ 7.0)
NOT EXPLOITABLE: Not reachable, or reachable but all risk indicators low
NEEDS REVIEW: Reachable but metrics are mixed, human judgment needed


Improved PRs
When the verdict is EXPLOITABLE, XOR opens a new PR superseding the Dependabot PR:
  1. Same version bump as Dependabot
  2. Regression test covering the vulnerable code path
  3. Pinned transitive dependencies if the advisory affects downstream packages
  4. Verification evidence: "Exploit reproduced pre-fix, fails post-fix"


Verdict lifecycle
Each Dependabot PR receives one structured comment from XOR, visible to all team members. The comment includes the reachability decision, exploitability metrics, and a recommended action. If your code changes and reachability status changes, mention @xor-hardener re-analyze to run triage again. XOR logs every verdict in your compliance trail for audit purposes.


Economic impact
Without XOR
200+ PRs/month triaged manually, 20-45 min each
Monthly cost: $10,000-$22,500 at $150/hr
With XOR
200+ PRs/month triaged automatically
70-80% noise filtered. 13 min median fix time.
Costs decrease as verification coverage grows. Each triaged vulnerability adds a regression test, reducing unknowns on future CVEs.


[NEXT STEPS]
Related documentation
Getting started →Compliance evidence →Benchmark economics →
FAQ
How does XOR work with Dependabot?
XOR intercepts every Dependabot PR automatically. It runs reachability analysis, enriches with EPSS/KEV/CVSS data, and posts a verdict: EXPLOITABLE, NOT EXPLOITABLE, or NEEDS REVIEW.
What is reachability analysis?
XOR checks whether your code actually calls the vulnerable function, not just whether the dependency is present. 70-80% of Dependabot alerts are not reachable in application code paths.
What happens when a vulnerability is exploitable?
XOR opens an improved PR that supersedes the Dependabot PR: same version bump, plus a regression test, pinned transitive dependencies, and verification evidence.
[RELATED TOPICS]
Automated Vulnerability Patching and PR Review
Patches CVEs automatically. Reviews every AI-generated PR with a pass/fail verification report.
Getting Started with XOR GitHub App
Install in 2 minutes. First result in 15. One-click GitHub App install, first auto-review walkthrough, and engineering KPI triad.
Platform Capabilities
One install. Seven capabilities. Prompt-driven. CVE autopatch, PR review, CI hardening, guardrail review, audit packets, and more.
Compliance Evidence
Machine-readable evidence for every triaged vulnerability. VEX statements, verification reports, and audit trails produced automatically.
Compatibility and Prerequisites
Languages, build systems, CI platforms, and repository types supported by XOR. What you need to get started.
Command Reference
Every @xor-hardener command on one page. /review, /describe, /ask, /patch_i, /issue_spec, /issue_implement, and more.
See which agents produce fixes that work
128 CVEs. 15 agents. 1,920 evaluations. Agents learn from every run.