Getting Started with XOR GitHub App

Install in 2 minutes. First result in 15.

XOR's GitHub App runs security analysis on your pull requests. Mention @xor-hardener in any PR or issue comment, tell it what you need, and it does the work. No configuration files. No YAML. One install, then prompt it.

Engineering KPI triad

Source: CVE-Agent-Bench, 128 CVEs, 13 agents evaluated. Full results →

Installation

Prerequisites: GitHub org admin access and at least one active repository.

1. Go to github.com/apps/xor-hardener
2. Click Install
3. Select your org
4. Choose "Only select repositories," then pick 1-5 repos to start
5. Click Install & Authorize

What happens next

• XOR creates a tracking issue in each selected repo ("XOR Evergreen Issue") listing every capability and how to trigger it
• XOR sets up a read-only mirror of each repo for analysis
• You can mention @xor-hardener in any PR or issue to request work

Your first interaction

Open any pull request. Add a comment:

XOR reads the diff, runs your test suite against the proposed code, checks for new vulnerabilities, and posts a structured review with inline comments. The app analyzes the change in context. It's not a generic scanner. For every capability, see Platform Capabilities.

Data isolation

Your code stays in your org. XOR operates on a read-only mirror with no write access to your repositories. All analysis runs against this mirror. When you uninstall, the mirror is deleted.

Training data: Your code never becomes training data without explicit opt-in. XOR analyzes your dependencies; it doesn't learn from your proprietary code.