Command Reference
Every @xor-hardener command on one page. /review, /describe, /ask, /patch_i, /issue_spec, /issue_implement, and more.
Quick reference
9 commands: /review, /describe, /ask, /ask_line, /issue_spec, /issue_implement, /issue_ask, /test_i, /patch_i. All available via natural language or explicit command syntax.
Automatic triggers
Dependabot PR → automatic triage. XOR-labeled PR → /describe + /review. Push to PR branch → configurable re-checks.
Every command. One page.
Mention @xor-hardener followed by a command or a plain-English prompt. Both work. XOR reads your intent, decides which capability applies, and runs it.
Quick reference
| Command | Where | What it does |
|---|---|---|
| /review | PR comment | Security-focused code review with inline suggestions |
| /describe | PR comment | Generate a structured PR description |
| /ask [question] | PR comment | Ask a question about the PR code |
| /ask_line | Line comment | Ask about specific lines in "Files changed" |
| /issue_spec | Issue comment | Generate a specification for an issue |
| /issue_implement | Issue comment | Implement a solution and open a PR |
| /issue_ask [question] | Issue comment | Ask a question about an issue |
| /test_i | PR or issue | Extract or generate test cases |
| /patch_i | PR or issue | Generate patches from an issue spec |
Natural language prompts
You don't need to memorize commands. Examples:
@xor-hardener Review this PR for security issues.
@xor-hardener This issue describes a bug in our auth flow. Write a spec for fixing it, then open a PR with the fix.
@xor-hardener Pin all actions in this workflow to SHA. Reduce permissions to least-privilege.
@xor-hardener What does this function do? Is it safe to remove the null check on line 42?
Automatic triggers
Dependabot opens a PR
XOR triages automatically with reachability + EPSS/KEV/CVSS
PR labeled with XOR label
XOR runs /describe + /review
Push to PR branch
XOR re-runs configured checks (configurable)
The two-step issue workflow
For larger work items:
Step 1: /issue_spec
XOR reads the issue, researches the codebase, and posts either questions (if it needs context) or a plan (if it has enough information).
Step 2: /issue_implement
XOR reads the approved plan, generates patches, creates a branch, and opens a PR with the fix and updated tests. You approve the plan before code is written.
[NEXT STEPS]
Start using XOR
FAQ
Do I need to use explicit commands?
No. XOR reads natural language. 'Review this PR for security issues' works the same as /review. Explicit commands are available for precision.
Which commands run automatically?
Dependabot PR triage runs automatically. PRs labeled with an XOR label get /describe + /review. Push-triggered checks are configurable.
What is the two-step issue workflow?
Step 1: /issue_spec — XOR researches the codebase and posts a plan. Step 2: /issue_implement — XOR generates patches and opens a PR. You approve the plan before code is written.
Patch verification
XOR writes a verifier for each vulnerability, then tests agent-generated patches against it. If the fix passes, it ships. If not, the failure feeds back into the agent harness.
Automated vulnerability patching
AI agents generate fixes for known CVEs. XOR verifies each fix and feeds outcomes back into the agent harness so future patches improve.
Benchmark Results
62.7% pass rate. $2.64 per fix. Real data from 1,664 evaluations.
Benchmark Results
62.7% pass rate. $2.64 per fix. Real data from 1,664 evaluations.
Agent Cost Economics
Fix vulnerabilities for $2.64–$52 with agents. 100x cheaper than incident response. Real cost data.
Agent Configurations
13 agent-model configurations evaluated on real CVEs. Compare Claude Code, Codex, Gemini CLI, Cursor, and OpenCode.
Benchmark Methodology
How CVE-Agent-Bench evaluates 13 coding agents on 128 real vulnerabilities. Deterministic, reproducible, open methodology.
Agent Environment Security
AI agents run with real permissions. XOR verifies tool configurations, sandbox boundaries, and credential exposure.
Security Economics for Agentic Patching
Security economics for agentic patching. ROI models backed by verified pass/fail data and business-impact triage.
Validation Process
25 questions we ran against our own data before publishing. Challenges assumptions, explores implications, extends findings.
Cost Analysis
10 findings on what AI patching costs and whether it is worth buying. 1,664 evaluations analyzed.
Bug Complexity
128 vulnerabilities scored by difficulty. Floor = every agent fixes it. Ceiling = no agent can.
Agent Strategies
How different agents approach the same bug. Strategy matters as much as model capability.
Execution Metrics
Per-agent session data: turns, tool calls, tokens, and timing. See what happens inside an agent run.
Pricing Transparency
Every cost number has a source. Published pricing models, measurement methods, and provider rates.
Automated Vulnerability Patching and PR Review
Automated code review, fix generation, GitHub Actions hardening, safety checks, and learning feedback. One-click install on any GitHub repository.
Getting Started with XOR GitHub App
Install in 2 minutes. First result in 15. One-click GitHub App install, first auto-review walkthrough, and engineering KPI triad.
Platform Capabilities
One install. Seven capabilities. Prompt-driven. CVE autopatch, PR review, CI hardening, guardrail review, audit packets, and more.
Dependabot Verification
Dependabot bumps versions. XOR verifies they're safe to merge. Reachability analysis, EPSS/KEV enrichment, and structured verdicts.
Compliance Evidence
Machine-readable evidence for every triaged vulnerability. VEX statements, verification reports, and audit trails produced automatically.
Compatibility and Prerequisites
Languages, build systems, CI platforms, and repository types supported by XOR. What you need to get started.
Continuous Learning from Verified Agent Runs
A signed record of every agent run. See what the agent did, verify it independently, and feed the data back so agents improve.
Signed Compliance Evidence for AI Agents
A tamper-proof record of every AI agent action. Produces evidence for SOC 2, EU AI Act, PCI DSS, and more. Built on open standards so auditors verify independently.
Compliance Evidence and Standards Alignment
How XOR signed audit trails produce evidence for SOC 2, EU AI Act, PCI DSS, NIST, and other compliance frameworks.
Agentic Third-Party Risk
33% of enterprise software will be agentic by 2028. 40% of those projects will be canceled due to governance failures. A risk overview for CTOs.
MCP Server Security
17 attack types across 4 surfaces. 7.2% of 1,899 open-source MCP servers contain vulnerabilities. Technical deep-dive with defense controls.
How Agents Get Attacked
20% jailbreak success rate. 42 seconds average. 90% of successful attacks leak data. Threat landscape grounded in published research.
Governing AI Agents in the Enterprise
92% of AI vendors claim broad data usage rights. 17% commit to regulatory compliance. Governance frameworks from NIST, OWASP, EU CRA, and Stanford CodeX.
OWASP Top 10 for Agentic Applications
The OWASP Agentic Top 10 mapped to real-world attack data and XOR capabilities. A reference page for security teams.
See which agents produce fixes that work
128 CVEs. 13 agents. 1,664 evaluations. Agents learn from every run.