XOR Security_AppSec Abilities
| Ability | Trigger comment (top of Issue/PR) + Preview | Required input (templates / context) | What XOR does |
|---|---|---|---|
| CVE/GHSA → Autopatch PR | @xor-hardener Minimal autopatch for advisory; add failing test; keep CI green. Preview: Advisory Issue · Fix PR #386 · PR #389 | Issue using XOR: Autopatch request with GHSA/CVE/OSV link, repro/failing test, target branch. | Creates branch + PR with minimal fix, updates/adds test, links advisory + short risk note; ensures CI passes. |
| PR audit packet (evidence-linked) | @xor-hardener Compile audit packet for this PR after checks; link SHAs, tests, CI, reviewers. Preview: PR Review #387 | Run on the autopatch PR after CI/checks complete. | Posts single evidence packet (comment/artifact) linking files/SHAs, tests added, CI/checks URLs, Issue ref, reviewers. |
| Harden GitHub Actions (pin + least-privilege) | @xor-hardener Pin actions by SHA and reduce workflow permissions per job; keep CI green. Preview: Issue #388 · PR #389 | PR that modifies .github/workflows/*.yml, plus a note on which runners/secrets are actually needed. | Reviews and proposes/commits SHA-pinned actions and least-privilege permissions per job with rationale; keeps CI green. |
| Guardrail review (stop on low confidence) | @xor-hardener Review risky refactor; flag unsafe changes; don't flag risks if confidence is low. Preview: PR review + fix suggestions – | PR that deletes/refactors something potentially risky. | Leaves inline review with risk call-outs and an uncertainty stop, plus concrete next steps; no writes unless clearly safe. |
XOR DevSecOps_Platform Abilities
| Ability | Trigger comment (top of Issue/PR) + Preview | Required input (templates / context) | What XOR does |
|---|---|---|---|
| Green-build autopatch (fix failing CI) (coming soon) | @xor-hardener Diagnose failing test and restore green CI with the smallest safe diff. Preview: – | PR with one failing test; include failing job log snippet in PR body. | Produces small diff to restore green CI, plus comment explaining root cause and why the fix is minimal, with link to passing run. |
| OSV dependency review → patch plan (coming soon) | @xor-hardener Summarize OSV scan; triage exploitable vs not; propose minimal version bumps. Preview: – | Issue using XOR: OSV dependency review; attach/paste osv-scanner JSON; note ecosystems. | Posts triage table and prioritized patch plan; if safe, opens minimal bump PR(s) referencing the Issue. |
| Workflow permissions audit (least-privilege) (coming soon) | @xor-hardener Audit workflow permissions; propose per-job least-privilege YAML patch. Preview: – | PR that adds/changes a workflow with broad permissions. | Proposes YAML patch with per-job permissions map + rationale; optionally commits; CI remains green. |
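The "Harden GitHub Actions" row above and the "Workflow permissions audit" row in this table describe the same two checks: every `uses:` reference pinned to a full commit SHA, and an explicit least-privilege `permissions:` map on each job instead of a broad root grant. The script below is an added example, not XOR's own code, showing what those checks look like when run over a workflow. Both workflow texts are constructed sample input, the 40-hex SHAs in the hardened version are placeholders rather than real commits of those actions, and the parser is deliberately line-based so it runs without a YAML library.

```python
import re

# Constructed sample workflow: the "before" a hardening PR targets.
# Tag/branch refs and a root write-all grant are the findings.
WEAK_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions: write-all
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@main
      - run: npm test
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./publish.sh
"""

# Constructed "after": the root grants nothing, each job declares only what
# it needs, and every action is pinned to a full commit SHA with the tag kept
# as a comment. The SHAs are placeholders, not real commits of these actions.
HARDENED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions: {}
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions/setup-node@89abcdef0123456789abcdef0123456789abcdef # v4
      - run: npm test
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - run: ./publish.sh
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(text):
    """Return every `uses:` reference not pinned to a 40-hex commit SHA."""
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local actions and docker:// images have no tag to resolve; skip them.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if not FULL_SHA_RE.match(ref.partition("@")[2]):
            findings.append(ref)
    return findings


def permission_findings(text):
    """Flag a root write-all grant and any job lacking its own permissions map."""
    lines = text.splitlines()
    findings = []
    if any(re.match(r"^permissions:\s*write-all\b", ln) for ln in lines):
        findings.append("root permissions: write-all")
    starts = [i for i, ln in enumerate(lines) if ln.rstrip() == "jobs:"]
    if not starts:
        return findings
    job_indent, current, has_perms = None, None, {}
    for ln in lines[starts[0] + 1:]:
        if not ln.strip() or ln.lstrip().startswith("#"):
            continue
        ind = len(ln) - len(ln.lstrip(" "))
        if ind == 0:
            break  # left the jobs: mapping
        job_indent = job_indent or ind
        if ind == job_indent and ln.rstrip().endswith(":"):
            current = ln.strip()[:-1]          # a job key such as "test"
            has_perms[current] = False
        elif current and ind == job_indent + 2 and ln.strip().startswith("permissions:"):
            has_perms[current] = True
    findings += [f"job {j!r}: no per-job permissions map" for j, ok in has_perms.items() if not ok]
    return findings


def audit(text):
    """Combined finding list; empty means the workflow passes both checks."""
    return [f"unpinned action: {u}" for u in unpinned_actions(text)] + permission_findings(text)


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit(wf) or "OK")
```

The auditor only reports; turning a tag such as `v4` into the SHA the hardened file carries is the step a fix PR performs (resolving the tag against the action's repository and recording the tag in a trailing comment so the pin stays reviewable). Because the `uses:` check is line-based it also covers job-level reusable-workflow references, which should be pinned the same way.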
XOR Compliance_GRC Abilities
| Ability | Trigger comment (top of Issue/PR) + Preview | Required input (templates / context) | What XOR does |
|---|---|---|---|
| PR audit packet (evidence-linked) | @xor-hardener Compile audit packet for this PR after checks; link SHAs, tests, CI, reviewers. Preview: PR #387 (also #386 / #389) | Run on the autopatch PR after CI/checks complete. | Posts single evidence packet linking files/SHAs, tests added, CI/checks URLs, Issue ref, reviewers. |
| Repo controls → live evidence map (coming soon) | @xor-hardener Map repo controls to evidence (tests, pipelines, scanners); list gaps and next steps. Preview: – | Issue using XOR: Map controls to evidence, listing tests/build/code-scanning pipelines. | Publishes control → evidence table with live links to jobs, suites, scanners, artifacts; adds gap list + next actions. |