Risks and mitigations for GitHub Copilot coding agent

How do Copilot Codierungsassistent's built-in security protections mitigate known risks?

In diesem Artikel

Copilot coding agent is an autonomous agent that has access to your code and can push changes to your repository. This entails certain risks.

Where possible, GitHub has applied appropriate mitigations. This gives Copilot coding agent a strong base of built-in security protections that you can supplement by following best practice guidance.

Unvalidated code can introduce vulnerabilities

By default, Copilot coding agent checks code it generates for security issues and gets a second opinion on its code with Copilot code review. It attempts to resolve issues identified prior to completing the pull request. This improves code quality and reduces the likelihood of the code generated by Copilot coding agent introducing problems such as hardcoded secrets, insecure dependencies, and other vulnerabilities. Copilot coding agent's security validation does not require a GitHub Secret Protection, GitHub Code Security, or GitHub Advanced Security license.

  • CodeQL is used to identify code security issues.
  • Newly introduced dependencies are checked against the GitHub Advisory Database for malware advisories, and for any CVSS-rated High or Critical vulnerabilities.
  • Secret scanning is used to detect sensitive information such as API keys, tokens, and other secrets.
  • Details about the analysis performed and the actions taken by Copilot coding agent can be reviewed in the session log. See Tracking GitHub Copilot's sessions.

Optionally, you can disable one or more of the code quality and security validation tools used by Copilot coding agent. See Configuring settings for GitHub Copilot coding agent.

Copilot coding agent can push code changes to your repository

To mitigate this risk, GitHub:

  • Limits who can trigger the agent. Only users with write access to the repository can trigger Copilot coding agent to work. Comments from users without write access are never presented to the agent.
  • Limits the branch the agent can push to. Copilot coding agent only has the ability to push to a single branch. When the agent is triggered by mentioning @copilot on an existing pull request, Copilot has write access to the pull request's branch. In other cases, a new copilot/ branch is created for Copilot, and the agent can only push to that branch. The agent is also subject to any branch protections and required checks for the working repository.
  • Limits the agent's credentials. Copilot coding agent can only perform simple push operations. It cannot directly run git push or other Git commands.
  • Requires human review before merging. Draft pull requests created by Copilot coding agent must be reviewed and merged by a human. Copilot coding agent cannot mark its pull requests as "Ready for review" and cannot approve or merge a pull request.
  • Restricts GitHub Actions workflow runs. By default, workflows are not triggered until Copilot coding agent's code is reviewed and a user with write access to the repository clicks the Approve and run workflows button. Optionally, you can configure Copilot to allow workflows to run automatically. See Reviewing a pull request created by GitHub Copilot.
  • Prevents the user who asked Copilot coding agent to create a pull request from approving it. This maintains the expected controls in the "Required approvals" rule and branch protection. See Available rules for rulesets.

Copilot coding agent has access to sensitive information

Copilot coding agent has access to code and other sensitive information, and could leak it, either accidentally or due to malicious user input.

To mitigate this risk, GitHub restricts Copilot coding agent's access to the internet. See Customizing or disabling the firewall for GitHub Copilot coding agent.

AI prompts can be vulnerable to injection

Users can include hidden messages in issues assigned to Copilot coding agent or comments left for Copilot coding agent as a form of prompt injection.

To mitigate this risk, GitHub filters hidden characters before passing user input to Copilot coding agent: For example, text entered as an HTML comment in an issue or pull request comment is not passed to Copilot coding agent.

Administrators can lose sight of agents' work

To mitigate this risk, Copilot coding agent is designed to be auditable and traceable.

  • Copilot coding agent's commits are authored by Copilot, with the developer who assigned the issue or requested the change to the pull request marked as the co-author. This makes it easier to identify code generated by Copilot coding agent and who started the task.
  • Session logs and audit log events are available to administrators.
  • The commit message for each agent-authored commit includes a link to the agent session logs, for code review and auditing. See Tracking GitHub Copilot's sessions.