Copilot coding agent is an autonomous agent that has access to your code and can push changes to your repository. This entails certain risks.
Where possible, GitHub has applied appropriate mitigations. This gives Copilot coding agent a strong base of built-in security protections that you can supplement by following best practice guidance.
Unvalidated code can introduce vulnerabilities
By default, Copilot coding agent checks the code it generates for security issues and gets a second opinion on its code with Copilot code review. It attempts to resolve the issues identified before completing the pull request. This improves code quality and reduces the likelihood that code generated by Copilot coding agent introduces problems such as hardcoded secrets, insecure dependencies, and other vulnerabilities. Copilot coding agent's security validation does not require a GitHub Secret Protection, GitHub Code Security, or GitHub Advanced Security license.
- CodeQL is used to identify code security issues.
- Newly introduced dependencies are checked against the GitHub Advisory Database for malware advisories, and for any CVSS-rated High or Critical vulnerabilities.
- Secret scanning is used to detect sensitive information such as API keys, tokens, and other secrets.
- Details about the analysis performed and the actions taken by Copilot coding agent can be reviewed in the session log. See Tracking GitHub Copilot's sessions.
Optionally, you can disable one or more of the code quality and security validation tools used by Copilot coding agent. See Configuring settings for GitHub Copilot coding agent.
Copilot coding agent can push code changes to your repository
To mitigate this risk, GitHub:
- Limits who can trigger the agent. Only users with write access to the repository can trigger Copilot coding agent to work. Comments from users without write access are never presented to the agent.
- Limits the branch the agent can push to. Copilot coding agent only has the ability to push to a single branch. When the agent is triggered by mentioning @copilot on an existing pull request, Copilot has write access to the pull request's branch. In other cases, a new copilot/ branch is created for Copilot, and the agent can only push to that branch. The agent is also subject to any branch protections and required checks for the working repository.
- Limits the agent's credentials. Copilot coding agent can only perform simple push operations. It cannot directly run git push or other Git commands.
- Requires human review before merging. Draft pull requests created by Copilot coding agent must be reviewed and merged by a human. Copilot coding agent cannot mark its pull requests as "Ready for review" and cannot approve or merge a pull request.
- Restricts GitHub Actions workflow runs. By default, workflows are not triggered until Copilot coding agent's code is reviewed and a user with write access to the repository clicks the Approve and run workflows button. Optionally, you can configure Copilot to allow workflows to run automatically. See Reviewing a pull request created by GitHub Copilot.
- Prevents the user who asked Copilot coding agent to create a pull request from approving it. This maintains the expected controls in the "Required approvals" rule and branch protection. See Available rules for rulesets.
Copilot coding agent has access to sensitive information
Copilot coding agent has access to code and other sensitive information, and could leak it, either accidentally or due to malicious user input.
To mitigate this risk, GitHub restricts Copilot coding agent's access to the internet. See Customizing or disabling the firewall for GitHub Copilot coding agent.
AI prompts can be vulnerable to injection
Users can include hidden messages in issues assigned to Copilot coding agent or comments left for Copilot coding agent as a form of prompt injection.
To mitigate this risk, GitHub filters hidden characters before passing user input to Copilot coding agent. For example, text entered as an HTML comment in an issue or pull request comment is not passed to Copilot coding agent.
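The kind of pre-filter described above can be sketched as follows. This is an added example, not GitHub's implementation: the choice of what counts as hidden (HTML comments, Unicode format characters, the invisible tag block), the function names and the sample issue body are all assumptions made for illustration.

```python
import re
import unicodedata

# Constructed sample: an issue body carrying an HTML comment, a zero-width
# space, and two characters from the invisible Unicode tag block.
SAMPLE_ISSUE = (
    "Fix the login bug.<!-- text not shown in the rendered issue -->\n"
    "Steps: open /login\u200b" + "".join(chr(0xE0000 + ord(c)) for c in "hi")
)

# Fail closed: an unterminated comment is stripped to the end of the text.
HTML_COMMENT = re.compile(r"<!--.*?(?:-->|\Z)", re.DOTALL)


def is_hidden(ch):
    """True for characters that render as nothing (assumed policy)."""
    if 0xE0000 <= ord(ch) <= 0xE007F:  # Unicode tag block
        return True
    # Category Cf covers zero-width characters, bidi controls and the BOM.
    return unicodedata.category(ch) == "Cf"


def sanitize(text):
    """Return (visible_text, findings) so removals can be logged and reviewed."""
    findings = []

    def drop_comment(match):
        findings.append(("html_comment", match.group(0)))
        return ""

    text = HTML_COMMENT.sub(drop_comment, text)
    visible = []
    for ch in text:
        if is_hidden(ch):
            findings.append(("hidden_char", f"U+{ord(ch):04X}"))
        else:
            visible.append(ch)
    return "".join(visible), findings


if __name__ == "__main__":
    clean, findings = sanitize(SAMPLE_ISSUE)
    print(repr(clean))
    for kind, detail in findings:
        print(kind, detail)
```

Category Cf also contains the zero-width joiner used in emoji sequences, so a filter this strict changes how some emoji render; the findings list lets a reviewer see exactly what was dropped.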
Administrators can lose sight of agents' work
To mitigate this risk, Copilot coding agent is designed to be auditable and traceable.
- Copilot coding agent's commits are authored by Copilot, with the developer who assigned the issue or requested the change to the pull request marked as the co-author. This makes it easier to identify code generated by Copilot coding agent and who started the task.
- Session logs and audit log events are available to administrators.
- The commit message for each agent-authored commit includes a link to the agent session logs, for code review and auditing. See Tracking GitHub Copilot's sessions.
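An administrator can use these commit properties to inventory agent work in a repository. The script below is an added example, not GitHub tooling; the author name to match, the `git log` format string, the treatment of any https URL as the session log link, and the sample log are assumptions.

```python
import re

# Assumption: the page only says commits are "authored by Copilot".
AGENT_AUTHOR = "Copilot"
# Expected input: git log --format='%H%x1f%an%x1f%B%x1e'
FIELD, RECORD = "\x1f", "\x1e"
CO_AUTHOR = re.compile(r"^Co-authored-by:\s*(.+?)\s*<([^>]+)>\s*$", re.I | re.M)
URL = re.compile(r"https://\S+")  # assumption: any URL counts as the session link

# Constructed sample log with placeholder hashes, names and URLs.
SAMPLE_LOG = RECORD.join([
    FIELD.join(["1111111", "Copilot",
                "Add input validation\n\n"
                "Agent session: https://example.invalid/sessions/1\n\n"
                "Co-authored-by: Dana Dev <dana@example.invalid>\n"]),
    "\n" + FIELD.join(["2222222", "Dana Dev", "Update README\n"]),
    "\n" + FIELD.join(["3333333", "Copilot", "Refactor parser\n"]),
    "\n",
])


def audit(log_text, agent_author=AGENT_AUTHOR):
    """List agent-authored commits, who started each task, and any gaps."""
    report = []
    for record in log_text.split(RECORD):
        record = record.strip("\n")  # not strip(): it would eat the \x1f separator
        if not record:
            continue
        sha, author, body = record.split(FIELD, 2)
        if author != agent_author:
            continue
        co_authors = CO_AUTHOR.findall(body)
        links = URL.findall(body)
        gaps = []
        if not co_authors:
            gaps.append("no co-author trailer")
        if not links:
            gaps.append("no session log link")
        report.append({"sha": sha, "co_authors": co_authors,
                       "links": links, "gaps": gaps})
    return report


if __name__ == "__main__":
    for entry in audit(SAMPLE_LOG):
        print(entry)
```

Commits that list gaps are the ones to follow up on, since they lack the attribution or session link that the controls above describe.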