Copilotコーディングエージェント is an autonomous agent that has access to your code and can push changes to your repository. This entails certain risks.
Where possible, GitHub has applied appropriate mitigations. This gives Copilotコーディングエージェント a strong base of built-in security protections that you can supplement by following best practice guidance.
Unvalidated code can introduce vulnerabilities
既定では、Copilotコーディングエージェント は、セキュリティの問題について生成されたコードをチェックし、Copilotコード レビュー を使用してコードに関する第二の意見を得ます。 プル要求を完了する前に特定された問題の解決を試みます。 これにより、コードの品質が向上し、ハードコーディングされたシークレット、安全でない依存関係、その他の脆弱性などの問題が Copilotコーディングエージェント によって生成される可能性が低くなります。 Copilotコーディングエージェント's security validation does not require a GitHub Secret Protection, GitHub Code Security, or GitHub Advanced Security license.
- CodeQL is used to identify code security issues.
- Newly introduced dependencies are checked against the GitHub Advisory Database for malware advisories, and for any CVSS-rated High or Critical vulnerabilities.
- Secret scanning is used to detect sensitive information such as API keys, tokens, and other secrets.
- Details about the analysis performed and the actions taken by Copilotコーディングエージェント can be reviewed in the session log. See GitHub Copilot のセッションを追跡する.
Optionally, you can disable one or more of the code quality and security validation tools used by Copilotコーディングエージェント. See GitHub Copilot コーディング エージェントの設定の構成.
Copilotコーディングエージェント can push code changes to your repository
To mitigate this risk, GitHub:
- Limits who can trigger the agent. Only users with write access to the repository can trigger Copilotコーディングエージェント to work. Comments from users without write access are never presented to the agent.
- Limits the branch the agent can push to. Copilotコーディングエージェント only has the ability to push to a single branch. When the agent is triggered by mentioning
@copiloton an existing pull request, Copilot has write access to the pull request's branch. In other cases, a newcopilot/branch is created for Copilot, and the agent can only push to that branch. The agent is also subject to any branch protections and required checks for the working repository. - Limits the agent's credentials. Copilotコーディングエージェント can only perform simple push operations. It cannot directly run
git pushor other Git commands. - Requires human review before merging. Draft pull requests created by Copilotコーディングエージェント must be reviewed and merged by a human. Copilotコーディングエージェント cannot mark its pull requests as "Ready for review" and cannot approve or merge a pull request.
- Restricts GitHub Actions workflow runs. By default, workflows are not triggered until Copilotコーディングエージェント's code is reviewed and a user with write access to the repository clicks the Approve and run workflows button. Optionally, you can configure Copilot to allow workflows to run automatically. See GitHub Copilotによって作成されたプル要求の確認.
- Prevents the user who asked Copilotコーディングエージェント to create a pull request from approving it. This maintains the expected controls in the "Required approvals" rule and branch protection. See ルールセットで使用できるルール.
Copilotコーディングエージェント has access to sensitive information
Copilotコーディングエージェント has access to code and other sensitive information, and could leak it, either accidentally or due to malicious user input.
To mitigate this risk, GitHub restricts Copilotコーディングエージェント's access to the internet. See GitHub Copilot コーディング エージェントのファイアウォールのカスタマイズまたは無効化.
AI prompts can be vulnerable to injection
Users can include hidden messages in issues assigned to Copilotコーディングエージェント or comments left for Copilotコーディングエージェント as a form of prompt injection.
To mitigate this risk, GitHub filters hidden characters before passing user input to Copilotコーディングエージェント: For example, text entered as an HTML comment in an issue or pull request comment is not passed to Copilotコーディングエージェント.
Administrators can lose sight of agents' work
To mitigate this risk, Copilotコーディングエージェント is designed to be auditable and traceable.
- Copilotコーディングエージェント's commits are authored by Copilot, with the developer who assigned the issue or requested the change to the pull request marked as the co-author. This makes it easier to identify code generated by Copilotコーディングエージェント and who started the task.
- Session logs and audit log events are available to administrators.
- The commit message for each agent-authored commit includes a link to the agent session logs, for code review and auditing. See GitHub Copilot のセッションを追跡する.