Security validation for third-party coding agents
Quick Answer
GitHub has launched automatic security validation for third-party coding agents like Claude and OpenAI Codex, ensuring that all generated code is analyzed for vulnerabilities using CodeQL and other tools.
Quick Take
This feature, on by default, extends the protections already in place for GitHub Copilot to these agents, adding security coverage across repositories without requiring an Advanced Security license.
Key Points
- Third-party coding agents now receive automatic security validation for generated code.
- Code is analyzed for vulnerabilities and sensitive information like API keys.
- Protection is enabled by default and follows existing Copilot settings.
- No GitHub Advanced Security license is required for these validations.
- Hundreds of potential security leaks have been prevented since October 2025.
Security validation for third-party coding agents is now generally available. GitHub supports third-party coding agents (including Claude and OpenAI Codex) that work directly within your repositories to implement features, fix bugs, and improve test coverage. Code generated by these agents now receives the same automatic security validation already available for the GitHub Copilot cloud agent. Learn more by reading Risks and mitigations for GitHub Copilot cloud agent.
When a third-party coding agent creates code in your repository, GitHub now automatically analyzes it for potential security vulnerabilities using CodeQL, checks newly introduced dependencies against the GitHub Advisory Database, and uses GitHub secret scanning to detect sensitive information such as API keys and tokens. If the analysis finds any issues, the agent attempts to resolve them before finalizing the pull request.
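As an added illustration (not GitHub's code), the following script mimics two of the three checks described above on the added lines of a pull-request diff: matching secret-like tokens and looking up newly added dependencies against an advisory table. The two token patterns, the package name and the advisory id are constructed placeholders, the advisory table stands in for the real Advisory Database query, and CodeQL analysis is not reproduced.

```python
import re

# Constructed patterns for two common token formats (AWS access key ID, GitHub PAT);
# real secret scanning covers many more providers.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Constructed stand-in for the GitHub Advisory Database lookup;
# package name and advisory id are placeholders, not real entries.
ADVISORIES = {("examplepkg", "1.0.0"): "GHSA-xxxx-xxxx-xxxx"}
DEP_LINE = re.compile(r"^([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)$")

def added_lines(diff: str):
    """Yield (file, text) for each line a unified diff adds; context and removals are skipped."""
    current = ""
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            current = raw[4:].removeprefix("b/")
        elif raw.startswith("+") and not raw.startswith("+++"):
            yield current, raw[1:]

def validate_diff(diff: str) -> list[tuple[str, str, str]]:
    """Return (kind, file, detail) findings from the secret and dependency checks."""
    findings = []
    for file, line in added_lines(diff):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append(("secret", file, name))
        # Dependency check only on requirements files; other files are skipped.
        m = DEP_LINE.match(line.strip()) if file.endswith("requirements.txt") else None
        if m and (m.group(1).lower(), m.group(2)) in ADVISORIES:
            advisory = ADVISORIES[(m.group(1).lower(), m.group(2))]
            findings.append(("vulnerable_dependency", file, f"{m.group(0)} ({advisory})"))
    return findings

# Constructed sample PR diff: config.py adds two hard-coded tokens, requirements.txt a flagged package.
SAMPLE_DIFF = """\
--- a/src/config.py
+++ b/src/config.py
@@ -1,2 +1,4 @@
 import os
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+GH_TOKEN = "ghp_0123456789abcdef0123456789abcdef0123"
 REGION = os.environ.get("REGION")
--- a/requirements.txt
+++ b/requirements.txt
@@ -1 +1,2 @@
 flask==3.0.0
+examplepkg==1.0.0
"""
```

Running `validate_diff(SAMPLE_DIFF)` yields two secret findings for `src/config.py` and one vulnerable-dependency finding for `requirements.txt`; a real gate would then hand these back to the agent to fix before the pull request is finalized.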
Since we released automatic code validation for Copilot cloud agent in October 2025, we’ve proactively prevented hundreds of potential security leaks and vulnerabilities. Extending this protection to third-party agents helps ensure that every line of agent-generated code undergoes the same security checks, regardless of which coding agent wrote it.
These security validations are on by default and follow your repository’s Copilot settings for which validation tools to use. If you’ve already enabled security validation for Copilot cloud agent, third-party agents will automatically receive the same protections. Security validation doesn’t require a GitHub Advanced Security license. See Configuring agent settings for more information.
— Originally published at github.blog