Dedicated security review command now available in Copilot CLI
Quick Take
GitHub Copilot CLI now includes an experimental /security-review command that allows developers to analyze local code changes for security vulnerabilities. This feature provides actionable insights on high-impact issues across 11 categories, enhancing the security of code before it reaches production.
Key Points
- /security-review analyzes local code changes for high-confidence security findings.
- It flags vulnerabilities across 11 categories, including injection flaws and XSS.
- The command offers actionable suggestions directly in the terminal.
- This feature complements existing tools like GitHub code scanning and Dependabot.
- To use it, enable experimental mode in Copilot CLI and run the command.
You can now run a security review on your code changes directly from GitHub Copilot CLI. The new /security-review slash command is shipping as an experimental feature in public preview, giving you a fast, AI-driven way to catch security vulnerabilities before they reach production code.
What it does
/security-review analyzes your local code changes and returns:
- High-confidence security findings, scored by severity and confidence.
- Actionable suggestions you can apply without leaving the terminal.
- A focused review that lives in your existing workflow.
The scan flags high-impact vulnerabilities across 11 categories, including injection flaws, XSS, broken access control and path traversal, SSRF, insecure deserialization and prototype pollution, weak cryptography, hardcoded credentials, sensitive data leaks, authentication and CORS failures, security misconfigurations, supply-chain risks like unpinned dependencies, and cross-prompt injection (XPIA) against LLM-integrated code.
This is a Copilot-driven scan that doesn’t rely on GitHub code scanning, Dependabot, or GitHub secret scanning. It complements those tools by giving you a lightweight, on-demand way to review your changes before you commit.
This is an experimental command. To try it, turn on experimental mode in Copilot CLI, then run /security-review in any project to scan your current changes.
Join the discussion and share your feedback within the GitHub Community.
— Originally published at github.blog