GitHub Adds On-Demand Security Reviews to the Copilot App
GitHub has added the /security-review command to the GitHub Copilot app in public preview. The command examines current workstream changes, returns prioritized findings with severity and confidence, and suggests fixes that developers can apply and check again inside Copilot. GitHub says it targets common vulnerability classes and complements code scanning, Dependabot, and secret scanning; the same concept was already available in Copilot CLI. Availability does not establish detection accuracy, coverage, or a safe auto-fix rate. LDS recommends running the review against seeded vulnerable and clean changes, measuring precision, recall, severity calibration, duplicate findings, repair regressions, and developer override behavior before treating it as a release gate.
What happened
GitHub has added the /security-review slash command to the GitHub Copilot app in public preview. It examines the developer's current workstream changes, returns prioritized findings labeled by severity and confidence, and suggests fixes that can be applied and checked again without leaving the app.
GitHub says the command targets common vulnerability classes including injection, cross-site scripting, insecure data handling, path traversal, and weak cryptography. It is available during preview across Copilot plans and extends a security-review workflow previously released for Copilot CLI. GitHub positions it as a complement to code scanning, Dependabot, and secret scanning rather than a replacement.
The release confirms availability, not effectiveness. GitHub has not published an independent benchmark showing the app's precision, recall, severity calibration, or repair safety across real repositories.
Security context
An AI review operates on a change set and surrounding context, while static analysis can use language-specific data flow and known rules. The tools may find different defects. A useful workflow preserves both signals and records why a finding was accepted, suppressed, or fixed.
| Evaluation layer | Useful test | Failure to watch |
|---|---|---|
| Detection | Seed known vulnerable changes | Missed or invented issue |
| Severity | Compare with expert rating | Urgent label on low-risk code |
| Context | Vary nearby files and configuration | Finding changes without code change |
| Repair | Apply suggestion and rerun tests | Security fix creates regression |
| Clean-code control | Review known-safe changes | Excessive false positives |
For practitioners
Teams should build a repository-specific test pack containing known vulnerabilities, fixed versions, intentionally safe patterns, generated code, configuration changes, and dependency updates. Measure precision, recall, duplicate rate, review latency, and the proportion of suggested patches that pass security and functional tests.
Do not allow a model-generated repair to bypass normal review. Every applied change should preserve the original finding, suggested patch, final diff, test result, reviewer decision, and tool version. Sensitive code also requires a clear data-handling assessment.
Editorial analysis
LDS sees the app integration as a useful shift-left convenience, particularly for developers who do not work primarily in a terminal. Its value depends on disciplined evaluation and layered controls. A confident explanation can improve triage, but confidence is not proof that a vulnerability is exploitable or that a patch is complete.
What to watch
Watch benchmark disclosures, enterprise controls, data-handling documentation, audit exports, custom rule support, false-positive management, and whether GitHub connects accepted findings to code-scanning evidence.
Key Points
- 1GitHub's Copilot app can now run on-demand security reviews over current code changes during a public preview.
- 2The feature prioritizes findings and suggests fixes, but GitHub has not published independent detection or repair-safety benchmarks.
- 3LDS recommends seeded-vulnerability, clean-control, severity, regression, data-handling, and reviewer-override tests before making it a release gate.
Scoring Rationale
An impact score of 5.5 reflects a useful security workflow added to a widely used coding tool, tempered by public-preview status and missing independent effectiveness benchmarks.
Sources
Primary source and supporting public references used for this report.
Practice interview problems based on real data
1,625 SQL & Python problems across 15 industry datasets — the exact type of data you work with.
Try 250 free problems


