Skip to content
AI Security in Practice AI Security in Practice

GitHub Copilot Security: The 5 Mistakes Every Team Makes

Series: AI Security Do’s and Don’ts
Pillar: 5: Governance, Risk and Compliance
Difficulty: Intermediate
Author: Paul Lawlor
Date: 20 February 2026
Reading time: 11 minutes

Most organisations deploy GitHub Copilot by enabling licences and telling developers to get started. The security controls that matter most (content exclusions, public code filtering, and audit logging) remain unconfigured because nobody treated the rollout as a security decision.

Contents

Section titled “Contents”
  1. The rollout that skipped security
  2. How Copilot works and what it exposes
  3. The don’ts: five common mistakes
  4. The do’s: six defensive strategies
  5. The organisational challenge
  6. The path forward
  7. Further reading
  8. Notes

The rollout that skipped security

Section titled “The rollout that skipped security”

A mid-sized consultancy purchased GitHub Copilot Business licences for eighty developers. The IT team enabled the organisation, assigned seats, and sent a message to the engineering Slack channel: ‘Copilot is live. Install the extension and you’re good to go.’ No policies were configured. No content exclusions were set. The suggestions matching public code policy was left unconfigured. The developers were productive within the hour.

Three weeks later, a senior engineer reviewing a pull request noticed something unremarkable but wrong. A colleague’s error handler was logging the full request object (headers, cookies, and the Authorization bearer token) to the team’s shared logging service. The code was syntactically clean, well-commented, and had been accepted from a Copilot suggestion during a late-night debugging session. It passed the linter. It passed the unit tests. It would have passed most cursory code reviews.

The reviewer flagged it and checked the week’s other merged pull requests. Fourteen of them contained similarly verbose logging patterns generated by Copilot: request bodies with session tokens, stack traces that included environment variable values, error messages that exposed internal API paths. None of these were malicious. All of them were the kind of patterns that appear frequently in public repositories (tutorial code, Stack Overflow answers, abandoned projects) and that Copilot synthesises without distinguishing between educational examples and production-safe code.

The consultancy had no content exclusions configured, so Copilot’s context window included .env files, credential directories, and Terraform state across every repository. The suggestions matching public code policy, which can block Copilot from suggesting code that matches public repositories, had not been configured, so matching suggestions flowed through without organisational oversight. Audit logging was not available on their plan tier.

Nothing was breached. The logging service was internal. But the incident exposed a systemic gap: the organisation had deployed a tool that influences more lines of code per week than any individual developer, and had configured none of the security controls that GitHub provides for exactly this purpose.

Why this matters now

Section titled “Why this matters now”

GitHub Copilot is the most widely adopted AI coding assistant in enterprise environments. It now spans multiple capability levels: inline code completions, chat, agent mode in the IDE, and a coding agent that works autonomously on issues and pull requests.1 Each capability level carries different security implications, a distinction explored in depth in The Autonomy Ladder (Essay C in this series).

The OWASP Top 10 for LLM Applications (2025) identifies Sensitive Information Disclosure (LLM02) as a core risk for applications that process code context through cloud-hosted models.2 The NCSC Guidelines for Secure AI System Development require organisations to apply security controls throughout the AI system lifecycle, not just at deployment.3 GitHub provides the controls. Most organisations have not configured them.

This essay covers the five most common mistakes teams make when deploying GitHub Copilot, six defensive strategies grounded in GitHub’s own documentation and OWASP guidance, and the organisational changes needed to secure Copilot at scale.

How Copilot works and what it exposes

Section titled “How Copilot works and what it exposes”

GitHub Copilot operates through a client-server architecture. The IDE extension (available for VS Code, Visual Studio, JetBrains, and Neovim) sends context from the developer’s current workspace to GitHub’s cloud infrastructure. This context includes the open file, neighbouring files, imported libraries, comments, and recent edits. GitHub’s model processes this context and returns code suggestions that appear as inline ghost text or chat responses.1

The security-relevant features are controlled through organisation and enterprise policies. Content exclusions specify file paths and glob patterns that Copilot must never read for context, the equivalent of .gitignore for AI.4 Copilot also checks suggestions against an index of public repositories on GitHub.com using approximately 150 characters of surrounding context. The suggestions matching public code privacy policy determines what happens when a match is found: if set to Blocked, the suggestion is discarded entirely; if set to Allowed, the suggestion is shown with a code reference identifying the source repository and licence type.5 Matches typically occur in less than one per cent of suggestions, but the policy matters for both licence compliance and security.6

Three plan tiers determine which controls are available. Copilot Free and Pro provide individual settings with no organisational enforcement. Copilot Business adds organisation-level policies, content exclusions, and centralised seat management. Copilot Enterprise adds audit log streaming, repository indexing, and integration with enterprise identity providers.7 The critical distinction: on Free and Pro plans, security configuration is per-developer and unenforceable. On Business and Enterprise, it can be enforced centrally with no user override.

Enterprise policies cascade. When an enterprise owner defines a policy, it applies to all organisations and cannot be overridden at the organisation level. When the enterprise owner delegates by selecting ‘No policy,’ the most restrictive or least restrictive organisation policy applies depending on the feature. The suggestions matching public code policy is classified as a privacy policy, and privacy policies use the most restrictive rule: if any organisation blocks matching suggestions, the block applies to the user everywhere.8

The don’ts: five common mistakes

Section titled “The don’ts: five common mistakes”

Don’t 1: Treat Copilot as an IDE plugin rather than development infrastructure

Section titled “Don’t 1: Treat Copilot as an IDE plugin rather than development infrastructure”

The most common mistake is deploying Copilot without a security review, change request, or policy update. Teams enable licences the same way they approve a syntax highlighting extension. But Copilot transmits code context to an external cloud service, generates code that enters production systems, and, with agent mode and the coding agent, can execute commands and create pull requests autonomously.1 The NCSC Guidelines for Secure AI System Development state that security must be a core requirement throughout the lifecycle of an AI system, not an afterthought.3 Deploying Copilot without configuring its security controls is deploying infrastructure without hardening it.

Don’t 2: Skip content exclusions for sensitive file paths

Section titled “Don’t 2: Skip content exclusions for sensitive file paths”

Without content exclusions, Copilot reads every file in the developer’s workspace for context. This includes .env files, credential directories, private keys, Terraform state, and anything else the developer has open.4 The context is transmitted to GitHub’s servers for processing. Even with GitHub’s data handling commitments, the transmission itself creates risk. If Copilot never sees sensitive files, it cannot include their contents in suggestions or send them as context. Content exclusions are the simplest control with the highest impact, and they default to empty.

Don’t 3: Leave the suggestions matching public code policy unblocked

Section titled “Don’t 3: Leave the suggestions matching public code policy unblocked”

The suggestions matching public code privacy policy controls whether Copilot can suggest code that matches public GitHub repositories.5 When the policy is set to Blocked, matching suggestions are discarded before the developer sees them. This prevents two risks simultaneously: licence compliance violations from copyleft code appearing in commercial projects, and reproduction of known vulnerable patterns from public repositories. Some teams set the policy to Allowed because blocking reduces the volume of suggestions. On Business and Enterprise plans, the organisation can enforce the Blocked setting with no user override.6 Leaving the policy at Allowed, or worse unconfigured, means matching suggestions reach the developers working under the most pressure, exactly when the risk is highest.

Don’t 4: Deploy without static analysis in the CI/CD pipeline

Section titled “Don’t 4: Deploy without static analysis in the CI/CD pipeline”

Copilot has no built-in security validation. It generates code based on statistical patterns, not security best practices. When it suggests eval(userInput), pickle.loads(data), or a SQL query built with string concatenation, the suggestion is syntactically correct and functionally plausible, but insecure. OWASP identifies Improper Output Handling (LLM05) as a key risk: insufficient validation of LLM-generated outputs before they reach downstream systems.9 Without mandatory static analysis in the CI/CD pipeline, AI-generated vulnerabilities pass through the same merge process as human-written code, with no additional scrutiny.

Don’t 5: Assume the training data produces secure suggestions

Section titled “Don’t 5: Assume the training data produces secure suggestions”

Copilot’s model was trained on public repositories. Public repositories contain a mixture of production code, tutorial examples, abandoned proofs of concept, and Stack Overflow answers from a decade ago. The OWASP LLM Top 10 lists Supply Chain vulnerabilities (LLM03) as a significant risk, noting that training data can introduce biases and vulnerabilities.10 When Copilot suggests crypto.createHash('md5') or an authentication check using loose equality, it is synthesising patterns that appear frequently in its training corpus. The model does not distinguish between code that was written for a tutorial and code that belongs in production.

The do’s: six defensive strategies

Section titled “The do’s: six defensive strategies”

Do 1: Block suggestions matching public code, organisation-wide, with no user override

Section titled “Do 1: Block suggestions matching public code, organisation-wide, with no user override”

Navigate to your organisation’s Copilot policies and set the suggestions matching public code privacy policy to Blocked. This discards any suggestion that significantly matches public repositories before the developer sees it. On Enterprise plans, set this at the enterprise level so organisation owners cannot weaken it. Because this is a privacy policy, the most restrictive rule applies when a user belongs to multiple organisations: if any organisation blocks matching suggestions, the block applies everywhere.8 This is the single highest-value configuration change. It addresses both licence risk and the reproduction of known vulnerable patterns in a single setting.

Do 2: Configure content exclusions for all sensitive file patterns

Section titled “Do 2: Configure content exclusions for all sensitive file patterns”

Set content exclusions at the organisation level in Copilot policies.4 Essential patterns include:

**/.env*
**/secrets/**
**/*.key
**/*.pem
**/*.pfx
**/terraform.tfstate
**/credentials.*
**/.ssh/**

Test the exclusions by opening an excluded file. Copilot should indicate that content exclusions apply. Review and update the exclusion list quarterly as infrastructure evolves. This control eliminates an entire category of risk: if Copilot cannot read sensitive files, it cannot leak their contents through suggestions or context transmission.

Do 3: Integrate static analysis as a mandatory CI/CD gate

Section titled “Do 3: Integrate static analysis as a mandatory CI/CD gate”

Add Semgrep or CodeQL (or both) as required status checks on protected branches. Configure rulesets that target common AI-generated vulnerability patterns: injection flaws, weak cryptography, hardcoded credentials, and dangerous function calls.

- name: Perform CodeQL Analysis
  uses: github/codeql-action/analyze@v3
  with:
    languages: javascript, python

Set branch protection rules so that pull requests cannot merge if high-severity findings are present.11 Track the ratio of static analysis findings in AI-generated code versus human-written code over time. This data tells you whether your Copilot configuration needs tuning and where developer training should focus.

Do 4: Use CODEOWNERS to enforce review on security-critical paths

Section titled “Do 4: Use CODEOWNERS to enforce review on security-critical paths”

Define a CODEOWNERS file that requires security team approval for changes to authentication, authorisation, payment processing, cryptographic operations, and infrastructure-as-code:

/src/auth/**           @security-team
/src/payments/**       @security-team
/infrastructure/**     @security-team @platform-team

Configure branch protection to require approval from code owners before merge.12 This ensures that AI-generated changes to high-risk code paths receive the same scrutiny as any other change, regardless of how they were produced.

Do 5: Enable audit logging and stream to your SIEM

Section titled “Do 5: Enable audit logging and stream to your SIEM”

On Copilot Enterprise, enable audit log streaming to your security information and event management platform.7 GitHub provides Copilot usage metrics (including acceptance rates, active users, and language breakdowns) through the Copilot metrics API and dashboard.13 Set alerts for anomalous patterns: usage in repositories marked as restricted, acceptance rates that deviate significantly from the team baseline, or activity outside normal working hours. Without audit logging and usage monitoring, you have no visibility into how Copilot is being used across the organisation, and no way to detect when usage patterns indicate a configuration or process gap.

Do 6: Update your Secure Development Lifecycle to account for AI-generated code

Section titled “Do 6: Update your Secure Development Lifecycle to account for AI-generated code”

Most organisations deployed Copilot without updating their SDL policies, creating a gap where AI-generated code bypasses existing controls. Close this gap explicitly. Define which code categories require enhanced review when AI-generated: authentication logic, cryptographic operations, database queries, and PII handling at minimum. Update your incident response playbook with AI-specific scenarios: when a vulnerability is traced to an AI-generated suggestion, the runbook should include searching the codebase for similar patterns using static analysis rules, since the same suggestion may have been accepted by multiple developers. The NCSC Guidelines recommend that security controls be applied throughout the AI system lifecycle, including operational monitoring and update management.3

The organisational challenge

Section titled “The organisational challenge”

The configuration gap

Section titled “The configuration gap”

Most organisations that deploy Copilot configure the licence assignments and nothing else. Content exclusions remain empty. The suggestions matching public code policy is not set to Blocked. Audit logging is not enabled (or not available on their plan tier). The result is a tool that transmits code context to an external service, generates suggestions drawn from public repositories, and produces code that enters production, all without the security controls that the vendor provides and the organisation’s own risk appetite would require.

The evolving capability problem

Section titled “The evolving capability problem”

Copilot is no longer just an autocomplete tool. It now includes chat, agent mode with MCP server support, and a coding agent that works autonomously on issues.1 A security policy written for inline completions does not cover a tool that can execute commands and create pull requests. The autonomy ladder framework from Essay C in this series provides a structured way to assess which controls are appropriate at each capability level. If your Copilot policy was written when the tool only offered completions, it needs updating.

The visibility problem

Section titled “The visibility problem”

Without audit logging, organisations cannot answer basic questions: how much AI-generated code is entering the codebase? Which repositories have the highest Copilot usage? Are content exclusions configured consistently across all organisations in the enterprise? The UK AI Playbook for Government expects organisations to maintain an AI systems inventory.14 Copilot is an AI system component. Its configuration, usage patterns, and security posture belong in that inventory.

The path forward

Section titled “The path forward”

Three actions to take this week

Section titled “Three actions to take this week”

  1. Configure content exclusions. Set organisation-level content exclusions for .env files, credential directories, private keys, and infrastructure state files. This takes minutes and eliminates the most straightforward data exposure risk. Content exclusions require a Business or Enterprise plan. If you are on Free or Pro, this control is not available, which is one of the strongest reasons to upgrade.

  2. Block public code matches. Set the suggestions matching public code privacy policy to Blocked at the organisation or enterprise level, with no user override. This is the single most effective control for preventing licence violations and the reproduction of known vulnerable patterns.

  3. Add static analysis gates. If you do not already have SAST in your CI/CD pipeline, add CodeQL or Semgrep as a required status check on protected branches. If you already have SAST, verify that rulesets cover the vulnerability patterns most commonly generated by AI tools: injection, weak cryptography, and hardcoded credentials.

Looking ahead

Section titled “Looking ahead”

Copilot’s capabilities continue to expand. Agent mode and the coding agent introduce the same agentic security considerations covered in The MCP Trap (Essay B) and The Autonomy Ladder (Essay C) in this series. MCP server support in Copilot adds a supply chain dimension that requires the controls described in Essay B: approved server registries, least privilege, and dependency auditing.15

The fundamental principle remains the same: Copilot is development infrastructure, not a plugin. It influences more code than any individual developer. Configure it with the same rigour you apply to your CI/CD pipeline, your source control policies, and your cloud infrastructure.

What to do now

Section titled “What to do now”

Review your Copilot configuration against the six controls in this essay. Close the gaps. Share the checklist with your engineering lead, security team, and anyone responsible for developer tooling policy.

The controls exist. The documentation is clear. The only question is whether your organisation has configured them.

Further reading

Section titled “Further reading”
  1. GitHub Copilot Documentation: concepts, policies, and enterprise setup. Available at: https://docs.github.com/en/copilot/concepts
  2. GitHub Copilot Trust Center: security, privacy, and compliance documentation. Available at: https://copilot.github.trust.page
  3. OWASP Top 10 for LLM Applications (2025): LLM01 through LLM10. Available at: https://genai.owasp.org/llm-top-10/
  4. NCSC Guidelines for Secure AI System Development: secure design, development, deployment, and operation. Available at: https://www.ncsc.gov.uk/files/Guidelines-for-secure-AI-system-development.pdf
  5. UK AI Playbook for Government (2025): Principles 3, 4, and 5. Available at: https://www.gov.uk/government/publications/ai-playbook-for-the-uk-government/artificial-intelligence-playbook-for-the-uk-government-html
  6. Other essays in this series: The MCP Trap (Essay B), The Autonomy Ladder (Essay C)

Notes

Section titled “Notes”

Footnotes

Section titled “Footnotes”

  1. GitHub, ‘Concepts for GitHub Copilot,’ GitHub Copilot Documentation. Covers completions, chat, agents (including the coding agent), and MCP support. Available at: https://docs.github.com/en/copilot/concepts 2 3 4

  2. OWASP, ‘Top 10 for Large Language Model Applications (2025),’ LLM02: Sensitive Information Disclosure. ‘Sensitive information can affect both the LLM and its application context. This includes personal identifiable information (PII), financial details, health records, confidential business data, security credentials, and legal documents.’ Available at: https://genai.owasp.org/llmrisk/llm022025-sensitive-information-disclosure/

  3. NCSC, CISA, NSA, and international partners, ‘Guidelines for Secure AI System Development,’ November 2023. ‘Security must be a core requirement, not just in the development phase, but throughout the life cycle of the system.’ Available at: https://www.ncsc.gov.uk/files/Guidelines-for-secure-AI-system-development.pdf 2 3

  4. GitHub, ‘Content exclusion for GitHub Copilot,’ GitHub Copilot Documentation. Content exclusions specify file paths that Copilot must not use for context. Configured at the organisation level on Business and Enterprise plans. Available at: https://docs.github.com/en/copilot/concepts/context/content-exclusion 2 3

  5. GitHub, ‘GitHub Copilot code referencing,’ GitHub Copilot Documentation. ‘Copilot code referencing compares potential code suggestions and the surrounding code of about 150 characters against an index of all public repositories on GitHub.com.’ When matching suggestions are allowed, code references show the source repository and licence type. ‘Typically, matches to public code occur in less than one percent of Copilot suggestions.’ Available at: https://docs.github.com/en/copilot/concepts/completions/code-referencing 2

  6. GitHub, ‘GitHub Copilot policies to control availability of features and models,’ GitHub Copilot Documentation. Organisation owners set policies to control feature availability. Enterprise owners can define policies for the whole enterprise or delegate to organisation owners. Available at: https://docs.github.com/en/copilot/concepts/policies 2

  7. GitHub, ‘Managing policies and features for GitHub Copilot in your enterprise,’ GitHub Copilot Documentation. Enterprise-level controls including AI controls for Copilot, agents, and MCP. Available at: https://docs.github.com/en/copilot/how-tos/administer/enterprises/managing-policies-and-features-for-copilot-in-your-enterprise 2

  8. GitHub, ‘Feature availability when GitHub Copilot policies conflict in organizations,’ GitHub Copilot Documentation. For privacy-sensitive policies like suggestions matching public code, the most restrictive organisation policy applies. Available at: https://docs.github.com/en/copilot/reference/feature-availability-enterprise 2

  9. OWASP, ‘Top 10 for Large Language Model Applications (2025),’ LLM05: Improper Output Handling. ‘Improper Output Handling refers specifically to insufficient validation, sanitization, and handling of the outputs generated by large language models.’ Available at: https://genai.owasp.org/llmrisk/llm052025-improper-output-handling/

  10. OWASP, ‘Top 10 for Large Language Model Applications (2025),’ LLM03: Supply Chain. ‘LLM supply chains are susceptible to various vulnerabilities, which can affect the integrity of training data, models, and deployment.’ Available at: https://genai.owasp.org/llmrisk/llm032025-supply-chain/

  11. GitHub, ‘About CodeQL,’ GitHub CodeQL Documentation. Semantic code analysis with security-focused query suites. Available at: https://codeql.github.com/docs/codeql-overview/about-codeql/

  12. GitHub, ‘About code owners,’ GitHub Documentation. CODEOWNERS files define individuals or teams responsible for code in a repository and enforce review requirements. Available at: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners

  13. GitHub, ‘GitHub Copilot usage metrics,’ GitHub Copilot Documentation. Usage metrics including acceptance rates, active users, and language breakdowns. Available at: https://docs.github.com/en/copilot/concepts/copilot-metrics

  14. UK Government, ‘Artificial Intelligence Playbook for the UK Government,’ Section: Creating an AI systems inventory. ‘To provide a comprehensive view of all deployed AI systems within an organisation or programme, organisations should set up an AI and machine learning (ML) systems inventory.’ Available at: https://www.gov.uk/government/publications/ai-playbook-for-the-uk-government/artificial-intelligence-playbook-for-the-uk-government-html

  15. GitHub, ‘MCP server usage in your company,’ GitHub Copilot Documentation. MCP server management for enterprises, including the MCP servers in Copilot policy. Available at: https://docs.github.com/en/copilot/concepts/mcp-management