SecurityDeveloper Tools

GitHub Copilot App Now Has /security-review — Free for All

GitHub Copilot app security review slash command interface

GitHub shipped /security-review to its Copilot desktop app on July 14, putting AI-powered pre-commit vulnerability scanning in front of every Copilot user — including those on the free tier — without requiring a terminal. The same scan has been in Copilot CLI since June, locked behind an experimental mode flag that most developers never enabled. The app integration removes that barrier. You open a project, make changes, type one command, and get scored findings with inline fix suggestions before a single line reaches a pull request.

That distinction matters more than it sounds. Security features no one finds do not improve security. A terminal flag with opt-in has a very different adoption curve than a slash command in the interface you already have open.

What /security-review Does

The command scans your current working diff — the changes you have made but not yet committed — and returns findings ranked by severity and confidence. GitHub has tuned it for five high-impact vulnerability classes: injection flaws, cross-site scripting, insecure data handling, path traversal, and weak cryptography. Findings arrive with a confidence score (GitHub filters low-confidence results to limit noise) and actionable fix suggestions you can apply and re-verify without switching context.

Using it takes four steps:

  1. Open a project in the GitHub Copilot app.
  2. Make your code changes.
  3. Type /security-review in the chat.
  4. Review findings by severity, apply suggested fixes, re-run to confirm.

The whole loop — scan, review finding, apply fix, confirm — happens inside the Copilot app. No terminal, no dashboard switch, no ticket.

Three Security Features, One Day

GitHub did not ship this alone. July 14 also brought two companion features that together close a security loop GitHub has been building toward for over a year.

The first is AI-powered detections surfacing directly on pull requests. These cover a gap CodeQL has always had: it handles deep semantic analysis for supported languages, but misses Shell/Bash, Dockerfiles, Terraform, and PHP. The new AI detections do not. In a 30-day internal test, the system processed more than 170,000 findings with over 80% positive developer feedback. Results appear in the PR alongside standard code scanning findings.

The second is agentic autofix. When Copilot finds a code scanning alert, you assign it to Copilot directly. Copilot then explores the relevant files, proposes a fix, reruns CodeQL to confirm the fix works, and opens a draft PR. The process takes two to four minutes. In 2025, this approach closed more than 460,000 security alerts — cutting average resolution time from 1.29 hours to 0.66 hours.

LayerToolWhen It Runs
Pre-commit/security-review (Copilot app or CLI)Before you commit
PR reviewAI-powered detectionsOn pull request
Post-detectionAgentic autofixAfter alert is found

What It Does Not Replace

/security-review is a fast first pass, not a full security audit. It scans your current diff, not your entire codebase. It cannot replace CodeQL for deep semantic analysis, Dependabot for dependency vulnerability tracking, or secret scanning for hardcoded credentials. The CLI version has a BYOK offline mode (COPILOT_OFFLINE=true) for regulated environments; the app version has not confirmed equivalent support.

False positives are real. GitHub’s LLM-based scanning ships with a confidence threshold to filter out weak signals, but independent reviews of similar tools put false-positive rates in the 15–25% range. You will occasionally triage a finding that turns out to be a non-issue. That is the cost of a pre-commit scan that runs in seconds with no configuration.

What it gives you in return is coverage most teams do not have today: a security check before code leaves your machine, available on every Copilot plan, requiring nothing more than a slash command. ByteIota covered the CLI version when it shipped in June — the app integration is a different story because it expands reach to the developers who never touch the terminal version.

Enable It Now

If you have the GitHub Copilot app installed, /security-review is available in public preview today at no additional cost. Run it on your next change set before you commit. Treat it as your first security filter, and leave CodeQL and the rest of your scanning stack to catch what it misses. That is what it was built for. The official GitHub changelog has the full feature details.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.

    You may also like

    Leave a reply

    Your email address will not be published. Required fields are marked *

    More in:Security