cd /news/artificial-intelligence/github-copilot-app-now-has-security-… · home topics artificial-intelligence article
[ARTICLE · art-60704] src=byteiota.com ↗ pub= topic=artificial-intelligence verified=true sentiment=↑ positive

GitHub Copilot App Now Has /security-review — Free for All

GitHub released /security-review for its Copilot desktop app on July 14, providing free AI-powered pre-commit vulnerability scanning to all users without requiring a terminal. The tool scans uncommitted code changes for five high-impact vulnerability classes and offers inline fix suggestions, while companion features add AI-powered detections on pull requests and agentic autofix to close security alerts faster.

read4 min views1 publishedJul 15, 2026
GitHub Copilot App Now Has /security-review — Free for All
Image: Byteiota (auto-discovered)

GitHub shipped /security-review

to its Copilot desktop app on July 14, putting AI-powered pre-commit vulnerability scanning in front of every Copilot user — including those on the free tier — without requiring a terminal. The same scan has been in Copilot CLI since June, locked behind an experimental mode flag that most developers never enabled. The app integration removes that barrier. You open a project, make changes, type one command, and get scored findings with inline fix suggestions before a single line reaches a pull request.

That distinction matters more than it sounds. Security features no one finds do not improve security. A terminal flag with opt-in has a very different adoption curve than a slash command in the interface you already have open.

What /security-review Does #

The command scans your current working diff — the changes you have made but not yet committed — and returns findings ranked by severity and confidence. GitHub has tuned it for five high-impact vulnerability classes: injection flaws, cross-site scripting, insecure data handling, path traversal, and weak cryptography. Findings arrive with a confidence score (GitHub filters low-confidence results to limit noise) and actionable fix suggestions you can apply and re-verify without switching context.

Using it takes four steps:

  • Open a project in the GitHub Copilot app.
  • Make your code changes.
  • Type /security-review

in the chat. - Review findings by severity, apply suggested fixes, re-run to confirm.

The whole loop — scan, review finding, apply fix, confirm — happens inside the Copilot app. No terminal, no dashboard switch, no ticket.

Three Security Features, One Day #

GitHub did not ship this alone. July 14 also brought two companion features that together close a security loop GitHub has been building toward for over a year.

The first is AI-powered detections surfacing directly on pull requests. These cover a gap CodeQL has always had: it handles deep semantic analysis for supported languages, but misses Shell/Bash, Dockerfiles, Terraform, and PHP. The new AI detections do not. In a 30-day internal test, the system processed more than 170,000 findings with over 80% positive developer feedback. Results appear in the PR alongside standard code scanning findings.

The second is agentic autofix. When Copilot finds a code scanning alert, you assign it to Copilot directly. Copilot then explores the relevant files, proposes a fix, reruns CodeQL to confirm the fix works, and opens a draft PR. The process takes two to four minutes. In 2025, this approach closed more than 460,000 security alerts — cutting average resolution time from 1.29 hours to 0.66 hours.

| Layer | Tool | When It Runs |

|---|---|---|
| Pre-commit | `/security-review` (Copilot app or CLI) | Before you commit |

| PR review | AI-powered detections | On pull request | | Post-detection | Agentic autofix | After alert is found |

What It Does Not Replace #

/security-review

is a fast first pass, not a full security audit. It scans your current diff, not your entire codebase. It cannot replace CodeQL for deep semantic analysis, Dependabot for dependency vulnerability tracking, or secret scanning for hardcoded credentials. The CLI version has a BYOK offline mode (COPILOT_OFFLINE=true

) for regulated environments; the app version has not confirmed equivalent support.

False positives are real. GitHub’s LLM-based scanning ships with a confidence threshold to filter out weak signals, but independent reviews of similar tools put false-positive rates in the 15–25% range. You will occasionally triage a finding that turns out to be a non-issue. That is the cost of a pre-commit scan that runs in seconds with no configuration.

What it gives you in return is coverage most teams do not have today: a security check before code leaves your machine, available on every Copilot plan, requiring nothing more than a slash command. ByteIota covered the CLI version when it shipped in June — the app integration is a different story because it expands reach to the developers who never touch the terminal version.

Enable It Now #

If you have the GitHub Copilot app installed, /security-review is available in public preview today at no additional cost. Run it on your next change set before you commit. Treat it as your first security filter, and leave CodeQL and the rest of your scanning stack to catch what it misses. That is what it was built for. The official GitHub changelog has the full feature details.

── more in #artificial-intelligence 4 stories · sorted by recency
── more on @github 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/github-copilot-app-n…] indexed:0 read:4min 2026-07-15 ·