GitHub just shipped the most useful security feature in the Copilot app since Code Scanning — and it is a slash command. No experimental-mode opt-in. No terminal incantation. No Copilot Business upgrade gate. Type the command in the Copilot desktop app, and an LLM scans your uncommitted diff for injection, XSS, weak cryptography, path traversal, and insecure data handling before a single character of vulnerable code reaches your repo. This is the first time GitHub Copilot's pre-commit vulnerability scanning is available to every subscriber — Free tier included — and the timing is not coincidental.
GitHub Copilot is, by GitHub's own positioning, the largest single source of AI-generated code in the world. Veracode's 2025 GenAI Code Security Report tested more than 100 large language models across 80 representative programming tasks and found that 45% of AI-generated code introduces at least one OWASP vulnerability. GitHub is, in other words, simultaneously the entity most responsible for the volume of potentially vulnerable AI code reaching developer machines and the entity now shipping a pre-commit tool to catch it before it lands in a pull request. That is a rare honest loop: ship the fire, ship the extinguisher, give both away to the same audience.
When you invoke the command in the Copilot desktop app, three things happen, in order. The app captures your workstream diff — the set of uncommitted changes sitting in your working tree. It submits that diff to GitHub's cloud-hosted Copilot model routing infrastructure, where LLM inference runs against the changed code. It returns a prioritized list of findings scored by severity and confidence.
[[DIAGRAM: developer types slash command → Copilot app captures workstream diff → diff posted to cloud-hosted Copilot model routing → LLM inference scans for OWASP classes → prioritized findings returned → developer reviews before git commit]]
Five vulnerability classes are in scope, and the picks are not arbitrary. All five map directly to the OWASP Top 10, and all five are the precise categories Veracode identified as the ones AI-generated code introduces most frequently:
../
-style escapes from a supposed chroot.The scanner is tuned to where the actual AI-generated failure rate is highest, not to a generic "lint for vulns" checklist. That is the right shape for a fast local check. You are not running a full SAST pass against your repo — you are running the five checks that, statistically, are most likely to be wrong in the diff the AI just helped you write.
The headline win is "AI scans AI code before it lands in your repo," and that is real. The under-discussed win is the intervention point. A finding that costs the developer 30 seconds to fix during the edit becomes a 30-minute triage session once it is in a pull request, and a sprint-long incident if it ships to production. The cost of a security finding rises by roughly an order of magnitude per stage of the pipeline it survives, and the only stage cheaper than "during edit" is "during generation" — which Copilot cannot do without becoming a different product.
This is also where GitHub's existing security stack stops short, and where the new command slots in cleanly. CodeQL, the static analysis engine behind GitHub Code Scanning, performs taint analysis and dataflow tracking across the full repository using a semantic graph of the codebase. Dependabot handles known dependency vulnerabilities at the manifest level. Neither runs on uncommitted code at the developer's machine — both are repository-wide and CI-bound. The new slash command is the local, fast, model-driven layer that catches the obvious stuff before the slower, deeper, repository-wide scanners ever see the diff.
| Layer | Runs on | Catches | Misses |
|---|---|---|---|
| Copilot pre-commit slash command | Uncommitted diff, developer machine | 5 OWASP classes, model-inferred patterns | Architectural mistakes, missing authz, cross-platform drift |
| CodeQL | Full repo, CI | Taint flows, dataflow, semantic bugs | Speed, local pre-commit coverage |
| Dependabot | Manifest files, CI | Known dependency CVEs | First-party code, novel vuln patterns |
Read the rows as a stack, not as competitors. The slash command is not replacing CodeQL — it is the upstream filter that means CodeQL has less to wade through.
The flow is intentionally short. There is no settings panel to find, no YAML to commit, no .copilot/config.toml
to author.
git commit
is the goal state.Two things worth flagging in the workflow:
git commit
block on findings, you will be wiring something around it yourself.The label "AI security tool" invites over-trust. The slash command is a fast, model-driven check against a known-good list of OWASP categories, and OWASP categories are necessary but not sufficient.
Things it will not flag:
requireRole('admin')
on a route handler. The scanner looks for vulnerable patterns, not for missing checks.useUserStore()
hook that does not exist in your codebase, or used a Button
variant you do not ship. These do not fail the scanner, but they fail the next person who opens the file.[[COMPARE: OWASP vulnerabilities the AI scanner catches (injection, XSS, weak crypto, path traversal, insecure data handling) vs what it cannot catch (cross-platform UI drift, hallucinated component APIs, missing authorization, architectural mistakes, conventions that do not match the rest of the codebase)]]
The fix for the last two is the durable layer underneath the AI churn: a pinned, shared component API that gives every model — security-scanning or code-generating — a single source of truth to read from. When the same <Card>
resolves on web, iOS, and Android from one import, there is nothing for the LLM to hallucinate differently across surfaces, and nothing for a code reviewer to second-guess. That kind of convention is what AI tools actually respect at scale, and it is the part of the stack that does not change when the model does.
The trajectory here is not "AI replaces your AppSec team." It is "AI catches the cheap, high-frequency patterns at edit time so the human security reviewers can spend their hours on the architectural and authorization gaps that actually require judgment." A pre-commit LLM check against five OWASP classes is the bottom rung of that ladder. The next rungs are obvious: same model, broader category set; same model, repo-aware context (so it stops flagging patterns your codebase has explicitly hardened against); same model, post-commit summary feeding the PR review queue.
GitHub shipped the bottom rung on July 14. The rungs above it are the ones worth watching — and the durable developer experience underneath them is the convention-pinned codebase that all of them, security-scanning or code-generating, will read from. That part is yours to build, and it is the part that does not change when the model does.
The pre-commit scanner is a genuine step forward, and it is worth using today. The convention layer underneath it is the part that does not move when the model does — and that is the part worth investing in once the news cycle moves on.