# Stop GitHub Copilot From Sabotaging Your Terraform Security > Source: > Published: 2026-06-27 10:03:46+00:00 [Security](https://www.devclubhouse.com/c/security)Article # Stop GitHub Copilot From Sabotaging Your Terraform Security AI autocompletions silently introduce insecure IaC patterns that pass local validation but fail in production. [Emeka Okafor](https://www.devclubhouse.com/u/emeka_okafor) You write a resource block, hit Tab, and your AI assistant autocompletes a security group. The syntax is perfect HCL. It passes `terraform validate` without a whisper. The initial plan shows a clean diff. But under the hood, the suggestion just opened ports 0 to 65535 to `0.0.0.0/0` or set `publicly_accessible = true` on your RDS instance. This is the core of the [GitHub Copilot](https://github.com/features/copilot) Terraform security problem. The suggestions are syntactically valid, pass local checks, and still compromise your security posture on the first apply. We cannot treat AI assistants like junior developers who just need a standard code review. Instead, we must build automated, IDE-level and CI/CD-level guardrails specifically designed to neutralize AI-generated infrastructure risks before they reach a state file. ## The Anatomy of an AI-Generated IaC Failure AI-driven infrastructure suggestions fail quietly, but they follow highly predictable patterns: **The Public Database Default:** In roughly 60% of database completions observed in public trackers, Copilot sets`publicly_accessible = true` on`aws_db_instance` resources. It also systematically defaults`deletion_protection = false` on RDS clusters, Cloud SQL instances, and Azure PostgreSQL servers. To an engineer unfamiliar with the specific codebase, these look like reasonable defaults.**The Kubernetes Bypass:** In Kubernetes manifests, Copilot frequently suggests`hostNetwork: true` as a quick fix for DNS resolution issues inside pods, bypassing network policies entirely. It also quietly drops`readOnlyRootFilesystem` from`securityContext` blocks.**The Correctness Traps:** Copilot frequently suggests`lifecycle { ignore_changes = all }` as a quick way to silence drift warnings. This is a correctness trap that masks real infrastructure divergence.**The Multi-Tab Leak:** Copilot Chat in VS Code reads all open editor tabs for context. If you have`prod.tfvars` open while asking Copilot to generate a staging config, it can echo production account IDs, bucket names, and state key paths directly into the generated output. ## Why General-Purpose LLMs Struggle with Infrastructure To fix this, we have to understand why it happens. It is not a failure of the developer, but a structural limitation of how LLMs handle infrastructure as code. First, there is massive training data skew. Public repositories over-represent quick-start guides, tutorials, and blog posts. These resources intentionally skip security hardening to keep examples short and readable. Copilot's probability distribution has learned from this corpus. It favors insecure defaults because those values appear constantly in "getting started" content. For example, the [Checkov](https://www.checkov.io) check `CKV_AWS_57` exists specifically because S3 buckets with public ACLs are incredibly common in public training data. Second, Copilot has no state awareness. It has no access to your `.tfstate` file, your module outputs, or your backend configuration. It generates module references like `module.vpc.private_subnet_ids` based on pattern matching. If your actual module structure does not match that pattern, the code compiles but fails at plan time with an undeclared module error. Third, context window truncation causes syntax regression. In files over roughly 300 lines, Copilot often loses the top-of-file provider block and version constraints. It begins generating syntax valid for Terraform 0.12 or 0.13 (such as unnecessary `${var.name}` interpolation or deprecated `list()` and `map()` constructors) inside a codebase running modern [Terraform](https://www.terraform.io) 1.7.x. ## Hardening the IDE with Copilot Instructions and Custom Agents We cannot rely solely on manual code reviews to catch these issues. Instead, we must inject machine-readable constraints directly into the AI's generation loop. For organizations using GitHub Copilot for Business or Enterprise, the fastest intervention is the `.github/copilot-instructions.md` file. Supported as of Q1 2025, this file instructs Copilot to follow repo-specific rules during both inline completions and chat sessions. Create a file at `.github/copilot-instructions.md` with explicit directives: ``` # Copilot Instructions - IaC Repository ## Security Rules (apply to all Terraform and Kubernetes suggestions) - Never suggest `0.0.0.0/0` in security group ingress or egress rules. - Always include `lifecycle { prevent_destroy = true }` on stateful resources (aws_db_instance, aws_s3_bucket, aws_rds_cluster). - Default encryption to `true` for all storage resources. - Set `publicly_accessible = false` on all database resources. - Set `deletion_protection = true` on all database and cache resources. - Never suggest `lifecycle { ignore_changes = all }`. - Pin all provider versions using the `~>` pessimistic constraint. ``` For teams managing complex cloud environments, you can take this further by using custom Copilot agents and skills inside VS Code. By placing reusable knowledge packets in `.github/skills/` and agent definitions in `.github/agents/` , you can force Copilot to query specific tools or standards before generating code. For example, an agent can be configured to call an Azure or AWS best-practices tool first, load your internal module patterns, and only then output the HCL. This brings security feedback directly into the IDE, shortening the feedback loop before a pull request is even opened. ## Building the CI/CD Safety Net While IDE-level guardrails reduce the volume of bad suggestions, they are not a replacement for automated enforcement. Every AI-generated line of code must be treated with the same skepticism as an untrusted third-party pull request. Your CI/CD pipeline must act as the final gate. This means running static analysis tools like Checkov, tfsec, or [CodeQL](https://codeql.github.com) on every commit. If Copilot slips a `publicly_accessible = true` past a developer, the pipeline must block the merge. Furthermore, establish a strict policy regarding open editor tabs. Developers should close sensitive files like `prod.tfvars` or deployment secrets before initiating Copilot Chat sessions to prevent lateral information exposure. Copilot is an excellent accelerator for typing boilerplate HCL, but left unguided, it is a liability generator. By implementing `.github/copilot-instructions.md` and backing it up with automated CI scanning, you can keep the speed of AI-assisted development without inheriting its worst habits. ## Sources & further reading - [Fix GitHub Copilot Terraform Security Risks Before They Hit Prod](https://dev.to/oleksandr_kuryzhev_42873f/fix-github-copilot-terraform-security-risks-before-they-hit-prod-1f6j)— dev.to - [Security Overview · copilot-workshops/copilot-terraform · GitHub](https://github.com/copilot-workshops/copilot-terraform/security)— github.com - [GitHub for Beginners: Security best practices with GitHub Copilot - The GitHub Blog](https://github.blog/ai-and-ml/github-copilot/github-for-beginners-security-best-practices-with-github-copilot/)— github.blog - [Building Better Azure Terraform Modules with GitHub Copilot Agents and Skills - Thomas Thornton Blog](https://thomasthornton.cloud/building-better-azure-terraform-modules-with-github-copilot-agents-and-skills/)— thomasthornton.cloud - [GitHub Copilot Security: Risks, Built-In Controls, and Best Practices](https://checkmarx.com/learn/ai-security/top-5-github-copilot-security-risks-9-ways-to-mitigate-them/)— checkmarx.com [Emeka Okafor](https://www.devclubhouse.com/u/emeka_okafor)· Security Editor Emeka has spent over a decade tracking threat actors, vulnerability disclosures, and the evolving landscape of application security, bringing a sharp continent-spanning perspective to his reporting. He's known for translating dense CVE advisories into clear, actionable context that developers and security teams alike actually read. ## Discussion 0 No comments yet Be the first to weigh in.