
GitHub brings Copilot security reviews into its desktop app
GitHub's Copilot app now has a public-preview /security-review command for scanning in-flight code changes.
GitHub has added an on-demand security review command to the GitHub Copilot app, moving one of Copilot's code-checking workflows closer to the moment when developers are still shaping a change. The new /security-review slash command is shipping in public preview, according to a July 14 GitHub Changelog post.
The feature scans in-flight workstream changes from inside the Copilot app and returns high-confidence security findings, severity and confidence scores, and suggested fixes that can be applied and checked again without leaving the coding environment. GitHub says the same AI-driven vulnerability scanning was already available in Copilot CLI; the update brings it into the app interface used for day-to-day coding assistance.
What GitHub says it checks
GitHub describes the review as a lightweight complement to its existing application-security tools rather than a replacement for full repository scanning. The company says the command is tuned for common, high-impact bug classes, including injection flaws, cross-site scripting, insecure data handling, path traversal, and weak cryptography. That positioning matters because the review is aimed at local or active changes, while tools such as code scanning, Dependabot, and secret scanning continue to serve broader repository and dependency workflows.
During the preview, GitHub says the command is available to Copilot Free, Pro, Business, and Enterprise users. To try it, developers open a project in the Copilot app, make code changes, and run /security-review to scan those changes. The announcement does not claim the feature can find every vulnerability or replace human review, but it does make security feedback more immediate for teams that already rely on Copilot during implementation.
Why it matters
The release reflects a wider shift in developer tooling: security checks are increasingly being pulled forward from pull-request gates and scheduled scans into the edit loop itself. Earlier feedback can help developers fix risky patterns before code lands, which may reduce rework for security teams and reviewers. It also raises the bar for how clearly AI-assisted findings are prioritized, explained, and verified, especially in enterprise environments where false positives and noisy alerts can slow remediation.
For organizations using GitHub's security stack, the public preview is another sign that Copilot is becoming a workflow surface for remediation as well as code generation. The practical test will be whether the app-level review produces findings that developers trust enough to act on while changes are still fresh.
Sources
Cover photo by Jakub Zerdzicki on Pexels, used under the Pexels License.
CyberOGZ Team






Comments (0)
Leave a Comment