Improvement

June 10, 2026

Dedicated security review command now available in Copilot CLI

You can now run a security review on your code changes directly from GitHub Copilot CLI. The new /security-review slash command is shipping as an experimental feature in public preview, giving you a fast, AI-driven way to catch security vulnerabilities before they reach production code.

[Screenshot: GitHub Copilot CLI running the /security-review command in a terminal]

What it does

/security-review analyzes your local code changes and returns:

  • High-confidence security findings, scored by severity and confidence.
  • Actionable suggestions you can apply without leaving the terminal.
  • A focused review that lives in your existing workflow.

The scan flags high-impact vulnerabilities across 11 categories, including: injection flaws; XSS; broken access control and path traversal; SSRF; insecure deserialization and prototype pollution; weak cryptography; hardcoded credentials; sensitive data leaks; authentication and CORS failures; security misconfigurations; supply-chain risks such as unpinned dependencies; and cross-prompt injection (XPIA) against LLM-integrated code.
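To make two of those categories concrete, here is a small added example (not code from this page or from Copilot CLI, which uses a language model rather than fixed patterns) that walks the added lines of a unified diff, such as the output of `git diff`, and flags hardcoded credentials and unpinned dependencies with a severity per finding. The sample diff, the file names, the `AKIA` access-key prefix check and the regexes are constructed for the example.

```python
"""Pattern-based review of a unified diff for two categories: hardcoded
credentials and unpinned dependencies.  Added example, not Copilot CLI's
own logic; it only shows what those two categories look like in a change."""
import re
from dataclasses import dataclass

# Constructed sample diff for the example (not from a real project): one
# added credential literal, one env-var lookup that should pass, one
# unpinned and one pinned dependency, and one removed line.
SAMPLE_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,2 +1,4 @@
 import os
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = os.environ.get("DB_PASSWORD")
 DEBUG = False
diff --git a/requirements.txt b/requirements.txt
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,2 +1,3 @@
 flask==3.0.3
+requests
+cryptography==42.0.8
-old-package==1.0
"""


@dataclass
class Finding:
    file: str
    line: int          # line number in the new version of the file
    category: str
    severity: str
    snippet: str


# Assumed patterns for this example: an AWS access key ID (AKIA + 16 chars)
# and `password = "..."`-style literals of at least 8 characters.
CREDENTIAL_PATTERNS = [
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    re.compile(r"(?i)(password|passwd|secret|api_?key|token)\w*\s*[:=]\s*[\"'][^\"']{8,}[\"']"),
]
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def is_requirements_file(path: str) -> bool:
    """True for requirements.txt, requirements-dev.txt, etc."""
    name = path.rsplit("/", 1)[-1]
    return name.startswith("requirements") and name.endswith(".txt")


def check_added_line(path: str, lineno: int, text: str) -> list[Finding]:
    """Apply both rules to one added line and return any findings."""
    findings = []
    if any(p.search(text) for p in CREDENTIAL_PATTERNS):
        findings.append(Finding(path, lineno, "hardcoded-credential", "high", text.strip()))
    if is_requirements_file(path):
        spec = text.split("#", 1)[0].strip()   # drop trailing comments
        # Skip blanks, option lines (-r, -e) and URL/VCS references (pkg @ url);
        # anything else without an exact '==' pin is unpinned.
        if spec and not spec.startswith("-") and "@" not in spec and "==" not in spec:
            findings.append(Finding(path, lineno, "unpinned-dependency", "medium", spec))
    return findings


def review_diff(diff_text: str) -> list[Finding]:
    """Walk a unified diff, tracking the current file and new-file line
    number, and check only the added ('+') lines."""
    findings: list[Finding] = []
    path, lineno = "", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):               # new-file header, e.g. '+++ b/app/config.py'
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("--- "):             # old-file header; ignore
            continue
        elif (m := HUNK_HEADER.match(raw)):
            lineno = int(m.group(1))             # first new-file line of this hunk
        elif raw.startswith("+"):
            findings.extend(check_added_line(path, lineno, raw[1:]))
            lineno += 1
        elif raw.startswith("-"):
            continue                             # removed lines do not exist in the new file
        elif raw.startswith(" "):
            lineno += 1                          # unchanged context line
    return findings


if __name__ == "__main__":
    for f in review_diff(SAMPLE_DIFF):
        print(f"{f.severity.upper():6} {f.file}:{f.line} {f.category}: {f.snippet}")
```

Run it against real changes with `git diff | python review.py` after replacing `SAMPLE_DIFF` with `sys.stdin.read()`. The point of the line-number tracking is that findings land on the new file's numbering, which is what a reviewer (or an editor integration) needs to jump to; the `-` lines are skipped rather than counted for the same reason.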

This is a Copilot-driven scan that doesn’t rely on GitHub code scanning, Dependabot, or GitHub secret scanning. It complements those tools by giving you a lightweight, on-demand way to review your changes before you commit.

This is an experimental command. To try it, turn on experimental mode in Copilot CLI, then run /security-review in any project to scan your current changes.

Join the discussion and share your feedback within the GitHub Community.

