GitHub Copilot CLI adds an experimental security review command
GitHub Copilot CLI now has an experimental /security-review command that checks local code changes for high-impact vulnerability patterns before commit.
GitHub Copilot CLI now includes /security-review, an experimental public-preview command for scanning local code changes before commit. GitHub says the command returns high-confidence findings with severity and confidence scoring, plus suggestions that stay inside the terminal workflow. It is not a replacement for GitHub code scanning, Dependabot, or secret scanning; GitHub frames it as an on-demand Copilot-driven review layer.
Key takeaways
- /security-review runs inside GitHub Copilot CLI after experimental mode is enabled.
- GitHub says it analyzes local changes and reports high-confidence security findings with severity and confidence.
- The command targets common high-impact classes such as injection flaws, cross-site scripting, insecure data handling, path traversal, and weak cryptography.
- GitHub explicitly says the scan does not rely on code scanning, Dependabot, or secret scanning.
- breaking.watch independently surfaced the GitHub changelog item in its release-note monitoring feed.
Practical LinkLoot angle
This is useful as a fast pre-commit checkpoint for developers already using Copilot CLI. Put it before pull-request creation, not after CI, so the review catches security mistakes while the diff is still small. Teams should treat it as a local assistant review: helpful for triage and habit-building, weak as a formal control unless it is paired with deterministic scanners and branch protection.
| Tool or check | Best use | Limitation | Source |
|---|---|---|---|
| Copilot CLI /security-review | Quick AI review of current local changes | Experimental public preview; not a compliance control by itself | GitHub |
| GitHub code scanning | Repository-level static analysis and alerts | Requires setup and supported analyzers | GitHub docs/product context |
| Dependabot | Dependency vulnerability alerts and update help | Does not review arbitrary local code changes | GitHub product context |
| Secret scanning | Detecting exposed tokens and credentials | Does not replace code vulnerability review | GitHub product context |
For a LinkLoot workflow, add the command to a local release checklist for risky edits: auth, file upload, webhook handling, payment callbacks, admin actions, and database query changes. Keep the output in the pull-request notes only when it found something material or changed the patch, so review comments stay useful instead of becoming ritual noise.
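One way to make the "risky edits" checklist above a habit rather than a memory exercise is a small local gate that inspects what is staged and nudges the developer toward /security-review only when the diff touches the sensitive areas named in this article. The script below is an added example for this article, not GitHub's code and not part of Copilot CLI; the path patterns, the `SECURITY_REVIEWED` environment variable and the `--gate` flag are assumptions chosen for illustration. It runs /security-review for you only in the sense of reminding you to: the command itself is interactive, so the gate stops the commit until the developer confirms the review was done.

```shell
#!/usr/bin/env sh
# Constructed example: flag staged files in risk-sensitive areas (auth, file
# upload, webhooks, payments, admin, database) and ask for a Copilot CLI
# /security-review before the commit proceeds. Patterns and the
# SECURITY_REVIEWED variable are illustrative assumptions, not GitHub's.

# risky_paths: reads newline-separated paths on stdin and prints those that
# fall into a risk category as "category<TAB>path". Paths that match no
# pattern produce no output. The first matching category wins.
risky_paths() {
  while IFS= read -r path; do
    case "$path" in
      *auth*|*login*|*session*|*password*)          printf 'auth\t%s\n' "$path" ;;
      *upload*)                                     printf 'file-upload\t%s\n' "$path" ;;
      *webhook*)                                    printf 'webhook\t%s\n' "$path" ;;
      *payment*|*billing*|*checkout*)               printf 'payment\t%s\n' "$path" ;;
      *admin*)                                      printf 'admin\t%s\n' "$path" ;;
      *.sql|*query*|*repository*|*/db/*|*/models/*) printf 'database\t%s\n' "$path" ;;
    esac
  done
}

# staged_review_gate: returns 0 when nothing sensitive is staged, or when the
# developer has confirmed the review with SECURITY_REVIEWED=1. Otherwise it
# lists the sensitive files and returns 1 so a pre-commit hook blocks.
staged_review_gate() {
  hits=$(git diff --cached --name-only --diff-filter=ACMR | risky_paths)
  if [ -z "$hits" ]; then
    echo "No risk-sensitive paths staged; no extra review required."
    return 0
  fi
  echo "Staged changes touch risk-sensitive areas (category, path):"
  printf '%s\n' "$hits" | sort -u
  if [ "${SECURITY_REVIEWED:-0}" = "1" ]; then
    echo "SECURITY_REVIEWED=1 set; proceeding with commit."
    return 0
  fi
  echo "Run /security-review in Copilot CLI on these changes, then retry with SECURITY_REVIEWED=1."
  return 1
}

# Invoke as: sh security-gate.sh --gate   (or call it from .git/hooks/pre-commit)
if [ "${1:-}" = "--gate" ]; then
  staged_review_gate
fi
```

Keeping the gate purely local matches the article's framing: it raises the odds that the AI review happens while the diff is still small, but the deterministic scanners and branch protection in CI remain the control of record.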
What to verify before you act
Check whether your Copilot CLI policy allows experimental mode. If your organization manages Copilot centrally, the command may be unavailable or subject to admin settings. Verify how findings are generated, stored, and billed before you run it on sensitive repositories, because AI-assisted review can involve code context that your security team may want documented.
Do not remove existing scanners because this command exists. GitHub says it complements code scanning, Dependabot, and secret scanning; that wording matters. Use it to catch issues earlier, then keep deterministic CI and required review gates as the source of record.
Source check
GitHub confirms the /security-review command, its public-preview status, the experimental-mode requirement, local-change focus, finding format, and vulnerability classes. breaking.watch confirms the changelog item appeared in an independent release-note monitoring feed.
It is an experimental Copilot CLI slash command that reviews local code changes for security issues before commit.
For broader tooling decisions, compare this with LinkLoot's guide to AI agent tools and keep the final merge gate anchored in repeatable checks.
