GitHub adds a REST API to audit Copilot cloud agent repository settings

GitHub Changelog
@Zachas
AI & Automation

GitHub now exposes repository-level Copilot cloud agent configuration through a REST API, giving platform teams a faster way to audit MCP settings, enabled review tools, workflow approvals, and firewall configuration.

GitHub now lets teams retrieve a repository’s Copilot cloud agent configuration through a REST API endpoint. The announcement says the endpoint can be used to audit MCP configuration, enabled review tools, Actions workflow approval settings, and firewall configuration. For teams rolling out coding agents across many repositories, the practical value is governance: you can compare agent settings without manually opening every repo.

Key takeaways

  • The new endpoint is GET /repos/{owner}/{repo}/copilot/cloud-agent/configuration.
  • GitHub’s documentation lists the endpoint as public preview, so response fields and behavior may still change.
  • The response schema covers MCP configuration, CodeQL, Copilot code review, secret scanning, dependency vulnerability checks, workflow approval requirements, firewall status, and custom allowlists.
  • The changelog positions the API as an audit path for repository-level Copilot cloud agent configuration, not as a full policy engine.

Practical LinkLoot angle

If your organization allows Copilot cloud agents in production repositories, this endpoint is most useful as a scheduled inventory check. A platform team can pull the configuration for critical repos, compare it against an expected baseline, and flag repositories where firewall settings, workflow approval, or security review tools drift away from policy.

Options compared (option, best use, limitation, source):

  • GitHub UI review. Best use: one-off repository checks. Limitation: slow for many repos. Source: GitHub changelog.
  • REST API audit. Best use: scheduled checks across repositories. Limitation: public preview; requires authentication and repo access. Source: GitHub docs.
  • Internal policy dashboard. Best use: executive or security reporting. Limitation: needs your own storage and baseline logic. Source: derived workflow.

A simple workflow is: list repositories, request each repo’s Copilot cloud agent configuration, store the returned fields with a timestamp, and alert only when a security-sensitive value changes. That keeps the automation narrow: it observes configuration drift instead of trying to rewrite settings automatically.

What to verify before you act

Check whether your GitHub plan and token scopes allow access to the endpoint before building a dashboard around it. The docs state that OAuth app tokens and classic personal access tokens need the repo scope, and the endpoint can return 401, 403, or 404 when authentication, permissions, or repository availability do not line up. Because the endpoint is marked public preview, pin your parser to the fields you actually need and log unknown fields instead of failing the whole audit.
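The drift-check workflow described above (fetch each repo's configuration, store it with a timestamp, alert only when a security-sensitive field changes) and the "pin your parser, log unknown fields" advice, as one added example. This is editorial example code, not GitHub's or LinkLoot's. The endpoint path comes from the changelog; the JSON field names (firewall_enabled, workflow_approval_required, custom_allowlist and so on) are assumptions for illustration, since the public-preview schema is not reproduced on this page, and the sample responses and baseline are constructed so the demo runs offline:

```python
"""Offline drift check for Copilot cloud agent repository configuration."""
import json
import urllib.error
import urllib.request

# Endpoint named in the GitHub changelog (public preview).
ENDPOINT = "https://api.github.com/repos/{owner}/{repo}/copilot/cloud-agent/configuration"

# Security-sensitive fields the parser is pinned to. ASSUMPTION: these key
# names are illustrative; map them to the real preview schema before use.
SECURITY_FIELDS = ("firewall_enabled", "workflow_approval_required",
                   "codeql_enabled", "secret_scanning_enabled", "custom_allowlist")


def fetch_configuration(owner, repo, token):
    """Call the live endpoint; returns (http_status, parsed_body_or_None).
    Not exercised by the offline demo; shown for the auth and error path."""
    req = urllib.request.Request(
        ENDPOINT.format(owner=owner, repo=repo),
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None


def explain_status(status):
    """Map the documented failure codes to something an operator can act on."""
    return {200: "ok",
            401: "authentication failed: token missing, expired, or malformed",
            403: "forbidden: token lacks the repo scope or access to this repo",
            404: "not found: repository unavailable or feature not enabled",
            }.get(status, f"unexpected status {status}")


def normalize(value):
    """Allowlists are order-insensitive, so compare them as sorted tuples."""
    return tuple(sorted(value)) if isinstance(value, list) else value


def extract(config):
    """Keep only the pinned fields; unknown keys are returned for logging,
    not treated as a failure, since the preview schema may grow."""
    known = {field: config.get(field) for field in SECURITY_FIELDS}
    unknown = sorted(set(config) - set(SECURITY_FIELDS))
    return known, unknown


def diff_against_baseline(repo_full_name, config, baseline):
    """Return (findings, unknown_fields): one finding per field that drifted."""
    known, unknown = extract(config)
    findings = [{"repo": repo_full_name, "field": f, "expected": want,
                 "actual": known.get(f)}
                for f, want in baseline.items()
                if normalize(known.get(f)) != normalize(want)]
    return findings, unknown


def record_snapshot(store, repo_full_name, config, observed_at):
    """Append a timestamped snapshot to `store` and return the security fields
    that changed since the previous snapshot (empty on first observation)."""
    known, _ = extract(config)
    history = store.setdefault(repo_full_name, [])
    changed = [f for f in SECURITY_FIELDS
               if history and normalize(history[-1]["fields"].get(f))
               != normalize(known.get(f))]
    history.append({"observed_at": observed_at, "fields": known})
    return changed


# Constructed sample data for the offline run (not real API output).
BASELINE = {"firewall_enabled": True, "workflow_approval_required": True,
            "secret_scanning_enabled": True,
            "custom_allowlist": ["registry.npmjs.org", "pypi.org"]}
SAMPLE_RESPONSES = {
    "acme/payments": {"firewall_enabled": True, "workflow_approval_required": True,
                      "secret_scanning_enabled": True, "codeql_enabled": True,
                      "custom_allowlist": ["pypi.org", "registry.npmjs.org"],
                      "new_preview_field": "unknown-to-us"},
    "acme/web": {"firewall_enabled": False, "workflow_approval_required": True,
                 "secret_scanning_enabled": True,
                 "custom_allowlist": ["pypi.org", "evil.example"]},
}

if __name__ == "__main__":
    for name, cfg in SAMPLE_RESPONSES.items():
        findings, unknown = diff_against_baseline(name, cfg, BASELINE)
        print(name, json.dumps(findings), "unknown fields:", unknown)
```

In a scheduled job you would replace SAMPLE_RESPONSES with the output of fetch_configuration for each repository in your inventory, check explain_status on anything that is not 200 before parsing, persist the store returned by record_snapshot, and page only on non-empty results from diff_against_baseline or record_snapshot. The audit observes and reports; it never writes settings back.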

FAQ

Which settings does the endpoint return?

GitHub’s docs list MCP configuration, enabled review tools, workflow approval settings, firewall status, recommended allowlist status, and a custom allowlist.

For more agent workflow ideas, see LinkLoot’s guide to AI agent tools.