GitHub Engineering

GitHub EngineeringApr 1, 2026

Run multiple agents at once with /fleet in Copilot CLI

Why it matters: /fleet significantly boosts productivity by moving from sequential to parallel AI-assisted coding. It allows engineers to automate complex, multi-file refactors and documentation tasks simultaneously, drastically reducing the time spent waiting for AI responses on large-scale changes.

The /fleet command introduces an orchestrator that decomposes complex tasks into independent work items for parallel execution by multiple subagents.
The orchestrator manages task dependencies, polling for completion of prerequisite items before dispatching subsequent waves of agents.
Users can optimize parallelization by providing structured prompts that map tasks to specific files, modules, or deliverables.
Supports custom agents defined in .github/agents/, allowing specific models and instructions for different task types like documentation or refactoring.
Includes a non-interactive mode via the --no-ask-user flag for terminal-based automation and CI/CD integration.
Real-time monitoring of background subagent activity is available through the /tasks command.

#mlp #culture

Read original

GitHub EngineeringMar 31, 2026

Agent-driven development in Copilot Applied Science

Why it matters: This article demonstrates how AI agents can automate high-level intellectual toil, not just boilerplate code. It provides a blueprint for agent-first repositories where maintaining clean architecture and documentation becomes the primary driver for massive, automated development velocity.

Automated the analysis of agent trajectories—complex JSON logs of thought processes—using a custom tool called eval-agents.
Leveraged the Copilot SDK and Model Context Protocol (MCP) servers to build agents with access to specialized tools and skills.
Adopted a 'planning before acting' prompting strategy, treating agents like senior engineers through verbose, conversational guidance.
Prioritized architectural health, including frequent refactoring and documentation, as a prerequisite for effective agent-driven contributions.
Shifted from 'trust but verify' to 'blame the process,' focusing on improving system guardrails rather than individual agent outputs.
Achieved high development velocity, creating 11 new agents and 4 skills in three days with a team of five contributors.

#mlp #culture

Read original

GitHub EngineeringMar 30, 2026

GitHub for Beginners: Getting started with GitHub security

Why it matters: Security is a shared responsibility; even small projects inherit risks from third-party dependencies. GitHub's integrated tools automate vulnerability detection and remediation, allowing developers to secure their supply chain without significant manual overhead.

GitHub Advanced Security (GHAS) provides a suite of tools including Dependabot, secret scanning, and CodeQL to automate vulnerability detection.
Secret scanning identifies leaked credentials in commits, prompting developers to revoke compromised keys and secure their infrastructure.
Dependabot monitors third-party libraries for known vulnerabilities and automatically generates pull requests for security updates.
Code scanning with CodeQL analyzes source code to find risky patterns and potential exploits during the development lifecycle.
These features are available by default for public repositories and can be enabled via the repository settings under the Security tab.

#security

Read original

GitHub EngineeringMar 26, 2026

What’s coming to our GitHub Actions 2026 security roadmap

Why it matters: CI/CD pipelines are prime targets for supply chain attacks. GitHub's roadmap moves to secure-by-design infrastructure, providing engineers with deterministic dependencies, granular policy controls, and real-time observability to protect sensitive code and credentials.

Introducing workflow-level dependency locking to ensure deterministic, auditable CI/CD runs with cryptographic commit SHA verification.
Transitioning to immutable releases for the Actions ecosystem to prevent malicious code propagation via mutable tags and branches.
Implementing policy-driven execution via GitHub rulesets to centrally manage workflow triggers and allowed event types.
Enhancing credential security with scoped, least-privileged tokens to limit the blast radius of compromised CI environments.
Deploying real-time observability through an optional agent on runners to detect suspicious processes and unauthorized network activity.
Enforcing network boundaries to restrict egress traffic, preventing data exfiltration from CI/CD runners during execution.

#security #sre

Read original

GitHub EngineeringMar 26, 2026

A year of open source vulnerability trends: CVEs, advisories, and malware

Why it matters: This report highlights that while historical vulnerability backlogs are shrinking, new security threats and malware in open source ecosystems are increasing. Engineers must remain vigilant as the volume of new advisories rises, particularly in popular ecosystems like Maven, Go, and npm.

GitHub reviewed 4,101 advisories in 2025, the lowest total since 2021, primarily due to the exhaustion of historical vulnerability backlogs.
Newly reported vulnerabilities actually increased by 19% year-over-year, showing that the rate of new security threats is still rising.
The GitHub Advisory Database now tracks over 24,000 reviewed advisories and has seen a significant surge in malware-related entries.
Maven, Composer, and Go were the most active ecosystems for security advisories in 2025, with Go seeing a 6% increase due to targeted audits.
Malware advisories have reached over 20,000 cumulative entries, highlighting a shift in the threat landscape toward malicious package injections.

#security #data

Read original

GitHub EngineeringMar 25, 2026

Updates to GitHub Copilot interaction data usage policy

Why it matters: This update changes how developer data is handled for AI training. Engineers using individual tiers must decide whether to contribute their code patterns to improve Copilot's accuracy or opt out to maintain privacy, while enterprise users remain protected by default.

Starting April 24, GitHub will use interaction data from Copilot Free, Pro, and Pro+ users for AI model training.
Copilot Business and Enterprise users are exempt from this policy change and their data will not be used for training.
Users can opt out through their GitHub privacy settings, and all previous opt-out preferences will be honored.
Collected data includes code snippets, context, repository structure, file names, and user feedback on suggestions.
Data may be shared with Microsoft but will not be shared with third-party AI model providers.
The initiative aims to improve model accuracy and security pattern suggestions using real-world developer workflows.

#mlp #data #security

Read original

GitHub EngineeringMar 24, 2026

Building AI-powered GitHub issue triage with the Copilot SDK

Why it matters: The Copilot SDK allows engineers to build custom AI tools for specific workflows. This server-side architecture pattern enables secure, scalable integration of LLMs into mobile and web apps, automating high-toil tasks like issue triage while protecting credentials.

The Copilot SDK requires a Node.js runtime and the Copilot CLI to be installed on the system PATH, necessitating a server-side integration for mobile apps.
The SDK follows a strict lifecycle of start, createSession, sendAndWait, disconnect, and stop; failing to clean up sessions causes resource leaks.
Server-side implementation ensures API tokens remain secure and allows for centralized logging and monitoring of AI requests.
The integration uses JSON-RPC to communicate between the SDK and the local Copilot CLI process.
Effective AI summaries are achieved through structured prompt engineering, feeding the model issue titles, descriptions, and labels for context.
Developers can configure specific models like GPT-4 and must handle permission requests using patterns such as approveAll.

#mobile #mlp #security

Read original

GitHub EngineeringMar 23, 2026

GitHub expands application security coverage with AI‑powered detections

Why it matters: This bridges security gaps in infrastructure-as-code and scripts that traditional static analysis misses. By integrating AI-driven detections and automated fixes into the PR workflow, engineers can resolve vulnerabilities faster and maintain high security standards without leaving their tools.

GitHub is introducing AI-powered security detections to complement CodeQL's deep semantic static analysis.
The new system expands security coverage to ecosystems like Shell/Bash, Dockerfiles, Terraform (HCL), and PHP.
Detections are integrated directly into the pull request workflow, surfacing risks like SQL injection and insecure crypto early.
Copilot Autofix provides review-ready remediation suggestions, reducing average resolution time from 1.29 hours to 0.66 hours.
Internal testing across 170,000 findings resulted in over 80% positive developer feedback.
The hybrid detection model is part of GitHub's agentic platform, aiming to evolve toward deeper AI-augmented analysis.

#security #mlp #sre

Read original

GitHub EngineeringMar 19, 2026

Rethinking open source mentorship in the AI era

Why it matters: AI is flooding open source with plausible but often shallow contributions. Engineers must adapt mentorship and review strategies using frameworks like the 3 Cs to prevent maintainer burnout and ensure the long-term sustainability of the software ecosystem.

AI-generated pull requests have significantly lowered the cost of code creation while increasing the review and debugging burden on maintainers.
Traditional signals of contributor quality, such as code cleanliness and turnaround time, are no longer reliable indicators of project understanding.
The '3 Cs' framework (Comprehension, Context, Continuity) provides a strategic lens for maintainers to filter and prioritize mentorship efforts.
Projects are adopting new policies like requiring approved issues before PR submissions and mandatory AI-usage disclosures to manage contribution volume.
The emergence of AGENTS.md allows maintainers to provide machine-readable instructions specifically for AI coding agents and LLMs.
Strategic mentorship remains the primary 'multiplier effect' for scaling open source communities and preventing maintainer burnout.

#culture #mlp

Read original

GitHub EngineeringMar 19, 2026

How Squad runs coordinated AI agents inside your repository

Why it matters: Squad simplifies multi-agent AI development by moving orchestration into the repository. By using versioned markdown for memory and independent specialist agents, it provides a transparent, scalable way to automate complex coding tasks without heavy external infrastructure.

Squad is an open-source CLI tool that initializes a preconfigured AI agent team (lead, frontend, backend, and tester) directly within a project repository.
It utilizes a 'drop-box' pattern for shared memory, where architectural decisions and project history are stored in versioned markdown files for persistence and legibility.
The system employs repository-native orchestration, using a thin coordinator to route tasks to specialists that run in parallel with independent context windows.
An internal review protocol ensures code quality by having a separate tester agent validate implementations, preventing the original author agent from reviewing its own work.
Agent identities and memories are defined by plain-text 'charters' and 'history' files stored in the .squad/ directory, making the AI's context portable and versionable.

#mlp #dist

Read original

Page 3 of 11

Prev 1 2 3 4 5...11 Next