Get started with GitHub Copilot coding agent >
These updates transform AI from a simple autocomplete tool into a sophisticated background agent that handles end-to-end tasks. By automating code review and security checks, it reduces manual toil and ensures higher quality PRs with significantly less human intervention.
You open an issue before lunch. By the time you’re back, there’s a pull request waiting.
That’s what GitHub Copilot coding agent is built for. It works in the background, fixing bugs, adding tests, cleaning up debt, and comes back with a pull request when it’s done. While you’re writing code in your editor with Copilot in real time, the coding agent is handling the work you’ve delegated.
A few recent updates make that handoff more useful. Here’s what shipped and how to start using it.
The Agents panel now includes a model picker.
Before, every background task ran on a single default model. You couldn’t pay for a more robust model to complete harder work or prioritize speed on routine tasks.
Now you can. Use a faster model for straightforward work like adding unit tests. Upgrade your model for a gnarly refactor or integration tests with real edge cases. If you’d rather not think about it, leave it on auto.
To get started:
Model selection is available for Copilot Pro and Pro+ users now, with support for Business and Enterprise coming soon.
Learn more about model selection with Copilot coding agent. 👉
The painful part of reviewing agent output has always been the cleanup. You open the diff and there it is: logic that technically works, but nobody would write it that way.
Copilot coding agent now reviews its own changes using Copilot code review before it opens the pull request. It gets feedback, iterates, and improves the patch. By the time you’re tagged for review, someone already went through it.
In one session, the agent caught that its own string concatenation was overly complex and fixed it before the pull request landed. That kind of thing used to be your problem.
To get started:
Review the pull request when prompted. Copilot requests your review only after it has iterated.
Learn more about Copilot code review + Copilot coding agent. 👉
Just like with human-generated code, AI-generated code can introduce real risks: vulnerable patterns, secrets accidentally committed, dependencies with known CVEs. The difference is it does it faster. And you really don’t want to find that in review.
Copilot coding agent now runs code scanning, secret scanning, and dependency vulnerability checks directly inside its workflow. If a dependency has a known issue, or something looks like a committed API key, it gets flagged before the pull request opens.
Code scanning is normally part of GitHub Advanced Security. With Copilot coding agent, you get it for free.
To get started:
Learn more about security scanning in Copilot coding agent. 👉
A short prompt leaves a lot to judgment. And that judgment isn’t always consistent with how your team actually works.
Custom agents let you codify it. Create a file under .github/agents/ and define a specific approach. A performance optimizer agent, for example, can be wired to benchmark first, make the change, then measure the difference before opening a pull request.
In a recent GitHub Checkout demo, that’s exactly what happened. The agent benchmarked a lookup, made a targeted fix, and came back with a 99% improvement on that one function. Small scope, real data, no guessing.
You can share custom agents across your org or enterprise too, so the same process applies everywhere teams are using the coding agent.
To get started:
.github/agents/ in your repo.
Learn more about creating custom agents. 👉
Sometimes you start something in the cloud and want to finish it locally. Sometimes you’re deep in your terminal and want to hand something off without losing your flow. Either way, switching contexts used to mean starting the conversation over.
Now it doesn’t. Pull a cloud session into your terminal and you get the branch, the logs, and the full context. Or press & in the CLI to push work back to the cloud and keep going on your end.
To get started:
&) in the CLI to delegate work back to the cloud and keep going locally.
Learn more about Copilot coding agent + CLI handoff. 👉
Copilot coding agent has come a long way. Model selection, self-review, security scanning, custom agents, CLI handoff—and that’s just what shipped recently. The team is actively working on private mode, planning before coding, and using the agent for things that don’t even need a pull request, like summarizing issues or generating reports. There’s a lot more coming. Stay tuned.
Share feedback on what ships next in GitHub Community discussions.
The post What’s new with GitHub Copilot coding agent appeared first on The GitHub Blog.