Skip to content

Commit b9c8dc0

Browse files
jc-clarkCopilotsubatoi
authored
Copilot CLI /security-review GA (#61935)
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com>
1 parent 116ae8c commit b9c8dc0

4 files changed

Lines changed: 6 additions & 1 deletion

File tree

content/copilot/how-tos/copilot-cli/cli-best-practices.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -335,7 +335,9 @@ Pair with {% data variables.copilot.copilot_cli_short %} to develop tests.
335335

336336
### Code review assistance
337337

338+
* ``/security-review Review my current local changes for security issues. Prioritize high-severity findings and suggest remediations I can apply before opening a pull request.``
338339
* ``/review Use Opus 4.5 and Codex 5.2 to review the changes in my current branch against `main`. Focus on potential bugs and security issues.``
340+
* Triage high-severity findings first, validate your fixes, then continue through your normal pull request review workflow.
339341

340342
### Git operations
341343

content/copilot/reference/copilot-cli-reference/cli-command-reference.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -246,7 +246,7 @@ These are the slash commands you can use from within an interactive CLI session.
246246
| `/rubber-duck [PROMPT]` | Consult the rubber duck agent for a second opinion on plans, code, and tests. See [AUTOTITLE](/copilot/concepts/agents/copilot-cli/rubber-duck). |
247247
| `/sandbox [enable\|disable]` | Enable, disable, or configure OS-level sandboxing that restricts filesystem and network access for shell commands, MCP/LSP servers, and built-in file/web tools. Run `/sandbox` with no arguments to open the policy dialog. |
248248
| `/search [QUERY]`, `/find [QUERY]` | Search the conversation timeline. {% data reusables.copilot.experimental %} |
249-
| `/security-review [PROMPT]` | Run the security review agent to analyze changes for vulnerabilities. |
249+
| `/security-review [PROMPT]` | Run a focused security review of active local code changes and return prioritized vulnerability findings with remediation suggestions. This command is not a full repository security audit. |
250250
| `/session [info\|checkpoints [n]\|files\|plan\|rename [NAME]\|cleanup\|prune\|delete [ID]\|delete-all]`, `/sessions [info\|checkpoints [n]\|files\|plan\|rename [NAME]\|cleanup\|prune\|delete [ID]\|delete-all]` | Show session information and manage sessions. The `info` subcommand shows session details including the session link (when available). Subcommands: `info`, `checkpoints`, `files`, `plan`, `rename`, `cleanup`, `prune`, `delete`, `delete-all`. |
251251
| `/settings [show KEY\|KEY\|KEY VALUE]`,<br>`/config [show KEY\|KEY\|KEY VALUE]` | Open the settings editor, open it focused on a specific setting (`KEY`), set a setting inline (`KEY VALUE`), or display a setting's current value (`show KEY`). See [AUTOTITLE](/copilot/how-tos/copilot-cli/customize-copilot/change-settings). |
252252
| `/share [file\|html\|gist] [session\|research] [PATH]`, `/export [file\|html\|gist] [session\|research] [PATH]` | Share the session to a Markdown file, interactive HTML file, or {% data variables.product.github %} gist. |

content/copilot/tutorials/roll-out-at-scale/enable-developers/integrate-ai-agents.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -61,6 +61,8 @@ To meet a tight deadline, you want to speed up each stage for both developers an
6161

6262
{% data variables.product.prodname_copilot_short %} can update multiple files at once and, with the developer's authorization, run commands for actions like installing dependencies or running tests.
6363

64+
1. Before opening a pull request, the developer runs `/security-review` to identify likely vulnerabilities in active local changes and apply remediations.
65+
6466
1. The developer reviews the diff and chooses which code to keep.
6567

6668
## 3. Test with an MCP server

content/copilot/tutorials/roll-out-at-scale/govern-at-scale/maintain-codebase-standards.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -70,6 +70,7 @@ To improve the quality of {% data variables.product.prodname_copilot_short %}'s
7070
With strong guardrails in place, developers should already be enabled to use AI effectively. However, it is important to provide training on AI tools and create a culture where best practices are encouraged, rather than just enforced.
7171

7272
1. Communicate your governance settings and your company's expectations for how developers should use {% data variables.product.prodname_copilot_short %}. For example, if all agent work should be thoroughly reviewed, ensure this process is established and communicated.
73+
1. Encourage developers to run `/security-review` in {% data variables.copilot.copilot_cli_short %} before opening a pull request or requesting review. Treat this as a lightweight check, then continue with your standard pull request review process. For more information, see [AUTOTITLE](/copilot/how-tos/copilot-cli/cli-best-practices#code-review-assistance).
7374
1. Create onboarding resources such as internal documentation or videos. For a starting point, share existing resources like [AUTOTITLE](/copilot/get-started/best-practices) and [AUTOTITLE](/copilot/tutorials/copilot-cookbook).
7475
1. Offer ongoing training and support, such as workshops. In successful rollouts, many companies identify "champions" who can train others on how to use {% data variables.product.prodname_copilot_short %} effectively.
7576

0 commit comments

Comments
 (0)