« All posts

GitHub Copilot Now Catches Vulnerabilities Before You Commit

GitHub Copilot's new slash command scans uncommitted code for OWASP vulnerabilities like injection and XSS before it ever reaches your repo.

GitHub has added a slash command to the Copilot desktop app that scans uncommitted diffs with an LLM before code ever reaches a repository. The check targets five OWASP categories — injection, XSS, weak cryptography, path traversal, and insecure data handling — and is available to every subscriber, including the Free tier, with no configuration required.

The timing follows Veracode's 2025 finding that 45% of AI-generated code introduces at least one OWASP vulnerability. GitHub is effectively the largest source of that AI-generated code and is now also shipping the tool meant to catch its own risk early. Because the scan runs locally on the developer's uncommitted diff, it acts as a fast upstream filter ahead of repo-wide, CI-bound tools like CodeQL and Dependabot, catching cheap fixes before they become expensive pull-request or production issues.

The feature has clear limits: it does not flag architectural mistakes, missing authorization checks, cross-platform UI drift, or hallucinated component APIs. There is also no native pre-commit hook yet — it's an editor-time check inside the Copilot app, not a CI gate, so teams wanting a hard commit block will need to wire that themselves.