Security with GitHub Copilot
1. Security with GitHub Copilot
Welcome back! You can now write test suites, catch edge cases, and improve existing tests with Copilot. Now it's time to tackle something that's easy to overlook but impossible to ignore — security.
2. When bugs become vulnerabilities
Some bugs aren't just bugs — they're security vulnerabilities. And the tricky part? Vulnerable code often looks identical to working code. It may pass tests, reviews, and even ship to production without anyone noticing. The good news is that Copilot can act as a security reviewer, catching these issues before they ever reach your users.
3. A vulnerable function
Here's what that looks like in practice. This function fetches a user by building a query with an f-string. If that username comes from user input — say, a login form — an attacker can inject arbitrary SQL. They could bypass authentication entirely, dump the whole users table, or even delete your database. This is SQL injection, one of the most common vulnerabilities on the web.
4. Asking Copilot to review
To catch this, select the function, open the Copilot chat, and ask: "Review this code for security vulnerabilities." Copilot identifies the SQL injection risk, explains why it's dangerous, and suggests a fix.
5. Before and after
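To make the before and after concrete, here are both versions side by side as an added example (not the course's slide code and not Copilot's output): a constructed in-memory SQLite table, the f-string version, and the parameterized rewrite, with the type check and length limit that slide 8 recommends folded in. The `make_db`, `get_user_vulnerable` and `get_user_safe` names and the two sample users are assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def get_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The 'before' version: the f-string splices user input into the SQL text,
    so the database cannot tell where the query ends and the data begins."""
    query = f"SELECT id, username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def get_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """The 'after' version: a parameterized query. The ? placeholder is bound
    separately, so the driver always treats username as a literal value."""
    # Defensive validation (type check and length limit) rejects junk early.
    if not isinstance(username, str) or not 1 <= len(username) <= 64:
        raise ValueError("username must be a string of 1-64 characters")
    query = "SELECT id, username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed hostile input: a quote that closes the string plus a tautology.
    crafted = "' OR '1'='1"
    print("vulnerable:", get_user_vulnerable(db, crafted))  # every row comes back
    print("safe:      ", get_user_safe(db, crafted))        # no row matches: []
```

The same crafted username returns the whole table from the first function and nothing from the second, which is exactly the difference a reviewer is looking for.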
Here's the fix Copilot suggests. The vulnerable version drops user input straight into the SQL string, so the database can't tell what's a query and what's data. Copilot rewrites it as a parameterized query, where the input is passed as a separate argument through a placeholder. The database always treats it as a literal value, never as executable code.
6. Security prompts that work
SQL injection is just one example, but the real skill is knowing how to prompt Copilot for different security tasks. For targeted reviews, select a block of code and ask Copilot to check it for specific vulnerabilities. For a broader scan, use @workspace to search your entire codebase.
7. Running a security audit
Let's take the last approach even further. You can ask Copilot to audit your full project with a prompt like "Review this project for security vulnerabilities, focusing on OWASP Top 10." Copilot scans across files, flags potential issues, and prioritizes them by severity. It won't replace a professional security test, but as a first pass during development, it catches the most common mistakes before they ever reach a reviewer.
8. From review to prevention
So far, we've been finding and fixing issues in existing code. But what if you could prevent them in the first place? You can prompt Copilot to generate defensive code from the start, for example, by adding input validation with type checks and length limits. Instead of catching vulnerabilities after the fact, you're building security in while you write. And you can take this idea even further.
9. Bake security into every suggestion
What if Copilot applied these patterns automatically, every time it generates code? Remember the custom instructions file from the previous chapter? You can add security standards directly to your copilot-instructions.md file: rules like "use parameterized queries," "never hardcode credentials," or "validate all user input." Copilot reads these on every request, so the code it suggests is secure by default.
10. Language-specific security rules
For language-specific rules, create a separate security.instructions.md file with an applyTo block, for example, targeting all Python files with rules about the secrets module or Jinja2 escaping. With these in place, security stops being something you check for at the end and becomes part of how you write code every day.
11. Let's practice!
Now it's your turn to put these security skills into practice — let's go!