GitHub Copilot CLI ships /security-review command to catch vulnerabilities before commit
GitHub shipped a dedicated /security-review slash command in Copilot CLI on June 10, 2026, giving developers an on-demand LLM-driven scan of their local code changes before they commit. The command is available now as an experimental feature in public preview.
What
The new /security-review command runs entirely inside the terminal. Per GitHub's changelog entry, it analyzes the current set of local code changes and reports high-confidence security findings, each scored by severity and confidence level, together with actionable suggestions a developer can apply without leaving the terminal. The review is scoped to the changed code rather than the full repository.
GitHub stated the scan targets common, high-impact vulnerability classes. The list it published covers injection flaws, cross-site scripting, insecure data handling, path traversal, and weak cryptography. The scan runs on a Copilot model rather than routing through GitHub's existing tooling. Per the changelog, /security-review does not rely on GitHub code scanning, Dependabot, or GitHub secret scanning; it sits alongside those tools as a lightweight, on-demand layer.
To try it, a developer enables experimental mode in Copilot CLI, then runs /security-review in any project directory.
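To make the output shape and the change-scoped design concrete, here is an added example that is not GitHub's code and not a model-backed scan: a small regex-based stand-in written for this page. It parses a constructed `git diff --cached` sample, scans only the added lines for the vulnerability classes the changelog lists, and scores each finding by severity and confidence, raising confidence when the enclosing hunk also shows an untrusted input source. The rule patterns, the sample diff, and every name in the block are assumptions made for illustration.

```python
"""Heuristic, diff-scoped security triage over staged changes.

Added example: a pattern-based stand-in for the kind of pre-commit scan
described above. Not GitHub's tool; regexes, not a model. All rules,
names and the sample diff are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample of `git diff --cached` output (not taken from the page).
SAMPLE_DIFF = """\
diff --git a/app/files.py b/app/files.py
--- a/app/files.py
+++ b/app/files.py
@@ -10,2 +10,4 @@ def serve(request):
     name = request.args["name"]
-    return send(safe_path(name))
+    path = os.path.join(UPLOAD_DIR, name)
+    digest = hashlib.md5(open(path, "rb").read()).hexdigest()
+    return send(path, etag=digest)
diff --git a/app/db.py b/app/db.py
--- a/app/db.py
+++ b/app/db.py
@@ -3,2 +3,3 @@
 def lookup(conn, user):
-    return conn.execute("SELECT * FROM users WHERE name = ?", (user,))
+    query = "SELECT * FROM users WHERE name = '" + user + "'"
+    return conn.execute(query)
"""

LEVELS = ["low", "medium", "high"]

# (rule id, severity, base confidence, pattern). Confidence is raised one
# step when the hunk also contains an untrusted input source (see TAINT).
RULES = [
    ("sql-injection", "high", "medium",
     re.compile(r'(?i)\b(select|insert|update|delete)\b.*["\']\s*\+')),
    ("path-traversal", "high", "medium",
     re.compile(r'os\.path\.join\(|open\([^)]*\+')),
    ("weak-crypto", "medium", "high",
     re.compile(r'hashlib\.(md5|sha1)\(')),
    ("xss", "high", "medium",
     re.compile(r'\.innerHTML\s*=|mark_safe\(|\|\s*safe\b')),
]
TAINT = re.compile(r'request\.(args|form|values|json|files)\b|sys\.argv|\binput\(')
HUNK = re.compile(r'^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@')


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    rule: str
    severity: str
    confidence: str
    code: str


def parse_hunks(diff):
    """Return [(file, [(new_line_no, added_text)], [context + added text])].

    Only added lines are candidates for findings; unchanged context lines
    are kept as evidence for the taint heuristic. Removed lines are dropped.
    """
    hunks, file, in_hunk, line_no = [], None, False, 0
    for raw in diff.splitlines():
        if raw.startswith("diff --git"):
            in_hunk = False
        elif not in_hunk and raw.startswith("+++ "):
            file = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):
            in_hunk = True
            line_no = int(HUNK.match(raw).group(1))
            hunks.append((file, [], []))
        elif in_hunk and raw.startswith("+"):
            hunks[-1][1].append((line_no, raw[1:]))
            hunks[-1][2].append(raw[1:])
            line_no += 1
        elif in_hunk and raw.startswith("-"):
            continue  # removed code never ships; skip it entirely
        elif in_hunk:
            hunks[-1][2].append(raw[1:] if raw.startswith(" ") else raw)
            line_no += 1
    return hunks


def scan_diff(diff):
    """Run RULES over added lines only, in diff order."""
    findings = []
    for file, added, evidence in parse_hunks(diff):
        tainted = any(TAINT.search(text) for text in evidence)
        for line_no, text in added:
            for rule, severity, confidence, pattern in RULES:
                if pattern.search(text):
                    if tainted and confidence != "high":
                        confidence = LEVELS[LEVELS.index(confidence) + 1]
                    findings.append(Finding(file, line_no, rule, severity,
                                            confidence, text.strip()))
    return findings


def triage(diff):
    """Findings sorted so the highest severity/confidence items come first."""
    return sorted(scan_diff(diff),
                  key=lambda f: (-LEVELS.index(f.severity), -LEVELS.index(f.confidence)))


if __name__ == "__main__":
    for f in triage(SAMPLE_DIFF):
        print(f"{f.file}:{f.line} [{f.severity}/{f.confidence}] {f.rule}: {f.code}")
```

Two design points carry over to any change-scoped reviewer, model-backed or not: only added lines can produce findings, so the report stays proportional to the diff, but confidence is judged against the whole hunk, because the surrounding context is what tells an injection sink from a harmless string concatenation. The flip side is the limitation noted later in this article: a change whose danger lies in unchanged code elsewhere in the repository is invisible to this scope.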
Context
The command arrived one day after a related security push. On June 9, 2026, GitHub made security validation for third-party coding agents generally available. Per that changelog entry, when a third-party coding agent (including Claude and OpenAI Codex) creates code inside a repository, GitHub now automatically runs CodeQL analysis on it, checks new dependencies against the GitHub Advisory Database, and applies secret scanning to catch exposed API keys and tokens. If the analysis surfaces issues, the agent attempts to resolve them before finalizing the pull request.
GitHub said it originally launched automatic code validation for its own Copilot cloud agent in October 2025. The June 9 extension brought the same checks to third-party agents. The feature is on by default and does not require a GitHub Advanced Security license.
Why it matters
These two releases reflect a pattern GitHub is pushing hard: security checks that run at agent generation time and at pre-commit time, not only in post-merge CI. Developers using AI coding agents have no guarantee the suggested code is free of common vulnerability classes. A CLI-resident scan that runs over local changes before they are committed closes part of that gap without requiring a separate security tool or a PR-level review cycle.
The "experimental" label matters here. GitHub has not published accuracy data for the /security-review scan, and the vulnerability classes it targets (injection, XSS, insecure data handling, path traversal, weak crypto) are well-known but not exhaustive. Because the review is scoped to the changed code, a change that is only dangerous in combination with unchanged code elsewhere in the repository may pass unflagged. Developers should treat the feature as a triage layer, not a replacement for code review or repository-wide static analysis.
What to watch next
GitHub said feedback can be shared via the GitHub Community discussion thread. A graduation from experimental to general availability will depend on how the command performs across the range of languages and codebases developers throw at it. No GA timeline has been published.
Sources
- Dedicated security review command now available in Copilot CLI - GitHub Changelog, June 10, 2026
- Security validation for third-party coding agents - GitHub Changelog, June 9, 2026