Configuring settings for GitHub Copilot coding agent

Learn how to configure settings for Copilot coding agent

In this article

Enabling or disabling built-in code quality and security validation tools

By default, Copilot coding agent checks code it generates for security issues and gets a second opinion on its code with Copilot code review. It attempts to resolve issues identified prior to completing the pull request. This improves code quality and reduces the likelihood of the code generated by Copilot coding agent introducing problems such as hardcoded secrets, insecure dependencies, and other vulnerabilities.

Optionally, you can choose to disable these tools to help Copilot work faster or avoid conflicts with other code quality or security products you're using.

You must be a repository administrator to configure these settings.

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of a repository header showing the tabs. The "Settings" tab is highlighted by a dark orange outline.

  3. In the "Code & automation" section of the sidebar, click Copilot then Coding agent.

  4. In the "Validation tools" section, toggle the tool, or tools, you want to enable or disable.

Allowing GitHub Actions workflows to run automatically when Copilot pushes

By default, GitHub Actions workflows will not run automatically when Copilot pushes changes to a pull request.

GitHub Actions workflows can be privileged and have access to sensitive secrets. Inspect the proposed changes in the pull request and ensure that you are comfortable running your workflows on the pull request branch. You should be especially alert to any proposed changes in the .github/workflows/ directory that affect workflow files.

To allow GitHub Actions workflows to run, click the Approve and run workflows button in the pull request's merge box.

Screenshot of the merge box on a pull request from Copilot with the "Approve and run workflows" button.

Optionally, you can configure Copilot coding agent to allow GitHub Actions workflows to run without human intervention.

Warning

Allowing GitHub Actions workflows to run without approval may allow unreviewed code written by Copilot to gain write access to your repository or access your GitHub Actions secrets.

You must be a repository administrator to configure these settings.

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of a repository header showing the tabs. The "Settings" tab is highlighted by a dark orange outline.

  3. In the "Code & automation" section of the sidebar, click Copilot then coding agent.

  4. In the "Actions workflow approval" section, disable the Require approval for workflow runs setting.