Quality assurance · Production

How GitHub's agentic security principles make AI agents as secure as possible

The problem

Agentic AI products introduce three classes of security risk: data exfiltration when agents have internet access, ambiguity around impersonation and action attribution, and prompt injection by malicious users hiding directives from repository maintainers.

Workflow diagram · grounded in source
1
User assigns issue to Copilot
trigger
“when someone assigns the Copilot coding agent to an issue”
2
Context visibility enforcement
validation
“we display the files from which context is generated and attempt to remove any invisible or masked information via Unicode or HTML tags before passing it to the agent”
3
Firewall limits external access
validation
“We apply a firewall to the Copilot coding agent to limit its ability to access potentially harmful external resources. This allows users to configure the agent's network access and block any unwanted connections. To balance security and …”
4
Sensitive information restricted
validation
“We only give Copilot information that is absolutely necessary for it to function. This means that things like CI secrets and files outside the current repository are not automatically passed to agents. Specific sensitive content, such as…”
5
Agent creates pull request
ai_action
“the Copilot coding agent is only able to create pull requests; it is not able to commit directly to a default branch”
6
Human validates and triggers CI
human_review
“Pull requests created by Copilot do not run CI automatically; a human user must validate the code and manually run GitHub Actions”
7
Action attribution recorded
output
“pull requests created by the Copilot coding agent are co-committed by the user who initiated the action. Pull requests are generated using the Copilot identity to make it clear that they were AI-generated.”
Reported outcome

GitHub built its hosted agents to maximize interpretability, minimize autonomy, and reduce anomalous behavior through a set of security rules covering context visibility, firewalling, access limitation, reversibility, action attribution, and authorized context gathering.

Reported stack
Copilot coding agentGitHub IssuesGitHub ActionsCopilot ChatMCP
Source
https://github.blog/ai-and-ml/github-copilot/how-githubs-agentic-security-principles-make-our-ai-agents-as-secure-as-possible/
Read source ↗

Frequently asked questions

What did this team achieve with this AI workflow?

GitHub built its hosted agents to maximize interpretability, minimize autonomy, and reduce anomalous behavior through a set of security rules covering context visibility, firewalling, access limitation, reversibility,…

What tools did this team use?

Copilot coding agent, GitHub Issues, GitHub Actions, Copilot Chat, MCP.

How is this quality assurance AI workflow structured?

User assigns issue to Copilot → Context visibility enforcement → Firewall limits external access → Sensitive information restricted → Agent creates pull request → Human validates and triggers CI → Action attribution recorded.