Describe the feature or problem you'd like to solve
GitHub Copilot CLI currently lacks a dedicated command for automated security reviews. Competing tools like Claude Code have implemented /security-review commands that help developers identify vulnerabilities before committing code. Given Microsoft and GitHub's commitment to security as a top priority, GitHub Copilot CLI should provide equivalent or superior security analysis capabilities.
Proposed solution
Add a /security-review command that:
- Analyzes code for common vulnerabilities (SQL injection, XSS, authentication flaws, insecure data handling, dependency issues)
- Provides detailed explanations and remediation guidance
- Integrates seamlessly into the developer workflow
- Can be run on demand before commits from the CLI, or in CI/CD pipelines by invoking the CLI from a GitHub Action
Benefits:
- Shifts security left by catching vulnerabilities during development
- Reduces security debt and remediation costs
- Aligns with Microsoft's security-first principles 👈🏽
- Maintains feature parity with competing AI coding assistants
- Leverages Copilot's existing code understanding capabilities
Example prompts or workflows
- Pre-commit security check:
  > /security-review
  Analyzing codebase for security vulnerabilities... Found 3 potential issues in src/api/users.js
- Targeted file review:
  > /security-review src/auth/*.ts
  Reviewing authentication modules... ⚠️ Weak password validation detected in src/auth/login.ts
- Dependency vulnerability scan:
  > /security-review --dependencies
  Checking for known vulnerabilities in dependencies... Critical: lodash@4.17.20 has prototype pollution vulnerability
- Configuration review:
  > /security-review --config
  Analyzing security configurations... ℹ️ CORS policy may be too permissive in config/server.js
- Post-fix verification:
  > /security-review src/db/queries.js
  ✅ No SQL injection vulnerabilities detected
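To make the proposed `--dependencies` mode concrete, here is an added example (not code from this issue or from Copilot CLI) of the core check such a scan performs: read the `packages` map of a v2/v3 `package-lock.json`, including nested copies of a package, compare each installed version against an advisory list, and report findings in the output format shown above. The lockfile fragment and advisory entries are constructed for the example.

```javascript
// Constructed advisory list; a real scanner would pull this from an advisory database.
const ADVISORIES = [
  { name: "lodash", below: "4.17.21", severity: "Critical", title: "prototype pollution vulnerability" },
  { name: "minimist", below: "1.2.6", severity: "High", title: "prototype pollution vulnerability" },
];

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
// Pre-release suffixes (e.g. "-beta.1") are ignored for this example.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Lockfile keys look like "node_modules/a/node_modules/lodash"; the package name
// is everything after the last "node_modules/", so nested copies are not missed.
function packageName(lockKey) {
  const marker = "node_modules/";
  const idx = lockKey.lastIndexOf(marker);
  return idx === -1 ? lockKey : lockKey.slice(idx + marker.length);
}

// Returns one finding string per vulnerable installed package, with the lockfile path.
function scanLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // "" is the root project itself, not a dependency
    const name = packageName(key);
    for (const adv of ADVISORIES) {
      if (adv.name === name && entry.version && compareVersions(entry.version, adv.below) < 0) {
        findings.push(`${adv.severity}: ${name}@${entry.version} has ${adv.title} (fixed in ${adv.below}, path: ${key})`);
      }
    }
  }
  return findings;
}

// Constructed lockfile: the top-level lodash is patched, but a nested copy is not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/some-lib/node_modules/lodash": { version: "4.17.20" },
    "node_modules/minimist": { version: "1.2.8" },
  },
};
console.log(scanLockfile(SAMPLE_LOCK).join("\n"));
```

Only the nested `lodash@4.17.20` is reported, which is the case a scan that looks at top-level packages alone would miss.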
Additional context
- Competitive landscape: Claude Code already offers this feature, putting GitHub Copilot CLI at a disadvantage
- Microsoft security commitment: As part of Microsoft's Secure Future Initiative, developer tools should actively prevent security vulnerabilities. I mention this as an FTE of Microsoft, knowing this is a shared responsibility between MSFT & GitHub.
- Integration opportunity: Could integrate with GitHub Advanced Security, Dependabot, and CodeQL for comprehensive analysis
- User adoption: Security-focused commands lower barriers to secure coding practices, especially for junior developers
- Claude Release announcement: https://support.claude.com/en/articles/11932705-automated-security-reviews-in-claude-code