From 7bdd8fc7f813dda72296cde80bfde1aea6ecd848 Mon Sep 17 00:00:00 2001
From: Jenni C <97056108+dihydroJenoxide@users.noreply.github.com>
Date: Thu, 4 Jun 2026 11:40:17 -0700
Subject: [PATCH 1/5] Adding eu models to data residency and fixing note (#61576)
---
 .../data-residency/github-copilot-with-data-residency.md | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/content/admin/data-residency/github-copilot-with-data-residency.md b/content/admin/data-residency/github-copilot-with-data-residency.md
index aabef4cdb599..a0c61806f4e7 100644
--- a/content/admin/data-residency/github-copilot-with-data-residency.md
+++ b/content/admin/data-residency/github-copilot-with-data-residency.md
@@ -40,7 +40,9 @@ The enforcement happens at multiple levels:
 ## Available AI models by region
-The models available for {% data variables.product.prodname_copilot_short %} vary by region. {% data reusables.copilot.model-compliance.models-intro %}
+The models available for {% data variables.product.prodname_copilot_short %} vary by region.
+
+{% data reusables.copilot.model-compliance.models-intro %}
 > [!NOTE] Some models listed may only be available as utility models. See [AUTOTITLE](/copilot/concepts/models/utility-models).
@@ -56,6 +58,9 @@ The models available for {% data variables.product.prodname_copilot_short %} var
 * {% data variables.copilot.copilot_gpt_52 %}
 * {% data variables.copilot.copilot_gpt_53_codex %}
 * {% data variables.copilot.copilot_gpt_54 %}
+* {% data variables.copilot.copilot_gpt_54_mini %}
+* {% data variables.copilot.copilot_gpt_54_nano %}
+* {% data variables.copilot.copilot_gpt_55 %}
 * {% data variables.copilot.copilot_claude_haiku_45 %}
 * {% data variables.copilot.copilot_claude_sonnet_45 %}
 * {% data variables.copilot.copilot_claude_opus_45 %}
From 24a46c924062c11c8eabb9f9ad09008acd5dcb9e Mon Sep 17 00:00:00 2001
From: Jenni C <97056108+dihydroJenoxide@users.noreply.github.com>
Date: Thu, 4 Jun 2026 12:17:41 -0700
Subject: [PATCH 2/5] updating spark plan availability (#61574)
Co-authored-by: Claire W <78226508+crwaters16@users.noreply.github.com>
---
 content/copilot/concepts/spark.md | 1 +
 content/copilot/tutorials/spark/build-apps-with-spark.md | 2 +-
 content/copilot/tutorials/spark/deploy-from-cli.md | 2 +-
 content/copilot/tutorials/spark/prompt-tips.md | 2 +-
 content/copilot/tutorials/spark/your-first-spark.md | 2 +-
 data/reusables/copilot/differences-cfi-cfb-table.md | 2 +-
 6 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/content/copilot/concepts/spark.md b/content/copilot/concepts/spark.md
index 852199c414ab..fdb676ac0eb9 100644
--- a/content/copilot/concepts/spark.md
+++ b/content/copilot/concepts/spark.md
@@ -4,6 +4,7 @@ shortTitle: Spark
 intro: 'Learn about building and deploying intelligent apps with natural language using {% data variables.product.prodname_spark %}.'
 versions:
 feature: spark
+product: '{% data variables.copilot.copilot_pro_plus_short %} and {% data variables.copilot.copilot_enterprise_short %}'
 contentType: concepts
 category:
 - Learn about Copilot
diff --git a/content/copilot/tutorials/spark/build-apps-with-spark.md b/content/copilot/tutorials/spark/build-apps-with-spark.md
index 081cd67acc2f..113b79c11ba0 100644
--- a/content/copilot/tutorials/spark/build-apps-with-spark.md
+++ b/content/copilot/tutorials/spark/build-apps-with-spark.md
@@ -5,7 +5,7 @@ allowTitleToDifferFromFilename: true
 intro: 'Learn how to build and deploy an intelligent web app with natural language using {% data variables.product.prodname_spark %}.'
 versions:
 feature: spark
-product: '{% data variables.copilot.copilot_pro_plus_short %}, {% data variables.copilot.copilot_max_short %}, {% data variables.copilot.copilot_enterprise_short %}'
+product: '{% data variables.copilot.copilot_pro_plus_short %}, {% data variables.copilot.copilot_enterprise_short %}'
 redirect_from:
 - /copilot/tutorials/building-ai-app-prototypes
 - /copilot/tutorials/build-apps-with-spark
diff --git a/content/copilot/tutorials/spark/deploy-from-cli.md b/content/copilot/tutorials/spark/deploy-from-cli.md
index f49af34e0a61..ff92e7d08cef 100644
--- a/content/copilot/tutorials/spark/deploy-from-cli.md
+++ b/content/copilot/tutorials/spark/deploy-from-cli.md
@@ -5,7 +5,7 @@ intro: 'Learn how to deploy your {% data variables.product.prodname_spark_short
 allowTitleToDifferFromFilename: true
 versions:
 feature: spark
-product: '{% data variables.copilot.copilot_pro_plus_short %}, {% data variables.copilot.copilot_max_short %}, {% data variables.copilot.copilot_enterprise_short %}'
+product: '{% data variables.copilot.copilot_pro_plus_short %}, {% data variables.copilot.copilot_enterprise_short %}'
 category:
 - Rapid prototyping
 - Author and optimize with Copilot
diff --git a/content/copilot/tutorials/spark/prompt-tips.md b/content/copilot/tutorials/spark/prompt-tips.md
index b23576eaa93e..8a7e9775236c 100644
--- a/content/copilot/tutorials/spark/prompt-tips.md
+++ b/content/copilot/tutorials/spark/prompt-tips.md
@@ -5,7 +5,7 @@ intro: 'Learn how to get the best results when you are describing your app idea
 allowTitleToDifferFromFilename: true
 versions:
 feature: spark
-product: 'Anyone with a {% data variables.copilot.copilot_pro_plus_short %}, {% data variables.copilot.copilot_max_short %}, or {% data variables.copilot.copilot_enterprise_short %} license can use {% data variables.product.prodname_spark_short %}.'
+product: 'Anyone with a {% data variables.copilot.copilot_pro_plus_short %}, or {% data variables.copilot.copilot_enterprise_short %} license can use {% data variables.product.prodname_spark_short %}.'
 contentType: tutorials
 category:
 - Rapid prototyping
diff --git a/content/copilot/tutorials/spark/your-first-spark.md b/content/copilot/tutorials/spark/your-first-spark.md
index b625fd73682b..9c079f23b594 100644
--- a/content/copilot/tutorials/spark/your-first-spark.md
+++ b/content/copilot/tutorials/spark/your-first-spark.md
@@ -4,7 +4,7 @@ shortTitle: Your first spark
 intro: 'Learn how to build your first {% data variables.product.prodname_spark %} app in minutes, without writing any code.'
 versions:
 feature: spark
-product: 'Anyone with a {% data variables.copilot.copilot_pro_plus_short %}, {% data variables.copilot.copilot_max_short %}, or {% data variables.copilot.copilot_enterprise_short %} license can use {% data variables.product.prodname_spark_short %}.'
+product: 'Anyone with a {% data variables.copilot.copilot_pro_plus_short %} or {% data variables.copilot.copilot_enterprise_short %} license can use {% data variables.product.prodname_spark_short %}.'
 redirect_from:
 - /copilot/tutorials/building-your-first-app-in-minutes-with-github-spark
 - /copilot/tutorials/spark/easy-apps-with-spark
diff --git a/data/reusables/copilot/differences-cfi-cfb-table.md b/data/reusables/copilot/differences-cfi-cfb-table.md
index e3ffc0adb123..b61a36b9817c 100644
--- a/data/reusables/copilot/differences-cfi-cfb-table.md
+++ b/data/reusables/copilot/differences-cfi-cfb-table.md
@@ -82,7 +82,7 @@ Each plan comes with an allowance of {% data variables.product.prodname_ai_credi
 | Audit logs | {% octicon "x" aria-label="Not included" %} | {% octicon "x" aria-label="Not included" %} | {% octicon "x" aria-label="Not included" %} |{% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
 | Content exclusion | {% octicon "x" aria-label="Not included" %} | {% octicon "x" aria-label="Not included" %} | {% octicon "x" aria-label="Not included" %} | {% octicon "x" aria-label="Not included" %} | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
 | {% data variables.copilot.copilot_cli_short %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
-| {% data variables.product.prodname_spark %} ({% data variables.release-phases.public_preview %}) | {% octicon "x" aria-label="Not included" %} | {% octicon "x" aria-label="Not included" %} | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} |
+| {% data variables.product.prodname_spark %} ({% data variables.release-phases.public_preview %}) | {% octicon "x" aria-label="Not included" %} | {% octicon "x" aria-label="Not included" %} | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} |
 {% endrowheaders %}
From 5f69fed314ec458c63ed27a1ff087896da99e54b Mon Sep 17 00:00:00 2001
From: Tim Rogers
Date: Thu, 4 Jun 2026 13:02:12 -0700
Subject: [PATCH 3/5] [2026-06-04] One-click fixes for failing Actions with Copilot cloud agent - available for Copilot Pro and Pro+ (#61428)
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
---
 .../cloud-agent/use-cloud-agent-on-github.md | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/content/copilot/how-tos/use-copilot-agents/cloud-agent/use-cloud-agent-on-github.md b/content/copilot/how-tos/use-copilot-agents/cloud-agent/use-cloud-agent-on-github.md
index 6de31ee821cd..212c0a5215b4 100644
--- a/content/copilot/how-tos/use-copilot-agents/cloud-agent/use-cloud-agent-on-github.md
+++ b/content/copilot/how-tos/use-copilot-agents/cloud-agent/use-cloud-agent-on-github.md
@@ -127,9 +127,6 @@ When creating a new repository, you can ask {% data variables.product.prodname_c
 ## Fixing a failing {% data variables.product.prodname_actions %} workflow run
-> [!NOTE]
-> This feature is only available to {% data variables.copilot.copilot_business_short %} and {% data variables.copilot.copilot_enterprise_short %} users.
 When an {% data variables.product.prodname_actions %} workflow run fails on a pull request branch, you can ask {% data variables.product.prodname_copilot_short %} to investigate and fix the failure.
 1. On {% data variables.product.github %}, navigate to the failing workflow run job page.
From c8ff1849a51e60b7f6503e9046f550715008ff30 Mon Sep 17 00:00:00 2001
From: Joe Clark <31087804+jc-clark@users.noreply.github.com>
Date: Thu, 4 Jun 2026 13:15:19 -0700
Subject: [PATCH 4/5] Migrate RAI content to application card template (#59611)
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
---
 .../responsible-use/code-quality.md | 101 -----
 .../code-security/responsible-use/index.md | 8 +-
 .../responsible-ai-generic-secrets.md | 101 -----
 .../responsible-ai-regex-generator.md | 71 ----
 .../responsible-use-autofix-code-scanning.md | 134 -------
 .../security-and-quality-ai-features.md | 296 +++++++++++++++
 .../writing-for-github-docs/templates.md | 55 +--
 content/copilot/how-tos/copilot-cli/index.md | 2 +-
 content/copilot/responsible-use/agents.md | 351 ++++++++++++++++++
 .../responsible-use/chat-in-github-mobile.md | 33 --
 .../copilot/responsible-use/chat-in-github.md | 161 --------
 .../responsible-use/chat-in-your-ide.md | 188 ----------
 content/copilot/responsible-use/chat.md | 238 ++++++++++++
 .../copilot/responsible-use/code-review.md | 96 -----
 .../copilot/responsible-use/copilot-cli.md | 175 ---------
 .../responsible-use/copilot-cloud-agent.md | 193 ----------
 .../copilot-code-completion.md | 124 -------
 .../copilot-commit-message-generation.md | 68 ----
 .../copilot-in-github-desktop.md | 71 ----
 .../copilot-in-windows-terminal.md | 102 -----
 .../copilot/responsible-use/copilot-spaces.md | 110 ------
 content/copilot/responsible-use/index.md | 20 +-
 .../responsible-use/inline-suggestions.md | 185 +++++++++
 .../responsible-use/pull-request-summaries.md | 104 ------
 content/copilot/responsible-use/spark.md | 113 ------
 .../responsible-use-of-github-models.md | 1 -
 .../about-copilot-in-github-support.md | 1 -
 .../application-card-agentic-ai-caution.md | 2 +
 ...pplication-card-consequential-decisions.md | 2 +
 ...lication-card-evaluate-legal-regulatory.md | 2 +
 ...-evaluation-data-for-quality-and-safety.md | 2 +
 .../copilot/application-card-evaluations.md | 2 +
 .../rai/copilot/application-card-intro.md | 4 +
 .../copilot/application-card-overreliance.md | 2 +
 ...ication-card-release-assessment-process.md | 2 +
 ...cation-card-risk-and-safety-evaluations.md | 10 +
 .../rai/copilot/enterprise-fpt-link.md | 1 +
 .../tests/unit/rai-app-card-structure.ts | 8 -
 38 files changed, 1127 insertions(+), 2012 deletions(-)
 delete mode 100644 content/code-security/responsible-use/code-quality.md
 delete mode 100644 content/code-security/responsible-use/responsible-ai-generic-secrets.md
 delete mode 100644 content/code-security/responsible-use/responsible-ai-regex-generator.md
 delete mode 100644 content/code-security/responsible-use/responsible-use-autofix-code-scanning.md
 create mode 100644 content/code-security/responsible-use/security-and-quality-ai-features.md
 create mode 100644 content/copilot/responsible-use/agents.md
 delete mode 100644 content/copilot/responsible-use/chat-in-github-mobile.md
 delete mode 100644 content/copilot/responsible-use/chat-in-github.md
 delete mode 100644 content/copilot/responsible-use/chat-in-your-ide.md
 create mode 100644 content/copilot/responsible-use/chat.md
 delete mode 100644 content/copilot/responsible-use/code-review.md
 delete mode 100644 content/copilot/responsible-use/copilot-cli.md
 delete mode 100644 content/copilot/responsible-use/copilot-cloud-agent.md
 delete mode 100644 content/copilot/responsible-use/copilot-code-completion.md
 delete mode 100644 content/copilot/responsible-use/copilot-commit-message-generation.md
 delete mode 100644 content/copilot/responsible-use/copilot-in-github-desktop.md
 delete mode 100644 content/copilot/responsible-use/copilot-in-windows-terminal.md
 delete mode 100644 content/copilot/responsible-use/copilot-spaces.md
 create mode 100644 content/copilot/responsible-use/inline-suggestions.md
 delete mode 100644 content/copilot/responsible-use/pull-request-summaries.md
 delete mode 100644 content/copilot/responsible-use/spark.md
 create mode 100644 data/reusables/rai/copilot/application-card-agentic-ai-caution.md
 create mode 100644 data/reusables/rai/copilot/application-card-consequential-decisions.md
 create mode 100644 data/reusables/rai/copilot/application-card-evaluate-legal-regulatory.md
 create mode 100644 data/reusables/rai/copilot/application-card-evaluation-data-for-quality-and-safety.md
 create mode 100644 data/reusables/rai/copilot/application-card-evaluations.md
 create mode 100644 data/reusables/rai/copilot/application-card-intro.md
 create mode 100644 data/reusables/rai/copilot/application-card-overreliance.md
 create mode 100644 data/reusables/rai/copilot/application-card-release-assessment-process.md
 create mode 100644 data/reusables/rai/copilot/application-card-risk-and-safety-evaluations.md
 create mode 100644 data/reusables/rai/copilot/enterprise-fpt-link.md
diff --git a/content/code-security/responsible-use/code-quality.md b/content/code-security/responsible-use/code-quality.md
deleted file mode 100644
index 3826f39f862f..000000000000
--- a/content/code-security/responsible-use/code-quality.md
+++ /dev/null
@@ -1,101 +0,0 @@
----
-title: Responsible use of GitHub Code Quality
-shortTitle: Code quality
-intro: Use {% data variables.product.prodname_code_quality %} responsibly by understanding its purposes, capabilities, and limitations.
-versions:
- feature: code-quality
-contentType: rai
-redirect_from:
- - /code-security/code-quality/responsible-use/code-quality
-category:
- - Improve code quality
----
-
-> [!NOTE]
-> {% data variables.product.prodname_code_quality %} is currently in {% data variables.release-phases.public_preview %} and subject to change.
-> During {% data variables.release-phases.public_preview %}, {% data variables.product.prodname_code_quality_short %} will not be billed, although {% data variables.product.prodname_code_quality_short %} scans will consume {% data variables.product.prodname_actions %} minutes.
-
-## About {% data variables.product.prodname_code_quality %}
-
-{% data variables.product.prodname_code_quality %} helps users improve code reliability, maintainability, and overall project health by surfacing actionable feedback and offering automatic fixes for any findings in pull requests and on the default branch.
-
-When you enable {% data variables.product.prodname_code_quality_short %}, two types of analysis run:
-
-* **{% data variables.product.prodname_codeql %} quality queries** run using {% data variables.product.prodname_code_scanning %} analysis and identify problems with the maintainability, reliability, or style of code. This runs on changed code in all pull requests against the default branch. It also runs periodically on the full default branch.
-
-* **Large Language Model (LLM)-powered analysis** provides additional insights into potential quality concerns beyond what is covered by deterministic engines like {% data variables.product.prodname_codeql %}. This runs automatically on files changed in recent pushes to the default branch.
These findings are displayed in {% data variables.product.prodname_code_quality_short %}'s **{% data variables.code-quality.recent_suggestions %}** dashboard, under the **{% data variables.product.prodname_security_and_quality_tab %}** tab of the repository.
-
-When a quality issue is detected by either type of analysis, **{% data variables.copilot.copilot_autofix_short %}** suggests a relevant fix that can be reviewed and applied by developers.
-
-On pull requests, {% data variables.product.prodname_code_quality_short %} results are displayed as comments left by the `github-code-quality` bot, which includes a suggested autofix wherever possible.
-
-## LLM-powered analysis for recent pushes
-
-After each push to the default branch, the LLM analyzes recently changed files for maintainability, reliability, and other quality issues. {% data variables.product.prodname_code_quality_short %} inspects your code and provides feedback using a combination of natural language processing and machine learning.
-
-### Input processing
-
-The code changes are combined with other relevant, contextual information to form a prompt, and that prompt is sent to a large language model.
-
-### Language model analysis
-
-The prompt is then passed through the {% data variables.product.prodname_copilot_short %} language model, which is a neural network that has been trained on a large body of text data. The language model analyzes the input prompt.
-
-### Response generation
-
-The language model generates a response based on its analysis of the input prompt. This response can take the form of natural language suggestions and code suggestions.
-
-### Output formatting
-
-The response generated by {% data variables.product.prodname_code_quality_short %} is presented to the user directly, providing code feedback linked to specific lines of specific files.
Where {% data variables.product.prodname_code_quality_short %} has provided a code suggestion, the suggestion is presented as a suggested change, which can be applied with a couple of clicks.
-
-## {% data variables.copilot.copilot_autofix %} suggestions
-
-On pull requests, {% data variables.product.prodname_code_quality_short %} results found by {% data variables.product.prodname_code_scanning %} analysis send input to the LLM. If the LLM can generate a potential fix, the `github-code-quality` bot posts a comment with a suggested change directly in the pull request.
-
-In addition, users can request autofix generation for results in the default branch.
-
-For more information on the suggestion generation process for {% data variables.copilot.copilot_autofix %}, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning).
-
-## Use case for {% data variables.product.prodname_code_quality %}
-
-The goal of {% data variables.product.prodname_code_quality %} is to:
-
-* Surface code quality issues across your repository, so developers and repository administrators can quickly identify, prioritize and report on areas of risk.
-* Accelerate remediation work by offering {% data variables.copilot.copilot_autofix_short %} suggestions for results found by scans of the default branch, as well as for findings in recent pushes to the default branch.
-* Quickly provide actionable feedback on a developer's code. On pull requests, {% data variables.product.prodname_code_quality_short %} combines information on best practices with details of the codebase and findings to suggest a potential fix to the developer.
-
-## Improving the performance of {% data variables.product.prodname_code_quality %}
-
-If you encounter any issues or limitations with suggested fixes on pull requests, we recommend that you provide feedback by using the thumbs up and thumbs down buttons on the `github-code-quality` bot's comments.
This can help {% data variables.product.github %} to improve the tool and address any concerns or limitations.
-
-## Limitations of {% data variables.product.prodname_code_quality %}
-
-### Limitations of {% data variables.product.prodname_code_quality_short %}'s LLM-powered analysis
-
-{% data variables.product.prodname_code_quality_short %}'s LLM-powered analysis uses the same underlying language model and analysis engine as {% data variables.copilot.copilot_code-review %}. Therefore, it shares similar limitations when analyzing code quality. Key considerations include:
-
-* Incomplete detection
-* False positives
-* Code suggestion accuracy
-* Potential biases
-
-For detailed information about these limitations, see [AUTOTITLE](/copilot/responsible-use/code-review).
-
-You should always review the findings surfaced by {% data variables.product.prodname_code_quality %}'s LLM-powered analysis to verify their accuracy and applicability to your codebase.
-
-### Limitations of {% data variables.copilot.copilot_autofix_short %}
-
-{% data variables.copilot.copilot_autofix_short %} for {% data variables.product.prodname_code_quality_short %} findings won't be able to generate a fix for every finding in every situation. The feature operates on a best-effort basis and is not guaranteed to succeed 100% of the time.
-
-When you review a suggestion from {% data variables.copilot.copilot_autofix_short %}, you must always consider the limitations of AI and edit the changes as needed before you accept the changes. You should always carefully review and verify {% data variables.copilot.copilot_autofix_short %} suggestions before applying them.
-
-For more information on the limitations of {% data variables.copilot.copilot_autofix_short %}, the quality of {% data variables.copilot.copilot_autofix_short %} suggestions, and the best way to mitigate its limitations, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning)
-
-## Provide feedback
-
-You can provide feedback on {% data variables.product.prodname_code_quality %} in the [community discussion](https://github.com/orgs/community/discussions/177488).
-
-## Next steps
-
-See how {% data variables.product.prodname_code_quality %} works on your default branch to surface code quality issues and help you understand your repository's code health at a glance. See [AUTOTITLE](/code-security/code-quality/get-started/quickstart).
diff --git a/content/code-security/responsible-use/index.md b/content/code-security/responsible-use/index.md
index 7b14ac4b5934..edccbd5196fb 100644
--- a/content/code-security/responsible-use/index.md
+++ b/content/code-security/responsible-use/index.md
@@ -7,11 +7,9 @@ versions:
 ghes: '*'
 ghec: '*'
 contentType: rai
-children:
- - /responsible-use-autofix-code-scanning
- - /responsible-ai-generic-secrets
- - /responsible-ai-regex-generator
- - /code-quality
 redirect_from:
 - /code-security/code-quality/responsible-use
+children:
+ - /security-and-quality-ai-features
 ---
+
diff --git a/content/code-security/responsible-use/responsible-ai-generic-secrets.md b/content/code-security/responsible-use/responsible-ai-generic-secrets.md
deleted file mode 100644
index 56fee89d126a..000000000000
--- a/content/code-security/responsible-use/responsible-ai-generic-secrets.md
+++ /dev/null
@@ -1,101 +0,0 @@
----
-title: Responsible detection of generic secrets with Copilot secret scanning
-shortTitle: Copilot secret scanning
-intro: Learn how {% data variables.secret-scanning.copilot-secret-scanning %} uses AI responsibly to scan and create alerts for unstructured secrets, such as passwords.
-allowTitleToDifferFromFilename: true
-product: '{% data reusables.rai.secret-scanning.copilot-secret-scanning-gated-feature %}'
-versions:
- feature: secret-scanning-ai-generic-secret-detection
- fpt: '*'
-redirect_from:
- - /code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning
- - /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning
- - /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/responsible-ai-generic-secrets
- - /code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets
- - /code-security/secret-scanning/copilot-secret-scanning
-contentType: rai
-category:
- - Protect your secrets
----
-
-
-
-## About {% data variables.secret-scanning.generic-secret-detection %} with {% data variables.secret-scanning.copilot-secret-scanning %}
-
-{% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.generic-secret-detection %} is an AI-powered expansion of {% data variables.product.prodname_secret_scanning %} that identifies unstructured secrets (passwords) in your source code and then generates an alert.
-
-{% data reusables.rai.secret-scanning.copilot-secret-scanning-generic-secrets-subscription-note %}
-
-{% data variables.product.prodname_GH_secret_protection %} users can already receive {% data variables.secret-scanning.alerts %} for partner or custom patterns found in their source code, but unstructured secrets are not easily discoverable.
{% data variables.secret-scanning.copilot-secret-scanning %} uses large language models (LLMs) to identify this type of secret.
-
-When a password is detected, an alert is displayed in the "Generic" list of {% data variables.product.prodname_secret_scanning %} alerts (under the **{% data variables.product.prodname_security_and_quality_tab %}** tab of the repository, organization, or enterprise), so that maintainers and security managers can review the alert and, where necessary, remove the credential or implement a fix.
-
-{% data reusables.rai.secret-scanning.generic-secret-detection-policy-note %} The feature must then be enabled for repositories and organizations.
-
-### Input processing
-
-Input is limited to text (typically code) that a user has checked into a repository. The system provides this text to the LLM along with a meta prompt asking the LLM to find passwords within the scope of the input. The user does not interact with the LLM directly.
-
-The system scans for passwords using the LLM. No additional data is collected by the system, other than what is already collected by the existing {% data variables.product.prodname_secret_scanning %} feature.
-
-### Output and display
-
-The LLM scans for strings that resemble passwords and verifies that the identified strings included in the response actually exist in the input.
-
-These detected strings are surfaced as alerts on the {% data variables.product.prodname_secret_scanning %} alerts page, but they are displayed in an additional list that is separate from regular {% data variables.secret-scanning.alerts %}. The intent is that this separate list is triaged with more scrutiny to verify the validity of the findings. Each alert notes that it was detected using AI.
{% ifversion secret-scanning-ai-generic-secret-detection %}For information on how to view alerts for generic secrets, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts).{% endif %}
-
-## Improving the performance of {% data variables.secret-scanning.generic-secret-detection %}
-
-To improve the performance of {% data variables.secret-scanning.generic-secret-detection %}, we recommend closing false positive alerts appropriately.
-
-### Verify the accuracy of alerts and close as appropriate
-
-Since {% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.generic-secret-detection %} may generate more false positives than the existing {% data variables.product.prodname_secret_scanning %} feature for partner patterns, it's important that you review the accuracy of these alerts. When you verify an alert to be a false positive, be sure to close the alert and mark the reason as "False positive" in the {% data variables.product.prodname_dotcom %} UI. The {% data variables.product.prodname_dotcom %} development team will use information on false positive volume and detection locations to improve the model. {% data variables.product.prodname_dotcom %} does not have access to the secret literals themselves.
-
-## Limitations of {% data variables.secret-scanning.generic-secret-detection %}
-
-When using {% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.generic-secret-detection %}, you should consider the following limitations.
-
-### Limited scope
-
-{% data variables.secret-scanning.generic-secret-detection-caps %} currently only looks for instances of passwords in git content. The feature does not look for other types of generic secrets, and it does not look for secrets in non-git content, such as {% data variables.product.prodname_github_issues %}.
-
-### Potential for false positive alerts
-
-{% data variables.secret-scanning.generic-secret-detection-caps %} may generate more false positive alerts when compared to the existing {% data variables.product.prodname_secret_scanning %} feature (which detects partner patterns, and which has a very low false positive rate). To mitigate this excess noise, alerts are grouped in a separate list from partner pattern alerts, and security managers and maintainers should triage each alert to verify its accuracy.
-
-### Potential for incomplete reporting
-
-{% data variables.secret-scanning.generic-secret-detection-caps %} may miss instances of credentials checked into a repository. The LLM will improve over time. You retain ultimate responsibility for ensuring the security of your code.
-
-### Limitations by design
-
-{% data variables.secret-scanning.generic-secret-detection-caps %} has the following limitations by design:
-
-* {% data variables.secret-scanning.copilot-secret-scanning %} will not detect secrets that are obviously fake or test passwords, or passwords with low entropy.
-* {% data variables.secret-scanning.copilot-secret-scanning %} will only detect a maximum of 100 passwords per push.
-* If five or more detected secrets within a single file are marked as false positive, {% data variables.secret-scanning.copilot-secret-scanning %} will stop generating new alerts for that file.
-* {% data variables.secret-scanning.copilot-secret-scanning %} does not detect secrets in generated or vendored files.
-* {% data variables.secret-scanning.copilot-secret-scanning %} does not detect secrets in encrypted files.
-* {% data variables.secret-scanning.copilot-secret-scanning %} does not detect secrets in file types: SVG, PNG, JPEG, CSV, TXT, SQL, or ITEM.
-* {% data variables.secret-scanning.copilot-secret-scanning %} does not detect secrets in test code.
{% data variables.secret-scanning.copilot-secret-scanning %} skips detections when both conditions are met:
- * The file path contains "test", "mock", or "spec", AND
- * The file extension is `.cs`, `.go`, `.java`, `.js`, `.kt`, `.php`, `.py`, `.rb`, `.scala`, `.swift`, or `.ts`.
-
-## Evaluation of {% data variables.secret-scanning.generic-secret-detection %}
-
-{% data variables.secret-scanning.generic-secret-detection-caps %} has been subject to Responsible AI Red Teaming and {% data variables.product.prodname_dotcom %} will continue to monitor the efficacy and safety of the feature over time.
-
-{% ifversion secret-scanning-ai-generic-secret-detection %}
-
-## Next steps
-
-* [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/enabling-ai-powered-generic-secret-detection)
-* [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)
-
-{% endif %}
-
-## Further reading
-
-* [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning){% ifversion ghec %}
-* [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise#enforcing-a-policy-to-manage-the-use-of-generic-secret-detection-for-secret-scanning-in-your-enterprises-repositories){% endif %}
diff --git a/content/code-security/responsible-use/responsible-ai-regex-generator.md b/content/code-security/responsible-use/responsible-ai-regex-generator.md
deleted file mode 100644
index 9d33ea47b77c..000000000000
--- a/content/code-security/responsible-use/responsible-ai-regex-generator.md
+++ /dev/null
@@ -1,71 +0,0 @@ ---- -title: Responsible generation of regular expressions with Copilot secret scanning -shortTitle: Regular expressions generator -intro: Learn about the capabilities and limitations of the {% data variables.secret-scanning.custom-pattern-regular-expression-generator %} in helping you to define custom patterns to extend the capabilities of {% data variables.product.prodname_secret_scanning %}. -product: '{% data reusables.rai.secret-scanning.copilot-secret-scanning-gated-feature %}' -allowTitleToDifferFromFilename: true -versions: - feature: secret-scanning-custom-pattern-ai-generated -redirect_from: - - /code-security/secret-scanning/about-the-regular-expression-generator-for-custom-patterns - - /code-security/secret-scanning/about-generating-regular-expressions-with-ai - - /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai - - /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/responsible-use-ai-regex-generator - - /code-security/secret-scanning/copilot-secret-scanning/responsible-use-ai-regex-generator - - /code-security/secret-scanning/copilot-secret-scanning/responsible-ai-regex-generator -contentType: rai -category: - - Protect your secrets ---- - - - -## About generating regular expressions with {% data variables.secret-scanning.copilot-secret-scanning %} - -{% data variables.product.prodname_secret_scanning_caps %} scans repositories for a predefined set of secrets from our partner program, as well as custom patterns that are user-defined. Custom patterns are formatted as regular expressions. - -{% data reusables.rai.secret-scanning.copilot-secret-scanning-expression-generator-subscription-note %} - -Regular expressions can be challenging for people to write. 
{% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.custom-pattern-regular-expression-generator %} makes it possible for you to define your custom patterns without knowledge of regular expressions. Within the existing custom pattern page, you can launch a generative AI experience where you input a text description of what pattern you would like to detect, include optional example strings that should be detected, and get matching regular expressions in return. - -### Input processing - -Users input a text description of what they would like to detect, and optional example strings that should be detected. - -### Response generation and output formatting - -{% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.custom-pattern-regular-expression-generator %} uses GPT-3.5-Turbo and the {% data variables.product.prodname_copilot %} API to generate regular expressions that match your input. - -The model returns up to three regular expressions for you to review. You can click on the regular expression to get an AI-generated plain language description of the regular expression. - -Some results may be quite similar, and some results may not find every instance of the secret that the pattern is intended to detect. It is also possible that the regular expression generator may produce results which are invalid or inappropriate. - -When you click **Use result** on a regular expression, the expression and any examples inputted will be copied over to the main custom pattern form. There, you can perform a dry run of the pattern to see how it performs across your repository or organization. For more information on how to define a custom pattern for your repository or organization, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning). 
- -## Improving performance when generating regular expressions with AI - -To enhance performance and address some of the limitations of {% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.custom-pattern-regular-expression-generator %}, there are various measures that you can adopt. For more information on the limitations of the {% data variables.secret-scanning.custom-pattern-regular-expression-generator %}, see [Limitations of generating regular expressions with AI](#limitations-of-generating-regular-expressions-with-ai). - -### Use {% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.custom-pattern-regular-expression-generator %} as a tool, not a replacement - -While the {% data variables.secret-scanning.custom-pattern-regular-expression-generator %} is a powerful tool to create custom patterns without you having to write regular expressions yourself, it is important to use it as a tool rather than a replacement for manual input. You should carefully validate the performance of the results by performing a dry run across your organization or repository. It's a good idea to run the pattern on a repository (or repositories) that are representative of the repositories in your organization. In some cases, it may be beneficial to modify a generated regular expression to more fully meet your needs. You remain ultimately responsible for any custom patterns you decide to use. - -## Limitations of generating regular expressions with AI - -Depending on factors such as your input description and examples, you may experience different levels of performance when using {% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.custom-pattern-regular-expression-generator %}. 
You need to be as specific as possible with your description, and provide different types of examples of tokens that match your pattern, to be sure that the regular expression encompasses all the patterns you want {% data variables.product.prodname_secret_scanning %} to search for. - -Also, the model used by the {% data variables.secret-scanning.custom-pattern-regular-expression-generator %} has been trained on natural language content written predominantly in English. As a result, you may notice differing performance when providing the generator with natural language input prompts in languages other than English. - -Note that {% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.custom-pattern-regular-expression-generator %} is only suitable for creating regular expressions to detect structured patterns. - -## Next steps - -* [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/generating-regular-expressions-for-custom-patterns-with-copilot-secret-scanning) -* [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning) - -## Further reading - -* [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning) -* [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning) -* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning) -* [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning) diff --git a/content/code-security/responsible-use/responsible-use-autofix-code-scanning.md b/content/code-security/responsible-use/responsible-use-autofix-code-scanning.md deleted file mode 100644 index e2bf3a9d38d1..000000000000 --- a/content/code-security/responsible-use/responsible-use-autofix-code-scanning.md +++ /dev/null 
@@ -1,134 +0,0 @@ ---- -title: Responsible use of Copilot Autofix for code scanning -shortTitle: Copilot Autofix for code scanning -intro: Learn how {% data variables.product.github %} uses AI to suggest potential fixes for {% data variables.product.prodname_code_scanning %} alerts and find out how best to mitigate limitations in the AI suggestions. -allowTitleToDifferFromFilename: true -product: '{% data reusables.rai.code-scanning.gated-feature-autofix %}' -versions: - feature: code-scanning-autofix -redirect_from: - - /code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning - - /code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning -contentType: rai -category: - - Find and fix code vulnerabilities ---- - -## About {% data variables.copilot.copilot_autofix_short %} for {% data variables.product.prodname_code_scanning %} - -{% data variables.copilot.copilot_autofix %} is an expansion of {% data variables.product.prodname_code_scanning %} that provides users with targeted recommendations to help them fix {% data variables.product.prodname_code_scanning %} alerts so they can avoid introducing new security vulnerabilities. The potential fixes are generated automatically by large language models (LLMs) using data from the codebase and from {% data variables.product.prodname_code_scanning %} analysis. {% data variables.copilot.copilot_autofix %} is available for {% data variables.product.prodname_codeql %} analysis. - -{% data reusables.rai.code-scanning.copilot-autofix-note %} - -{% data variables.copilot.copilot_autofix_short %} generates potential fixes that are relevant to the existing source code and translates the description and location of an alert into code changes that may fix the alert. 
{% data variables.copilot.copilot_autofix_short %} uses internal {% data variables.product.prodname_copilot %} APIs interfacing with the large language model {% data variables.copilot.copilot_gpt_53_codex %} from OpenAI, which has sufficient generative capabilities to produce both suggested fixes in code and explanatory text for those fixes. - -{% data variables.copilot.copilot_autofix_short %} is allowed by default and enabled for every repository using {% data variables.product.prodname_codeql %}, but you can choose to opt out and disable {% data variables.copilot.copilot_autofix_short %}. To learn how to disable {% data variables.copilot.copilot_autofix_short %} at the enterprise, organization and repository levels, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/disabling-autofix-for-code-scanning). - -In an organization's security overview dashboard, you can view the total number of code suggestions generated on open and closed pull requests in the organization for a given time period. For more information, see [AUTOTITLE](/code-security/security-overview/viewing-security-insights#autofix-suggestions). - -## Developer experience - -{% data variables.product.prodname_code_scanning_caps %} users can already see security alerts to analyze their pull requests. However, developers often have little training in secure coding so fixing these alerts requires substantial effort. They must first read and understand the alert location and description, and then use that understanding to edit the source code to fix the vulnerability. - -{% data variables.copilot.copilot_autofix_short %} lowers the barrier of entry to developers by combining information on best practices with details of the codebase and alert to suggest a potential fix to the developer. Instead of starting with a search for information about the vulnerability, the developer starts with a code suggestion that demonstrates a potential solution for their codebase. 
The developer evaluates the potential fix to determine whether it is the best solution for their codebase and to ensure that it maintains the intended behavior. - -After committing a suggested fix or modified fix, the developer should always verify that continuous integration testing (CI) for the codebase continues to pass and that the alert is shown as resolved before they merge their pull request. - -## Supported languages for {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} - -{% data variables.copilot.copilot_autofix_short %} supports fix generation for a subset of queries included in the default and security-extended {% data variables.product.prodname_codeql %} query suites for {% data variables.code-scanning.codeql_autofix_languages %}. For more information on these query suites, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites#built-in-codeql-query-suites). - -## Suggestion generation process - -When {% data variables.copilot.copilot_autofix_short %} is enabled for a repository, {% data variables.product.prodname_code_scanning %} alerts that are identified send input to the LLM. If the LLM can generate a potential fix, the fix is shown as a suggestion. - -{% data variables.product.prodname_dotcom %} sends the LLM a variety of data from the {% data variables.product.prodname_code_scanning %} analysis. For example: - -* {% data variables.product.prodname_codeql %} alert data in SARIF format. For more information, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning). -* Code from the current version of the branch. - * Short snippets of code around each source location, sink location, and any location referenced in the alert message or included on the flow path. - * First ~10 lines from each file involved in any of those locations. 
-* Help text for the {% data variables.product.prodname_codeql %} query that identified the problem. For examples, see [{% data variables.product.prodname_codeql %} query help](https://codeql.github.com/codeql-query-help/). - -Any {% data variables.copilot.copilot_autofix_short %} suggestions are generated and stored within the {% data variables.product.prodname_code_scanning %} backend. They are displayed as suggestions. No user interaction is needed beyond enabling {% data variables.product.prodname_code_scanning %} on the codebase and creating a pull request. - -The process of generating fixes does not gather or utilize any customer data beyond the scope outlined above. Therefore, the use of this feature is governed by the existing terms and conditions associated with {% data variables.product.prodname_AS %}. Moreover, data handled by {% data variables.copilot.copilot_autofix_short %} is strictly not employed for LLM training purposes. For more information on {% data variables.product.prodname_AS %} terms and conditions, see [AUTOTITLE](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#advanced-security){% ifversion fpt %}.{% else %} in the Free, Pro, & Team documentation.{% endif %} - -## Limitations and non-determinism of {% data variables.copilot.copilot_autofix_short %} - -{% data variables.copilot.copilot_autofix_short %} for {% data variables.product.prodname_code_scanning %} alerts won't be able to generate a fix for every alert in every situation. The feature operates on a best-effort basis and is not guaranteed to succeed 100% of the time. - -### When a {% data variables.copilot.copilot_autofix_short %} suggestion may not be generated - -Several factors can prevent {% data variables.copilot.copilot_autofix_short %} from successfully generating a suggested fix. - -* _Non-determinism:_ The underlying large language model is a generative model and is therefore non-deterministic. 
This means that even with the same alert and code, it might fail to produce a viable suggestion, or the suggestion might vary across attempts. -* _Problem complexity and context:_ Some security alerts, such as those that require tracing data flow across a complex, multi-file codebase or those that represent subtle logic flaws, could be difficult for the model to resolve. -* _File size:_ If the affected code is within a very large file or repository, the context provided to the LLM may be truncated. The model needs sufficient context to understand the surrounding code logic and safely apply a fix; when this context is limited, the feature will not attempt a fix. -* _Language and framework coverage:_ While {% data variables.copilot.copilot_autofix_short %} supports a growing list of languages and CodeQL alerts, it doesn't cover every possible alert type or language. - -## Quality of suggestions - -{% data variables.product.prodname_dotcom %} uses an automated test harness to continuously monitor the quality of suggestions from {% data variables.copilot.copilot_autofix_short %}. This allows us to understand how the suggestions generated by the LLM change as the model develops. - -The test harness includes a set of over 2,300 alerts from a diverse set of public repositories where the highlighted code has test coverage. Suggestions for these alerts are tested to see how good they are, that is, how much a developer would need to edit them before committing them to the codebase. For many of the test alerts, suggestions generated by the LLM could be committed as-is to fix the alert while continuing to successfully pass all the existing CI tests. - -In addition, the system is stress-tested to check for any potential harm (often referred to as red teaming), and a filtering system on the LLM helps prevent potentially harmful suggestions being displayed to users. 
- -### How GitHub tests suggestions - -We test the effectiveness of suggestions by merging all suggested changes, unedited, before running {% data variables.product.prodname_code_scanning %} and the repository's unit tests on the resulting code. - -1. Was the {% data variables.product.prodname_code_scanning %} alert fixed by the suggestion? -1. Did the fix introduce any new {% data variables.product.prodname_code_scanning %} alerts? -1. Did the fix introduce any syntax errors that {% data variables.product.prodname_code_scanning %} can detect? -1. Has the fix changed the output of any of the repository tests? - -In addition, we spot check many of the successful suggestions and verify that they fix the alert without introducing new problems. When one or more of these checks failed, our manual triage showed that in many cases the proposed fix was nearly correct but needed some minor modifications that a user could identify and manually perform. - -### Effectiveness on other projects - -The test set contains a broad range of different types of projects and alerts. We predict that suggestions for other projects using languages supported by {% data variables.copilot.copilot_autofix_short %} should follow a similar pattern. - -* {% data variables.copilot.copilot_autofix_short %} is likely to add a code suggestion to the majority of alerts. -* When developers evaluate the suggestions we expect that the majority of fixes can be committed without editing or with minor updates to reflect the wider context of the code. -* A small percentage of suggested fixes will reflect a significant misunderstanding of the codebase or the vulnerability. - -However, each project and codebase is unique, so developers may need to edit a larger percentage of suggested fixes before committing them. 
{% data variables.copilot.copilot_autofix_short %} provides valuable information to help you resolve {% data variables.product.prodname_code_scanning %} alerts, but ultimately it remains your responsibility to evaluate the proposed change and ensure the security and accuracy of your code. - -> [!NOTE] -> Fix generation for supported languages is subject to LLM operational capacity. In addition, each suggested fix is tested before it is added to a pull request. If no suggestion is available, or if the suggested fix fails internal testing, then no suggestion is displayed. - -## Limitations of suggestions - -When you review a suggestion from {% data variables.copilot.copilot_autofix_short %}, you must always consider the limitations of AI and edit the changes as needed before you accept the changes. You should also consider updating the CI testing and dependency management for a repository before enabling {% data variables.copilot.copilot_autofix_short %} for {% data variables.product.prodname_code_scanning %}. For more information, see [Mitigating the limitations of suggestions](#mitigating-the-limitations-of-suggestions). - -### Limitations of code suggestions - -* _Human languages:_ The system primarily uses English data, including the prompts sent to the system, the code seen by the LLMs in their datasets, and the test cases used for internal evaluation. Suggestions generated by the LLM may have a lower success rate for source code and comments written in other languages and using other character sets. -* _Syntax errors:_ The system may suggest fixes that are not syntactically correct code changes, so it is important to run syntax checks on pull requests. -* _Location errors:_ The system may suggest fixes that are syntactically correct code but are suggested at the incorrect location, which means that if a user accepts a fix without editing the location they will introduce a syntax error. 
-* _Semantic errors_: The system may suggest fixes that are syntactically valid but that change the semantics of the program. The system has no understanding of the programmer or codebase’s intent in how the code should behave. Having good test coverage helps developers verify that a fix does not change the behavior of the codebase. -* _Security vulnerabilities and misleading fixes:_ The system may suggest fixes that fail to remediate the underlying security vulnerability and/or introduce new security vulnerabilities. -* _Partial fixes:_ The system may suggest fixes that only partially address the security vulnerability, or only partially preserve the intended code functionality. The system sees only a small subset of the code in the codebase and does not always produce globally optimal or correct solutions. - -### Limitations of dependency suggestions - -Sometimes a suggested fix includes a change in the dependencies of the codebase. If you use a dependency management system, any changes will be highlighted automatically for the developer to review. Before merging a pull request always verify that any dependency changes are secure and maintain the intended behavior of the codebase. - -* _New or updated dependencies:_ The system may suggest adding or updating software dependencies as part of a suggested fix. For example, by suggesting changing the `package.json` file for JavaScript projects to add dependencies from npm. -* _Unsupported or insecure dependencies:_ The system does not know which versions of an existing dependency are supported or secure. -* _Fabricated dependencies:_ The system has incomplete knowledge of the dependencies published in the wider ecosystem. This can lead to suggestions that add a new dependency on malicious software that attackers have published under a statistically probable dependency name. 
- -## Mitigating the limitations of suggestions - -The best way to mitigate the limitations of suggestions from {% data variables.copilot.copilot_autofix_short %} is to follow best practices. For example, using CI testing of pull requests to verify functional requirements are unaffected and using dependency management solutions, such as the dependency review API and action. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review). - -It is important to remember that the author of a pull request retains responsibility for how they respond to review comments and suggested code changes, whether proposed by colleagues or automated tools. Developers should always look at suggestions for code changes critically. If needed, they should edit the suggested changes to ensure that the resulting code and application are correct, secure, meet performance criteria, and satisfy all other functional and non-functional requirements for the application. - -## Next steps - -* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts) -* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests#working-with-autofix-suggestions-for-alerts-on-a-pull-request) -* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts#generating-suggested-fixes-for-code-scanning-alerts) -* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/disabling-autofix-for-code-scanning) diff --git a/content/code-security/responsible-use/security-and-quality-ai-features.md b/content/code-security/responsible-use/security-and-quality-ai-features.md new file mode 100644 index 000000000000..15c8d7188447 --- /dev/null +++ b/content/code-security/responsible-use/security-and-quality-ai-features.md 
@@ -0,0 +1,296 @@ +--- +title: 'Application card: GitHub security and quality AI features' +shortTitle: Security and quality AI features +intro: Use GitHub's AI-powered code security and code quality features responsibly by understanding their purposes, capabilities, and limitations. +versions: + fpt: '*' + ghec: '*' +redirect_from: + - /code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning + - /code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning + - /code-security/responsible-use/responsible-use-autofix-code-scanning + - /code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning + - /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning + - /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/responsible-ai-generic-secrets + - /code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets + - /code-security/secret-scanning/copilot-secret-scanning + - /code-security/responsible-use/responsible-ai-generic-secrets + - /code-security/secret-scanning/about-the-regular-expression-generator-for-custom-patterns + - /code-security/secret-scanning/about-generating-regular-expressions-with-ai + - /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai + - /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/responsible-use-ai-regex-generator + - /code-security/secret-scanning/copilot-secret-scanning/responsible-use-ai-regex-generator + - /code-security/secret-scanning/copilot-secret-scanning/responsible-ai-regex-generator + - /code-security/responsible-use/responsible-ai-regex-generator + - 
/code-security/code-quality/responsible-use/code-quality + - /code-security/responsible-use/code-quality +contentType: rai +category: + - Responsible use +--- + +## What is an Application Card? + +{% data reusables.rai.copilot.application-card-intro %} + +## 1. Overview + +GitHub's security and quality platform includes several AI-powered capabilities that help developers find and fix security vulnerabilities, detect leaked secrets, and improve code quality. This application card covers the following experiences: + +* **Copilot Autofix for code scanning**: Automatically generates fix suggestions for CodeQL alerts on pull requests and the default branch. +* **Generic secret detection**: Uses a model to identify unstructured secrets in source code that deterministic pattern matching cannot find. +* **Custom pattern regex generator**: Uses AI to generate regular expressions for custom secret scanning patterns from natural language descriptions. +* **GitHub Code Quality**: Surfaces code quality issues and offers LLM-powered fix suggestions on pull requests and the default branch. + +Copilot Autofix is an expansion of code scanning that provides users with targeted recommendations to help them fix code scanning alerts, avoiding the introduction of new security vulnerabilities. Potential fixes are generated automatically by large language models (LLMs) using data from the codebase and from code scanning analysis. Copilot Autofix is available for CodeQL analysis and does not require a GitHub Copilot subscription. + +Code scanning users can already see security alerts on their pull requests. However, developers often have little training in secure coding, so fixing these alerts requires substantial effort. Copilot Autofix lowers the barrier of entry by combining information on best practices with details of the codebase and alert to suggest a potential fix. 
Instead of starting with a search for information about the vulnerability, the developer starts with a code suggestion that demonstrates a potential solution for their codebase. The developer evaluates the potential fix to determine whether it is the best solution for their codebase and to ensure that it maintains the intended behavior. + +Secret scanning's generic secret detection is an AI-powered expansion of secret scanning that identifies unstructured secrets in source code or other GitHub surfaces and generates an alert. GitHub Secret Protection and GitHub Advanced Security users can already receive secret scanning alerts for partner or custom patterns found in their source code, but unstructured secrets are not easily discoverable. Secret scanning uses models to identify these secrets. When a finding is detected, an alert is displayed in the "Generic" list of secret scanning alerts (under the **{% octicon "shield" aria-hidden="true" aria-label="shield" %} {% ifversion security-and-quality-tab %}Security and quality{% else %}Security{% endif %}** tab of the repository, organization, or enterprise), so that maintainers and security managers can review the alert and, where necessary, remove the credential or implement a fix. Generic secret detection does not require a GitHub Copilot subscription. + +Secret scanning's custom pattern regular expression generator makes it possible to define custom secret scanning patterns without knowledge of regular expressions. Users input a natural language description of what they want to detect, along with optional example strings, and the generator produces up to three candidate regular expressions. These patterns can then be validated via the dry-run mechanism before being deployed as custom patterns. The regular expression generator does not require a GitHub Copilot subscription. 
+ +GitHub Code Quality helps users improve code reliability, maintainability, and overall project health by surfacing actionable feedback and offering automatic fixes for findings in pull requests and on the default branch. When Code Quality is enabled, two types of analysis run: CodeQL quality queries identify problems with the maintainability, reliability, or style of code, and LLM-powered analysis provides additional insights beyond what deterministic engines can find. When a quality issue is detected, Copilot Autofix suggests a relevant fix. On pull requests, results are displayed as comments left by the `github-code-quality` bot. On the default branch, LLM-powered findings are displayed in the **AI findings** dashboard under the **{% octicon "shield" aria-hidden="true" aria-label="shield" %} {% ifversion security-and-quality-tab %}Security and quality{% else %}Security{% endif %}** tab. + +The primary supported language for GitHub Code Security AI features is English. + +## 2. Key terms + +The following list provides a glossary of key terms related to GitHub Code Security AI features: + +* **CodeQL**: GitHub's semantic code analysis engine for identifying security vulnerabilities in source code. +* **Copilot Autofix**: GitHub's LLM-powered feature that automatically generates fix suggestions for code scanning alerts. Copilot Autofix is available for CodeQL analysis and does not require a GitHub Copilot subscription. +* **Large language model (LLM)**: A type of neural network trained on a large body of text data that can generate, analyze, and transform natural language and code. Copilot Autofix uses one or more LLMs to process code scanning alerts and produce fix suggestions. +* **AI detection for secret scanning**: AI-powered capabilities that extend secret scanning, including generic secret detection. Does not require a GitHub Copilot subscription. 
+* **Generic secret detection**: AI identification of unstructured secrets (such as passwords) that are not covered by partner or custom patterns. Generic secret detection uses models to scan for password-like strings in source code. +* **Custom pattern**: A user-defined regular expression used by secret scanning to detect secrets that match a specific format. The custom pattern regular expression generator helps create these patterns from natural language descriptions. +* **SARIF**: Static Analysis Results Interchange Format—the standard format CodeQL uses to report code scanning findings, including alert locations and descriptions. +* **GitHub Code Quality**: A feature that surfaces code quality issues and offers LLM-powered fixes. Code Quality combines CodeQL quality queries with LLM-powered analysis to identify maintainability, reliability, and style issues. +* **AI findings**: The dashboard under the **{% octicon "shield" aria-hidden="true" aria-label="shield" %} {% ifversion security-and-quality-tab %}Security and quality{% else %}Security{% endif %}** tab where LLM-powered Code Quality findings for the default branch are displayed. + +## 3. Key features or capabilities + +The key features and capabilities outlined here describe what GitHub Code Security AI features are designed to do and how they perform across supported tasks. + +* **Automated fix suggestions for security alerts**: Copilot Autofix automatically generates code change suggestions for CodeQL alerts found on pull requests and on the default branch. Each suggestion includes both the proposed code change and a natural language explanation of the fix. +* **Alert-to-fix translation**: Copilot Autofix translates the description and location of a code scanning alert into actionable code changes that may resolve the underlying security vulnerability. The system uses CodeQL alert data in SARIF format, surrounding code snippets, and query help text to generate relevant fixes. 
+* **Multi-language support**: Copilot Autofix supports fix generation for a subset of queries included in the default and security-extended CodeQL query suites for C#, C/C++, Go, Java/Kotlin, Swift, JavaScript/TypeScript, Python, Ruby, and Rust. For more information on these query suites, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites#built-in-codeql-query-suites). +* **AI-powered password detection**: Secret scanning's generic secret detection scans repository content using AI to identify unstructured secrets (like passwords) that deterministic pattern matching cannot find. Detected secrets are surfaced as alerts in the secret scanning alert list under the **{% octicon "shield" aria-hidden="true" aria-label="shield" %} {% ifversion security-and-quality-tab %}Security and quality{% else %}Security{% endif %}** tab. +* **AI-powered regular expression generation**: Secret scanning's regular expression generator takes a natural language description of the pattern you want to detect, along with optional example strings, and produces up to three candidate regular expressions. Each result includes an AI-generated plain language description, and you can validate patterns via a dry run before deployment. +* **Code quality issue detection**: GitHub Code Quality runs CodeQL quality queries on changed code in pull requests and periodically on the full default branch. These queries identify maintainability, reliability, and style issues. +* **LLM-powered code quality analysis**: After each push to the default branch, an LLM analyzes recently changed files for quality issues beyond what deterministic engines can find. Findings are displayed in the **AI findings** dashboard. +* **Automated fix suggestions for quality findings**: When a quality issue is detected by either type of analysis, Copilot Autofix generates a fix suggestion. 
On pull requests, the `github-code-quality` bot posts a comment with the suggested change. + +## 4. Intended uses + +GitHub Code Security AI features can be used in multiple scenarios across a variety of industries. Some examples of use cases include: + +* **Accelerating remediation of security vulnerabilities**: Use Copilot Autofix to quickly generate fix suggestions for CodeQL alerts, reducing the time and expertise required to address security issues found during code scanning. +* **Reducing the barrier to secure coding**: Copilot Autofix helps developers with limited secure-coding training. Instead of researching vulnerabilities independently, developers start with a code suggestion that demonstrates a potential solution for their codebase. +* **Streamlining pull request review**: When code scanning finds alerts on a pull request, Copilot Autofix provides suggested fixes inline, helping developers resolve security issues before merging. +* **Fixing alerts on the default branch**: Copilot Autofix can also generate fix suggestions for existing alerts on the default branch, helping teams reduce their backlog of security findings. +* **Detecting leaked passwords in source code**: Use generic secret detection to find unstructured secrets in repositories that fall outside the coverage of partner and custom secret scanning patterns. +* **Triaging credentials with contextual alerts**: When a password is detected, an alert with AI-detection context is displayed in the alerts list, enabling maintainers and security managers to review the finding and take action. +* **Creating custom secret scanning patterns without regex expertise**: Use the regular expression generator to define custom patterns by describing what you want to detect in natural language, removing the need to write regular expressions manually. 
+* **Validating generated patterns before deployment**: After generating regular expressions, use the dry-run mechanism to test patterns across your repository or organization before deploying them as custom patterns. +* **Surfacing code quality issues across a repository**: Use GitHub Code Quality to identify maintainability, reliability, and style issues so developers and administrators can quickly prioritize areas of risk. +* **Accelerating remediation of code quality findings**: Copilot Autofix suggests fixes for quality findings, combining information on best practices with details of the codebase to propose a potential fix directly on the pull request or in the AI findings dashboard. +* **Providing actionable feedback on pull requests**: The `github-code-quality` bot posts comments with suggested fixes on pull requests, helping developers address quality issues before merging. + +## 5. Models and training data + +Copilot Autofix uses internal GitHub Copilot APIs interfacing with the large language models, which produce both suggested fixes in code and explanatory text for those fixes. + +Generic secret detection uses models to scan for unstructured secrets. + +The custom pattern regular expression generator uses LLMs and the GitHub Copilot API to generate regular expressions that match user-provided descriptions and examples. + +GitHub Code Quality's LLM-powered analysis uses Copilot language models to analyze recently changed files for quality issues. The CodeQL quality queries component does not use an LLM. Copilot Autofix for Code Quality findings uses the same LLM pipeline as Copilot Autofix for code scanning. + +For a comparison of the models available for Copilot, see [AUTOTITLE](/copilot/reference/ai-models/model-comparison). For the full list of supported models, see [AUTOTITLE](/copilot/reference/ai-models/supported-models). For information on where models are hosted, see [AUTOTITLE](/copilot/reference/ai-models/model-hosting). 
To learn more about the data used to train the foundation models behind GitHub security and quality, see [What data has GitHub Copilot been trained on?](https://github.com/features/copilot#faq) in the GitHub Copilot FAQ. + +Data handled by Copilot Autofix is not employed for LLM training purposes. The use of this feature is governed by the existing terms and conditions associated with GitHub Advanced Security. For more information, see [AUTOTITLE](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#advanced-security){% ifversion fpt %}.{% else %} in the Free, Pro, & Team documentation.{% endif %} + +## 6. Performance + +When Copilot Autofix is enabled for a repository, code scanning alerts are processed through the following pipeline: + +1. **Input processing**: When a code scanning alert is identified, GitHub assembles the relevant data into a prompt for the language model. This data includes: + * CodeQL alert data in SARIF format + * Code from the current version of the branch, including short snippets around each source location, sink location, and any location referenced in the alert message or flow path + * The first ~10 lines from each file involved in any of those locations + * Help text for the CodeQL query that identified the problem +1. **Language model analysis**: The assembled prompt is sent to the language model, which analyzes the alert context, code structure, and query help information. +1. **Response generation**: The model generates a potential fix, including both the proposed code change and an explanatory text describing the fix. +1. **Output formatting**: The suggestion is stored within the code scanning backend and displayed as an inline suggestion on the pull request or alert detail page. No user interaction is needed beyond enabling code scanning on the codebase and creating a pull request. 
+ +### Differences by experience + +**AI secret detection** processes input and produces output as follows: + +1. **Input processing**: Input is limited to text (typically code) that a user has checked into a repository. The system provides this text to the model along with a meta prompt asking the model to find unstructured secrets within the scope of the input. The user does not interact with the model directly. Multiple models may be used to validate a single finding. +1. **Model analysis**: The model scans for strings that resemble unstructured secrets like passwords. +1. **Response generation**: The model verifies that the identified strings included in the response actually exist in the input. +1. **Output formatting**: Detected strings are surfaced as alerts on the secret scanning alerts page in a separate list from regular secret scanning alerts. Each alert notes that it was detected using AI.{% ifversion secret-scanning-ai-generic-secret-detection %} For information on how to view alerts for generic secrets, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts).{% endif %} + +**Custom pattern regex generator** processes input and produces output as follows: + +1. **Input processing**: Users input a natural language text description of the pattern they want to detect, along with optional example strings that should be matched. +1. **Language model analysis**: The description and examples are sent to the LLM via the GitHub Copilot API, which generates regular expressions matching the input. +1. **Response generation**: The model returns up to three candidate regular expressions. Each result includes an AI-generated plain language description. Some results may be quite similar, and some may not match every instance of the intended pattern. +1. **Output formatting**: Results are displayed in the custom pattern definition form. 
When you click **Use result**, the expression and any examples are copied to the main custom pattern form, where you can perform a dry run to validate the pattern across your repository or organization. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning). + +**GitHub Code Quality LLM-powered analysis** processes input and produces output as follows: + +1. **Input processing**: After each push to the default branch, recently changed files are combined with other relevant contextual information to form a prompt. The prompt is sent to a Copilot language model. +1. **Language model analysis**: The language model analyzes the code for maintainability, reliability, and other quality issues. +1. **Response generation**: The model generates a response that can include natural language suggestions and code suggestions linked to specific lines. +1. **Output formatting**: Findings are displayed in the **AI findings** dashboard under the **{% octicon "shield" aria-hidden="true" aria-label="shield" %} {% ifversion security-and-quality-tab %}Security and quality{% else %}Security{% endif %}** tab. Where Code Quality provides a code suggestion, it is presented as a suggested change that can be applied with a couple of clicks. + +**Copilot Autofix for Code Quality findings** on pull requests: + +1. **Input processing**: Code quality findings from CodeQL analysis on a pull request are sent to the LLM along with surrounding code context. +1. **Language model analysis**: The LLM analyzes the finding and generates a potential fix. +1. **Response generation**: If the LLM can generate a fix, it produces a suggested code change. +1. **Output formatting**: The `github-code-quality` bot posts a comment on the pull request with the suggested change. Users can also request autofix generation for results on the default branch. + +## 7. 
Limitations + +Understanding GitHub Code Security AI features' limitations is crucial to determine if it is used within safe and effective boundaries. While we encourage customers to leverage GitHub Code Security AI features in their innovative solutions or applications, it's important to note that GitHub Code Security AI features was not designed for every possible scenario. We encourage users to refer to [AUTOTITLE](/free-pro-team@latest/site-policy/github-terms) as well as the following considerations when choosing a use case: + +* **Non-determinism**: Copilot Autofix uses a generative model that is non-deterministic. Even with the same alert and code, it might fail to produce a viable suggestion, or the suggestion might vary across attempts. +* **Problem complexity and context**: Some security alerts—such as those that require tracing data flow across a complex, multi-file codebase, or those that represent subtle logic flaws—could be difficult for the model to resolve. +* **File size**: If the affected code is within a very large file or repository, the context provided to the LLM may be truncated. When the context is limited, the feature will not attempt a fix. +* **Language and framework coverage**: While Copilot Autofix supports a growing list of languages and CodeQL alerts, it doesn't cover every possible alert type or language. +* **LLM operational capacity**: Fix generation is subject to LLM operational capacity. If no suggestion is available, or if a suggested fix fails internal testing, no suggestion is displayed. +* **English-centric data**: The system primarily uses English data, including the prompts, the code in the LLM's training datasets, and the test cases used for internal evaluation. Suggestions may have a lower success rate for source code and comments in other languages. +* **Syntax errors**: The system may suggest fixes that are not syntactically correct code changes. 
+* **Location errors**: The system may suggest fixes at incorrect locations. Accepting such a fix without editing the location may introduce a syntax error. +* **Semantic errors**: The system may suggest fixes that are syntactically valid but change the semantics of the program. The system has no understanding of the programmer's intent. +* **Security vulnerabilities and misleading fixes**: The system may suggest fixes that fail to remediate the underlying vulnerability or introduce new vulnerabilities. +* **Partial fixes**: The system may suggest fixes that only partially address the security vulnerability or only partially preserve intended code functionality. +* **Dependency changes**: Suggested fixes may include adding or updating software dependencies. The system does not know which dependency versions are supported or secure, and may suggest fabricated dependencies published under statistically probable names. Always verify dependency changes before merging. + +### Limitations specific to AI secret detection + +* **Incomplete reporting**: AI secret detection may miss instances of credentials checked into a repository. AI detection for secrets will improve over time. You retain ultimate responsibility for ensuring the security of your code. +* **Test code**: AI secret detection may not detect secrets in test code. Secret scanning skips detections when certain conditions are met, such as: + * The file path contains "test", "mock", or "spec" + * The file extension is `.cs`, `.go`, `.java`, `.js`, `.kt`, `.php`, `.py`, `.rb`, `.scala`, `.swift`, or `.ts`. + +### Limitations specific to the custom pattern regex generator + +* **Incomplete pattern coverage**: Generated regular expressions may not match all intended tokens. The quality of results depends on the specificity and clarity of the input description. +* **Invalid or inappropriate results**: The generator may produce regular expressions that are invalid or inappropriate for the intended use case. 
+* **Structured patterns only**: The regular expression generator is only suitable for creating patterns to detect structured, predictable formats—not free-form text matching. +* **English-centric performance**: The model was trained predominantly on English-language content. Performance may be lower when providing natural language input prompts in languages other than English. +* **Similar results**: Some of the returned regular expressions may be quite similar to each other, reducing the effective number of distinct candidate patterns. + +### Limitations specific to GitHub Code Quality + +* **Shared limitations with Copilot code review**: Code Quality's LLM-powered analysis uses the same underlying language model and analysis engine as Copilot code review. It shares similar limitations, including incomplete detection, false positives, code suggestion accuracy, and potential biases. For more information, see [AUTOTITLE](/copilot/responsible-use/code-review). +* **Best-effort autofix**: Copilot Autofix for Code Quality findings operates on a best-effort basis and is not guaranteed to generate a fix for every finding. +* **Review required**: You must always review suggestions from Copilot Autofix and edit changes as needed before accepting them. + +## 8. Evaluations + +{% data reusables.rai.copilot.application-card-evaluations %} + +### Performance and quality evaluations + +GitHub Security AI features are evaluated across its supported surfaces using a combination of industry-standard benchmarks (e.g., SWE-Bench) and internally developed evaluation suites. Benchmark tasks are sourced from public open-source repositories and synthetic scenarios; no real user queries or customer code are used without permission. Each evaluation includes multiple independent runs to account for nondeterminism in model outputs. Key metrics include resolution rate (percentage of tasks successfully completed), token efficiency, latency, and tool call reliability. 
Models are re-evaluated when updates are made and monitored continuously in production via error rates, response latency, and aggregate usage patterns. + +### Performance and quality evaluation methods + +New models undergo a staged evaluation process before deployment to Code Security, Code Quality, and Secret Protection. Integrator teams run benchmark suites specific to their surface, testing the model on representative coding tasks such as bug fixes, code generation, and multi-file refactoring. Results are reviewed against established baselines and existing production models. Models must meet or exceed baseline performance across key metrics like resolution rate, token efficiency, and latency, before advancing to the next stage. + +### Risk and safety evaluations + +{% data reusables.rai.copilot.application-card-risk-and-safety-evaluations %} + +### Evaluation data for quality and safety + +{% data reusables.rai.copilot.application-card-evaluation-data-for-quality-and-safety %} + +### Custom evaluations + +GitHub uses an automated test harness to continuously monitor the quality of Copilot Autofix suggestions. The test harness includes a set of over 2,300 alerts from a diverse set of public repositories where the highlighted code has test coverage. Suggestions for these alerts are tested to determine how much a developer would need to edit them before committing them to the codebase. For many of the test alerts, suggestions generated by the LLM could be committed as-is to fix the alert while continuing to successfully pass all existing CI tests. + +GitHub tests the effectiveness of suggestions by merging all suggested changes, unedited, before running code scanning and the repository's unit tests on the resulting code: + +1. Was the code scanning alert fixed by the suggestion? +1. Did the fix introduce any new code scanning alerts? +1. Did the fix introduce any syntax errors that code scanning can detect? +1. 
Has the fix changed the output of any of the repository tests? + +In addition, GitHub spot-checks many successful suggestions and verifies that they fix the alert without introducing new problems. When one or more of these checks fail, manual triage showed that in many cases the proposed fix was nearly correct but needed some minor modifications that a user could identify and manually perform. + +The system is also stress-tested to check for potential harm (red teaming), and a filtering system on the LLM helps prevent potentially harmful suggestions from being displayed to users. + +AI secret detection has been subject to Responsible AI Red Teaming and GitHub continues to monitor the efficacy and safety of the feature over time. + +Custom pattern regex generator results are validated through the dry-run mechanism, which allows users to test generated patterns across their repository or organization before deploying them as custom patterns. This built-in validation step helps ensure that generated regular expressions perform as expected before they are used in production. + +GitHub Code Quality's LLM-powered analysis shares the evaluation framework of Copilot code review. Copilot Autofix suggestions for Code Quality findings follow the same test harness as Copilot Autofix for code scanning. + +## 9. Safety components and mitigations + +* **Human-in-the-loop review**: Copilot Autofix presents all suggestions as proposed code changes that require explicit developer review and acceptance before being applied. Developers must evaluate each suggestion and verify it maintains the codebase's intended behavior. +* **Content filtering**: A filtering system on the LLM detects and prevents potentially harmful suggestions from being displayed to users. The system is stress-tested through red teaming to identify potential vulnerabilities. +* **Internal quality testing**: Suggestions that fail internal testing are not displayed to users. 
Fix generation is only shown when the system has sufficient confidence in the suggestion's quality. +* **Opt-in/opt-out controls**: Copilot Autofix is allowed by default and enabled for every repository using CodeQL, but administrators can disable Copilot Autofix at the enterprise, organization, and repository levels. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/disabling-autofix-for-code-scanning). +* **No training on customer data**: Data handled by Copilot Autofix is not employed for LLM training purposes. The use of this feature is governed by the existing terms and conditions associated with GitHub Advanced Security. +* **False positive feedback loop**: When users close a generic secret detection alert and mark the reason as "False positive," GitHub uses the false positive volume to improve the model. GitHub does not have access to the secret literals themselves. +* **Dry-run validation for generated patterns**: Generated regular expressions from the custom pattern regex generator must go through a dry-run validation step before deployment. Users explicitly import a result into the custom pattern form and test it across their repository or organization, ensuring patterns perform as expected before they are used in production. +* **Explicit user action required**: The regex generator does not automatically deploy patterns. Users must click **Use result** to copy a generated expression into the custom pattern form, then manually save and enable the pattern. +* **Feedback mechanism for Code Quality**: Users can provide feedback on Code Quality suggestions using the thumbs up and thumbs down buttons on the `github-code-quality` bot's comments, helping GitHub improve suggestion quality. +* **Preview-gated availability**: GitHub Code Quality is available as a preview, allowing organizations to evaluate the feature before broader adoption. + +## 10. 
Best practices for deploying and adopting GitHub Code Security AI features + +Responsible AI is a shared commitment between GitHub and its customers. While GitHub builds AI applications with safety, fairness, and transparency at the core, customers play a critical role in deploying and using these technologies responsibly within their own contexts. To support this partnership, we offer the following best practices for deployers and end users to help customers implement responsible AI effectively. + +* **Exercise caution and evaluate outcomes when using GitHub Security AI features for consequential decisions or in sensitive domains**: {% data reusables.rai.copilot.application-card-consequential-decisions %} +* **Evaluate legal and regulatory considerations**: {% data reusables.rai.copilot.application-card-evaluate-legal-regulatory %} +* **Always review suggestions before accepting**: Evaluate the proposed code change to ensure it correctly fixes the security vulnerability without changing the intended behavior of your code. Having good test coverage helps verify that a fix does not change the behavior of the codebase. +* **Verify CI tests pass**: After committing a suggested fix or modified fix, always verify that continuous integration testing (CI) for the codebase continues to pass and that the alert is shown as resolved before merging your pull request. +* **Review dependency changes carefully**: If a suggested fix includes changes to dependencies, verify that any added or updated dependencies are secure, supported, and maintain the intended behavior of the codebase. Use dependency management solutions, such as the dependency review API and action, to evaluate changes. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review). 
+* **Close false positive alerts appropriately**: Since AI secret detection may generate more false positives than partner pattern detection, review the accuracy of each alert. When you verify an alert to be a false positive, close the alert and mark the reason as "False positive" in the GitHub UI. This feedback helps improve the model. +* **Validate generated regex patterns with a dry run**: When using the custom pattern regex generator, always perform a dry run across representative repositories before deploying a generated pattern organization-wide. +* **Be specific with descriptions**: To improve the quality of generated regular expressions, be as specific as possible with your natural language descriptions and include diverse example strings that represent the patterns you want to detect. +* **Review all generated patterns**: Carefully review each of the generated regular expressions, including the AI-generated plain language descriptions, and consider modifying results to more fully meet your needs. You remain ultimately responsible for any custom patterns you decide to use. +* **Review Code Quality findings before applying fixes**: Always verify the accuracy and applicability of Code Quality findings and Autofix suggestions to your codebase before accepting them. +* **Provide feedback on Code Quality suggestions**: Use the thumbs up and thumbs down buttons on the `github-code-quality` bot's comments to help improve the tool and address any concerns or limitations. +* **Exercise human oversight when appropriate**: Human oversight is an important safeguard when interacting with AI applications. While we continuously improve our AI applications, AI might still make mistakes. The outputs generated may be inaccurate, incomplete, biased, misaligned, or irrelevant to your intended goals. This could happen due to various reasons, such as ambiguity in the inputs or limitations of the underlying models. 
As such, users should review the responses generated by GitHub Code Security AI features and verify that they match their expectations and requirements. +* **Be aware of the risk of overreliance**: {% data reusables.rai.copilot.application-card-overreliance %} +* **Exercise caution when designing agentic AI in sensitive domains**: {% data reusables.rai.copilot.application-card-agentic-ai-caution %} +* **Enable CI testing on pull requests**: Ensure continuous integration testing is in place before enabling Copilot Autofix, so that functional requirements are verified after developers apply fixes. +* **Use dependency management solutions**: Enable dependency review on pull requests to catch potentially risky dependency changes introduced by Autofix suggestions. +* **Review security overview metrics**: Use your organization's security overview dashboard to view the total number of Copilot Autofix suggestions generated on open and closed pull requests for a given time period. For more information, see [AUTOTITLE](/code-security/security-overview/viewing-security-insights#autofix-suggestions). +* **Evaluate false-positive volume for secret detection**: Evaluate the false-positive volume and establish triage processes for the alerts list. +* **Monitor Code Quality suggestion volume and quality**: Evaluate the volume and quality of Code Quality suggestions and adjust enablement as appropriate for your organization. + +## 11. 
Learn more about GitHub Security AI features + +For additional guidance on the responsible use of GitHub Security AI features, we recommend reviewing the following documentation: + +* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts) +* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests#working-with-autofix-suggestions-for-alerts-on-a-pull-request) +* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts#generating-suggested-fixes-for-code-scanning-alerts) +* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/disabling-autofix-for-code-scanning) +* [AUTOTITLE](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#advanced-security) +* [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning) +* [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/enabling-ai-powered-generic-secret-detection) +* [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning){% ifversion ghec %} +* [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise#enforcing-a-policy-to-manage-the-use-of-generic-secret-detection-for-secret-scanning-in-your-enterprises-repositories){% endif %} +* [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/generating-regular-expressions-for-custom-patterns-with-copilot-secret-scanning) +* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning) +* [AUTOTITLE](/code-security/code-quality/get-started/quickstart) +* [AUTOTITLE](/copilot/responsible-use/code-review) +* [Community discussion for Code Quality feedback](https://github.com/orgs/community/discussions/177488) + +### Learn 
more about responsible AI
+
+* [Microsoft AI principles](https://www.microsoft.com/en-us/ai/responsible-ai)
+* [Microsoft responsible AI resources](https://www.microsoft.com/en-us/ai/responsible-ai-resources)
+* [Microsoft Azure Learning courses on responsible AI](https://docs.microsoft.com/en-us/learn/paths/responsible-ai-business-principles/)
diff --git a/content/contributing/writing-for-github-docs/templates.md b/content/contributing/writing-for-github-docs/templates.md
index 6108fdaea765..387881a1ed9a 100644
--- a/content/contributing/writing-for-github-docs/templates.md
+++ b/content/contributing/writing-for-github-docs/templates.md
@@ -401,7 +401,11 @@ This section can simply link out to https://docs.github.com/en/actions/configuri
 Use this template for responsible AI application or platform service cards published in {% data variables.product.prodname_docs %}. For examples of published cards, see the articles in [AUTOTITLE](/copilot/responsible-use). - + ```yaml {% raw %}---
@@ -505,7 +509,12 @@ Keep the boilerplate language to introduce the section and replace APPLICATION-O
 APPLICATION-OR-PLATFORM-SERVICE leverages a variety of AI models to power the experience that users see. Some examples include LIST-MODELS-HERE. To learn more about the data used to train the foundation models behind APPLICATION-OR-PLATFORM-SERVICE, refer to the linked model cards to find the relevant data cards.
 {% comment %}
-Instructions: Keep the boilerplate language and replace APPLICATION-OR-PLATFORM-SERVICE with the name of the application or platform service. Then list a few examples of models powering the application and hyperlink the model cards where the text says LIST-MODELS-HERE. Prioritize listing GitHub models if relevant. If there are OpenAI models, link to the Azure OpenAI Service transparency note
+Instructions: Keep the boilerplate language and replace APPLICATION-OR-PLATFORM-SERVICE with the name of the application or platform service. Then list a few examples of models powering the application and hyperlink the model cards where the text says LIST-MODELS-HERE. Prioritize listing GitHub models if relevant. If there are OpenAI models, link to the Azure OpenAI Service transparency note.
+
+For Copilot features, you can link to these reference pages:
+- [AUTOTITLE](/copilot/reference/ai-models/model-comparison)
+- [AUTOTITLE](/copilot/reference/ai-models/supported-models)
+- [AUTOTITLE](/copilot/reference/ai-models/model-hosting)
 {% endcomment %}
 ## 6. Performance 
@@ -648,54 +657,28 @@ Use plain English, avoid technical jargon, and explain any acronyms. Keep the to
 Responsible AI is a shared commitment between GitHub and its customers. While GitHub builds AI applications with safety, fairness, and transparency at the core, customers play a critical role in deploying and using these technologies responsibly within their own contexts. To support this partnership, we offer the following best practices for deployers and end users to help customers implement responsible AI effectively.
-### Deployers and end-users should
-
 - **Exercise caution and evaluate outcomes when using APPLICATION-OR-PLATFORM-SERVICE for consequential decisions or in sensitive domains**: {% data reusables.rai.copilot.application-card-consequential-decisions %}
 - **Evaluate legal and regulatory considerations**: {% data reusables.rai.copilot.application-card-evaluate-legal-regulatory %}
-
-{% comment %}
-Instructions: Replace APPLICATION-OR-PLATFORM-SERVICE with the name of the AI application or platform service. Otherwise, do not modify this text. If there are other best practices for both deployers and end-users, include them in this section. Format the best practice as such:
-
-* SHORT-BEST-PRACTICE-DESCRIPTION: 3-5 sentences explaining the best practice and why deployers and end-users should consider applying the best practice. Use plain English, avoid technical jargon, and explain any acronyms. Keep the tone professional.
-{% endcomment %}
-
-### End-users should
-
-FREE-TEXT
-
 - **Exercise human oversight when appropriate**: Human oversight is an important safeguard when interacting with AI applications. While we continuously improve our AI applications, AI might still make mistakes. The outputs generated may be inaccurate, incomplete, biased, misaligned, or irrelevant to your intended goals. This could happen due to various reasons, such as ambiguity in the inputs or limitations of the underlying models. 
As such, users should review the responses generated by APPLICATION-OR-PLATFORM-SERVICE and verify that they match their expectations and requirements.
 - **Be aware of the risk of overreliance**: {% data reusables.rai.copilot.application-card-overreliance %}
 - **Exercise caution when designing agentic AI in sensitive domains**: {% data reusables.rai.copilot.application-card-agentic-ai-caution %}
 {% comment %}
-Instructions: Consider the questions below as guidance to describe best practices to end-users. You do not have to answer all the questions because the relevance of each question may differ for your application/platform. Use your own discretion and you are encouraged to expand beyond the suggested questions to include any best practices that could benefit end-users.
+Instructions: Replace APPLICATION-OR-PLATFORM-SERVICE with the name of the AI application or platform service. The boilerplate bullet points above must not be modified. If there are additional best practices specific to this application or platform, add them as new bullet points below the boilerplate items. Format each best practice as such:
+
+* **SHORT-BEST-PRACTICE-DESCRIPTION**: 3-5 sentences explaining the best practice and why deployers and end-users should consider applying the best practice. Use plain English, avoid technical jargon, and explain any acronyms. Keep the tone professional.
+
+Consider the following questions as guidance for additional best practices:
 - How can the customer/end users provide feedback or flag concerns about the application/platform?
 - What makes a prompt clear and effective? Provide an example specific to your application.
 - How can an end-user monitor and detect performance drift?
-
-Format the best practice as such:
-
-* SHORT-BEST-PRACTICE-DESCRIPTION: 3-5 sentences explaining the best practice and why end-users should consider applying the best practice. Use plain English, avoid technical jargon, and explain any acronyms. Keep the tone professional. 
Replace APPLICATION-OR-PLATFORM-SERVICE with the name of the AI application or platform service. If there is a risk of overreliance for the AI application or platform service, explain why
-{% endcomment %}
-
-### Deployers should
-
-FREE-TEXT
-
-{% comment %}
-Instructions: Consider the questions below as guidance to describe best practices for deployers. You do not have to answer all the questions because the relevance of each question may differ for your application/platform. Use your own discretion, and you are encouraged to expand beyond the suggested questions to include any best practices that could benefit deployers.
 - What security vulnerabilities should the customer/end user be aware of and how can they protect against these vulnerabilities?
-- How can the customer configure the platform/application to optimize their intended use case? Explain these steps clearly, this is also an opportunity to build upon the intended use case examples earlier in the doc.
-- What settings can the customer configure that may affect safety (e.g., content classifier thresholds)? It's okay to describe at a high level here and link to additional documentation.
+- How can the customer configure the platform/application to optimize their intended use case?
+- What settings can the customer configure that may affect safety (e.g., content classifier thresholds)?
 - What additional testing might be required when considering different use cases?
-- Describe how users can resolve predictable or known failures (tip: consider the issues mentioned in the limitations section)
+- Describe how users can resolve predictable or known failures (tip: consider the issues mentioned in the limitations section).
 - How can the customer monitor and detect performance drift?
-
-Format the best practice as such:
-
-* SHORT-BEST-PRACTICE-DESCRIPTION: 3-5 sentences explaining the best practice and why end-users should consider applying the best practice. 
Use plain English, avoid technical jargon, and explain any acronyms. Keep the tone professional.
 {% endcomment %}
 ## 11. Learn more about APPLICATION-OR-PLATFORM-SERVICE
diff --git a/content/copilot/how-tos/copilot-cli/index.md b/content/copilot/how-tos/copilot-cli/index.md
index 36dc7ab4747c..fc94e8fb8540 100644
--- a/content/copilot/how-tos/copilot-cli/index.md
+++ b/content/copilot/how-tos/copilot-cli/index.md
@@ -44,7 +44,7 @@ children:
 - /content/copilot/reference/copilot-cli-reference/cli-plugin-reference
 - /content/copilot/reference/copilot-cli-reference/cli-programmatic-reference
 - /content/copilot/reference/hooks-reference
- - /content/copilot/responsible-use/copilot-cli
+ - /content/copilot/responsible-use/agents
 - /content/copilot/tutorials/copilot-cli-hooks
 - /customize-copilot/add-custom-instructions
 - /customize-copilot/add-mcp-servers
diff --git a/content/copilot/responsible-use/agents.md b/content/copilot/responsible-use/agents.md
new file mode 100644
index 000000000000..390fe9c8de8e
--- /dev/null
+++ b/content/copilot/responsible-use/agents.md 
@@ -0,0 +1,351 @@
+---
+title: 'Application card: GitHub Copilot Agents'
+shortTitle: Agents
+intro: 'Learn how to use GitHub Copilot agentic features responsibly by understanding their purposes, capabilities, and limitations.'
+versions:
+ feature: copilot
+redirect_from:
+ - /early-access/copilot/code-review/responsible-use-of-copilot-code-review
+ - /early-access/copilot/code-reviews/responsible-use-of-copilot-code-review
+ - /early-access/copilot/code-reviews/responsible-use-of-copilot-code-reviews
+ - /copilot/responsible-use-of-github-copilot-features/responsible-use-of-github-copilot-code-review
+ - /copilot/responsible-use-of-github-copilot-features/code-review
+ - /copilot/responsible-use/code-review
+ - /early-access/copilot/coding-agent/responsible-use-of-copilot-coding-agent
+ - /copilot/responsible-use-of-github-copilot-features/responsible-use-of-copilot-coding-agent-on-githubcom
+ - /copilot/responsible-use-of-github-copilot-features/copilot-coding-agent
+ - /copilot/responsible-use/copilot-coding-agent
+ - /copilot/responsible-use/copilot-cloud-agent
+ - /copilot/github-copilot-in-the-cli/about-github-copilot-in-the-cli
+ - /copilot/responsible-use-of-github-copilot-features/responsible-use-of-github-copilot-in-the-cli
+ - /copilot/responsible-use-of-github-copilot-features/copilot-in-the-cli
+ - /copilot/responsible-use/copilot-in-the-cli
+ - /copilot/responsible-use/copilot-cli
+ - /copilot/responsible-use-of-github-copilot-features/responsible-use-of-github-spark
+ - /copilot/responsible-use-of-github-copilot-features/spark
+ - /copilot/responsible-use/spark
+contentType: rai
+category:
+ - Responsible use
+---
+
+## What is an Application Card?
+
+{% data reusables.rai.copilot.application-card-intro %}
+
+## 1. Overview
+
+GitHub Copilot includes several agentic features that go beyond suggestion and conversation—they can review code, take action on your behalf, and build applications. 
This card covers the following experiences:
+
+* **Copilot code review**: Reviews pull request diffs and metadata on GitHub.com, producing feedback comments and suggested changes.
+* **Copilot cloud agent**: An asynchronous agent on GitHub.com that can create branches, write code, and open pull requests in response to assigned issues. The cloud agent runs in an ephemeral, firewalled environment with automated security scanning.
+* **Copilot CLI**: A command-line tool that can create and modify files, execute commands, and perform multi-step tasks. All actions require explicit permission prompts and are scoped to the current directory.
+* **Copilot SDK**: A programmatic library that allows developers to build custom AI-powered applications using Copilot. The SDK communicates with Copilot CLI over JSON-RPC and supports custom agents, MCP server integrations, lifecycle hooks, and session management.
+{% ifversion spark %}
+* **GitHub Spark (preview)**: A managed app-building experience where an agent writes code and runs commands in a development environment. Spark provides a managed runtime and can add inference capabilities via the GitHub Models SDK.
+{% endif %}
+
+These features share common principles—human oversight, review of outputs, and responsible use—but differ in their execution environments, permissions, and data flows. The sections below describe each experience in context.
+
+## 2. Key terms
+
+The following list provides a glossary of key terms related to GitHub Copilot Agents:
+
+* **Code suggestion**: A specific code change proposed by Copilot code review as part of its feedback on a pull request. Code suggestions are presented as suggested changes that can be applied with a couple of clicks.
+* **Content filtering**: A safety system that scans prompts and responses to detect and block harmful, offensive, or insecure content before it is shown to the user. 
+* **Custom instructions**: Natural language descriptions of coding style and best practices that a repository maintainer can configure to guide Copilot code review's feedback. Custom instructions help Copilot understand the conventions and standards of a specific codebase.
+* **Hallucination**: A phenomenon where a language model generates output that sounds plausible but is factually incorrect, unsupported by the provided context, or entirely fabricated. In code review, hallucination can manifest as feedback that highlights problems that do not exist or are based on misunderstandings of the code.
+* **Large language model (LLM)**: A type of neural network trained on a large body of text data that can generate, analyze, and transform natural language and code. Copilot Agents use one or more LLMs to process context and produce responses.
+* **Ephemeral development environment**: A temporary, isolated compute environment created for each cloud agent session. The environment is destroyed after the session ends, ensuring that no state persists between runs.
+* **Firewall**: A network-level control enabled by default for the cloud agent that prevents outbound connections to unauthorized hosts, protecting against accidental or malicious exfiltration of code or data.
+* **AI credit**: A unit of consumption for Copilot features. Each use of Copilot code review consumes AI credits.
+* **Permission prompt**: An interactive confirmation step in Copilot CLI that asks the user to approve an action—such as modifying a file, executing a command, or accessing files outside the current directory—before the agent proceeds. Permission prompts are a key safety mechanism for local agentic execution.
+* **Copilot SDK**: A programmatic library (`@github/copilot-sdk`) that lets developers build custom AI-powered applications by creating sessions, sending prompts, and receiving streaming responses from Copilot. The SDK communicates with Copilot CLI over JSON-RPC. 
+* **JSON-RPC**: The communication protocol used between the Copilot SDK and Copilot CLI. The SDK sends structured requests to the CLI process, which handles model interaction and tool execution.
+* **Custom agent (SDK)**: A named agent configuration within the SDK that has its own system prompt, scoped tools, and optional MCP servers. The SDK runtime can automatically delegate to sub-agents based on user intent.
+* **Hooks (SDK)**: Lifecycle callbacks in the Copilot SDK that let developers inject custom logic at specific points during a session, such as before or after tool use, on session start or end, and on error.
+{% ifversion spark %}
+* **Managed runtime**: The fully managed hosting environment provided by GitHub Spark that scales with your application's needs and eliminates the need to manually manage infrastructure.
+* **Spark**: An application built using GitHub Spark. Sparks can range from simple utilities to full-stack web applications and can be deployed to the public internet with configurable visibility.
+* **Targeted edit**: A feature in GitHub Spark that allows you to select a specific element within your application and provide a focused prompt to refine its style, substance, or behavior, rather than applying a global change.
+{% endif %}
+
+## 3. Key features or capabilities
+
+The key features and capabilities outlined here describe what GitHub Copilot Agents are designed to do and how they perform across supported tasks.
+
+* **Automated code review feedback**: When a user requests a review from Copilot, it scans the code changes plus additional relevant context and provides feedback on the code. Feedback may include natural language comments and specific code suggestions linked to particular lines and files.
+* **Customizable review guidance**: Copilot code review can be customized with custom instructions—natural language descriptions of coding style and best practices—so that feedback reflects a repository's conventions and standards. 
+* **Autonomous pull request creation**: The Copilot cloud agent can pick up a task from an issue, a pull request comment, or Copilot Chat, create a branch, generate tailored code changes, and open a pull request. After the initial pull request is created, the agent can iterate based on your feedback and reviews.
+* **Ephemeral, firewalled execution**: While working on a task, the cloud agent has access to its own ephemeral development environment where it can make changes to code, execute automated tests, and run linters. A firewall is enabled by default to prevent data exfiltration.
+* **Automated security scanning**: During code generation, the cloud agent automatically analyzes newly generated code for security vulnerabilities using CodeQL, secret scanning, and dependency analysis, and attempts to resolve any issues before they are introduced.
+* **External integrations**: The cloud agent can receive information and context from MCP like workIQ and Microsoft 365, and external applications like Microsoft Teams, Linear, Slack, and Jira, enabling teams to assign tasks and track progress directly within their existing workflows.
+* **Local agentic execution (Copilot CLI)**: Copilot CLI provides a chat-like interface in the terminal that can autonomously create and modify files, execute commands, and perform multi-step tasks. All actions are scoped to the current directory and require explicit permission prompts before the agent modifies files or runs commands.
+{% ifversion spark %}
+* **Natural language app building (Spark)**: GitHub Spark offers a natural language-centric development environment for creating and deploying full-stack web applications without requiring users to write or deploy code manually. Spark provides a fully managed runtime environment that scales with your application's needs.
+* **Inference capabilities (Spark)**: Spark's SDK natively integrates with GitHub Models, allowing you to incorporate model inference into your application. 
If Spark determines that your application requires inference capabilities, it will add them using the Spark SDK.
+{% endif %}
+
+## 4. Intended uses
+
+GitHub Copilot Agents can be used in multiple scenarios across a variety of industries. Some examples of use cases include:
+
+* **Supplementing human code review**: Copilot code review is intended to quickly provide feedback on a developer's code, enabling developers to get code ready to merge more quickly and increasing overall code quality.
+* **Codebase maintenance**: The cloud agent can tackle security-related fixes, dependency upgrades, and targeted refactoring.
+* **Feature development**: The cloud agent can implement incremental feature requests, develop additional test suites, and create or update documentation.
+* **Prototyping new projects**: The cloud agent and Copilot CLI can greenfield new concepts, helping developers explore ideas quickly.
+* **Setting up your environment (CLI)**: Copilot CLI can run commands in your terminal to set up your local environment to work on existing projects.
+* **Finding the right command (CLI)**: Copilot CLI can suggest commands to perform tasks you're trying to complete, and explain unfamiliar commands in natural language.
+* **Building custom AI applications (SDK)**: The Copilot SDK enables developers to build applications that leverage Copilot for code generation, natural language interaction, and task automation in their own products and workflows.
+* **Multi-agent orchestration (SDK)**: Using custom agents and sub-agents, developers can build sophisticated workflows where multiple specialized agents collaborate on complex tasks, with automatic delegation based on user intent.
+* **Extending applications with external tools (SDK)**: The SDK's MCP server support allows developers to connect their applications to external data sources and services, expanding the range of tasks their agents can perform. 
+{% ifversion spark %}
+* **Building and deploying web applications (Spark)**: You can use GitHub Spark to build full-stack web applications using natural language. Spark's integrated runtime environment allows you to deploy these applications to the public internet with configurable visibility based on GitHub account permissions.
+* **Rapid prototyping (Spark)**: Spark helps developers, designers, product managers, and other builders rapidly prototype ideas without needing to build applications from scratch or construct complex mockups. Prototypes can be deployed for ease of sharing or remain unpublished.
+{% endif %}
+
+## 5. Models and training data
+
+GitHub Copilot Agents leverage a variety of AI models to power the experience that users see. For a comparison of the models available for Copilot, see [AUTOTITLE](/copilot/reference/ai-models/model-comparison). For the full list of supported models, see [AUTOTITLE](/copilot/reference/ai-models/supported-models). For information on where models are hosted, see [AUTOTITLE](/copilot/reference/ai-models/model-hosting). To learn more about the data used to train the foundation models behind GitHub Copilot Agents, refer to the linked AI model comparison above and [What data has GitHub Copilot been trained on?](https://github.com/features/copilot#faq) in the GitHub Copilot FAQ.
+
+Copilot code review is a purpose-built product that uses a carefully tuned mix of models, prompts, and system behaviors to deliver consistent, high-quality feedback across a wide range of codebases. Model switching is not supported, as changing the model is likely to compromise reliability, user experience, and the quality of review comments. Copilot code review may use models that are not enabled on your organization's "Models" settings page.
+
+The Copilot cloud agent uses a large language model to reason about tasks, generate code, and leverage tools within its ephemeral development environment. 
The agent has been evaluated across a variety of programming languages. English is the primary supported language for prompts and responses.
+
+Copilot CLI uses a large language model to reason about tasks, generate code, modify files, and execute commands in your local terminal environment. The agent has been evaluated across a variety of programming languages. English is the primary supported language for prompts and responses.
+
+The Copilot SDK communicates with Copilot CLI over JSON-RPC, using the same underlying models and capabilities. Applications built with the SDK use the same models available to the authenticated Copilot user or organization. Developers can also bring their own API keys (BYOK) to use custom model providers.
+
+{% ifversion spark %}
+GitHub Spark uses a large language model to power its agent within the development environment. The agent writes code and runs commands to build your application. Spark's SDK natively integrates with GitHub Models, allowing your application to incorporate model inference capabilities. For information on the models used by GitHub Models, see [AUTOTITLE](/github-models/responsible-use-of-github-models). Spark does not test the prompts you create within your application for inference—you must ensure that your included capabilities act as intended.
+{% endif %}
+
+## 6. Performance
+
+### Differences by experience
+
+#### Copilot cloud agent
+
+The Copilot cloud agent works by using a combination of natural language processing and machine learning to understand your task and make changes in a codebase. This process can be broken down into a number of steps:
+
+1. **Prompt processing**: The task provided through an issue, pull request comment, or Copilot Chat message is combined with other relevant, contextual information to form a prompt. That prompt is sent to a large language model for processing. Inputs can take the form of plain natural language, code snippets, or images.
+1. 
**Language model analysis**: The prompt is passed through a large language model, which is a neural network that has been trained on a large body of data. The language model analyzes the input prompt to help the agent reason about the task and leverage necessary tools.
+1. **Response generation**: The language model generates a response based on its analysis of the prompt. This response can take the form of natural language suggestions and code suggestions.
+1. **Output formatting**: Once the agent completes its first run, it updates the pull request description with the changes it made. The agent may include supplemental information about resources it could not access and provide suggestions on steps to resolve. You may provide feedback by commenting within the pull request or explicitly mentioning the agent (`@copilot`). The agent will then resubmit that feedback for further analysis and respond with updated changes.
+
+Copilot cloud agent is intended to provide the most relevant solution for task resolution. However, it may not always provide the answer you are looking for. You are responsible for reviewing and validating responses generated by Copilot cloud agent to ensure they are accurate and appropriate.
+
+#### Copilot code review
+
+Copilot code review inspects your code and provides feedback using a combination of natural language processing and machine learning. This process can be broken down into a number of steps:
+
+1. **Input processing**: The code changes are combined with other relevant, contextual information (for example, the pull request's title and body), and any custom instructions that have been defined, to form a prompt. That prompt is sent to a large language model.
+1. **Language model analysis**: The prompt is passed through the Copilot language model, which is a neural network that has been trained on a large body of text data. The language model analyzes the input prompt.
+1. 
**Response generation**: The language model generates a response based on its analysis of the input prompt. This response can take the form of natural language suggestions and code suggestions.
+1. **Output formatting**: The response is presented to the user either directly in a supported editor or as a pull request review on GitHub.com, providing code feedback linked to specific lines of specific files. Where Copilot has provided a code suggestion, the suggestion is presented as a suggested change, which can be applied with a couple of clicks.
+
+#### Copilot CLI
+
+Copilot CLI works by using a combination of natural language processing and machine learning to understand your task and make changes in a codebase. This process can be broken down into a number of steps:
+
+1. **Input processing**: Your input is combined with relevant contextual information to form a prompt. That prompt is sent to a large language model for processing. Inputs can take the form of plain natural language, code snippets, or references to files in your terminal.
+1. **Language model analysis**: The prompt is passed through a large language model, which is a neural network that has been trained on a large body of data. The language model analyzes the input prompt to help the agent reason about the task and use the necessary tools.
+1. **Response generation**: The language model generates a response based on its analysis of the prompt. This response can take the form of natural language suggestions, code suggestions, file modifications, and command executions.
+1. **Output formatting**: The response is formatted and presented using syntax highlighting, indentation, and other formatting features. The agent may also execute commands in your local environment and create, edit, or delete files in your file system in order to complete the task. All such actions require explicit permission prompts. 
+
+You may provide feedback to the agent after it returns a response in the interactive chat window. The agent will resubmit that feedback to the language model for further analysis and return an additional response.
+
+#### Copilot SDK
+
+The Copilot SDK provides a programmatic interface to Copilot's agentic capabilities. Applications built with the SDK follow this process:
+
+1. **Session creation**: The application creates a session with the SDK, specifying the model, system prompt, available tools, custom agents, MCP servers, and hooks. The SDK establishes a JSON-RPC connection to Copilot CLI.
+1. **Prompt submission**: User input is submitted to the session. The SDK routes the prompt (along with session context) to the CLI, which forwards it to the language model.
+1. **Agent execution**: The language model reasons about the task and may invoke tools, delegate to sub-agents, or connect to MCP servers. Lifecycle hooks fire at each stage, allowing the application to inject custom logic.
+1. **Response streaming**: Responses are streamed back to the application, which can present them in any format appropriate for its interface. The SDK provides structured events for text, tool calls, errors, and completion signals.
+
+{% ifversion spark %}
+
+#### GitHub Spark
+
+GitHub Spark uses an agent-based approach to build and modify applications. This process can be broken down into a number of steps:
+
+1. **Input processing**: Input prompts are pre-processed by Copilot, augmented with contextual information from your current Spark inputs—including code from your current application, previous prompts, and any error logs from your development environment—and sent to a large language model-powered agent within your development environment. The system is designed to generate code based on submitted prompts and is not capable of conversational interactions. English is the preferred language for prompts.
+1. 
**Language model analysis**: The prompt is passed through a large language model, which is a neural network trained on a large body of text data. The language model analyzes the input prompt to help the agent reason about the task and leverage necessary tools.
+1. **Agent execution**: The agent runs in your development environment, accepting the prompt and additional context, and decides how to update your application. The agent can write code, run commands, and read execution outputs. All actions are taken to ensure functional, accurate code. The only output from the agent is your application code.
+
+Spark uses frameworks and SDKs that ensure modern design and secure deployments seamlessly integrated into Spark's runtime component. The design framework is flexible and modular, enabling you to modify the theme to match your desired look and feel. Spark's runtime integration uses best practices for web deployments to ensure secure, scalable deployments.
+
+{% endif %}
+
+## 7. Limitations
+
+Understanding GitHub Copilot agentic features' limitations is crucial to determine they are used within safe and effective boundaries. While we encourage customers to leverage these features in their innovative solutions or applications, it's important to note that they were not designed for every possible scenario. We encourage users to refer to [AUTOTITLE](/free-pro-team@latest/site-policy/github-terms) as well as the following considerations when choosing a use case:
+
+* **Missed code quality problems**: Copilot may not identify all of the problems that are present in code, especially where changes are large or complex. To ensure that all relevant problems are identified and corrected, Copilot code review should be supplemented with careful human code review.
+* **False positives**: Copilot code review has a risk of hallucination—it may highlight problems in reviewed code that do not exist or are based on misunderstandings of the code. 
Comments generated by Copilot code review should be carefully reviewed and considered before taking action and making changes.
+* **Inaccurate or insecure code suggestions**: As part of its comments, Copilot code review may provide specific code suggestions. The code generated may appear to be valid but may not actually be semantically or syntactically correct, or may not correctly resolve the problem identified in the comment. In addition, code generated by Copilot may contain security vulnerabilities or other issues. You should always carefully review and test code generated by Copilot.
+* **Potential biases**: Copilot's training data is drawn from existing code repositories, which may contain biases and errors that can be perpetuated by the tool. Additionally, Copilot code review may be biased toward certain programming languages or coding styles, which can lead to suboptimal or incomplete feedback.
+* **Limited scope (cloud agent)**: The language model used by the cloud agent has been trained on a large body of code but still has a limited scope and may not be able to handle certain code structures or obscure programming languages. For each language, the quality of suggestions depends on the volume and diversity of training data for that language.
+* **Inaccurate code (cloud agent)**: The cloud agent may generate code that appears to be valid but may not actually be semantically or syntactically correct, or may not accurately reflect the intent of the developer. You should carefully review and test generated code, particularly when dealing with critical or sensitive applications.
+* **Security risks (cloud agent)**: The cloud agent generates code and natural language based on the context of an issue or comment within a repository, which can potentially expose sensitive information or vulnerabilities if not used carefully. You should review all outputs generated by the agent thoroughly prior to merging. 
+* **Public code matches (cloud agent)**: The cloud agent may generate code that is a match or near match of publicly available code, even if the "Suggestions matching public code" policy is set to "Block." If this happens, Copilot will show matches in the agent session logs with a link to display details of the matched code.
+* **Limited scope (CLI)**: The language model used by Copilot CLI has been trained on a large body of code but still has a limited scope and may not be able to handle certain code structures or obscure programming languages. For each language, the quality of suggestions depends on the volume and diversity of training data for that language.
+* **Inaccurate code (CLI)**: Copilot CLI may generate code that appears to be valid but may not actually be semantically or syntactically correct, or may not accurately reflect the intent of the developer. You should carefully review and test generated code, particularly when dealing with critical or sensitive applications.
+* **Security risks (CLI)**: Copilot CLI generates code and natural language based on the context of your local environment, which can potentially expose sensitive information or vulnerabilities if not used carefully. You should review all outputs generated by the agent thoroughly.
+* **Public code matches (CLI)**: Copilot CLI may generate code that is a match or near match of publicly available code, even if the "Suggestions matching public code" policy is set to "Block."
+* **Command execution risks (CLI)**: Additional caution is required when asking or allowing Copilot CLI to execute a command, particularly regarding the potential destructiveness of some suggested commands. You may encounter commands for file deletion or hard drive formatting, which can cause problems if used incorrectly. You are ultimately responsible for the commands executed by Copilot CLI.
+* **Inherited limitations (SDK)**: Because the Copilot SDK communicates with Copilot CLI, applications built with the SDK inherit the same model limitations, including limited scope for certain programming languages and the potential for inaccurate or insecure code generation.
+* **Custom agent complexity (SDK)**: Incorrectly configured custom agents, tools, or hooks may produce unexpected behavior. Developers are responsible for testing and validating the behavior of their custom agent configurations.
+* **MCP server trust (SDK)**: MCP servers connected through the SDK can expose tools and data from external sources. Developers must ensure that connected MCP servers are trustworthy, as malicious or misconfigured servers could introduce harmful behavior or expose sensitive data.
+* **BYOK model variance (SDK)**: When using bring-your-own-key configurations with third-party model providers, behavior may differ from GitHub-hosted models. Developers are responsible for evaluating the safety and quality of responses from their chosen provider.
+{% ifversion spark %}
+* **Interpretation of user intent (Spark)**: Spark is not always correct in its interpretation of your intent. You should always use Spark's provided preview to confirm accurate behavior within your application.
+* **Limited scope (Spark)**: Spark has been trained on a large body of code and relevant applications but may struggle with complex or truly novel applications. Spark performs best on common and personal application scenarios (for example, productivity tools, learning aids, life management utilities), and when the natural language instruction is provided in English.
+* **Public code matches (Spark)**: Spark may generate code that is a match or near match of publicly available code, even if the "Suggestions matching public code" policy is set to "Block." If this happens, Copilot will not provide code references pointing to the original source of the code.
+* **Security limitations (Spark)**: While Spark's runtime follows best practices for application deployment, it generates code probabilistically, which can potentially introduce vulnerabilities especially if those vulnerabilities are common in the training set. You should be careful when building applications that manage personal or sensitive data and always review and test the generated application thoroughly.
+{% endif %}
+
+## 8. Evaluations
+
+{% data reusables.rai.copilot.application-card-evaluations %}
+
+### Performance and quality evaluations
+
+GitHub Copilot Agents are evaluated across its supported surfaces using a combination of industry-standard benchmarks (e.g., SWE-Bench) and internally developed evaluation suites. Benchmark tasks are sourced from public open-source repositories and synthetic scenarios; no real user queries or customer code are used. Each evaluation includes multiple independent runs to account for nondeterminism in model outputs. Key metrics include resolution rate (percentage of tasks successfully completed), token efficiency, latency, and tool call reliability. Models are re-evaluated when updates are made and monitored continuously in production via error rates, response latency, and aggregate usage patterns.
+
+### Performance and quality evaluation methods
+
+New models for GitHub Copilot Agents undergo a staged evaluation process before deployment. Integrator teams run benchmark suites specific to their surface, testing the model on representative coding tasks such as bug fixes, code generation, and multi-file refactoring. Results are reviewed against established baselines and existing production models. Models must meet or exceed baseline performance across key metrics like resolution rate, token efficiency, and latency, before advancing to the next stage. A cross-functional review board makes a formal go/no-go decision before any model is approved for user-facing deployment.
+
+### Risk and safety evaluations
+
+{% data reusables.rai.copilot.application-card-risk-and-safety-evaluations %}
+
+### Evaluation data for quality and safety
+
+{% data reusables.rai.copilot.application-card-evaluation-data-for-quality-and-safety %}
+
+### Custom evaluations
+
+Copilot agentic features have been subject to RAI red teaming to identify and address potential risks. We continue to monitor the efficacy and safety of these features over time. For more information, see [Microsoft AI Red Team building future of safer AI](https://www.microsoft.com/en-us/security/blog/2023/08/07/microsoft-ai-red-team-building-future-of-safer-ai/) on the Microsoft security blog.
+
+## 9. Safety components and mitigations
+
+### Copilot cloud agent
+
+* **Privilege escalation controls**: The cloud agent only responds to interactions from users with repository write access. Actions workflows triggered by pull requests raised by the agent require approval from a user with write access before they will run. The agent filters hidden characters that might allow users to hide harmful instructions in comments or issue contents.
+* **Constrained permissions**: The cloud agent only has access to the repository where it is creating a pull request and cannot access other repositories. It can only push to a single branch: the existing pull request branch when triggered via `@copilot`, or otherwise to a new `copilot/` branch. This means that Copilot cannot push directly to your default branch (for example, `main`). The agent does not have access to Actions organization or repository secrets—only secrets and variables specifically added to the `copilot` environment are passed to the agent.
+* **Ensuring traceability**: The cloud agent's commits are authored by Copilot, with the human who started the task marked as the co-author. This makes it easier to identify code generated by the agent and who initiated the task.
The cloud agent's commits are signed, so they appear as "Verified" on GitHub. This provides confidence that the commits were made by GitHub Copilot cloud agent and have not been altered. Each commit message includes a link to the agent session logs. This gives you a permanent link from any agent-authored commit to the full session logs, so you can understand why Copilot made a change during code review or trace it later for auditing purposes.
+* **Firewall for data exfiltration prevention**: By default, the cloud agent has a firewall enabled to prevent exfiltration of code or other sensitive data, either accidentally or due to malicious user input.
+* **Automated security vulnerability detection**: During code generation, the cloud agent automatically analyzes newly generated code for security vulnerabilities and attempts to resolve them. Analysis is performed using CodeQL (to identify potential vulnerabilities and errors), secret scanning (to ensure secrets aren't introduced), and dependency analysis (to check for known vulnerabilities in referenced dependencies).
+
+### Copilot CLI
+
+* **Directory-scoped access**: By default, Copilot CLI only has access to files and folders in, and below, the directory from which it was invoked. If the agent wishes to access files outside the current directory, it will ask for permission.
+* **Permission prompts for file modifications**: Copilot CLI asks for permission before modifying files. You should ensure it is modifying the correct files before granting permission.
+* **Permission prompts for command execution**: Copilot CLI asks for permission before executing commands that may be dangerous. You should review these commands carefully before giving permission to run.
+* **Configurable permissions**: You can grant Copilot CLI specific permissions, or all permissions, by using the various command line options: for example, `--allow-tool=[TOOLS...]`, `--allow-all-tools`, `--allow-all` (or its slash command equivalent `/allow-all` for use in an interactive session). For more information, see [AUTOTITLE](/copilot/reference/copilot-cli-reference/cli-command-reference#command-line-options). Typically, when you use Copilot CLI in autopilot mode, you will grant it full permissions to allow it to complete a task autonomously, without requiring you to approve activity as it works on the task. For more information, see [AUTOTITLE](/copilot/concepts/agents/copilot-cli/autopilot).
+* **Security considerations**: For more information about security practices while using Copilot CLI, see [AUTOTITLE](/copilot/concepts/agents/about-copilot-cli#security-considerations).
+
+### Copilot SDK
+
+* **Inherited CLI safety controls**: The Copilot SDK communicates with Copilot CLI, inheriting its permission model and safety controls. Tool executions and file modifications still require appropriate permissions.
+* **Hook-based oversight**: The SDK's lifecycle hooks (such as `onPreToolUse` and `onPostToolUse`) allow developers to implement custom safety checks, audit logging, and approval workflows before and after tool execution.
+* **MCP server isolation**: MCP servers run as separate processes. Developers can control which servers are available per session, limiting the scope of external tool access.
+* **Session scoping**: Each SDK session is isolated with its own context, tools, and permissions. Developers can control what data and capabilities are available within each session.
+* **BYOK responsibility**: When using bring-your-own-key configurations, prompts and responses are sent directly to the configured provider. Developers are responsible for reviewing the data handling policies of their chosen provider.
+
+### Data handling when using your own model provider (CLI)
+
+When you configure Copilot CLI to use your own model provider, your prompts, code context, and generated responses are sent directly to the provider you configure. They are not routed through GitHub. You are responsible for reviewing and complying with the terms of service and data handling policies of your chosen provider.
+
+#### Telemetry
+
+When you use your own model provider without offline mode, Copilot CLI continues to send telemetry to GitHub as usual. This telemetry does not include your prompts or code, but it does include usage metadata.
+
+If you enable offline mode by setting the `COPILOT_OFFLINE` environment variable to `true`, all telemetry is disabled. In offline mode, Copilot CLI only makes network requests to your configured model provider.
+
+#### Authentication and feature availability
+
+GitHub authentication is not required when using your own model provider (BYOK). Without GitHub authentication, the following features are unavailable:
+
+* `/delegate`, which hands off the session to GitHub's server-side Copilot
+* The GitHub MCP server
+* GitHub Code Search
+
+In offline mode, web-based tools such as `web_fetch` and GitHub Code Search are also disabled.
+
+#### No fallback to GitHub-hosted models
+
+If your model provider configuration is invalid, Copilot CLI exits with an error. It does not fall back to GitHub-hosted models. Common failures, such as connection refused, authentication errors, model not found, and timeouts, produce user-friendly messages with actionable guidance.
+
+{% ifversion spark %}
+
+### GitHub Spark
+
+* **Content protections**: Spark has built-in protections against harmful, hateful, or offensive content.
+* **Content reporting**: You can report problematic or offensive content via feedback, or report a spark as abuse or spam. Examples of offensive content should be reported to copilot-safety@github.com with the spark's URL.
+* **Secure runtime**: Spark's runtime integration uses best practices for web deployments to ensure secure, scalable deployments.
+
+{% endif %}
+
+## 10. Best practices for deploying and adopting GitHub Copilot agentic features
+
+Responsible AI is a shared commitment between GitHub and its customers. While GitHub builds AI applications with safety, fairness, and transparency at the core, customers play a critical role in deploying and using these technologies responsibly within their own contexts. To support this partnership, we offer the following best practices for deployers and end users to help customers implement responsible AI effectively.
+
+* **Exercise caution and evaluate outcomes when using Copilot agentic features for consequential decisions or in sensitive domains**: {% data reusables.rai.copilot.application-card-consequential-decisions %}
+* **Evaluate legal and regulatory considerations**: {% data reusables.rai.copilot.application-card-evaluate-legal-regulatory %}
+* **Exercise human oversight when appropriate**: Human oversight is an important safeguard when interacting with AI applications. While we continuously improve our AI applications, AI might still make mistakes. The outputs generated may be inaccurate, incomplete, biased, misaligned, or irrelevant to your intended goals. This could happen due to various reasons, such as ambiguity in the inputs or limitations of the underlying models. As such, users should review the responses generated by Copilot agentic features and verify that they match their expectations and requirements.
+* **Be aware of the risk of overreliance**: {% data reusables.rai.copilot.application-card-overreliance %}
+* **Exercise caution when designing agentic AI in sensitive domains**: {% data reusables.rai.copilot.application-card-agentic-ai-caution %}
+* **Use Copilot code review to supplement human reviews, not to replace them**: While Copilot code review can be a powerful tool for improving code quality, it is important to use it as a tool, rather than to replace human reviews. You should always review and verify the feedback generated by Copilot code review, and supplement Copilot's feedback with careful human review to ensure your code meets your requirements.
+* **Provide feedback**: If you encounter any issues or limitations with Copilot code review, we recommend that you provide feedback by using the thumbs up and thumbs down buttons on Copilot's comments. This can help GitHub improve the tool and address any concerns or limitations.
+* **Configure custom instructions**: You can configure custom instructions to help Copilot understand your coding style and best practices, improving the relevance and quality of review feedback.
+* **Ensure cloud agent tasks are well-scoped**: The more clear and well-scoped the prompt you assign to the cloud agent, the better the results. An ideal issue includes a clear description of the problem, complete acceptance criteria, and hints on what files need to be changed.
+* **Customize the cloud agent with additional context**: The cloud agent has access to semantic code search, which helps it find relevant code based on meaning rather than just exact text matches, allowing it to complete tasks faster. To further enhance performance, implement custom Copilot instructions to help the agent better understand your project and how to build, test, and validate its changes.
+* **Use the cloud agent as a tool, not a replacement**: You should always review and test the content generated by the cloud agent to ensure that it meets your requirements and is free of errors or security concerns prior to merging.
+* **Use secure coding and code review practices with the cloud agent**: Although the cloud agent can generate syntactically correct code, it may not always be secure. Follow best practices for secure coding and code review. Take the same precautions as you would with any code that uses material you did not independently originate, including rigorous testing, IP scanning, and checking for security vulnerabilities.
+* **Stay up to date**: The cloud agent is an evolving technology. Stay up to date with any new security risks or best practices that may emerge.
+* **Use Copilot CLI as a tool, not a replacement**: You should always review and verify commands and code generated by Copilot CLI to ensure they meet your requirements and are free of errors or security concerns.
+* **Review commands before execution (CLI)**: Exercise particular caution when Copilot CLI suggests executing commands, especially those that modify or delete files. You are ultimately responsible for the commands you allow the agent to run.
+* **Keep CLI tasks well-scoped**: The more clear and well-scoped the prompt you provide, the better the results. Include a clear description of the problem, acceptance criteria, and hints on what files need to be changed.
+* **Provide feedback (CLI)**: If you encounter any issues or limitations with Copilot CLI, provide feedback using the `/feedback` command.
+* **Validate custom agent behavior (SDK)**: Thoroughly test custom agents, tools, and hooks before deploying applications built with the SDK to production. Ensure that tool configurations and system prompts produce safe, expected behavior.
+* **Audit MCP server connections (SDK)**: Only connect to MCP servers that you trust.
Review the tools and data that each server exposes and ensure they align with your application's security requirements.
+* **Implement safety hooks (SDK)**: Use the SDK's lifecycle hooks to implement guardrails such as content filtering, audit logging, and tool approval workflows in your applications.
+* **Scope sessions appropriately (SDK)**: Configure each SDK session with only the tools, agents, and permissions required for the task at hand. Avoid granting broad access when narrow scoping is sufficient.
+* **Review BYOK provider policies (SDK)**: If using bring-your-own-key configurations, ensure your chosen model provider's terms of service and data handling policies meet your organization's requirements.
+{% ifversion spark %}
+* **Keep Spark prompts specific and on topic**: The more specific you can be about the intended behaviors and interactions, the better the output. Incorporating relevant context such as specific scenarios, mockups, or specifications will help Spark understand your intent. Spark incorporates context from previous prompts, so off-topic prompts may hinder performance on subsequent revisions.
+* **Use targeted edits in Spark**: Targeted edits allow you to specify elements within your application for focused refinement. Using targeted edits when possible—rather than global prompts—will result in more accurate changes and fewer side effects.
+* **Verify Spark's output**: Always use Spark's provided application preview to verify that your application behaves as intended in different scenarios. If you are comfortable with code, review the generated code to ensure it meets your quality standards.
+* **Ensure inference capabilities act as intended (Spark)**: If your Spark application uses inference capabilities via the GitHub Models SDK, you are responsible for testing the prompts you create to ensure they produce appropriate results.
+{% endif %}
+
+## 11.
Learn more about GitHub Copilot agentic features
+
+For additional guidance on the responsible use of Copilot agentic features, we recommend reviewing the following documentation:
+
+* [AUTOTITLE](/copilot/using-github-copilot/code-review/using-copilot-code-review)
+* [AUTOTITLE](/copilot/tutorials/coding-agent/best-practices)
+* [AUTOTITLE](/copilot/customizing-copilot/customizing-the-development-environment-for-copilot-coding-agent)
+* [AUTOTITLE](/copilot/customizing-copilot/customizing-or-disabling-the-firewall-for-copilot-coding-agent)
+* [AUTOTITLE](/copilot/how-tos/copilot-sdk/sdk-getting-started)
+* [AUTOTITLE](/copilot/using-github-copilot/coding-agent/extending-copilot-coding-agent-with-mcp)
+* [AUTOTITLE](/copilot/concepts/agents/about-copilot-cli)
+{% ifversion spark %}
+* [AUTOTITLE](/copilot/tutorials/building-your-first-app-in-minutes-with-github-spark)
+* [AUTOTITLE](/copilot/tutorials/building-ai-app-prototypes)
+* [AUTOTITLE](/copilot/concepts/copilot-billing/about-billing-for-github-spark)
+* [AUTOTITLE](/github-models/responsible-use-of-github-models)
+* [AUTOTITLE](/free-pro-team@latest/site-policy/github-terms/github-pre-release-license-terms)
+{% endif %}
+* [AUTOTITLE](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#github-copilot)
+* [Copilot Trust Center](https://copilot.github.trust.page/)
+
+### Learn more about responsible AI
+
+* [Microsoft AI principles](https://www.microsoft.com/en-us/ai/responsible-ai)
+* [Microsoft responsible AI resources](https://www.microsoft.com/en-us/ai/responsible-ai-resources)
+* [Microsoft Azure Learning courses on responsible AI](https://docs.microsoft.com/en-us/learn/paths/responsible-ai-business-principles/)
diff --git a/content/copilot/responsible-use/chat-in-github-mobile.md b/content/copilot/responsible-use/chat-in-github-mobile.md
deleted file mode 100644
index f271fc155df6..000000000000
--- a/content/copilot/responsible-use/chat-in-github-mobile.md
+++ /dev/null
@@ -1,33 +0,0 @@
----
-title: Responsible use of GitHub Copilot Chat in GitHub Mobile
-shortTitle: Chat in GitHub Mobile
-intro: 'Learn how to use {% data variables.copilot.copilot_chat %} responsibly by understanding its purposes, capabilities, and limitations.'
-redirect_from:
- - /early-access/copilot/about-github-copilot-chat-in-github-mobile
- - /copilot/github-copilot-chat/about-github-copilot-chat-in-github-mobile
- - /copilot/github-copilot-chat/copilot-chat-in-github-mobile/about-github-copilot-chat-in-github-mobile
- - /copilot/responsible-use-of-github-copilot-features/responsible-use-of-github-copilot-chat-in-github-mobile
- - /copilot/responsible-use-of-github-copilot-features/chat-in-github-mobile
-versions:
- feature: copilot-chat-for-mobile
-contentType: rai
-category:
- - Responsible use
----
-
-## About {% data variables.copilot.copilot_mobile %}
-
-{% data variables.copilot.copilot_mobile %} is a chat interface that lets you interact with {% data variables.product.prodname_copilot %}, to ask and receive answers to coding-related questions within {% data variables.product.prodname_mobile %}. The chat interface provides access to coding information and support without requiring you to navigate documentation or search online forums. In addition to {% data variables.product.prodname_mobile %}, {% data variables.copilot.copilot_chat_short %} is currently supported in the {% data variables.product.github %} website, {% data variables.product.prodname_vscode %}, {% data variables.product.prodname_vs %}, and the JetBrains suite of IDEs. For more information about {% data variables.product.prodname_copilot %}, see [AUTOTITLE](/copilot/about-github-copilot/what-is-github-copilot).
-
-{% data variables.copilot.copilot_chat %} can answer a wide range of coding-related questions on topics including syntax, programming concepts, test cases, debugging, and more.
{% data variables.copilot.copilot_chat %} is not designed to answer non-coding questions or provide general information on topics outside of coding.
-
-The primary supported language for {% data variables.copilot.copilot_mobile %} is English.
-
-{% data variables.copilot.copilot_chat %} works by using a combination of natural language processing and machine learning to understand your question and provide you with an answer. This process can be broken down into a number of steps.
-
-{% data reusables.rai.copilot.about-copilot-chat-in-mobile %}
-
-## Further reading
-
-* [AUTOTITLE](/free-pro-team@latest/site-policy/github-terms/github-copilot-pre-release-terms)
-* [{% data variables.product.prodname_copilot %} Trust Center](https://copilot.github.trust.page/)
diff --git a/content/copilot/responsible-use/chat-in-github.md b/content/copilot/responsible-use/chat-in-github.md
deleted file mode 100644
index a0e2bbcc4a4b..000000000000
--- a/content/copilot/responsible-use/chat-in-github.md
+++ /dev/null
@@ -1,161 +0,0 @@
----
-title: Responsible use of GitHub Copilot Chat in GitHub
-shortTitle: Chat in GitHub
-intro: 'Learn how to use {% data variables.copilot.copilot_chat_dotcom %} responsibly by understanding its purposes, capabilities, and limitations.'
-versions:
- feature: copilot
-redirect_from:
- - /copilot/responsible-use-of-github-copilot-features/responsible-use-of-github-copilot-chat-in-githubcom
- - /copilot/responsible-use-of-github-copilot-features/responsible-use-of-github-copilot-chat-in-github
- - /copilot/responsible-use-of-github-copilot-features/chat-in-github
-contentType: rai
-category:
- - Responsible use
----
-
-## About {% data variables.copilot.copilot_chat_dotcom %}
-
-{% data variables.copilot.copilot_chat_dotcom %} is a chat interface that lets you interact with {% data variables.product.prodname_copilot %}, to ask and receive answers to coding-related questions within {% data variables.product.github %}.
-
-The chat interface provides access to coding information and support without requiring you to navigate documentation or search online forums.
-
-> [!NOTE] {% data variables.copilot.copilot_chat_short %} is also available in {% data variables.product.prodname_vscode %}, {% data variables.product.prodname_vs %}, and the JetBrains suite of IDEs. However, features available in these IDEs differ from features available on {% data variables.product.github %}.
-
-{% data variables.copilot.copilot_chat %} can answer a wide range of coding-related questions on topics including syntax, programming concepts, test cases, debugging, and more. {% data variables.copilot.copilot_chat %} is not designed to answer non-coding questions or provide general information on topics outside of coding.
-
-The primary supported language for {% data variables.copilot.copilot_chat_dotcom_short %} is English.
-
-{% data variables.copilot.copilot_chat %} works by using a combination of natural language processing and machine learning to understand your question and provide you with an answer. This process can be broken down into a number of steps.
-
-### Input processing
-
-The input prompt from the user is pre-processed by the {% data variables.copilot.copilot_chat_short %} system, combined with contextual information (for example, the current date and time and the name of the repository the user is currently viewing), and sent to a large language model. User input can take the form of code snippets or plain language.
-
-The large language model will take the prompt, gather additional context (for example repository data stored on {% data variables.product.prodname_dotcom %} or search results from Bing), and provide a response based on the prompt. The system is only intended to respond to coding-related questions.
-
-### Language model analysis
-
-The pre-processed prompt is then passed through the {% data variables.copilot.copilot_chat_short %} language model, which is a neural network that has been trained on a large body of text data. The language model analyzes the input prompt.
-
-### Response generation
-
-The language model generates a response based on its analysis of the input prompt and the context provided to it. The language model can gather additional context (for example repository data stored on {% data variables.product.prodname_dotcom %} or search results from Bing), and provide a response based on the prompt. This response can take the form of generated code, code suggestions, or explanations of existing code.
-
-### Output formatting
-
-The response generated by {% data variables.copilot.copilot_chat_short %} is formatted and presented to the user. {% data variables.copilot.copilot_chat_short %} may use syntax highlighting, indentation, and other formatting features to add clarity to the generated response.
Depending upon the type of question from the user, links to context that the model used when generating a response, such as source code files, issues, Bing search results, or documentation, may also be provided.
-
-{% data variables.copilot.copilot_chat_short %} is intended to provide you with the most relevant answer to your question. However, it may not always provide the answer you are looking for. Users of {% data variables.copilot.copilot_chat_short %} are responsible for reviewing and validating responses generated by the system to ensure they are accurate and appropriate. Additionally, as part of our product development process, we undertake red teaming to understand and improve the safety of {% data variables.copilot.copilot_chat_short %}. Input prompts and output completions are run through content filters. The content filtering system detects and prevents the output on specific categories of content including harmful, offensive, or off-topic content. For more information on improving the performance of {% data variables.copilot.copilot_chat_short %}, see [Improving performance for {% data variables.copilot.copilot_chat_short %}](#improving-performance-for-copilot-chat).
-
-## Use cases for {% data variables.copilot.copilot_chat_short %}
-
-{% data variables.copilot.copilot_chat_short %} can provide coding assistance in a variety of scenarios.
-
-### Answering coding questions
-
-You can ask {% data variables.copilot.copilot_chat_short %} for help or clarification on specific coding problems and receive responses in natural language format or in code snippet format.
-
-The response generated by {% data variables.copilot.copilot_chat_short %} may use the model's training data set, search results from Bing, and code in your repositories to answer your questions.
-
-This can be a useful tool for programmers, as it can provide guidance and support for common coding tasks and challenges.
-
-### Explaining code and suggesting improvements
-
-{% data variables.copilot.copilot_chat_short %} can help explain selected code by generating natural language descriptions of the code's functionality and purpose. This can be useful if you want to understand the code's behavior or for non-technical stakeholders who need to understand how the code works. For example, if you select a function or code block in the code editor, {% data variables.copilot.copilot_chat_short %} can generate a natural language description of what the code does and how it fits into the overall system. This can include information such as the function's input and output parameters, its dependencies, and its purpose in the larger application.
-
-{% data variables.copilot.copilot_chat_short %} can also suggest potential improvements to selected code, such as improved handling of errors and edge cases, or changes to the logical flow to make the code more readable.
-
-By generating explanations and suggesting related documentation, {% data variables.copilot.copilot_chat_short %} may help you to understand the selected code, leading to improved collaboration and more effective software development. However, it's important to note that the generated explanations and documentation may not always be accurate or complete, so you'll need to review, and occasionally correct, {% data variables.copilot.copilot_chat_short %}'s output.
-
-### Proposing code fixes
-
-{% data variables.copilot.copilot_chat_short %} can propose a fix for bugs in your code by suggesting code snippets and solutions based on the context of the error or issue. This can be useful if you are struggling to identify the root cause of a bug or you need guidance on the best way to fix it. For example, if your code produces an error message or warning, {% data variables.copilot.copilot_chat_short %} can suggest possible fixes based on the error message, the code's syntax, and the surrounding code.
-
-{% data variables.copilot.copilot_chat_short %} can suggest changes to variables, control structures, or function calls that might resolve the issue and generate code snippets that can be incorporated into the codebase. However, it's important to note that the suggested fixes may not always be optimal or complete, so you'll need to review and test the suggestions.
-
-### Planning coding tasks
-
-{% data variables.copilot.copilot_chat_short %} can read a {% data variables.product.prodname_dotcom %} issue and summarize it, answer questions about it, or propose next steps. This can be useful if you have a long, complex issue with many comments, and you want to understand it quickly or figure out what to do next.
-
-However, it's important to note that {% data variables.copilot.copilot_chat_short %}'s answers and summaries may not always be accurate or complete, so you'll need to review {% data variables.copilot.copilot_chat_short %}'s output for accuracy.
-
-### Finding out about releases, discussions, and commits
-
-{% data variables.copilot.copilot_chat_short %} can help you find out what changed in a specific release, it can summarize the information in a discussion, and it can explain the changes in a specific commit. This can be useful if, for example, you are new to a project, you want to quickly get the gist of a discussion, or you need to work on code that someone else wrote. However, it's important to note that {% data variables.copilot.copilot_chat_short %}'s summaries of releases, discussions, and commits may not always be accurate or complete.
-
-## Improving performance for {% data variables.copilot.copilot_chat_short %}
-
-{% data variables.copilot.copilot_chat_short %} can support a wide range of practical applications like Q&A, code generation, code analysis, and code fixes, each with different performance metrics and mitigation strategies.
To enhance performance and address some of the limitations of {% data variables.copilot.copilot_chat_short %}, there are various measures that you can adopt. For more information on the limitations of {% data variables.copilot.copilot_chat_short %}, see [Limitations of {% data variables.copilot.copilot_chat %}](#limitations-of-github-copilot-chat).
-
-### Keep your prompts on topic
-
-{% data variables.copilot.copilot_chat_short %} is intended to address queries related to coding exclusively. Therefore, limiting the prompt to coding questions or tasks can enhance the model's output quality.
-
-### Use {% data variables.copilot.copilot_chat_short %} as a tool, not a replacement
-
-While {% data variables.copilot.copilot_chat_short %} can be a powerful tool for generating code, it is important to use it as a tool rather than a replacement for human programming. You should always review and test the code generated by {% data variables.copilot.copilot_chat_short %} to ensure that it meets your requirements and is free of errors or security concerns.
-
-### Use secure coding and code review practices
-
-While {% data variables.copilot.copilot_chat_short %} can generate syntactically correct code, it may not always be secure. You should always follow best practices for secure coding, such as avoiding hard-coded passwords or SQL injection vulnerabilities, as well as following code review best practices, to address {% data variables.copilot.copilot_chat_short %}'s limitations.
-
-### Provide feedback
-
-{% data reusables.rai.copilot-dotcom-feedback-collection %}
-
-If you encounter any issues or limitations with {% data variables.copilot.copilot_chat_dotcom_short %}, we recommend that you provide feedback by clicking the thumbs down icon below each chat response. This can help the developers to improve the tool and address any concerns or limitations.
-
-### Stay up to date
-
-{% data variables.copilot.copilot_chat_short %} is a new technology and is likely to evolve over time. For {% data variables.copilot.copilot_chat_dotcom %} you will always have access to the latest product experience. You should stay up to date with any new security risks or best practices that may emerge.
-
-## Limitations of {% data variables.copilot.copilot_chat %}
-
-Depending on factors such as your codebase and input data, you may experience different levels of performance when using {% data variables.copilot.copilot_chat_short %}. The following information is designed to help you understand system limitations and key concepts about performance as they apply to {% data variables.copilot.copilot_chat_short %}.
-
-### Limited scope
-
-{% data variables.copilot.copilot_chat_short %} has been trained on a large body of code but still has a limited scope and may not be able to handle more complex code structures or obscure programming languages. For each language, the quality of suggestions you receive may depend on the volume and diversity of training data for that language. For example, JavaScript is well-represented in public repositories and is one of {% data variables.product.prodname_copilot %}'s best supported languages. Languages with less representation in public repositories may be more challenging for {% data variables.copilot.copilot_chat_short %} to provide assistance with. Additionally, {% data variables.copilot.copilot_chat_short %} can only suggest code based on the context of the code being written, so it may not be able to identify larger design or architectural issues.
-
-### Potential biases
-
-{% data variables.product.prodname_copilot_short %}'s training data (drawn from existing code repositories) and context gathered by the large language model (for example, Bing search results) may contain biases and errors that can be perpetuated by the tool.
Additionally, {% data variables.copilot.copilot_chat_short %} may be biased towards certain programming languages or coding styles, which can lead to suboptimal or incomplete code suggestions.
-
-### Security risks
-
-{% data variables.copilot.copilot_chat_short %} generates code based on the context of the code being written, which can potentially expose sensitive information or vulnerabilities if not used carefully. You should be careful when using {% data variables.copilot.copilot_chat_short %} to generate code for security-sensitive applications and always review and test the generated code thoroughly.
-
-### Matches with public code
-
-{% data variables.copilot.copilot_chat_short %} is capable of generating new code, which it does in a probabilistic way. While the probability that it may produce code that matches code in the training set is low, a {% data variables.copilot.copilot_chat_short %} suggestion may contain some code snippets that match code in the training set.
-
-If you have disabled suggestions that match public code then {% data variables.copilot.copilot_chat_short %} utilizes filters that prevent it from showing code that matches code found in public repositories on {% data variables.product.prodname_dotcom %}. However, you should always take the same precautions as you would with any code you write that uses material you did not independently originate, including precautions to ensure its suitability. These include rigorous testing, IP scanning, and checking for security vulnerabilities.
-
-If you have enabled suggestions that match public code then {% data variables.copilot.copilot_chat_short %} displays a message if matching code is found. The message includes links to repositories on {% data variables.product.github %} that contain matching code, and any license details that were found. For more information, see [AUTOTITLE](/copilot/using-github-copilot/finding-public-code-that-matches-github-copilot-suggestions).
-
-### Inaccurate code
-
-One of the limitations of {% data variables.copilot.copilot_chat_short %} is that it may generate code that appears to be valid but may not actually be semantically or syntactically correct or may not accurately reflect the intent of the developer. To mitigate the risk of inaccurate code, you should carefully review and test the generated code, particularly when dealing with critical or sensitive applications. You should also ensure that the generated code adheres to best practices and design patterns and fits within the overall architecture and style of the codebase.
-
-### Inaccurate responses to non-coding topics
-
-{% data variables.copilot.copilot_chat_short %} is not designed to answer non-coding questions, and therefore its responses may not always be accurate or helpful in these contexts. If a user asks {% data variables.copilot.copilot_chat_short %} a non-coding question, it may generate an answer that is irrelevant or nonsensical, or it may simply indicate that it is unable to provide a useful response.
-
-### Leveraging a web search to answer a question
-
-Depending on the question you ask, {% data variables.copilot.copilot_chat %} can optionally use a Bing search to help answer your question. {% data variables.product.prodname_copilot_short %} will use Bing for queries about recent events, new trends or technologies, highly specific subjects, or when a web search is explicitly requested by the user. Your {% data variables.product.prodname_enterprise %} administrator can enable Bing for your whole enterprise, or can delegate this decision to the organizational administrator. For more information, see [AUTOTITLE](/copilot/managing-copilot/managing-copilot-for-your-enterprise/managing-policies-and-features-for-copilot-in-your-enterprise).
-
-When leveraging Bing, {% data variables.product.prodname_copilot_short %} will use the content of your prompt, as well as additional available context, to generate a Bing search query on your behalf that is sent to the Bing Search API. {% data variables.product.prodname_copilot_short %} will provide a link to the search results with its response. The search query sent to Bing is governed by [Microsoft's Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement).
-
-{% data reusables.rai.copilot.byok-transparency-note %}
-
-## Next steps
-
-For details of how to use {% data variables.copilot.copilot_chat_dotcom %}, see:
-
-* [AUTOTITLE](/enterprise-cloud@latest/copilot/github-copilot-chat/copilot-chat-in-github/using-github-copilot-chat-in-githubcom){% ifversion fpt %} in the {% data variables.product.prodname_ghe_cloud %} documentation.{% endif %}
-
-## Further reading
-
-* [AUTOTITLE](/free-pro-team@latest/site-policy/github-terms/github-copilot-pre-release-terms)
-* [{% data variables.product.prodname_copilot %} Trust Center](https://copilot.github.trust.page/)
diff --git a/content/copilot/responsible-use/chat-in-your-ide.md b/content/copilot/responsible-use/chat-in-your-ide.md
deleted file mode 100644
index 3b6258ed84d0..000000000000
--- a/content/copilot/responsible-use/chat-in-your-ide.md
+++ /dev/null
@@ -1,188 +0,0 @@
----
-title: Responsible use of GitHub Copilot Chat in your IDE
-shortTitle: Chat in your IDE
-intro: 'Learn how to use {% data variables.copilot.copilot_chat %} responsibly by understanding its purposes, capabilities, and limitations.'
-redirect_from:
- - /early-access/copilot/github-copilot-chat-transparency-note
- - /early-access/copilot/github-copilot-chat-technical-preview-license-terms
- - /copilot/github-copilot-chat/about-github-copilot-chat
- - /copilot/github-copilot-chat/copilot-chat-in-ides/about-github-copilot-chat-in-your-ide
- - /copilot/responsible-use-of-github-copilot-features/responsible-use-of-github-copilot-chat-in-your-ide
- - /copilot/responsible-use-of-github-copilot-features/chat-in-your-ide
-product: '{% data reusables.gated-features.copilot-chat-callout %}'
-versions:
- feature: copilot
-contentType: rai
-category:
- - Responsible use
----
-
-{% vscode %}
-
-{% data reusables.rai.copilot.about-copilot-chat-ide %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-input-processing-all1 %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-input-processing-custom-instructions %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-input-processing-all2 %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-language-model-analysis %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-response-generation %}
-
-When you use the `@github` chat participant, {% data variables.copilot.copilot_chat_short %} will be able to gather context from your code stored on {% data variables.product.github %} and search results from Bing (if enabled by your administrator).
-
-{% data reusables.rai.copilot.copilot-chat-ide-output-formatting %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-leveraging-web-search %}
-
-{% data reusables.rai.copilot.byok-transparency-note %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-use-cases %}
-
-### Answering coding questions
-
-You can ask {% data variables.copilot.copilot_chat_short %} for help or clarification on specific coding problems and receive responses in natural language format or in code snippet format.
-
-The response generated by {% data variables.copilot.copilot_chat_short %} will use the model's training data set to answer your questions.
-
-When you use the `@github` chat participant, the response generated may additionally use search results from Bing, and code in your repositories.
-
-This can be a useful tool for programmers, as it can provide guidance and support for common coding tasks and challenges.
-
-{% data reusables.rai.copilot.copilot-chat-ide-improving-performance %}
-{% data reusables.rai.copilot.copilot-chat-ide-provide-feedback %}
-{% data reusables.rai.copilot.copilot-chat-ide-stay-up-to-date %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-limitations %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-next-steps %}
-
-{% endvscode %}
-
-{% visualstudio %}
-
-{% data reusables.rai.copilot.about-copilot-chat-ide %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-input-processing-all1 %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-input-processing-custom-instructions %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-input-processing-all2 %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-language-model-analysis %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-response-generation %}
-
-When you use the `@github` chat participant, {% data variables.copilot.copilot_chat_short %} will be able to gather context from your code stored on {% data variables.product.github %} and search results from Bing (if enabled by your administrator).
-
-{% data reusables.rai.copilot.copilot-chat-ide-output-formatting %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-leveraging-web-search %}
-
-{% data reusables.rai.copilot.byok-transparency-note %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-use-cases %}
-
-### Answering coding questions
-
-You can ask {% data variables.copilot.copilot_chat_short %} for help or clarification on specific coding problems and receive responses in natural language format or in code snippet format.
-
-The response generated by {% data variables.copilot.copilot_chat_short %} will use the model's training data set to answer your questions.
-
-This can be a useful tool for programmers, as it can provide guidance and support for common coding tasks and challenges.
-
-{% data reusables.rai.copilot.copilot-chat-ide-improving-performance %}
-{% data reusables.rai.copilot.copilot-chat-ide-provide-feedback %}
-{% data reusables.rai.copilot.copilot-chat-ide-stay-up-to-date %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-limitations %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-next-steps %}
-
-{% endvisualstudio %}
-
-{% jetbrains %}
-
-{% data reusables.rai.copilot.about-copilot-chat-ide %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-input-processing-all1 %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-input-processing-all2 %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-language-model-analysis %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-response-generation %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-output-formatting %}
-
-{% data reusables.rai.copilot.byok-transparency-note %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-use-cases %}
-
-### Answering coding questions
-
-You can ask {% data variables.copilot.copilot_chat_short %} for help or clarification on specific coding problems and receive responses in natural language format or in code snippet format.
-
-The response generated by {% data variables.copilot.copilot_chat_short %} will use the model's training data set to answer your questions.
-
-This can be a useful tool for programmers, as it can provide guidance and support for common coding tasks and challenges.
-
-{% data reusables.rai.copilot.copilot-chat-ide-improving-performance %}
-{% data reusables.rai.copilot.copilot-chat-ide-provide-feedback %}
-{% data reusables.rai.copilot.copilot-chat-ide-stay-up-to-date %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-limitations %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-next-steps %}
-
-{% endjetbrains %}
-
-{% eclipse %}
-
-{% data reusables.rai.copilot.about-copilot-chat-ide %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-input-processing-all1 %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-input-processing-all2 %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-language-model-analysis %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-response-generation %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-output-formatting %}
-
-{% data reusables.rai.copilot.byok-transparency-note %}
-
-## Use cases for {% data variables.copilot.copilot_chat %}
-
-{% data variables.copilot.copilot_chat %} can provide coding assistance in a variety of scenarios.
-{% data reusables.rai.copilot.copilot-chat-generate-test-cases %}
-
-### Explaining code and suggesting improvements
-
-{% data variables.copilot.copilot_chat_short %} can help explain the code in a file by generating natural language descriptions of the code's functionality and purpose. This can be useful if you want to understand the code's behavior or for non-technical stakeholders who need to understand how the code works. For example, you can ask {% data variables.product.prodname_copilot_short %} to explain a named function in the currently displayed file and {% data variables.copilot.copilot_chat_short %} will generate a natural language description of what the code does.
This can include information such as the function's input and output parameters, and its dependencies.
-
-{% data variables.copilot.copilot_chat_short %} can also suggest potential improvements to the code, such as improved handling of errors and edge cases, or changes to the logical flow to make the code more readable.
-
-By generating explanations and suggesting related documentation, {% data variables.copilot.copilot_chat_short %} may help you to understand the code in a project, leading to improved collaboration and more effective software development. However, it's important to note that the generated explanations and documentation may not always be accurate or complete, so you'll need to review, and occasionally correct, {% data variables.copilot.copilot_chat_short %}'s output.
-
-{% data reusables.rai.copilot.copilot-chat-propose-fixes %}
-
-### Answering coding questions
-
-You can ask {% data variables.copilot.copilot_chat_short %} for help or clarification on specific coding problems and receive responses in natural language format or in code snippet format.
-
-The response generated by {% data variables.copilot.copilot_chat_short %} will use the model's training data set to answer your questions.
-
-This can be a useful tool for programmers, as it can provide guidance and support for common coding tasks and challenges.
-
-{% data reusables.rai.copilot.copilot-chat-ide-improving-performance %}
-{% data reusables.rai.copilot.copilot-chat-ide-stay-up-to-date %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-limitations %}
-
-{% data reusables.rai.copilot.copilot-chat-ide-next-steps %}
-
-{% endeclipse %}
diff --git a/content/copilot/responsible-use/chat.md b/content/copilot/responsible-use/chat.md
new file mode 100644
index 000000000000..fa9e098ccfe7
--- /dev/null
+++ b/content/copilot/responsible-use/chat.md
@@ -0,0 +1,238 @@
+---
+title: 'Application card: GitHub Copilot Chat'
+shortTitle: Chat
+intro: 'Learn how to use GitHub Copilot Chat responsibly by understanding its purposes, capabilities, and limitations.'
+versions:
+ feature: copilot
+redirect_from:
+ - /copilot/responsible-use-of-github-copilot-features/responsible-use-of-github-copilot-chat-in-githubcom
+ - /copilot/responsible-use-of-github-copilot-features/responsible-use-of-github-copilot-chat-in-github
+ - /copilot/responsible-use-of-github-copilot-features/chat-in-github
+ - /copilot/responsible-use/chat-in-github
+ - /early-access/copilot/github-copilot-chat-transparency-note
+ - /early-access/copilot/github-copilot-chat-technical-preview-license-terms
+ - /copilot/github-copilot-chat/about-github-copilot-chat
+ - /copilot/github-copilot-chat/copilot-chat-in-ides/about-github-copilot-chat-in-your-ide
+ - /copilot/responsible-use-of-github-copilot-features/responsible-use-of-github-copilot-chat-in-your-ide
+ - /copilot/responsible-use-of-github-copilot-features/chat-in-your-ide
+ - /copilot/responsible-use/chat-in-your-ide
+ - /early-access/copilot/about-github-copilot-chat-in-github-mobile
+ - /copilot/github-copilot-chat/about-github-copilot-chat-in-github-mobile
+ - /copilot/github-copilot-chat/copilot-chat-in-github-mobile/about-github-copilot-chat-in-github-mobile
+ - /copilot/responsible-use-of-github-copilot-features/responsible-use-of-github-copilot-chat-in-github-mobile
+ - /copilot/responsible-use-of-github-copilot-features/chat-in-github-mobile
+ - /copilot/responsible-use/chat-in-github-mobile
+ - /copilot/responsible-use-of-github-copilot-features/responsible-use-of-github-copilot-in-windows-terminal
+ - /copilot/responsible-use-of-github-copilot-features/copilot-in-windows-terminal
+ - /copilot/responsible-use/copilot-in-windows-terminal
+ - /copilot/responsible-use/copilot-spaces
+ - /copilot/github-copilot-enterprise/copilot-pull-request-summaries/about-copilot-pull-request-summaries
+
- /copilot/responsible-use-of-github-copilot-features/responsible-use-of-github-copilot-pull-request-summaries
+ - /copilot/responsible-use-of-github-copilot-features/pull-request-summaries
+ - /copilot/responsible-use/pull-request-summaries
+ - /copilot/responsible-use-of-github-copilot-features/copilot-commit-message-generation
+ - /copilot/responsible-use/copilot-commit-message-generation
+ - /copilot/responsible-use-of-github-copilot-features/responsible-use-of-github-copilot-in-github-desktop
+ - /copilot/responsible-use-of-github-copilot-features/copilot-in-github-desktop
+ - /copilot/responsible-use/copilot-in-github-desktop
+contentType: rai
+category:
+ - Responsible use
+---
+
+## What is an Application Card?
+
+{% data reusables.rai.copilot.application-card-intro %}
+
+## 1. Overview
+
+GitHub Copilot Chat is a chat interface that lets you interact with GitHub Copilot to ask and receive answers to coding-related questions. GitHub Copilot Chat is available on GitHub.com, in supported IDEs (VS Code, Visual Studio, JetBrains, and Eclipse), on GitHub Mobile, and in Windows Terminal. On GitHub.com and in GitHub Desktop, Copilot can also generate pull request summaries and commit messages—AI-powered overviews of changes made in a pull request or commit.
+
+GitHub Copilot Chat can answer a wide range of coding-related questions on topics including syntax, programming concepts, test cases, debugging, and more. GitHub Copilot Chat is not designed to answer non-coding questions or provide general information on topics outside of coding.
+
+The primary supported language for GitHub Copilot Chat is English.
+
+## 2. Key terms
+
+The following list provides a glossary of key terms related to GitHub Copilot Chat:
+
+* **Content filtering**: A safety system that scans prompts and responses to detect and block harmful content before it is shown to the user.
+* **Hallucination**: A phenomenon where a language model generates output that sounds plausible but is factually incorrect, unsupported by the provided context, or entirely fabricated. Hallucinations are a known risk of large language models and are reason that human review of AI-generated output is important.
+* **Large language model (LLM)**: A type of neural network trained on a large body of text data that can generate, analyze, and transform natural language and code. GitHub Copilot Chat uses one or more LLMs to process prompts and produce responses.
+* **Prompt**: The input that is provided to GitHub Copilot Chat. The system combines the prompt with additional context (for example, open files or repository data) before sending it to the language model.
+* **Public code matching**: A feature that checks whether Copilot's suggestions match publicly available code. Depending on your settings, matching suggestions may be turned off or on; if turned on, it can either block or annotate with a reference to the source repository and any license information.
+* **Pull request summary**: An AI-generated overview of the changes in a pull request, consisting of a prose paragraph and a bulleted list of key changes linked to the affected files. Summaries are generated on demand on GitHub.com.
+* **Red teaming**: A structured testing practice in which testers deliberately attempt to provoke unsafe, harmful, or unintended behavior from an AI system. Red teaming helps identify vulnerabilities and improve safety mitigations before and after release.
+* **Training data**: The large body of publicly available text and code that was used to train the foundation models behind GitHub Copilot Chat. The composition of the training data influences the quality and coverage of the model's suggestions across different programming languages, frameworks, and topics.
+
+## 3.
Key features or capabilities
+
+The key features and capabilities outlined here describe what GitHub Copilot Chat is designed to do and how it performs across supported tasks.
+
+* **Conversational coding assistance**: GitHub Copilot Chat provides a natural language interface for asking coding-related questions and receiving answers in the form of code, explanations, or step-by-step guidance. Users can ask follow-up questions to refine responses, and the conversation history is maintained within a session.
+* **Context-aware responses**: GitHub Copilot Chat uses contextual information—such as open files, the active repository, chat history, and (when enabled) web search results—to generate responses that are relevant to the user's current work. The specific context available depends on the platform (GitHub.com, IDE, Mobile, Windows Terminal, or GitHub Desktop).
+* **Multi-platform availability**: GitHub Copilot Chat is available across multiple surfaces, including GitHub.com, supported IDEs (VS Code, Visual Studio, JetBrains, and Eclipse), GitHub Mobile, Windows Terminal, and GitHub Desktop. Each platform offers a tailored experience optimized for its environment.
+* **Agent mode**: In supported IDEs, GitHub Copilot Chat can operate in agent mode, where the model autonomously plans multi-step tasks, invokes tools (such as running terminal commands or editing files), and iterates on results. This extends the chat experience beyond single-turn question-and-answer interactions.
+* **Copilot Spaces**: Spaces let users organize repositories, files, issues, and other materials into a curated collection of context. When a question is asked inside a space, Copilot uses the included context to produce more targeted and relevant responses. Spaces can also be accessed from the IDE via the remote GitHub MCP server.
+* **Pull request summaries**: On GitHub.com, Copilot can generate an AI-powered summary of the changes in a pull request.
The output consists of a prose overview followed by a bulleted list of key changes linked to the affected files. Summaries are generated on demand and are intended to help reviewers quickly understand what changed.
+* **Commit message generation**: On GitHub.com and in GitHub Desktop, Copilot can generate a suggested commit summary (title) and description based on the code changes you have selected. In GitHub Desktop, users can select specific lines of code or files to improve context and accuracy. Generated messages can be reviewed and edited before committing.
+* **Bring Your Own Key (BYOK)**: Organizations can connect GitHub Copilot Chat to large language models from supported third-party providers by supplying their own API key, rather than using the default GitHub-hosted model.
+* **Content filtering**: At times, GitHub Copilot Chat may include a content filtering system that scans prompts and responses to detect and block harmful content. A public code matching feature checks whether suggestions match publicly available code and, depending on settings, blocks or annotates those matches with source and license information.
+
+## 4. Intended uses
+
+GitHub Copilot Chat can be used in multiple scenarios across a variety of industries. Some examples of use cases include:
+
+* **Answering coding questions**: Ask GitHub Copilot Chat for help or clarification on specific coding problems and receive responses in natural language or code snippet format. The response may draw on the model's training data, repository context, and web search results (when enabled).
+* **Explaining code and suggesting improvements**: Generate natural language descriptions of a function's purpose, inputs, outputs, and dependencies. GitHub Copilot Chat can also suggest improvements such as better error handling or more readable control flow. Note that generated explanations may not always be accurate or complete and should be reviewed.
+* **Generating unit test cases**: GitHub Copilot Chat can help write unit test cases by generating code snippets based on the code open in the editor or a highlighted code snippet. It can suggest possible input parameters, expected output values, and assertions based on the function's signature and body. GitHub Copilot Chat can also suggest test cases for edge cases and boundary conditions—such as error handling, null values, or unexpected input types—that might be difficult to identify manually. Generated test cases may not cover all possible scenarios; manual testing and code review are still necessary.
+* **Proposing code fixes**: Get suggested fixes for bugs based on the error message, code syntax, and surrounding context. GitHub Copilot Chat can suggest changes to variables, control structures, or function calls that might resolve the issue. Note that suggested fixes may not always be optimal or complete.
+* **Planning coding tasks**: Read and summarize GitHub issues, answer questions about them, or propose next steps.
+* **Learning about releases, discussions, and commits**: Summarize what changed in a release, the gist of a discussion, or the changes in a specific commit.
+* **Summarizing pull request changes (GitHub.com)**: Generate an AI-powered summary of the changes in a pull request—including a prose overview and a bulleted list of key changes linked to the affected files—to help reviewers quickly understand what changed and where to focus their review.
+* **Generating commit messages (GitHub.com and GitHub Desktop)**: Generate a commit message summary (title) and description based on the code changes you've selected to commit, helping you save time and maintain clear commit histories. In GitHub Desktop, you can select specific lines of code or files for better context understanding to increase accuracy. You can review and edit the suggested title and description before committing.
+* **Finding the right command (Windows Terminal)**: Ask Copilot to suggest commands that help you perform tasks in the command line. You can revise your question until the returned command meets your expectations, then insert it into your command line to run it.
+* **Explaining an unfamiliar command (Windows Terminal)**: Ask Copilot to generate a natural language description of a command's functionality, including its input and output parameters and usage examples. Note that generated explanations may not always be accurate or complete.
+* **Developing a new feature (Spaces)**: Bundle relevant code, product specs, and design notes in a space so Copilot can explain the current implementation, highlight gaps, and draft new code or next steps.
+* **Defining logic for repeated tasks (Spaces)**: Document a process once—with flowcharts, examples, or schemas—and reuse it across your team for consistent patterns and reusable templates.
+* **Sharing knowledge with teammates (Spaces)**: Collect the latest code and documentation in one place so Copilot can explain systems, answer questions, and onboard teammates.
+
+## 5. Models and training data
+
+GitHub Copilot Chat leverages a variety of AI models to power the experience that users see. For a comparison of the models available for Copilot, see [AUTOTITLE](/copilot/reference/ai-models/model-comparison). For the full list of supported models, see [AUTOTITLE](/copilot/reference/ai-models/supported-models). For information on where models are hosted, see [AUTOTITLE](/copilot/reference/ai-models/model-hosting). To learn more about the data used to train the foundation models behind GitHub Copilot Chat, refer to the linked AI model comparison above and [What data has GitHub Copilot been trained on?](https://github.com/features/copilot#faq) in the GitHub Copilot FAQ.
+
+### Using Bring Your Own Key (BYOK)
+
+When you use Bring Your Own Key with GitHub Copilot Chat, you can connect the chat experience to large language models from supported providers beyond the default Copilot model. Examples of supported providers include Anthropic, AWS Bedrock, Google AI Studio, Microsoft Foundry, OpenAI, OpenAI-compatible providers, and xAI. You add your API key for the chosen provider directly in your Copilot settings.
+
+When BYOK is active:
+
+* **Feature scope**: Your chosen model is used within GitHub Copilot Chat. In Agent mode, BYOK powers the main conversation, but certain actions such as code application or other tool calls may still use Copilot-integrated models optimized for those tasks. These built-in models do not run through your BYOK provider.
+* **Content filtering**: Regardless of which provider is active, responses still pass through GitHub's API and may have content filtering before results are shown to you.
+* **Quality considerations**: Suggestions may vary depending on the strengths and training coverage of your chosen provider.
+* **Data handling**: When using BYOK, your prompts and responses are transmitted to your selected provider and may be subject to that provider's data retention and privacy policies.
+* **Your responsibilities**: You are responsible for the following:
+ * Provider API key security
+ * Usage costs or quotas
+ * Output validation
+ * Evaluating whether your chosen model meets your safety and quality requirements
+ * Compliance with your selected provider's terms
+ * Determining whether your chosen model complies with applicable laws
+ * Ensuring that a human reviews any output before using it to make decisions that affect people
+* **Export restrictions**: Certain AI models may be subject to export controls. Verify your selected provider and model are authorized for use in your jurisdiction.
+
+BYOK empowers your organization to choose the language model that best fits your needs. 
Note that model performance and safety characteristics are provider-dependent.
+
+## 6. Performance
+
+GitHub Copilot Chat works by using a combination of natural language processing and machine learning to understand your question and provide you with an answer. This process involves:
+
+1. **Input processing**: The user's prompt is pre-processed by the system, combined with contextual information (for example, the current repository, open files, or chat history), and sent to a large language model. User input can take the form of code snippets or plain language.
+1. **Language model analysis**: The prompt is passed through the language model, which is a neural network trained on a large body of text data. The language model analyzes the input prompt.
+1. **Response generation**: The model generates a response based on its analysis of the input prompt and the context provided to it. This response can take the form of generated code, code suggestions, or explanations of existing code.
+1. **Output formatting**: The response is formatted with syntax highlighting, indentation, and other features to add clarity. Depending on the type of question, links to context that the model used—such as source code files, issues, or documentation—may also be provided.
+
+### Differences by experience
+
+* **On GitHub.com**: The model can gather additional context from repository data stored on GitHub and web search results (when enabled by your administrator). Responses may include links to source code files, issues, or documentation.
+* **Pull request summaries (GitHub.com)**: When a user requests a summary, a workflow uses the code diffs from files to build a prompt and requests Copilot to generate an overall summary. The output consists of a prose paragraph giving an overview of the changes, followed by a bulleted list of key changes linked to the respective lines of code. 
You can generate a summary in the description of a new or existing pull request, or in a comment on the pull request timeline. Larger pull requests may take up to a couple of minutes to process. The only supported language for pull request summaries is English.
+* **Commit message generation (GitHub.com)**: When you click the **Commit changes** button on GitHub.com, Copilot generates a suggested summary (title) and description based on the code changes in the selected files. The text is inserted into the summary and description fields for you to review and edit before committing. The only supported language for commit message generation is English.
+* **Commit message generation (GitHub Desktop)**: When you click the Copilot button in GitHub Desktop, Copilot generates a suggested summary (title) and description based on the code changes you've selected. You can select specific lines of code or files to improve context and accuracy, and you can regenerate suggestions before finalizing. The only supported language is English.
+* **In your IDE**: The system combines user input with contextual information such as the name of the repository and the files the user has open. In VS Code and Visual Studio, additional context can be provided automatically from an optional `.github/copilot-instructions.md` file (the user can disable this in settings). When using the `@github` chat participant in VS Code or Visual Studio, GitHub Copilot Chat can also gather context from code stored on GitHub and from Bing search results (if enabled by your administrator).
+* **On GitHub Mobile**: The input prompt is pre-processed and sent to the language model. The system is only intended to respond to coding-related questions. The options available vary by Copilot plan: users with a Copilot Enterprise subscription can have conversations using data from private indexed repositories and, if the web search integration is enabled, receive responses informed by web search results. 
Users with a Copilot Pro subscription can discuss top popular public repositories.
+* **In Windows Terminal**: The user's prompt is combined with contextual information (the name of the active shell and the chat history) and sent to the language model. Responses take the form of a suggested command or an explanation of a command. Suggested commands are not run automatically—you must click on a command to insert it into your command line and then manually run it.
+* **In Copilot Spaces**: Spaces let you organize the context that GitHub Copilot Chat uses to answer your questions. A space can include repositories, code, pull requests, issues, free-text content like transcripts or notes, images, and file uploads. When you submit a question in a space, Copilot augments your request with relevant context from that space. Spaces can also be accessed from the IDE via the remote GitHub MCP server. Not all content in a space is used in every response—Copilot processes a portion of the included content, so being selective about what you add helps ensure relevance.
+
+GitHub Copilot Chat is intended to provide you with the most relevant answer to your question. However, it may not always provide the answer you are looking for. Users of GitHub Copilot Chat are responsible for reviewing and validating responses generated by the system to ensure they are accurate and appropriate.
+
+## 7. Limitations
+
+Understanding GitHub Copilot Chat's limitations is crucial to determine if it is used within safe and effective boundaries. While we encourage customers to leverage GitHub Copilot Chat in their innovative solutions or applications, it's important to note that GitHub Copilot Chat was not designed for every possible scenario. 
We encourage users to refer to [AUTOTITLE](/free-pro-team@latest/site-policy/github-terms) as well as the following considerations when choosing a use case:
+
+* **Limited scope**: GitHub Copilot Chat has been trained on a large body of code but may not be able to handle more complex code structures or obscure programming languages. For each language, the quality of suggestions depends on the volume and diversity of training data. For example, JavaScript is well-represented and well-supported, while less common languages may yield lower-quality results.
+* **Potential biases**: Training data drawn from existing code repositories may contain biases and errors that can be perpetuated by the tool. GitHub Copilot Chat may also be biased towards certain programming languages or coding styles, which can lead to suboptimal or incomplete code suggestions.
+* **Security risks**: Generated code can potentially expose sensitive information or vulnerabilities if not reviewed carefully. Always review and test generated code thoroughly, especially for security-sensitive applications.
+* **Matches with public code**: While the probability is low, GitHub Copilot Chat may produce code that matches code in the training set. You should take the same precautions as you would with any code that uses material you did not independently originate including rigorous testing, IP scanning, and checking for security vulnerabilities. For more information, see [AUTOTITLE](/copilot/using-github-copilot/finding-public-code-that-matches-github-copilot-suggestions).
+* **Inaccurate code**: GitHub Copilot Chat may generate code that appears valid but is not semantically or syntactically correct, or does not accurately reflect the intent of the developer. Carefully review and test generated code, particularly for critical or sensitive applications. 
+* **Inaccurate responses to non-coding topics**: GitHub Copilot Chat is not designed to answer non-coding questions, and its responses in those contexts may be irrelevant or nonsensical.
+* **Risk of destructive commands (Windows Terminal)**: Copilot may suggest commands that could be destructive—such as deleting content or formatting a hard drive—that may be necessary in certain scenarios but can cause problems if used incorrectly. You are ultimately responsible for any commands you choose to execute. Despite the presence of fail-safes and safety mechanisms, executing commands carries inherent risks.
+* **Lines changed limits for PR summaries (GitHub.com)**: Files with more than 400 combined additions and deletions are excluded from summarization.
+* **PR summaries are not auto-updated (GitHub.com)**: Pull request summaries are only created when users request them manually. When updates or changes are made to the pull request, the summary is not automatically refreshed. Users can request a new summary, but should carefully review the updated output—it carries the same risks of inaccuracy as the original.
+* **Replication of PR content (GitHub.com)**: Because a summary outlines the changes in a pull request, if harmful or offensive terms appear in the pull request content, there is potential for the summary to replicate those terms. Users should expect terms used in their PR to appear in the AI-generated summary.
+* **Limited scope for commit messages (GitHub.com and GitHub Desktop)**: Commit message generation may struggle with intricate code changes, short diff windows, or recently developed programming languages. The quality of suggestions depends on the availability and diversity of training data for the languages involved. 
+* **Replication of commit content (GitHub.com and GitHub Desktop)**: Because a commit message summarizes the changes in a commit, if harmful or offensive terms appear in the code changes, there is potential for the generated message to include those terms.
+* **Commit messages are not auto-updated (GitHub.com and GitHub Desktop)**: Commit messages are only generated when you request them. When you make additional changes, the commit message is not automatically refreshed. You can regenerate a new suggestion, but should carefully review the updated output—it carries the same risks of inaccuracy as the original.
+* **Interpretation of user intent (Spaces)**: Spaces help ground GitHub Copilot Chat's responses in curated context, but the system may still misunderstand your intent. Always review output to confirm it reflects your goals.
+* **Context limits (Spaces)**: Spaces have defined size limits, and GitHub Copilot Chat only processes a portion of the content you include. Not every file, document, or note in a space will be used in a response. Being selective about what you add helps ensure the most relevant context is used.
+* **Differing performance based on natural language**: GitHub Copilot Chat has been optimized primarily for English. You may notice differing performance with prompts in other languages.
+* **Leveraging web search**: On GitHub.com and when using the GitHub chat participant in supported IDEs, GitHub Copilot Chat can optionally use a Bing search to help answer your question—for example, queries about recent events, new technologies, or highly specific subjects. Your enterprise administrator can enable or disable Bing for your organization. When web search is used, the content of your prompt, along with additional context, is used to generate a Bing search query on your behalf. The search query sent to Bing is governed by [Microsoft's Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement). 
For more information, see [AUTOTITLE](/copilot/managing-copilot/managing-copilot-for-your-enterprise/managing-policies-and-features-for-copilot-in-your-enterprise).
+
+## 8. Evaluations
+
+{% data reusables.rai.copilot.application-card-evaluations %}
+
+### Performance and quality evaluations
+
+GitHub Copilot Chat AI features are evaluated using a combination of industry-standard benchmarks (e.g., SWE-Bench) and internally developed evaluation suites. Benchmark tasks are sourced from public open-source repositories and synthetic scenarios; no real user queries or customer code are used. Each evaluation includes multiple independent runs to account for nondeterminism in model outputs. Key metrics include resolution rate (percentage of tasks successfully completed), token efficiency, latency, and tool call reliability. Models are re-evaluated when updates are made and monitored continuously in production via error rates, response latency, and aggregate usage patterns.
+
+### Performance and quality evaluation methods
+
+New models for GitHub Copilot Chat undergo a staged evaluation process before deployment. Integrator teams run benchmark suites specific to their surface, testing the model on representative coding tasks such as bug fixes, code generation, and multi-file refactoring. Results are reviewed against established baselines and existing production models. Models must meet or exceed baseline performance across key metrics like resolution rate, token efficiency, and latency, before advancing to the next stage. A cross-functional review board makes a formal go/no-go decision before any model is approved for user-facing deployment. 
+
+### Risk and safety evaluations
+
+{% data reusables.rai.copilot.application-card-risk-and-safety-evaluations %}
+
+### Evaluation data for quality and safety
+
+{% data reusables.rai.copilot.application-card-evaluation-data-for-quality-and-safety %}
+
+### Custom evaluations
+
+As part of our product development process, we undertake red teaming to understand and improve the safety of GitHub Copilot Chat. When enabled, input prompts and output completions are run through content filters.
+
+## 9. Safety components and mitigations
+
+* **Content filtering**: When enabled, the content filtering system detects and prevents the output of harmful content. If you encounter offensive content, report it to `copilot-safety@github.com`.
+* **Public code matching**: Depending on your settings, GitHub Copilot Chat may have the duplicate detection filter turned on or off. If on, GitHub Copilot Chat either blocks suggestions that match public code or annotates them with links to the source repositories and any license details. In VS Code, if you have enabled suggestions that match public code, GitHub Copilot Chat displays a message with a link to show the matched code and any license details in the editor. In Visual Studio, JetBrains, Eclipse, and GitHub Mobile, GitHub Copilot Chat uses filters that block matches with public code. Regardless of settings, you should take the same precautions as with any code that uses material you did not independently originate—including rigorous testing, IP scanning, and checking for security vulnerabilities. For more information, see [AUTOTITLE](/copilot/using-github-copilot/finding-public-code-that-matches-github-copilot-suggestions).
+
+## 10. Best practices for deploying and adopting GitHub Copilot Chat
+
+Responsible AI is a shared commitment between GitHub and its customers. 
While GitHub builds AI applications with safety, fairness, and transparency at the core, customers play a critical role in deploying and using these technologies responsibly within their own contexts. To support this partnership, we offer the following best practices for deployers and end users to help customers implement responsible AI effectively.
+
+* **Exercise caution and evaluate outcomes when using GitHub Copilot Chat for consequential decisions or in sensitive domains**: {% data reusables.rai.copilot.application-card-consequential-decisions %}
+* **Evaluate legal and regulatory considerations**: {% data reusables.rai.copilot.application-card-evaluate-legal-regulatory %}
+
+* **Exercise human oversight when appropriate**: Human oversight is an important safeguard when interacting with AI applications. While we continuously improve our AI applications, AI might still make mistakes. The outputs generated may be inaccurate, incomplete, biased, misaligned, or irrelevant to your intended goals. This could happen due to various reasons, such as ambiguity in the inputs or limitations of the underlying models. As such, users should review the responses generated by GitHub Copilot Chat and verify that they match their expectations and requirements.
+* **Be aware of the risk of overreliance**: {% data reusables.rai.copilot.application-card-overreliance %}
+* **Exercise caution when designing agentic AI in sensitive domains**: {% data reusables.rai.copilot.application-card-agentic-ai-caution %}
+* **Use GitHub Copilot Chat as a tool, not a replacement**: While GitHub Copilot Chat can be a powerful tool for generating code, it is important to use it as a tool rather than a replacement for human programming. Always review and test code generated by GitHub Copilot Chat to ensure it meets your requirements and is free of errors or security concerns.
+* **Keep prompts on topic**: GitHub Copilot Chat is intended to address coding-related queries. 
Limiting prompts to coding questions or tasks enhances the model's output quality.
+* **Use secure coding and code review practices**: Follow best practices for secure coding—such as avoiding hard-coded passwords or SQL injection vulnerabilities—and review all generated code.
+* **Be selective with context (Spaces)**: Adding only the most relevant files, repositories, and notes to a space helps Copilot stay focused. Overloading a space with unnecessary content can dilute response quality.
+* **Keep context updated (Spaces)**: As your project evolves, refresh the files, issues, or documentation in your space. Outdated context may cause Copilot to generate inaccurate or incomplete answers.
+* **Use instructions alongside sources (Spaces)**: Combining natural language instructions with curated sources helps Copilot better understand your intent.
+* **Anchor chat in a space (Spaces)**: Starting conversations from within a space ensures continuity and relevance, keeping responses aligned with the context you've set up.
+* **Review PR summaries before publishing (GitHub.com)**: Pull request summaries are intended to supplement—not replace—your own context about the changes. Always review and assess the accuracy of a generated summary before saving or publishing your pull request.
+* **Review commit messages before committing (GitHub.com and GitHub Desktop)**: Commit message generation is intended to supplement—not replace—your own descriptions of the changes. Always review and edit the suggested title and description before committing. In GitHub Desktop, selecting specific lines of code or files can improve accuracy. You can opt out of commit message generation via the Copilot [settings page](https://github.com/settings/copilot/features) on GitHub.com.
+* **Provide feedback**: If you encounter any issues or limitations, provide feedback through the thumbs up/down buttons below each chat response. 
The ability to provide feedback about pull request summaries is dependent on your enterprise settings. For more information, see [AUTOTITLE](/copilot/managing-copilot/managing-copilot-for-your-enterprise/managing-policies-and-features-for-copilot-in-your-enterprise). For commit message generation, you can share feedback via the [community discussion](https://github.com/orgs/community/discussions/categories/copilot-news-and-announcements) or by [opening an issue in the GitHub Desktop repository](https://github.com/desktop/desktop/issues). This helps improve the tool and address concerns.
+* **Stay up to date**: GitHub Copilot Chat is evolving. Stay current with updates, new security risks, and best practices.
+
+## 11. Learn more about GitHub Copilot Chat
+
+For additional guidance on the responsible use of GitHub Copilot Chat, we recommend reviewing the following documentation:
+
+* [AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-your-ide)
+* [AUTOTITLE](/enterprise-cloud@latest/copilot/github-copilot-enterprise/copilot-pull-request-summaries/creating-a-pull-request-summary-with-github-copilot)
+* [AUTOTITLE](/enterprise-cloud@latest/copilot/github-copilot-chat/copilot-chat-in-github/using-github-copilot-chat-in-githubcom)
+* [AUTOTITLE](/copilot/github-copilot-chat/copilot-chat-in-ides/using-github-copilot-chat-in-your-ide)
+* [Terminal Chat](https://learn.microsoft.com/windows/terminal/terminal-chat)
+* [AUTOTITLE](/free-pro-team@latest/site-policy/github-terms/github-copilot-pre-release-terms)
+* [AUTOTITLE](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#github-copilot)
+* [GitHub Copilot Trust Center](https://copilot.github.trust.page/)
+
+### Learn more about responsible AI
+
+* [Microsoft AI principles](https://www.microsoft.com/en-us/ai/responsible-ai)
+* [Microsoft responsible AI resources](https://www.microsoft.com/en-us/ai/responsible-ai-resources)
+* [Microsoft Azure Learning 
courses on responsible AI](https://docs.microsoft.com/en-us/learn/paths/responsible-ai-business-principles/)
diff --git a/content/copilot/responsible-use/code-review.md b/content/copilot/responsible-use/code-review.md
deleted file mode 100644
index e6cca5c751f3..000000000000
--- a/content/copilot/responsible-use/code-review.md
+++ /dev/null
@@ -1,96 +0,0 @@
----
-title: Responsible use of GitHub Copilot code review
-shortTitle: Code review
-intro: 'Learn how to use {% data variables.copilot.copilot_code-review %} safely and responsibly by understanding its purposes, capabilities, and limitations.'
-versions:
- feature: copilot
-redirect_from:
- - /early-access/copilot/code-review/responsible-use-of-copilot-code-review
- - /early-access/copilot/code-reviews/responsible-use-of-copilot-code-review
- - /early-access/copilot/code-reviews/responsible-use-of-copilot-code-reviews
- - /copilot/responsible-use-of-github-copilot-features/responsible-use-of-github-copilot-code-review
- - /copilot/responsible-use-of-github-copilot-features/code-review
-contentType: rai
-category:
- - Responsible use
----
-
-## About {% data variables.copilot.copilot_code-review %}
-
-{% data variables.copilot.copilot_code-review %} is an AI-powered feature that reviews code and provides feedback.
-
-When a user requests a code review from {% data variables.product.prodname_copilot_short %}, {% data variables.product.prodname_copilot_short %} scans through the code changes, plus additional relevant context, and provides feedback on the code. As part of that feedback, it may also provide specific suggested code changes.
-
-{% data variables.product.prodname_copilot_short %}'s review can be customized with custom instructions, which are natural language descriptions of coding style and best practices. For more information, see [AUTOTITLE](/copilot/how-tos/configure-custom-instructions/add-repository-instructions).
-
-{% data variables.copilot.copilot_code-review %} inspects your code and provides feedback using a combination of natural language processing and machine learning. This process can be broken down into a number of steps. 
-
-### Input processing
-
-The code changes are combined with other relevant, contextual information (for example, the pull request’s title and body on {% data variables.product.github %}), and any custom instructions that have been defined, to form a prompt, and that prompt is sent to a large language model.
-
-### Language model analysis
-
-The prompt is then passed through the {% data variables.product.prodname_copilot_short %} language model, which is a neural network that has been trained on a large body of text data. The language model analyzes the input prompt.
-
-### Response generation
-
-The language model generates a response based on its analysis of the input prompt. This response can take the form of natural language suggestions and code suggestions.
-
-### Output formatting
-
-The response generated by {% data variables.product.prodname_copilot_short %} is presented to the user either directly in the supported editor, or as a pull request review on {% data variables.product.github %}, providing code feedback linked to specific lines of specific files.
-
-Where {% data variables.product.prodname_copilot_short %} has provided a code suggestion, the suggestion is presented as a suggested change, which can be applied with a couple of clicks.
-
-### Model usage
-
-{% data reusables.copilot.ccr-model-usage %} Each use of this feature consumes {% data variables.product.prodname_ai_credits_short %}. See [AUTOTITLE](/copilot/concepts/billing/usage-based-billing-for-individuals) and [AUTOTITLE](/copilot/concepts/billing/usage-based-billing-for-organizations-and-enterprises).
-
-{% data reusables.copilot.ccr-model-settings %}
-
-## Use case for {% data variables.copilot.copilot_code-review %}
-
-The goal of {% data variables.copilot.copilot_code-review %} is to quickly provide feedback on a developer’s code. This can enable developers to get code ready to merge more quickly and increase overall code quality. 
-
-## Improving the performance of {% data variables.copilot.copilot_code-review %}
-
-### Use {% data variables.copilot.copilot_code-review_short %} to supplement human reviews, not to replace them
-
-While {% data variables.copilot.copilot_code-review %} can be a powerful tool for improving code quality, it is important to use it as a tool, rather than to replace human reviews.
-
-You should always review and verify the feedback generated by {% data variables.copilot.copilot_code-review_short %}, and supplement {% data variables.product.prodname_copilot_short %}'s feedback with careful human review to ensure your code meets your requirements.
-
-### Provide feedback
-
-If you encounter any issues or limitations with {% data variables.copilot.copilot_code-review_short %}, we recommend that you provide feedback by using the thumbs up and thumbs down buttons on {% data variables.product.prodname_copilot_short %}'s comments. This can help GitHub to improve the tool and address any concerns or limitations.
-
-### Custom instructions
-
-You can configure custom instructions to help {% data variables.product.prodname_copilot_short %} understand your coding style and best practices. For more information, see [AUTOTITLE](/copilot/how-tos/configure-custom-instructions/add-repository-instructions).
-
-## Limitations of {% data variables.copilot.copilot_code-review %}
-
-Depending on factors such as your codebase and programming language, you may encounter different levels of performance when using {% data variables.copilot.copilot_code-review %}. The following information is designed to help you understand system limitations and key concepts about performance as they apply to {% data variables.copilot.copilot_code-review %}.
-
-### Missed code quality problems
-
-{% data variables.product.prodname_copilot_short %} may not identify all of the problems that are present in code, especially where changes are large or complex. 
To ensure that all relevant problems are identified and corrected, {% data variables.copilot.copilot_code-review_short %} should be supplemented with careful human code review.
-
-### False positives
-
-{% data variables.copilot.copilot_code-review_short %} has a risk of "hallucination" - that is, it may highlight problems in reviewed code that do not exist or are based on misunderstandings of the code. Comments generated by {% data variables.copilot.copilot_code-review_short %} should be carefully reviewed and considered before taking action and making changes.
-
-### Inaccurate or insecure code
-
-As part of its comments, {% data variables.copilot.copilot_code-review_short %} may provide specific code suggestions. The code generated may appear to be valid, but may not actually be semantically or syntactically correct, or may not correctly resolve the problem identified in the comment. In addition, code generated by {% data variables.product.prodname_copilot_short %} may contain security vulnerabilities or other issues. You should always carefully review and test code generated by {% data variables.product.prodname_copilot_short %}.
-
-### Potential biases
-
-{% data variables.product.prodname_copilot_short %}'s training data is drawn from existing code repositories, which may contain biases and errors that can be perpetuated by the tool. Additionally, {% data variables.copilot.copilot_code-review_short %} may be biased toward certain programming languages or coding styles, which can lead to suboptimal or incomplete feedback.
-
-## Next steps
-
-For details of how to use {% data variables.copilot.copilot_code-review_short %}, see:
-
-* [AUTOTITLE](/copilot/using-github-copilot/code-review/using-copilot-code-review)
diff --git a/content/copilot/responsible-use/copilot-cli.md b/content/copilot/responsible-use/copilot-cli.md
deleted file mode 100644
index d2aeaee31f5b..000000000000
--- a/content/copilot/responsible-use/copilot-cli.md
+++ /dev/null
@@ -1,175 +0,0 @@
----
-title: Responsible use of GitHub Copilot CLI
-shortTitle: Copilot CLI
-intro: 'Learn how to use {% data variables.copilot.copilot_cli %} responsibly by understanding its purposes, capabilities, and limitations.'
-product: '{% data reusables.gated-features.copilot-cli %}'
-versions:
- feature: copilot
-redirect_from:
- - /copilot/github-copilot-in-the-cli/about-github-copilot-in-the-cli
- - /copilot/responsible-use-of-github-copilot-features/responsible-use-of-github-copilot-in-the-cli
- - /copilot/responsible-use-of-github-copilot-features/copilot-in-the-cli
- - /copilot/responsible-use/copilot-in-the-cli
-contentType: rai
-category:
- - Responsible use
- - Learn about Copilot CLI
-docsTeamMetrics:
- - copilot-cli
----
-
-## About {% data variables.copilot.copilot_cli %}
-
-{% data variables.copilot.copilot_cli %} provides a chat-like interface in the terminal that can autonomously create and modify files on your computer and execute commands. You can ask {% data variables.product.prodname_copilot_short %} to perform any action on the files in the active directory.
-
-{% data variables.copilot.copilot_cli %} can generate tailored changes based on your description and configurations, including tasks like bug fixes, implementing incremental new features, prototyping, documentation, and codebase maintenance.
-
-While working on your task, the {% data variables.product.prodname_copilot_short %} agent has access to your local terminal environment where it can make changes to your code, execute automated tests, run linters, and execute commands available in your environment.
-
-The agent has been evaluated across a variety of programming languages, with English as the primary supported language.
-
-The agent works by using a combination of natural language processing and machine learning to understand your task and make changes in a codebase to complete the task. This process can be broken down into a number of steps.
-
-### Input processing
-
-Your input is combined with relevant contextual information to form a prompt. That prompt is sent to a large language model for processing. Inputs can take the form of plain natural language, code snippets, or references to files in your terminal.
-
-### Language model analysis
-
-The prompt is then passed through a large language model, which is a neural network that has been trained on a large body of data. The language model analyzes the input prompt to help the agent reason about the task and use the necessary tools.
-
-### Response generation
-
-The language model generates a response based on its analysis of the prompt. This response can take the form of natural language suggestions, code suggestions, file modifications, and command executions.
-
-### Output formatting
-
-The response generated by the agent is formatted and presented to you. {% data variables.copilot.copilot_cli %} uses syntax highlighting, indentation, and other formatting features to add clarity to the generated response.
-
-The agent might also want to execute commands in your local environment and create, edit, or delete files in your file system in order to complete your task.
-
-You may provide feedback to the agent after it returns a response in the interactive chat window. The agent will then resubmit that feedback to the language model for further analysis. Once the agent completes changes based on feedback, the agent will return an additional response.
-
-Copilot is intended to provide you with the most relevant solution for task resolution. However, it may not always provide the answer you are looking for. You are responsible for reviewing and validating responses generated by {% data variables.product.prodname_copilot_short %} to ensure they are accurate and appropriate. For more information, see the section [Improving the results from {% data variables.copilot.copilot_cli %}](#improving-the-results-from-github-copilot-cli), later in this article.
-
-## Use cases for {% data variables.copilot.copilot_cli %}
-
-You can delegate a task to {% data variables.product.prodname_copilot_short %} in a variety of scenarios, including, but not limited to:
-
-* **Codebase maintenance:** Tackling security-related fixes, dependency upgrades, and targeted refactoring.
-* **Documentation:** Updating and creating new documentation.
-* **Feature development:** Implementing incremental feature requests.
-* **Improving test coverage:** Developing additional test suites for quality management.
-* **Prototyping new projects:** Greenfielding new concepts.
-* **Setting up your environment:** Running commands in your terminal to set up your local environment to work on existing projects
-* **Find the right command to perform a task:** {% data variables.product.prodname_copilot_short %} can provide suggestions for commands to perform tasks you're trying to complete.
-* **Explain an unfamiliar command:** {% data variables.product.prodname_copilot_short %} can provide a natural language description of a command's functionality and purpose.
-
-## Improving the results from {% data variables.copilot.copilot_cli %}
-
-{% data variables.copilot.copilot_cli %} can support a wide range of tasks. To enhance the responses you receive, and address some of the limitations of the agent, there are various measures that you can adopt.
-
-For more information about limitations, see the section [Limitations of {% data variables.copilot.copilot_cli %}](#limitations-of-github-copilot-cli), later in this article.
-
-### Ensure your tasks are well-scoped
-
-{% data variables.copilot.copilot_cli %} leverages your prompt as key context when completing a task. The clearer and more well-scoped the prompt you provide, the better the results you will get. An ideal prompt includes:
-
-* A clear description of the problem to be solved or the work required.
-* Complete acceptance criteria on what a good solution looks like (for example, should there be unit tests?).
-* Hints or pointers on what files need to be changed.
-
-### Customize your experience with additional context
-
-{% data variables.copilot.copilot_cli %} leverages your prompt and the repository’s code as context when generating suggested changes. To enhance {% data variables.product.prodname_copilot_short %}’s performance, consider implementing custom {% data variables.product.prodname_copilot_short %} instructions to help the agent better understand your project and how to build, test and validate its changes. For more information, see [AUTOTITLE](/copilot/how-tos/copilot-cli/customize-copilot/add-custom-instructions).
-
-### Use {% data variables.copilot.copilot_cli %} as a tool, not a replacement
-
-While {% data variables.copilot.copilot_cli %} can be a powerful tool for generating code and documentation, it is important to use it as a tool, rather than a replacement for human programming. You should always review and verify commands generated by {% data variables.copilot.copilot_cli %} to ensure that it meets your requirements and is free of errors or security concerns.
-
-### Use secure coding and code review practices
-
-Although {% data variables.copilot.copilot_cli %} can generate syntactically correct code, it may not always be secure. You should always follow best practices for secure coding, such as avoiding hard-coded passwords or SQL injection vulnerabilities, as well as following code review best practices, to address the agent’s limitations. You should always take the same precautions as you would with any code you write that uses material you did not independently originate, including precautions to ensure its suitability. These include rigorous testing, IP scanning, and checking for security vulnerabilities.
-
-### Provide feedback
-
-If you encounter any issues or limitations with {% data variables.copilot.copilot_cli %}, we recommend that you provide feedback using the `/feedback` command.
-
-## Security measures for {% data variables.copilot.copilot_cli %}
-
-### Constraining {% data variables.product.prodname_copilot_short %}’s permissions
-
-By default, {% data variables.copilot.copilot_cli_short %}:
-
-* Only has access to files and folders in, and below, the directory from which {% data variables.copilot.copilot_cli %} was invoked. Ensure you trust the files in this directory. If {% data variables.product.prodname_copilot_short %} wishes to access files outside the current directory, it will ask for permission. Only grant it permission if you trust the contents of that directory.
-* Will ask for permission before modifying files. Ensure that it is modifying the correct files before granting permission.
-* Will ask for permission before executing commands that may be dangerous. Review these commands carefully before giving it permission to run.
-
-You can grant {% data variables.copilot.copilot_cli_short %} specific permissions, or all permissions, by using the various command line options: for example, `--allow-tool=[TOOLS...]`, `--allow-all-tools`, `--allow-all` (or its slash command equivalent `/allow-all` for use in an interactive session). For more information, see [AUTOTITLE](/copilot/reference/copilot-cli-reference/cli-command-reference#command-line-options). Typically, when you use {% data variables.copilot.copilot_cli_short %} in autopilot mode, you will grant it full permissions to allow it to complete a task autonomously, without requiring you to approve activity as it works on the task. For more information, see [AUTOTITLE](/copilot/concepts/agents/copilot-cli/autopilot).
-
-For more information about security practices while using {% data variables.copilot.copilot_cli %}, see "Security considerations" in [AUTOTITLE](/copilot/concepts/agents/about-copilot-cli#security-considerations).
-
-## Data handling when using your own model provider
-
-When you configure {% data variables.copilot.copilot_cli_short %} to use your own model provider, your prompts, code context, and generated responses are sent directly to the provider you configure. They are not routed through {% data variables.product.github %}. You are responsible for reviewing and complying with the terms of service and data handling policies of your chosen provider.
-
-### Telemetry
-
-When you use your own model provider without offline mode, {% data variables.copilot.copilot_cli_short %} continues to send telemetry to {% data variables.product.github %} as usual. This telemetry does not include your prompts or code, but it does include usage metadata.
-
-If you enable offline mode by setting the `COPILOT_OFFLINE` environment variable to `true`, all telemetry is disabled. In offline mode, {% data variables.copilot.copilot_cli_short %} only makes network requests to your configured model provider.
-
-### Authentication and feature availability
-
-{% data variables.product.github %} authentication is not required when using your own model provider (BYOK). Without {% data variables.product.github %} authentication, the following features are unavailable:
-
-* `/delegate`, which hands off the session to {% data variables.product.github %}'s server-side {% data variables.product.prodname_copilot_short %}
-* The {% data variables.product.github %} MCP server
-* {% data variables.product.github %} Code Search
-
-In offline mode, web-based tools such as `web_fetch` and {% data variables.product.github %} Code Search are also disabled.
-
-### No fallback to {% data variables.product.github %}-hosted models
-
-If your model provider configuration is invalid, {% data variables.copilot.copilot_cli_short %} exits with an error. It does not fall back to {% data variables.product.github %}-hosted models. Common failures, such as connection refused, authentication errors, model not found, and timeouts, produce user-friendly messages with actionable guidance.
-
-## Limitations of {% data variables.copilot.copilot_cli %}
-
-Depending on factors such as your codebase and input data, you may experience different levels of performance when using {% data variables.copilot.copilot_cli %}. The following information is designed to help you understand system limitations and key concepts about performance as they apply to {% data variables.copilot.copilot_cli %}.
-
-### Limited scope
-
-The language model used by {% data variables.copilot.copilot_cli %} has been trained on a large body of code but still has a limited scope and may not be able to handle certain code structures or obscure programming languages. For each language, the quality of suggestions you receive may depend on the volume and diversity of training data for that language.
-
-### Potential biases
-
-The language model used by {% data variables.copilot.copilot_cli %}’s training data and context gathered by the large language model may contain biases and errors that can be perpetuated by the tool. Additionally, {% data variables.copilot.copilot_cli %} may be biased towards certain programming languages or coding styles, which can lead to suboptimal or incomplete suggestions.
-
-### Security risks
-
-{% data variables.copilot.copilot_cli %} generates code and natural language based on the context of an issue or comment within a repository, which can potentially expose sensitive information or vulnerabilities if not used carefully. You should be careful to review all outputs generated by {% data variables.copilot.copilot_cli %} thoroughly prior to merging.
-
-### Inaccurate code
-
-{% data variables.copilot.copilot_cli %} may generate code that appears to be valid but may not actually be semantically or syntactically correct or may not accurately reflect the intent of the developer.
-
-To mitigate the risk of inaccurate code, you should carefully review and test the generated code, particularly when dealing with critical or sensitive applications. You should also ensure that the generated code adheres to best practices and design patterns and fits within the overall architecture and style of the codebase.
-
-### Public code
-
-{% data variables.copilot.copilot_cli %} may generate code that is a match or near match of publicly available code, even if the "Suggestions matching public code" policy is set to "Block." See [AUTOTITLE](/copilot/managing-copilot/managing-copilot-as-an-individual-subscriber/managing-your-copilot-plan/managing-copilot-policies-as-an-individual-subscriber#enabling-or-disabling-suggestions-matching-public-code).
-
-### Legal and regulatory considerations
-
-Users need to evaluate potential specific legal and regulatory obligations when using any AI services and solutions, which may not be appropriate for use in every industry or scenario. Additionally, AI services or solutions are not designed for and may not be used in ways prohibited in applicable terms of service and relevant codes of conduct.
-
-### Risk management and user accountability in command execution
-
-Additional caution is required when asking or allowing {% data variables.copilot.copilot_cli %} to execute a command, particularly regarding the potential destructiveness of some suggested commands. You may encounter commands for file deletion or hard drive formatting, which can cause problems if used incorrectly. While such commands may be necessary in certain scenarios, you need to be careful when accepting and running these commands.
-
-Additionally, you are ultimately responsible for the commands executed by {% data variables.copilot.copilot_cli %}. It is entirely your decision whether to use commands generated by {% data variables.copilot.copilot_cli %}. Despite the presence of fail-safes and safety mechanisms, you must understand that executing commands carries inherent risks. {% data variables.copilot.copilot_cli %} provides a powerful tool set, but you should approach its recommendations with caution and ensure that commands align with your intentions and requirements.
-
-## Further reading
-
-* [AUTOTITLE](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#github-copilot)
-* [{% data variables.product.prodname_copilot %} Trust Center](https://copilot.github.trust.page/)
diff --git a/content/copilot/responsible-use/copilot-cloud-agent.md b/content/copilot/responsible-use/copilot-cloud-agent.md
deleted file mode 100644
index 4f232495f863..000000000000
--- a/content/copilot/responsible-use/copilot-cloud-agent.md
+++ /dev/null
@@ -1,193 +0,0 @@
----
-title: Responsible use of GitHub Copilot cloud agent on GitHub.com
-shortTitle: Copilot cloud agent
-allowTitleToDifferFromFilename: true
-intro: 'Learn how to use {% data variables.copilot.copilot_cloud_agent %} on {% data variables.product.prodname_dotcom_the_website %} responsibly by understanding its purposes, capabilities, and limitations.'
-versions:
- feature: copilot
-redirect_from:
- - /copilot/responsible-use/copilot-coding-agent
- - /early-access/copilot/coding-agent/responsible-use-of-copilot-coding-agent
- - /copilot/responsible-use-of-github-copilot-features/responsible-use-of-copilot-coding-agent-on-githubcom
- - /copilot/responsible-use-of-github-copilot-features/copilot-coding-agent
-contentType: rai
-category:
- - Responsible use
----
-
-## About {% data variables.copilot.copilot_cloud_agent %} on {% data variables.product.prodname_dotcom_the_website %}
-
-{% data variables.copilot.copilot_cloud_agent %} is an autonomous and asynchronous software development agent integrated into {% data variables.product.github %}. The agent can pick up a task from an issue or from {% data variables.copilot.copilot_chat_short %}, research a repository, create an implementation plan, and make code changes on a branch. You can review the diff, iterate with the agent, and create a pull request when you're ready.
-
-{% data variables.copilot.copilot_cloud_agent %} can generate tailored changes based on your description and configurations, including tasks like researching a codebase, planning an approach, bug fixes, implementing incremental new features, prototyping, documentation, and codebase maintenance. The agent can iterate with you based on your feedback, whether that's through follow-up prompts during a session or comments on a pull request.
-
-While working on your task, the agent has access to its own ephemeral development environment where it can make changes to your code, execute automated tests, and run linters.
-
-The agent can also be run automatically, on a schedule or in response to events such as an issue being opened, by setting up an {% data variables.copilot.copilot_automation %}. In this case, the agent performs a task you defined in advance, without a person initiating each run. For more information, see [AUTOTITLE](/copilot/concepts/agents/cloud-agent/about-automations).
-
-The agent has been evaluated across a variety of programming languages, with English as the primary supported language.
-
-The agent works by using a combination of natural language processing and machine learning to understand your task and make changes in a codebase to complete your task. This process can be broken down into a number of steps.
-
-> [!NOTE] Deep research, planning, and iterating on code changes before creating a pull request are only available with {% data variables.copilot.copilot_cloud_agent %} on {% data variables.product.prodname_dotcom_the_website %}. {% data variables.copilot.copilot_cloud_agent_short_cap_c %} integrations (such as Azure Boards, JIRA, Linear, Slack, or Teams) only support creating a pull request directly.
-
-### Prompt processing
-
-The task provided to {% data variables.product.prodname_copilot_short %} through an issue, pull request comment or {% data variables.copilot.copilot_chat_short %} message is combined with other relevant, contextual information to form a prompt. That prompt is sent to a large language model for processing. Inputs can take the form of plain natural language, code snippets, or images.
-
-### Language model analysis
-
-The prompt is then passed through a large language model, which is a neural network that has been trained on a large body of data. The language model analyzes the input prompt to help the agent reason on the task and leverage necessary tools.
-
-### Response generation
-
-The language model generates a response based on its analysis of the prompt. This response can take the form of natural language suggestions and code suggestions.
-
-### Output formatting
-
-Once the agent completes its first run, it will provide a summary of the changes it made. If a pull request was created, the agent updates the pull request description. The agent may include supplemental information about resources it could not access and provide suggestions on the steps to resolve.
-
-You may provide feedback to the agent by sending follow-up prompts during a session, commenting within a pull request, or explicitly mentioning the agent (`@copilot`) on the pull request. The agent will then resubmit that feedback to the language model for further analysis. Once the agent completes changes based on feedback, it will respond with updated changes.
-
-Copilot is intended to provide you with the most relevant solution for task resolution. However, it may not always provide the answer you are looking for. You are responsible for reviewing and validating responses generated by {% data variables.product.prodname_copilot_short %} to ensure they are accurate and appropriate.
-
-Additionally, as part of our product development process, {% data variables.product.github %} undertakes red teaming (testing) to understand and improve the safety of the agent.
-
-For information on how to improve performance, see [Improving performance for {% data variables.copilot.copilot_cloud_agent %}](#improving-performance-for-copilot-cloud-agent) below.
-
-## Use cases for {% data variables.copilot.copilot_cloud_agent %}
-
-You can delegate a task to {% data variables.product.prodname_copilot_short %} in a variety of scenarios, including, but not limited to:
-
-* **Deep research:** Understanding how a codebase works, identifying where to make a change, or confirming assumptions.
-* **Planning:** Creating an implementation plan before making changes.
-* **Codebase maintenance:** Tackling security-related fixes, dependency upgrades, and targeted refactoring.
-* **Documentation:** Updating and creating new documentation.
-* **Feature development:** Implementing incremental feature requests.
-* **Improving test coverage:** Developing additional test suites for quality management.
-* **Prototyping new projects:** Greenfielding new concepts.
-
-## Improving performance for {% data variables.copilot.copilot_cloud_agent %}
-
-{% data variables.copilot.copilot_cloud_agent %} can support a wide range of tasks. To enhance the performance and address some of the limitations of the agent, there are various measures that you can adopt.
-
-For more information about limitations, see [Limitations of {% data variables.copilot.copilot_cloud_agent %}](#limitations-of-copilot-cloud-agent) (below).
-
-### Ensure your tasks are well-scoped
-
-{% data variables.copilot.copilot_cloud_agent %} leverages your prompt as key context when working on a task. The more clear and well-scoped the prompt you assign to the agent, the better the results you will get. An ideal task includes:
-
-* A clear description of the problem to be solved or the work required.
-* Complete acceptance criteria on what a good solution looks like (for example, should there be unit tests?).
-* Hints or pointers on what files need to be changed.
-
-### Customize your experience with additional context
-
-{% data variables.copilot.copilot_cloud_agent %} leverages your prompt, comments and the repository’s code as context when generating suggested changes. The agent also has access to semantic code search, which helps it find relevant code based on meaning rather than just exact text matches, allowing it to complete tasks faster.
-
-To enhance {% data variables.product.prodname_copilot_short %}’s performance, consider implementing custom {% data variables.product.prodname_copilot_short %} instructions to help the agent better understand your project and how to build, test and validate its changes. For more information, see "Add custom instructions to your repository" in [AUTOTITLE](/copilot/tutorials/cloud-agent/get-the-best-results#adding-custom-instructions-to-your-repository).
-
-For information about other customizations for {% data variables.copilot.copilot_cloud_agent %}, see:
-
-* [AUTOTITLE](/copilot/how-tos/use-copilot-agents/cloud-agent/customize-the-agent-environment)
-* [AUTOTITLE](/copilot/how-tos/use-copilot-agents/cloud-agent/customize-the-agent-firewall)
-* [AUTOTITLE](/copilot/how-tos/use-copilot-agents/cloud-agent/extend-cloud-agent-with-mcp)
-
-### Use {% data variables.copilot.copilot_cloud_agent %} as a tool, not a replacement
-
-While {% data variables.copilot.copilot_cloud_agent %} can be a powerful tool for generating code and documentation, it is important to use it as a tool, rather than a replacement for human programming. You should always review and test the content generated by the agent to ensure that it meets your requirements and is free of errors or security concerns prior to merging.
-
-### Use secure coding and code review practices
-
-Although {% data variables.copilot.copilot_cloud_agent %} can generate syntactically correct code, it may not always be secure. You should always follow best practices for secure coding, such as avoiding hard-coded passwords or SQL injection vulnerabilities, as well as following code review best practices, to address the agent’s limitations. You should always take the same precautions as you would with any code you write that uses material you did not independently originate, including precautions to ensure its suitability. These include rigorous testing, IP scanning, and checking for security vulnerabilities.
-
-### Provide feedback
-
-If you encounter any issues or limitations with {% data variables.copilot.copilot_cloud_agent %} on {% data variables.product.prodname_dotcom_the_website %}, we recommend that you provide feedback by clicking the thumbs down icon below each agent response. This can help the developers to improve the tool and address any concerns or limitations. Additionally, you can provide feedback in the community discussion forum.
-
-### Stay up to date
-
-{% data variables.copilot.copilot_cloud_agent %} is a new technology and is likely to evolve over time. You should stay up to date with any new security risks or best practices that may emerge.
-
-## Security measures for {% data variables.copilot.copilot_cloud_agent %}
-
-By design, {% data variables.copilot.copilot_cloud_agent %} is built with several mitigations to help ensure your data and codebase is secure. Although mitigations exist, be sure to continue implementing security best practices while understanding the agent’s limitations and how they may impact your code.
-
-### Avoiding privileged escalation
-
-{% data variables.copilot.copilot_cloud_agent %} will only respond to interactions (for example, assigning the agent or commenting) from users with repository write access.
-
-{% data variables.product.prodname_actions %} workflows triggered in response to pull requests raised by {% data variables.copilot.copilot_cloud_agent %} require approval from a user with repository write access before they will run.
-
-The agent filters hidden characters, that are not displayed on {% data variables.product.prodname_dotcom_the_website %}, which might otherwise allow users to hide harmful instructions in comments or issue body contents. This protects against risks like jailbreaks.
-
-### Constraining Copilot’s permissions
-
-Copilot only has access to the repository where it is working, and cannot access other repositories.
-
-Its permissions are limited, allowing it to push code and read other resources. Built-in protections mean that Copilot can only push to a single branch: the existing pull request branch when triggered via `@copilot`, or otherwise to a new `copilot/` branch. This means that Copilot cannot push directly to your default branch (for example, `main`).
-
-{% data variables.copilot.copilot_cloud_agent %} does not have access to {% data variables.product.prodname_actions %} secrets or variables during runtime. Only Agents secrets and variables, configured at the organization or repository level, are passed to the agent. For more information, see [AUTOTITLE](/copilot/how-tos/copilot-on-github/customize-copilot/customize-cloud-agent/configure-secrets-and-variables).
-
-### Ensuring traceability
-
-{% data variables.copilot.copilot_cloud_agent %}'s commits are authored by {% data variables.product.prodname_copilot_short %}, with the human who started the task marked as the co-author. This makes it easier to identify code generated by the agent and who initiated the task.
-
-{% data variables.copilot.copilot_cloud_agent %}'s commits are signed, so they appear as "Verified" on {% data variables.product.github %}. This provides confidence that the commits were made by {% data variables.copilot.copilot_cloud_agent %} and have not been altered.
-
-Each commit message includes a link to the agent session logs. This gives you a permanent link from any agent-authored commit to the full session logs, so you can understand why {% data variables.product.prodname_copilot_short %} made a change during code review or trace it later for auditing purposes.
-
-### Preventing data exfiltration
-
-By default, {% data variables.copilot.copilot_cloud_agent %} has a firewall enabled to prevent exfiltration of code or other sensitive data, either accidentally or due to malicious user input.
-
-For more information, see [AUTOTITLE](/copilot/how-tos/use-copilot-agents/cloud-agent/customize-the-agent-firewall).
-
-### Preventing security vulnerabilities in generated code
-
-During the code generation process, {% data variables.copilot.copilot_cloud_agent %} automatically analyzes the newly generated code for security vulnerabilities and attempts to resolve them, to prevent any discovered issues from being introduced. Analysis is performed using the following tools and processes:
-
-* **{% data variables.product.prodname_codeql %}**: will run to identify potential vulnerabilities and errors.
-* **{% data variables.product.prodname_secret_scanning_caps %}**: will scan for known types of secrets, to ensure secrets aren't introduced in the response.
-* **Dependency analysis**: dependencies referenced by new code will be checked for known vulnerabilities in the {% data variables.product.prodname_advisory_database %}.
-
-## Limitations of {% data variables.copilot.copilot_cloud_agent %}
-
-Depending on factors such as your codebase and input data, you may experience different levels of performance when using {% data variables.copilot.copilot_cloud_agent %}. The following information is designed to help you understand system limitations and key concepts about performance as they apply to {% data variables.copilot.copilot_cloud_agent %}.
-
-### Limited scope
-
-The language model used by {% data variables.copilot.copilot_cloud_agent %} has been trained on a large body of code but still has a limited scope and may not be able to handle certain code structures or obscure programming languages. For each language, the quality of suggestions you receive may depend on the volume and diversity of training data for that language.
-
-### Potential biases
-
-The language model used by {% data variables.copilot.copilot_cloud_agent %}’s training data and context gathered by the large language model may contain biases and errors that can be perpetuated by the tool. Additionally, {% data variables.copilot.copilot_cloud_agent %} may be biased towards certain programming languages or coding styles, which can lead to suboptimal or incomplete suggestions.
-
-### Security risks
-
-{% data variables.copilot.copilot_cloud_agent %} generates code and natural language based on the context of an issue or comment within a repository, which can potentially expose sensitive information or vulnerabilities if not used carefully. You should be careful to review all outputs generated by the agent thoroughly prior to merging.
-
-### Inaccurate code
-
-{% data variables.copilot.copilot_cloud_agent %} may generate code that appears to be valid but may not actually be semantically or syntactically correct or may not accurately reflect the intent of the developer.
-
-To mitigate the risk of inaccurate code, you should carefully review and test the generated code, particularly when dealing with critical or sensitive applications. You should also ensure that the generated code adheres to best practices and design patterns and fits within the overall architecture and style of the codebase.
-
-### Public code
-
-{% data variables.copilot.copilot_cloud_agent %} may generate code that is a match or near match of publicly available code, even if the "Suggestions matching public code" policy is set to "Block." See [AUTOTITLE](/copilot/managing-copilot/managing-copilot-as-an-individual-subscriber/managing-your-copilot-plan/managing-copilot-policies-as-an-individual-subscriber#enabling-or-disabling-suggestions-matching-public-code).
-
-If this happens, {% data variables.product.prodname_copilot_short %} will show matches in the agent session logs with a link to display details of the matched code. For more information, see [AUTOTITLE](/copilot/how-tos/copilot-on-github/use-copilot-agents/manage-and-track-agents).
-
-### Legal and regulatory considerations
-
-Users need to evaluate potential specific legal and regulatory obligations when using any AI services and solutions, which may not be appropriate for use in every industry or scenario. Additionally, AI services or solutions are not designed for and may not be used in ways prohibited in applicable terms of service and relevant codes of conduct.
-
-## External integrations with Copilot cloud agent
-
-{% data variables.copilot.copilot_cloud_agent %} can receive information and context from external applications like Microsoft Teams, Linear, Slack, and Jira. When you mention the external application in these platforms or assign a task to the cloud agent via a connected workflow, it can access relevant context, such as conversation history in threads where it’s mentioned or issue details and activity timelines. This allows the cloud agent to better understand your development needs and provide more relevant assistance. These integrations enable teams to collaborate on code, assign tasks, and track progress directly within their existing workflows, without switching tools. Ensure your team understands what information is being shared and configure integrations according to your organization’s privacy and data handling policies.
-
-For more information about external integrations with {% data variables.copilot.copilot_cloud_agent %}, see:
-* [AUTOTITLE](/copilot/how-tos/use-copilot-agents/cloud-agent/integrate-cloud-agent-with-teams)
-* [AUTOTITLE](/copilot/how-tos/use-copilot-agents/cloud-agent/integrate-cloud-agent-with-linear)
-* [AUTOTITLE](/copilot/how-tos/use-copilot-agents/cloud-agent/integrate-cloud-agent-with-slack)
diff --git a/content/copilot/responsible-use/copilot-code-completion.md b/content/copilot/responsible-use/copilot-code-completion.md
deleted file mode 100644
index 85d6d26a276e..000000000000
--- a/content/copilot/responsible-use/copilot-code-completion.md
+++ /dev/null
@@ -1,124 +0,0 @@ ---- -title: Responsible use of GitHub Copilot inline suggestions -shortTitle: Copilot inline suggestions -allowTitleToDifferFromFilename: true -intro: 'Learn how to use {% data variables.product.prodname_copilot_short %} inline suggestions responsibly by understanding its purposes, capabilities, and limitations.' -versions: - feature: copilot -redirect_from: - - /copilot/responsible-use-of-github-copilot-features/responsible-use-of-github-copilot-code-completion - - /copilot/responsible-use-of-github-copilot-features/copilot-code-completion -contentType: rai -category: - - Responsible use ---- - -## About {% data variables.product.prodname_copilot %} inline suggestions - -{% data variables.product.prodname_copilot_short %} inline suggestions are autocomplete-style suggestions generated inline by {% data variables.product.prodname_copilot %}. {% data variables.product.prodname_copilot_short %} inline suggestions create the experience of working with an AI-powered pair programmer, automatically offering suggestions to complete your code. In addition, it can suggest code comments, tests, and more. It provides these suggestions directly in supported editors while you write your code, and it can work with a broad range of programming languages and frameworks. For more information, see [AUTOTITLE](/copilot/about-github-copilot/what-is-github-copilot). - -{% data variables.product.prodname_copilot_short %}'s suggestions may be the completion of the current line, but will sometimes be a whole new block of code. You can accept all or part of a suggestion, dismiss the suggestion, or keep typing and ignore the suggestions. - -{% data variables.product.prodname_copilot_short %} inline suggestions work by using a combination of natural language processing and machine learning to understand your surrounding code (relative to your cursor position) and provide you with suggestions. This process can be broken down into a number of steps. 
-
-### Input processing
-
-The surrounding code from the user's cursor is pre-processed by the {% data variables.product.prodname_copilot_short %} inline suggestion system, combined with contextual information (such as code snippets from open tabs in the editor) and sent to a large language model in the form of a prompt. For information about data retention, see the [{% data variables.product.prodname_copilot %} Trust Center](https://copilot.github.trust.page/faq?s=b9buqrq7o9ssfk3ta50x6).
-
-The large language model then takes the prompt and provides a response based on the prompt. The system is only intended to assist with coding.
-
-### Language model analysis
-
-The large language model that processes the input prompt is a fine-tuned language model for inline suggestions, which is a neural network that has been trained on a large body of code data specialized for providing inline suggestions.
-
-You can change the model that is used for inline suggestions. See [AUTOTITLE](/copilot/how-tos/use-ai-models/change-the-completion-model).
-
-### Response generation
-
-The language model generates a response based on its analysis of the input prompt and the context provided to it. This response takes the form of generated code and plain text comments, ranging from the completion of the current line to a whole new block of code.
-
-### Output formatting
-
-The response generated by {% data variables.product.prodname_copilot_short %} is formatted as "ghost text" that is visually distinct from the surrounding code and presented to the user as a suggestion. It is only added to the file/codebase if the user explicitly accepts the suggestion. Users can accept all or part of a suggestion, dismiss the suggestion, or they can keep typing and ignore the suggestions in which case the suggestion is discarded.
-
-{% data variables.product.prodname_copilot %} inline suggestions are intended to provide you with the most relevant and useful code suggestions to augment your existing code. However, it may not always provide the answers that you are looking for. Users of {% data variables.product.prodname_copilot_short %} are responsible for reviewing and validating responses generated by the system before they accept them, to ensure they are accurate and appropriate. Additionally, as part of our product development process, we undertake red teaming to understand and improve the safety of {% data variables.product.prodname_copilot_short %} inline suggestions. The generated suggestions are also run through content filters. The content filtering system detects and blocks {% data variables.product.prodname_copilot_short %} from outputting any harmful or offensive content, or insecure code. Furthermore, depending on the user's GitHub settings, the filter also blocks or annotates suggestions that contain matches to public code.
-
-## Use cases for {% data variables.product.prodname_copilot %} inline suggestions
-
-{% data variables.product.prodname_copilot %} inline suggestions can provide coding assistance in a variety of scenarios.
-
-### Generate code based on your instructions
-
-In addition to relying on {% data variables.product.prodname_copilot_short %} to provide suggestions, you can use code comments to tell {% data variables.product.prodname_copilot_short %} about the code you expect to follow the comment. For example, you could use comments such as "use recursion" or "use a singleton pattern" to specify a type of algorithm {% data variables.product.prodname_copilot_short %} should suggest. Or you could use comments to tell {% data variables.product.prodname_copilot_short %} which methods and properties to add to a class.
-
-### Generating unit test cases
-
-{% data variables.product.prodname_copilot_short %} inline suggestions can help you write unit test cases by generating code snippets based on the surrounding code typed in the editor. This may help you spend less time on repetitive tasks writing test cases. For example, if you are writing a test case for a specific function, you can use {% data variables.product.prodname_copilot_short %} to suggest possible input parameters and expected output values based on the function's signature and body. Inline suggestions can also suggest assertions that ensure the function is working correctly, based on the code's context and semantics.
-
-{% data variables.product.prodname_copilot_short %} inline suggestions can also help generate test cases for edge cases and boundary conditions that might be difficult to identify manually. For instance, {% data variables.product.prodname_copilot_short %} can suggest test cases for error handling, null values, or unexpected input types, helping you ensure your code is robust and resilient. However, it is important to note that generated test cases may not cover all possible scenarios, and manual testing and code review are still necessary to ensure the quality of the code.
-
-This can be a useful tool for programmers, as it can provide guidance and support for common coding tasks and challenges.
-
-## Improving performance for {% data variables.product.prodname_copilot %} inline suggestions
-
-{% data variables.product.prodname_copilot_short %} inline suggestions can generate code suggestions in a number of different contexts, with different performance and quality metrics. To enhance performance and address some of the limitations of {% data variables.product.prodname_copilot_short %} inline suggestions, there are various measures that you can adopt.
For more information on the limitations of {% data variables.product.prodname_copilot_short %} inline suggestions, see [Limitations of {% data variables.product.prodname_copilot %} inline suggestions](#limitations-of-github-copilot-inline-suggestions).
-
-### Keep your prompts on topic
-
-{% data variables.product.prodname_copilot_short %} is exclusively intended to generate completions that are either code-related or code itself. Therefore, limiting the context of the content in the editor to code, or coding-related information, can enhance the model's output quality.
-
-### Use {% data variables.product.prodname_copilot_short %} inline suggestions as a tool, not a replacement
-
-While {% data variables.product.prodname_copilot_short %} can be a powerful tool for generating code, it is important to use it as a tool rather than as a replacement for human programming. You should always review the code generated by {% data variables.product.prodname_copilot_short %} before accepting a suggestion, and further validate it after to ensure that it meets your requirements and is free of errors or security concerns.
-
-> [!IMPORTANT]
-> Users assume all risks associated with generated code including security vulnerabilities, bugs, and IP infringement.
-
-### Use secure coding and code review practices
-
-While {% data variables.product.prodname_copilot_short %} inline suggestions can generate syntactically correct code, it may not always be secure. You should always follow best practices for secure coding, such as avoiding hard-coded passwords or SQL injection vulnerabilities, as well as following code review best practices, to address {% data variables.product.prodname_copilot_short %}'s limitations.
-
-### Stay up to date
-
-{% data variables.product.prodname_copilot_short %} inline suggestions are still a fairly new technology and are likely to evolve over time.
You should stay up to date with any updates or changes to the tool, as well as any new security risks or best practices that may emerge. Automated extension updates are enabled by default in Visual Studio Code, Visual Studio, and the JetBrains suite of IDEs. If you have automatic updates enabled, {% data variables.product.prodname_copilot_short %} will automatically update to the latest version when you open your IDE. For more information on automatic updates in your IDE, see the documentation for your preferred IDE or code editor.
-
-## Limitations of {% data variables.product.prodname_copilot %} inline suggestions
-
-Depending on factors such as your codebase and input data, you may experience different levels of performance when interacting with {% data variables.product.prodname_copilot_short %} inline suggestions. The following information is designed to help you understand system limitations and key concepts about performance as they apply to {% data variables.product.prodname_copilot_short %} inline suggestions.
-
-### Limited scope
-
-{% data variables.product.prodname_copilot_short %} inline suggestions are trained on a large body of code but still have a limited scope and may not be able to handle more complex code structures or obscure programming languages. For each language, the quality of suggestions you receive may depend on the volume and diversity of training data for that language. For example, JavaScript is well-represented in public repositories and is one of {% data variables.product.prodname_copilot %}'s best supported languages. Languages with less representation in public repositories may be more challenging for {% data variables.product.prodname_copilot_short %} to assist. Additionally, {% data variables.product.prodname_copilot_short %} inline suggestions can only suggest code based on the context of the code being written, so it may not be able to identify larger design or architectural issues.
-
-Lastly, {% data variables.product.prodname_copilot_short %} inline suggestions are intended to generate code and code-related output. Using {% data variables.product.prodname_copilot_short %} inline suggestions is not intended to generate natural language outputs.
-
-### Potential biases
-
-{% data variables.product.prodname_copilot_short %}'s training data is drawn from existing code repositories, which may contain biases and errors that can be perpetuated by the tool. Additionally, {% data variables.product.prodname_copilot_short %} inline suggestions may be biased towards certain programming languages or coding styles, which can lead to suboptimal or incomplete code suggestions.
-
-### Security risks
-
-{% data variables.product.prodname_copilot_short %} generates code based on the context of the code being written, which can potentially expose sensitive information or vulnerabilities if not used carefully. You should be careful when using {% data variables.product.prodname_copilot_short %} to generate code for security-sensitive applications and always review and test the generated code thoroughly.
-
-### Matches with public code
-
-{% data variables.product.prodname_copilot_short %} inline suggestions are capable of generating new code, which they do in a probabilistic way. While the probability is low, {% data variables.product.prodname_copilot_short %} may generate code suggestions that match code in the training set.
-
-### Inaccurate code
-
-One of the limitations of {% data variables.product.prodname_copilot_short %} is that it may generate code that appears to be valid but may not actually be semantically or syntactically correct or may not accurately reflect the intent of the developer. To mitigate the risk of inaccurate code, you should carefully review and test the generated code, particularly when dealing with critical or sensitive applications.
You should also ensure that the generated code adheres to best practices and design patterns and fits within the overall architecture and style of the codebase.
-
-### Legal and regulatory considerations
-
-Users need to evaluate potential specific legal and regulatory obligations when using any AI services and solutions, which may not be appropriate for use in every industry or scenario. Additionally, AI services or solutions are not designed for and may not be used in ways prohibited in applicable terms of service and relevant codes of conduct.
-
-## Next steps
-
-For details of how to use {% data variables.product.prodname_copilot_short %} inline suggestions, see:
-
-* [AUTOTITLE](/copilot/using-github-copilot/getting-code-suggestions-in-your-ide-with-github-copilot)
-
-## Further reading
-
-* [AUTOTITLE](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#github-copilot)
-* [{% data variables.product.prodname_copilot %} Trust Center](https://copilot.github.trust.page/)
diff --git a/content/copilot/responsible-use/copilot-commit-message-generation.md b/content/copilot/responsible-use/copilot-commit-message-generation.md
deleted file mode 100644
index 6dd0aa76efd1..000000000000
--- a/content/copilot/responsible-use/copilot-commit-message-generation.md
+++ /dev/null
@@ -1,68 +0,0 @@ ---- -title: Responsible use of GitHub Copilot commit message generation -shortTitle: Commit message generation -allowTitleToDifferFromFilename: true -intro: 'Learn how to use {% data variables.product.prodname_copilot_short %} commit message generation responsibly by understanding its purposes, capabilities, and limitations.' -versions: - feature: copilot -contentType: rai -category: - - Responsible use ---- - -## About {% data variables.product.prodname_copilot_short %} commit message generation - -{% data variables.product.prodname_copilot_short %} commit message generation is an AI-powered feature that allows you to create a commit message summary (title) and description based on the changes you've selected to commit in {% data variables.product.prodname_dotcom_the_website %}. To learn about commit message generation in {% data variables.product.prodname_desktop %}, see [AUTOTITLE](/copilot/responsible-use/copilot-in-github-desktop). - -When users commit changes to files using {% data variables.product.github %}'s web interface, {% data variables.product.prodname_copilot_short %} scans through the code changes and provides a suggested summary (title) and description of the changes made in prose. You can review and edit {% data variables.product.prodname_copilot_short %}'s suggested title and description **before** committing the changes to a branch. - -The only supported language for {% data variables.product.prodname_copilot_short %}-generated commit messages in {% data variables.product.prodname_dotcom_the_website %} is English. - -{% data variables.product.prodname_copilot_short %} commit message generation uses a simple-prompt flow leveraging the {% data variables.product.prodname_copilot_short %} API, utilizing the generic large language model and no additional trained models. 
-
-When you click on the **Commit changes** button in {% data variables.product.prodname_dotcom_the_website %}, a call is generated to the {% data variables.product.prodname_copilot_short %} API to generate suggested text to insert into the summary and description boxes. The text complete request includes information from the selected changes in the different files of the repository in a prompt that requests {% data variables.product.prodname_copilot_short %} to generate a suggestion for a commit message that accurately describes those changes. The response is then used to fill the summary and description boxes. You can then review the suggested message, edit it if needed, and then make a commit with it.
-
-## Use cases for {% data variables.product.prodname_copilot_short %} commit message generation
-
-{% data variables.product.prodname_copilot_short %} commit message generation aims to streamline the author workflow so that they can save time and maintain clear commit histories when summarizing their changes. For many users, this could be helpful for saving time when committing large changes. Authors can review and edit suggestions before finalizing and manually committing the changes to a branch. The feature is integrated seamlessly into the commit workflow for a smoother experience.
-
-## Improving {% data variables.product.prodname_copilot_short %} commit message generation
-
-To enhance the experience and address some of the limitations of {% data variables.product.prodname_copilot_short %} commit message generation, there are various measures that you can adopt. For more information about the limitations, see [Limitations of {% data variables.product.prodname_copilot_short %} commit message generation](#limitations-of-copilot-commit-message-generation).
-
-### Use {% data variables.product.prodname_copilot_short %} commit message generation as a tool, not a replacement
-
-The feature is intended to supplement rather than replace a human's work to draft commit messages. The quality of the commit message suggestions will depend on the quality of the code changes and the context in the changed files. It remains your responsibility to review and assess the accuracy of information in the commits you create.
-
-### Provide feedback
-
-If you encounter any issues or limitations with {% data variables.product.prodname_copilot_short %} commit message generation, you can provide feedback via the [community discussion](https://github.com/orgs/community/discussions/categories/copilot-news-and-announcements). This can help the developers to improve the tool and address any concerns or limitations.
-
-## Limitations of {% data variables.product.prodname_copilot_short %} commit message generation
-
-Depending on factors such as your operating system and input data, you may encounter different levels of accuracy when using {% data variables.product.prodname_copilot_short %} commit message generation in {% data variables.product.prodname_dotcom_the_website %}. The following information is designed to help you understand system limitations and key concepts about performance as they apply to {% data variables.product.prodname_copilot_short %} commit message generation.
-
-### Limited scope
-
-{% data variables.product.prodname_copilot_short %} commit message generation operates within defined boundaries and might struggle with intricate code changes, short diff windows, or recently developed programming languages. The quality of suggestions it provides can be influenced by the availability and diversity of training data. For instance, inquiries about well-documented languages like Python may yield more accurate responses compared to questions about less popular languages.
-
-### Inaccurate responses
-
-The more inputs and context that {% data variables.product.prodname_copilot_short %} can learn from, the better the outputs will become. However, since the feature is quite new, it will take time to reach exact precision with the summaries that are generated. In the meantime, there may be cases where a generated summary is less accurate and requires the user to make modifications before saving and publishing their commit. In addition, there is a risk of "hallucination," where {% data variables.product.prodname_copilot_short %} generates statements that are inaccurate. For these reasons, reviewing is a requirement, and careful review of the output is highly recommended by our team.
-
-### Replication of commit message content
-
-Because a commit message is a summary of the changes that were made in a repository, there is potential for the summary to include harmful or offensive terms if any are within the content of the changes.
-
-### Potential biases and errors
-
-Training data for {% data variables.product.prodname_copilot_short %} commit message generation is sourced from existing online sources. It’s important to note that these sources may include biases and errors of the individuals who contributed to the training data. {% data variables.product.prodname_copilot_short %} commit message generation may inadvertently perpetuate these biases and errors.
-
-## Opt out
-
-Users wishing to opt out of {% data variables.product.prodname_copilot_short %} commit message generation can do so via the {% data variables.product.prodname_copilot_short %} [settings page](https://github.com/settings/copilot/features) in {% data variables.product.prodname_dotcom_the_website %}.
-
-## Further reading
-
-* [AUTOTITLE](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#github-copilot)
-* [{% data variables.product.prodname_copilot %} Trust Center](https://copilot.github.trust.page/)
diff --git a/content/copilot/responsible-use/copilot-in-github-desktop.md b/content/copilot/responsible-use/copilot-in-github-desktop.md
deleted file mode 100644
index e8798a457434..000000000000
--- a/content/copilot/responsible-use/copilot-in-github-desktop.md
+++ /dev/null
@@ -1,71 +0,0 @@ ---- -title: Responsible use of GitHub Copilot in GitHub Desktop -shortTitle: Copilot in GitHub Desktop -intro: 'Learn how to use {% data variables.copilot.copilot_desktop_short %} responsibly by understanding its purposes, capabilities, and limitations.' -product: '{% data reusables.gated-features.copilot-in-desktop %}' -versions: - feature: copilot -redirect_from: - - /copilot/responsible-use-of-github-copilot-features/responsible-use-of-github-copilot-in-github-desktop - - /copilot/responsible-use-of-github-copilot-features/copilot-in-github-desktop -contentType: rai -category: - - Responsible use ---- - -## About {% data variables.copilot.copilot_desktop_short %} - -{% data variables.product.prodname_copilot_short %} commit message generation is an AI-powered feature that allows you to create a commit message summary (title) and description based on the changes you've selected to commit through {% data variables.product.prodname_desktop %}. - -When users select specific lines of code, {% data variables.product.prodname_copilot_short %} scans through the code changes and provides a suggested summary (title) and description of the changes made in prose. You can review, edit, or regenerate suggestions before finalizing and manually pushing the commits to a branch. - -The only supported language for {% data variables.product.prodname_copilot_short %}-generated commit messages in {% data variables.product.prodname_desktop %} is English. - -{% data variables.product.prodname_copilot_short %} commit message generation uses a simple-prompt flow leveraging the {% data variables.product.prodname_copilot_short %} API, utilizing the generic large language model and no additional trained models. - -When you click on the copilot button, a call is generated to the {% data variables.product.prodname_copilot_short %} API to generate suggested text to insert into the summary and description boxes. 
The text complete request includes information from the selected changes in the different files of the repository in a prompt that requests {% data variables.product.prodname_copilot_short %} to generate a suggestion for a commit message that accurately describes those changes. The response is then used to fill the summary and description boxes. You can then review the suggested message, edit it if needed, and then make a commit with it.
-
-## Use cases for {% data variables.copilot.copilot_desktop_short %}
-
-{% data variables.copilot.copilot_desktop_short %} aims to streamline the author workflow so that they can save time and maintain clear commit histories when summarizing their changes. For many users, this could be helpful for saving time when committing large changes. Authors can review, edit, or regenerate suggestions before finalizing and manually pushing the commits to a branch. They can also select specific lines of code or files for better context understanding to increase accuracy. The feature is integrated seamlessly into the commit workflow for a smoother experience.
-
-## Improving {% data variables.copilot.copilot_desktop_short %}
-
-To enhance the experience and address some of the limitations of {% data variables.copilot.copilot_desktop_short %}, there are various measures that you can adopt. For more information about the limitations, see [Limitations of {% data variables.copilot.copilot_desktop_short %}](#limitations-of-copilot-in-github-desktop).
-
-### Use {% data variables.copilot.copilot_desktop %} as a tool, not a replacement
-
-The feature is intended to supplement rather than replace a human's work to draft commit messages. The quality of the commit message suggestions will depend on the quality of the code changes and the context in the changed files. We encourage you to select specific lines of code changes or files for better context understanding and increased accuracy.
It remains your responsibility to review and assess the accuracy of information in the commits you create.
-
-### Provide feedback
-
-If you encounter any issues or limitations with {% data variables.copilot.copilot_desktop_short %}, you can provide feedback by creating an issue in the [{% data variables.product.prodname_desktop %} open source repository](https://github.com/desktop/desktop/issues/new?template=bug_report.yaml). This can help the developers to improve the tool and address any concerns or limitations.
-
-## Limitations of {% data variables.copilot.copilot_desktop_short %}
-
-Depending on factors such as your operating system and input data, you may encounter different levels of accuracy when using {% data variables.copilot.copilot_desktop_short %}. The following information is designed to help you understand system limitations and key concepts about performance as they apply to {% data variables.copilot.copilot_desktop_short %}.
-
-### Limited scope
-
-{% data variables.copilot.copilot_desktop_short %} operates within defined boundaries and might struggle with intricate code changes, short diff windows, or recently developed programming languages. The quality of suggestions it provides can be influenced by the availability and diversity of training data. For instance, inquiries about well-documented languages like Python may yield more accurate responses compared to questions about less popular languages.
-
-### Inaccurate responses
-
-The more inputs and context that {% data variables.product.prodname_copilot_short %} can learn from, the better the outputs will become. However, since the feature is quite new, it will take time to reach exact precision with the summaries that are generated. In the meantime, there may be cases where a generated summary is less accurate and requires the user to make modifications before saving and publishing their pull request with this description.
In addition, there is a risk of "hallucination," where {% data variables.product.prodname_copilot_short %} generates statements that are inaccurate. For these reasons, reviewing is a requirement, and careful review of the output is highly recommended by our team.
-
-### Regenerating summaries
-
-Commit messages are only created when users request them manually. When users submit updates or changes to repositories, the commit summary and description are not automatically updated. Users can ask {% data variables.product.prodname_copilot_short %} to generate a new message if required. Manual review of the updated {% data variables.product.prodname_copilot_short %} message is highly recommended. The updated message carries the same risks of inaccuracy as the original message.
-
-### Replication of pull request content
-
-Because a commit message is a summary of the changes that were made in a repository, there is potential for the summary to include harmful or offensive terms if any are within the content of the changes.
-
-### Potential biases and errors
-
-{% data variables.copilot.copilot_desktop %} training data is sourced from existing online sources. It’s important to note that these sources may include biases and errors of the individuals who contributed to the training data. {% data variables.copilot.copilot_desktop_short %} may inadvertently perpetuate these biases and errors.
-
-## Further reading
-
-* [AUTOTITLE](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#github-copilot)
-* [{% data variables.product.prodname_copilot %} Trust Center](https://copilot.github.trust.page/)
diff --git a/content/copilot/responsible-use/copilot-in-windows-terminal.md b/content/copilot/responsible-use/copilot-in-windows-terminal.md
deleted file mode 100644
index 3185bb15dc2c..000000000000
--- a/content/copilot/responsible-use/copilot-in-windows-terminal.md
+++ /dev/null
@@ -1,102 +0,0 @@ ---- -title: Responsible use of GitHub Copilot in Windows Terminal -shortTitle: Copilot in Windows Terminal -intro: 'Learn how to use {% data variables.product.prodname_copilot %} responsibly by understanding its purposes, capabilities, and limitations.' -product: '{% data reusables.gated-features.copilot-in-windows-terminal %}' -versions: - feature: copilot -redirect_from: - - /copilot/responsible-use-of-github-copilot-features/responsible-use-of-github-copilot-in-windows-terminal - - /copilot/responsible-use-of-github-copilot-features/copilot-in-windows-terminal -contentType: rai -category: - - Responsible use ---- - -## About {% data variables.product.prodname_copilot %} in {% data variables.product.prodname_windows_terminal %} - -{% data variables.product.prodname_copilot %} in the Terminal Chat chat interface allows you to ask questions about the command line. You can ask {% data variables.product.prodname_copilot %} to provide either command suggestions or explanations of given commands. - -The primary supported language for {% data variables.product.prodname_copilot %} is English. - -{% data variables.product.prodname_copilot %} works by using a combination of natural language processing and machine learning to understand your question and provide you with an answer. This process can be broken down into a number of steps. - -### Input processing - -The input prompt from the user is pre-processed by Terminal Chat, combined with contextual information (the name of the active shell and the chat history), and sent to a {% data variables.product.company_short %} service that is connected to a large language model that then generates a response based on the context and prompt. User input can take the form of natural language prompts or questions. The system is only intended to respond to command line-related questions. For more information, see [Terminal Chat](https://learn.microsoft.com/windows/terminal/terminal-chat). 
- -### Language model analysis - -The input prompt is then passed through the language model, which is a neural network that has been trained on a large body of text data. The language model analyzes the input prompt to find the command or command explanation most relevant to your query. - -### Response generation - -The language model generates a response based on its analysis of the input prompt. This response will take the form of a suggested command or an explanation of the command you asked about. If you want to run a suggested command, you need to click on the command to insert it to your command line. The command does not run automatically. You will need to manually run the command. - -### Output formatting - -The response generated by {% data variables.product.prodname_copilot %} is formatted and presented to you. Terminal Chat and {% data variables.product.prodname_copilot %} use syntax highlighting, indentation, and other formatting features to add clarity to the generated response. - -{% data variables.product.prodname_copilot %} is intended to provide you with the most relevant answer to your question. However, it may not always provide the answer you are looking for. Users of {% data variables.product.prodname_copilot %} are responsible for reviewing and validating responses generated by the system to ensure they are accurate and appropriate. - -## Use cases for {% data variables.product.prodname_copilot %} in {% data variables.product.prodname_windows_terminal %} - -{% data variables.product.prodname_copilot %} in Terminal Chat can help you by providing either command suggestions or explanations of given commands. - -### Find the right command to perform a task - -{% data variables.product.prodname_copilot %} aims to suggest commands that help you perform the tasks you’re trying to complete. If the result isn’t quite what you’re looking for, you can keep revising your question until the returned command meets your expectations. 
Once you’ve generated the perfect command for your task, you can insert it to your command line to run it wherever you need. - -### Explain an unfamiliar command - -{% data variables.product.prodname_copilot %} can help explain a command that you asked about by generating a natural language description of the command's functionality and purpose. This can be useful if you want to understand the command's behavior for the specific example provided without having to read or search through the command's documentation. The explanation can include information such as the command's input and output parameters and examples of how it could be used. - -By generating explanations, {% data variables.product.prodname_copilot %} may help you to understand the command better, leading to enhanced learning, improved productivity, and less context switching. However, it's important to note that the generated explanations may not always be accurate or complete, so you'll need to review, and occasionally correct, its output. You remain responsible for ensuring the accuracy and appropriateness of the commands you run in the command line. - -## Improving {% data variables.product.prodname_copilot %} in {% data variables.product.prodname_windows_terminal %} - -To enhance the experience and address some of the limitations of {% data variables.product.prodname_copilot %}, there are various measures that you can adopt. For more information about the limitations, see [Limitations of {% data variables.product.prodname_copilot %}](#limitations-of-github-copilot-in-windows-terminal). - -### Use {% data variables.product.prodname_copilot %} as a tool, not a replacement - -While {% data variables.product.prodname_copilot %} can be a powerful tool for enhancing understanding of commands and the command line, it is important to use it as a tool rather than a replacement for human programming. 
You should always review and verify the command generated by {% data variables.product.prodname_copilot %} to ensure that it meets your requirements and is free of errors or security concerns. - -### Provide feedback - -If you encounter any issues or limitations with {% data variables.product.prodname_copilot %} in {% data variables.product.prodname_windows_terminal %}, we recommend that you provide feedback by opening an issue in the [{% data variables.product.prodname_windows_terminal %} repository](https://github.com/microsoft/terminal/issues). This can help the developers to improve the tool and address any concerns or limitations. - -## Limitations of {% data variables.product.prodname_copilot %} in {% data variables.product.prodname_windows_terminal %} - -Depending on factors such as your operating system and input data, you may encounter different levels of accuracy when using {% data variables.product.prodname_copilot %} in the terminal. The following information is designed to help you understand system limitations and key concepts about performance as they apply to {% data variables.product.prodname_copilot %}. - -### Limited scope - -{% data variables.product.prodname_copilot %} operates within defined boundaries and might struggle with intricate commands, less common ones, or more recently developed tools. The quality of suggestions it provides for each language can be influenced by the availability and diversity of training data. For instance, inquiries about well-documented commands and tools like Git may yield more accurate responses compared to questions about more obscure command line tools. - -### Potential biases and errors - -{% data variables.product.prodname_copilot %}'s training data is sourced from existing online sources. It’s important to note that these sources may include biases and errors of the individuals who contributed to the training data. 
{% data variables.product.prodname_copilot %} may inadvertently perpetuate these biases and errors. Additionally, {% data variables.product.prodname_copilot %} might perform differently depending on the scripting languages or scripting styles, potentially resulting in suboptimal or incomplete command suggestions or explanations. - -### Inaccurate responses - -{% data variables.product.prodname_copilot %} may generate seemingly valid but syntactically or semantically incorrect commands. To avoid issues, always carefully review and verify suggestions, especially for critical or destructive tasks such as deleting content. Ensure generated commands align with best practices and fit your workflow. - -### Risk management and user accountability in command execution - -Additional caution is required with the addition of the functionality to ask {% data variables.product.prodname_copilot %} to execute a command, particularly regarding the potential destructiveness of some suggested commands. You may encounter commands for file deletion or hard drive formatting, which can cause problems if used incorrectly. While such commands may be necessary in certain scenarios, you need to be careful when accepting and running these commands. - -Additionally, you are ultimately responsible for the commands executed by {% data variables.product.prodname_copilot %}. It is entirely your decision whether to use commands generated by {% data variables.product.prodname_copilot %}. Despite the presence of fail-safes and safety mechanisms, you must understand that executing commands carries inherent risks. {% data variables.product.prodname_copilot %} provides a powerful tool set, but you should approach its recommendations with caution and ensure that commands align with your intentions and requirements. 
- -### Inaccurate responses to non-coding topics - -{% data variables.product.prodname_copilot %} in {% data variables.product.prodname_windows_terminal %} is not designed to answer questions beyond the scope of command line-related tasks. As a result, its responses might not consistently offer accuracy or assistance when confronted with questions unrelated to coding or general command line use. When you inquire about non-coding topics, {% data variables.product.prodname_copilot %} may express its inability to provide a meaningful response. - -### Differing performance based on natural language - -{% data variables.product.prodname_copilot %} has been trained on natural language content written predominantly in English. As a result, you may notice differing performance when providing {% data variables.product.prodname_copilot %} with natural language input prompts in languages other than English. - -## Further reading - -* [Terminal Chat](https://learn.microsoft.com/windows/terminal/terminal-chat) -* [AUTOTITLE](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#github-copilot) -* [{% data variables.product.prodname_copilot %} Trust Center](https://copilot.github.trust.page/) diff --git a/content/copilot/responsible-use/copilot-spaces.md b/content/copilot/responsible-use/copilot-spaces.md deleted file mode 100644 index bfb637064135..000000000000 --- a/content/copilot/responsible-use/copilot-spaces.md +++ /dev/null 
@@ -1,110 +0,0 @@ ---- -title: Responsible use of GitHub Copilot Spaces -shortTitle: Copilot Spaces -intro: 'Learn how to use GitHub Copilot Spaces responsibly by understanding its purposes, capabilities, and limitations.' -versions: - feature: copilot -contentType: rai -category: - - Responsible use ---- - -## About GitHub Copilot Spaces - -Copilot Spaces let you organize the context that Copilot Chat uses to answer your questions. Spaces can include repositories, code, pull requests, issues, free-text content like transcripts or notes, images, and file uploads. You can ask Copilot questions grounded in that context, or share the space with your team to support collaboration and knowledge sharing. Spaces can also be accessed directly from the IDE via the remote GitHub MCP server. - -### Input processing - -When you submit a question in a space, Copilot Chat augments your request with relevant context from that space. Included context can be: - -* Files and repositories you’ve added -* Issues, pull requests, and documentation -* Notes or transcripts you supply - -The input prompt from the user is pre-processed by the Copilot Chat system, combined with additional contextual information (for example, the current date and time), and sent to a large language model. User input can take the form of code snippets or plain language. - -The large language model will take the prompt, gather additional context (for example repository data stored on GitHub or search results from Bing), and provide a response based on the prompt. English is the preferred language for submitted prompts. - -### Language model analysis - -The pre-processed prompt is then passed through the Copilot Chat language model, which is a neural network that has been trained on a large body of text data. The language model analyzes the input prompt. - -### Response generation - -The language model generates a response based on its analysis of the input prompt and the context provided to it. 
The language model can gather additional context (for example repository data stored on GitHub or search results from Bing), and provide a response based on the prompt. - -### Output formatting - -The response generated by Copilot Chat is formatted and presented to the user. Copilot may use syntax highlighting, indentation, and other formatting features to add clarity to the generated response. Depending upon the type of question from the user, links to context that the model used when generating a response, such as source code files, issues, Bing search results, or documentation, may also be provided. - -Copilot Chat is intended to provide you with the most relevant answer to your question. However, it may not always provide the answer you are looking for. Users of Copilot Chat are responsible for reviewing and validating responses generated by the system to ensure they are accurate and appropriate. Additionally, as part of our product development process, we undertake red teaming to understand and improve the safety of Copilot Chat. Input prompts and output completions are run through content filters. The content filtering system detects and prevents the output on specific categories of content including harmful, offensive, or off-topic content. For more information on improving the performance of Copilot Chat, see [Improving performance for Copilot Chat](/copilot/responsible-use/chat-in-github#improving-performance-for-copilot-chat). - -## Use cases for Spaces - -### Developing a new feature - -Spaces let you bundle relevant code, product specs, and design notes so Copilot can quickly explain the current implementation, highlight gaps, and draft new code or next steps. This helps you save time, stay aligned with requirements, and produce higher-quality feature work. - -### Defining the logic for a small, frequent task - -For repetitive tasks like adding telemetry or event handling, Spaces make it easy to document the process once and reuse it. 
By grounding Copilot in flowcharts, examples, or schemas, you ensure consistent patterns, reusable templates, and efficient execution across your team. - -### Sharing knowledge with teammates - -Spaces can act as living guides for common project questions (e.g. how authentication or search works) by collecting the latest code and documentation in one place. Copilot then uses that context to explain systems, answer questions, and onboard teammates quickly with best practices. - -## Improving performance for Spaces - -Spaces can be used in a wide variety of development and collaboration workflows, from generating code to sharing knowledge across a team. To improve performance and get more relevant responses, there are several best practices you can adopt. For details on system constraints, see [Limitations of GitHub Copilot Spaces](#limitations-of-github-copilot-spaces). - -### Be selective with context - -Adding only the most relevant files, repositories, and notes helps Copilot stay focused. Overloading a space with unnecessary content can dilute the quality of responses and make it harder to get precise results. - -### Keep context updated - -As your project evolves, refresh the files, issues, or documentation in your space. Out-of-date context may cause Copilot to generate inaccurate or incomplete answers. - -### Use instructions alongside sources - -Combining natural language instructions with curated sources helps Copilot better understand your intent. Instructions provide guidance, while sources ground the output in real project context. - -### Anchor chat in a space - - Starting your conversations from within a space ensures continuity and relevance. This keeps Copilot’s responses aligned with the specific context you’ve already set up, instead of resetting with each new chat. - -### Verify Space’s output - -Spaces ground Copilot’s responses in the context you provide, but the system may still make mistakes. 
These mistakes could be misunderstandings of your intent or simple errors in the generated response. Always review Copilot’s output carefully to confirm it behaves as intended, and ensure it meets your team’s quality and security standards before using it in production. - -## Limitations of GitHub Copilot Spaces - -### Interpretation of user intent - -Spaces help ground Copilot Chat’s responses in curated context, but the system may still misunderstand your intent. Always review Copilot’s output to confirm it reflects your goals before using it in your project. - -### Context limits - -Spaces have defined size limits, and Copilot Chat only processes a portion of the content you include. This means not every file, document, or note in a Space will be used in a response. Being selective about what you add helps ensure that Copilot works with the most relevant context. - -### Limited scope - -Spaces that contain only a repository cannot currently be accessed in the IDE via the GitHub MCP server. To use Spaces in the IDE, you’ll need to include additional context such as files, issues, or documentation. - -Spaces is backed by Copilot Chat, and therefore has been trained on a large body of code but still has a limited scope and may not be able to handle more complex code structures or obscure programming languages. For each language, the quality of suggestions you receive may depend on the volume and diversity of training data for that language. For example, JavaScript is well-represented in public repositories and is one of GitHub Copilot's best supported languages. Languages with less representation in public repositories may be more challenging for Copilot Chat to provide assistance with. Additionally, Copilot Chat can only suggest code based on the context of the code being written, so it may not be able to identify larger design or architectural issues. 
- -### Inaccurate responses - -Even when grounded in a Space, Copilot Chat may generate responses that are inaccurate, incomplete, or outdated. This applies to all types of outputs, including code, summaries, or issue drafts. Always validate results against your own project requirements. - -### Security limitations - -Copilot Chat generates code based on the context of the code being written, which can potentially expose sensitive information or vulnerabilities if not used carefully. You should be careful when using Copilot Chat to generate code for security-sensitive applications and always review and test the generated code thoroughly. - -### Legal and regulatory considerations - -Users need to evaluate potential specific legal and regulatory obligations when using any AI services and solutions, which may not be appropriate for use in every industry or scenario. Additionally, AI services or solutions are not designed for and may not be used in ways prohibited in applicable terms of service and relevant codes of conduct. - -### Offensive content - -Spaces utilizes Copilot Chat which has built-in protections against harmful, hateful, or offensive content. Please report any examples of offensive content to copilot-safety@github.com. diff --git a/content/copilot/responsible-use/index.md b/content/copilot/responsible-use/index.md index eae83ae5d035..a6799ecb103a 100644 --- a/content/copilot/responsible-use/index.md +++ b/content/copilot/responsible-use/index.md 
@@ -1,25 +1,15 @@ --- title: Responsible use of GitHub Copilot features shortTitle: Responsible use -intro: 'Learn how to use {% data variables.product.prodname_copilot %} features responsibly by understanding their purposes, capabilities, and limitations.' +intro: Learn how to use {% data variables.product.prodname_copilot %} features responsibly by understanding their purposes, capabilities, and limitations. versions: feature: copilot children: - - /copilot-code-completion - - /chat-in-your-ide - - /chat-in-github - - /chat-in-github-mobile - - /copilot-cli - - /copilot-in-windows-terminal - - /copilot-in-github-desktop - - /pull-request-summaries - - /copilot-commit-message-generation - - /code-review - - /copilot-cloud-agent - - /spark - - /copilot-spaces + - /chat + - /inline-suggestions + - /agents redirect_from: - /copilot/responsible-use-of-github-copilot-features - - /copilot/responsible-use/copilot-text-completion contentType: rai --- + diff --git a/content/copilot/responsible-use/inline-suggestions.md b/content/copilot/responsible-use/inline-suggestions.md new file mode 100644 index 000000000000..47e29a978382 --- /dev/null +++ b/content/copilot/responsible-use/inline-suggestions.md 
@@ -0,0 +1,185 @@ +--- +title: 'Application card: GitHub Copilot inline suggestions' +shortTitle: Inline suggestions +intro: Learn how to use GitHub Copilot inline suggestions responsibly by understanding their purposes, capabilities, and limitations. +versions: + feature: copilot +permissions: Members of an enterprise with a subscription to GitHub Copilot Enterprise +redirect_from: + - /copilot/responsible-use-of-github-copilot-features/responsible-use-of-github-copilot-code-completion + - /copilot/responsible-use-of-github-copilot-features/copilot-code-completion + - /copilot/responsible-use/copilot-code-completion + - /copilot/responsible-use-of-github-copilot-features/responsible-use-of-github-copilot-text-completion + - /copilot/responsible-use-of-github-copilot-features/copilot-text-completion + - /copilot/responsible-use/copilot-text-completion +contentType: rai +category: + - Responsible use +--- + +{% ifversion fpt %} + +{% data reusables.rai.copilot.enterprise-fpt-link %} + +{% endif %} + +## What is an Application Card? + +{% data reusables.rai.copilot.application-card-intro %} + +## 1. Overview + +GitHub Copilot inline suggestions provide autocomplete-style suggestions as you work. These suggestions appear inline in your editor or in text fields on GitHub.com, helping you write code and pull request descriptions more quickly. + +Copilot inline suggestions come in two forms: + +* **IDE inline suggestions**: As you type code in a supported editor, Copilot automatically offers inline suggestions to complete the current line, generate new blocks of code, or suggest edits to existing code. These suggestions may include predicting both the location of the next edit you may want to make and what that edit should be, including deletions, modifications, or insertions of code. You can accept all or part of a suggestion, dismiss it, or keep typing to ignore it. Inline suggestions work across a broad range of programming languages and frameworks. 
+* **Pull request text completion**: When you pause while typing a pull request description on GitHub.com, Copilot suggests prose to continue your thought. The suggestion draws on the pull request title, existing description text, commit titles, partial diffs, and recently viewed pull request and issue titles. You can accept the suggestion by pressing Tab or reject it by continuing to type. + +The primary supported language for pull request text completion is English. Inline suggestions support many programming languages, with quality varying by the volume and diversity of training data available for each language. + +## 2. Key terms + +The following list provides a glossary of key terms related to GitHub Copilot inline suggestions: + +* **Content filtering**: A safety system that scans prompts and responses to detect and block harmful, offensive, or insecure content before it is shown to the user. +* **Hallucination**: A phenomenon where a language model generates output that sounds plausible but is factually incorrect, unsupported by the provided context, or entirely fabricated. Hallucinations are a known risk of large language models and are a key reason that human review of AI-generated output is important. +* **Inline suggestion**: An AI‑generated code suggestion from Copilot that appears in the editor as you type. Inline suggestions can complete the current line or propose edits to existing code by predicting both where the next change should occur and what that change should be, including inserting, modifying, or deleting code. Suggestions may appear at the cursor or guide users to other relevant locations in the codebase, where they can be accepted, dismissed, or ignored by continuing to type. +* **Large language model (LLM)**: A type of neural network trained on a large body of text data that can generate, analyze, and transform natural language and code. Copilot inline suggestions use one or more LLMs to process context and produce suggestions. 
+* **Public code matching**: A safety feature that checks whether Copilot's suggestions match publicly available code. Depending on your settings, matching suggestions are either blocked or annotated with a reference to the source repository and any license information. +* **Pull request text completion**: An autocomplete-style suggestion for pull request descriptions on GitHub.com. When you pause while typing, Copilot suggests prose to continue your thought based on the pull request context. +* **Training data**: The large body of publicly available text and code that was used to train the foundation models behind Copilot inline suggestions. The composition of the training data influences the quality and coverage of the model's suggestions across different programming languages, frameworks, and topics. + +## 3. Key features or capabilities + +The key features and capabilities outlined here describe what GitHub Copilot inline suggestions are designed to do and how they perform across supported tasks. + +* **Inline code suggestions**: As you type code in a supported editor, Copilot automatically offers inline suggestions that can complete the current line, generate new blocks of code, or propose edits to existing code. These suggestions may include inserting, modifying, or deleting code, code comments, tests, and more, by predicting both what changes should be made and where in the codebase they should occur. Suggestions may appear at the cursor or guide users to other relevant edit locations, and can be accepted in full or in part, dismissed, or ignored by continuing to type. +* **Comment-driven code generation**: You can guide inline suggestions by writing code comments that describe the code you expect. For example, comments like "use recursion" or "use a singleton pattern" influence the type of algorithm Copilot suggests. +* **Multi-language support**: Inline suggestions work across a broad range of programming languages and frameworks. 
The quality of suggestions depends on the volume and diversity of training data available for each language. For a list of actively developed programming languages that are found on GitHub, see [Programming languages](https://github.com/collections/programming-languages). +* **Pull request text completion**: When you pause while typing a pull request description on GitHub.com, Copilot suggests prose to continue your thought. The suggestion draws on the pull request title, existing description text, commit titles, partial diffs, and recently viewed pull request and issue titles. + +## 4. Intended uses + +GitHub Copilot inline suggestions can be used in multiple scenarios across a variety of industries. Some examples of use cases include: + +* **Accelerating code authoring**: Developers can use inline suggestions to work faster by accepting predicted changes as they type, including completing code, generating new blocks, or modifying existing code. Suggestions may insert, update, or delete code across the current line or at other relevant locations in the file by anticipating both what changes should be made and where they should occur. This is particularly useful for boilerplate code, repetitive patterns, common idioms, and maintaining consistency as code evolves across supported languages and frameworks. +* **Generating unit tests**: Copilot can suggest test cases based on the surrounding code, including possible input parameters, expected output values, and assertions. This helps developers create test coverage more quickly, including edge cases and boundary conditions that might be difficult to identify manually. Generated tests should still be reviewed, as they may not cover all scenarios. +* **Guided code generation via comments**: Developers can write natural language comments describing the code they need, and Copilot generates corresponding implementations or modifications. 
This can be useful for specifying algorithms, design patterns, or methods and properties to add to a class. +* **Drafting pull request descriptions**: When writing a pull request description on GitHub.com, Copilot can suggest prose to continue your thought, helping you write clear summaries of your changes more quickly. + +## 5. Models and training data + +GitHub Copilot inline suggestions leverage a variety of AI models to power the experience that users see. For a comparison of the models available for Copilot, see [AUTOTITLE](/copilot/reference/ai-models/model-comparison). For the full list of supported models, see [AUTOTITLE](/copilot/reference/ai-models/supported-models). For information on where models are hosted, see [AUTOTITLE](/copilot/reference/ai-models/model-hosting). To learn more about the data used to train the foundation models behind GitHub Copilot inline suggestions, refer to the linked AI model comparison above and [What data has GitHub Copilot been trained on?](https://github.com/features/copilot#faq) in the GitHub Copilot FAQ. + +Pull request text completion uses a simple-prompt flow leveraging the Copilot API with the generic large language model. No additional trained models are used for this feature. + +## 6. Performance + +Copilot inline suggestions work by using a combination of natural language processing and machine learning to understand your surrounding context and provide suggestions. This process follows a consistent pipeline: + +1. **Input processing**: The surrounding code from your cursor position is pre-processed by the inline suggestions system, combined with contextual information (such as code snippets from open tabs in the editor), and sent to a large language model in the form of a prompt. For information about data retention, see the [Copilot Trust Center](https://copilot.github.trust.page/faq?s=b9buqrq7o9ssfk3ta50x6). +1. **Language model analysis**: A large language model processes the input prompt. 
For inline suggestions, the model generates both inline suggestions and predicted edits based on context from the current and open files in the editor, including inserting, modifying, or deleting code by anticipating what changes should be made and where they should occur. For pull request text completion, Copilot uses a language model via the Copilot API. +1. **Response generation**: The language model generates a response based on its analysis of the input prompt and the context provided. For inline suggestions, this may take the form of completing code, generating new blocks, or proposing changes to existing code (including deletions) by predicting both what edits should be made and where in the codebase they should occur. For pull request text completion, the response is a prose continuation of the description. +1. **Output formatting**: The response is presented inline in the editor as a suggested change that is visually distinct from the surrounding content. Suggestions may appear at or near the cursor, as well as highlight other relevant locations in the codebase where edits are proposed, and are only applied to the file or text field if you explicitly accept them. + +Copilot inline suggestions are intended to provide the most relevant and useful suggestions to augment your existing work. However, they may not always provide the answers you are looking for. Users are responsible for reviewing and validating suggestions before accepting them to ensure they are accurate and appropriate. As part of the product development process, generated suggestions are run through content filters. The content filtering system detects and blocks harmful or offensive content, or insecure code. Depending on your GitHub settings, the filter also blocks or annotates suggestions that contain matches to public code. + +### Differences by experience + +#### Inline suggestions (IDE) + +Inline suggestions use fine-tuned language models specialized for the task. 
They analyze the code surrounding your current work along with context from the codebase and users' system. Based on this analysis, the system may complete code, generate new blocks, or propose edits (including deletions) to existing code by predicting both what changes should be made and where in the codebase they should occur. The system is only intended to assist with coding tasks.
+
+#### Pull request text completion (GitHub.com)
+
+Pull request text completion uses a simple-prompt flow leveraging the Copilot API with a generic large language model. When you pause while typing a pull request description, the system combines the pull request title, existing description text, commit titles, partial diffs, and recently viewed pull request and issue titles to suggest prose that continues your thought. The primary supported language is English.
+
+## 7. Limitations
+
+Understanding GitHub Copilot inline suggestions limitations is crucial to determine they are used within safe and effective boundaries. While we encourage customers to leverage Copilot inline suggestions in their innovative solutions or applications, it's important to note that Copilot inline suggestions were not designed for every possible scenario. We encourage users to refer to [AUTOTITLE](/free-pro-team@latest/site-policy/github-terms) as well as the following considerations when choosing a use case:
+
+* **Limited scope**: Inline suggestions are trained on a large body of code but still have a limited scope and may not be able to handle more complex code structures or obscure programming languages. For each language, the quality of suggestions depends on the volume and diversity of training data for that language. For example, JavaScript is well-represented in public repositories and is one of the best supported languages. Languages with less representation in public repositories may be more challenging to assist with.
Additionally, inline suggestions can only suggest code based on the context of the code being written, so they may not be able to identify larger design or architectural issues. Inline suggestions are intended to generate code and code-related output, not natural language outputs.
+* **Potential biases**: The sources of Copilot's training data may contain biases and errors that can be perpetuated by the tool. Additionally, inline suggestions may be biased towards certain programming languages or coding styles, which can lead to suboptimal or incomplete code suggestions.
+* **Security risks**: Copilot generates code based on the context of the code being written, which can potentially expose sensitive information or vulnerabilities if not used carefully. You should be careful when using Copilot to generate code for security-sensitive applications and always review and test the generated code thoroughly.
+* **Matches with public code**: Inline suggestions are capable of generating new code, which they do in a probabilistic way. While the probability is low, Copilot may generate code suggestions that match code in the training set.
+* **Inaccurate code**: Copilot may generate code that appears to be valid but may not actually be semantically or syntactically correct or may not accurately reflect the intent of the developer. To mitigate the risk of inaccurate code, you should carefully review and test the generated code, particularly when dealing with critical or sensitive applications. You should also ensure that the generated code adheres to best practices and design patterns and fits within the overall architecture and style of the codebase.
+* **Large pull requests may reduce suggestion quality**: For very large pull requests, some of the pull request content that Copilot relies on for text completion may not fit into the API call. As a result, some suggestions you might expect may not appear, or may be less contextually accurate.
+* **Hallucination risk in pull request text completion**: Because pull request text completion is generated by a large language model, there is a risk of hallucination—where Copilot generates statements that sound plausible but are factually inaccurate. Carefully reviewing the generated text before publishing is essential.
+* **Replication of pull request content**: Pull request text completion draws from the content of the pull request itself. If harmful or offensive terms appear in the pull request content (such as commit messages or diffs), there is a possibility that the suggestion may also include those terms.
+* **Language support**: The primary supported language for pull request text completion is English. Inline suggestions support many programming languages, with quality varying by the volume and diversity of training data available for each language.
+
+## 8. Evaluations
+
+{% data reusables.rai.copilot.application-card-evaluations %}
+
+### Performance and quality evaluations
+
+GitHub Copilot inline suggestions are evaluated through a multi-layered offline and online evaluation system designed to assess suggestion quality, relevance, and developer value. The system is also designed to enable rapid model iteration while maintaining high quality standards.
+
+### Performance and quality evaluation methods
+
+For offline evaluation, we use a curated set of test suites covering key inline suggestion scenarios across multiple programming languages. Models are evaluated against expected outputs to detect regressions in core behaviors such as code correctness and contextual relevance. We also compare candidate models against production baselines using by assessing output quality, coherence, and alignment with developer intent.
+
+For online evaluation, we deploy candidate models to controlled user segments to measure acceptance rate, shown rate, edit quality, and retention.
+
+Our evaluations track latency, token usage, and compute footprint alongside quality metrics to ensure models deliver value within operational constraints.
+
+We also leverage Microsoft and GitHub internal developers’ experiences to evaluate candidate models under real development conditions, providing qualitative feedback and early signal on edge-case behaviors before broader rollout.
+
+### Risk and safety evaluations
+
+{% data reusables.rai.copilot.application-card-risk-and-safety-evaluations %}
+
+### Risk and safety evaluation methods
+
+**Adversarial testing**: When the base model is updated or significant changes are made to training data sources (such as incorporating a new type of dataset), the model undergoes safety testing where it is deliberately challenged with inputs designed to elicit harmful, insecure, or policy-violating outputs. This testing covers multiple risk categories, including harmful content, intellectual property risks, and insecure code generation. Results are compared against production baselines, and if there are any regressions, they undergo manual review to assess true risk.
+
+### Evaluation data for quality and safety
+
+{% data reusables.rai.copilot.application-card-evaluation-data-for-quality-and-safety %}
+
+### Custom evaluations
+
+Copilot inline suggestions have been subject to RAI red teaming to identify and address potential safety risks. We continue to monitor the efficacy and safety of the feature over time. For more information, see [Microsoft AI Red Team building future of safer AI](https://www.microsoft.com/en-us/security/blog/2023/08/07/microsoft-ai-red-team-building-future-of-safer-ai/) on the Microsoft security blog.
+
+## 9. Safety components and mitigations
+
+GitHub Copilot inline suggestions employ a safety architecture with multiple layers of protection across the entire suggestion pipeline.
+
+* **Input and output processing**: Code context — including edit history, surrounding code, and cursor position — is structured and scoped before reaching the language model. The model is constrained to a narrow task (predicting the next code edit within a defined window) and must follow a strict output format, producing only code edits rather than freeform responses. The system prompt also enforces adherence to content policies, with a mandated refusal response for requests that may breach guidelines.
+* **Content and code safety filters**: GitHub Copilot includes safety filters designed to reduce harmful or inappropriate outputs and discourage misuse. Users should still review suggestions before using them.
+* **Public code matching**: GitHub Copilot uses a duplication detection system designed to identify when suggestions match publicly available code. Organizations and individuals can configure this to block matching suggestions or provide code referencing with repository and license information.
+* **Human oversight**: Inline suggestions follow human-in-the-loop principles—suggestions are visually distinct from the surrounding content and are only applied when the user explicitly accepts them. No code changes occur without deliberate user action. Users are encouraged to review, test, and validate all generated suggestions.
+
+## 10. Best practices for deploying and adopting GitHub Copilot inline suggestions
+
+Responsible AI is a shared commitment between GitHub and its customers. While GitHub builds AI applications with safety, fairness, and transparency at the core, customers play a critical role in deploying and using these technologies responsibly within their own contexts. To support this partnership, we offer the following best practices for deployers and end users to help customers implement responsible AI effectively.
+
+* **Exercise caution and evaluate outcomes when using Copilot suggestions for consequential decisions or in sensitive domains**: {% data reusables.rai.copilot.application-card-consequential-decisions %}
+* **Evaluate legal and regulatory considerations**: {% data reusables.rai.copilot.application-card-evaluate-legal-regulatory %}
+* **Keep prompts on topic**: Copilot inline suggestions are exclusively intended to generate code or code-related suggestions. Limiting the content in the editor to code or coding-related information can enhance the quality of suggestions.
+* **Provide good context for pull request text completion**: The quality of pull request text completion suggestions depends on the quality of the pull request title, commit messages, and any text already in the description. Providing clear, descriptive titles and commit messages will improve the relevance of suggestions. It remains your responsibility to review and assess the accuracy of information in the pull requests you create.
+* **Use Copilot inline suggestions as a tool, not a replacement**: While Copilot can be a powerful tool for generating code, it is important to use it as a tool rather than as a replacement for human programming. You should always review Copilot's suggestions before accepting them, and further validate it after to ensure that it meets your requirements and is free of errors or security concerns.
+* **Exercise human oversight when appropriate**: Human oversight is an important safeguard when interacting with AI applications. While we continuously improve our AI applications, AI might still make mistakes. The outputs generated may be inaccurate, incomplete, biased, misaligned, or irrelevant to your intended goals. This could happen due to various reasons, such as ambiguity in the inputs or limitations of the underlying models. As such, users should review the responses generated by Copilot inline suggestions and verify that they match their expectations and requirements.
+* **Be aware of the risk of overreliance**: {% data reusables.rai.copilot.application-card-overreliance %}
+* **Exercise caution when designing agentic AI in sensitive domains**: {% data reusables.rai.copilot.application-card-agentic-ai-caution %}
+* **Use secure coding and code review practices**: While inline suggestions can generate syntactically correct code, it may not always be secure. You should always follow best practices for secure coding, such as avoiding hard-coded passwords or SQL injection vulnerabilities, as well as following code review best practices.
+* **Stay up to date**: Copilot inline suggestions are still an evolving technology. You should stay up to date with any updates or changes to the tool, as well as any new security risks or best practices that may emerge. Automated extension updates are enabled by default in Visual Studio Code, Visual Studio, and the JetBrains suite of IDEs.
+
+> [!IMPORTANT]
+> Users assume all risks associated with generated code including security vulnerabilities, bugs, and IP infringement.
+
+## 11. Learn more about GitHub Copilot inline suggestions
+
+For additional guidance on the responsible use of Copilot inline suggestions, we recommend reviewing the following documentation:
+
+* [AUTOTITLE](/copilot/using-github-copilot/getting-code-suggestions-in-your-ide-with-github-copilot)
+* [AUTOTITLE](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#github-copilot)
+* [Copilot Trust Center](https://copilot.github.trust.page/)
+
+### Learn more about responsible AI
+
+* [Microsoft AI principles](https://www.microsoft.com/en-us/ai/responsible-ai)
+* [Microsoft responsible AI resources](https://www.microsoft.com/en-us/ai/responsible-ai-resources)
+* [Microsoft Azure Learning courses on responsible AI](https://docs.microsoft.com/en-us/learn/paths/responsible-ai-business-principles/)
diff --git a/content/copilot/responsible-use/pull-request-summaries.md b/content/copilot/responsible-use/pull-request-summaries.md
deleted file mode 100644
index 33ded2bf3002..000000000000
--- a/content/copilot/responsible-use/pull-request-summaries.md
+++ /dev/null
@@ -1,104 +0,0 @@
----
-title: Responsible use of GitHub Copilot pull request summaries
-shortTitle: Pull request summaries
-intro: 'Learn how to use {% data variables.copilot.copilot_for_prs %} responsibly by understanding its purposes, capabilities, and limitations.'
-versions:
- feature: copilot
-redirect_from:
- - /copilot/github-copilot-enterprise/copilot-pull-request-summaries/about-copilot-pull-request-summaries
- - /copilot/responsible-use-of-github-copilot-features/responsible-use-of-github-copilot-pull-request-summaries
- - /copilot/responsible-use-of-github-copilot-features/pull-request-summaries
-contentType: rai
-category:
- - Responsible use
----
-
-## About {% data variables.copilot.copilot_for_prs %}
-
-{% data variables.copilot.copilot_for_prs %} is an AI-powered feature that allows you to create a summary of the changes that were made in a pull request, which files they impact, and what a reviewer should focus on when they conduct their review.
-
-When a user requests a summary, {% data variables.product.prodname_copilot_short %} scans through the pull request and provides an overview of the changes made in prose, as well as a bulleted list of changes with the files that they impact.
-
-You can generate a summary in the following places:
-
-* In the description of a new pull request you're creating
-* In the description of an existing pull request, by editing the opening comment
-* In a comment on the main timeline of a pull request
-
-The only supported language for {% data variables.copilot.copilot_for_prs %} is English.
-
-{% data variables.copilot.copilot_for_prs %} uses a simple-prompt flow leveraging the {% data variables.product.prodname_copilot_short %} API, with no additional trained models. This utilizes the generic large language model.
-
-### Response generation
-
-The current process uses a large language model to initiate the auto-complete process and generate the pull request summary.
-
-#### Pipeline approach
-
-When a user requests a summary, a workflow is triggered. The workflow uses the code diffs to build a prompt call, which requests {% data variables.product.prodname_copilot_short %} to generate a summary of the pull request. The summary request initiates a pipeline process which includes raw diffs from summarizable files in a prompt and requests {% data variables.product.prodname_copilot_short %} to generate an overall summary for the pull request.
-
-### Output formatting
-
-You can initiate this feature when creating a pull request, by editing the pull request description after creation, or in a comment in the pull request thread. Upon initiation, {% data variables.product.prodname_copilot_short %} will generate a two part summary:
-
-* A paragraph, written in prose, giving an overview of the changes in the pull request.
-* A bulleted list of the key changes, linked to the respective lines of code where those changes occur.
-
-Larger pull requests can take a couple minutes for {% data variables.product.prodname_copilot_short %} to generate. Depending on your enterprise settings, you can share your feedback on a summary directly from the UI after a summary is generated to help us continue to improve the feature.
-
-## Use case for pull request summaries
-
-The goal of {% data variables.copilot.copilot_for_prs %} is to help optimize an author's ability to quickly provide context when they request a human review that requires sharing context of the changes that were made. It may help increase developer productivity by reducing the time taken to open a pull request.
-
-For many users, it could provide more helpful context for the changes that were made within a pull request than would normally be available.
-
-## Improving performance of pull request summaries
-
-### Use {% data variables.copilot.copilot_for_prs %} as a tool, not a replacement
-
-The feature is intended to supplement rather than replace a human's work to add context, and we encourage you to continue adding useful context and let {% data variables.product.prodname_copilot_short %} do the busy work of parsing the code and linking to specific files. It remains your responsibility to review and assess the accuracy of information in a pull request that you create.
-
-### Provide feedback
-
-{% data reusables.rai.copilot-dotcom-feedback-collection %}
-
-If you encounter any issues or limitations with {% data variables.copilot.copilot_for_prs %}, you can provide feedback by clicking the "Bad summary" button (a thumbs down icon), which is displayed below the text box after a summary is generated and before you click **Create pull request** or **Update comment**.
-
-![Screenshot of the bottom of a pull request comment. The feedback icons, thumbs up and thumbs down, are highlighted with a dark orange outline.](/assets/images/help/copilot/copilot-summary-feedback.png)
-
-After you rate a summary as good or bad, you can provide written feedback by clicking the link that's displayed.
-
-## Limitations of pull request summaries
-
-Currently, our team is aware that there are limitations to this feature. Many of them are expected in leveraging our {% data variables.product.prodname_copilot_short %} API; however, there are a few that are specific to {% data variables.copilot.copilot_for_prs %} which pertain to limited scope, longer processing times, and inaccurate responses. We also note that users should expect terms used in their PR to appear in the AI-generated summary. This feature has been subject to RAI Red Teaming and we will continue to monitor the efficacy and safety of the feature over time.
For more information, see [Microsoft AI Red Team building future of safer AI](https://www.microsoft.com/en-us/security/blog/2023/08/07/microsoft-ai-red-team-building-future-of-safer-ai/) on the Microsoft security blog.
-
-### Lines changed limits
-
-Files with more than 400 combined additions and deletions are excluded from summarization.
-
-### Limited scope
-
-Because of capacity, we know that larger pull requests that reference 30 or more files will require more time to be processed thoroughly. We don't have an exact threshold currently, but have observed the first 30 files being accounted for and then any additional files being omitted from the summarization. We are working to address this current scope limitation.
-
-### Processing time
-
-In general, we expect a summary to be returned in 40 seconds or less after a user initiates the action. However, we have heard that this can take up to a minute, and in some cases a couple of minutes. We are working to decrease processing time and we know that users may not want to wait for this to finish before moving on to other parts of the pull request.
-
-### Inaccurate responses
-
-The more inputs and context that {% data variables.product.prodname_copilot_short %} can learn from, the better the outputs will become. However, since the feature is quite new, it will take time to reach exact precision with the summaries that are generated. In the meantime, there may be cases where a generated summary is less accurate and requires the user to make modifications before saving and publishing their pull request with this description. In addition, there is a risk of "hallucination," where {% data variables.product.prodname_copilot_short %} generates statements that are inaccurate. For these reasons, reviewing is a requirement, and careful review of the output is highly recommended by our team.
-
-### Regenerating summaries
-
-Pull request summaries are only created when users request them manually.
When users submit updates or changes to their pull request, the summary is not automatically updated. Users can ask {% data variables.product.prodname_copilot_short %} to generate a new summary if required. Manual review of the updated {% data variables.product.prodname_copilot_short %} summary is highly recommended. The updated summary carries the same risks of inaccuracy as the original summary.
-
-### Replication of pull request content
-
-Because a summary is an outline of the changes that were made in a pull request, if harmful or offensive terms are within the content of the pull request, there is potential for the summary to also include those terms.
-
-## Further reading
-
-* [{% data variables.product.prodname_copilot %} Trust Center](https://copilot.github.trust.page/)
-{%- ifversion fpt %}
-* [AUTOTITLE](/copilot/github-copilot-enterprise/copilot-pull-request-summaries/creating-a-pull-request-summary-with-github-copilot) in the {% data variables.product.prodname_ghe_cloud %} documentation.
-{%- endif %}
diff --git a/content/copilot/responsible-use/spark.md b/content/copilot/responsible-use/spark.md
deleted file mode 100644
index 7f528654aba8..000000000000
--- a/content/copilot/responsible-use/spark.md
+++ /dev/null
@@ -1,113 +0,0 @@
----
-title: Responsible use of GitHub Spark
-shortTitle: Spark
-intro: 'Learn how to use {% data variables.product.prodname_spark %} responsibly by understanding its purposes, capabilities, and limitations.'
-versions:
- feature: spark
-redirect_from:
- - /copilot/responsible-use-of-github-copilot-features/responsible-use-of-github-spark
- - /copilot/responsible-use-of-github-copilot-features/spark
-contentType: rai
-category:
- - Responsible use
----
-
-{% data reusables.rai.spark-preview-note %}
-
-## About {% data variables.product.prodname_spark %}
-
-{% data variables.product.prodname_spark_short %} is a {% data variables.product.prodname_copilot_short %}-powered platform for creating and sharing applications (“sparks”) that can be tailored to individual needs and accessed seamlessly across desktop and mobile devices \- without requiring users to write or deploy code.
-
-{% data variables.product.prodname_spark_short %} offers a natural language centric development environment for application creation and a fully managed runtime environment that scales with your sparks’ needs. {% data variables.product.prodname_spark_short %} eliminates the need to manually manage infrastructure or stitch together multiple tools, letting you focus on building.
-
-### Input processing
-
-{% data reusables.rai.spark-model %}
-
-Input prompts in {% data variables.product.prodname_spark_short %} are pre-processed by {% data variables.product.prodname_copilot_short %}, augmented with contextual information from your current {% data variables.product.prodname_spark_short %} inputs and sent to a large language model powered agent within your development environment. Included context includes information from your spark such as code from your current application, previous prompts supplied in the {% data variables.product.prodname_spark_short %} interface, and any error logs from your spark’s development environment.
-
-The system is only designed to generate code based on submitted prompts. It is not capable of conversational interactions. English is the preferred language for submitted prompts.
-
-### Language model analysis
-
-The prompt is then passed through a large language model, which is a neural network that has been trained on a large body of text data. The language model analyzes the input prompt to help the agent reason on the task and leverage necessary tools.
-
-### Agent execution
-
-The agent which runs in your development environment accepts your prompt and the additional context passed, and decides how to update your spark to satisfy your request. The agent is able to operate your development environment by writing code, running commands, and reading execution outputs. All of the actions taken by the agent are to ensure functional, accurate code to execute your prompt. The only output from the agent is your application code.
-
-### {% data variables.product.prodname_spark_short %} frameworks
-
-The {% data variables.product.prodname_spark_short %} agent is trained to use frameworks and SDKs supplied by {% data variables.product.prodname_spark_short %} that ensure modern design and secure deployments seamlessly integrated into {% data variables.product.prodname_spark_short %}’s runtime component. The design framework is designed to be flexible and modular, enabling you to easily modify the theme to match your desired look and feel. {% data variables.product.prodname_spark_short %}’s runtime integration, accessible via the SDK, uses best practices for web deployments to ensure secure, scalable deployments.
-
-### Adding inference capabilities to your spark
-
-{% data variables.product.prodname_spark_short %}’s SDK natively integrates with {% data variables.product.prodname_github_models %}, allowing you to incorporate model inference into your spark.
If {% data variables.product.prodname_spark_short %} determines that your application requires inference capabilities, it will add them using the {% data variables.product.prodname_spark_short %} SDK.
-
-{% data variables.product.prodname_spark_short %} gives you the tools to create, modify, and test the prompts that will be used with these inference capabilities. {% data variables.product.prodname_spark_short %} does not do any testing of the prompts that you create within your application, so you must ensure that your included capabilities act as intended. For more information on responsible use within {% data variables.product.prodname_github_models %}, see the [AUTOTITLE](/github-models/responsible-use-of-github-models).
-
-## Use cases for {% data variables.product.prodname_spark_short %}
-
-### Building and deploying full stack web applications
-
-You can use {% data variables.product.prodname_spark_short %} to build full stack web applications for you using natural language. {% data variables.product.prodname_spark_short %}’s integrated runtime environment allows you to deploy these applications to the public internet. You can define permissions to these deployed applications based on {% data variables.product.github %} account visibility, allowing them to be visible to the general public, specific {% data variables.product.github %} members, members of your team or organization, or just you. Sparks can be anything \- from board game score trackers to full software-as-a-service products \- however whatever you deploy remains subject to {% data variables.product.github %}’s [Terms](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#github-copilot) for user generated content.
-
-### Prototyping ideas
-
-{% data variables.product.prodname_spark_short %} helps developers, designers, product managers, or other builders rapidly prototype ideas without needing to build applications from scratch or construct complex mockups. These prototypes can be deployed for ease of sharing, or can remain unpublished as a way for builders to instantly see their vision.
-
-## Improving performance for {% data variables.product.prodname_spark_short %}
-
-{% data variables.product.prodname_spark_short %} can build a wide variety of applications, and iterate on them over time to increase complexity as new requirements are surfaced. To enhance performance and address some limitations of {% data variables.product.prodname_spark_short %}, there are various best practices you can adopt. For more information about the limitations of {% data variables.product.prodname_spark_short %}, see [Limitations of {% data variables.product.prodname_spark_short %}](#limitations-of-github-spark).
-
-### Keep your prompts specific and on topic
-
-{% data variables.product.prodname_spark_short %} is intended to build and iterate on your spark. The more specific you can be about the intended behaviors and interactions, the better the output will be from {% data variables.product.prodname_spark_short %}. Incorporating relevant context such as specific scenarios, mockups, or specifications will help {% data variables.product.prodname_spark_short %} understand your intent, which will improve the output you receive.
-
-{% data variables.product.prodname_spark_short %} also incorporates context from previous prompts into each subsequent revision it generates. Submitting off-topic prompts may hinder performance on subsequent revisions. Therefore try to keep your prompts as relevant as possible to the application you are building.
-
-### Use targeted edits appropriately
-
-Targeted edits in {% data variables.product.prodname_spark_short %} allow you to specify elements within your application, letting you refine style, substance, or behavior of individual elements of your application. These targeted edits are an excellent way to constrain edit surface area and express intent to {% data variables.product.prodname_spark_short %}. Using targeted edits when possible (rather than global prompts) will result in more accurate changes, as well as fewer side effects in your application as {% data variables.product.prodname_spark_short %} generates new revisions.
-
-### Verify {% data variables.product.prodname_spark_short %}’s output
-
-While {% data variables.product.prodname_spark_short %} is an extremely powerful tool, it may still make mistakes. These mistakes can be misunderstandings of your goals, or more simple syntax errors within your generated spark. You should always use {% data variables.product.prodname_spark_short %}’s provided application preview to verify that your spark behaves as intended in different scenarios. If you are comfortable with code, it is also best practice to ensure the generated code is up to your code quality standards.
-
-## Limitations of {% data variables.product.prodname_spark %}
-
-### Interpretation of user intent
-
-{% data variables.product.prodname_spark_short %} is not always correct in its interpretation of your intent. You should always use {% data variables.product.prodname_spark_short %}’s provided preview to confirm accurate behavior within your spark.
-
-### Limited scope
-
-{% data variables.product.prodname_spark_short %} is backed by {% data variables.product.prodname_copilot_short %}, and therefore has been trained on a large body of code and relevant applications. However it may still struggle with complex or truly novel applications.
{% data variables.product.prodname_spark_short %} will perform best on common/personal application scenarios (e.g. productivity tools, learning aids, life management utilities), and when the natural language instruction is provided in English.
-
-### Public code
-
-{% data variables.product.prodname_spark_short %} may generate code that is a match or near match of publicly available code, even if the "Suggestions matching public code" policy is set to "Block." See [AUTOTITLE](/copilot/managing-copilot/managing-copilot-as-an-individual-subscriber/managing-your-copilot-plan/managing-copilot-policies-as-an-individual-subscriber#enabling-or-disabling-suggestions-matching-public-code).
-
-If this happens, {% data variables.product.prodname_copilot_short %} will not provide code references pointing to the original source of the code. See [AUTOTITLE](/copilot/using-github-copilot/finding-public-code-that-matches-github-copilot-suggestions).
-
-### Security limitations
-
-While {% data variables.product.prodname_spark_short %}’s runtime follows best practices for application deployment, it does generate code probabilistically, which can potentially introduce vulnerabilities especially if those vulnerabilities are common in the training set of applications. You should be careful when building applications that manage personal or sensitive data and always review and test the generated application thoroughly.
-
-### Legal and regulatory considerations
-
-Users need to evaluate potential specific legal and regulatory obligations when using any AI services and solutions, which may not be appropriate for use in every industry or scenario. Additionally, AI services or solutions are not designed for and may not be used in ways prohibited in applicable terms of service and relevant codes of conduct.
-
-### Offensive content
-
-{% data variables.product.prodname_spark_short %} has built-in protections against harmful, hateful, or offensive content.
Please report any examples of offensive content to copilot-safety@github.com. Please include your spark’s URL so that we can identify the spark.
-
-You can report problematic or illegal content via Feedback, or you can report a spark as abuse or spam. See [AUTOTITLE](/communities/maintaining-your-safety-on-github/reporting-abuse-or-spam) and {% data variables.product.github %}'s [Content Removal Policies](/free-pro-team@latest/site-policy/content-removal-policies).
-
-## Further Reading
-
-* [AUTOTITLE](/copilot/tutorials/building-your-first-app-in-minutes-with-github-spark)
-* [AUTOTITLE](/copilot/tutorials/building-ai-app-prototypes)
-* [AUTOTITLE](/copilot/concepts/copilot-billing/about-billing-for-github-spark)
-* [AUTOTITLE](/github-models/responsible-use-of-github-models)
-* [AUTOTITLE](/free-pro-team@latest/site-policy/github-terms/github-pre-release-license-terms)
diff --git a/content/github-models/responsible-use-of-github-models.md b/content/github-models/responsible-use-of-github-models.md
index affb85f8a634..9e55c8fecc0c
--- a/content/github-models/responsible-use-of-github-models.md
+++ b/content/github-models/responsible-use-of-github-models.md
@@ -4,7 +4,6 @@ shortTitle: Responsible use
 intro: Learn how to use {% data variables.product.prodname_github_models %} responsibly by understanding its purposes, capabilities, and limitations.
 versions:
 feature: github-models
-contentType: rai
 category:
 - Build with AI models
 ---
diff --git a/content/support/learning-about-github-support/about-copilot-in-github-support.md b/content/support/learning-about-github-support/about-copilot-in-github-support.md
index 5d226c33284b..c4fef1261ca2
--- a/content/support/learning-about-github-support/about-copilot-in-github-support.md
+++ b/content/support/learning-about-github-support/about-copilot-in-github-support.md
@@ -6,7 +6,6 @@ versions: ghec: '*' ghes: '*' shortTitle: About Copilot in GitHub Support -contentType: rai category: - Understand your support options --- diff --git a/data/reusables/rai/copilot/application-card-agentic-ai-caution.md b/data/reusables/rai/copilot/application-card-agentic-ai-caution.md new file mode 100644 index 000000000000..2287df378fe3 --- /dev/null +++ b/data/reusables/rai/copilot/application-card-agentic-ai-caution.md @@ -0,0 +1,2 @@ + +Users should exercise caution when designing and/or deploying agentic AI applications in sensitive domains where agent actions are irreversible or highly consequential. Additional precautions should also be taken when creating autonomous agentic AI as described further in the [AUTOTITLE](/free-pro-team@latest/site-policy/github-terms). diff --git a/data/reusables/rai/copilot/application-card-consequential-decisions.md b/data/reusables/rai/copilot/application-card-consequential-decisions.md new file mode 100644 index 000000000000..e0031664b842 --- /dev/null +++ b/data/reusables/rai/copilot/application-card-consequential-decisions.md @@ -0,0 +1,2 @@ + +Consequential decisions are those that may have a legal or significant impact on a person's access to education, employment, financial platforms, government benefits, healthcare, housing, insurance, legal platforms, or that could result in physical, psychological, or financial harm. Sensitive domains—such as financial platforms, healthcare, and housing—require particular care due to the potential for disproportionate impact on different groups of people. When using AI for decisions in these areas, make sure that impacted stakeholders can understand how decisions are made, appeal decisions, and update any relevant input data. diff --git a/data/reusables/rai/copilot/application-card-evaluate-legal-regulatory.md b/data/reusables/rai/copilot/application-card-evaluate-legal-regulatory.md new file mode 100644 index 000000000000..9a4232b0a326 --- /dev/null 
+++ b/data/reusables/rai/copilot/application-card-evaluate-legal-regulatory.md @@ -0,0 +1,2 @@ + +Customers need to evaluate potential specific legal and regulatory obligations when using any AI platforms and solutions, which may not be appropriate for use in every industry or scenario. Additionally, AI platforms or solutions are not designed for and may not be used in ways prohibited in applicable terms of service and relevant codes of conduct. diff --git a/data/reusables/rai/copilot/application-card-evaluation-data-for-quality-and-safety.md b/data/reusables/rai/copilot/application-card-evaluation-data-for-quality-and-safety.md new file mode 100644 index 000000000000..95bacbaec6a4 --- /dev/null +++ b/data/reusables/rai/copilot/application-card-evaluation-data-for-quality-and-safety.md @@ -0,0 +1,2 @@ + +Our evaluation data is custom-built to assess AI application performance across key areas of **safety** and **quality**, simulating real-world scenarios and risks. We begin by identifying relevant evaluation aspects of concern based on multi-disciplinary research and expert input. These concerns are translated into targeted evaluation objectives and guide formulation of evaluation metrics. For **safety**, we create adversarial prompts to elicit undesirable or edge-case responses, which are then scored using AI-assisted annotators trained to assess alignment with GitHub’s standards. For **quality**, we craft rubric-based prompts relevant to scenarios including evaluating retrieval-augmented generation (RAG) applications and agents. Datasets are curated from diverse sources including synthetic and public datasets to simulate real-world user scenarios. Using the curated datasets, both evaluations undergo iterative refinement and human alignment to improve metric efficacy and reliability. This methodology forms the foundation of repeatable, rigorous assessments that reflect how customers use evaluations to build better AI. 
diff --git a/data/reusables/rai/copilot/application-card-evaluations.md b/data/reusables/rai/copilot/application-card-evaluations.md new file mode 100644 index 000000000000..7ce395964ec7 --- /dev/null +++ b/data/reusables/rai/copilot/application-card-evaluations.md @@ -0,0 +1,2 @@ + +Performance and safety evaluations assess whether AI applications are operating reliably and securely by examining factors like groundedness, relevance, and coherence while identifying the risks of generating harmful content. The following evaluations were conducted with safety components already in place, which are also described in [9. Safety components and mitigations](#9-safety-components-and-mitigations). diff --git a/data/reusables/rai/copilot/application-card-intro.md b/data/reusables/rai/copilot/application-card-intro.md new file mode 100644 index 000000000000..7cd28d746f9c --- /dev/null +++ b/data/reusables/rai/copilot/application-card-intro.md 
@@ -0,0 +1,4 @@ + +GitHub’s application and platform cards are intended to help you understand how our AI technology works, the choices application owners can make that influence application performance and behavior, and the importance of considering the whole application, including the technology, the people, and the environment. Application cards are created for AI applications and platform cards are created for AI platform services. These resources can support the development or deployment of your own applications and can be shared with users or stakeholders impacted by them. + +As part of its commitment to responsible AI, GitHub adheres to Microsoft's [six core principles](https://www.microsoft.com/en-us/ai/principles-and-approach/?msockid=3da790040c776d6f2b5485e40de56c06#ai-principles): fairness, reliability and safety, privacy and security, inclusiveness, transparency, and accountability. These principles are embedded in the [Responsible AI Standard](https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/Microsoft-Responsible-AI-Standard-General-Requirements.pdf?culture=en-us&country=us), which guides teams in designing, building, and testing AI applications. Application and Platform Cards play a key role in operationalizing these principles by offering transparency around capabilities, intended uses, and limitations. For further insight, readers are encouraged to explore Microsoft’s [Responsible AI Transparency Report](https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Responsible-AI-Transparency-Report-2025-vertical.pdf) and [AUTOTITLE](/free-pro-team@latest/site-policy/github-terms). diff --git a/data/reusables/rai/copilot/application-card-overreliance.md b/data/reusables/rai/copilot/application-card-overreliance.md new file mode 100644 index 000000000000..5320c7b0916d --- /dev/null +++ b/data/reusables/rai/copilot/application-card-overreliance.md 
@@ -0,0 +1,2 @@ + +Overreliance on AI happens when users accept incorrect or incomplete AI outputs, mainly because mistakes in AI outputs may be hard to detect. For the end-user, overreliance could result in decreased productivity, loss of trust, application abandonment, financial loss, psychological harm, physical harm, among others. (e.g. a doctor accepts an incorrect AI output). diff --git a/data/reusables/rai/copilot/application-card-release-assessment-process.md b/data/reusables/rai/copilot/application-card-release-assessment-process.md new file mode 100644 index 000000000000..1f3c96e4b783 --- /dev/null +++ b/data/reusables/rai/copilot/application-card-release-assessment-process.md @@ -0,0 +1,2 @@ + +All model releases undergo a Responsible AI review process. Adversarial testing results (when applicable) and mitigation documentation are evaluated by assessment leads before approval. Releases always include phased rollouts and continued monitoring before broader exposure. diff --git a/data/reusables/rai/copilot/application-card-risk-and-safety-evaluations.md b/data/reusables/rai/copilot/application-card-risk-and-safety-evaluations.md new file mode 100644 index 000000000000..57e6fb039fd3 --- /dev/null +++ b/data/reusables/rai/copilot/application-card-risk-and-safety-evaluations.md @@ -0,0 +1,10 @@ + +Evaluating potential risks associated with AI-generated content is essential for safeguarding against content risks with varying degrees of severity. This includes evaluating an AI application's predisposition towards generating harmful content or testing vulnerabilities to jailbreak attacks. For GitHub, we conduct performance evaluations, including those which are adapted for coding purposes from [Microsoft Foundry](https://learn.microsoft.com/en-us/azure/ai-foundry/concepts/evaluation-evaluators/risk-safety-evaluators): + +* Hate and unfairness +* Sexual +* Violence +* Self-harm +* Protected material +* Jailbreak +* Code vulnerability 
diff --git a/data/reusables/rai/copilot/enterprise-fpt-link.md b/data/reusables/rai/copilot/enterprise-fpt-link.md new file mode 100644 index 000000000000..37577761b4c0 --- /dev/null +++ b/data/reusables/rai/copilot/enterprise-fpt-link.md @@ -0,0 +1 @@ +> [!NOTE] You are currently viewing the documentation for Free, Pro, and Team plans. {% data variables.copilot.copilot_enterprise %} is only available to customers on the {% data variables.product.prodname_ghe_cloud %} plan. For full documentation of {% data variables.copilot.copilot_enterprise_short %}, see [AUTOTITLE](/enterprise-cloud@latest/copilot/github-copilot-enterprise) in the {% data variables.product.prodname_ghe_cloud %} documentation. diff --git a/src/content-linter/tests/unit/rai-app-card-structure.ts b/src/content-linter/tests/unit/rai-app-card-structure.ts index 863c750ef68d..82394e1ad94c 100644 --- a/src/content-linter/tests/unit/rai-app-card-structure.ts +++ b/src/content-linter/tests/unit/rai-app-card-structure.ts @@ -83,22 +83,14 @@ function validCard(): string { '', '## 10. Best practices for deploying and adopting Copilot Chat', '', - '### Deployers and end-users should', - '', '{% data reusables.rai.copilot.application-card-consequential-decisions %}', '', '{% data reusables.rai.copilot.application-card-evaluate-legal-regulatory %}', '', - '### End-users should', - '', '{% data reusables.rai.copilot.application-card-overreliance %}', '', '{% data reusables.rai.copilot.application-card-agentic-ai-caution %}', '', - '### Deployers should', - '', - 'Deployer practices.', - '', '## 11. Learn more about Copilot Chat', '', 'Links.', From ea6e10bf1ce25e4c5ea43fed31f79fa37a18da6a Mon Sep 17 00:00:00 2001 
From: Joe Clark <31087804+jc-clark@users.noreply.github.com> Date: Thu, 4 Jun 2026 13:26:49 -0700 Subject: [PATCH 5/5] Reactivate RAI linter rules (GHD035, GHD064) (#61444) --- .../contributing/content-linter-rules.md | 2 ++ .../linting-rules/rai-app-card-structure.ts | 3 ++- src/content-linter/style/github-docs.ts | 26 +++++++------------ 3 files changed, 14 insertions(+), 17 deletions(-) diff --git a/data/reusables/contributing/content-linter-rules.md b/data/reusables/contributing/content-linter-rules.md index 2876d58237c5..9aeae153d6b4 100644 --- a/data/reusables/contributing/content-linter-rules.md +++ b/data/reusables/contributing/content-linter-rules.md @@ -44,6 +44,7 @@ | GHD032 | image-alt-text-end-punctuation | Alternate text for images should end with punctuation | error | accessibility, images | | GHD033 | incorrect-alt-text-length | Images alternate text should be between 40-150 characters | error | accessibility, images | | GHD034 | frontmatter-curly-quotes | Frontmatter title and intro should not contain curly quotes | error | frontmatter, format | +| GHD035 | rai-reusable-usage | RAI articles and reusables can only reference reusable content in the data/reusables/rai directory | error | feature, rai | | GHD036 | image-no-gif | Image must not be a gif, styleguide reference: contributing/style-guide-and-content-model/style-guide.md#images | error | images | | GHD038 | expired-content | Expired content must be remediated. | warning | expired | | GHD039 | expiring-soon | Content that expires soon should be proactively addressed. | warning | expired | 
@@ -64,6 +65,7 @@ | GHD061 | frontmatter-hero-image | Hero image paths must be absolute, extensionless, and point to valid images in /assets/images/banner-images/ | error | frontmatter, images | | GHD062 | frontmatter-intro-links | introLinks keys must be valid keys defined in data/ui.yml under product_landing | error | frontmatter, single-source | | GHD063 | frontmatter-children | Children frontmatter paths must exist. Supports relative paths and absolute /content/ paths for cross-product inclusion. | error | frontmatter, children | +| GHD064 | rai-app-card-structure | RAI application/platform card articles must follow the required template structure | error | feature, rai | | GHD065 | frontmatter-content-type | Content files in content-type directories must have a contentType frontmatter property that matches the parent directory. | error | frontmatter, content-type | | GHD066 | frontmatter-docs-team-metrics | Articles whose path contains a docsTeamMetrics value must include that value in their docsTeamMetrics frontmatter property. | error | frontmatter, docs-team-metrics | | [search-replace](https://github.com/OnkarRuikar/markdownlint-rule-search-replace) | deprecated liquid syntax: octicon- | The octicon liquid syntax used is deprecated. Use this format instead `octicon "" aria-label=""` | error | | diff --git a/src/content-linter/lib/linting-rules/rai-app-card-structure.ts b/src/content-linter/lib/linting-rules/rai-app-card-structure.ts index d166ed89ee45..0e4ca02fdbbb 100644 --- a/src/content-linter/lib/linting-rules/rai-app-card-structure.ts +++ b/src/content-linter/lib/linting-rules/rai-app-card-structure.ts 
@@ -331,7 +331,8 @@ interface Frontmatter { function isFileRaiCard(params: RuleParams): boolean { const fm: Frontmatter = (getFrontmatter(params.frontMatterLines) as Frontmatter) || {} - return fm.contentType === 'rai' + // Files with children: are landing pages that aggregate cards, not cards themselves. + return fm.contentType === 'rai' && !('children' in fm) } export const raiAppCardStructure: Rule = { diff --git a/src/content-linter/style/github-docs.ts b/src/content-linter/style/github-docs.ts index fbadcf7ec11a..0e8f7d338039 100644 --- a/src/content-linter/style/github-docs.ts +++ b/src/content-linter/style/github-docs.ts @@ -119,14 +119,11 @@ const githubDocsConfig = { 'partial-markdown-files': true, 'yml-files': true, }, - // 'rai-reusable-usage': { - // // GHD035 - // // Temporarily disabled until RAI application card PRs merge. - // // Re-enable by uncommenting this block. - // // See: github/docs-internal#59611, #59934, #59936 - // severity: 'error', - // 'partial-markdown-files': true, - // }, + 'rai-reusable-usage': { + // GHD035 + severity: 'error', + 'partial-markdown-files': true, + }, 'image-no-gif': { // GHD036 severity: 'error', @@ -190,14 +187,11 @@ const githubDocsConfig = { 'partial-markdown-files': true, 'yml-files': true, }, - // 'rai-app-card-structure': { - // // GHD064 - // // Temporarily disabled until RAI application card PRs merge. - // // Re-enable by uncommenting this block (use 'error' once migration is complete per github/docs-team#6340). - // // See: github/docs-internal#59611, #59934, #59936 - // severity: 'warning', - // 'partial-markdown-files': false, - // }, + 'rai-app-card-structure': { + // GHD064 + severity: 'error', + 'partial-markdown-files': false, + }, } export const githubDocsFrontmatterConfig = {
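Review bot: The new `!('children' in fm)` on the return line keys on the presence of the `children` key, not its value, so a card whose frontmatter happens to carry `children: []` or `children: null` would also be exempted from the structure check. If only real aggregator pages should be skipped, `!(Array.isArray(fm.children) && fm.children.length > 0)` would pin that down; if key presence is the intended signal, the comment should say so, e.g. `// Any children: key (even empty) marks a landing page that aggregates cards, not a card itself.`. Either way, declaring `children` on the `Frontmatter` interface (its body lies outside the hunk) would let this read `fm.children` like the `fm.contentType` access beside it instead of an untyped `in` probe. Nothing in the visible test-fixture hunk exercises this exclusion; a fixture with `contentType: rai` plus a `children:` list that expects zero GHD064 findings would lock the behavior in.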
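Review bot: The re-enabled `rai-app-card-structure` block sets `severity: 'error'`, but the comment it replaces said to keep `'warning'` and move to `'error'` only once the migration tracked in github/docs-team#6340 is complete, and neither the commit message nor the hunk records that the migration finished. If any remaining `contentType: rai` article without `children:` still deviates from the template, this makes the linter fail outright instead of surfacing warnings. Unless completion is confirmed, keep `severity: 'warning',` here, or state the justification in the comment, e.g. `// GHD064 — migration per github/docs-team#6340 complete, so 'error' is safe`. The `isFileRaiCard` change in the same commit narrows the set of files checked, which helps, but does not by itself show that every remaining card conforms.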