🟢 🏥 In Practice Published: · 3 min read ·

GitHub Copilot CLI gets a /security-review command for scanning vulnerabilities without leaving the terminal

Editorial illustration: GitHub Copilot CLI command for security code review and secret key scanning

GitHub introduced a dedicated /security-review command in Copilot CLI to public preview — an experimental tool that scans local code changes for security vulnerabilities within the terminal, independent of existing tools like Dependabot and code scanning. The command covers 11 vulnerability categories with severity ratings and actionable suggestions.

🤖

This article was generated using artificial intelligence from primary sources.

GitHub announced on June 10, 2026 a dedicated /security-review command in Copilot CLI, available in public preview as an experimental feature. The goal is straightforward: developers should be able to scan their own code changes for security vulnerabilities without leaving the terminal.

What does the new /security-review command deliver?

The command analyzes local code changes and delivers findings sorted by severity and confidence, along with suggestions that can be applied immediately. The entire process takes place within the terminal — without opening a browser or web interface.

Activation requires enabling the Copilot CLI experimental mode. After that, /security-review is available in any project to analyze the current local changes.

11 vulnerability categories the command covers

The command scans 11 vulnerability categories:

  1. Injection attacks — SQL, command, and LDAP injection
  2. XSS (cross-site scripting) — injecting scripts into web interfaces
  3. Broken access control
  4. Path traversal — unauthorized access to files outside intended directories
  5. SSRF (Server-Side Request Forgery) — forcing the server to make unwanted requests
  6. Insecure deserialization
  7. Prototype pollution — manipulating the JavaScript prototype chain
  8. Weak cryptography
  9. Hardcoded credentials
  10. Sensitive data leaks
  11. Supply-chain risks — dependencies without a pinned version (unpinned dependencies)

One category particularly worth highlighting in the context of modern development: the command also recognizes cross-prompt injection (XPIA) as a distinct vulnerability type specific to code that integrates language models, reflecting the growing presence of AI components in applications.

Independent of existing security tools

/security-review operates independently of three existing security mechanisms on GitHub:

  • Code scanning — static code analysis integrated into the CI/CD process
  • Dependabot — automatic pull requests for security dependency upgrades
  • Secret scanning — detecting secret keys and passwords in repositories

It is not a replacement for them. This is a complementary, lightweight on-demand tool. While existing tools run automatically on the repository at every push, /security-review is intended for the developer who wants to — locally, at the moment of writing code — check changes before even sending them to the server.

Less friction between writing code and security

Integrating security scanning directly into the terminal reduces friction between writing code and discovering vulnerabilities. Instead of waiting for an automatic CI scan or manually running external tools, a developer can invoke /security-review at the moment it makes the most sense — immediately after writing the relevant changes, while the context is still fresh and a fix is cheapest.

The command is available to all GitHub Copilot users who activate experimental mode. GitHub is collecting feedback through a GitHub Community discussion. As an experimental feature in preview, it is subject to change — scanning scope and precision may change without prior notice.

Frequently Asked Questions

What does the /security-review command do in GitHub Copilot CLI?
The command scans local code changes for security vulnerabilities within the terminal, without leaving the development environment. Results are sorted by severity and confidence, with suggestions that can be applied immediately.
What vulnerability categories does /security-review cover?
The command covers 11 categories: injection attacks, XSS, broken access control, path traversal, SSRF, insecure deserialization, prototype pollution, weak cryptography, hardcoded credentials, sensitive data leaks, and supply-chain risks from unpinned dependencies.
Is /security-review a replacement for Dependabot and code scanning?
No — the command is a complementary, lightweight on-demand tool. It operates independently of Dependabot, code scanning, and secret scanning, aimed at developers who want to immediately check local changes before pushing code.

📬 AI news in your inbox

A daily digest built your way — pick topics, sources and cadence. One-click unsubscribe.