Why this category matters
Security work needs repeatable workflows and explicit controls. The Analyze security category shows how Copilot Chat can accelerate setup and triage while keeping humans in control of final decisions.
Use cases
- Engineers hardening repository defaults and dependency workflows
- Security champions triaging vulnerability findings with developers
- Developers who need guardrails for Copilot-assisted security workflows
The 3 examples in this category
- Securing your repository
- Managing dependency updates
- Finding existing vulnerabilities in code
Diagram: Security hardening flow
+------------------------------+
| Baseline repo setup          |
| - secret scanning            |
| - push protection            |
| - branch rules               |
+------------------------------+
               |
               v
+------------------------------+
| Dependency hygiene           |
| - dependabot.yml             |
| - update schedules           |
| - PR policy tuning           |
+------------------------------+
               |
               v
+------------------------------+
| Code-level review            |
| - vulnerability prompts      |
| - secure coding fixes        |
+------------------------------+
               |
               v
+------------------------------+
| Continuous validation        |
| - code scanning              |
| - review and triage          |
+------------------------------+
1) Securing your repository
Cookbook scenario:
- Ask for step-by-step enablement of essential repository security features.
Features called out in the example:
- Secret scanning
- Push protection
- Dependabot alerts
- Dependabot security updates
- Branch protection rules with required reviews
Prompt pattern:
Provide step-by-step instructions to enable essential repository security features,
including why each one matters.
Additional cookbook workflow:
- Generate a SECURITY.md policy with reporting path, response timeline, disclosure guidance, and supported versions.
2) Managing dependency updates
The cookbook demonstrates two workflows.
Workflow A: generate a baseline dependabot.yml by detecting the package ecosystems present in the repository.
Workflow B: customize Dependabot behavior to fit the team's review workflow.
Customization examples from the cookbook:
- Auto-assign reviewers/team.
- Add labels for routing and governance.
- Limit open PRs.
- Ignore development dependencies where appropriate.
What to verify before merging the generated file:
- It lives at .github/dependabot.yml on the default branch; Dependabot reads it from nowhere else.
- Ecosystem names and directory values match where the manifests actually are (one update entry per manifest directory).
- Schedules and PR limits fit the team's review capacity.
- Every label, reviewer and assignee it names already exists in the target repository; Dependabot does not create them for you.
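The configuration below is an added example of the Workflow B customizations (it is not the file the cookbook generates, and it is also the shape of answer Prompt 2 in the worked example asks for). The team slug octo-org/platform-team and the label names are placeholders; the labels must already exist in the repository.

```yaml
# .github/dependabot.yml (added example; placeholders: octo-org/platform-team, label names)
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"                  # where package.json lives; one entry per manifest directory
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Etc/UTC"
    open-pull-requests-limit: 5     # caps version-update PRs; security updates have their own limit
    labels:
      - "dependencies"
      - "npm"
    reviewers:
      - "octo-org/platform-team"    # routes every PR to the owning team
    allow:
      - dependency-type: "production"   # skip devDependencies in version updates
    groups:
      minor-and-patch:              # one PR per week for all minor/patch bumps instead of one per package
        update-types:
          - "minor"
          - "patch"
  - package-ecosystem: "github-actions"
    directory: "/"                  # Dependabot locates .github/workflows from the repository root
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
      - "github-actions"
```

Grouping minor and patch bumps keeps the weekly PR volume predictable; major versions still arrive as individual PRs so breaking changes get their own review. The allow rule only narrows version updates; security updates for a vulnerable devDependency are still raised.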
3) Finding existing vulnerabilities in code
Cookbook scenario:
- Detect potential XSS in DOM update logic and suggest safer rendering.
Vulnerable code:
  // Directly inserts user-controlled text into the DOM
  function renderUserComment(commentText) {
    document.getElementById("comments").innerHTML += commentText;
  }
An attacker who submits <img src=x onerror="stealCookies()"> as commentText gets that handler executed in the browser of every user who views the comments (stored XSS). The onerror handler fires as soon as the bogus image fails to load, so no click is required. Note also that innerHTML += re-serializes and re-parses everything already in the container, so an injected payload already present is re-parsed with every new comment, and any listeners attached by script to earlier elements are dropped.
Safer alternative:
  // Treats user input as text, never as markup
  function renderUserComment(commentText) {
    const p = document.createElement("p");
    p.textContent = commentText;
    document.getElementById("comments").appendChild(p);
  }
textContent is the right fix when comments are plain text. If comments must carry formatting, do not fall back to innerHTML with ad hoc filtering; build the markup from a constrained model with createElement, or pass it through a maintained allowlist sanitizer first.
Prompt pattern:
Analyze this code for potential security vulnerabilities and suggest fixes.
Cookbook guardrail (important):
- Do not rely on Copilot Chat as a comprehensive security analysis tool.
- Use GitHub code scanning for broader and deeper security coverage.
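The following is an added example, not code from the cookbook. It carries the text-versus-markup boundary that the textContent fix enforces over to the server-rendered (or string-built) case, and adds the URL context that HTML escaping alone does not cover, since a comment that carries a link is the next thing a vulnerability prompt will be asked about. It runs on Node 18+ with no dependencies; the attack strings are constructed samples, and the author/link fields are assumed for illustration.

```javascript
// Added example, not the cookbook's code: output encoding for two contexts
// (HTML text/attribute value, and href), with a regression check for the fix.
// Runs on Node 18+ with no dependencies. Payloads are constructed samples.

// HTML text and double-quoted attribute-value context. Encoding these five
// characters means untrusted input can never open a tag or break out of a
// quoted attribute; this is what textContent does for you in the browser.
function escapeHtml(untrusted) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// URL (href) context. escapeHtml() leaves javascript:alert(1) untouched, so a
// link target needs its own rule: absolute http(s) URL or nothing. Relative and
// malformed input throws in the URL constructor and is rejected as well.
function safeHref(untrusted) {
  let url;
  try {
    url = new URL(String(untrusted));
  } catch {
    return null;
  }
  return url.protocol === "http:" || url.protocol === "https:" ? url.href : null;
}

// Render one comment, encoding each value for the context it lands in.
// (author and link are assumed fields; the page's example has only the text.)
function renderComment({ author, text, link }) {
  const href = safeHref(link);
  const anchor = href
    ? ` <a href="${escapeHtml(href)}" rel="noopener noreferrer">link</a>`
    : "";
  return `<p><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}${anchor}</p>`;
}

// Regression check for the fix: once encoded, a value must contain no character
// that can start a tag or terminate an attribute.
function isInertInHtml(encoded) {
  return !/[<>"']/.test(encoded);
}

// Constructed attack strings: the page's payload and two attribute-breakout variants.
const PAYLOADS = [
  '<img src=x onerror="stealCookies()">',
  '"><script>alert(1)</script>',
  "' onmouseover='alert(1)",
];

// One result row per payload, returned rather than only printed so it can be asserted.
function checkPayloads() {
  return PAYLOADS.map((payload) => {
    const encoded = escapeHtml(payload);
    return { payload, encoded, inert: isInertInHtml(encoded) };
  });
}

console.log(checkPayloads());
console.log(renderComment({
  author: "mallory",
  text: '<img src=x onerror="stealCookies()">',
  link: "javascript:alert(1)",
}));
```

The point of keeping two separate functions is that encoding is per context: escapeHtml() is correct for text and quoted attribute values and wrong for href, while safeHref() would be useless against the page's img payload. When asking Copilot Chat for a fix, ask which output context each untrusted value reaches; a single "sanitize" helper is the usual sign that the answer has not.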
High-value prompt constraints for security tasks
- Ask for threat explanation plus fix.
- Ask for minimally invasive patch.
- Ask for tests or checks that verify the fix.
- Ask for residual risk and recommended follow-up scanning.
Worked example
Scenario
You want to establish a baseline security posture for a new service repository.
Prompt 1 (baseline hardening)
Provide a step-by-step checklist to secure this repository.
Include secret scanning, push protection, branch protection, and code scanning.
For each item, explain why it matters and how to validate it.
Prompt 2 (dependency hygiene)
Generate a Dependabot configuration for npm and GitHub Actions with weekly updates,
labels, and reviewer assignment.
Prompt 3 (code vulnerability triage)
Analyze this code snippet for likely XSS, injection, or insecure output handling.
Suggest minimal patches and tests.
Validation checklist
- Security settings are actually enabled, confirmed in the repository's settings page or via the REST API, not merely described in the chat response.
- Dependabot config matches real package ecosystems.
- Proposed code fix is backed by tests and code scanning results.
Always pair these prompts with GitHub code scanning and human review before merge.
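The script below is an added example that serves both the "Securing your repository" enablement steps (section 1) and the first item of the validation checklist: it turns on the features the cookbook lists through the GitHub REST API and then reads them back, so "enabled" is something the repository reports rather than something the chat answer claimed. It is not the cookbook's code. It assumes Node 18+ (global fetch), a token in GITHUB_TOKEN with admin rights on the repository, and placeholder owner/repo/branch values; the evaluation function is kept free of I/O so it can be tested against constructed API responses offline.

```javascript
// Added example, not the cookbook's code. Node 18+ (global fetch).
// Assumptions: GITHUB_TOKEN holds a token with admin rights on the repository;
// owner/repo/branch are placeholders supplied via environment variables.

const API = "https://api.github.com";

function headers(token) {
  return {
    Authorization: `Bearer ${token}`,
    Accept: "application/vnd.github+json",
    "X-GitHub-Api-Version": "2022-11-28",
  };
}

// Pure evaluation, no I/O, so it can be unit-tested offline.
//   repo:            body of GET /repos/{owner}/{repo}
//   alertsEnabled:   GET /repos/{owner}/{repo}/vulnerability-alerts returned 204 (404 means off)
//   securityUpdates: body of GET /repos/{owner}/{repo}/automated-security-fixes ({enabled, paused})
//   protection:      body of GET /repos/{owner}/{repo}/branches/{branch}/protection, or null on 404
// Returns the list of gaps; an empty list means the baseline is in place.
function evaluatePosture(repo, alertsEnabled, securityUpdates, protection) {
  const sa = (repo && repo.security_and_analysis) || {};
  const on = (feature) => Boolean(sa[feature] && sa[feature].status === "enabled");
  const gaps = [];

  if (!on("secret_scanning")) gaps.push("secret scanning is disabled");
  if (!on("secret_scanning_push_protection")) gaps.push("push protection is disabled");
  if (!alertsEnabled) gaps.push("Dependabot alerts are disabled");
  if (!(securityUpdates && securityUpdates.enabled && !securityUpdates.paused)) {
    gaps.push("Dependabot security updates are disabled or paused");
  }

  if (!protection) {
    gaps.push("branch has no protection rule");
  } else {
    const reviews = protection.required_pull_request_reviews;
    const approvals = reviews ? reviews.required_approving_review_count || 0 : 0;
    if (approvals < 1) gaps.push("branch protection does not require an approving review");
    if (!(protection.enforce_admins && protection.enforce_admins.enabled)) {
      gaps.push("branch protection is not enforced for administrators");
    }
  }
  return gaps;
}

// Thin REST wrapper: 404 is a legitimate "not enabled / no rule" answer, anything
// else non-2xx is an error. 204 responses carry no body.
async function gh(method, path, token, body) {
  const res = await fetch(API + path, {
    method,
    headers: headers(token),
    body: body === undefined ? undefined : JSON.stringify(body),
  });
  if (res.status === 404) return { found: false, body: null };
  if (!res.ok) throw new Error(`${method} ${path}: HTTP ${res.status}`);
  const text = await res.text();
  return { found: true, body: text ? JSON.parse(text) : null };
}

// Step 1: enable. Secret scanning and push protection are repository settings;
// Dependabot alerts, security updates and branch protection each have their own endpoint.
async function enableBaseline(owner, repo, branch, token) {
  const base = `/repos/${owner}/${repo}`;
  await gh("PATCH", base, token, {
    security_and_analysis: {
      secret_scanning: { status: "enabled" },
      secret_scanning_push_protection: { status: "enabled" },
    },
  });
  await gh("PUT", `${base}/vulnerability-alerts`, token);
  await gh("PUT", `${base}/automated-security-fixes`, token);
  await gh("PUT", `${base}/branches/${branch}/protection`, token, {
    required_status_checks: null,        // the endpoint requires all four keys, null where unused
    enforce_admins: true,
    required_pull_request_reviews: { required_approving_review_count: 1 },
    restrictions: null,
  });
}

// Step 2: read back and evaluate, rather than trusting that step 1 took effect.
async function auditRepository(owner, repo, branch, token) {
  const base = `/repos/${owner}/${repo}`;
  const r = await gh("GET", base, token);
  const alerts = await gh("GET", `${base}/vulnerability-alerts`, token);
  const updates = await gh("GET", `${base}/automated-security-fixes`, token);
  const prot = await gh("GET", `${base}/branches/${branch}/protection`, token);
  return evaluatePosture(r.body, alerts.found, updates.body, prot.found ? prot.body : null);
}

// Usage: GITHUB_TOKEN=... AUDIT_REPO=owner/repo AUDIT_BRANCH=main [AUDIT_ENABLE=1] node audit.js
// Only runs when the environment is set, so the module loads offline.
if (process.env.GITHUB_TOKEN && process.env.AUDIT_REPO) {
  const [owner, repo] = process.env.AUDIT_REPO.split("/");
  const branch = process.env.AUDIT_BRANCH || "main";
  const token = process.env.GITHUB_TOKEN;
  (process.env.AUDIT_ENABLE ? enableBaseline(owner, repo, branch, token) : Promise.resolve())
    .then(() => auditRepository(owner, repo, branch, token))
    .then((gaps) => console.log(gaps.length ? gaps.join("\n") : "baseline in place"))
    .catch((err) => { console.error(err.message); process.exit(1); });
}
```

Run the audit on its own first; enabling is gated behind AUDIT_ENABLE so the script can be pointed at a repository read-only. A branch protection rule that exists but requires zero approvals, or exempts administrators, is reported as a gap: "a rule exists" is not the same check as "required reviews are in force", which is the distinction the checklist item is really about.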
Key takeaways
- Security prompts can accelerate setup, but policy and validation remain human responsibilities.
- Dependabot effectiveness depends on well-tuned configuration, not defaults alone.
- Vulnerability prompts are useful for triage and patch ideas, not full security assurance.
- Pair Copilot Chat with code scanning and disciplined review workflows.
References
- https://docs.github.com/en/copilot/tutorials/copilot-chat-cookbook
- https://docs.github.com/en/copilot/tutorials/copilot-chat-cookbook/analyze-security
- https://docs.github.com/en/copilot/tutorials/copilot-chat-cookbook/analyze-security/secure-your-repository
- https://docs.github.com/en/copilot/tutorials/copilot-chat-cookbook/analyze-security/manage-dependency-updates
- https://docs.github.com/en/copilot/tutorials/copilot-chat-cookbook/analyze-security/find-vulnerabilities
- https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates
- https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates
- https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs
- https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs
- https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning
- https://docs.github.com/en/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning
