While they may be considered "common knowledge" by many developers, the vast majority of newly introduced security weaknesses are due to vulnerabilities like cross-site scripting (XSS), SQL injection, and cross-site request forgery (CSRF). These vulnerabilities can be mitigated by following secure coding practices, such as using parameterized queries, input validation, and avoiding hard-coded sensitive data. GitHub Copilot can help detect and resolve these issues.
Note
While Copilot Chat can help find some common security vulnerabilities and help you fix them, you should not rely on Copilot for a comprehensive security analysis. Using security tools and features will more thoroughly ensure your code is secure. For more information on GitHub security features, see GitHub security features.
Example scenario
The JavaScript code below has a potential XSS vulnerability: if the name parameter contains markup, it is interpreted as HTML rather than displayed as text, because it is assigned to innerHTML without being sanitized or escaped.

```javascript
function displayName(name) {
  const nameElement = document.getElementById('name-display');
  nameElement.innerHTML = `Showing results for "${name}"`;
}
```
Example prompt
You can ask Copilot Chat to analyze code for common security vulnerabilities and provide explanations and fixes for the issues it finds.
Analyze this code for potential security vulnerabilities and suggest fixes.
Example response
Note
The following response is an example. Copilot Chat responses are non-deterministic, so you may get a different response from the one shown here.
Copilot responds with an explanation of the vulnerability, and suggested changes to the code to fix it.

```javascript
function displayName(name) {
  const nameElement = document.getElementById('name-display');
  nameElement.textContent = `Showing results for "${name}"`;
}
```