Security validation for third-party coding agents is now generally available. GitHub supports third-party coding agents (including Claude and OpenAI Codex) that work directly within your repositories to implement features, fix bugs, and improve test coverage. Now, code generated by these agents receives the same automatic security validation already available for GitHub Copilot cloud agent. Learn more by reading "Risks and mitigations for GitHub Copilot cloud agent."

When a third-party coding agent creates code in your repository, GitHub now automatically analyzes it for potential security vulnerabilities using CodeQL, checks newly introduced dependencies against the GitHub Advisory Database, and uses GitHub secret scanning to detect sensitive information such as API keys and tokens. If the analysis finds any issues, the agent attempts to resolve them before finalizing the pull request.

Since we released automatic code validation for Copilot cloud agent in October 2025, we’ve proactively prevented hundreds of potential security leaks and vulnerabilities. Extending this protection to third-party agents helps ensure that every line of agent-generated code undergoes the same security checks, regardless of which coding agent wrote it.