GitHub just shipped the most useful security feature in the Copilot app since Code Scanning — and it is a slash command. No experimental-mode opt-in. No terminal incantation. No Copilot Business upgrade gate. Type the command in the Copilot desktop app, and an LLM scans your uncommitted diff for injection, XSS, weak cryptography, path traversal, and insecure data handling before a single character of vulnerable code reaches your repo. This is the first time GitHub Copilot's pre-commit vulnerability scanning is available to every subscriber — Free tier included — and the timing is not coincidental.

GitHub Copilot is, by GitHub's own positioning, the largest single source of AI-generated code in the world. Veracode's 2025 GenAI Code Security Report tested more than 100 large language models across 80 representative programming tasks and found that 45% of AI-generated code introduces at least one OWASP vulnerability. GitHub is, in other words, simultaneously the entity most responsible for the volume of potentially vulnerable AI code reaching developer machines and the entity now shipping a pre-commit tool to catch it before it lands in a pull request. That is a rare honest loop: ship the fire, ship the extinguisher, give both away to the same audience.