GitHub Copilot CLI: Dedicated /security-review Command
GitHub Copilot CLI introduced a new /security-review slash command as an experimental feature in public preview, giving developers an on-demand way to scan their code changes for security vulnerabilities directly from the terminal. The command surfaces findings ranked by severity and confidence, covers common vulnerability classes including injection flaws, XSS, insecure data handling, path traversal, and weak cryptography, and returns actionable remediation suggestions without requiring a context switch to a browser or external tool. It operates independently from GitHub's other security tools (code scanning, Dependabot, secret scanning), complementing them as a lightweight pre-commit check.
Copilot CLI Gets a Dedicated Security Review Command
GitHub added a /security-review slash command to Copilot CLI on June 10, 2026, giving developers a fast, terminal-native way to catch security vulnerabilities before code reaches a pull request. The command is currently available as an experimental feature in public preview.
What the Command Does
Running /security-review triggers a Copilot-powered scan of the current code changes. The output consists of security findings ranked by severity and confidence level, each accompanied by actionable recommendations the developer can apply without leaving the terminal. The scan is tuned to flag high-impact, commonly exploited vulnerability classes:
- Injection flaws (SQL injection, command injection, and similar patterns)
- Cross-site scripting (XSS)
- Insecure data handling
- Path traversal vulnerabilities
- Weak or broken cryptographic implementations
The focus on severity and confidence ranking helps developers prioritize which findings to address first rather than being overwhelmed by low-signal noise.
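To make one of the listed vulnerability classes concrete, here is an added example (not GitHub's or Copilot CLI's own code) of the path-traversal pattern such a review is meant to surface: a naive path join beside a hardened resolver that refuses anything outside the intended base directory. The base directory and file names are constructed sample values, and the function names are the example's own.

```python
"""Added example, not code from GitHub or Copilot CLI: a path-traversal
finding of the kind described above, shown as the vulnerable join beside
a hardened resolver. All paths below are constructed sample values."""
import os


def naive_join(base_dir: str, user_name: str) -> str:
    # Vulnerable pattern: os.path.join trusts the caller-supplied name, so
    # "../" segments walk out of base_dir and an absolute name replaces it.
    return os.path.join(base_dir, user_name)


def resolve_under_base(base_dir: str, user_name: str) -> str:
    # Hardened pattern: normalise both paths, then require that the result
    # still sits inside base_dir before any file is opened.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes base directory: {user_name!r}")
    return candidate


def is_inside_base(base_dir: str, user_name: str) -> bool:
    # Convenience predicate so the check can be applied before file access.
    try:
        resolve_under_base(base_dir, user_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    base = "/srv/uploads"  # constructed sample base directory
    for name in ["report.txt", "../etc/passwd", "/etc/passwd"]:
        print(f"{name!r}: naive -> {naive_join(base, name)} | "
              f"accepted by hardened check: {is_inside_base(base, name)}")
```

The hardened version compares against the canonical base after symlink resolution, so a name that is syntactically harmless but resolves elsewhere is still rejected; this is the kind of remediation a severity-ranked finding for path traversal would point at.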
How It Fits Into the Security Toolchain
The /security-review command operates independently of GitHub's established security tools. It does not rely on code scanning (CodeQL), Dependabot, or secret scanning. GitHub describes it as complementary: a lightweight, on-demand way to review changes before committing. Where code scanning runs in CI after a push and generates findings on pull requests, /security-review runs locally at development time, giving developers earlier feedback in the workflow.
A vulnerability caught during development, before the code is ever committed or shared, is significantly cheaper to fix than one discovered later in review or after merge. This "shift left" positioning is what makes the command a meaningful addition even for teams that already rely on CI-based security scanning.
How to Use It
To try the command, experimental mode must first be enabled in Copilot CLI. Once active, running /security-review in any project directory initiates the scan against the current set of changes.