Copilot auto model selection is now generally available in GitHub Copilot CLI for all Copilot plans. With auto, Copilot chooses the most efficient model on your behalf.
Auto is dynamic, giving you reliable access to your favorite models while mitigating rate limits. It routes to models like GPT-5.4, GPT-5.3-Codex, Sonnet 4.6, and Haiku 4.5 based on your plan and policies. The models auto will route to will change over time.
Transparency: See which model was used directly in the Copilot CLI.
Stay in control: Switch between auto and any specific model at any time.
Respects your policies: Auto honors all administrator model settings.
Premium request use for auto is billed based on the model it selects, which is currently limited to models with 0x to 1x multipliers like those listed above. All paid subscribers get a 10% discount on the model multiplier when using auto. For example, when auto uses a model that has a 1x multiplier, you’ll draw down 0.9 premium requests instead of 1.
Join the discussion within GitHub Community.
The post GitHub Copilot CLI now supports Copilot auto model selection appeared first on The GitHub Blog.
Agent skills are reshaping how developers work with AI coding agents. Today we’re launching gh skill, a new command in the GitHub CLI that makes it easy to discover, install, manage, and publish agent skills from GitHub repositories.
Agent skills are portable sets of instructions, scripts, and resources that teach AI agents how to perform specific tasks. They follow the open Agent Skills specification, and work across multiple agent hosts including GitHub Copilot, Claude Code, Cursor, Codex, and Gemini CLI among others.
With the new gh skill command, you can now install agent skills in a single command, right from the GitHub CLI.
Update the GitHub CLI to version v2.90.0 or later.
Then discover and install skills interactively:
# Browse skills in a repository and install them interactively
gh skill install github/awesome-copilot
# Or install a specific skill directly
gh skill install github/awesome-copilot documentation-writer
# Install a specific version using @tag
gh skill install github/awesome-copilot documentation-writer@v1.2.0
# Install at a specific commit SHA
gh skill install github/awesome-copilot documentation-writer@abc123def
# Discover skills
gh skill search mcp-apps
Skills are automatically installed to the correct directory for your agent host. You can target a specific agent and scope with flags:
gh skill install github/awesome-copilot documentation-writer --agent claude-code --scope user
Agent skills are executable instructions that shape how AI agents behave. A skill that changes silently between installs is a supply chain risk. gh skill brings the same guarantees you expect from package managers to the skills ecosystem, using primitives GitHub already provides.
Tags and releases: Every published release is tied to a git tag. gh skill publish offers to enable immutable releases, so release content cannot be altered after publication, even by admins.
Content-addressed change detection: Each installed skill records the git tree SHA of its source directory. gh skill update compares local SHAs against the remote to detect real content changes, not just version bumps. Because this information is stored in the skill's frontmatter, versioning and pinning are portable too, so you (or your agent) can copy and paste the skill to different projects without losing the ability to track changes and update it.
Version pinning: Lock a skill to a specific tag or commit SHA with --pin. Pinned skills are skipped during updates, so you upgrade deliberately, not accidentally.
Portable provenance via frontmatter: When gh skill installs a skill, it writes tracking metadata (repository, ref, tree SHA) directly into the SKILL.md frontmatter. Because provenance data lives inside the skill file itself, it travels with the skill no matter where it ends up. Skills get moved, copied, and reorganized by users, agents, and scripts.
# Pin to a release tag
gh skill install github/awesome-copilot documentation-writer --pin v1.2.0
# Pin to a commit for maximum reproducibility
gh skill install github/awesome-copilot documentation-writer --pin abc123def
If you maintain a skills repository, gh skill publish validates your skills against the agentskills.io spec and checks remote settings like tag protection, secret scanning, and code scanning. These settings are not required, but strongly recommended to improve the supply chain security of your repo.
Enabling immutable releases, for example, means even if someone gets control of your repository they cannot change existing releases, so users installing via tag pinning are fully protected. The publish command makes it trivial to enable these features.
# Validate all skills
gh skill publish
# Auto-fix metadata issues
gh skill publish --fix
gh skill update scans all known agent host directories, reads provenance metadata from each installed skill, and checks for upstream changes:
# Check for updates interactively
gh skill update
# Update a specific skill
gh skill update git-commit
# Update everything without prompting
gh skill update --all
Host: Install command example
GitHub Copilot: gh skill install OWNER/REPOSITORY SKILL
Claude Code: gh skill install OWNER/REPOSITORY SKILL --agent claude-code
Cursor: gh skill install OWNER/REPOSITORY SKILL --agent cursor
Codex: gh skill install OWNER/REPOSITORY SKILL --agent codex
Gemini CLI: gh skill install OWNER/REPOSITORY SKILL --agent gemini
Antigravity: gh skill install OWNER/REPOSITORY SKILL --agent antigravity
Check out the Agent Skills specification.
Join the discussion in GitHub Community.
gh skill is launching in public preview and it’s subject to change without notice.
Skills are installed at your own discretion. They are not verified by GitHub and may contain prompt injections, hidden instructions, or malicious scripts. We strongly recommend inspecting the content of skills before installation, which can be done via the gh skill preview command.
Join the GitHub Community.
The post Manage agent skills with GitHub CLI appeared first on The GitHub Blog.
GitHub repository rulesets are powerful, but it hasn’t been easy to spot trends like spikes in blocked pushes during an incident or patterns in bypass activity without digging through data in the rule insights page.
The new rule insights dashboard is now available in your repository’s Settings > Rules tab. It gives you a visual, high-level view of rule evaluation activity, including:
Successes, failures, and bypasses over time
The most active bypassers for your rulesets
Each chart links back to the rule insights page with filters prefilled, so you can quickly drill into specific statuses, bypassers, or time ranges.
Whether you’re responding to an incident or auditing bypass activity, the dashboard helps you spot trends at a glance and jump to the details when you need them.
Building on the filter bar improvements shipped in February, we’ve replaced custom dropdowns on several alert management pages with the same unified filter bar component. This affects:
GitHub code scanning alert dismissal requests at the enterprise and organization levels.
GitHub Dependabot alert dismissal requests at the enterprise and organization levels.
GitHub secret scanning alert dismissals at the enterprise and organization levels.
GitHub secret scanning push protection bypass requests at the enterprise, organization, and repository levels.
You now get a consistent filtering experience, including support for custom properties, across all of these pages.
Learn more about GitHub repository rulesets.
These experiences are available in public preview.
The post Rule insights dashboard and unified filter bar appeared first on The GitHub Blog.
Claude Opus 4.7, Anthropic’s latest Opus model, is now rolling out on GitHub Copilot. In our early testing, Opus 4.7 delivers stronger multi-step task performance and more reliable agentic execution, building on the coding strategy strengths of its predecessor. It also shows meaningful improvement in long-horizon reasoning and complex, tool-dependent workflows.
As part of our efforts to improve service reliability, we are streamlining our model offerings. Over the coming weeks, Opus 4.7 will replace Opus 4.5 and Opus 4.6 in the model picker for Copilot Pro+. We’ve seen strong improvements across our benchmarks, and we’re committed to providing individual users with state-of-the-art models while ensuring a fast, reliable Copilot experience.
This model is launching with a 7.5× premium request multiplier as part of promotional pricing until April 30th.
Claude Opus 4.7 will be available to Copilot Pro+, Business, and Enterprise users.
You’ll be able to select the model in the model picker in:
Visual Studio Code
Visual Studio
Copilot CLI
GitHub Copilot Coding Agent
github.com
GitHub Mobile iOS and Android
JetBrains
Xcode
Eclipse
Rollout will be gradual. Check back soon if you don’t see it yet.
Copilot Enterprise and Copilot Business plan administrators must enable the Claude Opus 4.7 policy in Copilot settings.
To explore all models available in GitHub Copilot, see our documentation on models and get started with Copilot.
Join the GitHub Community to share your feedback.
The post Claude Opus 4.7 is generally available appeared first on The GitHub Blog.
CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. We’ve recently released CodeQL 2.25.2, which brings a new Kotlin version update, various accuracy improvements, and a set of security severity score adjustments across multiple languages.
Java/Kotlin
Kotlin versions up to 2.3.20 are now supported for analysis.
The java/tainted-arithmetic query no longer flags arithmetic expressions used directly as an operand of a comparison in if-condition bounds-checking patterns, reducing false positives.
The java/potentially-weak-cryptographic-algorithm query no longer flags Elliptic Curve algorithms, HMAC-based algorithms, or PBKDF2 key derivation as potentially insecure, reducing false positives for this query.
C/C++
cpp/suspicious-add-sizeof, cpp/wrong-type-format-argument, and cpp/integer-multiplication-cast-to-long queries.
C#
The cs/constant-condition query has been simplified to produce fewer false positives. As a result, the cs/constant-comparison query has been removed, since cs/constant-condition now covers those results.
We’ve updated @security-severity scores across several languages to better align log injection and XSS queries with their actual impact:
C/C++: cpp/cgi-xss increased from medium (6.1) to high (7.8).
C#: cs/log-forging reduced from high (7.8) to medium (6.1); cs/web/xss increased from medium (6.1) to high (7.8).
Go: go/log-injection reduced from high (7.8) to medium (6.1); go/html-template-escaping-bypass-xss, go/reflected-xss, and go/stored-xss increased from medium (6.1) to high (7.8).
Java/Kotlin: java/log-injection reduced from high (7.8) to medium (6.1); java/android/webview-addjavascriptinterface, java/android/websettings-javascript-enabled, and java/xss increased from medium (6.1) to high (7.8).
Python: py/log-injection reduced from high (7.8) to medium (6.1); py/jinja2/autoescape-false and py/reflective-xss increased from medium (6.1) to high (7.8).
Ruby: rb/log-injection reduced from high (7.8) to medium (6.1); rb/reflected-xss, rb/stored-xss, and rb/html-constructed-from-input increased from medium (6.1) to high (7.8).
Swift: swift/unsafe-webview-fetch increased from medium (6.1) to high (7.8).
Rust: rust/log-injection increased from low (2.6) to medium (6.1); rust/xss increased from medium (6.1) to high (7.8).
For a full list of changes, please refer to the complete changelog for version 2.25.2. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on github.com. The new functionality in CodeQL 2.25.2 will also be included in a future GitHub Enterprise Server (GHES) release. If you use an older version of GHES, you can manually upgrade your CodeQL version.
The post CodeQL 2.25.2 adds Kotlin 2.3.20 support and other updates appeared first on The GitHub Blog.
You can now selectively enable GitHub Copilot cloud agent (CCA) access on a per-organization basis. Previously, enterprise admins and AI managers could only enable the agent everywhere, disable it everywhere,…
The post Enable Copilot cloud agent via custom properties appeared first on The GitHub Blog.
Dependabot and code scanning now support OpenID Connect (OIDC) authentication for private registries configured at the organization level, eliminating the need to store long-lived credentials as repository secrets. What’s new…
The post OIDC support for Dependabot and code scanning appeared first on The GitHub Blog.
Artifact and deployment context now appears in two new places: repository properties and security alert pages. Repository properties: deployable and deployed Two new built-in repository properties—deployable and deployed—are now available.…
The post Deployment context in repository properties and alerts appeared first on The GitHub Blog.
You can now link code scanning alerts to GitHub Issues, bringing security remediation into your existing planning and tracking workflows. This functionality is in public preview. With this update, you…
The post Link code scanning alerts to GitHub Issues appeared first on The GitHub Blog.
It’s now easier to configure Dependabot and code scanning for organizations that rely on multiple internal package feeds. Previously, organization-level settings only allowed a single private registry configuration per ecosystem…
The post Dependabot and code scanning: Org-level private registries appeared first on The GitHub Blog.
This week, we’re rolling out several improvements to our detection coverage, APIs, and workflows. These improvements strengthen our continued investment in the developer experience of our secret scanning features. Built…
The post Secret scanning pattern updates and product improvements appeared first on The GitHub Blog.
Software Bill of Materials (SBOM) exports from repository pages and new API endpoints are now asynchronous operations. Previously, navigating to a repository’s dependency graph page and clicking the Export SBOM…
The post SBOM exports are now computed asynchronously appeared first on The GitHub Blog.
Model selection is now available for the Claude and Codex third-party coding agents on github.com. Just like Copilot cloud agent, you can now select a model when kicking off a…
The post Model selection for Claude and Codex agents on github.com appeared first on The GitHub Blog.
We’ve updated the GitHub Code Quality experience to make it easier to navigate and triage findings across your repository. GitHub Code Quality standard findings help you detect potential reliability and…
The post GitHub Code Quality: Improvements to standard findings in public preview appeared first on The GitHub Blog.
GitHub Copilot now supports data residency for US and EU regions, ensuring all inference processing and associated data stay within your designated geography. For US government customers, all model hosts…
The post Copilot data residency in US + EU and FedRAMP compliance now available appeared first on The GitHub Blog.
You can now fix merge conflicts in three clicks with the new Fix with Copilot button on github.com, powered by Copilot cloud agent. Click the button, and a comment is…
The post Fix merge conflicts in three clicks with Copilot cloud agent appeared first on The GitHub Blog.
The Copilot CLI is no longer a purely local experience. Today we’re launching copilot --remote: With remote capabilities, you can now monitor and steer a running CLI session directly from…
The post Remote control CLI sessions on web and mobile in public preview appeared first on The GitHub Blog.
As GitHub Copilot continues to rapidly grow, we continue to observe an increase in patterns of high concurrency and intense usage. While we understand this can be driven by legitimate…
The post Enforcing new limits and retiring Opus 4.6 Fast from Copilot Pro+ appeared first on The GitHub Blog.
Note: We’ve recently renamed Copilot coding agent to Copilot cloud agent. We will be updating our data schema for all existing coding agent fields to reflect this change in the…
The post Copilot usage metrics now aggregate Copilot cloud agent active user counts appeared first on The GitHub Blog.
As GitHub Copilot continues to grow, we’ve seen a significant rise in abuse of our free trial system. To protect the experience and integrity of the platform for legitimate developers,…
The post Pausing new GitHub Copilot Pro trials appeared first on The GitHub Blog.