Two new REST API endpoints return a daily per-repository breakdown of Copilot coding agent and Copilot code review PR activity at the enterprise and organization level.
GitHub Changelog
The Copilot usage metrics API now reports GitHub Copilot app activity in enterprise and organization 1-day and 28-day reports, including daily active users, session count, request count, and token usage breakdown.
Copilot code review now runs behind a configurable firewall by default, reads custom instructions from the head branch of pull requests, and supports custom setup steps via a dedicated copilot-code-review.yml workflow. Also added support for REVIEW.md, GEMINI.md, and CLAUDE.md files, and split organization runner configurations from Copilot cloud agent.
Copilot code review pull request comments in GitHub Mobile now include a "Fix with Copilot" button on the main view and individual review comments, allowing users to start a Copilot-assisted fix without manually composing a prompt.
GitHub Projects views now support logical AND and OR operators in the filter bar. Pull request items can be filtered by review state using reviews: search filter, and a new 90-day retention policy for deployment statuses is in effect.
Repository admins can now archive pull requests to remove them from public view without permanent deletion. Archived PRs are closed and locked, visible only to admins, and can be found with the is:archived filter.
Enterprise admins can now programmatically manage VSS assignments with three new REST API endpoints: list all subscriptions, map a UPN to a GitHub handle, and remove a manual match. This enables bulk matching for organizations where UPNs don't align with SCIM identities.
GitHub-hosted macOS runners now support Xcode 27 in public preview, with a new support model where each image is based on a major Xcode version rather than the underlying OS. Only available on arm64 runners; not supported on Intel.
Secret scanning now blocks VolcEngine secrets by default with push protection and adds Resend as a secret scanning partner alongside new APIclub and Resend detector types. The secret_scanning_alert webhook now includes a secret_category field, and the public monitoring alert list surfaces insight cards with attribution breakdowns.
Copilot usage tracking with real-time updates and proactive alerts is now available in Visual Studio, along with trust validation for MCP servers that detects configuration changes at startup. The C++ modernization agent reaches general availability, and next edit suggestions can now propose changes anywhere in the active file.
Custom endpoints with API keys are now supported for BYOK, plugin management for customizations is available through the marketplace or source repository, and Claude agent provider customizations are in public preview. Also added local sandboxing, a built-in debugger skill for Copilot CLI, and message re-edit support.
GitHub code scanning now surfaces AI-powered security detections directly on pull requests, expanding vulnerability coverage to languages and frameworks beyond those supported by CodeQL. Findings appear labeled with AI, require a GitHub Copilot license, and draw down AI credits during public preview.
Dependabot now waits three days after a new release appears on its registry before opening a version update pull request, protecting against supply chain attacks. Security updates are exempt and still open immediately. Admins can set a different window or opt out entirely via the cooldown option in dependabot.yml.
The /security-review slash command, now in public preview in the GitHub Copilot app, scans in-flight code changes for vulnerabilities like injection flaws, XSS, and insecure data handling. It returns scored findings and actionable suggestions without leaving the editor, available to all Copilot users during preview.
Security teams can create, edit, and manage secret scanning custom patterns via REST API endpoints for list, create, update, and delete operations at repository, organization, and enterprise levels.
GitHub Code Quality usage estimates are now available in the Billing and Licensing page, showing the number of active committers and projected monthly cost before the product becomes paid at $10 per committer per month on July 20, 2026.
The combined SSO & Organizations page in user settings is now split into two distinct pages: SSO and Organizations, making each set of settings easier to find and manage independently.
CodeQL now supports Kotlin up to 2.4.0 and introduces a JavaScript/TypeScript query for system prompt injection targeting untrusted values flowing into AI model system prompts. Also adds Razor page handler parameters as remote flow sources for C# security queries, models for Go log/slog, and prompt injection sinks for additional OpenAI, Anthropic, and Google GenAI SDK APIs.
Non-provider patterns are now called generic patterns, and Copilot secret scanning is now AI-detected secrets. Detection behavior is unchanged; all existing documentation links, webhook events, and REST API endpoints continue to work.
Agentic autofix is now in public preview for code scanning alerts, remediating alerts by exploring relevant files, proposing a fix, and rerunning CodeQL to confirm the fix closes the alert before opening a pull request. It requires GitHub Code Security or Advanced Security and a Copilot license with cloud agent enabled.

