releases.shpreview

GitHub Changelog

Mon
Wed
Fri
JulAugSepOctNovDecJanFebMarAprMayJunJul
Less
More
Releases271Avg83/moVersionsv2.5 to v5.6

The Copilot usage metrics API now reports GitHub Copilot app activity in enterprise and organization 1-day and 28-day reports, including daily active users, session count, request count, and token usage breakdown.

Read more →

Copilot code review now runs behind a configurable firewall by default, reads custom instructions from the head branch of pull requests, and supports custom setup steps via a dedicated copilot-code-review.yml workflow. Also added support for REVIEW.md, GEMINI.md, and CLAUDE.md files, and split organization runner configurations from Copilot cloud agent.

Read more →

GitHub Projects views now support logical AND and OR operators in the filter bar. Pull request items can be filtered by review state using reviews: search filter, and a new 90-day retention policy for deployment statuses is in effect.

Read more →

Custom endpoints with API keys are now supported for BYOK, plugin management for customizations is available through the marketplace or source repository, and Claude agent provider customizations are in public preview. Also added local sandboxing, a built-in debugger skill for Copilot CLI, and message re-edit support.

Read more →

GitHub code scanning now surfaces AI-powered security detections directly on pull requests, expanding vulnerability coverage to languages and frameworks beyond those supported by CodeQL. Findings appear labeled with AI, require a GitHub Copilot license, and draw down AI credits during public preview.

Read more →

Dependabot now waits three days after a new release appears on its registry before opening a version update pull request, protecting against supply chain attacks. Security updates are exempt and still open immediately. Admins can set a different window or opt out entirely via the cooldown option in dependabot.yml.

Read more →

The /security-review slash command, now in public preview in the GitHub Copilot app, scans in-flight code changes for vulnerabilities like injection flaws, XSS, and insecure data handling. It returns scored findings and actionable suggestions without leaving the editor, available to all Copilot users during preview.

Read more →
v2.26.0

CodeQL now supports Kotlin up to 2.4.0 and introduces a JavaScript/TypeScript query for system prompt injection targeting untrusted values flowing into AI model system prompts. Also adds Razor page handler parameters as remote flow sources for C# security queries, models for Go log/slog, and prompt injection sinks for additional OpenAI, Anthropic, and Google GenAI SDK APIs.

Read more →

Agentic autofix is now in public preview for code scanning alerts, remediating alerts by exploring relevant files, proposing a fix, and rerunning CodeQL to confirm the fix closes the alert before opening a pull request. It requires GitHub Code Security or Advanced Security and a Copilot license with cloud agent enabled.

Read more →
Last Checked
2h ago
Latest
Jul 17, 2026
Tracking since Apr 8, 2026