AImpact
High AI Coding · 1 min read

GitHub Copilot Coding Agent: model picker, self-review, and built-in security scanning

In one sentence: GitHub upgrades the Copilot coding agent with a per-task model picker, self-review before opening PRs, in-workflow code, secret, and dependency scanning, custom agents in .github/agents/, and CLI handoff. Copilot CLI hits GA the same day.


In May 2025 GitHub shipped the "Copilot coding agent": you give the bot a task on GitHub.com, and it spins up a branch, writes code, and opens a PR. The problem in the early months: it always ran on the same model, didn't double-check its own work, and could commit code with vulnerabilities or leaked secrets.

On February 26, 2026 an update closes all three holes:

  • Model picker: choose the model per task. Sonnet 4.6 for hard refactors, faster models for trivial fixes.
  • Self-review: before opening the PR for humans, the agent runs Copilot code review on itself, takes the feedback, iterates. By the time it lands in your queue, it's already "one pass ahead".
  • Security built-in: code scanning, secret scanning, and dependency vulnerability checks run inside the agent's workflow. If the agent spots a committed API key or a known vulnerability, it flags it before opening the PR.
  • Custom agents: define .github/agents/foo.md in the repo with your own rules (linting, style, processes). The agent reads and respects them.
  • CLI handoff: hand off a session from the cloud agent to the local Copilot CLI and vice versa.

Same day, the Copilot CLI hits GA.

Companies

GitHub, Microsoft

Tools

GitHub Copilot, Copilot CLI, Copilot coding agent

Tags

GitHub, Copilot, Coding Agent, Microsoft, Security
