Tip: Use Copilot's /security-review as Triage, Not a Gate — It Shares Its Own False-Positive Profile
GitHub Changelog·medium signal
The new in-app /security-review is genuinely useful for catching injection, XSS, path-traversal, and weak-crypto issues in the uncommitted diff, but it is LLM-powered and Copilot's own history includes real prompt-injection CVEs — CamoLeak (CVE-2025-59145, CVSS 9.6) and RoguePilot in Codespaces. Run it early and often, keep a human in the loop, and don't auto-block merges solely on its verdict.