This is an important limitation to understand. Content exclusion is an IDE‑level feature and is not enforced in Copilot CLI or Agent mode today. The safest approach is to ensure sensitive data is never present or accessible in the first place. Because of that, the best strategy is preventive, not exclusion‑based:
- Don’t keep sensitive data in the repository or working directory: Use secret managers, environment variables, or managed identities instead of files.
- Treat Copilot CLI and Agent mode as operating with developer‑level permissions: If a developer can read a file, an agent potentially can too.
- Practice strong repo hygiene: Use .gitignore, sandboxed working directories, and secret‑scanning tooling. Example .gitignore:

  ```gitignore
  .env
  secrets.*
  *.key
  local.settings.json
  *.pem
  .env.*
  ```
- Add guardrails via Copilot instructions or AGENTS.md: Explicitly forbid handling sensitive data:

  ```markdown
  ## Security rules
  - Never read files matching *.env, *.pem, *.key
  - Treat all configuration values as placeholders unless explicitly provided
  - Never output secrets, credentials, tokens, or connection strings
  ```
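A small pre-flight check for the repo-hygiene point above, written here as an added example (not code from the original post or from GitHub): before handing a working tree to an agent, list files that look like secrets and report which ones the root .gitignore does not actually cover. It uses only basename matching with `fnmatch` as an assumption, so gitignore features such as anchoring, directory rules and negation are not modelled; the sample tree is constructed inline.

```python
"""Report secret-looking files in a working tree that .gitignore does not cover."""
import fnmatch
import os
import tempfile

# Filename patterns taken from the .gitignore example above.
SENSITIVE_PATTERNS = [".env", ".env.*", "secrets.*", "*.key", "*.pem", "local.settings.json"]


def load_ignore_patterns(root):
    """Read non-comment, non-empty lines from <root>/.gitignore (simplified gitignore parsing)."""
    path = os.path.join(root, ".gitignore")
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return [ln.strip() for ln in fh if ln.strip() and not ln.lstrip().startswith("#")]


def matches_any(name, patterns):
    return any(fnmatch.fnmatch(name, p) for p in patterns)


def find_unignored_secrets(root):
    """Return sorted relative paths of sensitive-looking files not matched by any ignore pattern."""
    ignore = load_ignore_patterns(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # never descend into .git
        for name in filenames:
            if matches_any(name, SENSITIVE_PATTERNS) and not matches_any(name, ignore):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append(rel.replace(os.sep, "/"))
    return sorted(findings)


def demo():
    """Constructed sample tree: an incomplete .gitignore plus a few secret-looking files."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "config"))
    with open(os.path.join(root, ".gitignore"), "w", encoding="utf-8") as fh:
        fh.write("# partial hygiene\n.env\n*.pem\n")  # misses .env.* and *.key
    for rel in [".env", ".env.local", "config/app.key", "cert.pem", "README.md"]:
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write("placeholder\n")  # constructed content, not a real secret
    return find_unignored_secrets(root)  # returns ['.env.local', 'config/app.key']


if __name__ == "__main__":
    for path in demo():
        print("NOT IGNORED:", path)
```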