Microsoft
Microsoft
MicrosoftThis is an important limitation to understand. Content exclusion is an IDE‑level feature and is not enforced in Copilot CLI or Agent mode today. The safest approach is to ensure sensitive data is never present or accessible in the first place. Because of that, the best strategy is preventive, not exclusion‑based:
.ignore
.env
secrets.*
*.key
local.settings.json
*.pem
.env.*## Security rules
- Never read files matching *.env, *.pem, *.key
- Treat all configuration values as placeholders unless explicitly provided
- Never output secrets, credentials, tokens, or connection stringsSo we basically have to “hope” that copilot follows those rules… I agree that the best practice is to not have this content inside the repository or the environment but that is rarely possible. What about customer data that needs to be analyzed for debugging purpose ? It’s full of sensitive information. What about confidential data that is needed to build/run ? It’s required to stay local and may even contain private hardware keys…
A lot of codebases are old and often do not support the complete exclusion of secrets - and even then, your dev machine has access to them anyways or it would not be able to build/run locally.
That’s why i don’t understand why a super simple feature like that, does not exist (should be mandatory since day 1 nowadays). I mean it’s just that your connector (cli, plugin, or so on) needs to check if the requested file is on the block list. Basically like the gitignore… (some additional features for MCP would be nice)
Cant you ask the CCA to implement this quickly?
