GitHub Copilot Coding Agent: Five Updates That Actually Matter

TL;DR

• Model picker lets you choose speed vs. power per task — faster models for tests, robust ones for refactors
• Agent now self-reviews its code before opening PRs, catching awkward patterns you'd otherwise fix manually
• Built-in security scanning (code, secrets, dependencies) runs during agent work — free, even without GitHub Advanced Security
• Custom agents codify your team's process in .github/agents/ — one team built a performance optimizer that benchmarks before and after
• Cloud-to-CLI handoff preserves full context — start in browser, finish in terminal, or delegate back with &

The Big Picture

GitHub Copilot coding agent is the part of Copilot that works when you're not looking. You assign it an issue. It goes off, writes code, runs tests, opens a pull request. You review when it's done.

The pitch has always been: delegate the boring stuff. The reality has been messier. Agent output often needed cleanup. You couldn't control which model ran your task. Security checks happened after the PR, not during. And switching between cloud and local meant losing context.

Five recent updates change that. Model selection gives you control over speed and capability. Self-review means the agent iterates on its own code before you see it. Security scanning catches vulnerabilities and secrets before the PR opens. Custom agents let you encode your team's actual process. And CLI handoff preserves full context when you move between environments.

This isn't about hype. It's about whether the agent can handle real work without creating more work for you. These updates move it closer to that line.

How It Works

Model selection is the most straightforward change. Open the Agents panel in GitHub, pick your repo, and choose a model. Fast models for unit tests. Robust models for gnarly refactors or integration tests with edge cases. Auto mode if you don't want to think about it.

Before this, every task ran on a single default model. You couldn't pay for more power when you needed it, and you couldn't prioritize speed when you didn't. Now you can. Model selection is live for Copilot Pro and Pro+ users. Business and Enterprise support is coming.

Self-review is where things get interesting. The agent now runs Copilot code review on its own changes before opening the pull request. It gets feedback, iterates, and improves the patch. By the time you're tagged for review, someone already went through it.

In one demo session, the agent caught its own overly complex string concatenation and fixed it before the PR landed. That kind of cleanup used to be your job. Now it happens before you see the diff. You still review the final output, but the obvious stuff is already handled.

To see this in action, assign an issue to Copilot or create a task from the Agents panel. Click into the task to view the logs. You'll see the moments where the agent ran code review and applied feedback. The pull request only gets opened after iteration.

Security scanning runs during the agent's workflow, not after. Code scanning, secret scanning, and dependency vulnerability checks all happen before the pull request opens. If a dependency has a known CVE, or something looks like a committed API key, it gets flagged immediately.

Code scanning is normally part of GitHub Advanced Security. With Copilot coding agent, you get it for free. Run any task through the Agents panel and check the session logs. You'll see scanning entries as the agent works. By the time you review the PR, it's already been through the security filter.

Custom agents let you codify your team's process. Create a file under .github/agents/ and define a specific approach. A performance optimizer agent, for example, can be wired to benchmark first, make the change, then measure the difference before opening a pull request.

In a recent GitHub Checkout demo, a custom agent benchmarked a lookup, made a targeted fix, and came back with a 99% improvement on that one function. Small scope, real data, no guessing. You can share custom agents across your org or enterprise, so the same process applies everywhere teams are using the coding agent.

To get started, create an agent file under .github/agents/ in your repo. Open the Agents panel, start a new task, and select your custom agent from the options. Write a prompt scoped to what that agent does.

CLI handoff solves the context-switching problem. Start a task in the cloud, then pull it into your terminal with full context — branch, logs, everything. Or press & in the CLI to push work back to the cloud and keep going locally.

Before this, switching contexts meant starting the conversation over. Now it doesn't. Start a task with Copilot coding agent and wait for the session to appear. Click "Continue in Copilot CLI" and copy the command. Paste it in your terminal to load the session locally. Press & to delegate work back to the cloud.

What This Changes For Developers

The model picker changes how you think about task delegation. Before, you had to guess whether the agent could handle something. Now you can tune the model to the task. Fast model for adding unit tests. Robust model for a refactor that touches multiple files. Auto mode when you don't care.

Self-review changes what you see in the diff. The agent still makes mistakes, but the obvious ones — awkward logic, overly complex patterns — get caught before you're tagged. You're reviewing a second draft, not a first pass.

Security scanning changes the risk profile. AI-generated code can introduce vulnerabilities faster than human-written code. Catching those issues during the agent's workflow, not after the PR opens, means fewer security surprises in review. And you get code scanning for free, even if you're not on GitHub Advanced Security.

Custom agents change how teams standardize. Instead of writing the same instructions in every prompt, you encode the process once. A performance optimizer that benchmarks before and after. A test generator that follows your team's conventions. A refactoring agent that checks for breaking changes. Share it across your org and everyone gets the same behavior.

CLI handoff changes how you move between environments. Start something in the cloud while you're in a meeting. Pull it into your terminal when you're back at your desk. Push it back to the cloud when you need to context-switch. The agent keeps working, and you don't lose the thread.

If you're already using GitHub Copilot CLI for terminal workflows, the handoff feature extends that into background tasks. If you're managing agent work across a team, custom agents give you the standardization you've been hacking together with prompt templates.

Try It Yourself

Model selection is available now for Copilot Pro and Pro+ users. Open the Agents panel in GitHub, select your repo, and pick a model. Write a clear prompt and kick off the task. Leave it on auto if you'd rather let GitHub choose.

Self-review is automatic. Assign an issue to Copilot or create a task from the Agents panel. Click into the task to view the logs. Look for the moments where the agent ran Copilot code review and applied feedback. Review the pull request when prompted.

Security scanning is also automatic. Run any task through the Agents panel and check the session logs as it runs. You'll see scanning entries as the agent works. Review the pull request knowing it's already been through the security filter.

Custom agents require setup. Create a file under .github/agents/ in your repo and define your agent's behavior. Open the Agents panel, start a new task, and select your custom agent. Write a prompt scoped to what that agent does. GitHub's docs have examples to get you started.

CLI handoff works once you have a task running. Start a task with Copilot coding agent and wait for the session to appear. Click "Continue in Copilot CLI" and copy the command. Paste it in your terminal to load the session locally. Press & to delegate work back to the cloud.

The Bottom Line

Use this if you're already delegating work to Copilot and hitting friction. Model selection fixes the "wrong tool for the job" problem. Self-review fixes the "obvious cleanup" problem. Security scanning fixes the "surprise vulnerability" problem. Custom agents fix the "inconsistent process" problem. CLI handoff fixes the "lost context" problem.

Skip this if you're not yet comfortable delegating tasks to an agent. These updates make the agent better at what it already does. They don't change the fundamental workflow: you assign work, the agent does it, you review the output. If that workflow doesn't fit your process yet, these updates won't change that.

The real opportunity is custom agents. If your team has a repeatable process — performance optimization, test generation, refactoring with specific constraints — encoding it once and sharing it across your org is a leverage point. The 99% performance improvement from the benchmarking agent wasn't luck. It was a well-defined process that ran consistently.

The real risk is treating the agent like a junior developer who never learns. Self-review helps, but it's not a substitute for clear prompts and well-scoped tasks. If you're assigning vague work and expecting perfect output, you'll still be disappointed. These updates make the agent more capable. They don't make it clairvoyant.

Source: GitHub Blog