AzureFeeds

Introduction 

In today’s fast-paced development environments, security is often an afterthought-until it’s too late. With the rise of AI-assisted development tools like GitHub Copilot, developers now have a powerful ally not just for writing code, but also for reviewing it. This blog explores how GitHub Copilot can be used to perform secure code reviews using a structured, prompt-driven approach. 

By integrating GitHub Copilot into the code review process, developers can use its AI-driven insights to identify security flaws early in the development process. This tool’s ability to parse and understand a wide range of programming languages and frameworks allows it to serve as an additional layer of scrutiny, complementing both automated and manual review processes. The structured, prompt-driven method ensures that specific security concerns are systematically addressed, thereby enhancing the overall robustness of the codebase. 

By integrating security-focused prompts into the workflow, developers are nudged towards more secure coding habits, thereby reducing the likelihood of introducing vulnerabilities in the first place. This not only enhances the security posture of the codebase but also fosters a culture of security awareness among developers. 

 

Why Use GitHub Copilot for Security Reviews? 

GitHub Copilot, powered by AI, can analyse code snippets, suggest improvements, and even detect potential vulnerabilities. While it’s not a replacement for manual reviews or automated scanners, it offers several advantages: 

• Time Efficiency: Allows developers to focus on complex security reviews by automating routine checks. 

• Real-time Feedback: Provides immediate suggestions to improve code security as developers write. 

• Language Versatility: Supports a wide range of programming languages and frameworks. 

• Reducing Human Error: Minimizes common mistakes by providing best practice suggestions. 

• Consistency: Applies the same logic across files and projects. 

• Coverage: Can be prompted to look for specific vulnerabilities across large codebases. 

However, Copilot has limitations. It may lack full context in large projects, and its suggestions should always be confirmed by a human reviewer. 

Building a Prompt Library for Security 

To make the most of Copilot, a structured prompt library is created which is categorized by common security concerns. Entry includes: 

• A prompt to use with Copilot 


• Vulnerable Code snippets 


• GHCP Response 

This library is designed to be used interactively with GitHub Copilot Chat or inline suggestions. 

Use Cases  

Injection Attacks

Prompt: 

– Identify all the instances in the where user supplied parameter checks against Format, Length and Range are not validated. 

Vulnerable Code Snippet: 

 

 

 

GHCP Response: 

 

SQL Injection Detection 

Prompt:   

Find potential SQL injection vulnerabilities in #filename.sql, #filename.cs. 

#filename.cs – Analyse the endpoint in this Controller and verify if it is vulnerable to SQL injection vulnerability.  

What it does:   

Copilot scans for dynamic SQL queries where user input is directly concatenated, flagging them as potential injection points. 

Vulnerable Code: 

 

 

GHCP Response: 

 

Follow-up prompts: 

• Show a secure way to handle SQL queries using parameterized queries. 

• Find all instances where parameterized SQL statements can be used. 

Error Handling & Logging 

Prompt:   

Identify if any file accepts user-supplied input for logging. Could this lead to log poisoning? 

Vulnerable Code Snippet: 

 

 

GHCP Response: 

 

Response:   

Copilot flags unsafe logging practices and recommends sanitizing inputs or using structured logging frameworks. 

Third-party Libraries 

Prompt:   

List all third-party and open-source libraries, including versions and publisher info. 

Note:   

Long responses may be truncated. Use follow-up prompts like: 

– Find any vulnerabilities associated with these libraries. 

Vulnerable Code Snippet: 

 

GHCP Response: 

 

Authentication & Authorization 

Prompts: 

• Analyse the project file and explain how authentication is handled. 

• Explain how token validation is managed, including verification of security parameters such as issuer, audience, scope, expiration time, etc. 

Vulnerable Code Snippet:  

Authorization-specific: 

• Describe how data-level checks are implemented to prevent horizontal privilege escalation. 

These prompts help uncover weak or missing access controls and suggest best practices for secure implementation.  

GHCP Response: 

Hardcoded Credentials 

Prompt:   

Search for hardcoded credentials in #filename.cs. 

Observation:   

Copilot finds base64-encoded strings or plaintext credentials and suggests storing them in environment variables or a secrets manager.  

External Communications 

Prompt:   

Analyse external calls and report if they use unencrypted channels like HTTP or FTP. 

-This helps detect insecure data transmission that could be intercepted. 

User-Controlled Loops 

Prompt:   

Analyse this function to decide if user input controls loop iterations. Could this lead to a DoS vulnerability? 

– Useful for finding performance bottlenecks or denial-of-service risks. 

Miscellaneous Checks 

Prompts: 

1. Highlight potential XSS issues in this JavaScript code. 

1. Find insecure deserialization patterns in . 

1. Identify all the instances in the where Object is deserialized into dynamic or object types. 

1. Generate code to encrypt sensitive data using AES-256. 

1. Search the solution for OWASP Top 10 vulnerabilities. 

1. Search the solution for SANS Top 25 vulnerabilities. 

These helps cover a wide range of security concerns beyond the basics. 

Cloud Resource Provisioning (IaC) 

This is especially useful for DevSecOps teams reviewing infrastructure-as-code. 

Prompts: 

1. List all cloud resources provisioned via. bicep, .tf, or ARM templates. 

1. Find misconfigurations and provide Rule ID links with fix examples. 

1. Identify hardcoded credentials in scripts. 

1. Check for excessive permissions in IAM policies. 

1. Validate proper use of security groups and firewall rules. 

1. Detect usage of deprecated API versions. 

1. Ensure encryption is enabled for data at rest and in transit. 

1. Verify the application of least privilege principles. 

1. Identify unprotected secrets in environment variables or config files. 

1. Check for the use of unsupported or outdated libraries. 

1. Find instances of insecure storage configurations (e.g., Azure Storage Accounts). 

1. Ensure compliance with relevant security benchmarks (e.g., CIS, NIST).  

Tips for Effective Prompting 

• Use file-specific prompts (e.g., #filename.cs) for better accuracy. 

• Combine broad prompts with targeted follow-ups.  

• Use natural language queries to describe security concerns clearly. 

• Leverage code comments to guide Copilot’s focus on specific areas. 

• Incorporate examples of ideal code patterns for better suggestions. 

• Utilize iterative prompting to refine the results progressively. 

• Cross-reference Copilot’s output with security guidelines and best practices. 

• Use Copilot Chat for interactive exploration and clarification. 

• Always confirm Copilot’s suggestions in sensitive Use cases. 

Challenges and Considerations 

• Context limitations: Copilot may not understand the full project structure. 

• Response truncation: Long outputs may be cut off-rephrase or narrow the scope. 

• Human oversight: Always review AI-generated insights before acting on them. 

Conclusion 

GitHub Copilot is a powerful tool that can aid developers in writing secure code. By using a structured prompt library, developers and security engineers can proactively find and remediate vulnerabilities across the SDLC. While not a silver bullet, Copilot can significantly reduce the time and effort needed for security analysis-especially when paired with human ability. It can also help to find potential vulnerabilities in development phase of SDLC.