{"id":96655,"date":"2026-06-09T00:12:54","date_gmt":"2026-06-09T07:12:54","guid":{"rendered":"https:\/\/github.blog\/changelog\/2026-06-09-security-validation-for-third-party-coding-agents"},"modified":"2026-06-09T06:53:59","modified_gmt":"2026-06-09T13:53:59","slug":"security-validation-for-third-party-coding-agents","status":"publish","type":[3522],"link":"https:\/\/github.blog\/changelog\/2026-06-09-security-validation-for-third-party-coding-agents","title":{"rendered":"Security validation for third-party coding agents"},"content":{"rendered":"<!DOCTYPE html PUBLIC \"-\/\/W3C\/\/DTD HTML 4.0 Transitional\/\/EN\" \"http:\/\/www.w3.org\/TR\/REC-html40\/loose.dtd\">\n<html><body><p>Security validation for third-party coding agents is now generally available. GitHub supports third-party coding agents (including Claude and OpenAI Codex) that work directly within your repositories to implement features, fix bugs, and improve test coverage. Now, code generated by these agents receives the same automatic security validation already available for GitHub Copilot cloud agent. Learn more by reading <a href=\"https:\/\/docs.github.com\/copilot\/concepts\/agents\/cloud-agent\/risks-and-mitigations#unvalidated-code-can-introduce-vulnerabilities\">Risks and mitigations for GitHub Copilot cloud agent<\/a>.<\/p>\n<p>When a third-party coding agent creates code in your repository, GitHub now automatically analyzes it for potential security vulnerabilities using CodeQL, checks newly introduced dependencies against the GitHub Advisory Database, and uses GitHub secret scanning to detect sensitive information such as API keys and tokens. If the analysis finds any issues, the agent attempts to resolve them before finalizing the pull request.<\/p>\n<p>Since we released <a href=\"https:\/\/github.blog\/changelog\/2025-10-28-copilot-coding-agent-now-automatically-validates-code-security-and-quality\/\">automatic code validation for Copilot cloud agent in October 2025<\/a>, we&rsquo;ve proactively prevented hundreds of potential security leaks and vulnerabilities. Extending this protection to third-party agents helps ensure that every line of agent-generated code undergoes the same security checks, regardless of which coding agent wrote it.<\/p>\n<p>These security validations are on by default and follow your repository&rsquo;s Copilot settings for which validation tools to use. If you&rsquo;ve already enabled security validation for Copilot cloud agent, third-party agents will automatically receive the same protections. Security validation doesn&rsquo;t require a GitHub Advanced Security license. See <a href=\"https:\/\/docs.github.com\/copilot\/how-tos\/use-copilot-agents\/cloud-agent\/configuring-agent-settings#enabling-or-disabling-built-in-code-quality-and-security-validation-tools\">Configuring agent settings<\/a> for more information.<\/p>\n<\/body><\/html>\n","protected":false},"excerpt":{"rendered":"<p>Security validation for third-party coding agents is now generally available. GitHub supports third-party coding agents (including Claude and OpenAI Codex) that work directly within your repositories to implement features, fix&hellip;<\/p>\n","protected":false},"author":2106,"featured_media":96656,"template":"","meta":{"_gh_post_show_toc":"","_gh_post_is_no_robots":"","_gh_post_is_featured":"","_gh_post_is_excluded":"","_gh_post_is_unlisted":"","_gh_post_related_link_1":"","_gh_post_related_link_2":"","_gh_post_related_link_3":"","_gh_post_sq_img":"","_gh_post_sq_img_id":"","_gh_post_cta_title":"","_gh_post_cta_text":"","_gh_post_cta_link":"","_gh_post_cta_button":"","_gh_post_recirc_hide":"","_gh_post_recirc_col_1":"","_gh_post_recirc_col_2":"","_gh_post_recirc_col_3":"","_gh_post_recirc_col_4":"","_featured_video":"","_gh_post_additional_query_params":"","footnotes":"","_links_to":"","_links_to_target":"","primary_cta":"","primary_cta_url":"","secondary_cta":"","secondary_cta_url":""},"label":[3627,2765],"group":[3865],"coauthors":[3100],"class_list":["post-96655","changelog","type-changelog","status-publish","has-post-thumbnail","hentry","changelog-type-improvements","changelog-label-application-security","changelog-label-copilot","changelog-group-06-2026"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.7 (Yoast SEO v27.7) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Security validation for third-party coding agents - GitHub Changelog<\/title>\n<meta name=\"description\" content=\"Code generated by third-party agents will receive automatic security and quality validation.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/github.blog\/changelog\/2026-06-09-security-validation-for-third-party-coding-agents\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Security validation for third-party coding agents \u00b7 GitHub Changelog\" \/>\n<meta property=\"og:description\" content=\"Code generated by third-party agents will receive automatic security and quality validation.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/github.blog\/changelog\/2026-06-09-security-validation-for-third-party-coding-agents\/\" \/>\n<meta property=\"og:site_name\" content=\"The GitHub Blog\" \/>\n<meta property=\"article:modified_time\" content=\"2026-06-09T13:53:59+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/github.blog\/wp-content\/uploads\/2026\/06\/604533181-35cdb18b-9cec-469d-b7f7-5822ebf44a7c.png\" \/>\n\t<meta property=\"og:image:width\" content=\"2064\" \/>\n\t<meta property=\"og:image:height\" content=\"1140\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"2 minutes\" \/>\n\t<meta name=\"twitter:label2\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data2\" content=\"Allison\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/github.blog\\\/changelog\\\/2026-06-09-security-validation-for-third-party-coding-agents\\\/\",\"url\":\"https:\\\/\\\/github.blog\\\/changelog\\\/2026-06-09-security-validation-for-third-party-coding-agents\\\/\",\"name\":\"Security validation for third-party coding agents - The GitHub Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/github.blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/github.blog\\\/changelog\\\/2026-06-09-security-validation-for-third-party-coding-agents\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/github.blog\\\/changelog\\\/2026-06-09-security-validation-for-third-party-coding-agents\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/github.blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/604535744-2cab4ed5-314c-4655-88de-c81cdc17d5b4.jpg?fit=2064%2C1140\",\"datePublished\":\"2026-06-09T07:12:54+00:00\",\"dateModified\":\"2026-06-09T13:53:59+00:00\",\"description\":\"Code generated by third-party agents will receive automatic security and quality validation.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/github.blog\\\/changelog\\\/2026-06-09-security-validation-for-third-party-coding-agents\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/github.blog\\\/changelog\\\/2026-06-09-security-validation-for-third-party-coding-agents\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/github.blog\\\/changelog\\\/2026-06-09-security-validation-for-third-party-coding-agents\\\/#primaryimage\",\"url\":\"https:\\\/\\\/github.blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/604535744-2cab4ed5-314c-4655-88de-c81cdc17d5b4.jpg?fit=2064%2C1140\",\"contentUrl\":\"https:\\\/\\\/github.blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/604535744-2cab4ed5-314c-4655-88de-c81cdc17d5b4.jpg?fit=2064%2C1140\",\"width\":2064,\"height\":1140,\"caption\":\"Security validation for third-party coding agents\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/github.blog\\\/changelog\\\/2026-06-09-security-validation-for-third-party-coding-agents\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/github.blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Changelogs\",\"item\":\"https:\\\/\\\/github.blog\\\/changelog\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Security validation for third-party coding agents\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/github.blog\\\/#website\",\"url\":\"https:\\\/\\\/github.blog\\\/\",\"name\":\"The GitHub Blog\",\"description\":\"Updates, ideas, and inspiration from GitHub to help developers build and design software.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/github.blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Security validation for third-party coding agents - GitHub Changelog","description":"Code generated by third-party agents will receive automatic security and quality validation.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/github.blog\/changelog\/2026-06-09-security-validation-for-third-party-coding-agents\/","og_locale":"en_US","og_type":"article","og_title":"Security validation for third-party coding agents \u00b7 GitHub Changelog","og_description":"Code generated by third-party agents will receive automatic security and quality validation.","og_url":"https:\/\/github.blog\/changelog\/2026-06-09-security-validation-for-third-party-coding-agents\/","og_site_name":"The GitHub Blog","article_modified_time":"2026-06-09T13:53:59+00:00","og_image":[{"width":2064,"height":1140,"url":"https:\/\/github.blog\/wp-content\/uploads\/2026\/06\/604533181-35cdb18b-9cec-469d-b7f7-5822ebf44a7c.png","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"2 minutes","Written by":"Allison"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/github.blog\/changelog\/2026-06-09-security-validation-for-third-party-coding-agents\/","url":"https:\/\/github.blog\/changelog\/2026-06-09-security-validation-for-third-party-coding-agents\/","name":"Security validation for third-party coding agents - The GitHub Blog","isPartOf":{"@id":"https:\/\/github.blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/github.blog\/changelog\/2026-06-09-security-validation-for-third-party-coding-agents\/#primaryimage"},"image":{"@id":"https:\/\/github.blog\/changelog\/2026-06-09-security-validation-for-third-party-coding-agents\/#primaryimage"},"thumbnailUrl":"https:\/\/github.blog\/wp-content\/uploads\/2026\/06\/604535744-2cab4ed5-314c-4655-88de-c81cdc17d5b4.jpg?fit=2064%2C1140","datePublished":"2026-06-09T07:12:54+00:00","dateModified":"2026-06-09T13:53:59+00:00","description":"Code generated by third-party agents will receive automatic security and quality validation.","breadcrumb":{"@id":"https:\/\/github.blog\/changelog\/2026-06-09-security-validation-for-third-party-coding-agents\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/github.blog\/changelog\/2026-06-09-security-validation-for-third-party-coding-agents\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/github.blog\/changelog\/2026-06-09-security-validation-for-third-party-coding-agents\/#primaryimage","url":"https:\/\/github.blog\/wp-content\/uploads\/2026\/06\/604535744-2cab4ed5-314c-4655-88de-c81cdc17d5b4.jpg?fit=2064%2C1140","contentUrl":"https:\/\/github.blog\/wp-content\/uploads\/2026\/06\/604535744-2cab4ed5-314c-4655-88de-c81cdc17d5b4.jpg?fit=2064%2C1140","width":2064,"height":1140,"caption":"Security validation for third-party coding agents"},{"@type":"BreadcrumbList","@id":"https:\/\/github.blog\/changelog\/2026-06-09-security-validation-for-third-party-coding-agents\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/github.blog\/"},{"@type":"ListItem","position":2,"name":"Changelogs","item":"https:\/\/github.blog\/changelog\/"},{"@type":"ListItem","position":3,"name":"Security validation for third-party coding agents"}]},{"@type":"WebSite","@id":"https:\/\/github.blog\/#website","url":"https:\/\/github.blog\/","name":"The GitHub Blog","description":"Updates, ideas, and inspiration from GitHub to help developers build and design software.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/github.blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"}]}},"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/changelogs\/96655","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/changelogs"}],"about":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/types\/changelog"}],"author":[{"embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/users\/2106"}],"version-history":[{"count":3,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/changelogs\/96655\/revisions"}],"predecessor-version":[{"id":96664,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/changelogs\/96655\/revisions\/96664"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/media\/96656"}],"wp:attachment":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/media?parent=96655"}],"wp:term":[{"taxonomy":"changelog-type","embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/type?post=96655"},{"taxonomy":"changelog-label","embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/label?post=96655"},{"taxonomy":"changelog-group","embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/group?post=96655"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/coauthors?post=96655"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}