[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article-github-copilot-security-code-quality-may-2026-en":3,"article-related-github-copilot-security-code-quality-may-2026-en":30,"series-tools-eccfb0ca-5f78-4c1b-8cb1-26448b12bf34":80},{"id":4,"slug":5,"title":6,"content":7,"summary":8,"source":9,"source_url":10,"author":11,"image_url":12,"cover_image":12,"category":13,"language":14,"translated_content":11,"related_article_id":15,"keywords":16,"key_takeaways":22,"views":26,"created_at":27,"published_at":28,"topic_cluster_id":29},"eccfb0ca-5f78-4c1b-8cb1-26448b12bf34","github-copilot-security-code-quality-may-2026-en","GitHub adds Copilot, security, and code quality updates","\u003Cp data-speakable=\"summary\">\u003Ca href=\"\u002Ftag\u002Fgithub\">GitHub\u003C\u002Fa>’s May 2026 release notes add \u003Ca href=\"\u002Ftag\u002Fcopilot\">Copilot\u003C\u002Fa> controls, security filters, and code quality APIs.\u003C\u002Fp>\u003Cp>GitHub packed a lot into its May 2026 release notes. On May 26 alone, the company shipped changes across \u003Ca href=\"https:\u002F\u002Fgithub.blog\u002Fproducts\u002Fcopilot\u002F\" target=\"_blank\" rel=\"noopener\">Copilot\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fgithub.blog\u002Fproducts\u002Fcode-security\u002F\" target=\"_blank\" rel=\"noopener\">secret scanning\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fdependabot\" target=\"_blank\" rel=\"noopener\">Dependabot\u003C\u002Fa>, and \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ffeatures\u002Fcode-quality\" target=\"_blank\" rel=\"noopener\">GitHub Code Quality\u003C\u002Fa>, plus a few quality-of-life fixes in \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fgithub\u002Fcopilot-cli\" target=\"_blank\" rel=\"noopener\">Copilot CLI\u003C\u002Fa>.\u003C\u002Fp>\u003Cp>The headline is not one giant product launch. It is a cluster of smaller updates that all point in the same direction: more control for admins, more context for reviewers, and fewer rough edges for developers using GitHub every day.\u003C\u002Fp>\u003Ctable>\u003Cthead>\u003Ctr>\u003Cth>Area\u003C\u002Fth>\u003Cth>Update\u003C\u002Fth>\u003Cth>Key detail\u003C\u002Fth>\u003C\u002Ftr>\u003C\u002Fthead>\u003Ctbody>\u003Ctr>\u003Ctd>Copilot CLI\u003C\u002Ftd>\u003Ctd>Version 1.0.55-1\u003C\u002Ftd>\u003Ctd>Improved visibility, session handling, clipboard reliability, and Unicode copying on Windows\u003C\u002Ftd>\u003C\u002Ftr>\u003Ctr>\u003Ctd>Copilot Memory\u003C\u002Ftd>\u003Ctd>Public preview\u003C\u002Ftd>\u003Ctd>Repository off switch, deletion guidance, and new \u002Fmemory commands\u003C\u002Ftd>\u003C\u002Ftr>\u003Ctr>\u003Ctd>Code Quality API\u003C\u002Ftd>\u003Ctd>Public preview\u003C\u002Ftd>\u003Ctd>PATCH and GET endpoints for repository setup\u003C\u002Ftd>\u003C\u002Ftr>\u003Ctr>\u003Ctd>Dependabot\u003C\u002Ftd>\u003Ctd>New ecosystem support\u003C\u002Ftd>\u003Ctd>sbt version updates now open pull requests\u003C\u002Ftd>\u003C\u002Ftr>\u003Ctr>\u003Ctd>Secret scanning\u003C\u002Ftd>\u003Ctd>UI and API changes\u003C\u002Ftd>\u003Ctd>Sort requests and filter alerts with is_bypassed\u003C\u002Ftd>\u003C\u002Ftr>\u003Ctr>\u003Ctd>Code coverage\u003C\u002Ftd>\u003Ctd>Public preview\u003C\u002Ftd>\u003Ctd>Aggregate coverage percent now appears on pull requests\u003C\u002Ftd>\u003C\u002Ftr>\u003C\u002Ftbody>\u003C\u002Ftable>\u003Ch2>Copilot gets more controllable, and that matters\u003C\u002Fh2>\u003Cp>The most interesting Copilot update is the extra control around \u003Ca href=\"https:\u002F\u002Fgithub.blog\u002Fchangelog\u002F2026-05-26-copilot-memory-has-more-controls-for-deletion-scope-and-the-copilot-cli\u002F\" target=\"_blank\" rel=\"noopener\">Copilot Memory\u003C\u002Fa>. GitHub added clearer deletion guidance, a repository-level off switch, and new \u003Ccode>\u002Fmemory\u003C\u002Fcode> commands in the \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fgithub\u002Fcopilot-cli\" target=\"_blank\" rel=\"noopener\">Copilot CLI\u003C\u002Fa>. That is a practical change, because memory features only feel useful when teams can explain what is stored, where it lives, and how to turn it off.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1779855365933-1bwk.png\" alt=\"GitHub adds Copilot, security, and code quality updates\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>GitHub also clarified the difference between user-level preferences and repository-level facts at capture time. That matters for teams that share repos across contractors, internal staff, and automation. A memory that follows one developer across repositories is a different thing from a fact that belongs to a project.\u003C\u002Fp>\u003Cblockquote>“The right to be forgotten is one of the key rights in the GDPR,” said \u003Ca href=\"https:\u002F\u002Fgdpr.eu\u002F\" target=\"_blank\" rel=\"noopener\">Max Schrems\u003C\u002Fa>, founder of NOYB.\u003C\u002Fblockquote>\u003Cp>That quote is not about Copilot specifically, but it captures the pressure any memory system faces once it starts storing user or team context. GitHub’s new controls look like an attempt to answer that pressure before larger enterprise customers ask for it in a support ticket.\u003C\u002Fp>\u003Cul>\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.blog\u002Fchangelog\u002F2026-05-26-copilot-memory-has-more-controls-for-deletion-scope-and-the-copilot-cli\u002F\" target=\"_blank\" rel=\"noopener\">Copilot Memory\u003C\u002Fa> is in public preview and available to all paid Copilot plans.\u003C\u002Fli>\u003Cli>Repository admins can disable repository-level memory without deleting preexisting facts.\u003C\u002Fli>\u003Cli>The new \u003Ccode>\u002Fmemory\u003C\u002Fcode> commands persist across sessions in \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fgithub\u002Fcopilot-cli\" target=\"_blank\" rel=\"noopener\">Copilot CLI\u003C\u002Fa>.\u003C\u002Fli>\u003Cli>The store prompt now tells you whether a memory is personal or repository-scoped.\u003C\u002Fli>\u003C\u002Ful>\u003Ch2>Enterprise admins get finer model controls\u003C\u002Fh2>\u003Cp>GitHub is also giving enterprise owners more control over which Copilot models each organization can use. The new targeted model rules let admins allow specific models for specific organizations instead of applying one enterprise-wide setting to everyone.\u003C\u002Fp>\u003Cp>That sounds small until you think about how enterprises actually work. One team may want the newest model as soon as it is available. Another may want a narrower set of models for compliance or cost reasons. A single default setting forces both groups into the same box.\u003C\u002Fp>\u003Cp>GitHub says the targeted model rules are in public preview for customers on \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ffeatures\u002Fcopilot\u002Fbusiness\" target=\"_blank\" rel=\"noopener\">Copilot Business\u003C\u002Fa> and \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ffeatures\u002Fcopilot\u002Fenterprise\" target=\"_blank\" rel=\"noopener\">Copilot Enterprise\u003C\u002Fa>. The company also refreshed the default model availability page so admins can set models to either Enabled or Optional from one place.\u003C\u002Fp>\u003Cul>\u003Cli>Targeted model rules apply at the organization level inside an enterprise.\u003C\u002Fli>\u003Cli>Admins can set defaults to Enabled or Optional.\u003C\u002Fli>\u003Cli>The feature is limited to \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ffeatures\u002Fcopilot\u002Fbusiness\" target=\"_blank\" rel=\"noopener\">Copilot Business\u003C\u002Fa> and \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ffeatures\u002Fcopilot\u002Fenterprise\" target=\"_blank\" rel=\"noopener\">Copilot Enterprise\u003C\u002Fa>.\u003C\u002Fli>\u003Cli>GitHub moved the control surface into a single management page for faster policy changes.\u003C\u002Fli>\u003C\u002Ful>\u003Ch2>Code quality and Dependabot keep moving toward automation\u003C\u002Fh2>\u003Cp>Two updates here are aimed squarely at teams that care about CI, review speed, and dependency hygiene. First, GitHub Code Quality now has a Repository Enablement \u003Ca href=\"\u002Ftag\u002Fapi\">API\u003C\u002Fa> in public preview. That means teams can turn it on and configure it programmatically, rather than clicking through setup screens one repo at a time.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1779855368129-67tw.png\" alt=\"GitHub adds Copilot, security, and code quality updates\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>The API exposes two endpoints: one \u003Ccode>PATCH\u003C\u002Fcode> endpoint to enable or disable default setup and choose languages and runner type, and one \u003Ccode>GET\u003C\u002Fcode> endpoint to retrieve the current configuration. Supported languages include \u003Ccode>csharp\u003C\u002Fcode>, \u003Ccode>go\u003C\u002Fcode>, \u003Ccode>java-kotlin\u003C\u002Fcode>, \u003Ccode>javascript-\u003Ca href=\"\u002Ftag\u002Ftypescript\">typescript\u003C\u002Fa>\u003C\u002Fcode>, \u003Ccode>python\u003C\u002Fcode>, and \u003Ccode>ruby\u003C\u002Fcode>.\u003C\u002Fp>\u003Cp>Second, \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fdependabot\" target=\"_blank\" rel=\"noopener\">Dependabot\u003C\u002Fa> now supports the \u003Ca href=\"https:\u002F\u002Fwww.scala-sbt.org\u002F\" target=\"_blank\" rel=\"noopener\">sbt\u003C\u002Fa> ecosystem for version updates. Add sbt to \u003Ccode>.github\u002Fdependabot.yml\u003C\u002Fcode>, and Dependabot will watch \u003Ccode>build.sbt\u003C\u002Fcode> inputs and open pull requests when newer upstream commits appear.\u003C\u002Fp>\u003Cp>That is useful for Scala teams because it reduces the amount of custom scripting needed just to stay current. It does not change security updates, only version updates, so the scope is narrow but practical.\u003C\u002Fp>\u003Cul>\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ffeatures\u002Fcode-quality\" target=\"_blank\" rel=\"noopener\">GitHub Code Quality\u003C\u002Fa> API is in public preview on github.com, not Enterprise Server.\u003C\u002Fli>\u003Cli>The API supports both setup changes and configuration retrieval.\u003C\u002Fli>\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fdependabot\" target=\"_blank\" rel=\"noopener\">Dependabot\u003C\u002Fa> now supports sbt version updates, not security updates.\u003C\u002Fli>\u003Cli>sbt support starts after the next scheduled Dependabot run.\u003C\u002Fli>\u003C\u002Ful>\u003Ch2>Security reviewers and pull request authors get better signals\u003C\u002Fh2>\u003Cp>GitHub also tightened the workflow around secret scanning. Teams can now sort push protection bypass requests and alert dismissal requests by newest, oldest, recently updated, or least recently updated. That helps security teams focus on the requests that need attention first instead of living with a fixed newest-first list.\u003C\u002Fp>\u003Cp>On top of that, the secret scanning REST API now accepts an \u003Ccode>is_bypassed\u003C\u002Fcode> query parameter on all three alert list endpoints. That closes a gap between the UI and the API, which is the kind of detail that matters when a platform feature graduates from “nice to have” into “we need to automate this.”\u003C\u002Fp>\u003Cp>There is also a new code coverage view for pull requests in \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ffeatures\u002Fcode-quality\" target=\"_blank\" rel=\"noopener\">GitHub Code Quality\u003C\u002Fa>. Reviewers can see an aggregate coverage percentage directly on the pull request, which gives them one more signal before they approve a merge.\u003C\u002Fp>\u003Cp>GitHub says users upload a Cobertura report from an existing CI workflow with the \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fgithub\u002Fupload-code-coverage\" target=\"_blank\" rel=\"noopener\">upload-code-coverage\u003C\u002Fa> action, and GitHub Apps plus Actions workflows need the new \u003Ccode>code-quality:write\u003C\u002Fcode> fine-grained permission. That is a decent tradeoff: a little setup in exchange for less tab-switching during review.\u003C\u002Fp>\u003Cul>\u003Cli>Secret scanning sorting now works at repository, organization, and enterprise levels.\u003C\u002Fli>\u003Cli>The REST API accepts \u003Ccode>is_bypassed=true\u003C\u002Fcode> or \u003Ccode>false\u003C\u002Fcode>.\u003C\u002Fli>\u003Cli>Code coverage is in public preview for GitHub Code Quality users on github.com.\u003C\u002Fli>\u003Cli>Coverage data comes from Cobertura reports uploaded through CI.\u003C\u002Fli>\u003C\u002Ful>\u003Ch2>What these updates say about GitHub’s direction\u003C\u002Fh2>\u003Cp>Put together, these release notes show a clear pattern. GitHub is spending a lot of effort on admin controls, policy granularity, and better signals inside the developer workflow. That is a sensible move for a platform used by hobby projects and enterprise teams with strict compliance rules.\u003C\u002Fp>\u003Cp>The next thing to watch is adoption. If Copilot Memory and targeted model rules get traction, GitHub will have a stronger story for \u003Ca href=\"\u002Ftag\u002Fenterprise-ai\">enterprise AI\u003C\u002Fa> governance. If code coverage on pull requests gets used widely, more teams may treat GitHub Code Quality as a default part of review instead of a side tool.\u003C\u002Fp>\u003Cp>For now, the actionable takeaway is simple: if your org already uses Copilot, Dependabot, or secret scanning, these updates are worth a setup pass this week. The most useful GitHub changes here are the ones that reduce manual cleanup, and that is exactly where these release notes spend their energy.\u003C\u002Fp>\u003Cp>Related reading: \u003Ca href=\"\u002Fnews\u002Fgithub-copilot-memory-controls\" target=\"_blank\" rel=\"noopener\">GitHub Copilot Memory controls\u003C\u002Fa>, \u003Ca href=\"\u002Fnews\u002Fdependabot-sbt-support\" target=\"_blank\" rel=\"noopener\">Dependabot sbt support\u003C\u002Fa>, and \u003Ca href=\"\u002Fnews\u002Fgithub-code-quality-api\" target=\"_blank\" rel=\"noopener\">GitHub Code Quality API\u003C\u002Fa>.\u003C\u002Fp>","GitHub’s May 2026 updates add Copilot Memory controls, model rules, sbt support in Dependabot, and code coverage on pull requests.","releasebot.io","https:\u002F\u002Freleasebot.io\u002Fupdates\u002Fgithub",null,"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1779855365933-1bwk.png","tools","en","df3796d7-5e6b-4250-96f0-96b15845f04a",[17,18,19,20,21],"GitHub","Copilot Memory","Dependabot","secret scanning","code quality",[23,24,25],"Copilot Memory now has a repo-level off switch and clearer deletion controls.","Enterprise admins can target Copilot model availability by organization.","Dependabot added sbt version updates, while Code Quality and secret scanning gained API and review improvements.",4,"2026-05-27T04:15:40.596283+00:00","2026-05-27T04:15:40.546+00:00","a7343b93-37cc-4634-a2bc-707f6275bdb6",{"tags":31,"relatedLang":11,"relatedPosts":43},[32,34,36,39,41],{"name":18,"slug":33},"copilot-memory",{"name":17,"slug":35},"github",{"name":37,"slug":38},"Secret Scanning","secret-scanning",{"name":19,"slug":40},"dependabot",{"name":21,"slug":42},"code-quality",[44,50,56,62,68,74],{"id":45,"slug":46,"title":47,"cover_image":48,"image_url":48,"created_at":49,"category":13},"aa96e422-2b01-4480-b4ce-a646be8e0993","magenta-realtime-2-score-inside-daw-en","Magenta RealTime 2 lets you score in the DAW","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1781046208039-ksdz.png","2026-06-09T23:02:56.428086+00:00",{"id":51,"slug":52,"title":53,"cover_image":54,"image_url":54,"created_at":55,"category":13},"c79bca38-50b2-4d80-9a48-7f4d1afd051a","open-source-ai-tools-beat-claude-paid-tiers-en","Open-source AI tools beat Claude’s paid tiers on value","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1781045269190-a1ow.png","2026-06-09T22:47:20.7972+00:00",{"id":57,"slug":58,"title":59,"cover_image":60,"image_url":60,"created_at":61,"category":13},"fbd166b2-30ad-451c-bfa5-8f190d0c4252","500-ai-agent-projects-show-where-agents-work-now-en","500 AI agent projects show where agents work now","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1781033595427-zvq5.png","2026-06-09T19:32:37.573706+00:00",{"id":63,"slug":64,"title":65,"cover_image":66,"image_url":66,"created_at":67,"category":13},"8f987f8b-1e3b-409d-9ca9-3f0884d5e1d9","chocolatey-go-package-policy-installs-en","Chocolatey’s Go package turns installs into policy","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1781029112225-4nik.png","2026-06-09T18:18:05.601854+00:00",{"id":69,"slug":70,"title":71,"cover_image":72,"image_url":72,"created_at":73,"category":13},"c1c49550-3032-4381-bad9-a7ef29973b4d","go-support-policy-turns-releases-into-a-checklist-en","Go support policy turns releases into a checklist","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1781028203465-bas6.png","2026-06-09T18:02:50.061065+00:00",{"id":75,"slug":76,"title":77,"cover_image":78,"image_url":78,"created_at":79,"category":13},"75f55dc1-b87b-4a8a-812f-bc31ab4ae4dc","rustdesk-self-hosting-secure-remote-access-en","RustDesk self-hosting setup for secure remote access","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1781017372462-mgyj.png","2026-06-09T15:02:24.622252+00:00",[81,86,91,96,101,106,111,116,121,126],{"id":82,"slug":83,"title":84,"created_at":85},"8008f1a9-7a00-4bad-88c9-3eedc9c6b4b1","surepath-ai-mcp-policy-controls-en","SurePath AI's New MCP Policy Controls Enhance AI Security","2026-03-26T01:26:52.222015+00:00",{"id":87,"slug":88,"title":89,"created_at":90},"27e39a8f-b65d-4f7b-a875-859e2b210156","mcp-standard-ai-tools-2026-en","MCP Standard in 2026: Integrating AI Tools","2026-03-26T01:27:43.127519+00:00",{"id":92,"slug":93,"title":94,"created_at":95},"165f9a19-c92d-46ba-b3f0-7125f662921d","rag-2026-transforming-enterprise-ai-en","How RAG in 2026 is Transforming Enterprise AI","2026-03-26T01:28:11.485236+00:00",{"id":97,"slug":98,"title":99,"created_at":100},"6a2a8e6e-b956-49d8-be12-cc47bdc132b2","mastering-ai-prompts-2026-guide-en","Mastering AI Prompts: A 2026 Guide for Developers","2026-03-26T01:29:07.835148+00:00",{"id":102,"slug":103,"title":104,"created_at":105},"3ab2c67e-4664-4c67-a013-687a2f605814","garry-tan-open-sources-claude-code-toolkit-en","Garry Tan Open-Sources a Claude Code Toolkit","2026-03-26T08:26:20.245934+00:00",{"id":107,"slug":108,"title":109,"created_at":110},"66a7cbf8-7e76-41d4-9bbf-eaca9761bf69","github-ai-projects-to-watch-in-2026-en","20 GitHub AI Projects to Watch in 2026","2026-03-26T08:28:09.752027+00:00",{"id":112,"slug":113,"title":114,"created_at":115},"9f332fda-eace-448a-a292-2283951eee71","practical-github-guide-learning-ml-2026-en","A Practical GitHub Guide to Learning ML in 2026","2026-03-27T01:16:50.125678+00:00",{"id":117,"slug":118,"title":119,"created_at":120},"1b1f637d-0f4d-42bd-974b-07b53829144d","aiml-2026-student-ai-ml-lab-repo-review-en","AIML-2026 Is a Bare-Bones Student Lab Repo","2026-03-27T01:21:51.661231+00:00",{"id":122,"slug":123,"title":124,"created_at":125},"6d1bf3f6-e191-4d30-b55b-8a0722fa6afe","ai-trending-github-repos-and-research-feeds-en","AI Trending Tracks Repos and Research Feeds","2026-03-27T01:31:35.709532+00:00",{"id":127,"slug":128,"title":129,"created_at":130},"010539a1-4c3a-4bd3-937a-26616422ee0d","awesome-ai-for-science-research-tools-map-en","Awesome AI for Science Is Becoming a Real Research Map","2026-03-27T01:46:50.89513+00:00"]