GitHub adds Copilot, security, and code quality updates

GitHub’s May 2026 release notes add Copilot controls, security filters, and code quality APIs.

GitHub packed a lot into its May 2026 release notes. On May 26 alone, the company shipped changes across Copilot, secret scanning, Dependabot, and GitHub Code Quality, plus a few quality-of-life fixes in Copilot CLI.

The headline is not one giant product launch. It is a cluster of smaller updates that all point in the same direction: more control for admins, more context for reviewers, and fewer rough edges for developers using GitHub every day.

Copilot gets more controllable, and that matters

The most interesting Copilot update is the extra control around Copilot Memory. GitHub added clearer deletion guidance, a repository-level off switch, and new /memory commands in the Copilot CLI. That is a practical change, because memory features only feel useful when teams can explain what is stored, where it lives, and how to turn it off.

GitHub also clarified the difference between user-level preferences and repository-level facts at capture time. That matters for teams that share repos across contractors, internal staff, and automation. A memory that follows one developer across repositories is a different thing from a fact that belongs to a project.

“The right to be forgotten is one of the key rights in the GDPR,” said Max Schrems, founder of NOYB.

That quote is not about Copilot specifically, but it captures the pressure any memory system faces once it starts storing user or team context. GitHub’s new controls look like an attempt to answer that pressure before larger enterprise customers ask for it in a support ticket.

• Copilot Memory is in public preview and available to all paid Copilot plans.
• Repository admins can disable repository-level memory without deleting preexisting facts.
• The new /memory commands persist across sessions in Copilot CLI.
• The store prompt now tells you whether a memory is personal or repository-scoped.

Enterprise admins get finer model controls

GitHub is also giving enterprise owners more control over which Copilot models each organization can use. The new targeted model rules let admins allow specific models for specific organizations instead of applying one enterprise-wide setting to everyone.

That sounds small until you think about how enterprises actually work. One team may want the newest model as soon as it is available. Another may want a narrower set of models for compliance or cost reasons. A single default setting forces both groups into the same box.

GitHub says the targeted model rules are in public preview for customers on Copilot Business and Copilot Enterprise. The company also refreshed the default model availability page so admins can set models to either Enabled or Optional from one place.

• Targeted model rules apply at the organization level inside an enterprise.
• Admins can set defaults to Enabled or Optional.
• The feature is limited to Copilot Business and Copilot Enterprise.
• GitHub moved the control surface into a single management page for faster policy changes.

Code quality and Dependabot keep moving toward automation

Two updates here are aimed squarely at teams that care about CI, review speed, and dependency hygiene. First, GitHub Code Quality now has a Repository Enablement API in public preview. That means teams can turn it on and configure it programmatically, rather than clicking through setup screens one repo at a time.

The API exposes two endpoints: one PATCH endpoint to enable or disable default setup and choose languages and runner type, and one GET endpoint to retrieve the current configuration. Supported languages include csharp, go, java-kotlin, javascript-typescript, python, and ruby.

Second, Dependabot now supports the sbt ecosystem for version updates. Add sbt to .github/dependabot.yml, and Dependabot will watch build.sbt inputs and open pull requests when newer upstream commits appear.

That is useful for Scala teams because it reduces the amount of custom scripting needed just to stay current. It does not change security updates, only version updates, so the scope is narrow but practical.

• GitHub Code Quality API is in public preview on github.com, not Enterprise Server.
• The API supports both setup changes and configuration retrieval.
• Dependabot now supports sbt version updates, not security updates.
• sbt support starts after the next scheduled Dependabot run.

Security reviewers and pull request authors get better signals

GitHub also tightened the workflow around secret scanning. Teams can now sort push protection bypass requests and alert dismissal requests by newest, oldest, recently updated, or least recently updated. That helps security teams focus on the requests that need attention first instead of living with a fixed newest-first list.

On top of that, the secret scanning REST API now accepts an is_bypassed query parameter on all three alert list endpoints. That closes a gap between the UI and the API, which is the kind of detail that matters when a platform feature graduates from “nice to have” into “we need to automate this.”

There is also a new code coverage view for pull requests in GitHub Code Quality. Reviewers can see an aggregate coverage percentage directly on the pull request, which gives them one more signal before they approve a merge.

GitHub says users upload a Cobertura report from an existing CI workflow with the upload-code-coverage action, and GitHub Apps plus Actions workflows need the new code-quality:write fine-grained permission. That is a decent tradeoff: a little setup in exchange for less tab-switching during review.

• Secret scanning sorting now works at repository, organization, and enterprise levels.
• The REST API accepts is_bypassed=true or false.
• Code coverage is in public preview for GitHub Code Quality users on github.com.
• Coverage data comes from Cobertura reports uploaded through CI.

What these updates say about GitHub’s direction

Put together, these release notes show a clear pattern. GitHub is spending a lot of effort on admin controls, policy granularity, and better signals inside the developer workflow. That is a sensible move for a platform used by hobby projects and enterprise teams with strict compliance rules.

The next thing to watch is adoption. If Copilot Memory and targeted model rules get traction, GitHub will have a stronger story for enterprise AI governance. If code coverage on pull requests gets used widely, more teams may treat GitHub Code Quality as a default part of review instead of a side tool.

For now, the actionable takeaway is simple: if your org already uses Copilot, Dependabot, or secret scanning, these updates are worth a setup pass this week. The most useful GitHub changes here are the ones that reduce manual cleanup, and that is exactly where these release notes spend their energy.

Related reading: GitHub Copilot Memory controls, Dependabot sbt support, and GitHub Code Quality API.