You want to use GitHub Copilot to review your code and get improvement suggestions. GitHub Copilot can analyze your code for common issues, suggest fixes, and propose better patterns. This article explains how to enable Copilot code review, configure it for your repository, and interpret the suggestions it generates.
GitHub Copilot code review works by running a separate AI model on pull requests. It checks for bugs, security vulnerabilities, code style problems, and performance issues. The feature is available for public repositories at no extra cost and for private repositories with a Copilot Business or Enterprise license.
This guide covers the setup steps, the types of suggestions you can expect, and what to do when Copilot misses a problem or gives an incorrect recommendation. By the end, you will know how to integrate Copilot code review into your team’s pull request workflow.
Key Takeaways: Using GitHub Copilot for Code Review
- Repository Settings > Code security and analysis > GitHub Copilot code review: Enable the feature per repository to start receiving AI-powered pull request suggestions.
- Pull request Files changed tab > Review comment icon: View individual suggestions inline and accept or dismiss them directly from the code diff.
- Copilot code review configuration file (.github/copilot-review.yml): Customize which checks run, such as security, performance, or style rules, to match your team’s standards.
How GitHub Copilot Code Review Works
GitHub Copilot code review is a feature that adds an AI-powered reviewer to your pull requests. When you open a new pull request, Copilot analyzes the code changes and posts comments with suggestions. These suggestions cover issues such as missing null checks, insecure API calls, overly complex logic, and deviations from common coding patterns.
The feature uses a model that is separate from the inline code completion model. It is trained on a large set of public code reviews and bug fixes. Copilot code review does not modify your code. It only adds review comments that you can accept, dismiss, or ignore.
Prerequisites
Before you can use Copilot code review, you need the following:
- A GitHub account with a Copilot subscription. For private repositories, you need Copilot Business or Copilot Enterprise.
- Repository admin or owner permissions to enable the feature in repository settings.
- An active Copilot license assigned to your GitHub user.
Supported Languages
Copilot code review supports the same languages as Copilot code completion. This includes Python, JavaScript, TypeScript, Java, C#, Go, Ruby, Rust, and many others. The quality of suggestions is highest for languages with large training datasets.
Steps to Enable and Use GitHub Copilot Code Review
Follow these steps to enable Copilot code review on a repository and use it during a pull request review.
- Enable Copilot code review in the repository
Go to your repository on GitHub. Click Settings in the top navigation bar. In the left sidebar, click Code security and analysis. Scroll down to the GitHub Copilot code review section. Click the Enable button next to Copilot code review. The feature is now active for this repository.
- Create or open a pull request
Open a new pull request in the repository. Copilot code review runs automatically when the pull request is opened. It also runs when you push new commits to an existing pull request. The review usually completes within 30 seconds to two minutes.
- Review Copilot suggestions in the pull request
Go to the pull request page. Click the Files changed tab. You will see comments from github-copilot inline in the code diff. Each comment highlights a specific line or block and includes a suggestion. Read the suggestion and decide whether to apply the change.
- Accept or dismiss a suggestion
To accept a suggestion, click the Apply suggestion button that appears in the comment. This commits the change directly to the pull request branch. To dismiss a suggestion, click the small X icon in the comment header. Dismissed suggestions are hidden from the view but remain in the pull request history.
- View the summary of all Copilot suggestions
Scroll to the bottom of the Files changed tab. Copilot posts a summary comment that lists all suggestions grouped by category. The categories include Bug risk, Security, Performance, and Style. Use this summary to prioritize which issues to fix first.
Customizing Copilot Code Review with a Configuration File
You can control which types of checks Copilot runs by adding a configuration file to your repository.
- Create the configuration file
In the root of your repository, create a new file named copilot-review.yml inside the .github folder. The full path is .github/copilot-review.yml.
- Add rule categories to enable or disable
Open the file in a text editor. Add the following YAML structure:

```yaml
checks:
  security: true
  performance: true
  style: false
  bug_risk: true
```

Set each category to true to enable it or false to disable it. Save and commit the file to the default branch.
- Verify the configuration takes effect
Open a new pull request. Copilot reads the configuration file from the default branch. The review will now skip any disabled categories.
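
A guardrail for the configuration file described above, as an added example that is not part of the original article or of GitHub's tooling: a Python check, suitable for a CI job, that fails when `.github/copilot-review.yml` turns off the security or bug_risk categories or misspells a category name. The file layout is taken from the article's sample; the policy of which categories must stay on, and the function names, are assumptions of this example.

```python
import re
import sys

# Category names as they appear in the article's sample file.
KNOWN = {"security", "performance", "style", "bug_risk"}
# Assumption of this example: these must be explicitly set to true.
REQUIRED_ON = {"security", "bug_risk"}

# Constructed inputs: the article's sample, and a weakened variant with a typo.
PAGE_SAMPLE = "checks:\n  security: true\n  performance: true\n  style: false\n  bug_risk: true\n"
WEAKENED = "checks:\n  securty: true\n  performance: true\n  style: false\n  bug_risk: false\n"

def parse_checks(text):
    """Parse the two-level `checks:` mapping from the article (not general YAML)."""
    checks, in_checks = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():              # a top-level key starts a new section
            in_checks = line == "checks:"
            continue
        if in_checks:
            m = re.fullmatch(r"\s+([A-Za-z_]+):\s*(\S+)", line)
            if not m:
                raise ValueError(f"unparseable line: {raw!r}")
            checks[m.group(1)] = m.group(2)
    return checks

def audit(text):
    """Return policy findings; an empty list means the file passes."""
    checks = parse_checks(text)
    findings = []
    for name, value in checks.items():
        if name not in KNOWN:
            findings.append(f"unknown category: {name}")
        if value not in ("true", "false"):
            findings.append(f"non-boolean value for {name}: {value}")
    for name in sorted(REQUIRED_ON):
        if checks.get(name) != "true":
            findings.append(f"{name} must be enabled")
    return findings

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else ".github/copilot-review.yml"
    with open(path, encoding="utf-8") as fh:
        problems = audit(fh.read())
    for p in problems:
        print(f"{path}: {p}")
    sys.exit(1 if problems else 0)
```

Because the article says the file is read from the default branch, running this on pull requests that touch the file surfaces a weakened review policy before it merges.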
Common Issues and Limitations with Copilot Code Review
Copilot Does Not Post Any Suggestions on a Pull Request
If you do not see any Copilot comments on a pull request, check the following. First, confirm that the feature is enabled in the repository settings under Code security and analysis. Second, verify that your Copilot subscription is active. For private repositories, you need Copilot Business or Enterprise. Third, check that the pull request contains at least 10 lines of changed code. Copilot skips very small changes. Finally, ensure the pull request is not a draft. Copilot only reviews open pull requests.
Copilot Suggests a Change That Is Incorrect or Irrelevant
Copilot code review is an AI tool and can produce false positives. If a suggestion is wrong, dismiss it using the X icon. Do not apply changes blindly. Always test the suggested code before merging. To reduce irrelevant suggestions, disable the style category in the configuration file if your team uses a different style guide.
Copilot Misses a Known Bug in the Code
Copilot does not replace human code review. It may miss context-specific bugs, business logic errors, or issues that require domain knowledge. Always perform a manual review alongside Copilot. Use Copilot suggestions as a second pair of eyes, not as the sole quality gate.
GitHub Copilot Code Review vs Manual Code Review
| Item | GitHub Copilot Code Review | Manual Human Code Review |
|---|---|---|
| Speed | Completes in seconds to minutes | Can take hours or days depending on team size |
| Coverage | Checks common patterns, security, and style | Catches domain-specific logic, architecture issues, and team conventions |
| False positives | Occasional irrelevant or incorrect suggestions | Low when reviewers are familiar with the codebase |
| Cost | Included with Copilot subscription | Uses developer time and salary |
| Learning curve | Minimal setup required | Requires training and experience in the codebase |
Copilot code review works best as a complement to manual review. Use it to catch low-hanging issues early so human reviewers can focus on higher-level concerns.
You can now enable GitHub Copilot code review on your repositories and use its suggestions during pull request reviews. Start by enabling the feature in one repository and testing it on a few pull requests. Review the summary comment to see the categories of issues Copilot detects. For advanced control, create a .github/copilot-review.yml configuration file to disable checks that do not fit your team’s workflow. Remember that Copilot is a tool to assist, not replace, human judgment in code review.