Security validation for third-party coding agents is now generally available. GitHub supports third-party coding agents (including Claude and OpenAI Codex) that work directly within your repositories to implement features, fix bugs, and improve test coverage. Now, code generated by these agents receives the same automatic security validation already available for GitHub Copilot cloud agent. Learn more by reading Risks and mitigations for GitHub Copilot cloud agent.

When a third-party coding agent creates code in your repository, GitHub now automatically analyzes it for potential security vulnerabilities using CodeQL, checks newly introduced dependencies against the GitHub Advisory Database, and uses GitHub secret scanning to detect sensitive information such as API keys and tokens. If the analysis finds any issues, the agent attempts to resolve them before finalizing the pull request.

Since we released automatic code validation for Copilot cloud agent in October 2025, we’ve proactively prevented hundreds of potential security leaks and vulnerabilities. Extending this protection to third-party agents helps ensure that every line of agent-generated code undergoes the same security checks, regardless of which coding agent wrote it.

These security validations are on by default and follow your repository’s Copilot settings for which validation tools to use. If you’ve already enabled security validation for Copilot cloud agent, third-party agents will automatically receive the same protections. Security validation doesn’t require a GitHub Advanced Security license. See Configuring agent settings for more information.