Developers Report GitHub Copilot Integration Flaws
Users are reporting integration and security issues with GitHub Copilot. One developer questioned whether integrating the tool directly into an IDE poses a security risk. Another user described a problem in Visual Studio 2026 where they were forced to use API keys instead of their paid subscription, highlighting integration challenges in some enterprise environments.
- A recent study found that 36% of code generated by GitHub Copilot contains security flaws, contributing to an accumulation of security debt over time.
- In November 2025, Microsoft disclosed two significant vulnerabilities, including one (CVE-2025-62453) related to improper validation of generative AI output in Copilot, which could allow attackers to bypass security checks.
- Enterprise users have encountered integration issues with Single Sign-On (SSO) for GitHub Enterprise in Visual Studio, where the Copilot extension fails to connect when the enterprise account is active.
- Research from GitGuardian revealed that public repositories with active Copilot use had a 40% higher incidence rate of leaking secrets, such as API keys, compared to the overall average.
- Studies on code quality show that while Copilot can increase the volume of code written by 25%, it also correlates with a rise in maintainability issues, reliability problems, and overall technical debt.
- Some developers using the enterprise version in Visual Studio 2022 have reported that Copilot is "terrible at following instructions" for simple refactoring tasks, occasionally deleting unrelated methods from a class.
- The Copilot Chat extension's deep UI integration requires it to be compatible only with the latest release of Visual Studio Code, meaning developers on older IDE versions cannot use the most current chat features or models.
- A key security risk identified is "package hallucination squatting," where Copilot suggests code that includes a non-existent but plausibly named package, which an attacker can then register and fill with malicious code.
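Two of the risks listed above, leaked secrets in generated code and hallucinated package names, can both be caught before a suggestion is merged by a simple review gate. The following is an added example written for this page, not GitHub's or Copilot's own tooling: it checks every dependency name in a suggested requirements block against the project's pinned lockfile (a name absent from the lockfile is exactly the kind of unregistered package that squatting exploits), and scans generated source for string literals shaped like credentials. The lockfile, requirements block, generated code and the package name `fastjsonvalidator-utils` are all constructed samples; the credential values are placeholders.

```python
"""Pre-merge gate for AI-assisted code (added example, not Copilot's own code).

Two checks: dependencies not present in the pinned lockfile, and literals
that look like hardcoded credentials. Runs offline on the samples below.
"""
import re

# Constructed sample: the project's pinned lockfile (package names with versions).
PINNED_LOCKFILE = """
requests==2.32.3
pydantic==2.9.2
cryptography==43.0.1
"""

# Constructed sample: a requirements block as an assistant might suggest it.
# 'fastjsonvalidator-utils' is a hypothetical name not known to the lockfile.
SUGGESTED_REQUIREMENTS = """
requests>=2.31
pydantic
fastjsonvalidator-utils   # hypothetical package, not in the lockfile
cryptography
"""

# Constructed sample: generated code containing secret-shaped literals (placeholders).
GENERATED_CODE = '''import os
API_KEY = "sk_live_EXAMPLE0123456789abcdefABCDEF"   # constructed placeholder
token = os.environ.get("SERVICE_TOKEN")
AWS_KEY = "AKIAEXAMPLE123456789"                    # constructed placeholder
'''

# First token of a requirement line: the distribution name before any specifier.
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalization so 'Foo_Bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_names(text: str) -> list[str]:
    """Extract normalized distribution names from requirements/lockfile text."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        match = _REQ_NAME.match(line)
        if match:
            names.append(normalize(match.group(1)))
    return names


def find_unapproved_packages(requirements: str, lockfile: str) -> list[str]:
    """Names suggested in `requirements` that the pinned lockfile does not contain."""
    approved = set(parse_names(lockfile))
    return [name for name in parse_names(requirements) if name not in approved]


# A few well-known credential shapes plus a generic 'name = "literal"' assignment.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_like_live_key": re.compile(r"\bsk_live_[0-9A-Za-z]{16,}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*=\s*['\"][^'\"]{8,}['\"]"
    ),
}


def find_secret_candidates(code: str) -> list[tuple[int, str]]:
    """(line number, pattern label) for every line matching a secret pattern.

    Reading a value from the environment (line 3 of the sample) is not flagged;
    only quoted literals are.
    """
    hits = []
    for lineno, line in enumerate(code.splitlines(), start=1):
        for label, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, label))
    return hits


def review_gate(requirements: str, lockfile: str, code: str) -> dict:
    """Combine both checks; an empty result means the suggestion may proceed."""
    return {
        "unapproved_packages": find_unapproved_packages(requirements, lockfile),
        "secret_candidates": find_secret_candidates(code),
    }


if __name__ == "__main__":
    print(review_gate(SUGGESTED_REQUIREMENTS, PINNED_LOCKFILE, GENERATED_CODE))
```

In a real pipeline the lockfile allowlist is what makes the package check meaningful: a name that resolves on the public index but is not in the lockfile still gets a human look, which is the moment to confirm the package is the one the team intended rather than a recently registered look-alike. The secret scan is deliberately narrow; it complements, rather than replaces, a dedicated scanner.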