Grasp AI Logo
Back to Blog
Cloud Strategy

GitHub Copilot Coding Agent Just Got Serious About Production

Leon Godwin
8 March 2026

You assign an issue before lunch. By the time you're back, there's a pull request waiting. Not a rough draft — a reviewed, security-scanned, ready-for-your-eyes pull request.

That's the pitch for GitHub Copilot coding agent. And with the latest batch of updates, it's actually starting to deliver on it.

The problem with AI-generated code

Every developer who's worked with AI coding tools has felt this: the code technically works, but nobody would write it that way. String concatenation that's unnecessarily complex. Variable names that miss your team's conventions. Tests that cover the happy path and nothing else.

The cleanup tax was real. You'd spend as long reviewing and fixing AI output as you'd have spent writing it yourself. And that's before you consider the security angle — AI-generated code can introduce vulnerable patterns, leak secrets, and pull in dependencies with known CVEs. It does all of this faster than a human, which isn't the flex it sounds like.

GitHub's latest updates to the coding agent tackle these problems directly.

Five changes that actually matter

Model selection per task. The Agents panel now includes a model picker. Use a faster model for straightforward work like adding unit tests. Upgrade to a more capable model for gnarly refactors or integration tests with real edge cases. Or leave it on auto and let GitHub choose. This sounds simple, but it's the difference between paying premium rates for every task and spending intelligently. Available now for Copilot Pro and Pro+ users, with Business and Enterprise support coming soon.

Self-review before you see it. The coding agent now runs Copilot code review on its own changes before opening the PR. It gets feedback, iterates, and improves the patch. By the time you're tagged for review, someone — something — already went through it. In one demo session, the agent caught that its own string concatenation was overly complex and fixed it before the PR landed. That kind of thing used to be your problem.

Built-in security scanning. Code scanning, secret scanning, and dependency vulnerability checks now run directly inside the agent's workflow. If a dependency has a known issue, or something looks like a committed API key, it gets flagged before the PR opens. Here's the kicker: code scanning is normally part of GitHub Advanced Security. With the coding agent, you get it for free.

Custom agents for your team's process. A short prompt leaves a lot to judgement. Custom agents let you codify how your team actually works. Create a file under .github/agents/ and define a specific approach. A performance optimiser agent, for example, can benchmark first, make the change, then measure the difference before opening a PR. You can share custom agents across your organisation or enterprise, so the same process applies everywhere.

Cloud-to-CLI handoff. Start a task in the cloud and finish it locally, or push work from your terminal back to the cloud. The branch, logs, and full context transfer with you. Press & in the CLI to delegate work back to the cloud and keep going on your end. No more starting conversations over when you switch environments.

The competitive context

This matters because the AI coding agent space is getting crowded. Anthropic's Claude Code runs at $200/month. Cursor and Windsurf are building loyal followings. Open-source alternatives like Goose offer similar capabilities for free.

GitHub's advantage isn't the model — it's the integration. The coding agent lives where the code already lives. It understands your repo structure, your CI/CD pipelines, your team's review process. The Azure DevOps Boards integration (Sprint 269) now lets you select custom agents when creating PRs from work items. That's platform-level integration that standalone tools can't match.

The free security scanning is a particularly sharp move. It removes the "we haven't bought Advanced Security yet" blocker and makes governance the default rather than an add-on.

Getting started

Open the Agents panel (top-right in GitHub), select your repo, and assign an issue to Copilot. Or create a task directly from the panel and pick your model.

For custom agents, create a markdown file under .github/agents/ in your repo that describes the agent's approach, constraints, and workflow. The GitHub docs walk through the structure.

If you're running self-hosted runners, check the network configuration changes that took effect on 27 February 2026. Your firewall rules may need updating.

One thing to watch: model selection isn't available yet for Business and Enterprise tiers. That's the majority of paying customers. GitHub says it's coming soon, but no timeline. If you're evaluating this for enterprise rollout, factor in that limitation.

What this means for developer teams

The pattern here is clear. AI coding tools are shifting from "autocomplete on steroids" to "delegate entire tasks." The self-review loop, security scanning, and custom agents aren't features — they're the requirements for trusting an AI with real work.

The teams that will get the most from this aren't the ones with the best prompts. They're the ones with well-defined processes that can be encoded into custom agents, clear security policies that the built-in scanning enforces, and a review culture that treats AI PRs with the same rigour as human ones.

The model isn't the bottleneck any more. Your process is.

Leon Godwin is Principal Cloud Evangelist at Cloud Direct, helping organisations build cloud strategy with clarity and technical honesty.