Configure GitHub Copilot in VSCode with a Privacy-First Approach

GitHub Copilot is a powerful AI coding assistant for Visual Studio Code (VSCode), but its default settings can risk exposing sensitive data like API keys, tokens, or passwords. This guide details how to configure Copilot securely, prioritizing privacy to prevent data leaks. We’ll cover GitHub and VSCode settings, extension installation, authentication, and a robust .copilotignore file example.

Importance of a Privacy-First Setup

Improperly configured AI tools like Copilot may transmit sensitive code snippets to GitHub’s servers for processing or training. This guide minimizes data sharing, disables telemetry, and excludes sensitive files, ensuring Copilot enhances productivity without compromising proprietary or confidential data – a critical step for developers handling sensitive projects.

1. GitHub Privacy Settings

Navigate to GitHub Copilot settings and disable:

  • Copilot can search the web
  • Allow GitHub to use my data for product improvements
  • Allow GitHub to use my data for AI model training

Disabling “Copilot can search the web” prevents Copilot from sending queries online, minimizing data exposure. Opting out of “Allow GitHub to use my data for product improvements” and “Allow GitHub to use my data for AI model training” ensures your code isn’t used to enhance GitHub’s models, safeguarding proprietary logic.

The “Suggestions matching public code (duplication detection filter)” setting sends snippets of up to 150 characters to GitHub for comparison in either state (allowed or blocked), so sensitive data such as API keys or tokens could still be transmitted through it. Copilot’s filters do block sensitive information (e.g., credentials, emails) from appearing in suggestions, and Copilot Chat in VSCode discards prompts after responding, but the safer control is to keep sensitive files out of Copilot’s reach altogether. Later steps in this guide explain how to block Copilot from accessing config files and other sensitive sources, so their contents are never sent in the first place.

2. VSCode Privacy Settings

In VSCode, press Ctrl+Shift+P, select “Preferences: Open User Settings (JSON)”, and add the following to your settings:

{
  "telemetry.telemetryLevel": "off",
  "telemetry.feedback.enabled": false,
  "workbench.enableExperiments": false,
  "extensions.autoUpdate": false,
  "extensions.ignoreRecommendations": true,
  "files.associations": {
    ".env*": "dotenv",
    "*.cfg": "ini",
    "*.cnf": "ini",
    "*.conf": "ini",
    "*.config": "ini",
    "*.ini": "ini",
    "*.yaml": "yaml",
    "*.yml": "yaml"
  },
  "github.copilot.enable": {
    "*": true,
    "dotenv": false,
    "ini": false,
    "yaml": false
  },
  "github.copilot.advanced": {
    "webSearch": false
  },
  "omnisharp.enableTelemetry": false,
  "powershell.telemetry.enable": false,
  "pylance.telemetry": false,
  "python.telemetry.enable": false,
  "debugpy.telemetry.enable": false
}

These settings minimize telemetry and data sharing, locking down VSCode and Copilot to prevent leaks.

Settings Breakdown

  • telemetry.telemetryLevel: "off": Disables all core VSCode telemetry, preventing usage data, crash reports, and error data from being sent to Microsoft once the setting takes effect.
  • telemetry.feedback.enabled: false: Disables feedback prompts, avoiding data collection.
  • workbench.enableExperiments: false: Prevents experimental features that may introduce telemetry.
  • extensions.autoUpdate: false: Halts automatic extension updates, letting you vet changes.
  • extensions.ignoreRecommendations: true: Stops automatic extension suggestions, which can involve data sharing.
  • github.copilot.advanced.webSearch: false: Ensures Copilot’s web search is disabled in VSCode.

File Associations and Copilot Enable

files.associations assigns language modes to sensitive file types (.env and variants such as .env.local to dotenv, .cfg/.cnf/.conf/.config/.ini to ini, .yaml/.yml to yaml). Paired with github.copilot.enable, which keeps Copilot on for every language ("*": true) but turns it off for dotenv, ini and yaml, this prevents Copilot from scanning or suggesting in configs or environment files that often hold sensitive data.

Extension Telemetry

Settings like omnisharp.enableTelemetry, powershell.telemetry.enable, pylance.telemetry, python.telemetry.enable, and debugpy.telemetry.enable disable telemetry for C#, PowerShell, and Python extensions, which may otherwise collect code snippets or usage data.
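Since the conclusion of this guide advises monitoring updates for changes to telemetry defaults, a repeatable check is useful. The following Python script is an added example, not part of the original post or of VSCode itself: it reads a settings file in the JSON-with-comments form VSCode writes, resolves the dotted keys (where, for instance, "telemetry.telemetryLevel" is one literal key but "github.copilot.enable.yaml" is a nested entry), and reports every baseline value from the block above that is missing or has drifted. The baseline dictionary, the sample settings text, and the command-line path handling are assumptions for this example.

```python
"""Audit a VS Code user settings file against the privacy baseline above.

Added example, not from the original post. Assumes the settings file is the
JSON-with-comments VS Code writes; the sample content below is constructed.
"""
import json
import re
import sys

MISSING = object()  # sentinel: key not present at all

# Baseline taken from the settings block above (dotted path -> expected value)
EXPECTED = {
    "telemetry.telemetryLevel": "off",
    "telemetry.feedback.enabled": False,
    "workbench.enableExperiments": False,
    "extensions.autoUpdate": False,
    "extensions.ignoreRecommendations": True,
    "github.copilot.enable.dotenv": False,
    "github.copilot.enable.ini": False,
    "github.copilot.enable.yaml": False,
    "github.copilot.advanced.webSearch": False,
}


def strip_jsonc(text):
    """Remove // and /* */ comments that sit outside string literals, then drop
    trailing commas before } or ] (VS Code tolerates both in settings.json)."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:  # keep the escaped character verbatim
                out.append(text[i + 1])
                i += 2
                continue
            in_str = c != '"'
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    # approximate: assumes no string literal contains ",}" or ",]"
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def lookup(obj, dotted):
    """Resolve a dotted path where any prefix may itself be a literal key,
    because VS Code keys such as "telemetry.telemetryLevel" contain dots."""
    if not isinstance(obj, dict):
        return MISSING
    if dotted in obj:
        return obj[dotted]
    parts = dotted.split(".")
    for i in range(len(parts) - 1, 0, -1):
        head, tail = ".".join(parts[:i]), ".".join(parts[i:])
        if head in obj:
            found = lookup(obj[head], tail)
            if found is not MISSING:
                return found
    return MISSING


def audit(settings_text):
    """Return one finding per baseline key whose value is absent or drifted."""
    settings = json.loads(strip_jsonc(settings_text))
    findings = []
    for key, expected in EXPECTED.items():
        found = lookup(settings, key)
        # strict comparison so that 0/1 never pass for False/True
        ok = type(found) is type(expected) and found == expected
        if not ok:
            shown = "<not set>" if found is MISSING else repr(found)
            findings.append(f"{key}: expected {expected!r}, found {shown}")
    return findings


# Constructed sample: two values have drifted from the baseline
SAMPLE_SETTINGS = """{
  // user settings, comments are allowed here
  "telemetry.telemetryLevel": "all",
  "telemetry.feedback.enabled": false,
  "workbench.enableExperiments": false,
  "extensions.autoUpdate": false,
  "extensions.ignoreRecommendations": true,
  "github.copilot.enable": {
    "*": true,
    "dotenv": false,
    "ini": false, /* the yaml entry was dropped */
  },
  "github.copilot.advanced": { "webSearch": false },
}
"""

if __name__ == "__main__":
    # Pass a real settings.json path to audit it; otherwise the sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SETTINGS
    for line in audit(text) or ["no drift from baseline"]:
        print(line)
```

Run it with the path of your user settings.json (on Linux typically under ~/.config/Code/User/) after each VSCode or extension update; any line of output is a setting to restore. The strict type comparison matters because a setting accidentally saved as a string ("false") would otherwise look compliant.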

3. Install Copilot Extensions

Open VSCode Extensions (Ctrl+Shift+X), search for “GitHub Copilot” and install it. It will automatically install “GitHub Copilot Chat” as well. Both are official extensions by GitHub. The Copilot extension handles code completion, while Copilot Chat supports conversational queries. Official extensions ensure compatibility, and our privacy settings limit their data-sharing risks.

4. Authenticate with GitHub

When prompted in VSCode, sign in to your GitHub account to activate Copilot.
This links the extension to your account, enabling features within usage limits of your plan.
If you have never set up Copilot before, you will start with a free plan.

5. Create a .copilotignore File

Whenever you create a new project, place a .copilotignore in the project's root folder to block Copilot from accessing sensitive files, using the same pattern syntax as .gitignore. Below is the content of the .copilotignore file I have made and use for my projects. Also available as a Gist: .copilotignore gist.

# paulsorensen.io .copilotignore
# Last Modified : 2025/04/15 03:36:15

# Cloud Services
.aws/*
.azure/*
.firebase/*
.kube/config

# Database
*.db
*.sql
*.sqlite

# General Configs
.dockerignore
.dropbox
.dropbox.cache/*
.env
.envrc
.gitignore
.python-version
.secrets
*.bak
*.backup
*.cfg
*.cnf
*.conf
*.config
*.ini
*.json
*.log
*.old
*.tmp
*.toml
*.txt
*.yaml
*.yml

# Linux
.crontab
.pass/*
.systemd/*
*.cron
*.service

# Miscellaneous
.Dockerfile
.Makefile
.Vagrantfile
.ansible.cfg
.hosts
.secret*
*.mk

# Package Managers
.composer.json
.composer.lock
.gemrc
.gradle.properties
.netlify/*
.npmrc
.Pipfile
.pyproject.toml
.requirements.txt
.yarnrc

# Security
.curlrc
.gitconfig
.gnupg/*
.id_ecdsa
.id_ed25519
.id_rsa
.netrc
.ssh/*
*.asc
*.gpg
*.jwt
*.key
*.p12
*.pass
*.pem
*.pfx
*.pwd
*.token

# Shell Scripts
.bash_profile
.bashrc
.kshrc
.profile
.zprofile
.zshrc

# Testing
.history/*
*_test.go
.test/**
.test_*.py
.tests/**
.tsconfig.json
.__tests__/**
*.test.js

# VSCode/Visual Studio
.app.config
.appsettings.*.json
.vscode/launch.json
.vscode/settings.json
.vscode/tasks.json
*.user

# Web Servers
.htaccess

# Windows
*.dll
*.exe
*.suo

This file excludes sensitive files like credentials (.env, .secrets), cloud configs (.aws/*), and logs (*.log) from Copilot’s scope. It complements the VSCode settings with project-specific control, covering cloud services, databases, package managers, security material, shell configs, testing artifacts, and more, making it a versatile template for privacy-focused projects.
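An ignore list is only as good as its coverage, so it is worth testing it against a real project tree before relying on it. The following Python script is an added example, not the post's own tooling: it applies a subset of the patterns above to a constructed list of project files under gitignore matching rules (the convention the post says the file mirrors; the tool that consumes .copilotignore may behave differently) and reports which files are excluded and which remain exposed. Under those rules an entry such as .Dockerfile matches only a file literally named .Dockerfile, so the script reports a plain Dockerfile as still exposed, which is exactly the kind of gap the check is meant to surface. The pattern excerpt and the file list are constructed for this example.

```python
"""Check which files a gitignore-style .copilotignore excludes from a project tree.

Added example, not the post's own tooling. Assumes gitignore matching rules;
the pattern excerpt and the project file list below are constructed.
"""
import fnmatch

# Subset of the patterns from the post's .copilotignore (constructed excerpt)
COPILOTIGNORE_EXCERPT = """\
# Cloud Services
.aws/*
.kube/config
# General Configs
.env
*.cfg
*.json
*.log
# Miscellaneous
.Dockerfile
.Makefile
# Security
.ssh/*
*.key
*.pem
# Testing
.test/**
*.test.js
"""

# Constructed project tree, root-relative POSIX paths
PROJECT_FILES = [
    ".env",
    ".aws/credentials",
    ".aws/cli/cache/token.json",
    ".kube/config",
    "config/app.cfg",
    "package.json",
    "src/main.py",
    "Dockerfile",
    "Makefile",
    "deploy/server.key",
    ".test/fixtures/sample.txt",
    "app.test.js",
    "logs/app.log",
]


def parse_patterns(text):
    """Keep the non-empty, non-comment lines, in file order."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def _leading_segments_match(pat_parts, path_parts):
    """Match each pattern segment against the corresponding leading path segment.
    Matching per segment keeps '*' and '?' from crossing a '/', as in gitignore.
    A match on a strict prefix means the pattern matched an ancestor directory,
    which excludes everything beneath it."""
    if len(path_parts) < len(pat_parts):
        return False
    return all(fnmatch.fnmatchcase(p, q) for p, q in zip(path_parts, pat_parts))


def matches(pattern, path):
    """gitignore-style test of one pattern against one path.
    Handled: basename patterns (no '/'), root-anchored patterns (with '/'),
    and a trailing '/**'. Negation ('!') and a leading '**' are not handled."""
    path_parts = path.strip("/").split("/")
    if pattern.endswith("/**"):
        prefix = pattern[:-3].strip("/").split("/")
        return len(path_parts) > len(prefix) and _leading_segments_match(prefix, path_parts)
    if "/" in pattern:
        return _leading_segments_match(pattern.strip("/").split("/"), path_parts)
    # no slash: the pattern may match the file name or any directory name on the path
    return any(fnmatch.fnmatchcase(part, pattern) for part in path_parts)


def classify(patterns, paths):
    """Map each path to the first pattern that excludes it, or None if exposed."""
    return {p: next((pat for pat in patterns if matches(pat, p)), None) for p in paths}


def exposed(patterns, paths):
    """Sorted paths that no pattern excludes; review these for secrets."""
    return sorted(p for p, hit in classify(patterns, paths).items() if hit is None)


if __name__ == "__main__":
    pats = parse_patterns(COPILOTIGNORE_EXCERPT)
    for path, hit in classify(pats, PROJECT_FILES).items():
        print(f"{'excluded' if hit else 'EXPOSED ':8}  {path:30}  {hit or ''}")
    # 'Dockerfile' stays exposed: '.Dockerfile' only matches that exact name
```

To use it on a real project, replace PROJECT_FILES with the output of a directory walk and COPILOTIGNORE_EXCERPT with the full file; anything listed as exposed that holds secrets needs either a new pattern or a move into an already-excluded location.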

Conclusion

We’ve secured GitHub Copilot in VSCode by disabling GitHub’s data-sharing options, tightening VSCode telemetry and Copilot settings, installing official extensions, authenticating safely, and implementing a comprehensive .copilotignore file. This setup ensures Copilot aids coding without risking sensitive data exposure.

Stay cautious: monitor GitHub and VSCode updates for changes to telemetry defaults, and tailor .copilotignore for unique project files. For Copilot Business or Enterprise users, check organization-level content exclusion settings. This approach balances AI productivity with robust privacy.
