How to Add Action Gating to GitHub Copilot Workflows
SafeClaw by Authensor enforces deny-by-default policies on GitHub Copilot's agent mode actions, gating every file edit, terminal command, and MCP tool call before Copilot executes it. When Copilot agent mode proposes changes in VS Code, SafeClaw intercepts those actions and checks them against your YAML policy — blocking anything not explicitly permitted.
How Copilot Agent Mode Works
GitHub Copilot's agent mode operates differently from inline completions. In agent mode, Copilot can edit files across your project, run terminal commands, install packages, and call MCP-connected tools. It plans multi-step tasks and executes them autonomously. VS Code asks for confirmation before running terminal commands, but file edits are applied to the workspace as the agent works and are only presented for review afterwards. The attack surface includes arbitrary file writes, arbitrary shell command execution, malicious or typosquatted packages (including dependency confusion) pulled in by installs, and unauthorized MCP tool invocations, any of which can be triggered by a prompt injection in content the agent reads.
```text
Copilot Agent Plan → Proposed Action → [SafeClaw Policy Check] → Execute or Deny
```
Quick Start
```shell
npx @authensor/safeclaw
```
Creates a safeclaw.yaml in your project root. When integrated with Copilot's MCP server configuration, SafeClaw evaluates every action Copilot's agent mode proposes.
Step 1: Define Copilot-Specific Policies
```yaml
# safeclaw.yaml
version: 1
default: deny   # anything no rule explicitly allows is blocked
policies:
  - name: "copilot-file-edits"
    description: "Control which files Copilot can modify"
    actions:
      - tool: "file_edit"
        effect: allow
        constraints:
          path_pattern: "src/**"
      - tool: "file_edit"
        effect: allow
        constraints:
          path_pattern: "tests/**"
      - tool: "file_edit"
        effect: deny
        constraints:
          path_pattern: ".env|.key|.pem|docker-compose"
      - tool: "file_create"
        effect: allow
        constraints:
          path_pattern: "src/|tests/"
  - name: "copilot-terminal-commands"
    description: "Restrict terminal command execution"
    actions:
      - tool: "terminal_command"
        effect: allow
        constraints:
          # "npm run " admits every script in package.json, so keep package.json
          # itself outside the paths Copilot may edit (it is not under src/ or tests/)
          command_pattern: "npm test|npm run |npx jest|git status|git diff"
      - tool: "terminal_command"
        effect: deny
        constraints:
          # "|" separates alternatives, so a literal shell pipe such as "curl ... | sh"
          # cannot be written as one alternative; "curl " alone blocks any curl call
          command_pattern: "rm -rf|sudo |curl |chmod "
      - tool: "terminal_command"
        # catch-all deny for every other terminal command; how it interacts with the
        # allow rules below depends on SafeClaw's rule precedence
        effect: deny
  - name: "copilot-package-installs"
    description: "Control package installations"
    actions:
      - tool: "terminal_command"
        effect: allow
        constraints:
          # only @types packages, installed as dev dependencies
          command_pattern: "npm install --save-dev @types/*"
      - tool: "terminal_command"
        effect: deny
        constraints:
          command_pattern: "npm install *"
```
Step 2: Configure SafeClaw as a Copilot MCP Server
Copilot agent mode supports MCP servers for tool execution. Configure SafeClaw as a gating layer in your VS Code settings:
```jsonc
// .vscode/settings.json
{
  "github.copilot.chat.agent.mcp": {
    "servers": {
      "safeclaw": {
        "command": "npx",
        "args": ["@authensor/safeclaw", "mcp-server"],
        "env": {
          "SAFECLAW_POLICY": "./safeclaw.yaml"
        }
      }
    }
  }
}
```
This registers SafeClaw as an MCP server, so tool calls Copilot makes to it are evaluated against your policy before anything executes. Two checks before relying on it: an MCP server only receives calls to the tools it exposes, so confirm in SafeClaw's documentation how its gating covers Copilot's built-in file and terminal tools rather than only its own; and verify the setting key against your VS Code release, since the MCP configuration location has changed over time (recent releases read workspace servers from .vscode/mcp.json).
Step 3: Protect Sensitive Files
Copilot agent mode can access any file in your workspace. Define explicit deny rules for sensitive paths:
```yaml
policies:
  - name: "sensitive-file-protection"
    description: "Block access to secrets and configs"
    actions:
      - tool: "file_read"
        effect: deny
        constraints:
          path_pattern: ".env|.key|*.pem|secrets/|credentials/"
      - tool: "file_edit"
        effect: deny
        constraints:
          path_pattern: ".github/workflows/*|Dockerfile|.lock"
```
This prevents Copilot from reading your environment files or modifying CI/CD pipelines, even if prompted to do so by a malicious instruction in a code comment or another file it reads. Where an allow rule and a deny rule both match the same path (for example a file_edit of src/.env, which matches both "src/**" and ".env"), the outcome depends on SafeClaw's rule precedence; check its documentation and test such overlaps before relying on them.
Step 4: Audit Copilot's Actions
Every action Copilot proposes — whether allowed or denied — is logged to SafeClaw's hash-chained audit trail:
```shell
npx @authensor/safeclaw audit --last 100 --filter agent=copilot
```
This gives your team full visibility into what Copilot tried to do, what was permitted, and what was blocked. The hash chain makes the log tamper-evident: altering or deleting an entry breaks the chain from that point on. On its own it is not proof against someone who can rewrite the whole file and recompute every hash, so periodically record the latest chain hash somewhere the workstation cannot modify (a CI artifact or a central log) and verify the local log against it.
Why SafeClaw
- 446 tests covering policy evaluation, edge cases, and audit integrity
- Deny-by-default — Copilot's new capabilities are blocked until explicitly allowed
- Sub-millisecond evaluation — no delay to Copilot's interactive agent workflow
- Hash-chained audit log — tamper-evident record of every Copilot action
- Model-agnostic: SafeClaw gates the proposed action, not the model's text, so the same policy applies whether Copilot is running an OpenAI model or Anthropic's Claude
Related Pages
- How to Secure AI Agents in Cursor IDE
- How to Add Safety Controls to Windsurf AI Agents
- How to Secure MCP Servers
- How to Secure Devin and Autonomous Coding Agents
Try SafeClaw
Action-level gating for AI agents. Set it up in your browser in 60 seconds.
```shell
npx @authensor/safeclaw
```