Ask HN: VSCode, GitHub Copilot – Too easy to leak confidential info?
Hi. My team and I have been trialing using Github Copilot via the VS Code extension and it seems to be a huge security hole. By default, it enables itself on all files, and in the background sends those files to Github Copilot in order to do it's thing. The problem is - many of those files may contain sensitive info - API keys, private notes, etc. On more than one occasion I've been on a zoom call with a colleague and noticed the Github Copilot autocomplete helper happening on a file where API keys are, or confidential notes. So basically, people are unintentionally sending all kinds of sensitive stuff they don't intend to, to Github/Microsoft/OpenAI. The best you can do right now is to disable by file type. In my opinion this extension as it's currently implemented is a huge security hole and should probably be taken down by Microsoft until they come up with a way to opt in/out on a file by file basis - either .gitignore or simply a UI toggle that is default to off for EVERY file until you turn it on. Thoughts? Secrets like API keys should be added last, when the program is in the very last stages, then you can plug them in. I know, it sucks having to do that, but it's a strategy I've been using for years, and I use leaky things like Copilot too. If you must use API keys with Copilot, make the key related to some disposable staging/test environment, not important code like prod. No one uses API keys with Copilot intentionally. If you install the VSCode extension and start using it, and you happen to open a file that has an API key in it, boom - it's sent to Copilot. That is the issue. It's currently like walking a tightrope with no guardrails, and it's not obvious.