Need stronger controls to prevent GitHub Copilot(AI) from accessing sensitive data/code in IDE (VS code)

[MaheshD777]

Select Topic Area

General

Copilot Feature Area

VS Code

Body

Hi GitHub Copilot team,

I'm a Copilot subscriber actively using the extension in VS Code across multiple real-world codebases. While Copilot provides immense value in boosting productivity, I have serious concerns about limiting its visibility into sensitive data — especially secrets, credentials, proprietary configurations, and internal logic that should not be accessed by any AI assistant.

[Leorev01]

Hey @MaheshD777
Right now, there’s no way to tell GitHub Copilot to ignore specific files or folders in VS Code. But you can exclude Copilot from certain languages in your settings. For example:

"github.copilot.enable": {
  "*": true,          // enable Copilot for all languages by default
  "yaml": false,      // disable for YAML files
  "plaintext": false  // disable for plain text files
}

[MaheshD777]

Hi @Leorev01
Seems working partially and not sure -
"github.copilot.enable": {
"*": true, // enable Copilot for all languages by default
"yaml": false, // disable for YAML files
"plaintext": false , // disable for plain text files
"dotenv": false, // disable for .env files
".env": false, // disable for .env files
"json":false,
"credentialManager.json": false // disable for credentialManager.json files
}
With this still Copliot accesseed to .env, json and credentialManager so not fully working this settings.json too
Here is the reply from Copiot -

[Leorev01]

Hi @Leorev01

Seems working partially and not sure -

"github.copilot.enable": {

"*": true, // enable Copilot for all languages by default

"yaml": false, // disable for YAML files

"plaintext": false , // disable for plain text files

"dotenv": false, // disable for .env files

".env": false, // disable for .env files

"json":false,

"credentialManager.json": false // disable for credentialManager.json files

}

With this still Copliot accesseed to .env, json and credentialManager so not fully working this settings.json too

Here is the reply from Copiot -

Apparently you can disable copilot from accessing specific files like this:

"github.copilot.ignoredFiles": [
"/*.env",
"/*.json",
"**/credentialManager.json"
]

This explicitly tells Copilot to ignore .env, .json, and credentialManager.json files.

Try this and let me know if it works for you

[Mijutra]

CAUTION: This only works for auto-complete. Agent will still read the files.

[MaheshD777]

Hi @Leorev01
Still same behaviour after added that in settings.json too, still copilot able to read and here is the explaination from Copilot -
"They do not prevent:
Files from being loaded in the workspace context
AI assistants from reading file contents
Files from being included in conversation context
For true security of sensitive files like [.env](vscode-file://vscode-

Keep them in a separate, restricted workspace
Never open them in AI-enabled editors
Use a secure credential manager or vault service
Implement proper access controls at the system level"

[Leorev01]

Thats unfortunate, maybe they can add a feature to exclude files directly soon

[MaheshD777]

Hi @Leorev01 ,
Thank you for your support so far.

I have one more security concern. Currently, I’m using GitHub Copilot alongside the MCP (Model Context Protocol) server, which is enabled in my VS Code environment.

Is it safe to allow Copilot to interact with the browser via the MCP server and access the accessibility tree? I want to make sure this setup doesn’t introduce any security risks or unintended exposure of sensitive information.

Looking forward to your guidance on this.

Thanks,