Before you enable Copilot 클라우드 에이전트, it is good practice to set up your enterprise so you can be confident Copilot will operate within secure, predictable guardrails.
Learn about built-in protections
Copilot 클라우드 에이전트 has a strong base of built-in security protections designed to protect against common risk points of AI agents. See GitHub Copilot 클라우드 에이전트에 대한 위험 및 완화.
Plan policy settings
Plan your policies for Copilot 클라우드 에이전트 in advance. Policies allow you to set a baseline for restrictions at the enterprise level, which organization owners can restrict further if needed.
Some questions to ask are:
- Which organizations and repositories will Copilot 클라우드 에이전트 be enabled in? See GitHub Copilot 클라우드 에이전트에 대한 액세스 관리.
- Which MCP servers will you configure to give Copilot 클라우드 에이전트 access to external tools? See MCP(모델 컨텍스트 프로토콜)를 사용하여 GitHub Copilot 클라우드 에이전트 확장.
Which policies don't apply?
The following Copilot policies don't apply to Copilot 클라우드 에이전트:
- Content exclusions
- Custom models (providing your own LLM API keys)
- Private MCP registries
Adapt rulesets
Copilot 클라우드 에이전트 is already restricted from actions like pushing to a default branch or merging pull requests. You can build on these default protections in branch rulesets. Copilot 클라우드 에이전트 is subject to rulesets just like human developers.
To adapt your rulesets for Copilot 클라우드 에이전트:
- Consider whether additional rules are required in repositories where agents will operate, such as requiring results from code scanning or Code Quality. If you have identified the organizations or repositories where Copilot 클라우드 에이전트 will be enabled, you can apply a custom property to them so they're easy to target in a ruleset.
- Consider whether Copilot 클라우드 에이전트 will be blocked by any of your existing rulesets. Copilot can sign its commits, but it may not be able to follow other rules that restrict commit metadata.
- Protect important Copilot and MCP configuration files with a
CODEOWNERSfile, and enable the "Require review from Code Owners" rule, so that edits to these files must be approved by specific teams. For filepaths to target, see Copilot 사용자 지정 참고 자료.
Set up your GitHub Actions environment
Copilot 클라우드 에이전트 operates on GitHub Actions runners. Set up your runners and policies so that Copilot operates securely.
Store data and secrets
Continue to store data and tokens that you don't want Copilot to access as GitHub Actions variables or secrets. Copilot won't be able to access these in its sessions or environment setup steps.
If you need to provide data and secrets that Copilot 클라우드 에이전트 does need, you'll be able to do this in a specific copilot environment.
Configure runners
Decide which runners you will use for Copilot 클라우드 에이전트. We recommend using GitHub-hosted runners, so that each Copilot 클라우드 에이전트 runs on a fresh virtual machine. If you use self-hosted runners, we recommend using ephemeral runners.
Organization owners can restrict the Copilot 클라우드 에이전트's runners to a specific runner label, to be used automatically in all repositories. See 조직의 GitHub Copilot 클라우드 에이전트에 대한 실행기 구성.
Configure workflow policies
Decide whether GitHub Actions workflows should be blocked from running in pull requests that Copilot 클라우드 에이전트 creates. See GitHub Copilot 클라우드 에이전트에 대한 설정 구성.
By default, workflows are blocked from running until someone with write access approves them. Repository administrators will be able to disable this feature, so communicate with them in advance about your preferred setting.
Review default permissions
Review the default permissions for the GITHUB_TOKEN in your enterprise. See 엔터프라이즈에서 GitHub Actions 대한 정책 적용.
This policy does not affect the token that Copilot will receive for its sessions, but the GITHUB_TOKEN is used in environment setup steps defined in copilot-setup-steps.yml workflow files.
Bear in mind that developers will be able to set their own permissions in these workflow files, and you should encourage them to use the minimum required permissions in all workflows.
Next steps
When you're ready to enable Copilot 클라우드 에이전트, see 엔터프라이즈에서 GitHub Copilot 클라우드 에이전트 관리.