So GitHub just updated their Copilot data usage policy. The short version: interaction data from all user tiers, including free users, will be used to train and improve their models, and the setting is on by default, so you have to opt out. If you're reading this with a knot in your stomach, you're not alone.
Let's skip the outrage cycle and focus on the actual problem: how do you figure out what data you're exposing, and how do you lock it down?
The Real Problem: You Don't Know What's Being Sent
Here's what caught most people off guard. It's not just your code that's being collected — it's your interaction data. That means prompts, suggestions you accepted or rejected, and the context surrounding those interactions. If you've been using Copilot to help debug a production issue at 2am, that context went somewhere.
The frustrating part isn't that data collection exists. It's that the defaults changed silently, and most developers won't notice until someone posts about it on Reddit.
Step 1: Check Your Current Settings
First, let's see where you actually stand. Head to your GitHub settings and check what's enabled:
https://github.com/settings/copilot
You're looking for the section about data usage and telemetry. On individual accounts, you should see toggles for allowing GitHub to use your data for product improvement. On organization accounts, admins control this at the org level.
If you're managing a team, check the org-level settings too:
https://github.com/organizations/YOUR_ORG/settings/copilot
Step 2: Audit What You've Already Sent
Before you flip any switches, it helps to know what's already out there. GitHub gives you two self-service exports: "Export account data" under Settings → Account, and the migrations API, which bundles the repositories you name into a downloadable archive:
#!/bin/bash
# Start a user migration archive via the API.
# "repositories" is required and must name at least one repo as owner/name;
# an empty list is rejected.
curl -X POST \
  -H "Authorization: Bearer $GITHUB_TOKEN" \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/user/migrations \
  -d '{"repositories": ["YOUR_USER/YOUR_REPO"], "lock_repositories": false}'
# Then poll GET /user/migrations/{migration_id} until "state" is "exported"
# and download the archive from GET /user/migrations/{migration_id}/archive.
The migration archive is repository data, so it won't show you Copilot interaction data specifically, but it's a good starting point for understanding your overall data footprint. For Copilot-specific data, you'll need to go through the GitHub privacy contact page and submit a Subject Access Request.
Step 3: Opt Out Properly
Here's the step-by-step to actually opt out. This matters because there are multiple settings and missing one means you're still sharing data.
For individual users:
- Go to Settings → Copilot
- Find the telemetry/data sharing section
- Disable "Allow GitHub to use my data for product improvement" (or however they've worded it this week)
- While you're there, review the code snippet collection settings too
For organization admins:
# Check your org's current Copilot policy via the API
# (needs an org admin token with the manage_billing:copilot scope)
curl -s \
  -H "Authorization: Bearer $GITHUB_TOKEN" \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/orgs/YOUR_ORG/copilot/billing \
  | python3 -m json.tool
The response covers seat assignment (seat_management_setting) and suggestion policies such as the public-code filter; the training-data toggle itself lives on the org's Copilot policies page on github.com. Org admins can enforce opt-out across the entire organization from there, which is the move if you're dealing with proprietary code.
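If you want that API check to be more than a JSON dump, here is an added example (my code, not from the original post or from GitHub) that turns the billing response into a pass/fail audit you can run in CI. The field names and values it relies on (public_code_suggestions: allow/block/unconfigured; seat_management_setting: assign_all/assign_selected/disabled/unconfigured) follow that endpoint's documented response; treat them as an assumption and confirm against a live call. The function names, the thresholds and the sample response are made up for the example. Note what is not in this payload: the training-data toggle, which still has to be checked on the org's Copilot policies page.

```shell
#!/bin/sh
# Added example: audit the JSON from GET /orgs/{org}/copilot/billing.
# Field names are assumed from that endpoint's documented response.

# Pull one string-valued field out of a JSON document on stdin. A deliberately
# small sed-based extractor (no jq dependency) that is fine for flat, known keys.
json_field() {
    sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Audit the billing JSON on stdin. Prints one line per check; returns 1 if any fail.
audit_copilot_policy() {
    json=$(cat)
    rc=0

    # Least exposure: seats handed out explicitly (or Copilot off), not to everyone.
    seats=$(printf '%s\n' "$json" | json_field seat_management_setting)
    case "$seats" in
        assign_selected|disabled)
            echo "PASS seat_management_setting=$seats" ;;
        *)
            echo "FAIL seat_management_setting=${seats:-missing} (want assign_selected or disabled)"
            rc=1 ;;
    esac

    # Suggestions matching public code blocked, the usual setting for proprietary repos.
    suggestions=$(printf '%s\n' "$json" | json_field public_code_suggestions)
    if [ "$suggestions" = "block" ]; then
        echo "PASS public_code_suggestions=block"
    else
        echo "FAIL public_code_suggestions=${suggestions:-missing} (want block)"
        rc=1
    fi

    # Visibility only: total seats, so the audit log records who is exposed at all.
    total=$(printf '%s\n' "$json" | sed -n 's/.*"total"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    echo "INFO seats_total=${total:-unknown}"
    return $rc
}

# Constructed sample response for offline use; the shape mirrors the endpoint's
# documented response but the numbers and settings are made up.
SAMPLE_POLICY='{
  "seat_breakdown": { "total": 12, "added_this_cycle": 1, "active_this_cycle": 10 },
  "public_code_suggestions": "allow",
  "seat_management_setting": "assign_all",
  "plan_type": "business"
}'

# Live use, with an org admin token that has the manage_billing:copilot scope:
#   gh api "orgs/$ORG/copilot/billing" | audit_copilot_policy
```

Run against the constructed sample it reports two FAIL lines and exits non-zero; wire the live `gh api` call into a scheduled job and the exit status becomes your drift alarm when someone quietly flips a policy back.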
Step 4: Set Up a Local Safety Net
Opting out is one thing, but if you want real control, you need to think about what leaves your machine in the first place. Here's a git pre-commit hook to remind yourself:
#!/bin/bash
# Pre-commit hook: warn when the lines being ADDED in this commit contain
# common sensitive patterns. Save this as .git/hooks/pre-commit and chmod +x it.
SENSITIVE_PATTERNS=(
  "API_KEY"
  "SECRET"
  "password"
  "private_key"
  "BEGIN RSA"
)
# Only inspect added lines of the staged diff: skip the "+++ b/file" headers,
# and ignore context and removed lines so deleting a secret does not trip the hook.
ADDED=$(git diff --cached --diff-filter=ACM -U0 | grep '^+' | grep -v '^+++')
for pattern in "${SENSITIVE_PATTERNS[@]}"; do
  if printf '%s\n' "$ADDED" | grep -qi -- "$pattern"; then
    echo "WARNING: Possible sensitive data detected: $pattern"
    echo "Review your staged changes before committing."
    # Uncomment the next line to block the commit entirely
    # exit 1
  fi
done
This doesn't stop Copilot from seeing your code in the editor — that ship sails the moment you type. But it adds a layer of awareness about what's in your repo.
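The keyword list above is a reminder, not a detector: "password" will fire on every login form you ever write. As an added example (my code, not from the original post), here is a stricter version of the same hook that matches the shape of real credentials and reports only on added lines. The token formats it uses are public (AWS access key IDs are AKIA plus 16 characters, classic GitHub personal access tokens are ghp_ plus 36, PEM private keys start with a "-----BEGIN ... PRIVATE KEY-----" header); the function names and the sample diff are constructed for the example.

```shell
#!/bin/sh
# Added example: a shape-based secret scanner for staged diffs.
# Function names and the sample diff below are made up for illustration.

# Keep only added lines from a unified diff on stdin: drop "+++ b/file" headers,
# then strip the leading "+".
added_lines() {
    grep '^+' | grep -v '^+++' | sed 's/^+//'
}

# Run every rule ("<label> <extended regex>", one per line in the here-doc) over
# the lines on stdin. Prints one WARNING per matching line; returns 0 when clean
# and 1 when anything matched. The generic rule catches quoted literals of 8+
# characters assigned to credential-looking names, so env lookups do not fire.
scan_lines() {
    input=$(cat)
    hits=0
    while read -r label regex; do
        [ -n "$label" ] || continue
        matches=$(printf '%s\n' "$input" | grep -E -- "$regex" || true)
        if [ -n "$matches" ]; then
            hits=1
            printf '%s\n' "$matches" | while IFS= read -r line; do
                printf 'WARNING [%s]: %s\n' "$label" "$line"
            done
        fi
    done <<EOF
aws_access_key_id AKIA[0-9A-Z]{16}
github_pat_classic ghp_[A-Za-z0-9]{36}
private_key_block -----BEGIN [A-Z ]*PRIVATE KEY-----
hardcoded_credential ([Pp]assword|[Ss]ecret|[Aa]pi_?[Kk]ey|[Tt]oken)[[:space:]]*[=:][[:space:]]*['"][^'"]{8,}
EOF
    return $hits
}

# Scan a unified diff on stdin; exit status 1 means something looked like a secret.
check_diff() {
    added_lines | scan_lines
}

# Constructed sample diff for offline use. The AWS key is Amazon's documented
# example ID, the PAT is a zero-filled placeholder of the right length, and the
# private-key header sits on a REMOVED line, so it must not be reported.
SAMPLE_DIFF=$(cat <<'EOF'
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,4 +1,5 @@
 DEBUG = False
-SIGNING_KEY = """-----BEGIN RSA PRIVATE KEY-----"""
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+GITHUB_TOKEN = "ghp_000000000000000000000000000000000000"
+db_password = "correct-horse-battery"
 ALLOWED_HOSTS = ["example.com"]
EOF
)

# Hook entry point. Install: copy this file to .git/hooks/pre-commit, chmod +x it,
# and uncomment the last line so a hit blocks the commit instead of just warning.
run_hook() {
    git diff --cached --diff-filter=ACM -U0 | check_diff
}
# run_hook || { echo "Commit blocked: review the findings above."; exit 1; }
```

On the sample diff this reports the AWS key, the PAT and the hardcoded password and stays quiet about the removed private key; a line like `api_key = os.environ["API_KEY"]` passes clean, which is exactly the case the keyword version gets wrong.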
Step 5: Consider Your Editor-Level Options
If you're really serious about this, you can control things at the editor level. VS Code lets you turn Copilot off per language, which is the blunt instrument for file types that tend to hold configuration and secrets:
// In your VS Code settings.json
{
  "github.copilot.enable": {
    "*": true,
    "plaintext": false,
    "markdown": false,
    "yaml": false // often contains config/secrets
  }
}
Two caveats. First, there is no settings.json key for excluding paths such as **/.env* or **/secrets/**; path-based rules are Copilot content exclusions, which you configure in the repository's (or organization's) Copilot settings on github.com, and the editor then enforces them. Second, the per-language toggle only controls where completions appear; it is content exclusion, not this toggle, that keeps a file from being used as context for suggestions elsewhere.
This is actually my preferred approach. I keep Copilot on for the code I'm writing but exclude anything that might contain infrastructure secrets or sensitive configuration.
The Bigger Picture: Building Better Habits
Honestly, this GitHub situation is a symptom of a broader problem. Every AI coding tool is hungry for training data, and the incentives will always push toward more collection, not less. Here's what I've started doing across all my projects:
- Separate sensitive config from code. Use environment variables and external secret managers. If it never hits your editor, it can't be collected.
- Review your extensions periodically. Not just Copilot — any AI extension could be phoning home. Check what telemetry each one sends.
- Use .gitignore patterns aggressively. Even for files that shouldn't exist in the repo, having the ignore pattern is a safety net.
- Read the policy updates. Yeah, I know. Nobody does this. But a 5-minute skim every few months beats finding out on Reddit that your data practices changed.
Prevention: Automate the Boring Parts
Set up a quarterly reminder to audit your settings. Seriously, put it in your calendar. These policies change, defaults get reset during updates, and new features get opted in without fanfare.
For teams, consider writing this into your onboarding docs. New developer joins? Part of their setup checklist should include reviewing data sharing settings on every tool they install. It takes five minutes and saves everyone a headache later.
#!/bin/bash
# Quick audit script: run this periodically.
# Set ORG=your-org to also pull the org-level Copilot policy (needs an org admin
# token with the manage_billing:copilot scope). The personal data-sharing toggles
# have no public API endpoint, so those still get checked in the browser.
echo "=== GitHub Copilot Settings Audit ==="
echo "Checking GitHub CLI auth status..."
gh auth status 2>&1
echo ""
if [ -n "${ORG:-}" ]; then
  echo "Org-level Copilot policy for $ORG:"
  gh api "orgs/$ORG/copilot/billing" 2>/dev/null \
    || echo "Could not fetch org Copilot settings (check your token scopes)"
  echo ""
fi
echo "Remember to also check:"
echo " - https://github.com/settings/copilot"
echo " - Your org settings if applicable"
echo " - VS Code extension telemetry settings"
The goal isn't paranoia. It's informed consent. Use the tools if they make you productive — just know what you're trading for that productivity, and make sure it's a trade you're actually choosing to make.