Your company has just purchased GitHub Copilot licences for the entire development team.
The promise is appealing: faster delivery, less repetitive work, more focus on the important stuff.
But after a few weeks… problems start to emerge:
- Code that is inconsistent with project standards.
- Missing unit tests.
- Insecure implementations in critical areas such as cookies, authentication, or input validation.
This happens because Copilot, by default, does not know your internal rules.
The solution: create a shared custom instructions file that every developer can use.
1. What are “Custom Instructions” for Copilot?
Instead of giving instructions in every comment or prompt, you can define a persistent set of rules that Copilot will always consider.
When it suggests code, it will then respect:
- Project style guidelines.
- Security practices.
- The correct framework and internal libraries.
- Linter rules.
💡 These instructions can be stored in a file (e.g., .copilot-instructions.md) and distributed to the whole team.
2. Example .copilot-instructions.md file
# GitHub Copilot – Corporate Instructions
## Style and Linter
- Always follow the rules from `.eslintrc.json` for JavaScript and `.pylintrc` for Python.
- Use single quotes in JavaScript/TypeScript.
- Always end statements with `;` in JS/TS.
## Security
- For cookies: set `httpOnly`, `secure`, `sameSite: strict`, and `maxAge`.
- Never include passwords or secrets in code.
- Validate all external input using patterns from `utils/validators`.
## Tests
- Always generate unit tests alongside new code.
- Use Jest for JS/TS projects and pytest for Python.
- Minimum coverage: 90%.
## Internal Libraries
- Use `logger` for logs, not `console.log`.
- Use `fetchWithAuth` instead of `fetch` for authenticated HTTP calls.
## Other
- Document every public function with JSDoc or Python docstrings.
- Avoid external dependencies not listed in `approved-deps.json`.
3. How to implement this across your team
Create the file .github/.copilot-instructions.md at the root of your project (create .github folder if you don't have it).
Share it in the base repository or in your project templates.
Configure Copilot so that it applies these rules: If you use Visual Studio Code, open the file at the start of a session and paste its content into Copilot’s “Custom Instructions” settings.
If your team uses GitHub Copilot Chat, paste the content as initial context.
In enterprise setups, include it as part of onboarding scripts or IDE initialisation steps.
4. Example in practice
Without instructions, Copilot might produce:
res.cookie('sessionId', id);
With .copilot-instructions.md in place, it will suggest:
res.cookie('sessionId', id, {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'strict',
maxAge: 1000 * 60 * 60 // 1 hour
});
5. Benefits
Consistency: all developers receive aligned suggestions.
Security: reduced risk of unsafe implementations.
Less friction: no need to repeat the same instructions in every prompt.
Faster onboarding: new joiners produce better code from day one.
Conclusion
Copilot is not a senior developer – it needs context.
A corporate instructions file turns that “intuition” into a set of explicit rules, helping Copilot to produce code that is secure, consistent, and compliant with your organisation’s standards.
For more details, see the Github Docs
Top comments (0)