Copilot Is a Tool, Not an Oracle
GitHub Copilot is genuinely useful — but developers who accept every suggestion blindly write worse code than those who write without it. The key is treating Copilot as an extremely fast junior developer whose output you always review.
How Copilot Works
Copilot is powered by a large language model trained on public code repositories. It predicts what code should come next based on:
- The current file content
- Open tabs in your editor
- Comments and function names you've written
- The surrounding code context
It's completing patterns, not reasoning. It doesn't know what your app does — it knows what code that looks like your code usually does.
What Copilot Is Great At
Boilerplate and Scaffolding
// Write this comment, let Copilot complete the rest:
// Function that validates an email address using regex
// Copilot suggests:
function validateEmail(email: string): boolean {
const regex = /^[^s@]+@[^s@]+.[^s@]+$/;
return regex.test(email);
}
Test Generation
Write a function, then type:
// Tests for validateEmail
describe('validateEmail', () => {
// Copilot will suggest comprehensive test cases
Repetitive Patterns
After writing one iteration of a pattern, Copilot autocompletes the rest:
const ROUTES = {
home: '/',
about: '/about',
// Copilot continues the pattern...
Documentation
/**
* // Copilot writes the JSDoc based on function signature and implementation
*/
function parseDate(input: string): Date {}
What Copilot Is Bad At
Business logic — Copilot doesn't know your domain rules. It'll generate plausible-looking logic that may be subtly wrong.
Security-sensitive code — Copilot has seen lots of vulnerable code in training data. Review auth, crypto, and input handling with extra care.
Complex algorithms — For anything non-trivial algorithmically, verify correctness independently.
Your specific codebase conventions — It doesn't know your team's patterns unless they're in open tabs.
Prompting Copilot Effectively
Better context → better suggestions.
// Vague — generates generic code:
// Get users
// Specific — generates targeted code:
// Fetch paginated users from PostgreSQL, ordered by created_at desc,
// accepting page and pageSize parameters, returning total count
async function getUsers(page: number, pageSize: number) {
// Copilot now has enough context
Keyboard Shortcuts
| Action | Mac | Windows |
|---|---|---|
| Accept suggestion | Tab | Tab |
| Dismiss suggestion | Esc | Esc |
| Next suggestion | Opt+] | Alt+] |
| Prev suggestion | Opt+[ | Alt+[ |
| Open Copilot panel (all suggestions) | Ctrl+Enter | Ctrl+Enter |
Security Considerations
- Never commit secrets — Copilot sometimes suggests hardcoded API keys from its training data
- Review crypto implementations — Cryptographic code is often subtly wrong
- Check SQL for injection — Copilot may generate string-interpolated SQL
- Verify package suggestions — It sometimes suggests packages that no longer exist or have been compromised
Copilot Chat vs Inline Completion
Inline completion (the classic ghost text) — best for continuing code you're already writing.
Copilot Chat — better for explaining code, suggesting refactors, asking "why is this slow?", or getting it to write a whole function from a description.
The Right Mental Model
Think of Copilot as autocomplete that sometimes writes entire functions. The same way you'd review a for loop completion, review a function completion. Speed up by accepting obvious suggestions instantly. Slow down on anything security-related, logic-heavy, or business-critical.
Conclusion
Copilot's ROI is real — it's especially good at tests, boilerplate, and repetitive patterns. But coding with Copilot requires active engagement, not passive acceptance. Read every suggestion. Understand what you're accepting. Your job is to be the intelligent filter between Copilot's pattern matching and your production codebase.
