GitHub Copilot shipped one of its most consequential updates yet with the VS Code April releases โ€” Bring Your Own Key (BYOK), live browser sharing for agents, terminal access, and semantic search across workspaces. The Rubber Duck cross-model review agent went bidirectional, GitHub’s MCP Server reached new maturity milestones, and enterprise administrators gained new governance levers with managed CLI plugins. Here is everything that matters for engineering teams in this week’s Copilot Weekly.

VS Code April Releases: The Agent Workflow Reset

VS Code versions 1.116โ€“1.119 landed on May 6 with agent-mode features that fundamentally reshape how developers interact with Copilot in the IDE. Source

Bring Your Own Key (BYOK)

Copilot Business and Enterprise users can now link their own API keys โ€” from OpenRouter, Microsoft Foundry, Google, Anthropic, OpenAI, or local models via Ollama โ€” for use directly in VS Code chat. Admins control access through the “Bring Your Own Language Model Key” policy on GitHub.com. Why it matters: BYOK uncouples the Copilot subscription from model selection. Teams with negotiated API contracts, region-restricted model requirements, or bleeding-edge preview needs no longer have to wait for GitHub to add them.

Enterprise angle: Configuring BYOK across an organization requires careful planning around compliance, cost tracking, and key governance. Our AI & Automation practice helps enterprises evaluate model sourcing strategies that align with existing procurement and security policies.

Terminal Access & Browser Sharing

Agents can now read from and write to existing foreground terminals, including running REPLs and interactive scripts. Separately, agents can access the user’s live browser by sharing tabs on demand โ€” reading content, interacting with pages, and validating changes in real time. Why it matters: The terminal was a blind spot for coding agents; now agents can diagnose running processes and inspect server logs mid-debug. Combined with browser access, this makes agents capable of end-to-end interaction with a running application โ€” from code generation through runtime validation.

Semantic Search Across Workspaces

The agent can now search by meaning across any workspace and run grep-style queries across GitHub repos and orgs using a new githubTextSearch tool. Why it matters: Semantic search dramatically improves context-finding in large codebases where naming conventions vary โ€” “session timeout handling” finds relevant code even when the implementation uses “token expiry” or “auth window.”

What Else Shipped

  • Inline diffs in chat โ€” Code changes appear as diffs directly in the chat thread.
  • /chronicle (Experimental) โ€” Query your own chat history to recall past sessions and PRs.
  • Lower token usage โ€” Smarter prompt caching and deferred tool loading reduce consumption.
  • Remote CLI session steering โ€” Copilot CLI sessions started in VS Code can be monitored from GitHub.com or GitHub Mobile (experimental).
  • Agent plugins (Preview) โ€” Prepackaged bundles of skills, agents, hooks, and MCP servers, discoverable from marketplaces and centrally recommended via workspace settings.

Rubber Duck Goes Bidirectional

The Rubber Duck cross-family review agent in Copilot CLI now works both ways:

  • GPT-session users: Get a Claude-powered Rubber Duck for a second opinion.
  • Claude-session users: Pair with GPT-5.5 as the reviewer model (upgraded).

Requires /experimental on. Source

Why it matters: Cross-family review exploits the complementary strengths of different model architectures. An earlier post showed Claude Sonnet + Rubber Duck closing 74.7% of the performance gap between Sonnet and Opus on SWE-Bench Pro. This week extends that capability to both families โ€” every developer gets a different model’s perspective, regardless of their primary choice. For enterprises worried about single-model blind spots, this is a practical hedge.

MCP Server Milestones

Secret scanning via the GitHub MCP Server is now generally available โ€” MCP-compatible agents can scan for exposed secrets before commit or PR, honoring existing push protection customizations. Source

Dependency scanning entered public preview, checking changes against the GitHub Advisory Database and returning structured results with affected packages, severity, and fixed versions. Source

Why it matters: These turn the MCP Server into a pre-commit security gate. The GA designation on secret scanning signals production readiness โ€” agents can automatically check for secrets and vulnerabilities as part of their workflow, catching issues before they ever reach a PR.

Enterprise Administration

Managed CLI Plugins โ€” Public Preview

Enterprise admins can centrally configure and distribute plugins to Copilot CLI users via a settings.json at .github-private/.github/copilot/settings.json. Plugins auto-install when Business or Enterprise users authenticate with Copilot CLI. Source

Why it matters: Without centralized CLI management, each developer configures their plugins independently โ€” creating inconsistency and security gaps. This lets admins enforce a standard toolchain while still allowing customization.

Cloud Agent: Organization-Level Secrets

The Copilot cloud agent now has a dedicated “Agents” section for secrets and variables. Admins can configure these at the organization level for the first time, sharing them across repositories with per-repo access control. Source

Enterprise angle: Centralized secret management is table stakes for AI governance at scale. Teams adopting Copilot agents organization-wide should pair this with structured AI automation practices to maintain audit trails and access controls.

Code Review Metrics Get Granular

The usage metrics API now exposes copilot_suggestions_by_comment_type, breaking down suggestions by category (security, bug_risk) with total and applied counts. Source

Model Deprecations: Three Models on the Move

Multiple model deprecations require attention:

  • Claude Sonnet 4 โ€” Deprecated May 6. Switch to Claude Sonnet 4.6.
  • GPT-4.1 โ€” Deprecated June 1. Switch to GPT-5.5.
  • Grok Code Fast 1 โ€” Accelerated to May 15 per xAI request. Alternatives: GPT-5 mini or Claude Haiku 4.5.

Source (Claude) | Source (GPT-4.1) | Source (Grok)

Why it matters: Grok’s accelerated timeline leaves less than a week to migrate. GPT-4.1 teams have until June 1 โ€” which also coincides with Copilot code review beginning to consume GitHub Actions minutes for private repos. This is a good moment to audit both model selection and upcoming cost impact. Source (AI Credits)

Also This Week

  • Token efficiency deep dive โ€” GitHub published how they instrumented production agentic workflows, finding that unused MCP tool registrations added 8โ€“12 KB per call in overhead. Replacing GitHub MCP calls with gh CLI calls for data-fetching eliminated full LLM round-trips. Essential reading for teams running agents at scale. Source

  • Enterprise Live Migrations โ€” Public Preview โ€” Migrate repos from GHES to GHEC with data residency and zero-downtime cutover in minutes. Ships with GHES 3.17.14+. Source

  • Code-to-cloud risk visibility โ€” GA โ€” Defender for Cloud correlates container images back to source repos, with new runtime context filters in GitHub Advanced Security. Source

  • Datadog Copilot integration โ€” Tracks completions, chat, agent mode, and CLI metrics by team/language/IDE/repo, plus a GA MCP Server for live observability data access. Source

  • Guide to reviewing agent-generated PRs โ€” Practical advice on catching technical debt before it ships. Source

What to Watch

  • May 15: Grok Code Fast 1 deprecation โ€” Accelerated. Test GPT-5 mini or Claude Haiku 4.5 now.
  • June 1: GPT-4.1 deprecation + AI Credits enforcement โ€” Two changes converge. Audit model selection and code review cost simultaneously.
  • Docker Extension for Copilot (Limited Beta) โ€” Containerization guidance, Dockerfile generation, and Docker Scout vulnerability analysis for Node, Python, and Java. Source
  • MCP Registry expansion โ€” Infrastructure (Azure, Terraform), databases (MongoDB, Elasticsearch), and design (Figma, Webflow) servers now cataloged.

That is a wrap for this week’s Copilot Weekly. The VS Code April update alone would be notable, but combined with bidirectional Rubber Duck reviews, MCP Server maturity, and new enterprise governance tools, this was a week that advanced Copilot on every front โ€” from the individual developer’s IDE to the admin’s control panel.

Put these capabilities to work in your organization. Whether you’re evaluating BYOK configuration, rolling out MCP Server security scanning, or building an enterprise AI governance strategy, Big Hat Group can help. Contact our team or explore our AI & Automation services.

Check back next week for the latest.