GitHub Copilot
Install the Vulnetix security plugin for GitHub Copilot CLI.
Quick Install
npx skills add Vulnetix/pix-ai-coding-assistant
This installs the Vulnetix security skills into your project’s .copilot/skills directory.
Via GitHub CLI (Preview)
GitHub CLI v2.90.0+ includes gh skill, a dedicated skills manager for GitHub Copilot and other agents. It adds version pinning, content-addressed change detection, and centralized update management on top of the standard skills install.
Requires GitHub CLI v2.90.0+.
Search for the plugin:
gh skill search vulnetix
Install individual skills (note: for the full plugin including hooks, commands, and the bulk-triage agent, use npx skills add above):
gh skill install Vulnetix/pix-ai-coding-assistant dashboard
gh skill install Vulnetix/pix-ai-coding-assistant exploits
gh skill install Vulnetix/pix-ai-coding-assistant exploits-search
gh skill install Vulnetix/pix-ai-coding-assistant fix
gh skill install Vulnetix/pix-ai-coding-assistant package-search
gh skill install Vulnetix/pix-ai-coding-assistant remediation
gh skill install Vulnetix/pix-ai-coding-assistant vuln
Pin to a specific release for reproducible installs:
gh skill install Vulnetix/pix-ai-coding-assistant dashboard@v1.2.2
gh skill is in preview and subject to change. See GitHub CLI documentation for the full reference.
Prerequisites
Before running the install command:
- Node.js — Required to run npx. Install from nodejs.org if not already available.
- Vulnetix CLI — Install and authenticate following the prerequisites guide.
- jq — Required by plugin hooks for JSON processing. See prerequisites for install instructions.
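A preflight check for the prerequisites above, as an added example that is not part of the Vulnetix plugin. The function names and the file name preflight.sh are hypothetical; the tool names and the v2.90.0 minimum for gh skill come from this page.

```shell
#!/bin/sh
# Added example: preflight check for the prerequisites listed on this page.
# It does not verify that the Vulnetix CLI is authenticated
# (run `vulnetix auth login` for that).
MIN_GH=2.90.0   # minimum GitHub CLI version for `gh skill`, per this page

# version_ge A B: succeed when dotted version A >= B, field by field as numbers
# (a plain string comparison would rank 2.100.0 below 2.90.0).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# gh_version_from LINE: pull X.Y.Z out of the first line of `gh --version`
gh_version_from() {
    printf '%s\n' "$1" | sed -n 's/^gh version \([0-9][0-9.]*\).*/\1/p'
}

# preflight: report each prerequisite; non-zero status if a required tool is missing
preflight() {
    missing=0
    for tool in npx vulnetix jq; do
        if command -v "$tool" >/dev/null 2>&1; then
            echo "ok       $tool"
        else
            echo "MISSING  $tool"; missing=1
        fi
    done
    # gh is only needed for the optional `gh skill` install path
    if command -v gh >/dev/null 2>&1; then
        v=$(gh_version_from "$(gh --version | head -n 1)")
        if version_ge "${v:-0}" "$MIN_GH"; then
            echo "ok       gh $v (gh skill available)"
        else
            echo "note     gh ${v:-unknown} is older than $MIN_GH; use npx skills add"
        fi
    else
        echo "note     gh not found; use npx skills add"
    fi
    return "$missing"
}

# Run as `sh preflight.sh --check`; without the flag only the functions are defined.
if [ "${1:-}" = "--check" ]; then preflight; exit $?; fi
```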
What Gets Installed
The plugin registers the following into .copilot/skills:
| Component | Count | Details |
|---|---|---|
| Hooks | 6 | Pre-commit scan, manifest edit gate, post-install scan, session dashboard, stop reminder, vuln context inject |
| Skills | 6 | package-search, exploits, fix, vuln, exploits-search, remediation |
| Commands | 4 | vdb-vuln, vdb-vulns, vdb-exploits-search, vdb-remediation |
| Agents | 1 | bulk-triage — parallel vulnerability triage and prioritization |
Native Hooks
GitHub Copilot CLI supports hooks natively. The plugin ships hooks.copilot.json pre-configured for Copilot’s hook system. After install, hooks are registered automatically — no manual configuration needed.
The following events are wired up:
| Hook | Event | Matcher | Timeout |
|---|---|---|---|
| Pre-Commit Scan | preToolUse | Bash | 30s |
| Manifest Edit Gate | preToolUse | Edit\|Write | 30s |
| Post-Install Scan | postToolUse | Bash | 120s |
| Session Summary | sessionStart | – | 10s |
| Stop Reminder | agentStop | – | 10s |
| Context Inject | userPromptSubmitted | – | 15s |
See Hooks documentation for details on each hook.
Verify Installation
Run the dashboard skill to confirm everything is working:
/vulnetix:dashboard
You should see a vulnerability summary table for your project’s dependencies. If you get an authentication error, re-run vulnetix auth login.
Upgrade
Re-run the install command to pull the latest version:
npx skills add Vulnetix/pix-ai-coding-assistant
This overwrites existing files with the latest version. Your .vulnetix/memory.yaml and cached data are not affected.
If you installed individual skills via gh skill, update all at once:
gh skill update
Uninstall
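Remove the plugin skills. This deletes the entire .copilot/skills directory, including any skills installed there from other sources: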
rm -rf .copilot/skills
To also remove cached vulnerability data and memory:
rm -rf .vulnetix/