Module 6 — Privacy, Content Exclusions, and Safeguards
Exam tactic. Privacy and safeguards matter most in Enterprise environments. Exam questions usually ask at which level (user, org) a setting is controlled and what it affects.
L01 — Privacy settings and content exclusions
Why privacy matters
GitHub Copilot sends code context to GitHub services on Microsoft Azure. Without proper settings, sensitive material — passwords, API keys, customer data — can end up in Copilot's context.
Content Exclusions levels
| Level | Configured in | Who can set it |
|---|---|---|
| Organization | GitHub.com → Org Settings → Copilot | Org admin |
| Repository | GitHub.com → Repo Settings → Copilot → Content exclusion | Repo admin |
| User | IDE settings | Individual user (limited) |
Key exam point. Org-level exclusions take precedence — users cannot override them.
Configuring org-level exclusions
- GitHub.com → Organization → Settings → GitHub Copilot → Content exclusion.
- Add file paths or glob patterns (**/*.env, config/secrets/**).
- Changes can take up to 30 minutes to take effect (reload the IDE).
Repo-level exclusions
Configured at Repository → Settings → Copilot → Content exclusion. One path per line:
- "**/.env"
- "**/secrets/**"
- "**/*password*"
- "config/production.yml"
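A pre-check for a pattern list like the one above, added here as an example (it is not GitHub's matcher or code from the course): it reports which sensitive paths no pattern covers. The sample paths, the function names, and the matching rules (`**/` spans zero or more directories, `*` stays inside one path segment, matching is case-insensitive and must cover the whole path) are assumptions; confirm real behavior in the IDE after the exclusion has propagated.

```python
import re

# Patterns copied from the repo-level list above.
EXCLUSIONS = ["**/.env", "**/secrets/**", "**/*password*", "config/production.yml"]

# Constructed sample: repository-relative paths a team considers sensitive.
SENSITIVE_PATHS = [
    ".env",
    "services/api/.env",
    "services/api/.env.local",
    "config/secrets/db.json",
    "docs/Passwords.txt",
    "config/production.yml",
    "deploy/id_rsa",
]


def glob_to_regex(pattern):
    """Translate a glob into a compiled regex under the assumed semantics."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):   # zero or more whole directories
            out.append("(?:[^/]+/)*")
            i += 3
        elif pattern.startswith("**", i):  # anything, including '/'
            out.append(".*")
            i += 2
        elif pattern[i] == "*":            # anything within one path segment
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out), re.IGNORECASE)


def first_match(path, patterns=EXCLUSIONS):
    """Return the first pattern that covers the whole path, or None."""
    for pattern in patterns:
        if glob_to_regex(pattern).fullmatch(path):
            return pattern
    return None


def uncovered(paths, patterns=EXCLUSIONS):
    """Sensitive paths that no exclusion pattern covers."""
    return [p for p in paths if first_match(p, patterns) is None]


if __name__ == "__main__":
    for path in SENSITIVE_PATHS:
        print(f"{path:28} {first_match(path) or 'NOT COVERED'}")
```

On the sample, `services/api/.env.local` and `deploy/id_rsa` come back uncovered: `**/.env` only matches files named exactly `.env`, and no pattern in the list addresses key files.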
IDE-level settings
{
  "github.copilot.enable": {
    "*": true,
    "yaml": false,
    "plaintext": false,
    "markdown": false
  }
}
This disables Copilot in YAML, plaintext, and Markdown — useful for files that often hold sensitive data. Org-level settings still take precedence.
Output ownership and limits
- Copilot's terms: the user/organization owns the generated code; GitHub does not claim copyright over Copilot output.
- Copilot can produce code that resembles open source — Duplication Detection helps surface those cases.
- GitHub does not guarantee correctness or security of generated code; the developer is responsible for what ships.
L02 — Safeguards and troubleshooting
Duplication Detection
Duplication Detection checks whether a Copilot suggestion resembles known public code (e.g. open source on GitHub). Settings:
- Block — suggestions matching public code are not shown at all (highest protection).
- Allow with warning — shown with a warning and a reference to the source (balanced default for most orgs).
- Allow — all suggestions shown (default, lowest protection).
Configured at GitHub.com → Settings → GitHub Copilot → Suggestions matching public code (per user) or Org Settings → Copilot (per org).
Security warnings
Copilot can warn inline in the IDE about hard-coded secrets, SQL injection patterns, missing input validation, insecure HTTP, and weak/deprecated cryptography. Active automatically when Copilot is enabled (Business/Enterprise). These warnings are not exhaustive — pair with SAST tools.
Troubleshooting checklist
Copilot gives no suggestions:
- Is the extension installed and up to date?
- Does the user have an active subscription?
- Is the file type excluded (org or user setting)?
- Is the file excluded by Content Exclusions (org or repo)?
- Is Copilot temporarily disabled in the IDE status bar?
Copilot still suggests in an excluded file:
- Is the path/pattern correct?
- Have the changes propagated yet (up to 30 minutes)? Reload the IDE.
- Is this an org-level or repo-level exclusion?
- Run "Reload Window".
Duplication Detection not triggering:
- Is it set to Block or Allow with warning?
- Is the user on Business/Enterprise? (limited on Free)
- Is GitHub authentication still valid?
Org policies don't appear in the IDE:
- Is the IDE signed in to the right GitHub account?
- Is the user actually a member of the org?
- Have the changes propagated? Restart the IDE.
L03 — Course wrap-up
Whole-course summary
- M01 — Responsible AI (15–20%): generative AI can hallucinate; six principles; developer accountability.
- M02 — Copilot Features (25–30%): IDE, CLI, Agent / Plan / Ask, MCP, Code Review, cloud agent, memory, org governance.
- M03 — Data and Architecture (10–15%): data flow IDE → tokenization → prompt → LLM → filtering → IDE; Business/Enterprise = no training.
- M04 — Prompt Engineering (10–15%): Role + Task + Context + Format; zero-shot, few-shot, chain-of-thought, role prompting.
- M05 — Developer Productivity (10–15%): repetitive structures, boilerplate, docs, tests, edge cases, security warnings.
- M06 — Privacy & Safeguards (10–15%): exclusions org > repo > user; Duplication Detection Block / Allow-with-warning / Allow; security warnings.
Exam preparation checklist
- Read all six modules.
- Practice with the official exam sandbox: aka.ms/GHExamDemo-enu.
- Review the exam-ready checklist of every module the day before.
- Schedule the exam: examregistration.github.com.
Pass score: 700/1000. Duration: 45–75 minutes. Validity: one year. Most weight is in M02 (~25–30%), then M01 (~15–20%), then the rest (10–15% each). Read questions carefully — many ask for the "BEST" or "MOST APPROPRIATE" answer.
Next steps after the certification
Passing GH-300 validates your knowledge. Using Copilot well in production is a methodology question. AI Architect Mastery teaches the AI Driven Development Methodology — also known as structured Vibe Coding — a structured PRD → PLAN → TASK → IMPLEMENTATION workflow that turns ad hoc Copilot use into repeatable, production-quality work.
