Module 6 — Privacy, Content Exclusions, and Safeguards
Exam tactic. Privacy and safeguards matter most in Enterprise environments. Exam questions usually ask at which level (user, org) a setting is controlled and what it affects.
Privacy settings and content exclusions
Why privacy matters
GitHub Copilot sends code context to GitHub services on Microsoft Azure. Without proper settings, sensitive material — passwords, API keys, customer data — can end up in Copilot's context.
Content Exclusions levels
| Level | Configured in | Who can set it |
|---|---|---|
| Organization | GitHub.com → Org Settings → Copilot | Org admin |
| Repository | GitHub.com → Repo Settings → Copilot → Content exclusion | Repo admin |
| User | IDE settings | Individual user (limited) |
Key exam point. Org-level exclusions take precedence — users cannot override them.
Configuring org-level exclusions
- GitHub.com → Organization → Settings → GitHub Copilot → Content exclusion.
- Add file paths or glob patterns ("**/*.env", "config/secrets/**").
- Changes can take up to 30 minutes to take effect (reload the IDE).
Repo-level exclusions
Configured at Repository → Settings → Copilot → Content exclusion. One path per line:
- "**/.env"
- "**/secrets/**"
- "**/*password*"
- "config/production.yml"
IDE-level settings
{
  "github.copilot.enable": {
    "*": true,
    "yaml": false,
    "plaintext": false,
    "markdown": false
  }
}
This disables Copilot in YAML, plaintext, and Markdown — useful for files that often hold sensitive data. Org-level settings still take precedence.
Output ownership and limits
- Copilot's terms: the user/organization owns the generated code; GitHub does not claim copyright over Copilot output.
- Copilot can produce code that resembles open source — Duplication Detection helps surface those cases.
- GitHub does not guarantee correctness or security of generated code; the developer is responsible for what ships.
Safeguards and troubleshooting
Duplication Detection
Duplication Detection checks whether a Copilot suggestion resembles known public code (e.g. open source on GitHub). Settings:
- Block — suggestions matching public code are not shown at all (highest protection).
- Allow with warning — shown with a warning and a reference to the source (balanced default for most orgs).
- Allow — all suggestions shown (default, lowest protection).
Configured at GitHub.com → Settings → GitHub Copilot → Suggestions matching public code (per user) or Org Settings → Copilot (per org).
Security warnings
Copilot can warn inline in the IDE about hard-coded secrets, SQL injection patterns, missing input validation, insecure HTTP, and weak/deprecated cryptography. These warnings are active automatically when Copilot is enabled (Business/Enterprise). They are not exhaustive, so pair them with SAST tools.
Troubleshooting checklist
Copilot gives no suggestions:
- Is the extension installed and up to date?
- Does the user have an active subscription?
- Is the file type excluded (org or user setting)?
- Is the file excluded by Content Exclusions (org or repo)?
- Is Copilot temporarily disabled in the IDE status bar?
Copilot still suggests in an excluded file:
- Is the path/pattern correct?
- Have the changes propagated yet (up to 30 minutes)? Reload the IDE.
- Is this an org-level or repo-level exclusion?
- Run "Reload Window".
Duplication Detection not triggering:
- Is it set to Block or Allow with warning?
- Is the user on Business/Enterprise? (limited on Free)
- Is GitHub authentication still valid?
Org policies don't appear in the IDE:
- Is the IDE signed in to the right GitHub account?
- Is the user actually a member of the org?
- Have the changes propagated? Restart the IDE.
Course wrap-up
Whole-course summary
- M01 — Responsible AI (15–20%): generative AI can hallucinate; six principles; developer accountability.
- M02 — Copilot Features (25–30%): IDE, CLI, Agent / Plan / Ask, MCP, Code Review, cloud agent, memory, org governance.
- M03 — Data and Architecture (10–15%): data flow IDE → tokenization → prompt → LLM → filtering → IDE; Business/Enterprise = no training.
- M04 — Prompt Engineering (10–15%): Role + Task + Context + Format; zero-shot, few-shot, chain-of-thought, role prompting.
- M05 — Developer Productivity (10–15%): repetitive structures, boilerplate, docs, tests, edge cases, security warnings.
- M06 — Privacy & Safeguards (10–15%): exclusions org > repo > user; Duplication Detection Block / Allow-with-warning / Allow; security warnings.
Exam preparation checklist
- Read all six modules.
- Practice with the official exam sandbox: aka.ms/GHExamDemo-enu.
- Review the exam-ready checklist of every module the day before.
- Schedule the exam: examregistration.github.com.
Pass score: 700/1000. Duration: 45–75 minutes. Validity: one year. Most weight is in M02 (~25–30%), then M01 (~15–20%), then the rest (10–15% each). Read questions carefully — many ask for the "BEST" or "MOST APPROPRIATE" answer.
Next steps after the certification
Passing GH-300 validates your knowledge. Using Copilot well in production is a methodology question. AI Architect Mastery teaches the AI Driven Development Methodology — also known as structured Vibe Coding — a structured PRD → PLAN → TASK → IMPLEMENTATION workflow that turns ad hoc Copilot use into repeatable, production-quality work.
Official source documents
- Configuring content exclusions for GitHub Copilot
- Managing Copilot policies in your organization
- GitHub Copilot Trust Center
- GH-300 Study Guide
