sensitive content exclusion not honored (option?) #301

Open
nimaai opened this issue May 3, 2024 · 10 comments
Labels
enhancement New feature or request question Further information is requested

Comments

@nimaai

nimaai commented May 3, 2024

We have set up content exclusion using pattern matching in the Copilot subscription of our organisation for some repos, as we have some sensitive files there. It seems that this plugin is not honoring that; if I select content from a sensitive file and do :CopilotChat then the content of such a file is being analysed.

As far as I understand, copilot plugins themselves need to do something on their part for this matter. I have tried with the official: https://github.com/github/copilot.vim. Code-completion does not work in an excluded file and there is a message:

Error: Your organization 'zhdk' has disabled Copilot for this file

https://docs.github.com/en/copilot/managing-github-copilot-in-your-organization/configuring-content-exclusions-for-github-copilot

Am I perhaps missing some config option for this plugin?

@jellydn jellydn added the enhancement New feature or request label May 3, 2024
@jellydn
Contributor

jellydn commented May 3, 2024

subscription of our organisation

Let's see if @gptlang or @deathbeam have tried this option. This is the 1st time I've heard about this setting.

Probably we need to have an option to exclude buffer by filename or repository.

@nimaai
Author

nimaai commented May 3, 2024

may be of interest: zbirenbaum/copilot.lua#74

@gptlang
Member

gptlang commented May 4, 2024

Excluding content from GitHub Copilot currently only affects code completion. GitHub Copilot Chat is not affected by these settings.

@gptlang
Member

gptlang commented May 4, 2024

This feature is available for organization accounts with a Copilot Business subscription.

It's a bit difficult for me to test. Could you try to MITM the copilot completion connection and see if the exclusions are included in the API response?

@deathbeam
Collaborator

After you configure content exclusion, the client (for example, the Copilot extension for VS Code) sends the current repository URL to the GitHub server so that the server can return the correct policy to the client. URLs sent to the server in this way are not logged anywhere.

It looks like we would need to do this step and then act on the content policy on the client side, I would guess? I noticed that vscode sends the call to GitHub to get some repo info fairly often. Probs wouldn't be so hard if someone can check the response for this content policy in e.g. vscode.

@deathbeam
Collaborator

deathbeam commented May 5, 2024

Found the url at least:

this.contentRestrictionsUrl=Cc.Utils.joinPath(s,"/copilot_internal/content_exclusion"

From https://raw.githubusercontent.com/github/copilot.vim/release/dist/agent.js

But setting up mitm proxy and checking would be way easier so we can see request/response. But I don't have a business subscription either.

Also it's pretty sad that we have to do this. Why is the API undocumented? It's not like they are gaining anything from it being undocumented.

@jellydn jellydn added the question Further information is requested label May 12, 2024
@nimaai
Author

nimaai commented May 27, 2024

Can someone give me exact steps to reproduce to get at the information you need? vscode, etc. Because I have a Copilot Business subscription.

@gptlang
Member

gptlang commented May 27, 2024

Just run mitmproxy and look for any requests to the URL: https://github.com/copilot_internal/content_exclusion (it might be a different domain depending on your enterprise configuration). We just need the general shape of the request/responses
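One way to capture only the "general shape" asked for above, as an added example that is not part of the thread or of the plugin: a mitmproxy script that matches the path fragment quoted in this issue and prints a structure-only summary, so header values and body contents stay out of anything pasted back here. The function names are hypothetical, and the body is not assumed to be JSON since the endpoint is undocumented.

```python
"""mitmproxy script (load with: mitmproxy -s <this file>); added example, not plugin code."""
import json

# Path fragment quoted in the thread; the host can differ per enterprise setup.
TARGET_PATH = "/copilot_internal/content_exclusion"


def shape(value):
    """Replace each leaf with its type name; keys are kept, so review them before sharing."""
    if isinstance(value, dict):
        return {key: shape(item) for key, item in value.items()}
    if isinstance(value, list):
        # The first element stands in for the whole list.
        return [shape(value[0])] if value else []
    return type(value).__name__


def body_shape(text):
    """Shape of a JSON body, or a size-only marker when the body is not JSON."""
    try:
        return shape(json.loads(text))
    except (TypeError, ValueError):
        return f"<non-JSON, {len(text or '')} chars>"


def summarize(flow):
    """Return a summary for flows that hit TARGET_PATH, otherwise None."""
    req, resp = flow.request, flow.response
    if TARGET_PATH not in req.path:
        return None
    return {
        "method": req.method,
        "host": req.pretty_host,
        "path": req.path.split("?")[0],
        "query_keys": sorted(set(req.query.keys())),
        # Header names only: the values can carry credentials.
        "request_header_names": sorted({name.lower() for name in req.headers.keys()}),
        "request_body": body_shape(req.get_text(strict=False)),
        "status": resp.status_code,
        "response_body": body_shape(resp.get_text(strict=False)),
    }


def response(flow):
    """mitmproxy event hook, called once per completed HTTP response."""
    summary = summarize(flow)
    if summary is not None:
        print(json.dumps(summary, indent=2))
```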

@nimaai
Author

nimaai commented May 27, 2024

I couldn't find anything using mitmproxy with vscode.

@gptlang
Member

gptlang commented May 28, 2024

It could be that it's cached for existing repositories rather than fetching it every time. Could you try it with a new repo?
