Agent Keeper
Enterprise Ready

Govern GitHub Copilot Agent Mode

Copilot agents access your entire codebase, run terminal commands, and call external tools. Agent Keeper gives your security team full visibility and control.

No credit card required · Free tier forever · Works with existing Copilot Business & Enterprise

Copilot agent actions Agent Keeper can block

Terminal commands (runTerminalCommand)
File creation (createFile)
File editing (editFiles)
File deletion (deleteFile)
MCP tool calls
User prompts

Copilot has the strongest enforcement of any IDE — all action types can be blocked

Copilot is your most deployed AI agent

Millions of developers run Copilot agent mode. Most enterprises have zero security visibility into what it does.

Full workspace access

Copilot agents execute terminal commands, create and delete files, call MCP servers, and read your entire codebase — all with no external audit trail.

Zero enterprise visibility

Your developers run Copilot agent mode in VS Code all day. Security teams have no centralized view of what tools are invoked, what files are touched, or where data goes.

Compliance gaps

SOC 2, ISO 27001, and enterprise security policies require audit trails for automated system access. Copilot agent mode produces none of this out of the box.

Complete action enforcement

Every Copilot agent action type is covered. Block, warn, or allow per policy — with full audit logging regardless.

Copilot Agent ActionCan Be Blocked
Terminal commands (runTerminalCommand)Blocked
File creation (createFile)Blocked
File editing (editFiles)Blocked
File deletion (deleteFile)Blocked
MCP tool callsBlocked
User promptsBlocked

How it works

Four steps from zero to full Copilot governance.

1

Install in one command

Run the Agent Keeper installer with the Copilot target. Hooks integrate with VS Code's native agent hook system — no marketplace extension required.

bash <(curl -fsSL https://www.agentkeeper.dev/install-hooks.sh) --ide copilot

Works with Copilot Business and Copilot Enterprise — no additional GitHub setup needed

2

Hooks integrate with VS Code

Agent Keeper registers against VS Code's agent hook system, intercepting every Copilot action before execution. No extension. No proxy. No code changes.

Pre-execution hook

Evaluates tool calls before Copilot runs them

Prompt hook

Scans user input before Copilot processes it

File operation hook

Intercepts create, edit, and delete actions

MCP call hook

Audits every external tool server invocation

3

All tool calls scanned before execution

Behavioral detection patterns tuned for zero false positives on normal development. Dangerous tool calls are stopped before Copilot executes them.

Credential exfiltrationReverse shellsCI/CD tamperingPrompt injectionSecurity control bypassSupply chain attacksSensitive file accessNetwork data exfiltration
4

Dashboard shows activity across all Copilot users

One dashboard for your entire Copilot fleet. Compliance percentage, active developers, blocked actions, and a complete SOC 2 audit trail.

97%

Compliance

84

Developers

32

Actions Blocked

1.2k

Sessions / 24h

Built for enterprise security

Every feature designed to give your security team control without blocking the developers who depend on Copilot.

Prompt Injection Detection

Every Copilot prompt scanned before processing. Catches social engineering, jailbreaks, and embedded instructions in file content or MCP tool responses. All prompts logged to the threat feed.

Strongest Tool Enforcement

Copilot has the most complete hook coverage of any IDE — every action type can be blocked. Terminal commands, file ops, and MCP calls all enforce policy before execution.

SOC 2 Audit Trail

Every tool call logged with timestamps, user identity, and session context. Meets the AI activity audit requirements for SOC 2 Type II and ISO 27001 compliance.

No VS Code Extension Needed

Agent Keeper integrates with VS Code’s native agent hook system. No marketplace extension to manage, approve, or update. Works with your existing Copilot Business or Enterprise setup.

Unified Agent Dashboard

The same dashboard your team uses for Claude Code, Cursor, and Windsurf. One security policy view across all AI coding agents — not one-per-IDE.

Fleet-Wide Policy Enforcement

Push policies to every Copilot developer in your org simultaneously. Version-pinning, tool allowlists, MCP server restrictions, and blocked-command rules — all centrally managed.

What GitHub gives you vs. what you need

Copilot Business and Enterprise are a great start. Agent Keeper fills the security gaps your compliance team cares about.

CapabilityGitHub Copilot+ Agent Keeper
Copilot usage analytics
Content exclusions
IP indemnification controls
Real-time tool call blocking
Prompt injection detection
MCP call audit trail
Terminal command policy
Fleet compliance dashboard
SOC 2 agent audit log
Cross-IDE unified policy

Simple, transparent pricing

Start free — no credit card required. Scale when your team grows.

Free

For individual developers

$0forever
  • 1 workstation
  • Full monitoring
  • All detection patterns
  • 7-day history
Most Popular

Pro

For small teams

$19/mo
  • 3 workstations
  • Custom policies
  • 90-day audit log
  • Tool-level controls
  • Email alerts

Team

For security teams

$29/seat/mo
  • Unlimited workstations
  • Fleet dashboard
  • Compliance reporting
  • MCP call controls
  • RBAC & webhook alerts
  • Priority support

Need enterprise features? Contact us for enterprise pricing

Copilot, governed. One command.

Full audit trail, real-time enforcement, and a unified dashboard across every AI coding agent your team uses.

$ bash <(curl -fsSL https://www.agentkeeper.dev/install-hooks.sh) --ide copilot

Works with existing VS Code Copilot setup — no extension needed

No credit card required · Setup in under a minute