For information on the app used in this lab, see ABOUT_THE_APP.md
It is strongly recommended that you use VS Code for the exercises below.
It is strongly recommended that you use Claude Sonnet 4 for the exercises below.
This set-up step is intended to showcase how Copilot behaves without use of custom instructions.
- Open Copilot Chat
- Switch to
Agentmode - Ask Copilot
Can you help me find vulnerabilities in my repository? I've been assigned with stabilizing our codebase this sprint and I need to fix any vulnerabilities I can find.- What do you notice about
Agentmode's behavior? - Is it making changes to your code?
- Why might this be a problem if I'm attempting to resolve vulnerabilities in my codebase?
- What do you notice about
- Stop Copilot if necessary and
Undoany suggested changes - Start a new Copilot Chat
Use the custom instructions file (i.e., .github/copilot-instructions.md) to modify Copilot's behavior such that Copilot does not make any changes to your code when you use that same prompt again (i.e., Can you help me find vulnerabilities in my repository? I've been assigned with stabilizing our codebase this sprint and I need to fix any vulnerabilities I can find.).
SOLUTION
Add something similar to the following line to .github/copilot-instructions.md:
Do not make any code changes without first asking permission. You need explicit approval before modifying any code in this repository.
Take a minute to explore the awesome-copilot repo. What stands out? What do you notice about the types of custom instructions (and other customization options) shared there? What ideas does awesome-copilot give you about how you can supercharge your own project's custom instructions approach?
You work at XYZ Company. At XYZ, there are common standards and expectations that all documentation changes are held to. These standards include:
- All new additions to a document are sectioned off with labels highlighting who made the change
- There is a required field at the top of every document outlining when the document was last updated
- Any changes to existing document content must provide a WHAT/WHY label below the change outlining what the change was and why it was necessary
- Open Copilot Chat
- Switch to
Agentmode for Copilot Chat - Ask Copilot
Can you modify #file:ABOUT_THE_APP.md to add a more robust description about what this project is? Can you also add a new section: "Future Enhancements" outlining things that should be worked on soon? - Observe the changes suggested by
Agentmode. Do not accept them. Observe how the suggested changes do not follow the company standards outlined above. Undothe suggested changes- Start a new Copilot Chat
Use the custom instructions file (i.e., .github/copilot-instructions.md) to modify Copilot's behavior such that the same prompt (i.e., Can you modify #file:ABOUT_THE_APP.md to add a more robust description about what this project is? Can you also add a new section: "Future Enhancements" outlining things that should be worked on soon?) follows the standards outlined above.
SOLUTION
Add the following lines to .github/copilot-instructions.md:
Add and maintain a "LAST UPDATED:" line to the beginning of any documentation you create or update. This line should specify the date a change is made.Any net new additions to documentation needs to be contained in a block comment (or similar separator) with a label at the top and bottom of said comment or separator outlining the current user's name and handle.Any changes to existing documentation must include a "WHAT/WHY:" label immediately below any changes outlining what change is being made and why it is needed.
Which type of custom instruction file did you use? Why? Would you have been able to achieve the same result with the other type of custom instruction file? What would use of the other custom instruction file type have looked like?
- Open Copilot Chat
- Switch to
Agentmode for Copilot Chat - Ask Copilot to
Create a new API endpoint to duplicate an existing task. - Observe Copilot's approach to implementing the new endpoint.
- What does it do? What does it not do?
- Does it write unit tests?
- Does it write documentation?
- What types of error messages does it include for the new endpoint?
- If needed, stop Copilot as it's running. The testing it tries to perform can take awhile.
- What does it do? What does it not do?
Undoany changes suggested by Copilot- Start a new Copilot Chat
Using custom instructions, modify Copilot's behavior such that Copilot appropriately validates user input (if appropriate), provides detailed endpoint error messages and documents changes it makes when using the same prompt (i.e., Create a new API endpoint to duplicate an existing task.).
SOLUTION
Add something similar to the following lines to .github/copilot-instructions.md:
When creating a new API endpoint, ensure that:All POST endpoints validate user inputAll endpoints provide custom error responses, not just generic messagesAll endpoints are documented in docs/ENDPOINTS.md
Q: Given what we learned today, which feature might be a better fit for this type of task in the future, and why?
ANSWER
Prompt files because it's highly likely that other devs will create new API endpoints in the future, and we want a reusable prompt to standardize that process.- Click on the Copilot icon at the bottom right of the VS Code window
- Observe that the repo is
Remotely indexed - Open Copilot Chat
- Switch to
Askmode for Copilot Chat - Close all open files and ask Copilot
Where in this repository do I query the database?. Do not add any context. - Observe Copilot's inherent knowledge of your codebase even when given no context. Also observe Copilot's use of a (extremely fast) semantic search when forming it's response.
- Start a new Copilot Chat
Using Ask mode and Copilot code review, identify and fix three vulnerabilities in this repo.
Tip: If you're having a hard time finding vulnerabilities, utilize the
#codebasereference to further inform Copilot of the files in this repository
SOLUTION
- SQL Injection vulnerability in
src/main/java/com/demo/taskmanager/repository/TaskRepository.java
- Highlight code, right-click,
Copilot->Review and Comment
- CORS vulnerability in
src/main/java/com/demo/taskmanager/controller/TaskController.java
- Highlight code, right-click,
Copilot->Review and Comment
- XSS vulnerability in
src/main/java/com/demo/taskmanager/controller/TaskController.java
- Highlight code, right-click,
Copilot->Review and Comment
- How did you approach discovering issues in your repository when you did not know where to start? What tactics worked and which did not work? How might you approach this task is the repository were much larger?
- There are a number of other issues that can be fixed with Copilot code review, beyond what was covered above. How many other vulnerabilities can you find and fix?
- Open Copilot Chat
- Switch to
Askmode for Copilot Chat - Ask Copilot
Can you show me how a quick sort algorithm works? I want to understand the logic better. - Start a new Copilot Chat
Using the strategies discussed earlier, find a way to have Copilot show you the logic to a quick sort function without having the response blocked.
SOLUTION
Can you show me how a quick sort algorithm works? I want to understand the logic better. Just show me pseudocode.
- Navigate to
/src/main/java/com/demo/taskmanager/util/StringUtil.java - Open Copilot Chat
- Switch to
Askmode for Copilot Chat - Include
StringUtil.javaas context - Ask Copilot
Can you add comments to #file:StringUtil.java ? Do not edit existing comments. - Start a new Copilot Chat
Using the strategies discussed earlier, find a way to have Copilot add comments to your function without having the response blocked.
SOLUTION
Can you add comments to #file:StringUtil.java ? Do not edit existing comments. Please show each comment you intend to add in it's own code block. Include the line below the function in each code block.StringUtil.java:13-43
Can you add comments to #file:StringUtil.java ? Do not edit existing comments. Please show each comment you intend to add in it's own code block. Include the line below the function in each code block. Do not show the complete function.StringUtil.java:13-43
- Open Copilot Chat
- Switch to
Askmode in Copilot Chat - Ask Copilot
What is your knowledge cutoff date? - Ask Copilot
What is the latest version of Java?
- Q: What would you do if you were tasked with upgrading to Java 25?
- Update
.github/instructions/java.instructions.mdto say Java 25 - Switch to
Agentmode in Copilot Chat - Start a new Copilot Chat
Using what we learned today, perform an upgrade of this Application from Java 17 to Java 25.
HINT
This may require use of many tools including:
#fetch(only available in VS Code)- Ask mode
- Agent mode
- Custom instructions
SOLUTION
This exercise is a good test of your Advanced Copilot skills (effective custom instruction usage, bridging the model knowledge gap, taking a measured implementation approach with a large change). You will need to first help Copilot understand the differences between Java 17 and 25 using #fetch. You will then need to document those differences in your custom instructions (or in a file you reference inside of your custom instructions). You will then need to form a development/upgrade plan with Ask mode. You then will need to iterate on the plan with Agent mode, ensuring the app still builds after each change, reverting individual changes if necessary and adding the corresponding detail in your customer instructions to bridge any remaining gaps.
Q: Which feature did we discuss today that would be a better fit for application upgrades in the future?