Skip to main content
Browse docs
By Audience
Getting Started
Configuration
Use Cases
IDE Integration
Third-Party Integrations
AI Coding Agents
Claude CodeGithub Copilot WorkspaceAmazon Q DeveloperGemini Code AssistTabnineCodeiumAiderOpenhandsSwe AgentCodex CLI
Agent Frameworks
AI Chat & Productivity
DevOps & Vector Databases
Enterprise & MLOps
Engineering Cache
Console
API Reference
Gateway
Workflow Guides
Templates
Providers and SDKs
Industry Guides
Advanced Guides
Browse by Role
Deployment Guides
In-Depth Guides
Tutorials
CLI Reference
Policy Reference
FAQ

GitHub Copilot Workspace with Keeptrusts Gateway

GitHub Copilot Workspace is a cloud-based AI development environment that plans, implements, and validates code changes from a natural language task description. Because Copilot Workspace generates multi-file diffs, opens pull requests, and runs tests autonomously, every LLM interaction behind it benefits from governance. Routing Copilot Workspace traffic through the Keeptrusts gateway gives you policy enforcement on AI-generated code, an audit trail of every AI interaction, secret and PII redaction before content reaches the model, and organization-wide cost visibility.

Use this page when

  • You want to route GitHub Copilot or Copilot Workspace traffic through Keeptrusts for policy enforcement.
  • You need audit visibility into AI-assisted code generation across your development team.
  • You want to enforce code sanitation and secret detection on Copilot completions.
  • You need centralized cost tracking for Copilot-related AI usage.

Primary audience

  • Primary: Technical Engineers
  • Secondary: AI Agents, Technical Leaders

Prerequisites

  • Keeptrusts CLI installed — see Quickstart or Install the Gateway.
  • GitHub Copilot subscription — individual or business plan with Copilot Workspace access.
  • VS Code with the GitHub Copilot extension installed.
  • OpenAI-compatible API key — the gateway needs credentials for the upstream provider that Copilot routes through.
  • Gateway running — the Keeptrusts gateway must be started before configuring the proxy.

Configuration

Create a policy-config.yaml for Copilot traffic:

pack:
  name: copilot-workspace-gateway
  version: 1.0.0
  enabled: true

policies:
  chain:
    - pii-detector
    - code-sanitation
    - prompt-injection
    - audit-logger

providers:
  strategy: single
  targets:
    - id: openai-copilot
      provider: openai
      model: gpt-4o
      secret_key_ref:
        env: OPENAI_API_KEY

Setup steps

  1. Export your provider API key:
export OPENAI_API_KEY="sk-your-key-here"
  1. Start the Keeptrusts gateway:
kt gateway run --policy-config policy-config.yaml

The gateway listens on http://localhost:41002 by default.

  1. Configure VS Code to proxy Copilot through the gateway. Open VS Code settings (settings.json) and add the HTTP proxy configuration:
{
  "http.proxy": "http://localhost:41002",
  "http.proxyStrictSSL": false,
  "github.copilot.advanced": {
    "debug.overrideProxyUrl": "http://localhost:41002/v1"
  }
}

  1. Restart VS Code to apply the proxy settings. Copilot requests now flow through the Keeptrusts gateway.

  2. For team-wide deployment, distribute the VS Code settings through your organization's settings sync or a shared .vscode/settings.json in your repositories:

{
  "github.copilot.advanced": {
    "debug.overrideProxyUrl": "http://localhost:41002/v1"
  }
}

For hosted gateways, point to the hosted endpoint:

{
  "github.copilot.advanced": {
    "debug.overrideProxyUrl": "https://gateway.keeptrusts.com/v1"
  }
}

Verification

Confirm traffic is flowing through the gateway:

  1. Check the gateway logs while using Copilot in VS Code:
kt gateway run --policy-config policy-config.yaml --log-level debug
  1. Tail events from the control plane:
kt events tail --follow

  1. Trigger a Copilot completion by typing code in VS Code and verify the event appears in the Keeptrusts console under Events.

  2. Check the audit log in the console for entries tagged with the Copilot traffic source.

PolicyWhy it matters for Copilot Workspace
pii-detectorPrevents personal data in code context from reaching the model
code-sanitationCatches hardcoded secrets, credentials, and tokens in code
prompt-injectionDetects injection patterns in file contents sent as context
audit-loggerRecords every Copilot interaction for compliance and review
quality-scorerScores AI-generated code suggestions for quality thresholds
dlp-filterBlocks sensitive data patterns from leaving the organization

Troubleshooting

Copilot completions stop working after configuring the proxy. Verify the gateway is running with curl http://localhost:41002/v1/models. If you get a connection error, the gateway is not running. Check that http.proxyStrictSSL is set to false for local development.

VS Code shows "Copilot is unable to connect" errors. Ensure the proxy URL includes the /v1 path suffix. Check that no other proxy settings (corporate VPN, system-level proxy) conflict with the VS Code configuration.

Policies are not applied to Copilot traffic. Confirm the gateway config has enabled: true and the policy chain is populated. Run kt policy lint --file policy-config.yaml to validate.

Latency is noticeably higher with the gateway. The gateway adds minimal overhead, but network hops matter. For local development, ensure the gateway runs on the same machine. For team deployment, use a co-located hosted gateway.

Events do not appear in the console. Ensure the gateway reports to the control plane. Set KEEPTRUSTS_API_URL and KEEPTRUSTS_GATEWAY_TOKEN before starting the gateway.

For AI systems

  • Canonical terms: Keeptrusts gateway, GitHub Copilot Workspace, VS Code, proxy configuration, policy-config.yaml.
  • Configuration mechanism: set github.copilot.advanced.debug.overrideProxyUrl in VS Code settings to the gateway URL.
  • Provider format: OpenAI-compatible (/v1/chat/completions).
  • Best next pages: VS Code GitHub Copilot, Policy Controls Catalog, Gateway setup for IDEs.

For engineers

  • Configure github.copilot.advanced.debug.overrideProxyUrl in VS Code to point Copilot at http://localhost:41002/v1.
  • Validate with kt events tail --follow while using Copilot to confirm events are captured.
  • Distribute settings via .vscode/settings.json in repositories for team-wide enforcement.
  • Use kt policy lint before starting the gateway to catch config errors.

For leaders

  • GitHub Copilot Workspace generates entire pull requests autonomously. Without governance, these AI-driven changes bypass code review policies and may include sensitive data.
  • Routing through Keeptrusts provides an immutable audit trail of every Copilot interaction, satisfying SOC 2 and ISO 27001 evidence requirements.
  • Centralized cost visibility across the organization shows actual AI usage per team and developer.
  • Policy enforcement ensures Copilot-generated code meets your organization's security and compliance standards before it reaches the developer.

Next steps