GitHub Copilot does not "steal" your code in the sense of publishing it or handing it to other users verbatim by default, but the honest answer to whether it uses your code depends entirely on which product tier and settings you're on — individual and free-tier usage has historically been eligible for training data collection unless you opt out, while GitHub Copilot Business and Enterprise plans contractually exclude customer code from being used to train Copilot's underlying models. Separately from training data, there's a second, distinct question that trips teams up just as often: even if Copilot never "learned" from your specific repo, can the code it suggests to you carry someone else's license obligations? Both questions matter for anyone shipping code with Copilot's help, and they have different answers. This post walks through both.
Does GitHub Copilot train on your code?
Whether GitHub Copilot trains on your code depends on your plan and your settings, not on a single blanket answer. For individual users on Copilot Free or Copilot Individual, GitHub's documentation has stated that prompts and suggestions may be used to fine-tune Copilot's models unless the user explicitly opts out of that data usage in their Copilot settings — meaning by default, code you write while using Copilot personally can feed back into model training data. GitHub Copilot Business and GitHub Copilot Enterprise are governed by different contractual terms: GitHub has committed that prompts, suggestions, and code snippets processed under these plans are not used to train Copilot's foundation models, which is the specific assurance most engineering organizations need before allowing Copilot on proprietary codebases. If your organization cares about this distinction, the setting to check isn't buried — it's in Copilot's own user or organization-level privacy settings, and it's worth confirming directly rather than assuming your plan's default behavior.
Does GitHub Copilot use your code ownership rights, or does it belong to you?
Code you write yourself, even with Copilot's assistance, remains yours under standard authorship principles, but the code Copilot suggests to you is a separate question with more legal ambiguity. GitHub's position is that suggestions Copilot generates don't carry GitHub's own IP claim, and the terms of service place responsibility on the developer to review and use suggestions appropriately, similar to using any other code snippet from any other source. The genuinely unresolved territory — which was the subject of a real class-action lawsuit filed against GitHub, Microsoft, and OpenAI in 2022 — is whether training a model on billions of lines of public, often permissively-or-restrictively licensed code, and then having it reproduce snippets that resemble that training data, creates a licensing or copyright obligation for the end user who accepts the suggestion. That litigation has worked through the courts with mixed and evolving outcomes, and it hasn't produced a single settled answer that applies cleanly to every situation, which is why "does it belong to you" and "are you clear of licensing risk" are two different questions with two different levels of certainty.
Can Copilot suggest code that carries license obligations from its training data?
Yes — this is the more concrete, practical risk, and it's documented rather than hypothetical: Copilot has been shown, particularly in earlier versions and with permissive settings, to occasionally reproduce longer verbatim or near-verbatim snippets from its training data, including code originally released under licenses (GPL and similar copyleft licenses, for example) that carry attribution or redistribution obligations. GitHub responded to this concern by adding a code-referencing/duplication-detection feature in Copilot for Business and Enterprise that can flag when a suggestion closely matches a public code snippet, along with a filter setting that can block suggestions matching public code above a configurable similarity threshold. This matters because your organization's own license compliance obligations don't disappear just because the copied snippet arrived via an AI suggestion instead of a manual copy-paste from Stack Overflow — if a GPL-licensed function ends up in your proprietary codebase, the same open source license management and legal exposure questions apply either way.
What should engineering teams actually do about Copilot and licensing risk?
Engineering teams should treat AI-suggested code the same way they'd treat any third-party code entering the codebase: scan it, know what's in it, and don't assume a suggestion is license-clean just because an AI generated it. Enable Copilot's public-code-matching filter where it's available, since it directly reduces the odds of verbatim copyleft-licensed snippets landing in your repository unnoticed. Beyond Copilot's own settings, run standard software composition analysis and license scanning across your codebase as a backstop — these tools are format-agnostic about how code entered the repo, so they'll flag a GPL-licensed snippet whether a developer typed it, copy-pasted it, or accepted it from an AI suggestion. Finally, set organizational policy explicitly rather than leaving it to individual developer judgment: decide which Copilot tier your company uses (Business/Enterprise if code confidentiality and training-data exclusion matter to you), whether the duplicate-detection filter is mandatory, and how AI-suggested code gets reviewed before merge.
FAQ
Does GitHub Copilot Business train on my company's code?
No — GitHub's terms for Copilot Business and Enterprise state that customer prompts and code are not used to train Copilot's underlying models, unlike the default setting for some individual/free tiers.
Can I get sued for using code Copilot suggested?
The direct legal exposure to an individual developer is low, but if a suggestion reproduces a licensed snippet (e.g., copyleft-licensed code) and it ends up shipped in your product, your organization can inherit the license's obligations the same way it would from any other unlicensed code copy. A 2022 class action against GitHub, Microsoft, and OpenAI specifically tested this territory in court.
How do I stop Copilot from suggesting code that matches public repositories?
Enable the "suggestions matching public code" filter available in Copilot for Business and Enterprise settings, which blocks or flags suggestions above a similarity threshold to known public code.
Is scanning AI-generated code different from scanning normal code?
Not fundamentally — license scanning and SCA tools evaluate the code itself, not how it entered your repository, so the same scans that catch a manually copy-pasted GPL snippet will catch one introduced via an AI suggestion.
How Safeguard Helps
Safeguard's SCA and license scanning treat AI-suggested code no differently than any other code entering your repository — it evaluates what's actually there, flagging copyleft or otherwise obligation-carrying license matches regardless of whether a human wrote it, copied it, or accepted it from a tool like Copilot. That gives engineering teams a consistent compliance backstop that doesn't depend on remembering to check every AI suggestion by hand.