VS Code Adds "Co-Authored-by Copilot" to Every Commit

VS Code's Copilot extension silently injects a Co-Authored-by trailer into your commits — even when you wrote every line yourself. Here's exactly how to stop it.

TLDR GitHub Copilot's VS Code extension automatically appends a Co-authored-by: GitHub Copilot trailer to commit messages whenever it's involved in generating them — and sometimes even when it isn't. This affects attribution records, open-source contribution histories, and potentially employer IP policies. You can neutralize it with a git hook, a VS Code settings change, or a global gitconfig rule — each with different trade-offs.

If you've glanced at your git log recently and noticed an unfamiliar line at the bottom of commit messages you wrote entirely yourself, you're not imagining things. GitHub Copilot — or more precisely, the VS Code Copilot extension — has been quietly stamping its name onto commits as a co-author, regardless of whether it touched a single line in that push. This isn't a conspiracy; it's an opt-out-by-default attribution system that most developers never knowingly agreed to. What follows is a precise breakdown of how the injection works, why GitHub built it this way, and — most usefully — exactly which settings, hooks, and configs will make it stop.

VS Code source control panel showing Copilot commit message generation

What the Trailer Actually Looks Like

Before fixing anything, it helps to know exactly what you're dealing with. The injected text is a standard git commit trailer — a key-value pair appended after a blank line at the end of your commit message body. It follows the same format used by git interpret-trailers and tools like Gerrit and GitHub's own merge infrastructure:

feat: add user authentication flow

Implement JWT-based login with refresh token rotation.

Co-authored-by: GitHub Copilot <github-copilot[bot]@users.noreply.github.com>

That last line is what Copilot injects. The email address github-copilot[bot]@users.noreply.github.com is a real GitHub bot account, which means GitHub's contribution graph and commit attribution engine actually registers this as a co-authorship — not a comment, not metadata you can ignore. It's a first-class git object embedded in your commit history permanently once pushed.

Where It Shows Up

GitHub's commit view: The commit will display a "Co-authored by GitHub Copilot" badge alongside your avatar.
git log --format=full: The trailer appears in the full commit body.
git shortlog: Depending on parsing, Copilot may appear as a contributor in project stats.
GitHub's contributor graph: The bot account can register as a contributor on your repository.

Warning Once you've pushed a commit containing this trailer to a shared remote, rewriting history (via git rebase -i or git filter-branch) to remove it is a destructive operation that will force-push and break teammates' local histories. Prevention is significantly easier than remediation.

The Commit Where It's Most Likely to Appear

The injection is most aggressive when you use VS Code's Generate Commit Message feature — the sparkle (✨) icon in the Source Control sidebar. Click it, Copilot drafts a message, and the co-author trailer is bundled in before you even confirm. But reports from developers confirm it also appears in commits where the message was written manually, particularly if Copilot Chat was active in that session and had been used to generate any code in the staged files.

The Mechanism Behind the Injection

GitHub Copilot's VS Code extension integrates with VS Code's Source Control Manager (SCM) API at a low level. When you stage files and open the commit message input box, Copilot registers as a SCM input box provider and can prepopulate or modify that text field — including appending trailers programmatically before you type a single character.

This is not a rogue feature. It's documented behavior tied to GitHub's AI attribution philosophy: if an AI model substantially contributed to a piece of work, GitHub believes that contribution should be recorded. The problem is the execution: "substantially contributed" has been interpreted very broadly by the extension, and the opt-out UX is buried several menus deep rather than being a prominent first-run prompt.

How VS Code's SCM API Enables This

VS Code exposes vscode.scm.inputBox and related APIs that extensions can hook into. The Copilot extension uses this to:

Observe which files are staged and their diffs.
Determine whether Copilot was invoked (or merely active) during editing of those files.
Generate a commit message via the Copilot API.
Inject the message — including the trailer — into the commit input field before submission.

The injection happens client-side in VS Code, not on GitHub's servers, which means server-side rules or branch protections can't catch it before it enters your history.

Info This behavior is distinct from GitHub's server-side Copilot attribution for pull requests. What VS Code's extension does is a client-side text injection into the commit message field — a different code path entirely.

Does It Happen Without Using the Generate Feature?

Yes — and this is the part that frustrates developers most. Users report the trailer appearing even when:

They wrote the commit message manually (not via the sparkle button).
The staged changes were 100% hand-typed.
Copilot Chat was open but not consulted for the current task.

The extension's heuristic for "Copilot was involved" is loose. If Copilot was active during the editing session for any file in the diff — even if you dismissed every suggestion — it may still append the trailer. This is the core of the complaint: it's not attribution for actual AI contribution, it's attribution by proximity.

Why This Matters Beyond Aesthetics

A ghost co-author in your git log might seem like a cosmetic annoyance, but there are real downstream consequences worth understanding before you decide how urgently to act.

Developer reviewing git log in terminal showing co-authored commits

Intellectual Property and Employer Policies

Many employers — particularly in regulated industries like finance, healthcare, and defense contracting — have explicit IP policies about AI-generated code. A Co-authored-by: GitHub Copilot line in a commit to a proprietary codebase is a documented record that AI tooling was involved in that code's creation. Even if Copilot only autocompleted a closing bracket, that trailer creates an audit trail that legal teams may need to address.

If your company hasn't explicitly cleared Copilot use for production code, this trailer is a liability you didn't sign up for.

Open-Source Licensing Implications

The legal status of AI-generated code and its compatibility with copyleft licenses (GPL, AGPL) is still unsettled. Projects with strict contribution policies may reject or demand history rewrites for commits that include Copilot attribution — the FSF and other organizations have published positions on this. If you're maintaining an open-source project with contributors who expect clean provenance, Copilot trailers in your history complicate that.

Contributor Statistics and Hiring Portfolios

GitHub profiles and contribution graphs are increasingly used as informal portfolios — by recruiters, by potential collaborators, by conference program committees. Having a bot listed as a co-author on commits in your public repositories muddies the attribution signal that those graphs are meant to provide. It's a small thing, but it's your history.

Warning If you're a freelancer or consultant whose clients review your git history as part of delivery acceptance, Copilot attribution on client-owned repositories could trigger contract questions you'd rather not have.

Four Ways to Stop It

There's no single canonical fix that works for every workflow. The right approach depends on whether you want a global solution, a per-repository override, or something that preserves Copilot's commit message generation but strips only the trailer.

Option 1 — VS Code Extension Settings

The most direct route is disabling the behavior from within VS Code's settings. Open settings (Ctrl+, or Cmd+,), then search for "copilot commit". You're looking for options under the GitHub Copilot extension related to commit message generation and co-author attribution.

In settings.json, the relevant configuration path looks like this:

{
  "github.copilot.chat.generateCommitMessage.enabled": false
}

Disabling commit message generation entirely stops the injection at the source — Copilot won't populate the commit input field at all, so there's no opportunity to append the trailer. If you still want AI-assisted commit messages but without the attribution line, some versions of the extension expose a separate toggle for the co-author trailer specifically. Navigate to Extensions > GitHub Copilot > Settings in the VS Code sidebar to check what's available in your installed version, as the exact setting names have shifted across Copilot extension releases.

Tip VS Code's settings UI will show you the current extension version alongside its settings. If you're on an older Copilot build, updating the extension may give you finer-grained controls over attribution behavior — Microsoft has responded to community feedback on this.

Option 2 — Git Hook (Most Reliable)

A prepare-commit-msg hook runs automatically before the commit message editor opens, and it can surgically remove the Copilot trailer regardless of how it got there. This approach works independently of VS Code, survives extension updates, and applies to any git client you use in the repository.

Create the hook file at .git/hooks/prepare-commit-msg:

#!/bin/sh
# Strip GitHub Copilot co-author trailer from commit messages
sed -i '/^Co-authored-by: GitHub Copilot/Id' "$1"

Then make it executable:

chmod +x .git/hooks/prepare-commit-msg

For a team-wide solution, use a shared hooks directory committed to the repository and configure git to use it:

# In .gitconfig or the repo's local config
git config core.hooksPath .githooks

Then commit your hook in .githooks/prepare-commit-msg with the same content above. Every developer who clones the repo and runs git config core.hooksPath .githooks (or if you automate this in a setup script) will have the stripping behavior applied.

Info The -i flag on sed edits the file in-place. On macOS, BSD sed requires an explicit backup extension: sed -i '' '/^Co-authored-by: GitHub Copilot/Id' "$1". Add a shell conditional if your team uses both Linux and macOS.

Option 3 — Disable Copilot Per Workspace

If your concern is repository-specific (e.g., a client project or an open-source repo with strict provenance rules), you can disable Copilot entirely for that workspace without touching your global setup. In the repository root, create or edit .vscode/settings.json:

{
  "github.copilot.enable": {
    "*": false
  }
}

This disables all Copilot features — completions, chat, and commit message generation — in that workspace only. When you switch to a personal project, Copilot behaves normally. The downside is that you lose all Copilot assistance in that repo, not just the co-author injection.

Option 4 — Global gitconfig Cleanup Rule

If you're seeing the trailer leak into commits from multiple tools and environments (not just VS Code), a global prepare-commit-msg hook in your home directory's git template covers everything:

# Set a global hooks template directory
git config --global init.templateDir ~/.git-templates

# Create the directory and hook
mkdir -p ~/.git-templates/hooks
cat > ~/.git-templates/hooks/prepare-commit-msg << 'EOF'
#!/bin/sh
sed -i '/^Co-authored-by: GitHub Copilot/Id' "$1"
EOF
chmod +x ~/.git-templates/hooks/prepare-commit-msg

Any new repository you initialize or clone after this point will inherit this hook automatically. For existing repositories, run git init in the repo root — it's safe on existing repos and will copy the template hooks without touching your history.

Comparing Your Options

Method	Scope	Removes Trailer	Preserves Completions	Team-Shareable	Survives Extension Updates
VS Code setting (disable gen)	Global or workspace	Yes	No	Via settings.json commit	Yes
`prepare-commit-msg` hook (local)	Per repository	Yes	Yes	Via `.githooks/` pattern	Yes
Workspace disable (`copilot.enable`)	Per repository	Yes	No	Via `.vscode/settings.json`	Yes
Global git template hook	All repos (new + future)	Yes	Yes	No (user-level)	Yes
Disable Copilot extension entirely	Global	Yes	No	N/A	N/A

Best for individuals who want to keep Copilot completions: prepare-commit-msg hook + global template.

Best for teams with shared policies: Committed .githooks/ directory with setup documentation.

Best for sensitive client repos: Workspace-level copilot.enable: false committed to .vscode/settings.json.

Cleaning Up Commits That Already Have It

If you've already pushed commits with the Copilot trailer to a private repository and want to clean the history, the operation requires a forced rewrite. Only do this on branches where you're the sole contributor and you understand the consequences of changing commit SHAs.

# Interactive rebase to edit recent commits
git rebase -i HEAD~10

# For each offending commit, mark it 'reword' then remove the trailer line
# Or use filter-branch for bulk cleaning:
git filter-branch --msg-filter \
  'sed "/^Co-authored-by: GitHub Copilot/Id"' \
  HEAD~20..HEAD

After rewriting, you'll need to force-push:

git push --force-with-lease origin your-branch

Warning --force-with-lease is safer than --force because it will refuse to push if someone else has pushed to the branch since your last fetch. It won't protect public shared branches — coordinate with your team before doing this on anything other than a personal feature branch.

For repositories already pushed to public GitHub where you don't want to rewrite history, the pragmatic answer is: document the situation in your project's CONTRIBUTING file, add a hook going forward, and accept that the old commits are what they are. History rewrites on active public repos cause more problems than they solve.

GitHub repository settings showing branch protection rules

Quick Checklist

Work through these in order based on your situation:

Confirm you're seeing the trailer: Run git log --format=full -5 and check for Co-authored-by: GitHub Copilot at the bottom of any commit body.
Install the prepare-commit-msg hook in the affected repository — this is the lowest-friction, highest-reliability fix.
Check your VS Code Copilot settings: Open settings, search "copilot commit", and disable commit message generation if you don't use the sparkle button.
For sensitive repositories: Add a .vscode/settings.json that disables Copilot for that workspace, and commit it so teammates inherit the setting.
For team environments: Create a .githooks/ directory, add the prepare-commit-msg script, commit it, and add git config core.hooksPath .githooks to your project's setup instructions or Makefile.
Set the global git template if you work across many personal repos and want set-it-and-forget-it coverage.
Audit recent commits on shared branches: Use git log --grep="Co-authored-by: GitHub Copilot" --oneline to find affected commits before deciding whether history cleanup is warranted.
Verify the fix works: Stage a file, let VS Code open the commit dialog, check that the trailer is absent before confirming the commit.

Sources & Further Reading

GitHub Docs — Commit Trailer Attribution — GitHub's official documentation on how co-author trailers work within GitHub's contribution graph and what the Co-authored-by format means for repository statistics and pull request attribution.
VS Code GitHub Copilot Extension Changelog (marketplace.visualstudio.com) — Release notes for the Copilot extension document when commit message generation was introduced and subsequent changes to attribution behavior; search for versions from late 2023 onward.
git-scm.com — githooks Documentation — The authoritative reference for the prepare-commit-msg hook, its invocation context, arguments, and how it interacts with the commit process across different git clients.
Software Freedom Conservancy — Copyleft and AI-Generated Code — The SFC's published analysis of how AI model outputs interact with GPL and AGPL licensing obligations, relevant for open-source maintainers deciding how to handle Copilot attribution in their projects.
GitHub Community Forum — "Copilot adding Co-authored-by without my input" — Ongoing developer discussion threads documenting real-world cases of the injection behavior, user-confirmed workarounds, and GitHub staff responses about the intended design vs. reported edge cases.