Copilot Extensions and Marketplace
GitHub Copilot is designed to be extensible. Through Copilot Extensions, it is possible to expand the AI assistant's capabilities with third-party integrations, custom tools, and specialized agents. Extensions allow you to connect Copilot to databases, cloud services, testing platforms, monitoring tools, and much more, transforming it into a centralized hub for the entire development workflow.
In this article we will explore the extensions ecosystem, the available types, how to integrate them into your workflow, and how to build custom extensions for your team's specific needs.
Complete Series Overview
| # | Article | Focus |
|---|---|---|
| 1 | Foundation and Mindset | Setup and mindset |
| 2 | Ideation and Requirements | From idea to MVP |
| 3 | Backend Architecture | API and database |
| 4 | Frontend Structure | Organization and naming |
| 5 | Prompt Engineering | Prompts and MCP Agents |
| 6 | Testing and Quality | Unit, integration, E2E |
| 7 | Documentation | README, API docs, ADR |
| 8 | Deploy and DevOps | Docker, CI/CD |
| 9 | Evolution | Scalability and maintenance |
| 10 | Coding Agent | Autonomous GitHub agent |
| 11 | Code Review | Automated review |
| 12 | Copilot Edits and Agent Mode | Multi-file editing |
| 13 | GitHub Spark | No-code micro-apps |
| 14 | Copilot Spaces and Memory | Shared context |
| 15 | AI Models | Multi-model and selection |
| 16 | Customization | Instructions and configuration |
| 17 | Enterprise and Business | Plans, analytics, policy |
| 18 | You are here → Extensions and Marketplace | Extensions and integrations |
| 19 | Security | Security and compliance |
Copilot Extensions Overview
Copilot Extensions are applications that extend the functionality of GitHub Copilot. They are available on the GitHub Marketplace and can be installed at both individual and organizational levels. Extensions integrate directly with Copilot Chat, allowing developers to interact with external tools without leaving their IDE or browser.
Extensions Architecture
Copilot Extensions are built as GitHub Apps, which ensures cross-platform compatibility and a robust authentication and authorization model. When a user invokes an extension through Copilot Chat, the request is routed through the GitHub infrastructure to the extension's endpoint, which processes the request and returns a response.
Copilot Extension Flow
| Step | Actor | Action | Detail |
|---|---|---|---|
| 1 | User | Invokes extension in chat | @extension-name how can I...? |
| 2 | GitHub | Authenticates the request | Verifies user and app permissions |
| 3 | GitHub | Forwards to endpoint | HTTP POST to the extension server |
| 4 | Extension | Processes the request | Calls external APIs, analyzes data |
| 5 | Extension | Generates response | Text, code, links, actions |
| 6 | GitHub | Returns response | Formatted in the Copilot chat |
Types of Extensions
GitHub distinguishes two main types of extensions, each with different characteristics and implementation complexity.
Full Extensions (Agents)
- Complete applications with server-side logic
- Can call external APIs
- Manage state and sessions
- Support complex multi-step flows
- Require their own hosting infrastructure
- Greater flexibility and power
- Development time: weeks/months
Skillsets (Lightweight)
- Lightweight and task-specific extensions
- Defined through configuration, minimal code
- Focus on a single capability
- Quick to build and deploy
- No complex infrastructure required
- Ideal for simple automations
- Development time: hours/days
Skillsets: Lightweight Extensions
Skillsets are the simplest way to extend Copilot with custom functionality. They are ideal for specific and repetitive tasks that don't require complex logic. A skillset is essentially a tool definition that Copilot can use to respond to specific requests.
Skillset Structure
{
"name": "db-query-helper",
"description": "Helps developers write and optimize SQL queries for PostgreSQL",
"version": "1.0.0",
"skills": [
{
"name": "explain-query",
"description": "Analyze and explain a SQL query step by step",
"parameters": {
"query": {
"type": "string",
"description": "The SQL query to analyze"
},
"database": {
"type": "string",
"description": "Target database type",
"enum": ["postgresql", "mysql", "sqlite"],
"default": "postgresql"
}
}
},
{
"name": "optimize-query",
"description": "Suggest optimizations for a SQL query including index recommendations",
"parameters": {
"query": {
"type": "string",
"description": "The SQL query to optimize"
},
"table_info": {
"type": "string",
"description": "Table schemas and current indexes"
},
"expected_rows": {
"type": "number",
"description": "Expected number of rows in result"
}
}
},
{
"name": "generate-migration",
"description": "Generate a database migration script from a description",
"parameters": {
"description": {
"type": "string",
"description": "Description of schema changes"
},
"format": {
"type": "string",
"description": "Migration format",
"enum": ["flyway", "liquibase", "prisma", "raw-sql"],
"default": "flyway"
}
}
}
]
}Use Cases for Skillsets
Common Skillsets for Development Teams
| Skillset | Function | Trigger | Output |
|---|---|---|---|
| Code Formatter | Formats code according to company standards | @formatter format this code | Formatted code + diff |
| Regex Builder | Generates regex from natural description | @regex validate Italian fiscal code | Regex pattern + test cases |
| API Mock Generator | Generates mock data from OpenAPI schema | @mock generate 10 users | JSON with realistic data |
| Changelog Writer | Generates changelog from commit history | @changelog since v2.1.0 | Formatted Markdown changelog |
| Dependency Checker | Checks for outdated and vulnerable dependencies | @deps check this project | Report with versions and CVEs |
| i18n Helper | Generates translations for missing keys | @i18n translate to Italian | JSON/YAML file with translations |
GitHub Apps Integration
Full Copilot Extensions are built as GitHub Apps. This means they inherit the entire security, authentication, and authorization model of GitHub Apps, ensuring a secure and controllable integration.
Authentication and Authorization
Extensions Security Model
| Level | Mechanism | Description |
|---|---|---|
| App-level | JWT (JSON Web Token) | Identifies the app itself to GitHub |
| Installation-level | Installation Access Token | Token specific to the installation in the org |
| User-level | OAuth User Access Token | Actions on behalf of the specific user |
| Permissions | Granular permissions | Access only to necessary resources (repo, issues, PRs) |
| Webhooks | HMAC-SHA256 signature | Verifies authenticity of received events |
Required Permissions
Each extension declares the permissions it needs. The user or the organization admin must explicitly approve them before installation. The principle of least privilege should guide the choice of permissions.
{
"name": "Copilot DB Assistant",
"description": "Database query helper for Copilot Chat",
"url": "https://db-assistant.example.com",
"hook_attributes": {
"url": "https://db-assistant.example.com/webhooks"
},
"redirect_url": "https://db-assistant.example.com/auth/callback",
"public": true,
"default_events": [
"issues",
"pull_request"
],
"default_permissions": {
"contents": "read",
"issues": "write",
"pull_requests": "read",
"metadata": "read"
},
"copilot_agent": {
"url": "https://db-assistant.example.com/copilot/agent",
"description": "Helps with database queries and migrations"
}
}MCP Integration in the Extensions Context
The Model Context Protocol (MCP) is a complementary alternative to Copilot Extensions for connecting external tools to Copilot. While extensions follow the GitHub Apps model, MCP offers a standardized protocol for connecting tools and data sources.
GitHub MCP Registry
The GitHub MCP Registry is a curated discovery service for MCP servers. It works as a catalog that allows you to quickly find and install verified MCP servers, reducing the risk of insecure integrations.
Comparison: Extensions vs MCP Servers
| Aspect | Copilot Extensions | MCP Servers |
|---|---|---|
| Platform | GitHub Marketplace | MCP Registry + local configuration |
| Authentication | GitHub OAuth / App tokens | Varies (API key, OAuth, none) |
| Hosting | External server (cloud) | Local (stdio) or remote (HTTP/SSE) |
| Setup complexity | Medium (GitHub App) | Low (config file) |
| Cross-platform | All Copilot environments | Primarily IDE (VS Code) |
| Governance | GitHub Marketplace review | User/org responsibility |
| Use case | SaaS integrations, complex workflows | Local tools, databases, file system |
| Distribution | Public (Marketplace) | Private or public (Registry) |
Toolsets: Grouping MCP Tools
Toolsets are a mechanism for grouping related MCP tools under a single namespace. This simplifies management when you have many active MCP servers simultaneously, allowing you to enable/disable groups of tools with a single operation.
{
"servers": {
"development-tools": {
"type": "stdio",
"command": "npx",
"args": ["-y", "@dev-tools/mcp-server"],
"toolsets": {
"database": {
"description": "Database management tools",
"tools": ["query", "migrate", "seed", "backup"]
},
"testing": {
"description": "Testing utilities",
"tools": ["generate-test", "run-test", "coverage-report"]
},
"documentation": {
"description": "Documentation generation",
"tools": ["generate-docs", "update-readme", "create-adr"]
}
}
},
"cloud-services": {
"type": "remote",
"url": "https://cloud-mcp.example.com/sse",
"toolsets": {
"aws": {
"description": "AWS service management",
"tools": ["s3-upload", "lambda-deploy", "cloudwatch-logs"]
},
"monitoring": {
"description": "Monitoring and alerting",
"tools": ["check-health", "get-metrics", "create-alert"]
}
}
}
}
}Third-Party Agents
One of the most significant evolutions of the Copilot ecosystem is the integration of third-party agents directly into the platform. These agents bring the capabilities of alternative AI models within the Copilot experience.
Available Agents
Third-Party Agents in Copilot
| Agent | Provider | Specialization | Availability | Model |
|---|---|---|---|---|
| Claude | Anthropic | Deep code analysis, refactoring, documentation | Pro+ / Enterprise | Claude Sonnet 4 |
| Codex | OpenAI | Code generation, advanced completions | Pro+ / Enterprise | Codex / o3-mini |
| Gemini | Multimodal understanding, long context | Pro+ / Enterprise | Gemini 2.5 Pro |
When to Use Each Agent
| Scenario | Recommended Agent | Rationale |
|---|---|---|
| Legacy codebase refactoring | Claude | Excellent at analyzing complex code and proposing gradual restructuring |
| Rapid boilerplate generation | Native Copilot (GPT-4) | Optimized for fast completions and scaffolding |
| UI screenshot analysis | Gemini | Multimodal understanding for analyzing interface images |
| Complex algorithmic debugging | Codex / o3-mini | Strong in logical reasoning and algorithmic problem solving |
| Detailed technical documentation | Claude | Produces high-quality technical text with long context |
| Framework migration | Claude or native Copilot | Deep understanding of different framework patterns |
Note on Availability
Third-party agents are currently in public preview and available only for Pro+ and Enterprise plans. Availability and specific models may change over time as new providers are integrated into the platform.
Using third-party agents consumes premium requests from your monthly budget. Requests to advanced models may consume more premium requests compared to requests to Copilot's base model.
Building Your Own Copilot Extension
If the extensions available on the Marketplace don't cover your team's specific needs, you can build your own Copilot Extension. The process requires creating a GitHub App with a server endpoint that handles Copilot requests.
Prerequisites
What You Need to Build an Extension
- GitHub Account: With access to create GitHub Apps
- Web server: To host the extension endpoint (Node.js, Python, Go, etc.)
- HTTPS domain: The endpoint must be accessible via HTTPS
- Knowledge of GitHub Apps API: To manage authentication and webhooks
- Copilot Extensions SDK: Official SDK to simplify development
Extension Architecture
# Copilot Extension Architecture
GitHub Infrastructure
+-------------------+
| |
User in IDE ---> | Copilot Chat |
"@my-ext help" | (message router) |
| |
+--------+----------+
|
HTTP POST (authenticated)
|
+--------v----------+
| |
| Your Extension |
| Server |
| |
| +---------------+ |
| | Request | |
| | Handler | |
| +-------+-------+ |
| | |
| +-------v-------+ |
| | Business | |
| | Logic | |
| +-------+-------+ |
| | |
| +-------v-------+ |
| | External | |
| | Services | |
| | (DB, API, | |
| | tools) | |
| +---------------+ |
| |
+--------+----------+
|
HTTP Response (streaming)
|
+--------v----------+
| |
| Copilot Chat |
| (rendered to |
| user) |
| |
+-------------------+Basic Implementation with Node.js
import express from 'express';
import { Octokit } from '@octokit/rest';
import { createNodeMiddleware } from '@octokit/webhooks';
import { verifyRequestByKeyId } from '@copilot-extensions/preview-sdk';
const app = express();
app.use(express.json());
// Main endpoint for Copilot Chat
app.post('/copilot/agent', async (req, res) => {
try {
// 1. Verify request authenticity
const signature = req.headers['github-public-key-signature'] as string;
const keyId = req.headers['github-public-key-identifier'] as string;
const body = JSON.stringify(req.body);
const isValid = await verifyRequestByKeyId(body, signature, keyId, {
token: process.env.GITHUB_TOKEN!
});
if (!isValid) {
return res.status(401).json({ error: 'Invalid signature' });
}
// 2. Extract the user message
const messages = req.body.messages;
const lastMessage = messages[messages.length - 1];
const userQuery = lastMessage.content;
// 3. Process the request based on content
const response = await processQuery(userQuery, req.body);
// 4. Return response in streaming (SSE format)
res.setHeader('Content-Type', 'text/event-stream');
res.setHeader('Cache-Control', 'no-cache');
res.setHeader('Connection', 'keep-alive');
// Send the response as an event stream
res.write(`data: