Introducing Tenki's code reviewer: deep, context-aware reviews that actually find bugs.Try it for Free
Back to Blog
AI Agents
Mar 2026

Copilot Coding Agent Observability: From Black Box to Audit Trail

Eddie Wang
Eddie Wangengineering

Share Article:

Between March 17 and March 20, 2026, GitHub shipped five observability features for Copilot coding agent in rapid succession. Commit-to-session tracing, configurable validation tools, improved session logs, live monitoring through Raycast, and session filters for organizational oversight. Taken together, they represent the first serious attempt to make AI agent work auditable.

If you're running Copilot coding agent across a team, this changes the calculus. Before last week, you could assign tasks to the agent and review its PRs, but the space between "task assigned" and "PR opened" was largely a black box. Now there's a paper trail.

Commit-to-Session Tracing

Every commit from Copilot coding agent already listed Copilot as the author and the human who assigned the task as co-author. That's useful for git blame, but it didn't tell you why the agent made a particular change.

Starting March 20, each agent commit includes an Agent-Logs-Url trailer in the commit message. That trailer is a permanent link back to the full session logs for the task that produced the commit.

This is most valuable during two activities: code review and post-incident analysis. During review, if a diff looks odd or an approach seems wrong, you can click through to the session logs and see exactly what the agent considered, what files it read, and what tools it ran before making that change. During incident response, you can trace a problematic commit directly to the agent's reasoning chain without hunting through GitHub's UI.

The trailer shows up in git log output, so you don't need the GitHub web interface to find it. Any tooling that parses commit messages can extract the session URL programmatically.

Configurable Validation Tools

When Copilot coding agent writes code, it doesn't just open a PR and walk away. It runs your project's tests and linter, plus a set of GitHub's own security and quality checks: CodeQL, the GitHub Advisory Database, secret scanning, and Copilot code review. If any of them flag an issue, the agent tries to fix it before requesting human review.

These built-in checks are free, enabled by default, and don't require a GitHub Advanced Security license. But they're not always appropriate. CodeQL analysis on a large monorepo can take a long time, and that delay might not be worth it for a minor text change. Some teams have their own security scanning pipelines and don't want redundant checks.

As of March 18, repository admins can toggle individual validation tools on or off from the Copilot > Coding agent section in repository settings. You pick which checks the agent runs before it opens a PR.

For teams with strict compliance requirements, leaving all of them on makes sense. For teams optimizing for throughput on low-risk tasks, disabling CodeQL for repositories where it adds ten minutes to every agent session is a reasonable tradeoff. The point is that you get to decide, per repository, rather than accepting a one-size-fits-all default.

Session Log Improvements

Session logs existed before last week, but they were sparse. You could see what the agent did, broadly, but the details were buried in verbose GitHub Actions logs if you wanted to dig deeper.

The March 19 update added three things:

  • Built-in setup step visibility. Before the agent starts your task, it clones the repository and initializes the agent firewall (if you've enabled one). These steps now appear in the session logs with start and finish timestamps, so you can tell whether a slow session was caused by setup overhead or by the actual task.
  • Custom setup step output. If you've configured a copilot-setup-steps.yml file to customize the agent's development environment, the output from those steps now streams into the session logs. Previously you had to jump to Actions to debug a failed setup step.
  • Subagent activity tracking. Copilot can delegate subtasks to subagents, often spinning one up to research and understand your codebase before making changes. Subagent activity is now collapsed by default with a status line showing what it's working on, expandable to the full output on demand.

The subagent visibility is particularly useful. When a session takes longer than expected, you can see whether the agent is stuck in a research loop, waiting on a slow tool, or actually making progress on a subtask. That's the difference between "the agent is slow" and knowing specifically what's slow about it.

Live Monitoring Through Raycast

Also on March 20, GitHub released live log streaming for the GitHub Copilot Raycast extension. Install the extension, open Raycast, run the View Tasks command, pick a session, and you get a live tail of the agent's logs without leaving whatever you're working on.

This matters more than it sounds. The web-based session logs on GitHub already supported real-time viewing, but switching to a browser tab and navigating to the right session breaks your flow. With Raycast, you can glance at agent progress with a keyboard shortcut, the same way you'd check a build status or a notification. It turns agent monitoring from an active task into a passive one.

For engineering managers supervising multiple agent sessions across a team, this is the difference between a 30-second context switch and a 3-second one. The practical effect is that you'll actually check on sessions, rather than waiting until the PR appears.

Session Filters for Organizational Oversight

The session visibility improvements also apply at the organizational level. You can now filter and search agent sessions across repositories, making it feasible to answer questions like: how many agent sessions ran this week? Which ones are still in progress? Which ones failed?

This is the foundation for any kind of agent governance policy. You can't enforce "all agent PRs must be reviewed within 4 hours" if you can't even see all active agent sessions in one place. The filters give you that single pane of glass.

Combined with commit-to-session tracing, you now have a complete audit trail from organizational session overview down to individual commits and the reasoning behind them.

What This Means for Trust-but-Verify

The operating model for AI coding agents has always been trust-but-verify: assign a task, let the agent work, review the output. The problem with that model wasn't trust or verification individually. It was the gap between them. If something went wrong, there was no efficient way to understand what the agent did or why.

These five features close that gap. Not completely, but enough to change the risk profile of delegating work to agents. Consider the workflow now available:

  1. Assign a task to Copilot coding agent
  2. Monitor progress in real time through Raycast or the web UI
  3. When the PR opens, review the diff normally
  4. If anything looks off, click the Agent-Logs-Url in the commit trailer to see the agent's full reasoning
  5. At the org level, filter sessions to track throughput, failures, and patterns

That's a workflow that an engineering manager can actually defend in a compliance review. It's not perfect: you still can't intervene during a session beyond canceling it, and the logs show what the agent did but not necessarily all the alternatives it considered. But it's a significant step beyond "we reviewed the PR."

Getting Started

All of these features are available now for Copilot Pro, Pro+, Business, and Enterprise subscribers. Business and Enterprise organizations need an admin to enable Copilot coding agent from the Policies page first.

For validation tools, go to your repository's Settings > Copilot > Coding agent and configure which checks you want the agent to run. For Raycast integration, install the GitHub Copilot extension. Commit-to-session tracing and improved session logs work automatically with no configuration needed.

If your team has been cautious about Copilot coding agent adoption because of auditability concerns, these features directly address that. The agent's work is no longer a black box. It's traced, logged, configurable, and filterable. The question shifts from "can we trust the agent" to "are we reviewing agent work effectively," and that's a much more productive question to answer.

Tags

#github-copilot#ai-agents#observability

Recommended for you

What's next in your stack.

MCP security scanning concept diagram showing how to audit AI agents and connected tools, highlighting security checks, permission boundaries, and risk analysis in agent-to-tool integrations.
AI Agents
·Apr 2026

MCP Security Scanning: Audit Your AI Agent's Tools

Hayssem Vazquez-Elsayed
Hayssem Vazquez-Elsayed
Explaining the hidden CI tax of AI coding agents, showing how automated code generation increases continuous integration workload, including more builds, test runs, and pipeline costs in a software development workflow.
AI Agents
·Apr 2026

The Hidden CI Tax of AI Coding Agents

Eddie Wang
Eddie Wang

GET TENKI

Smarter reviews. Faster builds. Start for Free in less than 2 min.

Book demo for Tenki CloudBook a demo with Marina