Introduction
You already use GitHub Copilot to autocomplete lines and functions. But if you're treating it like a smarter autocomplete, you're leaving 80% of its value on the table. The real power of Copilot — especially in 2026 with the latest models like GPT-4o and Claude 4 Sonnet integrated — lies in structured prompting for higher-level tasks: generating commit messages, explaining legacy code, and conducting thorough code reviews.
This article is a battle-tested collection of 10 prompts I use daily in production. Each prompt includes a concrete example, why it works, and the exact output you can expect. No fluff, no theory — just prompts that ship.
1. Generate a descriptive commit message
Prompt:
You are an expert software engineer. Given the following git diff, write a concise but descriptive commit message following the Conventional Commits specification (type(scope): description). Focus on the 'why' and 'what', not the 'how'. Diff:
[diff]
Why it works: Copilot sees the full diff, not just a summary. The explicit instruction to follow Conventional Commits eliminates vague messages like "fix bug" and produces something actionable: fix(auth): handle token refresh race condition on login.
Example output:
fix(api): add null check for user object in profile endpoint
- Prevents NullPointerException when user session expires
- Adds early return with 401 status
2. Explain a complex function in simple terms
Prompt:
Explain this function to a junior developer who knows JavaScript but not this specific library. Include:
- What the function does in one sentence
- The input/output types
- Any side effects or edge cases
- A simple analogy for the logic
[code]
Why it works: Without constraints, Copilot might give a shallow answer. The explicit request for an analogy and a one-sentence summary forces it to simplify genuinely complex logic.
Example output for a debounce function:
One sentence: This function delays calling the callback until the user stops typing for 300ms.
Input: a function, a delay in ms
Output: a new debounced function
Side effect: the returned function clears the previous timer on each call
Analogy: It's like a waiter who only goes to the kitchen after the last customer finishes ordering.
3. Generate unit tests for an existing function
Prompt:
Generate Jest unit tests for the following function. Cover:
- Happy path with typical inputs
- Edge cases (empty inputs, null, unexpected types)
- Error cases (invalid arguments, network failures)
Use describe/it blocks and mock external dependencies. Function:
[code]
Why it works: Specifying "Jest" and the coverage categories prevents generic test generation. Copilot will actually mock fetch or axios calls and test error handling.
Example output:
describe('fetchUserProfile', () => {
it('returns user data for valid ID', async () => {
global.fetch = jest.fn().mockResolvedValue({
json: () => ({ id: 1, name: 'Alice' })
});
const result = await fetchUserProfile(1);
expect(result.name).toBe('Alice');
});
it('throws error for invalid ID', async () => {
await expect(fetchUserProfile(null)).rejects.toThrow('Invalid user ID');
});
});
4. Review a pull request for security issues
Prompt:
Review this pull request diff for security vulnerabilities. Focus on:
- SQL injection, XSS, CSRF
- Hardcoded secrets or API keys
- Insecure direct object references (IDOR)
- Missing input validation
- Authentication bypasses
For each issue found, provide: severity (critical/high/medium/low), affected lines, and a suggested fix.
[diff]
Why it works: The explicit list of vulnerability types narrows Copilot's focus. Without it, you get generic "add error handling" suggestions. This prompt surfaces real security flaws.
Example output:
🔴 Critical: SQL injection on line 45
- Code: `db.query('SELECT * FROM users WHERE id = ' + userId)`
- Fix: Use parameterized query `db.query('SELECT * FROM users WHERE id = $1', [userId])`
5. Refactor a messy function into smaller pieces
Prompt:
Refactor this function into smaller, single-responsibility functions. Follow these principles:
- Each function does one thing
- Functions are pure where possible (no side effects)
- Names describe intent, not implementation
- Keep the public API unchanged
Original code:
[code]
Why it works: Copilot understands the original function's intent and can decompose it. The "keep public API unchanged" constraint prevents breaking changes.
6. Generate a SQL query from a natural language description
Prompt:
Generate a PostgreSQL query for the following request. Use proper JOINs, indexes, and avoid N+1 queries. Assume tables: users(id, name, email), orders(id, user_id, total, created_at).
Request: "Find all users who placed an order over $100 in the last 30 days, sorted by total spent descending"
Why it works: Giving the table schema explicitly removes ambiguity. The "avoid N+1" directive ensures Copilot writes a single optimized query.
Example output:
SELECT u.name, u.email, SUM(o.total) as total_spent
FROM users u
JOIN orders o ON u.id = o.user_id
WHERE o.total > 100 AND o.created_at > NOW() - INTERVAL '30 days'
GROUP BY u.id, u.name, u.email
ORDER BY total_spent DESC;
7. Explain a regex step by step
Prompt:
Explain this regex as if I'm a beginner. Break it down token by token, and give an example of strings that match and don't match. Regex:
/^(?=.*[A-Z])(?=.*[a-z])(?=.*\d).{8,}$/
Example output:
Token breakdown:
- ^ : start of string
- (?=.*[A-Z]) : lookahead for at least one uppercase letter
- (?=.*[a-z]) : lookahead for at least one lowercase letter
- (?=.*\d) : lookahead for at least one digit
- .{8,} : any character, 8 or more times
- $ : end of string
Matches: "Password1", "Hello123"
Does not match: "password", "PASSWORD1", "Pass1" (only 6 chars)
8. Generate a Dockerfile for a specific stack
Prompt:
Generate a production-ready Dockerfile for a Node.js 20 application using Express. Requirements:
- Multi-stage build (install deps in build stage, copy only production files to final stage)
- Use alpine base image
- Run as non-root user
- Set NODE_ENV=production
- Expose port 3000
- Health check endpoint at /health
Why it works: The detailed requirements eliminate the need for back-and-forth. Copilot will generate a complete, secure Dockerfile.
9. Generate a CI/CD pipeline configuration
Prompt:
Generate a GitHub Actions workflow for a Node.js project with:
- Triggers: push to main, pull requests to main
- Lint with ESLint
- Run Jest tests with coverage
- Build the project
- Deploy to AWS ECS if the branch is main and tests pass
- Cache node_modules for faster runs
Use matrix strategy for Node 18, 20, 22.
Why it works: The matrix strategy and caching instructions are specific enough to avoid generic YAML. Copilot produces a ready-to-use .github/workflows/ci.yml.
10. Generate code documentation in JSDoc format
Prompt:
Add JSDoc comments to this function. Include:
- @param with type and description
- @returns with type and description
- @throws if any errors are expected
- @example showing typical usage
[code]
Example output:
/**
* Fetches a user's profile by ID.
* @param {number} userId - The user's unique identifier.
* @returns {Promise<Object>} The user object with id, name, email.
* @throws {Error} If userId is not a positive integer or network fails.
* @example
* const user = await fetchUserProfile(42);
* console.log(user.name); // 'Alice'
*/
Conclusion
These 10 prompts transform GitHub Copilot from a line completer into a full-stack assistant that writes commit messages, reviews security, explains legacy code, and generates infrastructure. The key is specificity: tell Copilot exactly what you want, including format, constraints, and examples.
Start by adding the commit message prompt to your .git/hooks/prepare-commit-msg — it's the easiest win. Then work your way up to code review prompts. Your team will thank you.
ASI Biont supports connecting to GitHub via API — for detailed integration guides and course materials on AI-assisted development, visit asibiont.com/courses.
Comments