GitHub Copilot went generally available on June 21, 2022, after a technical preview that began in 2021. Six months of paid adoption has produced real data on how developers use it and what the limitations are.

What Copilot excels at

Copilot is strongest at: generating boilerplate code from context, completing well-understood patterns (CRUD operations, HTTP client setup, test assertions), writing docstrings and comments from function signatures, and translating code between languages. For these tasks, the time savings are substantial. A developer who would spend 10 minutes writing boilerplate completes it in 2 minutes with Copilot.

What Copilot struggles with

Copilot is weakest at: novel algorithm design, complex business logic with multiple interacting conditions, security-sensitive code where correctness is non-negotiable, and code that requires understanding of your specific codebase's patterns and naming conventions. The suggestions in these cases are often plausible-looking but incorrect, requiring more time to evaluate and fix than to write from scratch.

The security question

Research published in 2022 showed that Copilot suggests insecure code in some scenarios. Specifically, for code involving security-sensitive patterns (SQL queries, file path construction, cryptographic operations), Copilot can suggest code that is vulnerable to injection or path traversal, or that uses deprecated cryptographic functions. Developers using Copilot for security-sensitive code should apply the same scrutiny they would apply to any untrusted source.
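As an added illustration (constructed for this article, not actual Copilot output), the Python below puts two of the patterns named above next to the form a reviewer should insist on: a string-built SQL query beside a parameterised one, and a join-only file path beside one with a containment check. The table, function names, base directory and inputs are all assumptions made for the example.

```python
import os
import sqlite3

BASE = "/srv/app/uploads"  # constructed base directory; it need not exist

def make_db():
    """In-memory database with two constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return db

def find_user_concat(db, name):
    # Reject in review: input is spliced into the SQL text and can alter the query.
    return db.execute(f"SELECT email FROM users WHERE name = '{name}'").fetchall()

def find_user_param(db, name):
    # Hardened: placeholder binding keeps the input as data only.
    return db.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()

def resolve_join_only(base, user_path):
    # Reject in review: join and normalise with no containment check.
    return os.path.normpath(os.path.join(base, user_path))

def resolve_contained(base, user_path):
    # Hardened: resolve symlinks and "..", then require the result to stay under base.
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return target

def review_demo():
    db = make_db()
    tricky = "x' OR '1'='1"  # constructed input containing a quote
    try:
        resolve_contained(BASE, "../outside.txt")
        escaped = True
    except ValueError:
        escaped = False
    return {
        "concat_rows": len(find_user_concat(db, tricky)),   # matches every row
        "param_rows": len(find_user_param(db, tricky)),     # matches nothing
        "join_only_inside": resolve_join_only(BASE, "../outside.txt").startswith(BASE + os.sep),
        "contained_escaped": escaped,
    }

if __name__ == "__main__":
    print(review_demo())
```

Both rejected forms look reasonable at a glance, which is why accepted suggestions in these areas need a test with hostile input rather than a visual check.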

The developer workflow change

The most accurate characterisation of Copilot after six months of production use: it is a very good autocomplete that sometimes suggests complete function implementations. It reduces the time from thinking about what to write to having a draft implementation. It shifts the developer's cognitive work from writing to reviewing and adjusting. Most developers who use it consistently report they would not want to code without it.