A developer starts a Copilot CLI session for a repository cleanup task. Copilot may read files, search the codebase, edit local files, and run Git inspection commands, but it must not fetch external URLs or push commits. Which option best describes this permission configuration? Select one answer.
cd ~/work/order-service
copilot \
--available-tools='bash,edit,view,grep,glob' \
--allow-tool='shell(git:*)' \
--deny-tool='shell(git push)'
# Prompt:
# Update the deprecated Jest config, run the affected tests,
# and prepare a local commit summary for review.Choose an answer
Tap an option to check your answer.
Correct answer: Restricts tool choices and blocks git push.
Why this is the answer
The correct option is "Restricts tool choices and blocks git push" because the --available-tools flag explicitly limits Copilot to bash, edit, view, grep, and glob. Additionally, the --allow-tool='shell(git:)' grants permission for all git commands, but this is immediately overridden and refined by --deny-tool='shell(git push)', which specifically prevents Copilot from executing git push. This combination precisely matches the requirements: restricted tools and a blocked git push. "Gives shell full access through git wildcard" is incorrect because the git: wildcard is immediately followed by a deny rule for git push, preventing full access. "Requires allow-all-tools before editing files" is incorrect; the edit tool is explicitly allowed, and there's no general allow-all-tools requirement for file editing. "Deny rule is ignored after allow rule" is incorrect; in Copilot CLI, deny rules take precedence and refine allow rules, ensuring git push is blocked despite the broader git: allowance.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed