Back to Blog
ResearchMarch 29, 2026 · 7 min read

Cursor Hit $2B Revenue. Copilot Has 4.7M Users. Neither Leaves a Trace in Your Git History.

51% of GitHub commits are AI-assisted. Cursor has $2B ARR. GitHub Copilot has 4.7M subscribers. None of them leave attribution in your git history — and that's a compliance crisis.

Published by GitIntel Research

TLDR

  1. Zero git attribution by default.

GitHub Copilot generates an average of 46% of code written by its users — with Java developers hitting 61%. Cursor, deployed at more than half of the Fortune 500, is on a similar trajectory. Developers retain 88% of Copilot suggestions in their final submissions, meaning the AI output isn't being heavily edited — it's shipping.

The headline stat: as of early 2026, over 51% of all code committed to GitHub was either generated or substantially assisted by AI code generators. That's 256 billion lines of AI-assisted code written in 2024 alone. And the vast majority of it is invisible to your git history.

What Your Git Log Actually Shows

We mapped every major AI coding tool against what it leaves in a git commit. The results are bleak:

| Tool | Users / Scale | Git Attribution | Detectable? | | --- | --- | --- | --- | | {row.tool} | {row.users} | {row.attribution} | {row.detectable ? "YES" : "NO"} |

Source: GitIntel Research, March 2026. Market share estimates based on wearetenet.com and getpanto.ai analysis.

Why the Attribution Gap Is a Crisis, Not a Footnote

Most engineering discussions treat AI attribution as a "nice to have" — a curiosity about how much AI your team uses. That framing is dangerously wrong. Here's what actually depends on knowing:

1. License compliance is now ambiguous

GitHub Copilot was trained on public repositories including GPL-licensed code. The EU AI Act (effective August 2026) requires disclosure of AI-generated content in high-risk systems. FOSS foundations like the Linux Foundation are actively drafting AI disclosure policies. If your codebase is 46% Copilot-generated and you can't prove it, you can't defend it.

2. Security audits are flying blind

A March 2026 Stanford and MIT study analyzed over 2 million AI-generated code snippets and found 14.3% contained security vulnerabilities , compared to 9.1% in equivalent human-written code. If your security team can't identify which commits are AI-generated, they can't prioritize audits against the higher-risk population.

3. Code review quality is degrading invisibly

GitClear's 153M-line analysis found AI-assisted code has 41% higher churn rates and 4x more copy-paste duplication than human-written code. You cannot tune your review process for AI-generated code if you don't know which commits are AI-generated.

4. "Only 84% trust AI tools" — but nobody's

verifying

84% of developers say they use or plan to use AI tools, but only 33% fully trust them. That trust gap exists precisely because teams lack the data to measure outcomes. Tracking attribution is how you close it.

The 6% We Can Actually See

When GitIntel scanned 6,500 recent commits across 13 major open source repositories, we found 5.8% AI attribution rate — almost entirely from Claude Code's Co-Authored-By trailers.

$ git log --format="%H %s" | head -5 a4f2c1d feat: add streaming support for tool calls b8e3a92 fix: resolve race condition in worker pool c1d4f3e refactor: extract auth middleware d2e5b7f chore: update dependencies e3f6c8a feat: implement retry logic

$ gitintel scan --format table ┌─────────────────┬───────────┬──────────────┐ │ Repo │ AI Commits│ AI % │ ├─────────────────┼───────────┼──────────────┤ │ Deno │ 206/500 │ 41.2% │ │ Claude Code │ 63/500 │ 12.6% │ │ Next.js │ 27/500 │ 5.4% │ │ Ruff │ 20/500 │ 4.0% │ └─────────────────┴───────────┴──────────────┘ Total: 5.8% (floor — true rate is higher)

The critical word is *floor*. We're detecting attribution that developers chose to leave in. The 46% of code that Copilot writes, the Cursor tab completions, the ChatGPT snippets — all of it is invisible. Our 5.8% detection rate against an estimated 51% true AI rate means we're seeing roughly **one in nine AI-generated commits**.

The math: If 51% of GitHub commits are AI-assisted and GitIntel detects 5.8% via explicit attribution trailers, then approximately 45 percentage points of AI-generated code is currently invisible to any automated tooling. At GitHub's 4.3 million AI repositories, that's a lot of undocumented, untracked, unaudited code in production.

This Is a Tool Design Choice, Not a Technical Limitation

Claude Code adds attribution automatically. The commit trailer it produces looks like this:

Co-Authored-By: Claude noreply@anthropic.com

This is a standard git feature. It costs nothing to implement. It requires no new infrastructure. GitHub Copilot and Cursor have simply chosen not to add it — likely because attribution transparency creates friction in their sales narratives about seamless developer productivity.

There is no technical barrier. The git trailer spec ( git interpret-trailers ) has existed since 2013. The Co-Authored-By convention is used by GitHub for co-authorship since 2018. This is a policy decision, not an engineering one.

What transparent attribution would look like

A Copilot-honest commit message

feat: add rate limiting middleware

Implemented sliding window rate limiter with Redis backend. Token bucket fallback for local development.

Co-Authored-By: GitHub Copilot copilot@github.com AI-Tool: github-copilot@1.248.0 AI-Generated-Lines: 127/183 (69%)

What You Can Do Right Now

While the tool vendors debate attribution policy, there are immediate steps engineering teams can take:

1. Scan what you can detect

Run GitIntel on your repos to establish the explicit attribution baseline. Even 5.8% detection is actionable — Deno's 41% is a policy conversation starter.

cd your-repo && gitintel scan --format json | jq '.summary'

2. Set a team attribution policy

Add a Git commit template ( `.gitmessage` ) that includes an AI disclosure field. Make it a PR checklist item. This is manual, but it works until tools catch up.

3. Switch to tools that self-disclose

Claude Code is currently the only major tool that adds attribution trailers by default. If transparency matters to your org, that's a real differentiator — not just a feature footnote.

4. Watch the EU AI Act deadline

August 2026: high-risk AI system disclosure requirements take effect. If any of your software falls under that definition and you're shipping AI-generated code, your current git history won't help you comply. Start building the paper trail now.

The Bigger Picture: Trust at Scale

The AI coding market is growing faster than any software category in history. Cursor doubled its annualized revenue from $1B to $2B in three months. That velocity means AI-generated code is reaching production at a pace that outstrips any governance framework currently in place.

The 33% full-trust figure is not surprising — it's rational. Developers know that AI tools make mistakes one in four times, that 14.3% of AI snippets carry security vulnerabilities, and that there's no reliable way to identify which parts of their codebase came from which tool. They're being asked to trust black boxes in systems that need audit trails.

Attribution won't fix that trust gap on its own. But it's the prerequisite for everything else: security auditing, quality measurement, license review, compliance reporting. You cannot govern what you cannot see.

See what's hiding in your git history

GitIntel scans for the 6% you can detect today. Open source, local-first, no data leaves your machine.

# Install GitIntel
curl -fsSL https://gitintel.com/install.sh | sh

# Scan your repo
cd your-repo
gitintel scan

# Get the full picture
gitintel scan --format json > ai-audit.json

View on GitHub

Open source (MIT) · Local-first · No data leaves your machine

Data sourced from wearetenet.com, getpanto.ai, netcorpsoftwaredevelopment.com, and GitIntel Research. Market data as of Q1 2026.

Related reading on GitIntel: