Access Reviews for Code Execution

Imagine a development pipeline where every piece of code that runs on production servers has been vetted by an access review, and the review evidence is automatically captured for auditors. In that world, a rogue command never slips past a gate, and compliance teams can prove who approved each execution without hunting through log files.

Why code execution needs access reviews

Running code on shared infrastructure is a high‑risk activity. Engineers often receive broad "execute" permissions on CI runners, Kubernetes pods, or remote shells. Those permissions are granted once, rarely revisited, and they bypass any human checkpoint. When a new script is introduced, the organization relies on the developer’s good intentions rather than a documented approval process. The result is a blind spot: a malicious insider or a compromised credential can launch arbitrary commands, exfiltrate data, or disrupt services, and the incident leaves little trace of who authorized the action.

What traditional setups get right – and where they stop

Most modern environments already enforce strong identity foundations. Single sign‑on, OIDC or SAML tokens, and least‑privilege IAM roles ensure that only known identities can start a session. That setup is essential; it tells the system *who* is trying to connect. However, identity verification alone does not answer *what* the identity is allowed to do at the moment of execution. Once the token is accepted, the request travels directly to the target – a database, a container, or an SSH daemon – without any intermediate check. No audit record of the specific command is created, no inline data masking occurs, and there is no workflow to pause a risky operation for a human sign‑off.

Putting the review gate in the data path

The missing piece is a control surface that sits between the authenticated identity and the resource it wants to touch. By inserting a gateway at the protocol layer, every execution request can be inspected, logged, and, if necessary, routed through an approval workflow before it reaches the target. This approach satisfies three requirements simultaneously:

• It keeps the enforcement point outside the agent that runs the code, so the agent cannot bypass the check.
• It records the exact command, the identity that issued it, and the outcome, providing reliable evidence for auditors.
• It can mask sensitive response fields (such as passwords or tokens) before they appear in logs or user terminals.

Only a data‑path gateway can guarantee that these outcomes happen for every execution, regardless of the underlying identity system.

How hoop.dev enforces access reviews for code execution

hoop.dev implements the gateway described above. It authenticates users via OIDC/SAML, reads group membership, and then places the request in front of a configurable policy engine. When a developer initiates a code run, whether through kubectl exec, an SSH session, or a database client, hoop.dev intercepts the wire‑level request.

At that point hoop.dev checks the configured access‑review policy. If the policy requires a human sign‑off, the request is paused and a notification is sent to the designated approver. Once the approver grants permission, hoop.dev forwards the command to the target. Every step – the pause, the approval, the command itself, and the response – is recorded in a session log that can be replayed later. Because hoop.dev sits in the data path, the target never sees the raw credential; the gateway presents its own service identity, keeping secrets out of the hands of the executing process.

In addition to approval workflows, hoop.dev can mask fields in real time. For example, if a command returns a database password, hoop.dev replaces the value with a placeholder before it reaches the user’s console or log aggregation system. This inline masking prevents accidental leakage of sensitive data while still preserving the context needed for debugging.

All of these enforcement outcomes – just‑in‑time approval, session recording, and inline masking – exist only because hoop.dev occupies the data path. Without that placement, identity verification alone would not be enough to produce the audit evidence required for effective access reviews.

Getting started

To adopt this model, teams first configure their identity provider (Okta, Azure AD, Google Workspace, etc.) as an OIDC source. Next they deploy the hoop.dev gateway near the resources they want to protect, using the Docker Compose quick‑start or a Kubernetes manifest. The gateway is then pointed at the target systems – a Kubernetes cluster, an SSH host, or a database – and the desired access‑review policies are defined in the UI or via the policy API. Detailed steps are covered in the getting‑started guide and the broader learn section.

Explore the full implementation on GitHub.

FAQ

Do access reviews replace existing IAM policies?

No. IAM determines *who* can start a session. Access reviews add a layer that decides *what* that session may do at the moment of execution.

Can I apply access reviews to existing workloads without redeploying them?

Yes. Because hoop.dev sits in front of the protocol, you only need to point your client tools at the gateway address. The underlying workloads remain unchanged.

What happens to a session if the approver does not respond?

hoop.dev enforces a configurable timeout. After the timeout the request is automatically denied and the attempt is logged as a rejected execution.