All posts
June 18, 20264 min read

Putting access controls around Devin: database access for AI coding agents (on CI/CD pipelines)

When AI coding agents run as part of a CI/CD pipeline, every database access they issue should be traceable, limited to the exact tables they need, and never expose sensitive customer data. The ideal pipeline records each database interaction, masks personally identifiable information in query results, and requires a human approval before any destructive command is executed. With those controls in place, a compromised build agent cannot silently exfiltrate data or corrupt production tables, and

Free White Paper

CI/CD Credential Management + AI Model Access Control: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

When AI coding agents run as part of a CI/CD pipeline, every database access they issue should be traceable, limited to the exact tables they need, and never expose sensitive customer data. The ideal pipeline records each database interaction, masks personally identifiable information in query results, and requires a human approval before any destructive command is executed. With those controls in place, a compromised build agent cannot silently exfiltrate data or corrupt production tables, and auditors can see exactly who asked what, when, and why.

Achieving that state is more than a nice‑to‑have checklist. It requires a single enforcement point that can see every SQL statement, apply policy, and produce immutable evidence without slowing down the developer workflow. The enforcement must sit between the AI agent and the database so that the agent never talks directly to the backend.

How teams often connect AI agents to databases today

In many organisations, AI‑driven code‑completion tools like Devin are given a static database user name and password that live in the CI/CD secret store. The build container injects those credentials and opens a direct TCP connection to the production database. Because the credential is shared across all pipeline runs, any compromise of the secret – for example a leaked environment variable or a mis‑configured fork – instantly grants unrestricted read and write access to the entire data store. The connection bypasses any central policy engine, so there is no record of which query was issued, no way to hide sensitive columns, and no chance to pause a dangerous operation for review.

That approach also defeats the principle of least privilege. The AI agent often needs only read‑only access to a handful of tables, yet the shared credential typically has broader rights to simplify configuration. When the pipeline fails, logs may contain raw query strings and result sets, leaking data to anyone who can read the CI logs. In short, the current model provides a direct path from the agent to the database with no audit trail, no masking, and no approval workflow.

The missing piece: a non‑human identity with just‑in‑time enforcement

What we need is a way to issue short‑lived, identity‑bound tokens for the AI agent, scoped to the exact database role it should assume for a single pipeline run. The token‑issuance step is the setup layer – it decides who the request is and whether the run is allowed to start. However, that setup alone does not enforce any policy on the data path. The request still travels straight to the database, meaning the database itself must enforce masking, command blocking, and logging, which it cannot do without substantial changes to the engine.

Therefore, the precondition we are fixing is the identity and credential model, while acknowledging that the request still reaches the target directly, with no visibility, no inline data protection, and no human gatekeeping. The missing enforcement point must sit between the AI agent and the database.

Introducing hoop.dev as the data‑path gateway

hoop.dev provides that enforcement point. It is a Layer 7 gateway that proxies every database connection from the AI agent to the backend. Because the gateway sits in the data path, hoop.dev can inspect each SQL packet, apply policy, and record the session before the query ever reaches the database.

Continue reading? Get the full guide.

CI/CD Credential Management + AI Model Access Control: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

In the setup phase, developers configure OIDC or SAML authentication for the CI system. The AI agent obtains a short‑lived token from the identity provider, and hoop.dev validates that token, extracts group membership, and maps it to a database role that is no broader than required for the job. The token never reaches the database; hoop.dev translates the request into a credential that the backend accepts.

Enforcement outcomes that only hoop.dev can guarantee

  • hoop.dev masks sensitive columns in query results, ensuring that personally identifiable information never leaves the gateway in clear text.
  • hoop.dev blocks or routes destructive commands – such as DROP, ALTER, or DELETE – to a human approval workflow before they are executed.
  • hoop.dev records every session, capturing the full request and response stream for replay and audit.
  • hoop.dev enforces just‑in‑time access, revoking the permission the moment the pipeline step finishes.

Each of those outcomes exists because hoop.dev sits in the data path. Without the gateway, the AI agent would talk directly to the database and none of these controls could be applied.

Why this architecture satisfies security and compliance goals

Because hoop.dev is the only component that can see the traffic, it produces evidence that auditors demand for database access controls: per‑user logs, approval timestamps, and masked result sets. The evidence is stored outside the CI runner and outside the database, keeping the audit data separate from the production environment.

The approach also reduces blast radius. If an attacker compromises the CI secret store, they only obtain a token that is valid for a single pipeline run and for a narrowly scoped role. Any attempt to run a destructive command will be intercepted by hoop.dev and require a manual sign‑off, buying time for detection and response.

Getting started

To try this in your own environment, follow the getting‑started guide. The documentation walks through deploying the gateway, registering a PostgreSQL connection, and configuring OIDC authentication for your CI system. For deeper details on masking policies, approval workflows, and session replay, see the feature documentation.

FAQ

Do I need to change my existing database credentials?

No. hoop.dev holds the credential internally and presents a short‑lived, scoped credential to the database on behalf of the AI agent.

Will masking affect query performance?

Masking is applied at the protocol layer after the database returns the result set, so the impact is minimal and predictable.

Can I audit historical runs?

Yes. hoop.dev stores each session record, which can be replayed or exported for forensic analysis.

The source code and contribution guidelines are available on GitHub: https://github.com/hoophq/hoop.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot