
Putting access controls around GitHub Copilot: database access for AI coding agents (on internal SaaS)



Why database access needs tighter controls for AI coding agents

When a development team equips GitHub Copilot with the ability to query internal databases, the convenience can quickly turn into a compliance nightmare. An AI coding agent runs without a human in the loop, yet it can issue SELECT, INSERT or UPDATE statements that touch personally identifiable information, financial records, or proprietary schemas. Because the agent authenticates with a static service account, every request appears identical, making it impossible to tell which engineer triggered a particular query or whether the query was part of a legitimate code‑completion request. The result is a blind spot: privileged database access that is hard to audit, impossible to approve on a per‑query basis, and risky from a data‑leak perspective.

What the current setup provides and where it falls short

Most organizations already have the basic building blocks in place. Identity providers such as Okta or Azure AD issue OIDC tokens for non‑human service accounts, and those tokens are mapped to a role that grants the agent a database‑level credential. This satisfies the requirement that the request originates from an authenticated identity. However, the request still travels directly from the agent to the database engine. No gateway sits in the data path, so there is no place to enforce inline policies. The database sees a perfectly valid connection and executes every command it receives. Consequently, there is no real‑time approval workflow, no command‑level audit, no automatic masking of sensitive columns, and no replayable session record. The organization is left with a standing permission that cannot be revoked on demand and no evidence to satisfy auditors.

How hoop.dev creates a secure data path for database access

hoop.dev is designed exactly for this gap. It acts as a Layer 7 gateway that sits between the AI coding agent and the target database. The agent authenticates to hoop.dev with its OIDC token, and hoop.dev validates the token against the identity provider. From that point onward, every database request passes through hoop.dev’s data path. Because the gateway is the single enforcement point in that path, hoop.dev can apply the full suite of controls that were missing before.

Just‑in‑time access

hoop.dev evaluates the intent of each query against a policy that maps identities to allowed operations. If a request exceeds the predefined scope, hoop.dev can pause the session and route the request to a human approver. Approval decisions are recorded, providing a clear audit trail for every elevated query.

Inline data masking

When a response contains columns marked as sensitive, such as SSN, credit‑card numbers, or internal identifiers, hoop.dev masks those fields in real time before they reach the AI agent. The agent never sees the raw values, reducing the risk of accidental leakage while still allowing the code‑completion workflow to function.

Command‑level audit and session recording

Every statement that passes through the gateway is logged with the originating identity, timestamp, and outcome. hoop.dev also records the full session stream, enabling replay for forensic analysis or compliance reviews. Because the recording happens in the gateway, the database itself does not need to be modified to produce these logs.


Policy‑driven blocking

Administrators can define patterns of disallowed commands, such as DROP TABLE, ALTER USER, or mass‑delete statements. hoop.dev intercepts those commands and blocks them before they reach the database, preventing destructive actions from being executed by an uncontrolled AI agent.

Putting the pieces together

The overall architecture follows a clear separation of concerns. The identity provider supplies the token that proves who the agent is. hoop.dev consumes that token and becomes the sole enforcement point. All enforcement outcomes (just‑in‑time approvals, masking, audit, and blocking) exist because hoop.dev sits in the data path. Removing hoop.dev would revert the system to the original blind spot where the agent talks directly to the database with no guardrails.
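To make the gateway pattern concrete, here is an added, constructed example of the enforcement loop the sections above describe: a per-identity policy that allows, escalates or blocks each statement, a destructive-command block list, column masking on the way back, and a command-level audit record per statement. It is not hoop.dev code and does not use hoop.dev's policy format; the identity name, the policy, the blocked patterns, the sensitive-column list and the stand-in database are all assumptions chosen for illustration.

```python
"""Illustrative gateway-style enforcement for an AI agent's SQL traffic.

Constructed example of the pattern described in the post (identity-bound
policy, destructive-command blocking, just-in-time escalation, column masking
and command-level audit). Not hoop.dev code; every name and rule below is an
assumption for illustration only.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Statement classes each agent identity may run without a human approver (assumed policy).
POLICY = {
    "copilot-agent": {"allowed": {"SELECT"}, "escalate": {"INSERT", "UPDATE"}},
}

# Patterns treated as destructive and blocked outright (assumed; modelled on the post's examples).
BLOCKED_PATTERNS = [
    re.compile(r"^\s*DROP\s+TABLE\b", re.I),
    re.compile(r"^\s*ALTER\s+USER\b", re.I),
    re.compile(r"^\s*DELETE\s+FROM\s+\w+\s*;?\s*$", re.I),  # DELETE with no WHERE clause
    re.compile(r"^\s*TRUNCATE\b", re.I),
]

# Columns whose values are masked before a response reaches the agent (assumed list).
SENSITIVE_COLUMNS = {"ssn", "card_number", "internal_id"}


@dataclass
class Decision:
    verdict: str  # "allow", "escalate" or "block"
    reason: str


@dataclass
class AuditRecord:
    identity: str
    statement: str
    verdict: str
    timestamp: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


AUDIT_LOG: list = []  # one record per statement, whatever the outcome


def statement_verb(sql: str) -> str:
    """First keyword of the statement, upper-cased; drives the policy lookup."""
    match = re.match(r"\s*([A-Za-z]+)", sql)
    return match.group(1).upper() if match else ""


def evaluate(identity: str, sql: str) -> Decision:
    """Decide what the gateway does with one statement from one identity."""
    for pattern in BLOCKED_PATTERNS:
        if pattern.search(sql):
            return Decision("block", f"matches destructive pattern {pattern.pattern!r}")
    policy = POLICY.get(identity)
    if policy is None:
        return Decision("block", "unknown identity")
    verb = statement_verb(sql)
    if verb in policy["allowed"]:
        return Decision("allow", f"{verb} is within scope for {identity}")
    if verb in policy["escalate"]:
        return Decision("escalate", f"{verb} requires a human approver for {identity}")
    return Decision("block", f"{verb} is not permitted for {identity}")


def mask_rows(rows: list) -> list:
    """Replace sensitive column values so the agent never sees the raw data."""
    return [
        {k: ("***" if k.lower() in SENSITIVE_COLUMNS else v) for k, v in row.items()}
        for row in rows
    ]


def handle(identity: str, sql: str, execute):
    """Gateway entry point: evaluate, record, and only then run or refuse the statement.

    `execute` stands in for the database connection the gateway holds; an
    "escalate" verdict returns no rows here, where a real gateway would park the
    session until an approver decides.
    """
    decision = evaluate(identity, sql)
    AUDIT_LOG.append(AuditRecord(identity, sql, decision.verdict))
    if decision.verdict != "allow":
        return decision, []
    return decision, mask_rows(execute(sql))


def fake_db(sql: str) -> list:
    """Constructed stand-in for the database: returns one sensitive row for any query."""
    return [{"id": 7, "email": "user@example.com", "ssn": "123-45-6789"}]


if __name__ == "__main__":
    for stmt in ["SELECT id, ssn FROM customers",
                 "UPDATE customers SET email = 'x'",
                 "DROP TABLE customers"]:
        verdict, rows = handle("copilot-agent", stmt, fake_db)
        print(verdict.verdict, "|", stmt, "|", rows)
```

The order of checks matters: the destructive-pattern scan runs before the policy lookup, so a blocked statement never reaches the approval path, and the audit record is written before any execution, so a statement that fails mid-way still leaves a trace tied to the identity that issued it.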

Getting started

To try this approach, start with the getting‑started guide. It walks you through deploying the gateway, registering a PostgreSQL or MySQL connection, and configuring OIDC authentication for your service accounts. The documentation also shows how to define masking rules and approval policies that are tailored to AI coding agents. Because hoop.dev is open source, you can review the implementation or contribute improvements directly on GitHub.

Further reading

The learn section provides deeper insight into each feature, including best‑practice guidance for policy design, audit‑log retention, and integrating with existing CI/CD pipelines.

FAQ

Does hoop.dev store database credentials?

No. The gateway holds the credential only in memory for the duration of a session. Users and agents never see the raw secret.

Can I use hoop.dev with existing database users?

Yes. You can configure the gateway to use any credential that the database accepts, including IAM‑based authentication for supported cloud databases.

How does hoop.dev handle high‑throughput workloads?

The gateway operates at the protocol layer and is built to scale horizontally. You can run multiple instances behind a load balancer to handle increased query volume without losing policy enforcement.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.
