
Putting access controls around GitHub Copilot: database access for AI coding agents (on Postgres)


Giving an AI coding assistant unrestricted database access is a recipe for data leakage.

Teams often grant GitHub Copilot a static credential that can connect directly to a Postgres instance. The credential lives in CI pipelines, in developer machines, and sometimes even in the Copilot configuration itself. Because the connection bypasses any runtime guard, every query, whether generated by a typo, a hallucination, or a malicious prompt, executes with full privileges. No audit trail is kept, no sensitive columns are hidden, and no human ever sees the request before it runs.

Even when an organization uses service accounts or short‑lived tokens, the connection still goes straight to the database. The identity system decides which agent may start the session, but the database sees only a network socket. Without a control point on the data path, policy enforcement is impossible.

Why database access needs a dedicated gateway

Database access for AI agents must be observable and enforceable at the point where the query leaves the agent and reaches the server. Only a gateway that sits between the two can inspect the wire protocol, apply masking rules, require approvals, and capture a replayable record. The gateway also isolates the credential from the agent, ensuring the AI never sees the secret used to authenticate.

Common mistakes to avoid when granting GitHub Copilot database access

  • Hard‑coding credentials. Embedding a password or key in the Copilot prompt or in CI configuration creates a permanent backdoor.
  • Relying on network segmentation alone. Firewalls cannot distinguish a legitimate developer query from a generated one.
  • Skipping audit logging. Without a record, you cannot prove who asked for which data, violating compliance and forensic needs.
  • Not masking sensitive columns. Columns such as SSNs or API keys are returned in clear text to the AI, which may then store them elsewhere.
  • Granting broad roles. Giving the AI super‑user rights amplifies the impact of any erroneous or malicious query.

Enforcing database access with hoop.dev

hoop.dev provides the required control surface. First, an identity provider (Okta, Azure AD, Google Workspace, etc.) issues an OIDC token for the Copilot service account. The token proves who is requesting access, but the token alone does not grant any database privileges.

Next, hoop.dev is deployed as a Layer 7 gateway inside the same network as the Postgres server. The gateway holds the actual database credential, so the AI never sees it. Every request from Copilot passes through hoop.dev before reaching the database.

hoop.dev records each session. The gateway writes a replayable log that captures the full query, the responding rows, and the identity that initiated the request. This log satisfies forensic and compliance needs without requiring changes to the database.

hoop.dev masks sensitive data in real time. When a query returns columns marked as sensitive, the gateway replaces the values with placeholders before they reach the AI, preventing accidental exfiltration.


hoop.dev blocks dangerous commands. Statements that attempt to drop tables, alter schemas, or run arbitrary code are intercepted and rejected, protecting the database from destructive actions.

hoop.dev routes high‑risk queries for human approval. If a query touches a restricted schema or exceeds a defined cost threshold, the gateway pauses execution and presents an approval request to a designated reviewer. Only after explicit consent does the query proceed.

All of these enforcement outcomes exist because hoop.dev sits in the data path; the identity system alone cannot provide them.

Just‑in‑time approvals

When an AI‑generated query matches a policy rule, hoop.dev creates a temporary approval workflow. The request is held until a human reviewer validates the intent, then the gateway forwards the query to Postgres.

Inline data masking

Administrators declare which columns are sensitive in the gateway configuration. hoop.dev strips those values from the response stream, ensuring the AI only sees masked placeholders.

Session recording and replay

Every interaction is stored in a log that can be replayed for audit, debugging, or incident response. The log includes the original query, the masked result, and the approving user (if any).
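As an added illustration of the control points described in the enforcement section above and in the three subsections on just-in-time approvals, inline masking and session recording, here is a toy policy gateway in Python. It is not hoop.dev's code and does not use its configuration format: the frame decoder handles only the Postgres simple Query ('Q') message, the statement classifier is a leading-keyword check rather than a SQL parser, `fake_postgres` is a constructed stand-in for the database, and the policy values (the `hr` schema, the `ssn` and `api_key` columns, the `copilot-svc` identity and the `dba@example.com` approver) are invented for the demo.

```python
import re
import struct
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# ---- Wire protocol: Postgres frontend simple Query message -------------
# Layout: 'Q' | int32 length (counts itself, not the tag) | SQL text | NUL
def encode_simple_query(sql: str) -> bytes:
    body = sql.encode("utf-8") + b"\x00"
    return b"Q" + struct.pack("!I", len(body) + 4) + body

def decode_simple_query(frame: bytes) -> str:
    """Extract the SQL text the client sent; reject anything malformed."""
    if len(frame) < 6 or frame[0:1] != b"Q":
        raise ValueError("not a simple Query message")
    (length,) = struct.unpack("!I", frame[1:5])
    if length != len(frame) - 1:
        raise ValueError("length field does not match frame size")
    if frame[-1:] != b"\x00":
        raise ValueError("query text is not NUL-terminated")
    return frame[5:-1].decode("utf-8")

# ---- Policy: what is blocked, what needs a human, what is masked --------
@dataclass
class Policy:
    sensitive_columns: frozenset     # masked in every response
    restricted_schemas: frozenset    # touching these requires an approver
    blocked_statements: frozenset = frozenset(
        {"DROP", "ALTER", "TRUNCATE", "DO", "GRANT", "COPY"})

def _strip_comments(sql: str) -> str:
    return re.sub(r"--[^\n]*|/\*.*?\*/", " ", sql, flags=re.S)

def evaluate(sql: str, policy: Policy) -> Tuple[str, str]:
    """Return (action, reason); action is 'block', 'approve' or 'allow'."""
    cleaned = _strip_comments(sql)
    for stmt in cleaned.split(";"):          # toy splitter: no string literals
        stmt = stmt.strip()
        if not stmt:
            continue
        keyword = stmt.split(None, 1)[0].upper()
        if keyword in policy.blocked_statements:
            return "block", f"{keyword} statements are rejected by policy"
    for schema in policy.restricted_schemas:
        if re.search(rf"\b{re.escape(schema)}\.", cleaned, re.I):
            return "approve", f"query touches restricted schema {schema}"
    return "allow", "no policy rule matched"

def mask_rows(columns: List[str], rows: List[tuple], sensitive: frozenset) -> List[tuple]:
    """Replace values of sensitive columns before they reach the client."""
    hidden = [c.lower() in sensitive for c in columns]
    return [tuple("***MASKED***" if h else v for v, h in zip(row, hidden)) for row in rows]

# ---- Gateway: holds the credential, enforces policy, records sessions --
@dataclass
class Gateway:
    policy: Policy
    upstream: Callable[[str], Tuple[List[str], List[tuple]]]  # runs SQL with the gateway's own credential
    audit: list = field(default_factory=list)               # replayable session log

    def handle(self, identity: str, frame: bytes, approver: Optional[str] = None) -> dict:
        sql = decode_simple_query(frame)
        action, reason = evaluate(sql, self.policy)
        entry = {"identity": identity, "sql": sql, "decision": action,
                 "reason": reason, "approver": approver, "result": None}
        if action == "block":
            self.audit.append(entry)
            return {"status": "error", "message": reason}   # no data in the error
        if action == "approve" and approver is None:
            entry["decision"] = "pending"                    # held until a human consents
            self.audit.append(entry)
            return {"status": "pending", "message": reason}
        columns, rows = self.upstream(sql)
        masked = mask_rows(columns, rows, self.policy.sensitive_columns)
        entry["result"] = masked                             # log stores the masked result only
        self.audit.append(entry)
        return {"status": "ok", "columns": columns, "rows": masked}

# Constructed stand-in for Postgres: returns the same two rows for any query.
def fake_postgres(sql: str) -> Tuple[List[str], List[tuple]]:
    columns = ["id", "email", "ssn", "api_key"]
    rows = [(1, "ana@example.com", "123-45-6789", "sk_live_constructed1"),
            (2, "bo@example.com", "987-65-4321", "sk_live_constructed2")]
    return columns, rows

def build_demo_gateway() -> Gateway:
    policy = Policy(sensitive_columns=frozenset({"ssn", "api_key"}),
                    restricted_schemas=frozenset({"hr"}))
    return Gateway(policy=policy, upstream=fake_postgres)

if __name__ == "__main__":
    gw = build_demo_gateway()
    for sql in ["SELECT id, email, ssn FROM public.users",
                "DROP TABLE public.users",
                "SELECT * FROM hr.salaries"]:
        print(sql, "->", gw.handle("copilot-svc", encode_simple_query(sql))["status"])
    approved = gw.handle("copilot-svc", encode_simple_query("SELECT * FROM hr.salaries"),
                         approver="dba@example.com")
    print("after approval ->", approved["status"], approved["rows"][0])
```

The three outcomes the text describes map onto the return values: a destructive statement produces an error carrying only the policy reason, a query against the restricted schema stays `pending` until `handle` is called again with an approver, and an allowed query returns rows with the sensitive columns already replaced, while `audit` keeps the identity, the query, the decision, the approver and the masked result for every call.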

Getting started

To protect GitHub Copilot’s database access, begin with the getting‑started guide. It walks you through deploying the gateway, configuring OIDC, and registering a Postgres connection. All configuration details are documented in the learn portal, and the full source code is available on GitHub.

Explore the hoop.dev repository for installation scripts, Helm charts, and contribution guidelines.

FAQ

Does hoop.dev replace the existing database authentication?

No. The gateway holds the credential and presents it to Postgres on behalf of the AI service. The database continues to enforce its own authentication and authorization policies.

Can I use hoop.dev with other AI assistants?

Yes. The architecture is agnostic to the client. Any service that can present an OIDC token and speak the underlying protocol (Postgres in this case) can be protected by the same gateway.

What happens if a query is blocked?

hoop.dev returns an error to the client indicating the policy violation. The error contains no sensitive data and can be logged for later analysis.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.
