Putting access controls around GitHub Copilot: production access for AI coding agents (on BigQuery)

How can you let GitHub Copilot suggest code while still enforcing production access to your BigQuery data?

Many organizations treat the AI coding assistant as just another client. They hand a static service account key or a long‑lived token to the Copilot integration so it can run queries against a production BigQuery warehouse. The result is a direct, unrestricted pipeline: the agent talks straight to the data store, bypasses any review step, and leaves no trace of what was asked or returned. If a prompt accidentally includes a private customer identifier, that value is streamed back to the model and could be cached, shared, or even logged by the provider.

Moving to short‑lived OIDC tokens and scoping the service account to only the required datasets feels like an improvement. The token is issued just‑in‑time, and the principle of least privilege is enforced at the identity layer. However, the request still travels unmediated to BigQuery. There is no place to inspect the SQL, no opportunity to mask columns that contain PII, no audit log that ties a specific engineer’s identity to the exact query text, and no workflow to pause a potentially dangerous operation for human approval. In short, the core problem, controlling production access, remains unsolved.

Why the data path must be the enforcement point

The only reliable way to guarantee that every production access request obeys policy is to place the guardrails on the traffic itself. That means a gateway that sits between the Copilot agent and BigQuery, examines each SQL statement, and applies the organization’s rules before the statement reaches the warehouse. The gateway becomes the single source of truth for who did what, when, and under what conditions.

When the gateway sits at Layer 7, it can:

• Require a just‑in‑time approval for queries that touch high‑risk tables.
• Mask or redact sensitive columns (for example, Social Security numbers) in real time, ensuring the AI never sees raw values.
• Record the full session, including the original prompt, the generated SQL, and the result set, so it can be replayed for audits.
• Block statements that match a blacklist, such as DROP TABLE or DELETE FROM without a WHERE clause.

All of these outcomes are possible only because the gateway controls the data path. Identity verification and token issuance (the setup) decide who may start a request, but they do not enforce the fine‑grained rules that protect production data.

How hoop.dev implements production access controls for Copilot

hoop.dev is an open‑source Layer 7 gateway that sits exactly where the enforcement must happen. The flow looks like this:

1. A developer triggers a Copilot suggestion that requires a query against BigQuery.
2. The Copilot agent authenticates to hoop.dev using the organization’s OIDC provider (Okta, Azure AD, Google Workspace, etc.). hoop.dev validates the token and extracts group membership.
3. Based on the identity and the requested operation, hoop.dev evaluates the policy engine. If the query touches a protected dataset, an approval step is injected. A designated reviewer receives a notification and can grant or deny the request.
4. Before the query reaches BigQuery, hoop.dev applies any configured inline masking rules, ensuring that columns marked as sensitive are replaced with placeholder values.
5. The query is forwarded to BigQuery using a credential that lives only inside the gateway. The Copilot agent never sees the credential.
6. hoop.dev records the entire session, identity, original prompt, transformed SQL, result set, and any approval decisions. The record can be replayed later for compliance reviews.

Because hoop.dev is the only component that can see and modify the traffic, every production access control, just‑in‑time approval, masking, blocking, and logging, originates from hoop.dev. Removing hoop.dev would return the system to the original state where the Copilot agent talks directly to BigQuery with no guardrails.

Getting started

To protect production access for AI coding agents, start by deploying the gateway in the same network segment as your BigQuery instance. The quick‑start guide walks you through a Docker Compose deployment that includes OIDC authentication, masking configuration, and policy definition. Detailed instructions for Kubernetes or AWS deployments are also available.

Once the gateway is running, register your BigQuery connection in hoop.dev, define the columns that must be masked, and configure the approval workflow for high‑risk datasets. The getting‑started documentation provides step‑by‑step guidance, and the learn section dives deeper into policy language, masking rules, and session replay.

FAQ

Does hoop.dev store my production credentials?
No. The gateway holds the credential only in memory while forwarding the request. The Copilot agent never receives or stores the secret.

Can I keep using my existing OIDC identity provider?
Yes. hoop.dev acts as a relying party, verifying tokens from any compliant OIDC or SAML provider and using group claims to drive policy decisions.

How does inline masking work for BigQuery?
You define a masking rule that maps a column name to a placeholder pattern. When a query returns rows, hoop.dev replaces the raw column values with the placeholder before the data reaches the Copilot agent, ensuring that the AI never sees the original PII.

Take the next step

Ready to enforce production access for GitHub Copilot in a way that can be audited, approved, and masked on every request? Explore the open‑source repository on GitHub to clone the code, contribute improvements, and see the full set of features in action.