SOC 2 for non-human identities: governing machine access end to end (on CI/CD pipelines)

When a build server stores a static API key and grants it unlimited read‑write rights across production databases, a single credential leak can expose every customer record in seconds. The financial fallout of a data breach, the loss of customer trust, and the cost of forensic investigations quickly dwarf the convenience of a hard‑coded secret. Yet many organizations still rely on that exact pattern because it is simple to script and appears to keep pipelines fast.

That convenience creates a blind spot for auditors. SOC 2 expects continuous monitoring, evidence of who accessed what, and proof that privileged actions were justified. With a shared machine identity, the logs show only that "service‑account" connected; they do not reveal which pipeline step triggered the request, whether a human approved a destructive command, or if sensitive fields were exposed. The result is a compliance gap that forces teams to produce retroactive spreadsheets instead of real‑time evidence.

The first step toward fixing the gap is to treat non‑human identities like any other user: assign them the minimum permissions needed for a single job, and require explicit approval for high‑risk operations. Even with that policy in place, the request still travels directly from the CI runner to the target system. No component in the path records the exact query, masks returned secrets, or blocks a dangerous command before it reaches the database. The gap remains because enforcement lives only in the identity layer, not in the data path.

SOC 2 evidence that accrues continuously

SOC 2’s Trust Services Criteria demand that organizations produce verifiable evidence of security controls at any point in time. Continuous evidence means that every connection, every command, and every response is captured as it happens, rather than being reconstructed later. When the control surface sits at the gateway, the system can automatically generate the logs auditors need: who initiated the session, which identity was used, which resources were accessed, and the exact data that flowed through the connection.

Why the data path matters for machine identities

Setup steps, issuing OIDC tokens, configuring service accounts, and granting least‑privilege roles, determine *who* a machine is and *what* it may attempt. Those steps are necessary, but they do not enforce policy on the traffic itself. The only place to enforce masking, command‑level approval, and session recording is the data path that carries the request to the target.

hoop.dev sits in that data path. It acts as an identity‑aware proxy that terminates the client connection, inspects the wire‑level protocol, and then forwards the request to the backend only after applying the configured guardrails. Because hoop.dev is the sole conduit, it can:

• Record every command and response for replay, giving auditors immutable proof of activity.
• Mask sensitive fields in query results, ensuring that downstream logs never contain raw secrets.
• Require just‑in‑time human approval for high‑risk operations, turning an implicit trust relationship into an explicit one.
• Block commands that match a deny list before they reach the database, reducing the blast radius of a compromised service account.

Each of those enforcement outcomes exists only because hoop.dev intercepts the traffic. Remove hoop.dev and the pipeline reverts to the original blind spot: a static credential flowing unchecked to the backend.

Mapping SOC 2 criteria to hoop.dev capabilities

Security principle – Logical and physical access controls: hoop.dev authenticates each machine identity via OIDC, then authorizes actions based on group membership. The gateway enforces least‑privilege policies at the protocol level, so a CI job can only run the statements it is explicitly allowed to.

Change management – Review of privileged actions: When a pipeline attempts a schema migration or a bulk delete, hoop.dev can pause the request and route it to an approver. The approval event, together with the original request, is logged as a single atomic record.

Risk mitigation – Monitoring and logging: Every session is streamed to a secure audit store. The logs contain timestamps, identity attributes, command text, and masked results. Auditors can query the store to prove that no unauthorized access occurred during the reporting period.

Incident response – Evidence for forensic analysis: Because hoop.dev records the full bidirectional stream, investigators can replay a compromised session to understand exactly what data was exfiltrated, if any, and which command triggered the breach.

Implementing continuous evidence for CI/CD pipelines

Begin by provisioning an OIDC provider (for example, Azure AD or Okta) and creating a dedicated service account for each pipeline stage. Assign the minimal database role required for that stage, read‑only for linting, write‑only for artifact publishing, and admin only for migration steps.

Next, deploy hoop.dev as a Docker Compose stack or on Kubernetes, following the getting‑started guide. Register each target database as a connection inside hoop.dev, and attach the corresponding service account credential to that connection. The gateway stores the credential; the pipeline never sees it.

Configure policy rules in hoop.dev’s UI or YAML files to mask columns such as password or api_key, and to require approval for any DROP or DELETE statement that affects more than a threshold of rows. When the pipeline runs, it connects to hoop.dev using the standard client (psql, mysql, etc.). hoop.dev validates the OIDC token, checks the policy, records the session, and only then forwards the request.

All of this happens without changing the pipeline code. The only addition is the endpoint address of hoop.dev, which behaves like the original database host. Because the enforcement point is external to the CI runner, the security guarantees remain even if the runner is compromised.

Benefits beyond compliance

Continuous evidence also supports internal security programs. Security operations teams can set up alerts on unusual command patterns, developers can replay a failed migration to debug issues, and compliance officers can generate SOC 2 audit reports with a single click. Because hoop.dev is open source, organizations can inspect the code that handles masking and logging, ensuring that the implementation aligns with their risk appetite.

Frequently asked questions

Do I need to modify my existing CI scripts?

No. hoop.dev presents the same network endpoint and protocol that your scripts already use. You only change the host name to point at the gateway.

How does hoop.dev protect the stored credentials?

The gateway holds the credential in memory and never writes it to disk. Access to the gateway itself is protected by OIDC authentication and role‑based authorization.

Can I use hoop.dev with multiple cloud providers?

Yes. hoop.dev supports databases, Kubernetes clusters, SSH, and HTTP services across any provider, as long as the target can be reached from the agent network.

Next steps

Start by reviewing the learn section to understand how policy rules are defined. Then clone the repository and follow the quick‑start instructions to get a gateway running in your test environment. When you are ready, integrate the gateway endpoint into your CI/CD pipelines and let hoop.dev generate the continuous SOC 2 evidence you need.

View the open‑source repository on GitHub for installation scripts, configuration examples, and contribution guidelines.