Use Cases/DevOps Agents

The agent ran terraform destroy on production. Then it lied about it.

Coding agents and infrastructure tools have shell access, file system control, and deployment permissions. Veto intercepts every tool call before execution — blocking destructive commands, restricting file access, and requiring human approval for production changes.

Shell command filtering · Deployment approvals · Infrastructure protection

Two production databases deleted by AI agents in 2025

In July 2025, Replit's AI agent deleted a production database during an active code freeze, wiping data for 1,200+ executives and 1,190 companies. When questioned, the agent admitted to running unauthorized commands, then fabricated 4,000 fake records to cover its tracks. Separately, Claude Code ran terraform destroy on DataTalks.Club's production infrastructure, deleting VPC, RDS, ECS, load balancers, and 2.5 years of student submissions. The common thread: AI agents execute commands without understanding blast radius.

Risks in DevOps AI agents

Coding agents and infrastructure automation tools have broad access to critical systems. A study found that 29.5% of Python and 24.2% of JavaScript snippets generated by GitHub Copilot contained security weaknesses spanning 43 CWE categories. When these agents also have shell access and deployment permissions, the blast radius of a single mistake is catastrophic. 80% of organizations deploying AI agents have encountered risky or unexpected behavior.

Destructive commands

rm -rf, terraform destroy, DROP TABLE, kubectl delete — agents execute these without the hesitation a human engineer would have.

Infrastructure damage

Uncontrolled modifications to cloud resources, Kubernetes deployments, and database schemas. One Terraform mishap destroyed an entire production stack.

Secret exposure

Agents can read .env files, access SSH keys, and expose credentials in logs. Copilot has been shown susceptible to secret leakage via targeted prompts.

Shell command policies

Block destructive patterns, allow safe operations, and require approval for sensitive commands. These policies would have prevented both the Replit and DataTalks.Club incidents.

veto/policies/devops.yaml (yaml)
policies:
  # Block destructive commands entirely
  - name: "Block destructive shell commands"
    match:
      tool: "shell_exec"
      arguments:
        command: "(rm -rf|dd if=|mkfs|> /dev/sd).*"
    action: deny
    response:
      error: "Destructive commands are not permitted"

  # Block remote script execution
  - name: "Block curl pipe to bash"
    match:
      tool: "shell_exec"
      arguments:
        # Single quotes keep the backslash literal; "\|" is not a valid escape in a YAML double-quoted string
        command: '(curl|wget).*\|.*(bash|sh)'
    action: deny
    response:
      error: "Remote script execution is blocked"

  # Block infrastructure destruction
  - name: "Block terraform destroy"
    match:
      tool: "shell_exec"
      arguments:
        command: "terraform destroy.*"
    action: deny
    response:
      error: "terraform destroy requires manual execution"

  # Require approval for production deployments
  - name: "Approve production deployments"
    match:
      tool: "shell_exec"
      arguments:
        command: "(kubectl apply|terraform apply|helm upgrade|sam deploy).*"
    action: require_approval
    approval:
      timeout_minutes: 30
      channels: [slack]
      reason: "Production deployment requires human approval"

  # Require approval for sudo commands
  - name: "Approve sudo commands"
    match:
      tool: "shell_exec"
      arguments:
        command: "^sudo .*"
    action: require_approval
    approval:
      timeout_minutes: 15
      channels: [slack]

  # Allow safe read operations
  - name: "Allow read operations"
    match:
      tool: "shell_exec"
      arguments:
        command: "^(ls|cat|grep|find|head|tail|echo|pwd|which|env) .*"
    action: allow

File path restrictions

Control which files agents can read, write, and delete. Protect sensitive configurations, credentials, and production configs from unauthorized modification.

veto/policies/files.yaml (yaml)
policies:
  # Block access to system and credential directories
  - name: "Protect system paths"
    match:
      tool: ["read_file", "write_file", "delete_file"]
      arguments:
        # Single-quoted so that "\." stays a regex escape rather than an invalid YAML escape
        path: '^(/etc/|/root/|.*\.ssh/|.*\.aws/).*'
    action: deny
    response:
      error: "Access to system paths is not permitted"

  # Block environment file modifications
  - name: "Protect environment files"
    match:
      tool: ["write_file", "delete_file"]
      arguments:
        path: '.*\.env(\..*)?$'
    action: deny
    response:
      error: "Environment file modifications require manual review"

  # Require approval for production configs
  - name: "Approve production config changes"
    match:
      tool: "write_file"
      arguments:
        path: '.*(prod|production).*\.(yaml|yml|json|toml)$'
    action: require_approval
    approval:
      timeout_minutes: 30
      channels: [slack, email]

  # Allow project directory operations
  - name: "Allow workspace access"
    match:
      tool: ["read_file", "write_file"]
      arguments:
        path: "^/workspace/.*"
    action: allow
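To show how the shell and file policies above behave when evaluated as a first-match rule list, here is an added example that is not Veto's code: a minimal evaluator over a constructed subset of the page's policies (held as Python dicts rather than YAML so it runs without extra packages). Regex matching is assumed to be an unanchored search, which is why rule order matters: it also demonstrates that moving the read-only allow rule above the deny rules lets a chained command through.

```python
import re

# Constructed subset of the devops.yaml and files.yaml policies on this page.
# First match wins, so every deny rule sits above the allow rules.
POLICIES = [
    {"name": "Block destructive shell commands", "tool": "shell_exec", "arg": "command",
     "pattern": r"(rm -rf|dd if=|mkfs|> /dev/sd).*", "action": "deny"},
    {"name": "Block curl pipe to bash", "tool": "shell_exec", "arg": "command",
     "pattern": r"(curl|wget).*\|.*(bash|sh)", "action": "deny"},
    {"name": "Block terraform destroy", "tool": "shell_exec", "arg": "command",
     "pattern": r"terraform destroy.*", "action": "deny"},
    {"name": "Approve production deployments", "tool": "shell_exec", "arg": "command",
     "pattern": r"(kubectl apply|terraform apply|helm upgrade|sam deploy).*",
     "action": "require_approval"},
    {"name": "Protect system paths", "tool": ["read_file", "write_file", "delete_file"],
     "arg": "path", "pattern": r"^(/etc/|/root/|.*\.ssh/|.*\.aws/).*", "action": "deny"},
    {"name": "Allow read operations", "tool": "shell_exec", "arg": "command",
     "pattern": r"^(ls|cat|grep|find|head|tail|echo|pwd|which|env) .*", "action": "allow"},
    {"name": "Allow workspace access", "tool": ["read_file", "write_file"], "arg": "path",
     "pattern": r"^/workspace/.*", "action": "allow"},
]


def evaluate(tool, arguments, policies=POLICIES, default="deny"):
    """Return (action, policy_name) for the first policy whose tool and argument regex match.
    A tool call no policy covers falls to the default; for an agent gateway that should be deny."""
    for policy in policies:
        tools = policy["tool"] if isinstance(policy["tool"], list) else [policy["tool"]]
        if tool not in tools:
            continue
        value = arguments.get(policy["arg"], "")
        if re.search(policy["pattern"], value):  # assumed: unanchored search over the full string
            return policy["action"], policy["name"]
    return default, "default"


def allow_first_result(command):
    """Caveat check: with the read-only allow rule evaluated first, a chained command that starts
    with an allowed verb is approved before the rm -rf deny rule is ever consulted."""
    allow = [p for p in POLICIES if p["name"] == "Allow read operations"]
    rest = [p for p in POLICIES if p["name"] != "Allow read operations"]
    return evaluate("shell_exec", {"command": command}, allow + rest)


if __name__ == "__main__":
    for call in [("shell_exec", {"command": "terraform destroy -auto-approve"}),
                 ("shell_exec", {"command": "cat README.md; rm -rf /"}),
                 ("read_file", {"path": "/workspace/.ssh/id_rsa"})]:
        print(call, "->", evaluate(*call))
    print("allow-first ordering:", allow_first_result("cat README.md; rm -rf /"))
```

Note that `terraform plan` reaches no rule and so is denied by default; as the FAQ below says, each command you want to permit needs its own allow policy.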

Real-world DevOps scenarios

Shell command filtering

Intercept all shell_exec tool calls and validate against your allowlist. Block dangerous patterns like recursive deletes, remote script execution, and privilege escalation. The Replit agent ran unauthorized commands during a code freeze — this policy prevents that.

Examples: rm -rf, curl | bash, sudo, chmod 777

Infrastructure change approval

Require human approval for production deployments. Claude Code's terraform destroy on DataTalks.Club obliterated VPC, RDS, ECS, and 1.94M database rows. A single approval policy would have caught this before execution.

Examples: kubectl apply, terraform apply, helm upgrade, sam deploy

Container and cloud operations

Control Docker and Kubernetes operations. Block privileged container creation, prevent host path mounts, and restrict image pulls to approved registries. Cloudflare's November 2025 outage was caused by an automated configuration change that propagated globally — the same type of uncontrolled change that coding agents make routinely.

Examples: --privileged, --network host, docker exec, kubectl delete

Secret and credential protection

Block operations on .env files, SSH keys, and AWS credential files. An Alibaba Cloud incident in 2025 showed an autonomous AI agent establishing reverse SSH tunnels and diverting GPU resources for unauthorized crypto mining — all from a coding assistant with too much access.

Examples: .env, ~/.ssh/*, ~/.aws/*, prod.yaml

Common DevOps agent policies

Git branch protection

Block pushes to main/master branches. Require pull requests for all production changes. Prevent force pushes and history rewrites on protected branches.

Cloud resource guardrails

Block deletion of cloud resources. Require approval for creating expensive instances. Restrict modifications to networking and IAM configurations.

Database change control

Block DROP and TRUNCATE. Require approval for schema migrations. Log all database modifications. This would have prevented the Replit database deletion entirely.

Secret management

Block operations on credential files. Prevent secret exposure in logs. Require approval for adding or modifying API keys and tokens.

Works with every coding agent

Cursor
Claude Code
GitHub Copilot
Aider
Cline
Replit
Devin
Windsurf

Frequently asked questions

Would Veto have prevented the Replit database deletion?
Yes. A policy blocking destructive database commands (DROP, DELETE, TRUNCATE) and requiring approval for any schema-modifying operation would have intercepted the unauthorized commands before execution. The agent admitted to running commands that violated its code freeze instructions — Veto enforces these constraints at the tool-call level, where the agent cannot override them regardless of its reasoning.
How do coding agent guardrails work with MCP tools?
Veto's MCP gateway provides authorization for all Model Context Protocol tool calls. This includes file system operations, shell commands, and custom tools exposed through MCP servers. Configure policies once and they apply across all MCP-connected clients — Cursor, Claude Code, Cline, and any other MCP-compatible tool.
Can I block terraform destroy but allow terraform plan?
Yes. Policies match on the full command string with regex support. You can deny terraform destroy and terraform apply while allowing terraform plan, terraform fmt, and terraform validate. Each command pattern gets its own policy with its own action (allow, deny, or require_approval).
How do deployment approval workflows work?
When an agent attempts a deployment command, Veto pauses execution and sends a notification to configured channels (Slack, email). Reviewers see the full command, working directory, and agent context. They approve or deny from their dashboard. Approved commands execute; denied ones return an error to the agent. Timeouts are configurable per policy.
Do guardrails affect developer productivity?
Read operations (ls, cat, grep, etc.) are auto-approved with no perceptible delay. Only destructive or sensitive operations trigger policies. Most teams configure policies that block the dangerous 5% of commands while allowing the productive 95% to proceed instantly. Policy evaluation is under 10ms.

Your coding agent has root access.

The Replit incident cost weeks of recovery. A Veto policy takes minutes to configure.