PingOne Privilege

Agent commit tracking

A Git Server is a system used to host and manage Git repositories, allowing teams to collaborate on code and track changes effectively.

Protecting a sensitive Git server means placing just-in-time, least-privilege access with full session visibility and control in front of it. PingOne Privilege meets this need by acting as an in-line security gateway: Git traffic from users and AI agents passes through it, so each operation can be authorized, credentialed, and logged.

You can use PingOne Privilege to:

  • Enforce time-bound privileged access to Git.

  • Insert the credentials that Git servers need.

  • Audit and review Git activity.

  • Apply fine-grained access control at the level of individual tools, prompts, and resources.

Goals

When you complete this tutorial, you’ll know:

  • How to use PingOne Privilege to front Git servers for AI-driven access.

  • How to configure Git integration so AI agents authenticate with SSH certificates issued by the PingOne Privilege certificate authority (CA) and their commits are attributable to a mapped user.

  • How to use Session Logs and Activity Logs to audit Git access.

Preparation

Before getting started, complete the preparation tasks in this section.

Preparation task 1: Environment and access

Ensure that:

  1. You have a PingOne tenant with the PingOne Privilege service added.

  2. You can access the PingOne Privilege admin console as an administrator.

Preparation task 2: Git providers

For Git integration, you’ll need one of the following:

  • A GitHub Enterprise organization where you are an organization admin, so you can:

    • Manage SSH certificate authorities under Settings > Security > SSH and GPG keys > SSH certificate authorities.

  • A GitLab SaaS group where you can:

    • Generate a Personal Access Token (PAT) with the api scope.

    • Call the Group SSH certificates REST API, which registers a CA public key with the group:

      curl --request POST \
        --header "PRIVATE-TOKEN: <YOUR_PRIVATE_TOKEN>" \
        --data-urlencode "title=Procyon-CA" \
        --data-urlencode "key=<YOUR_PRIVILEGE_SSH_CA_KEY>" \
        --url "https://gitlab.com/api/v4/groups/<YOUR_GROUP_PATH>/ssh_certificates"

You’ll use these permissions to register the PingOne Privilege SSH CA public key with your Git provider, so that the time-bound SSH certificates PingOne Privilege mints for AI agents are accepted.

Configure Git integration for AI agent commit tracking

This task configures GitHub or GitLab to trust PingOne Privilege’s SSH CA and sets up a Git Server application in PingOne Privilege.

Step 1: Create a Git Server application in PingOne Privilege

  1. In the PingOne Privilege admin console, go to Targets > Agentic Apps.

  2. Click Add Application.

  3. Select Git Server as the application type.

  4. Configure the application:

    • Name: Choose a recognizable internal name.

    • Type: Choose GitHub or GitLab.

    • Leave advanced options at default values unless you have specific internal requirements.

  5. Save the application.

This application represents Git access mediated by PingOne Privilege. Authentication uses certificates issued by the PingOne Privilege SSH CA instead of user-managed private keys, so no long-lived key has to be stored with the AI agent.

Step 2: Trust PingOne Privilege SSH CA in GitHub

  1. In the PingOne Privilege admin console, go to Targets > Agentic Apps.

  2. In the Git Server app you created, copy the SSH CA public key.

  3. In your GitHub Enterprise organization settings:

    1. Go to the SSH certificate authorities section (the location noted in Preparation task 2).

    2. Click New CA.

    3. Paste the public key into the Key field.

    4. Click Add CA.

GitHub now accepts SSH certificates signed by PingOne Privilege for repositories in this organization. Register the key as a certificate authority, not as a personal SSH key under your own account: a personal key would grant repository access to whoever holds the matching private key and would not make certificates trusted. GitHub checks that the principal in each certificate is the GitHub username of the user it was issued for, which is why the user mapping in Step 4 must match the provider username exactly.

Step 3: Trust PingOne Privilege SSH CA in GitLab SaaS

  1. In the PingOne Privilege admin console, go to Targets > Agentic Apps.

  2. In the Git Server app you created, copy the SSH CA public key.

  3. In GitLab SaaS, create a Personal Access Token (PAT) with the api scope.

  4. Use the Group SSH certificates API to register the CA:

    curl --request POST \
        --header "PRIVATE-TOKEN: <YOUR_PRIVATE_TOKEN>" \
        --data-urlencode "title=Procyon-CA" \
        --data-urlencode "key=<YOUR_PRIVILEGE_SSH_CA_KEY>" \
        --url "https://gitlab.com/api/v4/groups/<YOUR_GROUP_PATH>/ssh_certificates"

    Replace <YOUR_GROUP_PATH> with your group path and <YOUR_PRIVILEGE_SSH_CA_KEY> with the SSH public key you copied from PingOne Privilege. Both values must be URL-encoded: the key contains spaces and the characters +, / and =, which --data-urlencode escapes for you, and a group path that includes subgroups must have each / written as %2F. GitLab answers with a JSON object containing the id and title of the new certificate authority; a GET to the same URL lists the group's registered CAs if you want to confirm the key is present.
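The same registration done from Python, as an added example for this tutorial rather than PingOne Privilege or GitLab code. It lists the group's existing CAs first so re-running it is safe, URL-encodes the group path and key material, and compares keys on type and blob only so a CA registered under another title is still recognized. The group path, token, and CA key line are constructed placeholders; the endpoints are GitLab's documented Group SSH certificates API.

```python
"""Register the PingOne Privilege SSH CA public key with a GitLab group.
Added example, standard library only. Endpoints used:
  GET  /groups/:id/ssh_certificates              list registered CAs
  POST /groups/:id/ssh_certificates (key, title) add one
"""
import base64
import json
import struct
import urllib.parse
import urllib.request

GITLAB_API = "https://gitlab.com/api/v4"


def ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def constructed_ca_public_key(comment: str = "pingone-privilege-ca") -> str:
    """A syntactically valid ssh-ed25519 public key line. The 32-byte point is a
    constructed placeholder, not a real CA; copy the real line from the Git Server app."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def key_material(openssh_key: str) -> str:
    """'type blob' without the trailing comment, so one CA compares equal
    whatever label it was given when it was registered."""
    parts = openssh_key.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    return f"{parts[0]} {parts[1]}"


def _group_url(group_path: str) -> str:
    # The :id path segment must be URL-encoded: "org/subgroup" -> "org%2Fsubgroup".
    return f"{GITLAB_API}/groups/{urllib.parse.quote(group_path, safe='')}/ssh_certificates"


def build_list_request(group_path: str, token: str) -> urllib.request.Request:
    return urllib.request.Request(_group_url(group_path), method="GET",
                                  headers={"PRIVATE-TOKEN": token})


def build_register_request(group_path: str, ca_key: str, token: str,
                           title: str = "Procyon-CA") -> urllib.request.Request:
    # Form-encode key and title: urlencode escapes the spaces, '+', '/' and '='
    # in the key line, which a hand-built query string would corrupt.
    body = urllib.parse.urlencode({"title": title, "key": ca_key}).encode()
    return urllib.request.Request(
        _group_url(group_path), data=body, method="POST",
        headers={"PRIVATE-TOKEN": token,
                 "Content-Type": "application/x-www-form-urlencoded"})


def _fetch_json(req: urllib.request.Request):
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def ensure_ca_registered(group_path: str, ca_key: str, token: str,
                         title: str = "Procyon-CA", fetch=_fetch_json):
    """Register the CA exactly once. Returns ("exists", id) when the same key
    material is already trusted by the group, otherwise ("created", id)."""
    wanted = key_material(ca_key)
    for entry in fetch(build_list_request(group_path, token)):
        if key_material(entry["key"]) == wanted:
            return "exists", entry["id"]
    created = fetch(build_register_request(group_path, ca_key, token, title))
    return "created", created["id"]


if __name__ == "__main__":
    import os
    import sys
    ca_key_line = open(sys.argv[2]).read().strip()   # file holding the copied CA public key
    print(ensure_ca_registered(sys.argv[1], ca_key_line, os.environ["GITLAB_TOKEN"]))
```

The fetch callable is injected so the logic can be exercised against canned responses without a token; in production the default urllib fetch is used and the PAT comes from the environment rather than the command line.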

Step 4: Configure Git policies for users and AI agents

  1. In the PingOne Privilege admin console, go to Targets > Agentic Apps.

  2. In the Active Applications tab, click More Info on your Git Server application.

  3. Create or edit a policy and configure:

    • User mapping:

      • For each user, specify their GitHub or GitLab username.

      • The username must match exactly what is configured in the Git provider.

    • Time-bound access:

      • Configure how long an approval or session remains valid.

    • Optional: AI push blocking

      • If required by your security model, enable the option to block code pushes for AI agents.

  4. Save the policy.

Git access through this application is now governed by these policy decisions: a user or AI agent is issued a certificate only while a matching policy allows it, the certificate is issued for the mapped provider username, and access ends when the configured time bound is reached.

Validation

To confirm the integration:

  1. In the PingOne Privilege admin console, go to Targets > Agentic Apps.

  2. In the Active Applications tab, click More Info on your Git Server application.

  3. Open the Agent Resources tab.

  4. Copy the generated git clone command for GitHub or GitLab.

  5. Adjust the command to reference the target organization or group and repository.

  6. Paste and run the command in an AI agent terminal.

  7. Verify that:

    • The clone succeeds when a matching policy exists.

    • If no policy exists, the request is denied and logged, prompting policy creation.

  8. Perform a small test change and push from the AI agent terminal.

  9. In your Git provider’s commit user interface, verify that:

    • The commit is associated with the correct user.

    • The commit can be identified as coming from the AI agent flow based on your configured conventions.

  10. In the PingOne Privilege admin console:

    1. Go to Activity > Activity Logs.

    2. Filter by User and Event Time to see individual Git operations.