Success story: A robotics company closes the SDLC token loophole with developer-first Zero Trust

At a glance
Company: A fast-growing robotics company
Industry: Tech
Company size: Scaleup
Region: US
Stack: GitHub Enterprise, device-trust IdP, macOS + Linux endpoints
Risk closed: Leaked PAT/SSH keys blocked
Coverage: macOS + Linux + CI runners
Friction: No new steps for developers

A fast-growing robotics company protected source code and CI/CD by closing the “token loophole” in traditional device trust—using EDAMAME to continuously verify device posture on every Git interaction, without slowing developers.

“It’s night and day — we went from hoping our device checks worked to knowing our code is untouchable from anything but a secure device.”

VP Engineering

Robotics company

Challenge

A fast-growing robotics company where proprietary software is core intellectual property had invested in an identity provider with device trust and a traditional MDM. As the organization scaled, the team identified a critical gap: once developers obtained long‑lived credentials (PATs or SSH keys), those credentials could be used outside the managed environment with no ongoing device checks.

In other words: SSO and device compliance were checked at login, but Git operations do not ride on the SSO session at all. A git clone or git push authenticates with the PAT (over HTTPS) or the SSH key (over SSH), and neither path consults the identity provider's device check, so the "Zero Trust" guarantees quietly fell apart the moment work shifted to Git. A stolen token could access private repositories from an untrusted device or network.

Security challenges — closing the SDLC token loophole

  • Persistent credentials bypassing device trust: device trust protected the initial login, but PATs/SSH keys stayed valid from any machine until revoked or expired. That made credential theft a direct risk to source code and secrets.

  • MDM limitations in a diverse environment: engineers worked across macOS and Linux with a mix of corporate and BYOD devices. MDM could enforce baselines on enrolled devices, but nothing in a git clone or git push consults the MDM: a PAT or SSH key copied off an enrolled machine works identically from an unenrolled, unmonitored one.

  • Maintaining velocity and autonomy: security controls had to be invisible in daily development—fitting naturally into Git workflows and CI, without repeated prompts, VPN friction, or heavy lockdown.

Bottom line: the team needed continuous, posture-aware enforcement at the point of code access—so both identity and device posture were verified for every interaction.

Solution

After upgrading to GitHub Enterprise for advanced access controls, the company adopted EDAMAME to implement true Zero Trust across the SDLC. EDAMAME integrates with GitHub to continuously verify device posture on every code interaction, creating what the team described as a “virtual air gap” around source code—without changing developer workflows.

Dynamic allow-lists driven by posture

EDAMAME continuously evaluates device posture (patch level, baseline protections, integrity signals). When a device is in a known-good state, EDAMAME automatically authorizes it for repository access; if it falls out of compliance, access is revoked quickly.

Token-aware enforcement (closing the loophole)

Because access is continuously tied to device posture, leaked PATs/SSH keys become far less useful. Even if credentials are stolen, repository operations from an untrusted endpoint are blocked—enforcing device trust after authentication, not just at login.
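To make the loophole and its closure concrete, here is an added illustrative model (example code written for this page, not EDAMAME's or GitHub's implementation). It contrasts a gate that checks the device only when the token is issued with a gate that requires a fresh, device-signed posture attestation on every Git operation, and runs both against a stolen token, a drifted device and a replayed attestation. The token store, the per-device HMAC secret (standing in for a hardware-bound device key), the attestation format, the posture baseline and the 60-second freshness window are all assumptions made for the example.

```python
"""Illustrative model of the SDLC "token loophole" and a posture-bound gate.

Added example, not EDAMAME's or GitHub's code. Token store, device secret,
attestation format, posture baseline and freshness window are assumptions.
"""
import hashlib
import hmac
import json
from typing import Optional

FRESHNESS_SECONDS = 60  # assumed: max age of an attestation attached to a Git op

# Constructed sample data: one developer PAT, and the secret only the agent on
# the enrolled laptop holds (stand-in for a TPM/Secure Enclave-bound key).
PAT_STORE = {"ghp_examplePAT": {"user": "dev1", "device_ok_at_issue": True}}
DEVICE_SECRETS = {"laptop-dev1": b"constructed-device-secret-0001"}

# Assumed posture baseline the gate requires for a "known-good" device.
REQUIRED_POSTURE = {"os_patched": True, "disk_encrypted": True, "firewall_on": True}


def posture_compliant(signals: dict) -> bool:
    """Known-good state: every required signal is present and matches."""
    return all(signals.get(k) == v for k, v in REQUIRED_POSTURE.items())


def make_attestation(device_id: str, secret: bytes, signals: dict, now: int) -> dict:
    """What the device agent attaches to each Git operation: posture verdict,
    timestamp and a MAC over both under the device-bound secret."""
    body = {"device_id": device_id, "posture_ok": posture_compliant(signals), "ts": now}
    msg = json.dumps(body, sort_keys=True).encode()
    return {**body, "mac": hmac.new(secret, msg, hashlib.sha256).hexdigest()}


def verify_attestation(att: dict, now: int) -> bool:
    """Gate-side check: known device, untampered, fresh, and posture compliant."""
    secret = DEVICE_SECRETS.get(att.get("device_id"))
    if secret is None:
        return False  # unknown device can never be on the allow-list
    body = {k: att[k] for k in ("device_id", "posture_ok", "ts")}
    msg = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, att.get("mac", "")):
        return False  # forged by an attacker without the device key, or tampered
    if not 0 <= now - att["ts"] <= FRESHNESS_SECONDS:
        return False  # stale or replayed attestation
    return bool(att["posture_ok"])  # device drifted out of compliance -> deny


def login_time_gate(token: str, attestation: Optional[dict] = None, now: int = 0) -> bool:
    """The loophole: the device was checked when the token was issued, never again."""
    rec = PAT_STORE.get(token)
    return rec is not None and rec["device_ok_at_issue"]


def posture_bound_gate(token: str, attestation: Optional[dict], now: int) -> bool:
    """Every Git operation needs a valid token AND a fresh, compliant attestation."""
    if token not in PAT_STORE or attestation is None:
        return False
    return verify_attestation(attestation, now)


def scenarios(now: int = 1_700_000_000) -> dict:
    """Run both gates over constructed cases; returns {case: (login_time, posture_bound)}."""
    good = {"os_patched": True, "disk_encrypted": True, "firewall_on": True}
    drifted = {**good, "os_patched": False}
    secret = DEVICE_SECRETS["laptop-dev1"]
    fresh = make_attestation("laptop-dev1", secret, good, now)
    stale = make_attestation("laptop-dev1", secret, good, now - 3600)
    drifted_att = make_attestation("laptop-dev1", secret, drifted, now)
    # Attacker holding the stolen PAT but not the device key can only forge a MAC.
    forged = make_attestation("laptop-dev1", b"attacker-guess", good, now)
    cases = {
        "compliant device": ("ghp_examplePAT", fresh),
        "stolen PAT, forged attestation": ("ghp_examplePAT", forged),
        "stolen PAT, no attestation": ("ghp_examplePAT", None),
        "device fell out of compliance": ("ghp_examplePAT", drifted_att),
        "replayed old attestation": ("ghp_examplePAT", stale),
    }
    return {name: (login_time_gate(tok, att, now), posture_bound_gate(tok, att, now))
            for name, (tok, att) in cases.items()}


if __name__ == "__main__":
    for name, (old, new) in scenarios().items():
        verdict = lambda ok: "allow" if ok else "deny"
        print(f"{name:32} login-time gate: {verdict(old):5}  posture-bound gate: {verdict(new)}")
```

The login-time gate allows every case, including the stolen token replayed from an attacker's machine, which is exactly the gap the team found. The posture-bound gate allows only the compliant enrolled device, and denies a forged or missing attestation, a device that has drifted out of baseline, and a replayed attestation older than the freshness window. In a real deployment the MAC would be a signature under a hardware-bound key and the freshness check would also cover clock skew; both are simplified here.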

Lightweight agent, BYOD-friendly

Developers keep full control of their machines and tools on macOS and Linux. EDAMAME’s posture attestation is lightweight and privacy-friendly—extending protection to contractors and BYOD without requiring invasive MDM profiles.

CI/CD coverage

The company extended the same posture requirements to CI runners. Only compliant runners can retrieve code and secrets during builds, preventing misconfigured or compromised CI jobs from becoming a backdoor.

Results

Closed a critical security gap

The company sealed the SDLC token loophole: source code and secrets are accessible only from trusted, compliant endpoints. Stolen tokens become dramatically less valuable when the device gate remains enforced on every Git operation.

Preserved developer agility

Engineers kept their preferred tools on macOS and Linux with no new day-to-day steps. Controls operate as an always-on safety net—no extra VPN workflow and no repeated MFA prompts for Git operations.

Stronger compliance and customer confidence

With unified posture enforcement and access evidence, the company can demonstrate to customers and auditors that only trusted devices touch source code and build infrastructure—turning a complex assurance problem into a continuously verified signal.

“IP protection is paramount; EDAMAME creates a virtual air gap around our code and secrets.”

Want to see EDAMAME on your environment?

We’ll help you validate posture-based access controls for repos, CI runners, and internal apps in days — not months.