- Source: GL_Instance, GL_Group, GL_Project, GL_PipelineSchedule
- Destination: GL_InstanceVariable, GL_GroupVariable, GL_ProjectVariable, GL_PipelineVariable, GL_SecureFile
The traversable GL_Defines edge connects a scope owner to its CI/CD variables and secure files. The source node determines the scope at which the variable or file is defined:
- Instance → GL_InstanceVariable — variable injected into all pipelines instance-wide
- Group → GL_GroupVariable — variable injected into all pipelines within the group and subgroups
- Project → GL_ProjectVariable — variable injected into all pipelines for this project
- PipelineSchedule → GL_PipelineVariable — variable injected only into pipelines triggered by this schedule
- Project → GL_SecureFile — secure file accessible to project pipeline jobs
GL_Defines is traversable because CI/CD variables flow into pipeline jobs: an attacker who can read variables (via GL_ManageVariables permission or by triggering a job that prints them) can obtain the variable values — including credentials, API tokens, and private keys. The GL_IsToken edge is added to variable nodes when their value is found to be a valid PAT.
```mermaid
graph LR
instance("fa:fa-building GL_Instance")
group("fa:fa-user-group GL_Group myorg")
project("fa:fa-diagram-project GL_Project myorg/backend")
sched("fa:fa-clock-rotate-left GL_PipelineSchedule nightly")
ivar("fa:fa-sliders GL_InstanceVariable GLOBAL_TOKEN")
gvar("fa:fa-sliders GL_GroupVariable GROUP_DEPLOY_KEY")
pvar("fa:fa-sliders GL_ProjectVariable AWS_SECRET")
svar("fa:fa-sliders GL_PipelineVariable TARGET_ENV")
sf("fa:fa-file-shield GL_SecureFile signing.p12")
pat("fa:fa-key GL_AccessToken api-token")
instance -->|GL_Defines| ivar
group -->|GL_Defines| gvar
project -->|GL_Defines| pvar
project -->|GL_Defines| sf
sched -->|GL_Defines| svar
pvar -->|GL_IsToken| pat
```
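The scoping rules above can be put to work as graph queries. The following is an added example, not the tool's own code: it holds the diagram's nodes in a small in-memory model and answers two defender questions by walking GL_Defines edges, which variables and secure files reach pipelines run under a given scope owner, and how far a single variable reaches. Because the page only documents GL_Defines and GL_IsToken, containment between scope owners (schedule to project to group to instance) is an assumption recorded in a `parent` field rather than a documented edge.

```python
"""Walk GL_Defines edges in a GitLab attack graph to list the CI/CD variables
and secure files injected into a scope owner's pipelines, flag the ones whose
value was confirmed to be a PAT (GL_IsToken), and compute a variable's reach.

Added example, not the tool's own code. Assumption: scope-owner containment
(schedule -> project -> group -> instance) is stored as a `parent` field,
since the page documents only the GL_Defines and GL_IsToken edges."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

OWNER_KINDS = {"GL_Instance", "GL_Group", "GL_Project", "GL_PipelineSchedule"}


@dataclass
class Node:
    kind: str                      # e.g. "GL_Project" or "GL_ProjectVariable"
    name: str
    parent: Optional[str] = None   # assumed containment; None for the instance and for variables


@dataclass
class Graph:
    nodes: Dict[str, Node] = field(default_factory=dict)
    edges: List[Tuple[str, str, str]] = field(default_factory=list)  # (src, edge kind, dst)

    def add(self, node_id: str, kind: str, name: str, parent: Optional[str] = None) -> None:
        self.nodes[node_id] = Node(kind, name, parent)

    def link(self, src: str, kind: str, dst: str) -> None:
        self.edges.append((src, kind, dst))

    def out(self, src: str, kind: str) -> List[str]:
        return [d for s, k, d in self.edges if s == src and k == kind]

    def inbound(self, dst: str, kind: str) -> List[str]:
        return [s for s, k, d in self.edges if d == dst and k == kind]


def scope_chain(g: Graph, owner: str) -> List[str]:
    """The owner itself, then each enclosing scope up to the instance."""
    chain: List[str] = []
    cur: Optional[str] = owner
    while cur is not None:
        chain.append(cur)
        cur = g.nodes[cur].parent
    return chain


def effective_variables(g: Graph, owner: str) -> List[Tuple[str, str]]:
    """(defining scope, variable) pairs injected into pipelines run under `owner`.

    A schedule receives its own GL_PipelineVariable nodes plus everything its
    project, group chain and instance define; a project receives everything
    except schedule-scoped variables."""
    return [(scope, var)
            for scope in scope_chain(g, owner)
            for var in g.out(scope, "GL_Defines")]


def token_exposures(g: Graph, owner: str) -> List[Tuple[str, str, str]]:
    """Variables reaching `owner` whose value was confirmed to be a valid PAT."""
    return [(scope, var, tok)
            for scope, var in effective_variables(g, owner)
            for tok in g.out(var, "GL_IsToken")]


def pipelines_receiving(g: Graph, var: str) -> List[str]:
    """Every scope owner whose pipelines are injected with `var` (its blast radius)."""
    definers = g.inbound(var, "GL_Defines")
    return sorted(n for n, node in g.nodes.items()
                  if node.kind in OWNER_KINDS
                  and any(d in scope_chain(g, n) for d in definers))


def sample_graph() -> Graph:
    """Constructed sample mirroring the diagram on this page."""
    g = Graph()
    g.add("instance", "GL_Instance", "GL_Instance")
    g.add("group", "GL_Group", "myorg", parent="instance")
    g.add("project", "GL_Project", "myorg/backend", parent="group")
    g.add("sched", "GL_PipelineSchedule", "nightly", parent="project")
    g.add("ivar", "GL_InstanceVariable", "GLOBAL_TOKEN")
    g.add("gvar", "GL_GroupVariable", "GROUP_DEPLOY_KEY")
    g.add("pvar", "GL_ProjectVariable", "AWS_SECRET")
    g.add("svar", "GL_PipelineVariable", "TARGET_ENV")
    g.add("sf", "GL_SecureFile", "signing.p12")
    g.add("pat", "GL_AccessToken", "api-token")
    g.link("instance", "GL_Defines", "ivar")
    g.link("group", "GL_Defines", "gvar")
    g.link("project", "GL_Defines", "pvar")
    g.link("project", "GL_Defines", "sf")
    g.link("sched", "GL_Defines", "svar")
    g.link("pvar", "GL_IsToken", "pat")
    return g


SAMPLE = sample_graph()

if __name__ == "__main__":
    for scope, var, tok in token_exposures(SAMPLE, "sched"):
        print(f"{SAMPLE.nodes[var].name} (defined at {SAMPLE.nodes[scope].name}) "
              f"is token {SAMPLE.nodes[tok].name}")
    print("GROUP_DEPLOY_KEY reaches:", pipelines_receiving(SAMPLE, "gvar"))
```

`effective_variables` is the forward traversal the edge documentation describes: the nightly schedule ends up with five injected values, the project with four, and the group with only its own and the instance's. `pipelines_receiving` is the reverse question a reviewer of a variable audit asks, and it shows why a group- or instance-scoped credential deserves more scrutiny than a schedule-scoped one: the same GROUP_DEPLOY_KEY is delivered to every project and schedule beneath myorg.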