- Source: GL_InstanceRole, GL_ProjectRole
- Destination: GL_LeakedSecret

The traversable GL_CanReadSecret edge indicates that a role can read a specific secret. It is emitted during enrichment for secrets that are exposed through publicly accessible resources (public job logs, public artifacts, or public variables).

- GL_InstanceRole → GL_LeakedSecret — The Unauthenticated or Member instance role can reach a secret because it is stored in a public or internal resource that anyone with the corresponding access level can view.
- GL_ProjectRole → GL_LeakedSecret — A project role can access a secret through resources scoped to that project (job logs, artifacts, or CI/CD variables accessible at that permission level).

This edge bridges the credential discovery path: it connects an attacker's reachable role to a concrete secret without requiring full project membership.

```mermaid
graph LR
    unauth("fa:fa-user-tie GL_InstanceRole Unauthenticated")
    reporter("fa:fa-user-tie GL_ProjectRole myproject/Reporter")
    secret("fa:fa-key GL_LeakedSecret api-key-prod")
    unauth -->|GL_CanReadSecret| secret
    reporter -->|GL_CanReadSecret| secret
```
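
For remediation, these edges can be grouped per secret so the most widely readable secrets are rotated first. The sketch below is an added example, not code from the project: the tuple layout, the rank ordering, `EXAMPLE_OTHER_EDGE`, and every sample value other than the node and edge kinds named above are constructed assumptions.

```python
from collections import defaultdict

# Lower rank = wider audience. The ordering is an assumption for this example:
# Unauthenticated is broader than Member, and either instance role is broader
# than a role scoped to one project.
INSTANCE_RANK = {"Unauthenticated": 0, "Member": 1}
PROJECT_RANK = 2

# Constructed sample edges: (source_kind, source_name, edge_kind, secret_name).
SAMPLE_EDGES = [
    ("GL_InstanceRole", "Unauthenticated", "GL_CanReadSecret", "api-key-prod"),
    ("GL_ProjectRole", "myproject/Reporter", "GL_CanReadSecret", "api-key-prod"),
    ("GL_InstanceRole", "Member", "GL_CanReadSecret", "deploy-token"),
    ("GL_ProjectRole", "myproject/Developer", "GL_CanReadSecret", "db-password"),
    ("GL_ProjectRole", "myproject/Reporter", "EXAMPLE_OTHER_EDGE", "db-password"),
]


def exposure_rank(source_kind, source_name):
    """Rank a source role by how wide an audience it represents."""
    if source_kind == "GL_InstanceRole":
        # Unrecognised instance roles are not guessed to be wider than project scope.
        return INSTANCE_RANK.get(source_name, PROJECT_RANK)
    if source_kind == "GL_ProjectRole":
        return PROJECT_RANK
    raise ValueError(f"GL_CanReadSecret source must be a role node, got {source_kind}")


def rotation_queue(edges):
    """Group GL_CanReadSecret edges by secret, widest exposure first."""
    readers = defaultdict(list)
    for source_kind, source_name, edge_kind, secret in edges:
        if edge_kind != "GL_CanReadSecret":
            continue  # other edge kinds say nothing about secret readability
        rank = exposure_rank(source_kind, source_name)
        readers[secret].append((rank, f"{source_kind} {source_name}"))
    queue = []
    for secret, found in readers.items():
        rank, widest = min(found)
        queue.append({"secret": secret, "rank": rank,
                      "widest_reader": widest, "reader_count": len(found)})
    return sorted(queue, key=lambda row: (row["rank"], row["secret"]))


if __name__ == "__main__":
    for row in rotation_queue(SAMPLE_EDGES):
        print(row)
```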