- Source: GL_InstanceRole, GL_ProjectRole
- Destination: GL_Project

The non-traversable GL_DownloadJobArtifacts edge indicates that a role can download CI/CD job artifacts from this project. It has two forms:

- GL_ProjectRole → GL_Project — Project members of Reporter role and above can download job artifacts.
- GL_InstanceRole → GL_Project — For public projects, the Unauthenticated instance role can download artifacts. For internal projects, the Member instance role can download them, subject to the project's artifact visibility setting.

Although non-traversable, this edge is significant because job artifacts often contain build outputs, deployment packages, configuration files, and secrets that were inadvertently included. Combined with GL_ContainsCredentialsFor findings from artifact scanning, this edge anchors the "download artifact → find credentials" attack path.

```mermaid
graph LR
    unauth("fa:fa-user-tie GL_InstanceRole Unauthenticated")
    reporter("fa:fa-user-tie GL_ProjectRole myproject/Reporter")
    project("fa:fa-diagram-project GL_Project myorg/backend public")
    unauth -.->|GL_DownloadJobArtifacts| project
    reporter -.->|GL_DownloadJobArtifacts| project
```
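
The two edge forms described above, modeled as an added example for auditing a project inventory (this is not the collector's own code). The record fields, the `path/role` node naming and the sample projects are hypothetical, and `artifacts_visible` stands in for the project's artifact visibility setting.

```python
# Added illustration: derives GL_DownloadJobArtifacts edges from project records.
# Record fields (path, visibility, artifacts_visible, roles) are hypothetical,
# not the collector's real schema.

EDGE = "GL_DownloadJobArtifacts"

# GitLab project access levels (numeric values as used by the GitLab API).
ACCESS_LEVEL = {"Guest": 10, "Planner": 15, "Reporter": 20,
                "Developer": 30, "Maintainer": 40, "Owner": 50}
MIN_LEVEL = ACCESS_LEVEL["Reporter"]


def download_edges(project):
    """Return (source_kind, source_name, edge, project_path) tuples."""
    path = project["path"]
    edges = []

    # Form 1: GL_ProjectRole -> GL_Project, Reporter and above.
    for role in project["roles"]:
        if ACCESS_LEVEL.get(role, 0) >= MIN_LEVEL:
            edges.append(("GL_ProjectRole", f"{path}/{role}", EDGE, path))

    # Form 2: GL_InstanceRole -> GL_Project, driven by project visibility.
    if project["visibility"] == "public":
        edges.append(("GL_InstanceRole", "Unauthenticated", EDGE, path))
    elif project["visibility"] == "internal" and project["artifacts_visible"]:
        edges.append(("GL_InstanceRole", "Member", EDGE, path))
    # Private projects get no instance-role edge.
    return edges


def instance_wide_exposure(projects):
    """Projects whose artifacts are downloadable without project membership."""
    return sorted({(e[3], e[1]) for p in projects for e in download_edges(p)
                   if e[0] == "GL_InstanceRole"})


# Constructed sample inventory.
SAMPLE = [
    {"path": "myorg/backend", "visibility": "public", "artifacts_visible": True,
     "roles": ["Guest", "Reporter", "Maintainer"]},
    {"path": "myorg/intranet", "visibility": "internal", "artifacts_visible": False,
     "roles": ["Developer"]},
    {"path": "myorg/payroll", "visibility": "private", "artifacts_visible": True,
     "roles": ["Guest", "Owner"]},
]

if __name__ == "__main__":
    for project_path, role in instance_wide_exposure(SAMPLE):
        print(f"{role} can download job artifacts from {project_path}")
```

Projects returned by `instance_wide_exposure` are the ones to prioritize for artifact secret scanning and artifact expiry review, since no project membership is needed to reach their artifacts.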