- Source: GL_InstanceRole, GL_ProjectRole
- Destination: GL_Project
The non-traversable GL_ViewJobLogs edge indicates that a role can view CI/CD job execution logs for this project. It has two forms:
GL_ProjectRole → GL_Project — Project members of Reporter role and above can view job logs.
GL_InstanceRole → GL_Project — For public projects, the Unauthenticated instance role can view job logs. For internal projects, the Member instance role can view them. This reflects GitLab's CI/CD visibility settings.
Although non-traversable, this edge is significant because job logs frequently contain sensitive output: printed environment variables, API responses, SSH key fingerprints, credentials echoed by scripts, and other secrets. Combined with GL_ContainsCredentialsFor findings from log scanning, this edge anchors the "read logs → find credentials" attack path.
graph LR
unauth("fa:fa-user-tie GL_InstanceRole Unauthenticated")
reporter("fa:fa-user-tie GL_ProjectRole myproject/Reporter")
project("fa:fa-diagram-project GL_Project myorg/backend public")
unauth -.->|GL_ViewJobLogs| project
reporter -.->|GL_ViewJobLogs| project