Skip to content

GL_LeakedSecret.md

Latest commit

 

History

History
50 lines (39 loc) · 2.33 KB

GL_LeakedSecret.md

File metadata and controls

50 lines (39 loc) · 2.33 KB

GL_LeakedSecret

Represents a credential or secret value discovered within the GitLab instance — typically found in job logs, job artifact archives, or repository history by a secret scanner (Gitleaks, TruffleHog, Pipeleek, etc.). GL_LeakedSecret nodes capture the raw value and metadata about how the credential was found.

If the discovered value is confirmed to be a valid GitLab personal access token (verified via API call), a GL_IsToken edge is added directly to the corresponding GL_AccessToken node rather than (or in addition to) the GL_LeakedSecret node.

Properties

Property Name Data Type Description
name string Rule or detector name that identified this secret
detector string Name of the scanning tool or detector (e.g., gitleaks, trufflehog, pipeleek)
verified bool Whether the credential has been verified as valid via API
value string The raw credential value discovered

Edge Properties on GL_ContainsCredentialsFor

When a GL_ContainsCredentialsFor edge is created to this node, it carries context about where the secret was found:

Property Name Description
detector Scanning tool that found the secret
rule Detection rule name
file File path where the secret was found
commit Git commit SHA (for repository findings)
line Line number in the source file
link Direct URL to the finding
job_name Job name (for artifact/log findings)
source_type Type of source: repository, artifact, or log

Diagram

flowchart TD
    GL_InstanceRole[fa:fa-user-tie GL_InstanceRole]
    GL_LeakedSecret[fa:fa-key GL_LeakedSecret]
    GL_ProjectRole[fa:fa-user-tie GL_ProjectRole]
    GL_Variable[fa:fa-sliders GL_Variable]
    GL_JobLog[fa:fa-scroll GL_JobLog]
    GL_JobArtifact[fa:fa-file-zipper GL_JobArtifact]
    GL_AccessToken[fa:fa-key GL_AccessToken]

    GL_InstanceRole -->|GL_CanReadSecret| GL_LeakedSecret
    GL_ProjectRole -->|GL_CanReadSecret| GL_LeakedSecret
    GL_Variable -->|GL_ContainsCredentialsFor| GL_LeakedSecret
    GL_JobLog -->|GL_ContainsCredentialsFor| GL_LeakedSecret
    GL_JobArtifact -->|GL_ContainsCredentialsFor| GL_LeakedSecret
    GL_LeakedSecret -->|GL_IsToken| GL_AccessToken
Loading