- Source: GL_ProjectRole
- Destination: GL_Branch
The traversable GL_CanPush edge indicates that a project role can push commits directly to this branch. The edge is conditioned on branch protection rules:
- Unprotected branches — Developer role and above can push directly.
- Protected branches — Only roles listed in the branch's "Allowed to push" access levels can push. The GitLab default is Maintainers (which includes Owners); a rule can also name Developers, specific users or groups, or No one, in which case no role receives the edge.
Code pushed to a branch is executed by that branch's CI/CD pipeline, giving the attacker arbitrary code execution in the pipeline context: every CI/CD variable the pipeline can see, secure files, and the runner's execution environment. Note that protected CI/CD variables are only injected into pipelines on protected branches, so a push to an unprotected branch exposes only unprotected variables. Combined with GL_BuildsOn, this represents the full "push to runner" escalation path.
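The following is an added example, not code from the original page or from the tool it documents, showing how the edge condition above can be computed from GitLab's protected-branch data. It assumes input shaped like the `GET /projects/:id/protected_branches` API response (only the `name` and `push_access_levels` fields are used; `access_level` 0 is "No one", and entries carrying `user_id` or `group_id` are explicit allowances rather than roles), the project name `myproject`, and that when several wildcard rules match a branch the most permissive one governs, which you should confirm against your own instance. The sample rules are constructed.

```python
from fnmatch import fnmatchcase

# GitLab numeric access levels, as used by the GitLab REST API.
NO_ACCESS, GUEST, REPORTER, DEVELOPER, MAINTAINER, OWNER = 0, 10, 20, 30, 40, 50
ROLE_NAMES = {GUEST: "Guest", REPORTER: "Reporter", DEVELOPER: "Developer",
              MAINTAINER: "Maintainer", OWNER: "Owner"}

# Constructed sample shaped like GET /projects/:id/protected_branches, trimmed
# to the fields used here. access_level 0 is "No one"; an entry carrying
# user_id or group_id is an explicit allowance, not a role.
PROTECTED_BRANCHES = [
    {"name": "main",      "push_access_levels": [{"access_level": NO_ACCESS}]},
    {"name": "release-*", "push_access_levels": [{"access_level": MAINTAINER}]},
    {"name": "hotfix-*",  "push_access_levels": [{"access_level": DEVELOPER},
                                                 {"access_level": MAINTAINER, "user_id": 42}]},
]


def matching_rules(branch, protected_branches):
    """An exact-name rule takes precedence; otherwise every matching wildcard rule."""
    exact = [r for r in protected_branches if r["name"] == branch]
    if exact:
        return exact
    return [r for r in protected_branches if fnmatchcase(branch, r["name"])]


def min_push_level(branch, protected_branches):
    """Lowest role level allowed to push to `branch`.

    None      -> branch is unprotected (GitLab default: Developer and above)
    NO_ACCESS -> protected and no role may push (only "No one", or only
                 explicit user/group allowances)
    """
    rules = matching_rules(branch, protected_branches)
    if not rules:
        return None
    per_rule = []
    for rule in rules:
        role_levels = [a["access_level"] for a in rule["push_access_levels"]
                       if "user_id" not in a and "group_id" not in a
                       and a["access_level"] > NO_ACCESS]
        per_rule.append(min(role_levels) if role_levels else NO_ACCESS)
    # Assumption: when several wildcard rules match, the most permissive one
    # governs; verify this against your instance before relying on it.
    permissive = [lvl for lvl in per_rule if lvl != NO_ACCESS]
    return min(permissive) if permissive else NO_ACCESS


def can_push(role_level, branch, protected_branches):
    """True if a project role at `role_level` gets a GL_CanPush edge to `branch`."""
    level = min_push_level(branch, protected_branches)
    if level is None:
        return role_level >= DEVELOPER
    if level == NO_ACCESS:
        return False
    return role_level >= level


def gl_can_push_edges(project, branch, protected_branches):
    """Emit GL_CanPush edges for every role in `project` that can push to `branch`.

    `protected` is carried along because protected CI/CD variables are only
    injected into pipelines running on protected branches.
    """
    protected = min_push_level(branch, protected_branches) is not None
    return [
        {"source": f"GL_ProjectRole {project}/{name}",
         "destination": f"GL_Branch {branch}",
         "protected": protected}
        for level, name in sorted(ROLE_NAMES.items())
        if can_push(level, branch, protected_branches)
    ]


if __name__ == "__main__":
    for edge in gl_can_push_edges("myproject", "develop", PROTECTED_BRANCHES):
        print(edge)
```

Run against the sample, `develop` (no matching rule) yields edges for Developer, Maintainer and Owner with `protected` false, `release-1.0` yields edges only for Maintainer and Owner, and `main` yields none because its only allowance is "No one". The `protected` flag is what tells a consumer whether the pipeline reached through this edge also sees protected variables.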
```mermaid
graph LR
user("fa:fa-user GL_User alice")
devRole("fa:fa-user-tie GL_ProjectRole myproject/Developer")
branch("fa:fa-code-branch GL_Branch develop")
runner("fa:fa-gears GL_Runner shared-runner")
user -->|GL_HasRole| devRole
devRole -->|GL_CanPush| branch
branch -.->|GL_BuildsOn| runner
```