- Source: GL_Variable, GL_JobArtifact, GL_JobLog
- Destination: GL_LeakedSecret
| Property | Type | Description |
|---|---|---|
| detector | string | Scanning tool that found the credential (e.g., trufflehog, pipeleek) |
| rule | string | Detection rule name |
| confidence | string | Scanner confidence level (e.g., high, medium, low); present for Pipeleek findings only |
| file | string | File path where the credential was found |
| commit | string | Git commit SHA; present for repository findings |
| line | integer | Line number in the source file |
| link | string | Direct URL to the finding in the GitLab UI |
| job_name | string | Job name; present for artifact and log findings |
| source_type | string | Finding source: archive (job artifact) or log (job log); absent for repository and variable findings |
The traversable GL_ContainsCredentialsFor edge is created during enrichment when a secret scanner (TruffleHog, Pipeleek, or similar) finds a credential in a CI/CD variable, job artifact, or job log. The destination is a GL_LeakedSecret node representing the discovered credential.
This edge is traversable because a credential recovered from an accessible CI/CD output is live authentication material, not just a finding to triage. An attacker who can read a public project's job logs (GL_ViewJobLogs), or who can read CI/CD variables (GL_ManageVariables), may obtain working credentials through this path without any further exploitation. When the discovered value is confirmed to be a valid GitLab personal access token (PAT), the GL_LeakedSecret node additionally receives the GL_IsToken edge, so the path can continue from the secret as a GitLab identity.
```mermaid
graph LR
variable("fa:fa-sliders GL_Variable AWS_SECRET")
artifact("fa:fa-file-zipper GL_JobArtifact build.zip")
log("fa:fa-scroll GL_JobLog deploy")
secret("fa:fa-key GL_LeakedSecret AWS_SECRET_ACCESS_KEY")
variable -->|GL_ContainsCredentialsFor| secret
artifact -->|GL_ContainsCredentialsFor| secret
log -->|GL_ContainsCredentialsFor| secret
```
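The following is an added example, not the project's own enrichment code, showing how scanner findings from the three source kinds above become GL_LeakedSecret nodes and GL_ContainsCredentialsFor edges with exactly the properties the table marks as present for each source, and how GL_IsToken is attached once a PAT is confirmed live. The finding layout (`kind`, `name`, `value`, etc.), the sample findings, the `glpat-` format pre-filter and the `token_owner` callback that stands in for the live validity check are this example's assumptions; the page does not state how validity is checked or what GL_IsToken points at.

```python
"""Added example (not the documented project's own code): build GL_LeakedSecret
nodes and GL_ContainsCredentialsFor / GL_IsToken edges from secret-scanner
findings, applying the per-source property rules from the table above."""
import hashlib
import re
from typing import Callable, Optional

# source_type value per source kind; variables carry none, matching the table.
SOURCE_TYPE = {"GL_JobArtifact": "archive", "GL_JobLog": "log", "GL_Variable": None}

# GitLab PATs created on 14.5+ carry the "glpat-" prefix; this is only a cheap
# pre-filter. Validity is confirmed by the caller-supplied live check below.
PAT_FORMAT = re.compile(r"^glpat-[A-Za-z0-9_-]{20,}$")

# Constructed sample findings in this example's own field layout (assumed shape,
# not the project's schema): kind, name, detector, rule, value, link, and the
# optional confidence, file, line, job_name. Token values are made up.
SAMPLE_FINDINGS = [
    {"kind": "GL_Variable", "name": "AWS_SECRET", "detector": "trufflehog",
     "rule": "AWS", "value": "AKIAEXAMPLE0000000000",
     "link": "https://gitlab.example/grp/proj/-/settings/ci_cd"},
    {"kind": "GL_JobArtifact", "name": "build.zip", "detector": "pipeleek",
     "rule": "gitlab-pat", "confidence": "high", "file": "build/.env", "line": 12,
     "job_name": "build", "value": "glpat-EXAMPLEEXAMPLEEXAMPL",
     "link": "https://gitlab.example/grp/proj/-/jobs/101/artifacts/file/build/.env"},
    {"kind": "GL_JobLog", "name": "deploy", "detector": "trufflehog",
     "rule": "GitLab", "job_name": "deploy", "value": "glpat-REVOKEDREVOKEDREVOKED",
     "link": "https://gitlab.example/grp/proj/-/jobs/102"},
]


def build_leaked_secret(finding: dict) -> dict:
    """Return the GL_LeakedSecret property map for one finding, emitting only
    the properties the table marks as present for that source kind."""
    kind = finding["kind"]
    if kind not in SOURCE_TYPE:
        raise ValueError(f"unsupported source kind {kind!r}")
    node = {"detector": finding["detector"], "rule": finding["rule"],
            "link": finding["link"]}
    if finding["detector"] == "pipeleek" and "confidence" in finding:
        node["confidence"] = finding["confidence"]  # Pipeleek findings only
    for key in ("file", "line"):
        if finding.get(key) is not None:
            node[key] = finding[key]
    if kind in ("GL_JobArtifact", "GL_JobLog"):
        node["job_name"] = finding["job_name"]
        node["source_type"] = SOURCE_TYPE[kind]
    return node


def secret_node_id(finding: dict) -> str:
    """Identify the secret by a hash so the raw credential never lands in a
    node id or a log line."""
    digest = hashlib.sha256(finding["value"].encode()).hexdigest()[:16]
    return f"GL_LeakedSecret:{finding['rule']}:{digest}"


def enrich(findings: list, token_owner: Callable[[str], Optional[str]]):
    """Return (nodes, edges). Edges are (source_id, kind, destination_id).

    token_owner stands in for the live validity check; it returns the id of the
    account a PAT authenticates as, or None. That the real tool resolves the
    owner this way, and that GL_IsToken points at that account, are this
    example's assumptions; the page only says the edge marks a valid PAT.
    """
    nodes, edges = {}, []
    for f in findings:
        src_id = f"{f['kind']}:{f['name']}"
        sid = secret_node_id(f)
        nodes.setdefault(src_id, {"kind": f["kind"]})
        nodes[sid] = build_leaked_secret(f)
        edges.append((src_id, "GL_ContainsCredentialsFor", sid))
        if PAT_FORMAT.match(f["value"]):
            owner = token_owner(f["value"])  # an API round-trip in a real tool
            if owner is not None:
                edges.append((sid, "GL_IsToken", owner))
    return nodes, edges


def demo():
    """Run the enrichment over the constructed findings with a fake validator
    that only accepts the artifact's token; the log token plays a revoked one."""
    live = {"glpat-EXAMPLEEXAMPLEEXAMPL": "GL_User:ci-bot"}
    return enrich(SAMPLE_FINDINGS, live.get)


if __name__ == "__main__":
    nodes, edges = demo()
    for src, kind, dst in edges:
        print(f"{src} -[{kind}]-> {dst}")
```

Two details worth keeping when adapting this: the format regex only decides which values are worth a validity round-trip (a value that looks like a PAT but has been revoked gets no GL_IsToken edge, as the `deploy` log token shows), and secrets are keyed by a hash rather than the raw value so the graph itself does not become another place the credential leaks.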