- Source: GL_ProjectRole, GL_GroupRole
- Destination: GL_Project, GL_Group
The non-traversable GL_ManageVariables edge indicates that a role can create, update, and delete CI/CD variables for the project or group. It has two forms:
- GL_ProjectRole → GL_Project — Project Maintainer and above can manage CI/CD variables for the project.
- GL_GroupRole → GL_Group — Group Maintainer and above can manage CI/CD variables for the group (and, through inheritance, for every subgroup and project beneath it).
Although non-traversable, this edge is significant for two reasons: (1) An attacker with this permission can read back, via the API, the value of every variable that is not hidden. Masking only redacts a value from job logs, so masked variables are still returned in clear; only hidden variables cannot be read after creation. (2) An attacker can overwrite variable values to inject attacker-controlled credentials or override configuration that changes pipeline behavior, which does not require being able to read the current value first.
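The following is an added example, not part of the original page and not BloodHound or GitLab code. It enumerates what a holder of GL_ManageVariables can read through the GitLab REST API v4 (`GET /projects/:id/variables` plus the inherited `GET /groups/:id/variables` of every ancestor group) and classifies each variable as readable or not according to the masked/hidden rules above. The hostname, token, `transport` callable and all sample API responses are constructed for the example; the real `http_transport` is included only so the same code can be pointed at a live instance.

```python
"""Triage of CI/CD variables reachable through GL_ManageVariables.

Added example, not BloodHound or GitLab code. Assumes the GitLab REST API
v4 response shape of GET /projects/:id/variables and GET /groups/:id/variables.
The hostname, token and SAMPLE_RESPONSES below are constructed for the example.
"""
import json
from urllib.parse import quote
from urllib.request import Request, urlopen

# GitLab access levels: Developer = 30, Maintainer = 40, Owner = 50.
MAINTAINER = 40


def has_manage_variables(access_level: int) -> bool:
    """Maintainer and above hold GL_ManageVariables on the project or group."""
    return access_level >= MAINTAINER


def ancestor_groups(project_path: str) -> list:
    """Groups whose variables the project inherits: 'a/b/c' -> ['a', 'a/b']."""
    parts = project_path.split("/")[:-1]
    return ["/".join(parts[: i + 1]) for i in range(len(parts))]


def variables_url(base: str, kind: str, full_path: str) -> str:
    """kind is 'projects' or 'groups'; full paths are URL-encoded ('/' -> %2F)."""
    return f"{base}/api/v4/{kind}/{quote(full_path, safe='')}/variables"


def classify(var: dict, origin: str) -> dict:
    """Decide whether the stored value is readable through the API.

    Masking only redacts the value from job logs, so a maintainer can still
    read it back. Hidden variables cannot be read back after creation, so any
    variable with hidden=True is treated as unreadable regardless of what the
    response carries in its value field.
    """
    readable = not var.get("hidden", False)
    return {
        "origin": origin,
        "key": var["key"],
        "readable": readable,
        "value": var.get("value") if readable else None,
        "masked": bool(var.get("masked", False)),
        "protected": bool(var.get("protected", False)),
        "scope": var.get("environment_scope", "*"),
    }


def enumerate_variables(base: str, transport, project_path: str) -> list:
    """Project variables plus inherited group variables, classified."""
    targets = [("projects", project_path)] + [
        ("groups", g) for g in ancestor_groups(project_path)
    ]
    findings = []
    for kind, path in targets:
        for var in transport(variables_url(base, kind, path)):
            findings.append(classify(var, f"{kind[:-1]}:{path}"))
    return findings


def readable_values(findings: list) -> dict:
    """key -> value for everything the API hands back in clear."""
    return {f["key"]: f["value"] for f in findings if f["readable"]}


def http_transport(token: str):
    """Real transport: GET with a PRIVATE-TOKEN header, return parsed JSON."""
    def get(url: str):
        req = Request(url, headers={"PRIVATE-TOKEN": token})
        with urlopen(req) as resp:
            return json.load(resp)
    return get


# Constructed sample responses standing in for the live API (hypothetical host).
BASE = "https://gitlab.example"
SAMPLE_RESPONSES = {
    variables_url(BASE, "projects", "myorg/backend"): [
        {"key": "AWS_SECRET", "value": "AKIAEXAMPLE0000", "masked": True,
         "hidden": False, "protected": False, "environment_scope": "*"},
        {"key": "DEPLOY_KEY", "value": None, "masked": True,
         "hidden": True, "protected": True, "environment_scope": "prod"},
    ],
    variables_url(BASE, "groups", "myorg"): [
        {"key": "AZ_SECRET", "value": "az-example", "masked": False,
         "hidden": False, "protected": False, "environment_scope": "*"},
    ],
}


def fake_transport(url: str):
    """Offline stand-in for http_transport, serving the constructed responses."""
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    for finding in enumerate_variables(BASE, fake_transport, "myorg/backend"):
        print(finding)
```

Against the sample data, `AWS_SECRET` comes back in clear despite being masked, `DEPLOY_KEY` is reported as unreadable because it is hidden, and `AZ_SECRET` is picked up from the `myorg` group because project Maintainers see inherited group variables through the project's own `variables` endpoint only if they also hold the group edge; the example fetches the group endpoint explicitly to make that inheritance visible.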
```mermaid
graph LR
maintRole("fa:fa-user-tie GL_ProjectRole myproject/Maintainer")
project("fa:fa-diagram-project GL_Project myorg/backend")
pvar("fa:fa-sliders GL_ProjectVariable AWS_SECRET")
groupMaintRole("fa:fa-user-tie GL_GroupRole myorg/Maintainer")
group("fa:fa-user-group GL_Group myorg")
gvar("fa:fa-sliders GL_GroupVariable AZ_SECRET")
maintRole -.->|GL_ManageVariables| project
project -->|GL_Defines| pvar
groupMaintRole -.->|GL_ManageVariables| group
group -->|GL_Defines| gvar
```