Represents a branch within a GitLab repository. Branch nodes capture the branch's protection status and head commit. They are the focal point of CI/CD execution attack paths: code pushed or merged to a branch triggers pipelines that run on runners and have access to CI/CD variables and secure files.
Protected branches restrict who can push and merge. The access_level of runners determines whether a runner will execute jobs triggered from protected vs. unprotected branches — modeled via GL_BuildsOn edges in the enrichment phase.
Branches can also be the source of federated credential abuse via GL_CanAssumeIdentity edges to Entra service principals.
| Property Name | Data Type | Description |
|---|---|---|
| name | string | Fully-qualified branch name (e.g., MyProject/main) |
| branch | string | Short branch name (e.g., main) |
| commit | string | Short SHA of the branch's current HEAD commit |
| web_url | string | URL to the branch in the GitLab UI |
| default | bool | Whether this is the project's default branch |
| protected | bool | Whether this branch has a protection rule applied |
| merged | bool | Whether this branch has been merged into the default branch |
```mermaid
flowchart TD
AZServicePrincipal[fa:fa-robot AZServicePrincipal]
Computer[fa:fa-desktop Computer]
GL_Branch[fa:fa-code-branch GL_Branch]
GL_Pipeline[fa:fa-angles-right GL_Pipeline]
GL_User[fa:fa-user GL_User]
GL_Repository[fa:fa-box-archive GL_Repository]
GL_ProjectRole[fa:fa-user-tie GL_ProjectRole]
GL_Runner[fa:fa-gears GL_Runner]
GL_Branch -.->|GL_Triggers| GL_Pipeline
GL_Pipeline -.->|GL_RunsOn| GL_Branch
GL_User -.->|GL_PushedTo| GL_Branch
GL_Repository -.->|GL_HasBranch| GL_Branch
GL_ProjectRole -->|GL_CanPush| GL_Branch
GL_ProjectRole -->|GL_CanMerge| GL_Branch
GL_Branch -.->|GL_BuildsOn| GL_Runner
GL_Branch -->|GL_CanAssumeIdentity| AZServicePrincipal
GL_Branch -->|GL_BuildsAsSystem| Computer
```
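Two Cypher audit queries over the labels and edge types diagrammed above, added here as an example and not part of this schema reference or the project's own code. Only the node labels, edge types and the GL_Branch `name`/`protected` properties come from this page; the `name` property on GL_ProjectRole, GL_Runner and AZServicePrincipal is an assumption.

```cypher
// Query 1: unprotected branches whose pipelines can assume an Entra identity.
// Any role that can push to such a branch can get code executed with that
// identity (GL_CanPush -> GL_CanAssumeIdentity), so these are the branches
// whose protection rules should be reviewed first.
// Assumes r.name / sp.name / rn.name exist on those node types.
MATCH (r:GL_ProjectRole)-[:GL_CanPush]->(b:GL_Branch)
      -[:GL_CanAssumeIdentity]->(sp:AZServicePrincipal)
WHERE b.protected = false
OPTIONAL MATCH (b)-[:GL_BuildsOn]->(rn:GL_Runner)
RETURN b.name                        AS branch,
       sp.name                       AS servicePrincipal,
       collect(DISTINCT r.name)      AS rolesThatCanPush,
       collect(DISTINCT rn.name)     AS runners
ORDER BY size(rolesThatCanPush) DESC;

// Query 2: runners shared between protected and unprotected branches.
// GL_BuildsOn is derived from the runner's access_level during enrichment, so
// a runner with GL_BuildsOn edges from both kinds of branch is one whose
// access_level lets jobs from unprotected code run on the same host that
// executes protected-branch jobs. Review whether that sharing is intended.
MATCH (pb:GL_Branch {protected: true})-[:GL_BuildsOn]->(rn:GL_Runner)
      <-[:GL_BuildsOn]-(ub:GL_Branch {protected: false})
RETURN rn.name                        AS runner,
       collect(DISTINCT pb.name)      AS protectedBranches,
       collect(DISTINCT ub.name)      AS unprotectedBranches
ORDER BY size(unprotectedBranches) DESC;
```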