Represents a GitLab CI/CD runner — a process that picks up and executes CI/CD jobs. Runners are the execution environment for all pipeline jobs; compromising a runner or gaining the ability to run jobs on a runner is a critical attack path. Runners can be scoped to an instance (shared), a group, or a project, and their access_level controls whether they execute jobs from unprotected branches, protected branches, or both.
Runner manager processes (the gitlab-runner agent) are modeled as separate GL_RunnerManager nodes connected via GL_ManagedBy.
| Property Name | Data Type | Description |
|---|---|---|
| name | string | Runner name or description |
| description | string | Runner description |
| paused | bool | Whether the runner is paused (will not pick up new jobs) |
| online | bool | Whether the runner is currently connected |
| is_shared | bool | Whether this is an instance-level shared runner |
| runner_type | string | Scope: instance_type, group_type, or project_type |
| status | string | Current status: idle, active, offline, or paused |
| tag_list | string[] | Tags used for job routing |
| contacted_at | datetime | Last time the runner contacted the GitLab instance |
| maintenance_note | string | Operator maintenance notes |
| run_untagged | bool | Whether this runner accepts jobs without tags |
| locked | bool | Whether the runner is locked to its current project |
| access_level | string | not_protected (runs all jobs) or ref_protected (only protected branch jobs) |
| maximum_timeout | integer | Maximum job timeout in seconds |
flowchart TD
GL_Job[fa:fa-gear GL_Job]
GL_Runner[fa:fa-gears GL_Runner]
GL_RunnerManager[fa:fa-server GL_RunnerManager]
GL_Group[fa:fa-user-group GL_Group]
GL_Project[fa:fa-diagram-project GL_Project]
GL_Branch[fa:fa-code-branch GL_Branch]
GL_Job -.->|GL_ExecutedBy| GL_Runner
GL_Runner -.->|GL_ManagedBy| GL_RunnerManager
GL_Runner -.->|GL_AssignedTo| GL_Group
GL_Group -.->|GL_CanUseRunner| GL_Runner
GL_Project -.->|GL_CanUseRunner| GL_Runner
GL_Branch -.->|GL_BuildsOn| GL_Runner