Base node kind for CI/CD variables across all scopes. Concrete variable nodes (GL_InstanceVariable, GL_GroupVariable, GL_ProjectVariable, GL_PipelineVariable) inherit this kind, so queries against GL_Variable match all of them regardless of scope.
GL_Variable nodes are the primary source for credential discovery: if a scanner (TruffleHog, Pipeleek) finds a secret in a variable's value, a GL_ContainsCredentialsFor edge is added from the variable to the corresponding GL_LeakedSecret node. If the value is a valid GitLab access token, a GL_IsToken edge is added from the variable to the corresponding GL_AccessToken node.
```mermaid
flowchart TD
    GL_InstanceVariable[fa:fa-sliders GL_InstanceVariable]
    GL_GroupVariable[fa:fa-sliders GL_GroupVariable]
    GL_ProjectVariable[fa:fa-sliders GL_ProjectVariable]
    GL_PipelineVariable[fa:fa-sliders GL_PipelineVariable]
    GL_LeakedSecret[fa:fa-key GL_LeakedSecret]
    GL_AccessToken[fa:fa-key GL_AccessToken]
    GL_InstanceVariable -->|GL_ContainsCredentialsFor| GL_LeakedSecret
    GL_GroupVariable -->|GL_ContainsCredentialsFor| GL_LeakedSecret
    GL_ProjectVariable -->|GL_ContainsCredentialsFor| GL_LeakedSecret
    GL_PipelineVariable -->|GL_ContainsCredentialsFor| GL_LeakedSecret
    GL_InstanceVariable -->|GL_IsToken| GL_AccessToken
    GL_GroupVariable -->|GL_IsToken| GL_AccessToken
    GL_ProjectVariable -->|GL_IsToken| GL_AccessToken
    GL_PipelineVariable -->|GL_IsToken| GL_AccessToken
```
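
An audit query over the base kind, added here as an example and not taken from the project's own query set. It assumes a Neo4j-backed graph in which each node kind is stored as a label, so a concrete variable node carries both GL_Variable and its scope-specific kind; the aliases `scope`, `finding` and `variables` are chosen for this example.

```cypher
// Count CI/CD variables with a credential finding, grouped by scope.
// Matching on the base kind GL_Variable covers instance, group, project
// and pipeline variables in a single pattern.
MATCH (v:GL_Variable)-[r:GL_ContainsCredentialsFor|GL_IsToken]->(t)
WHERE t:GL_LeakedSecret OR t:GL_AccessToken
WITH v, r,
     // Recover the concrete scope kind from the node's labels
     // (assumption: kinds are stored as Neo4j labels).
     [l IN labels(v) WHERE l IN [
        'GL_InstanceVariable',
        'GL_GroupVariable',
        'GL_ProjectVariable',
        'GL_PipelineVariable'
     ]][0] AS scope
RETURN scope,
       type(r)           AS finding,    // GL_ContainsCredentialsFor or GL_IsToken
       count(DISTINCT v) AS variables
ORDER BY variables DESC;
```

Rows with `finding = GL_IsToken` are the ones to rotate first, since the page states that edge is only added when the value is a valid GitLab access token.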