- Source: GL_InstanceVariable, GL_GroupVariable, GL_ProjectVariable, GL_PipelineVariable, GL_LeakedSecret
- Destination: GL_AccessToken
The traversable GL_IsToken edge is created when a CI/CD variable's value or a discovered secret value is confirmed to be a valid, active GitLab personal access token — verified by making an API call with the value during collection or enrichment.
When a PAT value is found and verified:
- The corresponding GL_AccessToken node is identified (or created) with the token's metadata.
- A GL_IsToken edge is added from the variable or secret node to the PAT node.
- A GL_HasPrivilegeOf edge is added from the PAT to the owning user (if identifiable).
This edge directly connects accessible CI/CD configuration or scanning findings to a live credential with known user-level access.
```mermaid
graph LR
    pvar("fa:fa-sliders GL_ProjectVariable DEPLOY_TOKEN")
    secret("fa:fa-key GL_LeakedSecret glpat-xxx")
    pat("fa:fa-key GL_PersonalAccessToken alice-deploy")
    user("fa:fa-user GL_User alice")
    pvar -->|GL_IsToken| pat
    secret -->|GL_IsToken| pat
    pat -->|GL_HasPrivilegeOf| user
```
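
The edge-creation steps above, as an added Python example (not the collector's own code). The `verify` callable stands in for the API check and is stubbed with constructed results; the node id format and the `id`, `name`, `active`, `revoked` and `user_id` metadata fields are assumptions.

```python
# Added example: edge construction for verified tokens. Node id formats and the
# verify() callable are assumptions, not the collector's real implementation.

def build_token_edges(findings, verify):
    """findings: (source_kind, source_id, value) tuples.
    verify(value) returns token metadata (dict) for a live PAT, else None."""
    nodes, edges = {}, []
    for source_kind, source_id, value in findings:
        meta = verify(value)
        # Only a confirmed valid, active token produces an edge.
        if not meta or not meta.get("active") or meta.get("revoked"):
            continue
        pat_id = f"GL_AccessToken:{meta['id']}"
        # Identify the existing PAT node or create it; the raw value is not stored.
        nodes.setdefault(pat_id, {"kind": "GL_AccessToken", "name": meta.get("name")})
        edges.append((f"{source_kind}:{source_id}", "GL_IsToken", pat_id))
        owner = meta.get("user_id")
        if owner is not None:  # owner edge only when the user is identifiable
            user_id = f"GL_User:{owner}"
            nodes.setdefault(user_id, {"kind": "GL_User"})
            edge = (pat_id, "GL_HasPrivilegeOf", user_id)
            if edge not in edges:  # one owner edge per PAT, however many sources
                edges.append(edge)
    return nodes, edges


# Constructed sample data: stubbed verification results keyed by placeholder values.
SAMPLE_RESULTS = {
    "value-A": {"id": 101, "name": "alice-deploy", "active": True, "revoked": False, "user_id": 7},
    "value-B": {"id": 102, "name": "old-ci", "active": False, "revoked": True, "user_id": 7},
    "value-C": {"id": 103, "name": "orphan", "active": True, "revoked": False, "user_id": None},
}
SAMPLE_FINDINGS = [
    ("GL_ProjectVariable", "DEPLOY_TOKEN", "value-A"),
    ("GL_LeakedSecret", "finding-1", "value-A"),       # same token as DEPLOY_TOKEN
    ("GL_GroupVariable", "LEGACY", "value-B"),         # revoked: no edge
    ("GL_InstanceVariable", "SHARED", "value-C"),      # live, owner unknown
    ("GL_PipelineVariable", "NOT_A_TOKEN", "value-D"), # verification fails
]


def run_sample():
    return build_token_edges(SAMPLE_FINDINGS, SAMPLE_RESULTS.get)
```

Two sources holding the same token converge on one PAT node, which is what makes a single rotation close every path through it.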