- Source: GL_ProjectRole, GL_InstanceRole
- Destination: GL_Repository
The non-traversable GL_CanPull edge indicates that a role can clone or pull from the repository. It has two forms:
- GL_ProjectRole → GL_Repository — Any project role of Reporter or above can pull from the repository. This edge is created for all applicable project roles.
- GL_InstanceRole → GL_Repository — For public projects, the Unauthenticated instance role can pull. For internal projects, the Member instance role can pull. This reflects GitLab's visibility-based access model.
Although non-traversable, this edge is significant because pulling repository contents may expose secrets, credentials, or sensitive configuration that was committed to source code. Combined with GL_ContainsCredentialsFor findings from repository scanning, this edge anchors the "read code → find credentials" attack path.
```mermaid
graph LR
    reporter("fa:fa-user-tie GL_ProjectRole myproject/Reporter")
    member("fa:fa-user-tie GL_InstanceRole Member")
    repo("fa:fa-box-archive GL_Repository myproject")
    reporter -.->|GL_CanPull| repo
    member -.->|GL_CanPull| repo
```
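The edge-creation rule described above, as an added Python example that is not the collector's own code: it derives the GL_CanPull edges for each project and lists every role that can read a repository flagged by secret scanning. The names `Edge`, `can_pull_edges`, `exposed_readers`, `INVENTORY` and `FLAGGED` are hypothetical, the inventory is constructed, and emitting no instance-role edge for private projects is an assumption, since the text names only public and internal.

```python
from dataclasses import dataclass

# GitLab access levels with their numeric API values.
ACCESS_LEVELS = {"Guest": 10, "Planner": 15, "Reporter": 20,
                 "Developer": 30, "Maintainer": 40, "Owner": 50}
# Instance role that gains pull access for each project visibility.
# Private projects are absent on purpose (assumption: no instance-role edge).
VISIBILITY_ROLE = {"public": "Unauthenticated", "internal": "Member"}
# Constructed sample data: project -> visibility, and repos with credential findings.
INVENTORY = {"myproject": "internal", "website": "public", "payroll": "private"}
FLAGGED = {"myproject", "payroll"}

@dataclass(frozen=True)
class Edge:
    source_kind: str          # GL_ProjectRole or GL_InstanceRole
    source: str               # role node name, e.g. "myproject/Reporter"
    target: str               # GL_Repository name
    kind: str = "GL_CanPull"
    traversable: bool = False

def can_pull_edges(project: str, visibility: str) -> list[Edge]:
    """Return the GL_CanPull edges for one project's repository."""
    if visibility not in ("public", "internal", "private"):
        raise ValueError(f"unknown visibility: {visibility!r}")
    floor = ACCESS_LEVELS["Reporter"]  # Reporter or above can pull
    edges = [Edge("GL_ProjectRole", f"{project}/{role}", project)
             for role, level in ACCESS_LEVELS.items() if level >= floor]
    instance_role = VISIBILITY_ROLE.get(visibility)
    if instance_role:
        edges.append(Edge("GL_InstanceRole", instance_role, project))
    return edges

def exposed_readers(inventory: dict[str, str], flagged: set[str]) -> dict[str, list[str]]:
    """For repositories with credential findings, list every role that can pull."""
    return {p: [e.source for e in can_pull_edges(p, inventory[p])]
            for p in sorted(flagged) if p in inventory}

if __name__ == "__main__":
    for repo, roles in exposed_readers(INVENTORY, FLAGGED).items():
        print(repo, "->", ", ".join(roles))
```

A flagged internal repository is the one to rotate first: its reader list includes the instance-wide Member role, not just the project's own roles.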