- Source: GL_ProjectRole
- Destination: GL_Repository

The non-traversable GL_ManageProtectedBranches edge indicates that a role can add, modify, or remove branch protection rules for the repository. The Maintainer role and above typically have this permission.

Although non-traversable, this edge is significant because removing branch protections enables direct pushes to previously protected branches, effectively creating GL_CanPush paths where none existed before. An attacker with this permission can circumvent code review requirements and pipeline approval gates, enabling arbitrary code injection into production pipelines.

```mermaid
graph LR
    maintRole("fa:fa-user-tie GL_ProjectRole myproject/Maintainer")
    repo("fa:fa-box-archive GL_Repository myproject")
    branch("fa:fa-code-branch GL_Branch main")
    maintRole -.->|GL_ManageProtectedBranches| repo
    repo -.->|GL_HasBranch| branch
```
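
Because the edge is non-traversable, path queries will not surface the push access it can lead to. The following audit sketch is an added example, not part of the project's own code: it lists roles that hold GL_ManageProtectedBranches on a repository but have no GL_CanPush edge to one of its protected branches. The node ids, the Developer role, the `protected` flag and the role-to-branch direction of GL_CanPush are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample graph. The edge kinds GL_ManageProtectedBranches,
# GL_HasBranch and GL_CanPush are named on the page; the node ids, the
# Developer role, the 'protected' flag and the role -> branch direction
# of GL_CanPush are assumptions for this example.
PROTECTED = {"myproject:main": True, "myproject:feature-x": False}
EDGES = [
    ("myproject/Maintainer", "GL_ManageProtectedBranches", "myproject"),
    ("myproject/Developer", "GL_CanPush", "myproject:feature-x"),
    ("myproject/Maintainer", "GL_CanPush", "myproject:feature-x"),
    ("myproject", "GL_HasBranch", "myproject:main"),
    ("myproject", "GL_HasBranch", "myproject:feature-x"),
]


def latent_push_paths(edges, protected):
    """Return sorted (role, repo, branch) triples where the role has no
    GL_CanPush edge to a protected branch but holds
    GL_ManageProtectedBranches on that branch's repository."""
    by_kind = defaultdict(set)
    for src, kind, dst in edges:
        by_kind[kind].add((src, dst))

    # Map each repository to the branches it owns.
    branches = defaultdict(set)
    for repo, branch in by_kind["GL_HasBranch"]:
        branches[repo].add(branch)

    findings = []
    for role, repo in by_kind["GL_ManageProtectedBranches"]:
        for branch in branches[repo]:
            is_protected = protected.get(branch, False)
            can_push = (role, branch) in by_kind["GL_CanPush"]
            # Only protected branches without an existing push edge are
            # "latent": unprotecting them would grant new push access.
            if is_protected and not can_push:
                findings.append((role, repo, branch))
    return sorted(findings)


if __name__ == "__main__":
    for role, repo, branch in latent_push_paths(EDGES, PROTECTED):
        print(f"{role} can unprotect {branch} in {repo}: "
              "review as if GL_CanPush existed")
```

Each finding is a role to review as if it already had push access to that branch.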