- Source: GL_Branch
- Destination: Computer (Active Directory, from BloodHound)
The traversable GL_BuildsAsSystem edge is a hybrid cross-subgraph edge connecting a GitLab branch to a domain-joined Windows computer. It is created when a runner uses a shell executor and its runner manager process is hosted on an Active Directory Computer node (via GL_HostedOn).
Because the shell executor runs CI/CD jobs directly as the runner manager's system user (rather than inside a container), an attacker who can push code to this branch can execute arbitrary commands as SYSTEM on the domain-joined host.
```mermaid
graph LR
user("fa:fa-user GL_User alice")
devRole("fa:fa-user-tie GL_ProjectRole myproject/Developer")
branch("fa:fa-code-branch GL_Branch main")
computer("fa:fa-desktop Computer WIN-RUNNER01")
user -->|GL_HasRole| devRole
devRole -->|GL_CanPush| branch
branch -->|GL_BuildsAsSystem| computer
```
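To audit this exposure across a collected graph rather than one example path, the following Cypher queries (added here, not part of the BloodHound documentation) enumerate the users who reach a domain-joined host through the chain in the diagram and summarise the blast radius per host. They assume the node labels and edge names shown above and that nodes carry a `name` property.

```cypher
// Query 1: list every (user, branch, host) triple where a GL_User can push,
// via any project role, to a branch that builds as SYSTEM on a Computer.
// Labels/edges are taken from the diagram; the `name` property is assumed.
MATCH (u:GL_User)-[:GL_HasRole]->(r:GL_ProjectRole)
      -[:GL_CanPush]->(b:GL_Branch)
      -[:GL_BuildsAsSystem]->(c:Computer)
RETURN u.name AS user, r.name AS role, b.name AS branch, c.name AS host
ORDER BY host, branch, user;

// Query 2: per affected host, count the distinct users who can reach
// SYSTEM on it and list them, so remediation (moving the runner off a
// domain-joined host or off the shell executor) can be prioritised by
// the number of principals exposed.
MATCH (u:GL_User)-[:GL_HasRole]->(:GL_ProjectRole)
      -[:GL_CanPush]->(b:GL_Branch)
      -[:GL_BuildsAsSystem]->(c:Computer)
WITH c, collect(DISTINCT u.name) AS pushers, collect(DISTINCT b.name) AS branches
RETURN c.name AS host, size(pushers) AS user_count, pushers, branches
ORDER BY user_count DESC;
```

Returning the matched path (`RETURN p` after binding `p = (u)-[...]->(c)`) instead of the tabular columns renders the same result in the BloodHound graph view.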