From 2cecc20a827ed4967fa21c2bd703b70fbb63049d Mon Sep 17 00:00:00 2001 
From: JonasBK
Date: Thu, 9 Apr 2026 11:46:00 +0200
Subject: [PATCH 01/16] update schema, queries, pz rules, and descriptions based on GitHound updates
---
 descriptions/edges/GH_CallsWorkflow.md | 10 ++++
 descriptions/edges/GH_CanAccess.md | 2 +-
 descriptions/edges/GH_CanPwnRequest.md | 59 +++++++++++++++++++
 descriptions/edges/GH_CanWriteBranch.md | 2 +-
 descriptions/edges/GH_ClosePullRequest.md | 2 +-
 descriptions/edges/GH_DependsOn.md | 3 +
 descriptions/edges/GH_DeploysTo.md | 3 +
 descriptions/edges/GH_HasExternalIdentity.md | 2 +-
 descriptions/edges/GH_HasJob.md | 3 +
 .../edges/GH_HasSamlIdentityProvider.md | 2 +-
 descriptions/edges/GH_HasStep.md | 3 +
 .../edges/GH_ManageSettingsProjects.md | 2 +-
 descriptions/edges/GH_ManageTopics.md | 2 +-
 descriptions/edges/GH_MapsToUser.md | 2 +-
 ..._OrgBypassSecretScanningClosureRequests.md | 2 +-
 descriptions/edges/GH_ReadRepoContents.md | 4 --
 descriptions/edges/GH_TransferRepository.md | 2 +-
 descriptions/edges/GH_UsesSecret.md | 19 ++++++
 descriptions/edges/GH_UsesVariable.md | 19 ++++++
 .../edges/GH_ViewSecretScanningAlerts.md | 2 +-
 .../GH_WriteOrganizationActionsVariables.md | 2 +-
 descriptions/nodes/GH_BranchProtectionRule.md | 2 +-
 descriptions/nodes/GH_OrgSecret.md | 2 +-
 descriptions/nodes/GH_OrgVariable.md | 2 +-
 descriptions/nodes/GH_RepoRole.md | 2 +-
 descriptions/nodes/GH_Repository.md | 2 +-
 descriptions/nodes/GH_WorkflowJob.md | 3 +
 descriptions/nodes/GH_WorkflowStep.md | 3 +
 extension/privilege_zone_rules/README.md | 42 +++++++++++++
 .../t0-all-repo-admin-role.json | 2 +-
 .../t0-app-installations-all-repos.json | 4 +-
 .../t0-apps-all-repos.json | 2 +-
 .../t0-external-identities-owners.json | 2 +-
 .../t0-organizations.json | 2 +-
 .../privilege_zone_rules/t0-owner-users.json | 2 +-
 .../privilege_zone_rules/t0-owners-role.json | 2 +-
 .../t0-pats-all-repos.json | 4 +-
 .../t0-privilege-escalation-roles.json | 4 +-
 .../t0-privilege-escalation-users.json | 4 +-
 .../t0-saml-identity-providers.json | 2 +-
 .../actions-sha-pinning-not-required.json | 4 +-
 .../saved_searches/active-leaked-secrets.json | 4 +-
 .../advanced-security-disabled-new-repos.json | 4 +-
 .../saved_searches/all-actions-allowed.json | 4 +-
 .../app-installations-all-repos.json | 4 +-
 ...branch-protection-admins-not-enforced.json | 4 +-
 .../branch-protection-deletions-allowed.json | 4 +-
 .../branch-protection-force-pushes.json | 4 +-
 ...anch-protection-no-code-owner-reviews.json | 4 +-
 .../branch-protection-no-pr-reviews.json | 4 +-
 .../branch-protection-no-status-checks.json | 4 +-
 .../branch-protection-self-approval.json | 4 +-
 .../branch-protection-stale-reviews.json | 4 +-
 .../bypass-pr-requirements.json | 4 +-
 .../dangerous-branch-perms.json | 4 +-
 .../default-repository-permissions.json | 4 +-
 .../demo-sso-to-cloud-round-trip.json | 6 +-
 .../dependabot-alerts-disabled-new-repos.json | 4 +-
 ...dependabot-updates-disabled-new-repos.json | 4 +-
 .../dependency-graph-disabled-new-repos.json | 4 +-
 .../environments-admin-bypass.json | 4 +-
 extension/saved_searches/expired-pats.json | 4 +-
 .../external-identities-without-scim.json | 4 +-
 .../github-to-azure-identity.json | 4 +-
 .../saved_searches/global-repo-perms.json | 4 +-
 .../saved_searches/hybrid-identities.json | 4 +-
 .../members-can-change-repo-visibility.json | 4 +-
 .../members-can-create-pages.json | 4 +-
 .../members-can-create-public-repos.json | 4 +-
 .../members-can-delete-repos.json | 4 +-
 .../members-can-fork-private-repos.json | 4 +-
 ...bers-can-invite-outside-collaborators.json | 4 +-
 extension/saved_searches/org-owners.json | 4 +-
 .../saved_searches/orgs-without-2fa.json | 4 +-
 .../saved_searches/pats-all-repo-access.json | 4 +-
 .../saved_searches/pending-pat-requests.json | 4 +-
 .../private-repos-forking-allowed.json | 4 +-
 .../privileged-custom-org-roles.json | 4 +-
 .../privileged-hybrid-identities.json | 4 +-
 extension/saved_searches/public-repos.json | 4 +-
 .../push-protection-disabled-new-repos.json | 4 +-
 .../push-to-protected-branches.json | 4 +-
 .../repos-secret-scanning-disabled.json | 4 +-
 ...s-vulnerable-to-workflow-secret-exfil.json | 4 +-
 .../saved_searches/repository-workflows.json | 4 +-
 .../saved_searches/saml-configuration.json | 4 +-
 .../secret-scanning-alerts.json | 4 +-
 .../secret-scanning-disabled-new-repos.json | 4 +-
 .../secrets-reachable-by-user.json | 4 +-
 .../saved_searches/team-membership-admin.json | 4 +-
 extension/saved_searches/team-structure.json | 4 +-
 .../saved_searches/unprotected-branches.json | 4 +-
 ...rotected-default-branch-with-workflow.json | 4 +-
 .../unprotected-default-branches.json | 4 +-
 .../web-commit-signoff-not-required.json | 4 +-
 extension/schema.json | 2 +-
 96 files changed, 311 insertions(+), 148 deletions(-)
 create mode 100644 descriptions/edges/GH_CallsWorkflow.md
 create mode 100644 descriptions/edges/GH_CanPwnRequest.md
 create mode 100644 descriptions/edges/GH_DependsOn.md
 create mode 100644 descriptions/edges/GH_DeploysTo.md
 create mode 100644 descriptions/edges/GH_HasJob.md
 create mode 100644 descriptions/edges/GH_HasStep.md
 create mode 100644 descriptions/edges/GH_UsesSecret.md
 create mode 100644 descriptions/edges/GH_UsesVariable.md
 create mode 100644 descriptions/nodes/GH_WorkflowJob.md
 create mode 100644 descriptions/nodes/GH_WorkflowStep.md
 create mode 100644 extension/privilege_zone_rules/README.md
diff --git a/descriptions/edges/GH_CallsWorkflow.md b/descriptions/edges/GH_CallsWorkflow.md
new file mode 100644
index 0000000..1c6f616
--- /dev/null
+++ b/descriptions/edges/GH_CallsWorkflow.md
@@ -0,0 +1,10 @@
+## General Information
+
+The traversable `GH_CallsWorkflow` edge links a workflow job to a reusable workflow it invokes via the `uses:` key at the job level. Created by `Parse-GitHoundWorkflow`, this edge captures the reusable workflow call graph, enabling analysts to trace inherited permissions and secret access through called workflows.
+
+### Local vs. remote reusable workflows
+
+- **Local** (`./. github/workflows/_ci.yml`): the destination is matched by `name` against workflows in the same repository.
+- **Remote** (`org/repo/.github/workflows/file.yml@ref`): the destination is matched by the full reference string. If the called workflow has not been collected, the edge destination will not resolve.
+
+The `reusable_ref` property on the edge always contains the raw `uses:` value from the workflow file.
diff --git a/descriptions/edges/GH_CanAccess.md b/descriptions/edges/GH_CanAccess.md
index bef81e0..6b21cfb 100644
--- a/descriptions/edges/GH_CanAccess.md
+++ b/descriptions/edges/GH_CanAccess.md
@@ -1,3 +1,3 @@
-# General Information
+## General Information
 
 The non-traversable `GH_CanAccess` edge indicates that a personal access token or app installation has been granted access to specific repositories. It is created by `Git-HoundPersonalAccessToken` and `Git-HoundPersonalAccessTokenRequest` for PATs, and by `Git-HoundAppInstallation` for app installations. This edge represents the scope of access granted to a token or app rather than a direct attack path, providing visibility into which repositories are reachable through non-human credentials. It is non-traversable because token and app access does not transitively extend to other principals.
diff --git a/descriptions/edges/GH_CanPwnRequest.md b/descriptions/edges/GH_CanPwnRequest.md
new file mode 100644
index 0000000..e02989a
--- /dev/null
+++ b/descriptions/edges/GH_CanPwnRequest.md
@@ -0,0 +1,59 @@
+## General Information
+
+The traversable `GH_CanPwnRequest` edge indicates that a repository role can exploit a pwn-requestable workflow to execute arbitrary code with the base branch's secrets, GITHUB_TOKEN permissions, and OIDC identity. Created by `Get-PwnRequestEdges`, this is a computed edge that combines workflow analysis with repository access and fork policy evaluation.
+
+### Pwn Request Conditions
+
+A workflow is considered pwn-requestable (`is_pwn_requestable = true`) when **all** of the following are true:
+
+1. **`pull_request_target` trigger**: The workflow is triggered by `pull_request_target`, which runs in the context of the base branch (not the fork) and has access to the base branch's secrets and permissions.
+2. **Attacker-controlled checkout**: A step uses `actions/checkout` with a `ref` parameter pointing to the pull request head, meaning attacker-supplied code from the fork replaces the trusted repository contents. Detected ref patterns:
+   - `${{ github.event.pull_request.head.sha }}`
+   - `${{ github.event.pull_request.head.ref }}`
+   - `${{ github.head_ref }}`
+
+### Edge Drawing Conditions
+
+An edge is drawn from a `GH_RepoRole` to the repository (and its branches) when:
+
+1. **Read access**: The role has a `GH_ReadRepoContents` edge to the repository (read access is the minimum required to fork).
+2. **Forkability**: The repository can be forked by the role holder:
+   - **Public repos**: Always forkable by anyone on GitHub.
+   - **Private/internal repos**: Requires both the organization setting `members_can_fork_private_repositories = true` AND the repository setting `allow_forking = true`.
+3. **Pwn-requestable workflow**: The repository has at least one workflow with `is_pwn_requestable = true`.
+
+### Branch Targeting
+
+- If the `pull_request_target` trigger has a `branches:` filter (e.g., `branches: [main]`), edges are drawn only to matching branches and the repository.
+- If unconstrained, edges are drawn to the repository and all of its branches.
+
+### Attack Impact
+
+An attacker who exploits a pwn request gains code execution in the workflow runner with access to:
+
+- **Repository secrets** scoped to the base branch
+- **Organization secrets** accessible by the repository
+- **GITHUB_TOKEN** with the workflow's declared permissions (often `write`)
+- **OIDC tokens** if `id-token: write` is set, enabling cloud identity assumption via `GH_CanAssumeIdentity`
+- **Environment secrets** if the workflow job targets a deployment environment
+
+### Caveats
+
+- **OIDC traversal requires `id-token: write`**: The attack chain from `GH_CanPwnRequest` through `GH_CanAssumeIdentity` to a cloud role is only valid if the pwn-requestable workflow (or job) explicitly declares `id-token: write` in its `permissions:` block. The `id-token` permission defaults to `none` and is never implicitly granted — even when the workflow has no `permissions:` block at all. The `permissions` property on the `GH_WorkflowJob` node can be inspected to verify this.
+- **GITHUB_TOKEN permissions**: The `permissions:` block controls what the `GITHUB_TOKEN` can do (e.g., push commits, create releases), but has no effect on secret access, OIDC token requests (governed separately by `id-token`), or arbitrary code execution. A workflow with `contents: read` is still fully exploitable via pwn request for secret exfiltration and lateral movement — only write-back to the repository is limited.
+
+```mermaid
+graph LR
+    role("GH_RepoRole repo-read")
+    repo("GH_Repository private-app")
+    branch("GH_Branch main")
+    wf("GH_Workflow vulnerable-ci.yml")
+    secret("GH_RepoSecret DEPLOY_KEY")
+    cloud("AWSRole deploy-prod")
+
+    role -- GH_CanPwnRequest --> repo
+    role -- GH_CanPwnRequest --> branch
+    repo -.- |GH_HasWorkflow| wf
+    repo -.- |GH_Contains| secret
+    branch -- GH_CanAssumeIdentity --> cloud
+```
\ No newline at end of file
diff --git a/descriptions/edges/GH_CanWriteBranch.md b/descriptions/edges/GH_CanWriteBranch.md
index b45bbc0..e0b7847 100644
--- a/descriptions/edges/GH_CanWriteBranch.md
+++ b/descriptions/edges/GH_CanWriteBranch.md
@@ -1,4 +1,4 @@
-# General Information
+## General Information
 
 The traversable `GH_CanWriteBranch` edge is a computed edge indicating that a role or actor can push to a specific branch. Created by `Compute-GitHoundBranchAccess` with no additional API calls, the computation evaluates both the merge gate (PR review requirements) and push gate (push restrictions) of any branch protection rule protecting the branch. Role-level edges are the common case; per-actor edges from `GH_User` or `GH_Team` are only emitted when BPR allowances grant access beyond what the role provides. Each edge includes a `reason` property (`no_protection`, `admin`, `push_protected_branch`, `bypass_branch_protection`, `push_allowance`, `bypass_pr_allowance`) and a `query_composition` Cypher query showing the underlying graph evidence.
diff --git a/descriptions/edges/GH_ClosePullRequest.md b/descriptions/edges/GH_ClosePullRequest.md
index abe27ce..bc6ec77 100644
--- a/descriptions/edges/GH_ClosePullRequest.md
+++ b/descriptions/edges/GH_ClosePullRequest.md
@@ -1,3 +1,3 @@
-# General Information
+## General Information
 
 The non-traversable `GH_ClosePullRequest` edge represents a role's ability to close pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_DependsOn.md b/descriptions/edges/GH_DependsOn.md
new file mode 100644
index 0000000..a799856
--- /dev/null
+++ b/descriptions/edges/GH_DependsOn.md
@@ -0,0 +1,3 @@
+## General Information
+
+The non-traversable `GH_DependsOn` edge represents a `needs:` dependency between two jobs in the same workflow. Created by `Parse-GitHoundWorkflow`, this edge captures execution order constraints — the source job will not start until the destination job completes successfully. This edge is non-traversable because it represents sequencing only, not an access or privilege path.
diff --git a/descriptions/edges/GH_DeploysTo.md b/descriptions/edges/GH_DeploysTo.md
new file mode 100644
index 0000000..a72867a
--- /dev/null
+++ b/descriptions/edges/GH_DeploysTo.md
@@ -0,0 +1,3 @@
+## General Information
+
+The non-traversable `GH_DeploysTo` edge links a workflow job to the GitHub Environment it targets via the `environment:` key. Created by `Parse-GitHoundWorkflow`, this edge records which jobs deploy to which environments. Environments can gate deployments with protection rules (required reviewers, wait timers, deployment branch policies) and can expose environment-scoped secrets.
diff --git a/descriptions/edges/GH_HasExternalIdentity.md b/descriptions/edges/GH_HasExternalIdentity.md
index 24ca725..f7426f7 100644
--- a/descriptions/edges/GH_HasExternalIdentity.md
+++ b/descriptions/edges/GH_HasExternalIdentity.md
@@ -1,3 +1,3 @@
-# General Information
+## General Information
 
 The non-traversable `GH_HasExternalIdentity` edge represents the relationship between a SAML identity provider and the external identities (SSO users) it manages. Created by `Git-HoundGraphQlSamlProvider`, this edge links each external identity to the SAML provider that authenticated it. External identities are a key component in cross-platform attack path analysis because they bridge the gap between corporate identity providers and GitHub user accounts via the `GH_MapsToUser` edge. Enumerating external identities reveals which corporate users have linked GitHub accounts and enables mapping from IdP compromise to GitHub access.
diff --git a/descriptions/edges/GH_HasJob.md b/descriptions/edges/GH_HasJob.md
new file mode 100644
index 0000000..5c49fe9
--- /dev/null
+++ b/descriptions/edges/GH_HasJob.md
@@ -0,0 +1,3 @@
+## General Information
+
+The traversable `GH_HasJob` edge links a workflow to each of its jobs. Created by `Parse-GitHoundWorkflow`, this edge is the primary structural link for walking from a workflow definition into its execution units. Because jobs can declare environments and permissions, traversing this edge enables analysts to reason about what a workflow can do and where it can deploy.
diff --git a/descriptions/edges/GH_HasSamlIdentityProvider.md b/descriptions/edges/GH_HasSamlIdentityProvider.md
index 6206c33..95a544e 100644
--- a/descriptions/edges/GH_HasSamlIdentityProvider.md
+++ b/descriptions/edges/GH_HasSamlIdentityProvider.md
@@ -1,3 +1,3 @@
-# General Information
+## General Information
 
 The non-traversable `GH_HasSamlIdentityProvider` edge represents the relationship between an organization and its SAML identity provider configuration. Created by `Git-HoundGraphQlSamlProvider`, this edge links an organization to the SAML SSO provider used for authentication and user provisioning. SAML identity providers are a critical security component because they establish the trust boundary between an external identity provider (such as Entra ID or Okta) and the GitHub organization. Understanding this relationship is essential for mapping cross-platform attack paths where compromise of the identity provider could lead to access within the GitHub organization.
diff --git a/descriptions/edges/GH_HasStep.md b/descriptions/edges/GH_HasStep.md
new file mode 100644
index 0000000..27aab07
--- /dev/null
+++ b/descriptions/edges/GH_HasStep.md
@@ -0,0 +1,3 @@
+## General Information
+
+The traversable `GH_HasStep` edge links a job to each of its steps in execution order. Created by `Parse-GitHoundWorkflow`, this edge enables analysts to enumerate all actions and shell commands executed by a job, including which secrets and variables each step consumes.
diff --git a/descriptions/edges/GH_ManageSettingsProjects.md b/descriptions/edges/GH_ManageSettingsProjects.md
index e41206e..18b9be4 100644
--- a/descriptions/edges/GH_ManageSettingsProjects.md
+++ b/descriptions/edges/GH_ManageSettingsProjects.md
@@ -1,3 +1,3 @@
-# General Information
+## General Information
 
 The non-traversable `GH_ManageSettingsProjects` edge represents a role's ability to manage project board settings on the repository. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_ManageTopics.md b/descriptions/edges/GH_ManageTopics.md
index 0ca7730..78c101b 100644
--- a/descriptions/edges/GH_ManageTopics.md
+++ b/descriptions/edges/GH_ManageTopics.md
@@ -1,3 +1,3 @@
-# General Information
+## General Information
 
 The non-traversable `GH_ManageTopics` edge represents a role's ability to manage repository topics used for discovery and classification. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_MapsToUser.md b/descriptions/edges/GH_MapsToUser.md
index 935cc95..ec0d949 100644
--- a/descriptions/edges/GH_MapsToUser.md
+++ b/descriptions/edges/GH_MapsToUser.md
@@ -1,3 +1,3 @@
 ## General Information
 
-The non-traversable `GH_MapsToUser` edge maps an external identity (provisioned via SAML or SCIM) to a GitHub user within the organization, or to an external IdP user (such as AZUser, OktaUser, or PingOneUser) in hybrid graph scenarios. It is created by `Git-HoundGraphQlSamlProvider` for SAML-linked identities and `Git-HoundScimUser` for SCIM-provisioned identities. This edge represents identity correlation rather than an attack path, connecting a user's external IdP account to their GitHub account for visibility into federated identity mappings.
+The non-traversable `GH_MapsToUser` edge maps an external identity (provisioned via SAML or SCIM) to a GitHub user within the organization, or to an external IdP user (such as [AZUser](https://bloodhound.specterops.io/resources/nodes/az-user), [Okta_User](https://bloodhound.specterops.io/opengraph/extensions/oktahound/reference/nodes/okta_user), or [PingOneUser](https://github.com/andyrobbins/PingOneHound?tab=readme-ov-file#schema)) in hybrid graph scenarios. It is created by `Git-HoundGraphQlSamlProvider` for SAML-linked identities and `Git-HoundScimUser` for SCIM-provisioned identities. This edge represents identity correlation rather than an attack path, connecting a user's external IdP account to their GitHub account for visibility into federated identity mappings.
diff --git a/descriptions/edges/GH_OrgBypassSecretScanningClosureRequests.md b/descriptions/edges/GH_OrgBypassSecretScanningClosureRequests.md
index e21538b..62aec77 100644
--- a/descriptions/edges/GH_OrgBypassSecretScanningClosureRequests.md
+++ b/descriptions/edges/GH_OrgBypassSecretScanningClosureRequests.md
@@ -1,3 +1,3 @@
-# General Information
+## General Information
 
 The non-traversable `GH_OrgBypassSecretScanningClosureRequests` edge represents that a role can bypass secret scanning closure requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. This permission allows closing secret scanning alerts without going through the standard review and approval process, which is significant because an attacker could use it to suppress alerts about leaked credentials and prevent incident response teams from being notified.
diff --git a/descriptions/edges/GH_ReadRepoContents.md b/descriptions/edges/GH_ReadRepoContents.md
index 233e67f..bab175e 100644
--- a/descriptions/edges/GH_ReadRepoContents.md
+++ b/descriptions/edges/GH_ReadRepoContents.md
@@ -1,7 +1,3 @@
----
-kind: GH_ReadRepoContents
-is_traversable: false
----
 ## General Information
 
 The non-traversable `GH_ReadRepoContents` edge represents a role's ability to read repository contents including source code, issues, and pull requests. This is the base level of repository access, available to all roles at the Read permission level and above (Read, Triage, Write, Maintain, Admin).
diff --git a/descriptions/edges/GH_TransferRepository.md b/descriptions/edges/GH_TransferRepository.md
index a70b090..042a381 100644
--- a/descriptions/edges/GH_TransferRepository.md
+++ b/descriptions/edges/GH_TransferRepository.md
@@ -1,3 +1,3 @@
-# General Information
+## General Information
 
 The non-traversable `GH_TransferRepository` edge represents that a role has the ability to transfer repositories to or from the organization. This permission is typically restricted to Owners, as transferring a repository can move it outside of the organization's security controls, branch protection rules, and audit logging. An attacker with this permission could transfer a repository to an organization they control, effectively exfiltrating the codebase and its associated secrets.
diff --git a/descriptions/edges/GH_UsesSecret.md b/descriptions/edges/GH_UsesSecret.md
new file mode 100644
index 0000000..86eb72d
--- /dev/null
+++ b/descriptions/edges/GH_UsesSecret.md
@@ -0,0 +1,19 @@
+## General Information
+
+The traversable `GH_UsesSecret` edge links a workflow step to the secret it references via a `${{ secrets.NAME }}` expression. Created by `Parse-GitHoundWorkflow`, this edge reveals which secrets a step can access at runtime, enabling analysts to trace the blast radius of a compromised workflow.
+
+### Matching strategy
+
+Edges use `match_by: property` with two matchers to disambiguate between secrets with the same name across repositories:
+
+- **GH_RepoSecret** is matched by `name` + `repository_id` (the GitHub node_id of the repository).
+- **GH_OrgSecret** is matched by `name` + `environmentid` (the node_id of the organization, which acts as the org-level secret scope).
+
+This means one `${{ secrets.MY_SECRET }}` expression in a workflow can produce up to two `GH_UsesSecret` edges — one to the repo-level secret and one to the org-level secret — reflecting that either could supply the value at runtime depending on scope precedence.
+
+### Context property
+
+The edge carries a `context` property indicating where the reference was found:
+- `with` — inside a `with:` input block of a `uses:` action step
+- `env` — inside the step's `env:` block
+- `run` — inline within a `run:` shell script
diff --git a/descriptions/edges/GH_UsesVariable.md b/descriptions/edges/GH_UsesVariable.md
new file mode 100644
index 0000000..cbf58c3
--- /dev/null
+++ b/descriptions/edges/GH_UsesVariable.md
@@ -0,0 +1,19 @@
+## General Information
+
+The non-traversable `GH_UsesVariable` edge links a workflow step to the variable it references via a `${{ vars.NAME }}` expression. Created by `Parse-GitHoundWorkflow`, this edge maps variable consumption within workflows. Unlike secrets, variable values are readable via the API, making them lower sensitivity — but they can still influence workflow behavior (e.g., controlling target environments or feature flags).
+
+### Matching strategy
+
+Edges use `match_by: property` with two matchers to disambiguate between variables with the same name across repositories:
+
+- **GH_RepoVariable** is matched by `name` + `repository_id` (the GitHub node_id of the repository).
+- **GH_OrgVariable** is matched by `name` + `environmentid` (the node_id of the organization, which acts as the org-level variable scope).
+
+This means one `${{ vars.MY_VAR }}` expression can produce up to two `GH_UsesVariable` edges — one to the repo-level variable and one to the org-level variable.
+
+### Context property
+
+The edge carries a `context` property indicating where the reference was found:
+- `with` — inside a `with:` input block of a `uses:` action step
+- `env` — inside the step's `env:` block
+- `run` — inline within a `run:` shell script
diff --git a/descriptions/edges/GH_ViewSecretScanningAlerts.md b/descriptions/edges/GH_ViewSecretScanningAlerts.md
index 0b54721..d5f3e66 100644
--- a/descriptions/edges/GH_ViewSecretScanningAlerts.md
+++ b/descriptions/edges/GH_ViewSecretScanningAlerts.md
@@ -1,3 +1,3 @@
-# General Information
+## General Information
 
 The non-traversable `GH_ViewSecretScanningAlerts` edge represents that a role can view secret scanning alerts at the organization or repository level. This edge is dynamically generated from custom role permissions discovered by the collector. Secret scanning alerts may reveal details about leaked credentials, including partial or full secret values and the locations where they were detected. This makes the permission significant for security because an attacker with access to view these alerts could harvest exposed credentials for use in lateral movement or privilege escalation.
diff --git a/descriptions/edges/GH_WriteOrganizationActionsVariables.md b/descriptions/edges/GH_WriteOrganizationActionsVariables.md
index 71e2ebd..50261c7 100644
--- a/descriptions/edges/GH_WriteOrganizationActionsVariables.md
+++ b/descriptions/edges/GH_WriteOrganizationActionsVariables.md
@@ -1,3 +1,3 @@
-# General Information
+## General Information
 
 The non-traversable `GH_WriteOrganizationActionsVariables` edge represents that a role can write organization-level GitHub Actions variables. This edge is dynamically generated from custom organization role permissions discovered by the collector. Organization-level variables are available to workflows across multiple repositories and often contain configuration values such as environment URLs, feature flags, and service endpoints. An attacker with this permission could overwrite existing variables to redirect workflows to malicious endpoints or alter application behavior.
diff --git a/descriptions/nodes/GH_BranchProtectionRule.md b/descriptions/nodes/GH_BranchProtectionRule.md
index 96d9c5e..0841e99 100644
--- a/descriptions/nodes/GH_BranchProtectionRule.md
+++ b/descriptions/nodes/GH_BranchProtectionRule.md
@@ -21,7 +21,7 @@ Branch protection rules are critical security controls. Key settings to review:
 The only branch protection configuration that blocks the write-access → workflow → secrets exfiltration attack path is `push_restrictions` + `blocks_creations` on a `*` pattern rule. However, users with `GH_PushProtectedBranch`, `GH_AdminTo`, `GH_RestrictionsCanPush`, or `GH_EditRepoProtections` can bypass this control.
-For complete analysis, see [MITIGATING_CONTROLS.md](../MITIGATING_CONTROLS.md).
+For complete analysis, see [BloodHound Docs: GitHound - Mitigating Controls](https://bloodhound.specterops.io/opengraph/extensions/githound/reference/mitigating-controls).
 ### Identifying Bypass Actors
diff --git a/descriptions/nodes/GH_OrgSecret.md b/descriptions/nodes/GH_OrgSecret.md
index 024cca1..cf8213b 100644
--- a/descriptions/nodes/GH_OrgSecret.md
+++ b/descriptions/nodes/GH_OrgSecret.md
@@ -1,3 +1,3 @@
 ## Description
 
-Represents an organization-level GitHub Actions secret. Organization secrets can be scoped to all repositories, only private/internal repositories, or a specific set of selected repositories. The visibility property determines how GH_HasSecret edges are resolved to repository nodes.
+Represents an organization-level GitHub Actions secret. Organization secrets can be scoped to all repositories, only private/internal repositories, or a specific set of selected repositories. The visibility property determines how `GH_HasSecret` edges are resolved to repository nodes.
diff --git a/descriptions/nodes/GH_OrgVariable.md b/descriptions/nodes/GH_OrgVariable.md
index 472e233..a5b97a7 100644
--- a/descriptions/nodes/GH_OrgVariable.md
+++ b/descriptions/nodes/GH_OrgVariable.md
@@ -1,3 +1,3 @@
 ## Description
 
-Represents an organization-level GitHub Actions variable. Organization variables can be scoped to all repositories, only private/internal repositories, or a specific set of selected repositories. The visibility property determines how GH_HasVariable edges are resolved to repository nodes. Unlike secrets, variable values are readable via the API.
+Represents an organization-level GitHub Actions variable. Organization variables can be scoped to all repositories, only private/internal repositories, or a specific set of selected repositories. The visibility property determines how `GH_HasVariable` edges are resolved to repository nodes. Unlike secrets, variable values are readable via the API.
diff --git a/descriptions/nodes/GH_RepoRole.md b/descriptions/nodes/GH_RepoRole.md
index 945f129..108c57d 100644
--- a/descriptions/nodes/GH_RepoRole.md
+++ b/descriptions/nodes/GH_RepoRole.md
@@ -1,3 +1,3 @@
 ## Description
 
-Represents a repository-level permission role. Each repository has five default roles (Read, Write, Admin, Triage, Maintain) plus any custom repository roles defined at the organization level. Repo roles define what actions a user or team can perform on a specific repository. Default roles form an inheritance hierarchy (Triage → Read, Maintain → Write, Admin includes all), and custom roles inherit from one of the base roles.
+Represents a repository-level permission role. Each repository has five default roles (Read, Write, Admin, Triage, Maintain) plus any custom repository roles defined at the organization level. Repo roles define what actions a user or team can perform on a specific repository. Default roles form an inheritance hierarchy (Triage -> Read, Maintain -> Write, Admin includes all), and custom roles inherit from one of the base roles.
diff --git a/descriptions/nodes/GH_Repository.md b/descriptions/nodes/GH_Repository.md
index 82569a3..0f9382b 100644
--- a/descriptions/nodes/GH_Repository.md
+++ b/descriptions/nodes/GH_Repository.md
@@ -1,3 +1,3 @@
 ## Description
 
-Represents a GitHub repository within the organization. Repository nodes capture metadata about the repo including visibility, Actions enablement status, and security configuration. Repository role nodes (GH_RepoRole) are created alongside each repository to represent the permission levels available.
+Represents a GitHub repository within the organization. Repository nodes capture metadata about the repo including visibility, Actions enablement status, and security configuration. Repository role nodes (`GH_RepoRole`) are created alongside each repository to represent the permission levels available.
diff --git a/descriptions/nodes/GH_WorkflowJob.md b/descriptions/nodes/GH_WorkflowJob.md
new file mode 100644
index 0000000..b375adf
--- /dev/null
+++ b/descriptions/nodes/GH_WorkflowJob.md
@@ -0,0 +1,3 @@
+## Description
+
+Represents a single job within a GitHub Actions workflow. Jobs are the top-level execution units of a workflow — they run on a runner, hold a set of steps, and can declare permissions, environments, and dependencies on other jobs.
diff --git a/descriptions/nodes/GH_WorkflowStep.md b/descriptions/nodes/GH_WorkflowStep.md
new file mode 100644
index 0000000..fac90e4
--- /dev/null
+++ b/descriptions/nodes/GH_WorkflowStep.md
@@ -0,0 +1,3 @@
+## Description
+
+Represents a single step within a GitHub Actions job. A step is either a `uses:` action reference or a `run:` shell command. Steps are the leaf nodes of the workflow execution tree and are the primary location where secrets and variables are consumed.
diff --git a/extension/privilege_zone_rules/README.md b/extension/privilege_zone_rules/README.md
new file mode 100644
index 0000000..cbe753e
--- /dev/null
+++ b/extension/privilege_zone_rules/README.md
@@ -0,0 +1,42 @@
+# Privilege Zone Classification Rules
+
+This directory contains Tier Zero (T0) classification rules for GitHub organizations collected by GitHound. These rules identify assets whose compromise grants control over the entire organization or the ability to compromise everything else.
+
+For the full rationale and classification methodology, see [Documentation/TIER_ZERO.md](../Documentation/TIER_ZERO.md).
+
+## Rule Format
+
+Each rule is a JSON file with the following schema:
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `name` | string | Display name prefixed with `GitHub: Tier Zero` |
+| `description` | string | Explanation of why this asset is T0 |
+| `cypher` | string | Cypher query that returns nodes to classify as T0 |
+| `enabled` | boolean | Whether the rule is active |
+| `allow_disable` | boolean | Whether the rule can be disabled by the user |
+
+All rules use `RETURN n` (returning individual nodes for classification) rather than `RETURN p` (returning paths for visualization).
+
+## Rules
+
+### Control Plane — Organizational Authority
+
+| Rule | File | Description |
+|------|------|-------------|
+| Tier Zero Organizations | [t0-organizations.json](t0-organizations.json) | The organization itself — root trust boundary |
+| Tier Zero Owners Role | [t0-owners-role.json](t0-owners-role.json) | The owners org role — full administrative control |
+| Tier Zero Owner Users | [t0-owner-users.json](t0-owner-users.json) | Users holding the owners role |
+| Tier Zero SAML Identity Providers | [t0-saml-identity-providers.json](t0-saml-identity-providers.json) | SAML IdP — controls SSO authentication |
+| Tier Zero External Identities (Owner-Mapped) | [t0-external-identities-owners.json](t0-external-identities-owners.json) | IdP identities mapped to org owners |
+| Tier Zero Privilege Escalation Roles | [t0-privilege-escalation-roles.json](t0-privilege-escalation-roles.json) | Custom roles with `write_organization_custom_org_role` — guaranteed self-escalation to all_repo_admin |
+| Tier Zero Privilege Escalation Users | [t0-privilege-escalation-users.json](t0-privilege-escalation-users.json) | Users holding privilege escalation roles |
+
+### Data Plane — Universal Repository Access
+
+| Rule | File | Description |
+|------|------|-------------|
+| Tier Zero All-Repo Admin Role | [t0-all-repo-admin-role.json](t0-all-repo-admin-role.json) | Synthetic role granting admin on every repository |
+| Tier Zero App Installations (All Repositories) | [t0-app-installations-all-repos.json](t0-app-installations-all-repos.json) | App installations scoped to all repositories |
+| Tier Zero Apps (All-Repository Installations) | [t0-apps-all-repos.json](t0-apps-all-repos.json) | App definitions with all-repository installations |
+| Tier Zero PATs (All Repositories) | [t0-pats-all-repos.json](t0-pats-all-repos.json) | Personal access tokens scoped to all repositories |
diff --git a/extension/privilege_zone_rules/t0-all-repo-admin-role.json b/extension/privilege_zone_rules/t0-all-repo-admin-role.json
index bbf5314..eff2bed 100644
--- a/extension/privilege_zone_rules/t0-all-repo-admin-role.json
+++ b/extension/privilege_zone_rules/t0-all-repo-admin-role.json
@@ -1,7 +1,7 @@
 {
   "name": "GitHub: Tier Zero All-Repo Admin Role",
   "description": "The synthetic all_repo_admin role grants admin access to every repository in the organization. This role is inherited by the owners role via GH_HasBaseRole and cascades admin permissions including branch protection editing, secret access, and deploy key management to all repositories.",
-  "cypher": "MATCH (n:GH_OrgRole) WHERE n.name ENDS WITH '/all_repo_admin' RETURN n",
+  "cypher": "MATCH (n:GH_OrgRole)\nWHERE n.name ENDS\nWITH '/all_repo_admin'\nRETURN n",
   "enabled": true,
   "zone": "Tier Zero",
   "allow_disable": true
diff --git a/extension/privilege_zone_rules/t0-app-installations-all-repos.json b/extension/privilege_zone_rules/t0-app-installations-all-repos.json
index 3fcf3f8..cf6850e 100644
--- a/extension/privilege_zone_rules/t0-app-installations-all-repos.json
+++ b/extension/privilege_zone_rules/t0-app-installations-all-repos.json
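Review bot: The reformatted `cypher` value on the `+` line splits the two-word operator `ENDS WITH` across a line break, so the query now reads as a `WITH` projection clause rather than a suffix test on `n.name`. Neo4j treats the newline as ordinary whitespace, so it most likely still parses, but the formatter that produced this clearly mistook `WITH` for a clause keyword and any reader or stricter linter will do the same. Keep the operator on one line: `"cypher": "MATCH (n:GH_OrgRole)\nWHERE n.name ENDS WITH '/all_repo_admin'\nRETURN n"`.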
@@ -1,7 +1,7 @@
 {
   "name": "GitHub: Tier Zero App Installations (All Repositories)",
-  "description": "GitHub App installations scoped to all repositories in the organization that have at least one write permission. A compromised app credential grants write access to every repository. Installations with only read permissions are excluded — they pose a data exfiltration risk but do not grant control over the organization.",
-  "cypher": "MATCH (n:GH_AppInstallation {repository_selection:'all'}) WHERE n.permissions CONTAINS '\"write\"' RETURN n",
+  "description": "GitHub App installations scoped to all repositories in the organization that have at least one write permission. A compromised app credential grants write access to every repository. Installations with only read permissions are excluded \u2014 they pose a data exfiltration risk but do not grant control over the organization.",
+  "cypher": "MATCH (n:GH_AppInstallation {repository_selection:'all'})\nWHERE n.permissions CONTAINS '\"write\"'\nRETURN n",
   "enabled": true,
   "zone": "Tier Zero",
   "allow_disable": true
diff --git a/extension/privilege_zone_rules/t0-apps-all-repos.json b/extension/privilege_zone_rules/t0-apps-all-repos.json
index aec4744..040e7e8 100644
--- a/extension/privilege_zone_rules/t0-apps-all-repos.json
+++ b/extension/privilege_zone_rules/t0-apps-all-repos.json
@@ -1,7 +1,7 @@
 {
   "name": "GitHub: Tier Zero Apps (All-Repository Installations)",
   "description": "GitHub App definitions whose installations have write access to all repositories. The app owner controls the private key that can generate tokens for any installation. Compromise of the app's private key grants write access to every repository in organizations where it is installed. Apps whose installations have only read permissions are excluded.",
-  "cypher": "MATCH (n:GH_App)-[:GH_InstalledAs]->(i:GH_AppInstallation {repository_selection:'all'}) WHERE i.permissions CONTAINS '\"write\"' RETURN n",
+  "cypher": "MATCH (n:GH_App)-[:GH_InstalledAs]->(i:GH_AppInstallation {repository_selection:'all'})\nWHERE i.permissions CONTAINS '\"write\"'\nRETURN n",
   "enabled": true,
   "zone": "Tier Zero",
   "allow_disable": true
diff --git a/extension/privilege_zone_rules/t0-external-identities-owners.json b/extension/privilege_zone_rules/t0-external-identities-owners.json
index 261f275..7b95fec 100644
--- a/extension/privilege_zone_rules/t0-external-identities-owners.json
+++ b/extension/privilege_zone_rules/t0-external-identities-owners.json
@@ -1,7 +1,7 @@
 {
   "name": "GitHub: Tier Zero External Identities (Owner-Mapped)",
   "description": "External identities from SAML/SCIM providers that map to GitHub users holding the owners role. Compromise of these external identities in the identity provider grants organizational owner access to GitHub via SSO.",
-  "cypher": "MATCH (n:GH_ExternalIdentity)-[:GH_MapsToUser]->(:GH_User)-[:GH_HasRole]->(:GH_OrgRole {short_name:'owners'}) RETURN n",
+  "cypher": "MATCH (n:GH_ExternalIdentity)-[:GH_MapsToUser]->(:GH_User)-[:GH_HasRole]->(:GH_OrgRole {short_name:'owners'})\nRETURN n",
   "enabled": true,
   "zone": "Tier Zero",
   "allow_disable": true
diff --git a/extension/privilege_zone_rules/t0-organizations.json b/extension/privilege_zone_rules/t0-organizations.json
index 4fa6d83..e0335b4 100644
--- a/extension/privilege_zone_rules/t0-organizations.json
+++ b/extension/privilege_zone_rules/t0-organizations.json
@@ -1,7 +1,7 @@
 {
   "name": "GitHub: Tier Zero Organizations",
   "description": "GitHub organizations are the root trust boundary for all repositories, teams, users, and settings. Compromise of the organization grants full administrative control over all contained assets.",
-  "cypher": "MATCH (n:GH_Organization) RETURN n",
+  "cypher": "MATCH (n:GH_Organization)\nRETURN n",
   "enabled": true,
   "zone": "Tier Zero",
   "allow_disable": true
diff --git a/extension/privilege_zone_rules/t0-owner-users.json b/extension/privilege_zone_rules/t0-owner-users.json
index ffcb1e5..2bd2834 100644
--- a/extension/privilege_zone_rules/t0-owner-users.json
+++ b/extension/privilege_zone_rules/t0-owner-users.json
@@ -1,7 +1,7 @@
 {
   "name": "GitHub: Tier Zero Owner Users",
   "description": "Users who hold the organization owners role have full administrative control over the GitHub organization. Compromise of any owner account grants control over all repositories, secrets, SSO configuration, and cloud identities.",
-  "cypher": "MATCH (n:GH_User)-[:GH_HasRole]->(:GH_OrgRole {short_name:'owners'}) RETURN n",
+  "cypher": "MATCH (n:GH_User)-[:GH_HasRole]->(:GH_OrgRole {short_name:'owners'})\nRETURN n",
   "enabled": true,
   "zone": "Tier Zero",
   "allow_disable": true
diff --git a/extension/privilege_zone_rules/t0-owners-role.json b/extension/privilege_zone_rules/t0-owners-role.json
index 9efcd39..972da2f 100644
--- a/extension/privilege_zone_rules/t0-owners-role.json
+++ b/extension/privilege_zone_rules/t0-owners-role.json
@@ -1,7 +1,7 @@
 {
   "name": "GitHub: Tier Zero Owners Role",
   "description": "The owners organization role grants full administrative control including all repository admin, member management, SSO configuration, app management, and billing. Owners inherit all_repo_admin, cascading admin access to every repository, secret, environment, and cloud identity in the organization.",
-  "cypher": "MATCH (n:GH_OrgRole {short_name:'owners'}) RETURN n",
+  "cypher": "MATCH (n:GH_OrgRole {short_name:'owners'})\nRETURN n",
   "enabled": true,
   "zone": "Tier Zero",
   "allow_disable": true
diff --git a/extension/privilege_zone_rules/t0-pats-all-repos.json b/extension/privilege_zone_rules/t0-pats-all-repos.json
index 63e85d2..211536f 100644
--- a/extension/privilege_zone_rules/t0-pats-all-repos.json
+++ b/extension/privilege_zone_rules/t0-pats-all-repos.json
@@ -1,7 +1,7 @@
 {
   "name": "GitHub: Tier Zero PATs (All Repositories)",
-  "description": "Fine-grained personal access tokens scoped to all repositories in the organization that have at least one write permission. A single compromised token grants write access to every repository. PATs with only read permissions are excluded — they pose a data exfiltration risk but do not grant control over the organization.",
-  "cypher": "MATCH (n:GH_PersonalAccessToken {repository_selection:'all'}) WHERE n.permissions CONTAINS '\"write\"' RETURN n",
+  "description": "Fine-grained personal access tokens scoped to all repositories in the organization that have at least one write permission. A single compromised token grants write access to every repository. PATs with only read permissions are excluded \u2014 they pose a data exfiltration risk but do not grant control over the organization.",
+  "cypher": "MATCH (n:GH_PersonalAccessToken {repository_selection:'all'})\nWHERE n.permissions CONTAINS '\"write\"'\nRETURN n",
   "enabled": true,
   "zone": "Tier Zero",
   "allow_disable": true
diff --git a/extension/privilege_zone_rules/t0-privilege-escalation-roles.json b/extension/privilege_zone_rules/t0-privilege-escalation-roles.json
index a29fa1c..fab7a43 100644
--- a/extension/privilege_zone_rules/t0-privilege-escalation-roles.json
+++ b/extension/privilege_zone_rules/t0-privilege-escalation-roles.json
@@ -1,7 +1,7 @@
 {
   "name": "GitHub: Tier Zero Privilege Escalation Roles",
-  "description": "Custom organization roles with write_organization_custom_org_role permission can modify organization role definitions, including setting the base_role to inherit all_repo_admin. Since this permission only exists on custom organization roles, the holder can escalate the role they already hold — a guaranteed self-escalation path to full organizational control.",
-  "cypher": "MATCH (n:GH_OrgRole)-[:GH_WriteOrganizationCustomOrgRole]->(:GH_Organization) RETURN n",
+  "description": "Custom organization roles with write_organization_custom_org_role permission can modify organization role definitions, including setting the base_role to inherit all_repo_admin. Since this permission only exists on custom organization roles, the holder can escalate the role they already hold \u2014 a guaranteed self-escalation path to full organizational control.",
+  "cypher": "MATCH (n:GH_OrgRole)-[:GH_WriteOrganizationCustomOrgRole]->(:GH_Organization)\nRETURN n",
   "enabled": true,
   "zone": "Tier Zero",
   "allow_disable": true
diff --git a/extension/privilege_zone_rules/t0-privilege-escalation-users.json b/extension/privilege_zone_rules/t0-privilege-escalation-users.json
index 6292a6e..330db20 100644
--- a/extension/privilege_zone_rules/t0-privilege-escalation-users.json
+++ b/extension/privilege_zone_rules/t0-privilege-escalation-users.json
@@ -1,7 +1,7 @@
 {
   "name": "GitHub: Tier Zero Privilege Escalation Users",
-  "description": "Users who hold custom organization roles with write_organization_custom_org_role permission. These users can modify organization role definitions — including the role they hold — to set the base_role to all_repo_admin, granting themselves admin access to every repository in the organization.",
-  "cypher": "MATCH (n:GH_User)-[:GH_HasRole|GH_HasBaseRole*1..]->(:GH_OrgRole)-[:GH_WriteOrganizationCustomOrgRole]->(:GH_Organization) RETURN n",
+  "description": "Users who hold custom organization roles with write_organization_custom_org_role permission. These users can modify organization role definitions \u2014 including the role they hold \u2014 to set the base_role to all_repo_admin, granting themselves admin access to every repository in the organization.",
+  "cypher": "MATCH (n:GH_User)-[:GH_HasRole|GH_HasBaseRole*1..]->(:GH_OrgRole)-[:GH_WriteOrganizationCustomOrgRole]->(:GH_Organization)\nRETURN n",
   "enabled": true,
   "zone": "Tier Zero",
   "allow_disable": true
diff --git a/extension/privilege_zone_rules/t0-saml-identity-providers.json b/extension/privilege_zone_rules/t0-saml-identity-providers.json
index 61160f1..bacd75c 100644
--- a/extension/privilege_zone_rules/t0-saml-identity-providers.json
+++ b/extension/privilege_zone_rules/t0-saml-identity-providers.json
@@ -1,7 +1,7 @@
 {
   "name": "GitHub: Tier Zero SAML Identity Providers",
   "description": "SAML identity providers control authentication for all organization members via SSO. Compromise of the identity provider grants the ability to impersonate any user, including organization owners, by manipulating SAML assertions or resetting credentials.",
-  "cypher": "MATCH (n:GH_SamlIdentityProvider) RETURN n",
+  "cypher": "MATCH (n:GH_SamlIdentityProvider)\nRETURN n",
   "enabled": true,
   "zone": "Tier Zero",
   "allow_disable": true
diff --git a/extension/saved_searches/actions-sha-pinning-not-required.json b/extension/saved_searches/actions-sha-pinning-not-required.json
index abfe080..bffd975 100644
--- a/extension/saved_searches/actions-sha-pinning-not-required.json
+++ b/extension/saved_searches/actions-sha-pinning-not-required.json
@@ -1,5 +1,5 @@
 {
-  "name": "[GitHub] Actions SHA Pinning Not Required",
-  "query": "MATCH (org:GH_Organization {actions_sha_pinning_required: false}) RETURN org LIMIT 1000",
+  "name": "GitHub: Actions SHA Pinning Not Required",
+  "query": "MATCH (org:GH_Organization {actions_sha_pinning_required: false})\nRETURN org\nLIMIT 1000",
   "description": "Finds organizations that do not require SHA pinning for GitHub Actions. Without pinning, actions referenced by tag can be silently replaced with malicious versions."
 }
diff --git a/extension/saved_searches/active-leaked-secrets.json b/extension/saved_searches/active-leaked-secrets.json
index 1083cc8..9198c61 100644
--- a/extension/saved_searches/active-leaked-secrets.json
+++ b/extension/saved_searches/active-leaked-secrets.json
@@ -1,5 +1,5 @@
 {
-  "name": "[GitHub] Active Leaked Secrets",
-  "query": "MATCH p=(:GH_Repository)-[:GH_Contains]->(alert:GH_SecretScanningAlert {state: 'open', validity: 'active'}) RETURN p LIMIT 1000",
+  "name": "GitHub: Active Leaked Secrets",
+  "query": "MATCH p=(:GH_Repository)-[:GH_Contains]->(alert:GH_SecretScanningAlert {state: 'open', validity: 'active'})\nRETURN p\nLIMIT 1000",
   "description": "Finds secret scanning alerts that are both unresolved and confirmed active. These are valid, usable credentials committed to source code and represent an immediate compromise risk."
 }
diff --git a/extension/saved_searches/advanced-security-disabled-new-repos.json b/extension/saved_searches/advanced-security-disabled-new-repos.json
index 9c98a6c..868c7ab 100644
--- a/extension/saved_searches/advanced-security-disabled-new-repos.json
+++ b/extension/saved_searches/advanced-security-disabled-new-repos.json
@@ -1,5 +1,5 @@
 {
-  "name": "[GitHub] Advanced Security Disabled for New Repositories",
-  "query": "MATCH (org:GH_Organization {advanced_security_enabled_for_new_repositories: false}) RETURN org LIMIT 1000",
+  "name": "GitHub: Advanced Security Disabled for New Repositories",
+  "query": "MATCH (org:GH_Organization {advanced_security_enabled_for_new_repositories: false})\nRETURN org\nLIMIT 1000",
   "description": "Finds organizations where GitHub Advanced Security is not automatically enabled for new repositories. New repositories will lack code scanning, secret scanning, and other GHAS features."
 }
diff --git a/extension/saved_searches/all-actions-allowed.json b/extension/saved_searches/all-actions-allowed.json
index b680912..d0d5117 100644
--- a/extension/saved_searches/all-actions-allowed.json
+++ b/extension/saved_searches/all-actions-allowed.json
@@ -1,5 +1,5 @@
 {
-  "name": "[GitHub] All GitHub Actions Allowed",
-  "query": "MATCH (org:GH_Organization {actions_allowed_actions: 'all'}) RETURN org LIMIT 1000",
+  "name": "GitHub: All GitHub Actions Allowed",
+  "query": "MATCH (org:GH_Organization {actions_allowed_actions: 'all'})\nRETURN org\nLIMIT 1000",
   "description": "Finds organizations that allow all GitHub Actions to run, including third-party actions from the marketplace. This creates supply chain risk if a malicious or compromised action is used."
 }
diff --git a/extension/saved_searches/app-installations-all-repos.json b/extension/saved_searches/app-installations-all-repos.json
index 2c51fdc..b1a21f2 100644
--- a/extension/saved_searches/app-installations-all-repos.json
+++ b/extension/saved_searches/app-installations-all-repos.json
@@ -1,5 +1,5 @@
 {
-  "name": "[GitHub] App Installations with Access to All Repositories",
-  "query": "MATCH (app:GH_AppInstallation {repository_selection: 'all'}) RETURN app LIMIT 1000",
+  "name": "GitHub: App Installations with Access to All Repositories",
+  "query": "MATCH (app:GH_AppInstallation {repository_selection: 'all'})\nRETURN app\nLIMIT 1000",
   "description": "Finds GitHub App installations that have access to every repository in the organization. A compromised app credential would affect all repositories."
 }
diff --git a/extension/saved_searches/branch-protection-admins-not-enforced.json b/extension/saved_searches/branch-protection-admins-not-enforced.json
index 0cbd07c..9f1a8a8 100644
--- a/extension/saved_searches/branch-protection-admins-not-enforced.json
+++ b/extension/saved_searches/branch-protection-admins-not-enforced.json
@@ -1,5 +1,5 @@
 {
-  "name": "[GitHub] Branch Protection Rules - Admins Not Enforced",
-  "query": "MATCH p=(:GH_BranchProtectionRule {enforce_admins: false})-[:GH_ProtectedBy]->(:GH_Branch) RETURN p LIMIT 1000",
+  "name": "GitHub: Branch Protection Rules - Admins Not Enforced",
+  "query": "MATCH p=(:GH_BranchProtectionRule {enforce_admins: false})-[:GH_ProtectedBy]->(:GH_Branch)\nRETURN p\nLIMIT 1000",
   "description": "Finds branch protection rules where administrators can bypass all protections. Admins can push directly, skip reviews, and override status checks on these branches."
 }
diff --git a/extension/saved_searches/branch-protection-deletions-allowed.json b/extension/saved_searches/branch-protection-deletions-allowed.json
index b11181e..2e036c1 100644
--- a/extension/saved_searches/branch-protection-deletions-allowed.json
+++ b/extension/saved_searches/branch-protection-deletions-allowed.json
@@ -1,5 +1,5 @@
 {
-  "name": "[GitHub] Branch Protection Rules - Deletions Allowed",
-  "query": "MATCH p=(:GH_BranchProtectionRule {allows_deletions: true})-[:GH_ProtectedBy]->(:GH_Branch) RETURN p LIMIT 1000",
+  "name": "GitHub: Branch Protection Rules - Deletions Allowed",
+  "query": "MATCH p=(:GH_BranchProtectionRule {allows_deletions: true})-[:GH_ProtectedBy]->(:GH_Branch)\nRETURN p\nLIMIT 1000",
   "description": "Finds protected branches that can be deleted. Branch deletion can result in loss of code and removal of audit history."
 }
diff --git a/extension/saved_searches/branch-protection-force-pushes.json b/extension/saved_searches/branch-protection-force-pushes.json
index 461bfeb..fec33b7 100644
--- a/extension/saved_searches/branch-protection-force-pushes.json
+++ b/extension/saved_searches/branch-protection-force-pushes.json
@@ -1,5 +1,5 @@
 {
-  "name": "[GitHub] Branch Protection Rules - Force Pushes Allowed",
-  "query": "MATCH p=(:GH_BranchProtectionRule {allows_force_pushes: true})-[:GH_ProtectedBy]->(:GH_Branch) RETURN p LIMIT 1000",
+  "name": "GitHub: Branch Protection Rules - Force Pushes Allowed",
+  "query": "MATCH p=(:GH_BranchProtectionRule {allows_force_pushes: true})-[:GH_ProtectedBy]->(:GH_Branch)\nRETURN p\nLIMIT 1000",
   "description": "Finds branches where force pushes are allowed. Force pushes can rewrite commit history, potentially hiding malicious changes or destroying audit trails."
 }
diff --git a/extension/saved_searches/branch-protection-no-code-owner-reviews.json b/extension/saved_searches/branch-protection-no-code-owner-reviews.json
index 2c02969..8d270ff 100644
--- a/extension/saved_searches/branch-protection-no-code-owner-reviews.json
+++ b/extension/saved_searches/branch-protection-no-code-owner-reviews.json
@@ -1,5 +1,5 @@
 {
-  "name": "[GitHub] Branch Protection Rules - No Code Owner Reviews",
-  "query": "MATCH p=(:GH_BranchProtectionRule {require_code_owner_reviews: false})-[:GH_ProtectedBy]->(:GH_Branch) RETURN p LIMIT 1000",
+  "name": "GitHub: Branch Protection Rules - No Code Owner Reviews",
+  "query": "MATCH p=(:GH_BranchProtectionRule {require_code_owner_reviews: false})-[:GH_ProtectedBy]->(:GH_Branch)\nRETURN p\nLIMIT 1000",
   "description": "Finds branches where code owner reviews are not required. Changes to security-critical paths can be merged without authorization from the designated code owners."
 }
diff --git a/extension/saved_searches/branch-protection-no-pr-reviews.json b/extension/saved_searches/branch-protection-no-pr-reviews.json
index 430edc8..21250d9 100644
--- a/extension/saved_searches/branch-protection-no-pr-reviews.json
+++ b/extension/saved_searches/branch-protection-no-pr-reviews.json
@@ -1,5 +1,5 @@
 {
-  "name": "[GitHub] Branch Protection Rules - No Pull Request Reviews Required",
-  "query": "MATCH p=(:GH_BranchProtectionRule {required_pull_request_reviews: false})-[:GH_ProtectedBy]->(:GH_Branch) RETURN p LIMIT 1000",
+  "name": "GitHub: Branch Protection Rules - No Pull Request Reviews Required",
+  "query": "MATCH p=(:GH_BranchProtectionRule {required_pull_request_reviews: false})-[:GH_ProtectedBy]->(:GH_Branch)\nRETURN p\nLIMIT 1000",
   "description": "Finds branches where pull request reviews are not required. Code can be merged directly without peer review, increasing the risk of undetected vulnerabilities or malicious changes."
 }
diff --git a/extension/saved_searches/branch-protection-no-status-checks.json b/extension/saved_searches/branch-protection-no-status-checks.json
index ea5ae42..68e639a 100644
--- a/extension/saved_searches/branch-protection-no-status-checks.json
+++ b/extension/saved_searches/branch-protection-no-status-checks.json
@@ -1,5 +1,5 @@
 {
-  "name": "[GitHub] Branch Protection Rules - No Status Checks Required",
-  "query": "MATCH p=(:GH_BranchProtectionRule {requires_status_checks: false})-[:GH_ProtectedBy]->(:GH_Branch) RETURN p LIMIT 1000",
+  "name": "GitHub: Branch Protection Rules - No Status Checks Required",
+  "query": "MATCH p=(:GH_BranchProtectionRule {requires_status_checks: false})-[:GH_ProtectedBy]->(:GH_Branch)\nRETURN p\nLIMIT 1000",
   "description": "Finds branches where CI/CD status checks are not required before merging. Code with failing tests or security scans can be merged into protected branches."
 }
diff --git a/extension/saved_searches/branch-protection-self-approval.json b/extension/saved_searches/branch-protection-self-approval.json
index f30c85a..53870bf 100644
--- a/extension/saved_searches/branch-protection-self-approval.json
+++ b/extension/saved_searches/branch-protection-self-approval.json
@@ -1,5 +1,5 @@
 {
-  "name": "[GitHub] Branch Protection Rules - Self-Approval Allowed",
-  "query": "MATCH p=(:GH_BranchProtectionRule {require_last_push_approval: false})-[:GH_ProtectedBy]->(:GH_Branch) RETURN p LIMIT 1000",
+  "name": "GitHub: Branch Protection Rules - Self-Approval Allowed",
+  "query": "MATCH p=(:GH_BranchProtectionRule {require_last_push_approval: false})-[:GH_ProtectedBy]->(:GH_Branch)\nRETURN p\nLIMIT 1000",
   "description": "Finds branches where the author of the last push can approve their own pull request. This allows a single person to both write and approve code changes."
 }
diff --git a/extension/saved_searches/branch-protection-stale-reviews.json b/extension/saved_searches/branch-protection-stale-reviews.json
index cb00960..87f56eb 100644
--- a/extension/saved_searches/branch-protection-stale-reviews.json
+++ b/extension/saved_searches/branch-protection-stale-reviews.json
@@ -1,5 +1,5 @@
 {
-  "name": "[GitHub] Branch Protection Rules - Stale Reviews Not Dismissed",
-  "query": "MATCH p=(:GH_BranchProtectionRule {dismisses_stale_reviews: false})-[:GH_ProtectedBy]->(:GH_Branch) RETURN p LIMIT 1000",
+  "name": "GitHub: Branch Protection Rules - Stale Reviews Not Dismissed",
+  "query": "MATCH p=(:GH_BranchProtectionRule {dismisses_stale_reviews: false})-[:GH_ProtectedBy]->(:GH_Branch)\nRETURN p\nLIMIT 1000",
   "description": "Finds branches where stale reviews are not dismissed when new commits are pushed. An attacker could get a review approved, then push additional malicious commits that inherit the stale approval."
 }
diff --git a/extension/saved_searches/bypass-pr-requirements.json b/extension/saved_searches/bypass-pr-requirements.json
index f98796d..9ab14b9 100644
--- a/extension/saved_searches/bypass-pr-requirements.json
+++ b/extension/saved_searches/bypass-pr-requirements.json
@@ -1,5 +1,5 @@
 {
-  "name": "[GitHub] Users Who Can Bypass Pull Request Requirements",
-  "query": "MATCH p=(actor)-[:GH_BypassPullRequestAllowances]->(rule:GH_BranchProtectionRule)-[:GH_ProtectedBy]->(branch:GH_Branch) RETURN p LIMIT 1000",
+  "name": "GitHub: Users Who Can Bypass Pull Request Requirements",
+  "query": "MATCH p=(actor)-[:GH_BypassPullRequestAllowances]->(rule:GH_BranchProtectionRule)-[:GH_ProtectedBy]->(branch:GH_Branch)\nRETURN p\nLIMIT 1000",
   "description": "Finds users and teams that can bypass pull request review requirements on protected branches. These actors can merge code without any reviews."
 }
diff --git a/extension/saved_searches/dangerous-branch-perms.json b/extension/saved_searches/dangerous-branch-perms.json
index c82bc4f..72313be 100644
--- a/extension/saved_searches/dangerous-branch-perms.json
+++ b/extension/saved_searches/dangerous-branch-perms.json
@@ -1,5 +1,5 @@
 {
-  "name": "[GitHub] Dangerous Branch Permissions",
-  "query": "MATCH p=(:GH_User)-[:GH_HasRole|GH_HasBaseRole|GH_MemberOf*1..]->(:GH_RepoRole)-[:GH_PushProtectedBranch|GH_BypassBranchProtection]-(r:GH_Repository) MATCH p1=(:GH_User)-[:GH_BypassPullRequestAllowances|GH_RestrictionsCanPush]->(rule:GH_BranchProtectionRule)-[:GH_ProtectedBy]->(b:GH_Branch) RETURN p,p1 LIMIT 1000",
+  "name": "GitHub: Dangerous Branch Permissions",
+  "query": "MATCH p=(:GH_User)-[:GH_HasRole|GH_HasBaseRole|GH_MemberOf*1..]->(:GH_RepoRole)-[:GH_PushProtectedBranch|GH_BypassBranchProtection]-(r:GH_Repository)\nMATCH p1=(:GH_User)-[:GH_BypassPullRequestAllowances|GH_RestrictionsCanPush]->(rule:GH_BranchProtectionRule)-[:GH_ProtectedBy]->(b:GH_Branch)\nRETURN p,p1\nLIMIT 1000",
   "description": "Identifies users with dangerous branch permissions in a GitHub organization, including bypass allowances on protection rules."
 }
diff --git a/extension/saved_searches/default-repository-permissions.json b/extension/saved_searches/default-repository-permissions.json
index 31de342..5c943d6 100644
--- a/extension/saved_searches/default-repository-permissions.json
+++ b/extension/saved_searches/default-repository-permissions.json
@@ -1,5 +1,5 @@
 {
-  "name": "[GitHub] Organizations with default repository permission",
-  "query": "MATCH (o:GH_Organization) WHERE o.default_repository_permission <> 'none' RETURN o LIMIT 1000",
+  "name": "GitHub: Organizations with default repository permission",
+  "query": "MATCH (o:GH_Organization)\nWHERE o.default_repository_permission <> 'none'\nRETURN o\nLIMIT 1000",
   "description": "Returns organizations that have a default repository permission other than 'none'."
 }
diff --git a/extension/saved_searches/demo-sso-to-cloud-round-trip.json b/extension/saved_searches/demo-sso-to-cloud-round-trip.json
index fecbdb1..8c30327 100644
--- a/extension/saved_searches/demo-sso-to-cloud-round-trip.json
+++ b/extension/saved_searches/demo-sso-to-cloud-round-trip.json
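Review bot: The two `MATCH` clauses in the new `query` value of dangerous-branch-perms.json share no bound variable, so `RETURN p,p1` yields the cartesian product of every role-based path with every bypass-allowance path, and `LIMIT 1000` then truncates that product arbitrarily rather than listing each dangerous permission once. On a medium-sized organization this hides most real findings and makes the visualization misleading. Splitting it into two saved searches, or joining them with `UNION` on a single `p` column (`... RETURN p\nUNION\nMATCH p=(:GH_User)-[:GH_BypassPullRequestAllowances|GH_RestrictionsCanPush]->(:GH_BranchProtectionRule)-[:GH_ProtectedBy]->(:GH_Branch)\nRETURN p`), would return each path exactly once.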
@@ -1,5 +1,5 @@
 {
-  "name": "[Demo] SSO Round-Trip: Azure/Okta → GitHub → Cloud Identity",
-  "query": "MATCH p1=(extUser)-[:SyncedToGHUser]->(ghUser:GH_User) MATCH p2=(ghUser)-[:GH_HasRole|GH_HasBaseRole|GH_MemberOf*1..]->(:GH_RepoRole)-[:GH_WriteRepoContents]->(:GH_Repository)-[:GH_CanAssumeIdentity]->(cred:AZFederatedIdentityCredential) RETURN p1, p2 LIMIT 1000",
-  "description": "The cloud-to-cloud pivot through GitHub: a compromised Azure or Okta identity syncs to a GitHub user via SSO. That GitHub user has write access to repositories configured with OIDC federation to Azure workload identities. The attacker pivots from one cloud identity through GitHub into a completely different Azure identity — crossing cloud boundaries twice in a single attack chain."
+  "name": "[Demo] SSO Round-Trip: Azure/Okta \u2192 GitHub \u2192 Cloud Identity",
+  "query": "MATCH p1=(extUser)-[:SyncedToGHUser]->(ghUser:GH_User)\nMATCH p2=(ghUser)-[:GH_HasRole|GH_HasBaseRole|GH_MemberOf*1..]->(:GH_RepoRole)-[:GH_WriteRepoContents]->(:GH_Repository)-[:GH_CanAssumeIdentity]->(cred:AZFederatedIdentityCredential)\nRETURN p1, p2\nLIMIT 1000",
+  "description": "The cloud-to-cloud pivot through GitHub: a compromised Azure or Okta identity syncs to a GitHub user via SSO. That GitHub user has write access to repositories configured with OIDC federation to Azure workload identities. The attacker pivots from one cloud identity through GitHub into a completely different Azure identity \u2014 crossing cloud boundaries twice in a single attack chain."
 }
diff --git a/extension/saved_searches/dependabot-alerts-disabled-new-repos.json b/extension/saved_searches/dependabot-alerts-disabled-new-repos.json
index aea3a6d..c71c8c2 100644
--- a/extension/saved_searches/dependabot-alerts-disabled-new-repos.json
+++ b/extension/saved_searches/dependabot-alerts-disabled-new-repos.json
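Review bot: The new `name` line in demo-sso-to-cloud-round-trip.json keeps the bracketed `[Demo]` prefix while every other saved search in this commit moves from `[GitHub] …` to the `GitHub: …` form, so this entry will sort and display differently from the rest of the GitHub searches. If the prefix is deliberate to mark demo-only data that is worth a word in the `description`, since the query also depends on an unlabelled `(extUser)` node and a `SyncedToGHUser` edge that do not follow the `GH_` naming used elsewhere on this page, which suggests it only runs against a seeded demo graph. Otherwise the consistent form would be `"name": "GitHub: Demo SSO Round-Trip: Azure/Okta \u2192 GitHub \u2192 Cloud Identity"`.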
@@ -1,5 +1,5 @@
 {
-  "name": "[GitHub] Dependabot Alerts Disabled for New Repositories",
-  "query": "MATCH (org:GH_Organization {dependabot_alerts_enabled_for_new_repositories: false}) RETURN org LIMIT 1000",
+  "name": "GitHub: Dependabot Alerts Disabled for New Repositories",
+  "query": "MATCH (org:GH_Organization {dependabot_alerts_enabled_for_new_repositories: false})\nRETURN org\nLIMIT 1000",
   "description": "Finds organizations where Dependabot alerts are not enabled for new repositories. Vulnerable dependencies in new repositories will go undetected."
 }
diff --git a/extension/saved_searches/dependabot-updates-disabled-new-repos.json b/extension/saved_searches/dependabot-updates-disabled-new-repos.json
index c216811..bfbc704 100644
--- a/extension/saved_searches/dependabot-updates-disabled-new-repos.json
+++ b/extension/saved_searches/dependabot-updates-disabled-new-repos.json
@@ -1,5 +1,5 @@
 {
-  "name": "[GitHub] Dependabot Security Updates Disabled for New Repositories",
-  "query": "MATCH (org:GH_Organization {dependabot_security_updates_enabled_for_new_repositories: false}) RETURN org LIMIT 1000",
+  "name": "GitHub: Dependabot Security Updates Disabled for New Repositories",
+  "query": "MATCH (org:GH_Organization {dependabot_security_updates_enabled_for_new_repositories: false})\nRETURN org\nLIMIT 1000",
   "description": "Finds organizations where Dependabot security update PRs are not enabled for new repositories. Known vulnerable dependencies will not receive automated fix PRs."
 }
diff --git a/extension/saved_searches/dependency-graph-disabled-new-repos.json b/extension/saved_searches/dependency-graph-disabled-new-repos.json
index ec6d916..0b72d5a 100644
--- a/extension/saved_searches/dependency-graph-disabled-new-repos.json
+++ b/extension/saved_searches/dependency-graph-disabled-new-repos.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] Dependency Graph Disabled for New Repositories",
- "query": "MATCH (org:GH_Organization {dependency_graph_enabled_for_new_repositories: false}) RETURN org LIMIT 1000",
+ "name": "GitHub: Dependency Graph Disabled for New Repositories",
+ "query": "MATCH (org:GH_Organization {dependency_graph_enabled_for_new_repositories: false})\nRETURN org\nLIMIT 1000",
 "description": "Finds organizations where the dependency graph is not enabled for new repositories. Without the dependency graph, transitive dependency vulnerabilities cannot be tracked."
 }
diff --git a/extension/saved_searches/environments-admin-bypass.json b/extension/saved_searches/environments-admin-bypass.json
index c8b8100..08447e4 100644
--- a/extension/saved_searches/environments-admin-bypass.json
+++ b/extension/saved_searches/environments-admin-bypass.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] Environments Where Admins Can Bypass Protections",
- "query": "MATCH p=(:GH_Repository)-[:GH_HasEnvironment]->(env:GH_Environment {can_admins_bypass: true}) RETURN p LIMIT 1000",
+ "name": "GitHub: Environments Where Admins Can Bypass Protections",
+ "query": "MATCH p=(:GH_Repository)-[:GH_HasEnvironment]->(env:GH_Environment {can_admins_bypass: true})\nRETURN p\nLIMIT 1000",
 "description": "Finds deployment environments where administrators can bypass protection rules such as required reviewers and wait timers. Admins can deploy to these environments without any approval."
 }
diff --git a/extension/saved_searches/expired-pats.json b/extension/saved_searches/expired-pats.json
index d32312f..e849144 100644
--- a/extension/saved_searches/expired-pats.json
+++ b/extension/saved_searches/expired-pats.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] Expired Personal Access Tokens",
- "query": "MATCH p=(:GH_User)-[:GH_HasPersonalAccessToken]->(token:GH_PersonalAccessToken {token_expired: true}) RETURN p LIMIT 1000",
+ "name": "GitHub: Expired Personal Access Tokens",
+ "query": "MATCH p=(:GH_User)-[:GH_HasPersonalAccessToken]->(token:GH_PersonalAccessToken {token_expired: true})\nRETURN p\nLIMIT 1000",
 "description": "Finds expired personal access tokens that still exist. Expired tokens should be cleaned up to reduce credential inventory and audit noise."
 }
diff --git a/extension/saved_searches/external-identities-without-scim.json b/extension/saved_searches/external-identities-without-scim.json
index 78c46d2..805b85f 100644
--- a/extension/saved_searches/external-identities-without-scim.json
+++ b/extension/saved_searches/external-identities-without-scim.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] External Identities Without SCIM Provisioning",
- "query": "MATCH (ei:GH_ExternalIdentity) WHERE ei.scim_identity_username = '' RETURN ei LIMIT 1000",
+ "name": "GitHub: External Identities Without SCIM Provisioning",
+ "query": "MATCH (ei:GH_ExternalIdentity)\nWHERE ei.scim_identity_username = ''\nRETURN ei\nLIMIT 1000",
 "description": "Finds external identities that lack SCIM synchronization. Without SCIM, user deprovisioning in the identity provider will not automatically revoke GitHub access."
 }
diff --git a/extension/saved_searches/github-to-azure-identity.json b/extension/saved_searches/github-to-azure-identity.json
index 51d2e47..f1e6c2e 100644
--- a/extension/saved_searches/github-to-azure-identity.json
+++ b/extension/saved_searches/github-to-azure-identity.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] GitHub-to-Azure Identity Assumptions",
- "query": "MATCH p=(src)-[:GH_CanAssumeIdentity]->(cred:AZFederatedIdentityCredential) RETURN p LIMIT 1000",
+ "name": "GitHub: GitHub-to-Azure Identity Assumptions",
+ "query": "MATCH p=(src)-[:GH_CanAssumeIdentity]->(cred:AZFederatedIdentityCredential)\nRETURN p\nLIMIT 1000",
 "description": "Finds GitHub entities (repositories, branches, environments) that can assume Azure identities via OIDC federation. Verify that each trust relationship is intentional and scoped appropriately."
 }
diff --git a/extension/saved_searches/global-repo-perms.json b/extension/saved_searches/global-repo-perms.json
index 4fd5e53..4eda589 100644
--- a/extension/saved_searches/global-repo-perms.json
+++ b/extension/saved_searches/global-repo-perms.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] Global Repo Permissions",
- "query": "MATCH p=(:GH_User)-[:GH_HasBaseRole|GH_HasRole|GH_MemberOf*1..3]->(role:GH_OrgRole) WHERE role.short_name CONTAINS 'all_repo_' RETURN p LIMIT 1000",
+ "name": "GitHub: Global Repo Permissions",
+ "query": "MATCH p=(:GH_User)-[:GH_HasBaseRole|GH_HasRole|GH_MemberOf*1..3]->(role:GH_OrgRole)\nWHERE role.short_name CONTAINS 'all_repo_'\nRETURN p\nLIMIT 1000",
 "description": "Returns all users who hold a global repository permission role (i.e., roles that are not default)."
 }
diff --git a/extension/saved_searches/hybrid-identities.json b/extension/saved_searches/hybrid-identities.json
index 55aabfa..756adc9 100644
--- a/extension/saved_searches/hybrid-identities.json
+++ b/extension/saved_searches/hybrid-identities.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] External Identities",
- "query": "MATCH p=(s)-[]->(d:GH_User) WHERE s:AZUser OR s:OktaUser RETURN p LIMIT 1000",
+ "name": "GitHub: External Identities",
+ "query": "MATCH p=(s)-[]->(d:GH_User)\nWHERE s:AZUser\nOR s:Okta_User\nRETURN p\nLIMIT 1000",
 "description": "Returns all external identities (e.g., Azure or Okta users) that are associated with GitHub users."
 }
diff --git a/extension/saved_searches/members-can-change-repo-visibility.json b/extension/saved_searches/members-can-change-repo-visibility.json
index d0d9247..9e2289a 100644
--- a/extension/saved_searches/members-can-change-repo-visibility.json
+++ b/extension/saved_searches/members-can-change-repo-visibility.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] Members Can Change Repository Visibility",
- "query": "MATCH (org:GH_Organization {members_can_change_repo_visibility: true}) RETURN org LIMIT 1000",
+ "name": "GitHub: Members Can Change Repository Visibility",
+ "query": "MATCH (org:GH_Organization {members_can_change_repo_visibility: true})\nRETURN org\nLIMIT 1000",
 "description": "Finds organizations where members can change repository visibility. This allows any member to make a private repository public, potentially exposing source code and secrets."
 }
diff --git a/extension/saved_searches/members-can-create-pages.json b/extension/saved_searches/members-can-create-pages.json
index a8b3fcd..2ddad3a 100644
--- a/extension/saved_searches/members-can-create-pages.json
+++ b/extension/saved_searches/members-can-create-pages.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] Members Can Create GitHub Pages",
- "query": "MATCH (org:GH_Organization {members_can_create_pages: true}) RETURN org LIMIT 1000",
+ "name": "GitHub: Members Can Create GitHub Pages",
+ "query": "MATCH (org:GH_Organization {members_can_create_pages: true})\nRETURN org\nLIMIT 1000",
 "description": "Finds organizations where members can create GitHub Pages sites. Pages can be used to host phishing content, data exfiltration endpoints, or other malicious resources."
 }
diff --git a/extension/saved_searches/members-can-create-public-repos.json b/extension/saved_searches/members-can-create-public-repos.json
index 8999da0..0161941 100644
--- a/extension/saved_searches/members-can-create-public-repos.json
+++ b/extension/saved_searches/members-can-create-public-repos.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] Members Can Create Public Repositories",
- "query": "MATCH (org:GH_Organization {members_can_create_public_repositories: true}) RETURN org LIMIT 1000",
+ "name": "GitHub: Members Can Create Public Repositories",
+ "query": "MATCH (org:GH_Organization {members_can_create_public_repositories: true})\nRETURN org\nLIMIT 1000",
 "description": "Finds organizations where members can create internet-facing public repositories. This increases the risk of accidental exposure of proprietary code or secrets."
 }
diff --git a/extension/saved_searches/members-can-delete-repos.json b/extension/saved_searches/members-can-delete-repos.json
index 03a293b..a5dde56 100644
--- a/extension/saved_searches/members-can-delete-repos.json
+++ b/extension/saved_searches/members-can-delete-repos.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] Members Can Delete Repositories",
- "query": "MATCH (org:GH_Organization {members_can_delete_repositories: true}) RETURN org LIMIT 1000",
+ "name": "GitHub: Members Can Delete Repositories",
+ "query": "MATCH (org:GH_Organization {members_can_delete_repositories: true})\nRETURN org\nLIMIT 1000",
 "description": "Finds organizations where members can delete repositories. This poses a risk of accidental or malicious destruction of code and audit history."
 }
diff --git a/extension/saved_searches/members-can-fork-private-repos.json b/extension/saved_searches/members-can-fork-private-repos.json
index 9a74216..a05d24b 100644
--- a/extension/saved_searches/members-can-fork-private-repos.json
+++ b/extension/saved_searches/members-can-fork-private-repos.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] Members Can Fork Private Repositories",
- "query": "MATCH (org:GH_Organization {members_can_fork_private_repositories: true}) RETURN org LIMIT 1000",
+ "name": "GitHub: Members Can Fork Private Repositories",
+ "query": "MATCH (org:GH_Organization {members_can_fork_private_repositories: true})\nRETURN org\nLIMIT 1000",
 "description": "Finds organizations where members can fork private repositories to personal accounts. Forked copies leave organizational control and oversight."
 }
diff --git a/extension/saved_searches/members-can-invite-outside-collaborators.json b/extension/saved_searches/members-can-invite-outside-collaborators.json
index 6cd7b53..c722138 100644
--- a/extension/saved_searches/members-can-invite-outside-collaborators.json
+++ b/extension/saved_searches/members-can-invite-outside-collaborators.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] Members Can Invite Outside Collaborators",
- "query": "MATCH (org:GH_Organization {members_can_invite_outside_collaborators: true}) RETURN org LIMIT 1000",
+ "name": "GitHub: Members Can Invite Outside Collaborators",
+ "query": "MATCH (org:GH_Organization {members_can_invite_outside_collaborators: true})\nRETURN org\nLIMIT 1000",
 "description": "Finds organizations where any member can invite external users. This can lead to unauthorized third-party access to repositories without centralized oversight."
 }
diff --git a/extension/saved_searches/org-owners.json b/extension/saved_searches/org-owners.json
index 939420b..0559270 100644
--- a/extension/saved_searches/org-owners.json
+++ b/extension/saved_searches/org-owners.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] Organization Owners",
- "query": "MATCH p=(:GH_User)-[:GH_HasRole]->(:GH_OrgRole {short_name:'owners'}) RETURN p LIMIT 1000",
+ "name": "GitHub: Organization Owners",
+ "query": "MATCH p=(:GH_User)-[:GH_HasRole]->(:GH_OrgRole {short_name:'owners'})\nRETURN p\nLIMIT 1000",
 "description": "Returns all users hold the organization owners role."
 }
diff --git a/extension/saved_searches/orgs-without-2fa.json b/extension/saved_searches/orgs-without-2fa.json
index 5bd5378..d305de7 100644
--- a/extension/saved_searches/orgs-without-2fa.json
+++ b/extension/saved_searches/orgs-without-2fa.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] Organizations without 2FA",
- "query": "MATCH (o:GH_Organization) WHERE o.two_factor_requirement_enabled = false RETURN o LIMIT 1000",
+ "name": "GitHub: Organizations without 2FA",
+ "query": "MATCH (o:GH_Organization)\nWHERE o.two_factor_requirement_enabled = false\nRETURN o\nLIMIT 1000",
 "description": "Returns organizations that do not require two-factor authentication."
 }
diff --git a/extension/saved_searches/pats-all-repo-access.json b/extension/saved_searches/pats-all-repo-access.json
index 640a7b0..ad65049 100644
--- a/extension/saved_searches/pats-all-repo-access.json
+++ b/extension/saved_searches/pats-all-repo-access.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] PATs with Access to All Repositories",
- "query": "MATCH p=(:GH_User)-[:GH_HasPersonalAccessToken]->(token:GH_PersonalAccessToken {repository_selection: 'all'}) RETURN p LIMIT 1000",
+ "name": "GitHub: PATs with Access to All Repositories",
+ "query": "MATCH p=(:GH_User)-[:GH_HasPersonalAccessToken]->(token:GH_PersonalAccessToken {repository_selection: 'all'})\nRETURN p\nLIMIT 1000",
 "description": "Finds fine-grained personal access tokens scoped to all repositories. A single compromised token grants access to every repository in the organization."
 }
diff --git a/extension/saved_searches/pending-pat-requests.json b/extension/saved_searches/pending-pat-requests.json
index 994c52d..4c60b2b 100644
--- a/extension/saved_searches/pending-pat-requests.json
+++ b/extension/saved_searches/pending-pat-requests.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] Pending PAT Requests",
- "query": "MATCH p=(:GH_User)-[:GH_HasPersonalAccessTokenRequest]->(req:GH_PersonalAccessTokenRequest) RETURN p LIMIT 1000",
+ "name": "GitHub: Pending PAT Requests",
+ "query": "MATCH p=(:GH_User)-[:GH_HasPersonalAccessTokenRequest]->(req:GH_PersonalAccessTokenRequest)\nRETURN p\nLIMIT 1000",
 "description": "Finds pending fine-grained personal access token requests awaiting approval. Review these to ensure requested permissions are appropriate before granting access."
 }
diff --git a/extension/saved_searches/private-repos-forking-allowed.json b/extension/saved_searches/private-repos-forking-allowed.json
index e5c6d0b..2c75fbb 100644
--- a/extension/saved_searches/private-repos-forking-allowed.json
+++ b/extension/saved_searches/private-repos-forking-allowed.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] Private Repositories with Forking Allowed",
- "query": "MATCH (repo:GH_Repository {visibility: 'private', allow_forking: true}) RETURN repo LIMIT 1000",
+ "name": "GitHub: Private Repositories with Forking Allowed",
+ "query": "MATCH (repo:GH_Repository {visibility: 'private', allow_forking: true})\nRETURN repo\nLIMIT 1000",
 "description": "Finds private repositories that allow forking. Forked copies of private repositories can leave organizational governance and visibility."
 }
diff --git a/extension/saved_searches/privileged-custom-org-roles.json b/extension/saved_searches/privileged-custom-org-roles.json
index 56e9522..367a9bd 100644
--- a/extension/saved_searches/privileged-custom-org-roles.json
+++ b/extension/saved_searches/privileged-custom-org-roles.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] Privileged Custom Org Roles",
- "query": "MATCH p=(role:GH_OrgRole {type:'custom'})-[r]->(dest) WHERE dest:GH_Organization OR dest:GH_OrgRole RETURN p LIMIT 1000",
+ "name": "GitHub: Privileged Custom Org Roles",
+ "query": "MATCH p=(role:GH_OrgRole {type:'custom'})-[r]->(dest)\nWHERE dest:GH_Organization\nOR dest:GH_OrgRole\nRETURN p\nLIMIT 1000",
 "description": "Returns all custom organization roles that are privileged (i.e., have permissions that are not default)"
 }
diff --git a/extension/saved_searches/privileged-hybrid-identities.json b/extension/saved_searches/privileged-hybrid-identities.json
index 04a27e5..daff24a 100644
--- a/extension/saved_searches/privileged-hybrid-identities.json
+++ b/extension/saved_searches/privileged-hybrid-identities.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] Privileged Hybrid Identities",
- "query": "MATCH p=()-[:GH_SyncedTo]->(:GH_User)-[:GH_HasRole]->(:GH_OrgRole {short_name:'owners'}) RETURN p LIMIT 1000",
+ "name": "GitHub: Privileged Hybrid Identities",
+ "query": "MATCH p=()-[:GH_SyncedTo]->(:GH_User)-[:GH_HasRole]->(:GH_OrgRole {short_name:'owners'})\nRETURN p\nLIMIT 1000",
 "description": "Returns all hybrid identities (e.g., Azure or Okta users) that are associated with GitHub users who hold the organization owners role."
 }
diff --git a/extension/saved_searches/public-repos.json b/extension/saved_searches/public-repos.json
index 27ce306..4ea897b 100644
--- a/extension/saved_searches/public-repos.json
+++ b/extension/saved_searches/public-repos.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] Public Repositories",
- "query": "MATCH (repo:GH_Repository {private: false}) RETURN repo LIMIT 1000",
+ "name": "GitHub: Public Repositories",
+ "query": "MATCH (repo:GH_Repository {private: false})\nRETURN repo\nLIMIT 1000",
 "description": "Returns all public repositories."
 }
diff --git a/extension/saved_searches/push-protection-disabled-new-repos.json b/extension/saved_searches/push-protection-disabled-new-repos.json
index 6d3b680..269fa14 100644
--- a/extension/saved_searches/push-protection-disabled-new-repos.json
+++ b/extension/saved_searches/push-protection-disabled-new-repos.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] Secret Scanning Push Protection Disabled for New Repositories",
- "query": "MATCH (org:GH_Organization {secret_scanning_push_protection_enabled_for_new_repositories: false}) RETURN org LIMIT 1000",
+ "name": "GitHub: Secret Scanning Push Protection Disabled for New Repositories",
+ "query": "MATCH (org:GH_Organization {secret_scanning_push_protection_enabled_for_new_repositories: false})\nRETURN org\nLIMIT 1000",
 "description": "Finds organizations where push protection is not enabled for new repositories. Without push protection, secrets can be committed without being blocked before they reach the repository."
 }
diff --git a/extension/saved_searches/push-to-protected-branches.json b/extension/saved_searches/push-to-protected-branches.json
index 349617b..dc147e0 100644
--- a/extension/saved_searches/push-to-protected-branches.json
+++ b/extension/saved_searches/push-to-protected-branches.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] Users Who Can Push to Protected Branches",
- "query": "MATCH p=(actor)-[:GH_RestrictionsCanPush]->(rule:GH_BranchProtectionRule)-[:GH_ProtectedBy]->(branch:GH_Branch) RETURN p LIMIT 1000",
+ "name": "GitHub: Users Who Can Push to Protected Branches",
+ "query": "MATCH p=(actor)-[:GH_RestrictionsCanPush]->(rule:GH_BranchProtectionRule)-[:GH_ProtectedBy]->(branch:GH_Branch)\nRETURN p\nLIMIT 1000",
 "description": "Finds users and teams that are allowed to push directly to protected branches when push restrictions are enabled. These actors bypass the normal pull request workflow."
 }
diff --git a/extension/saved_searches/repos-secret-scanning-disabled.json b/extension/saved_searches/repos-secret-scanning-disabled.json
index d0ed64b..c4becc5 100644
--- a/extension/saved_searches/repos-secret-scanning-disabled.json
+++ b/extension/saved_searches/repos-secret-scanning-disabled.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] Repositories with Secret Scanning Disabled",
- "query": "MATCH (repo:GH_Repository {secret_scanning: 'disabled'}) RETURN repo LIMIT 1000",
+ "name": "GitHub: Repositories with Secret Scanning Disabled",
+ "query": "MATCH (repo:GH_Repository {secret_scanning: 'disabled'})\nRETURN repo\nLIMIT 1000",
 "description": "Finds repositories where secret scanning is disabled. Committed credentials in these repositories will not be detected by GitHub."
 }
diff --git a/extension/saved_searches/repos-vulnerable-to-workflow-secret-exfil.json b/extension/saved_searches/repos-vulnerable-to-workflow-secret-exfil.json
index 525672e..c98b364 100644
--- a/extension/saved_searches/repos-vulnerable-to-workflow-secret-exfil.json
+++ b/extension/saved_searches/repos-vulnerable-to-workflow-secret-exfil.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] Repos Vulnerable to Workflow Secret Exfiltration",
- "query": "MATCH p1=(:GH_User)-[:GH_HasRole|GH_HasBaseRole|GH_MemberOf*1..]->(:GH_RepoRole)-[:GH_CanCreateBranch]->(repo:GH_Repository)-[:GH_HasSecret]->(s) WHERE (s:GH_RepoSecret OR s:GH_OrgSecret) OPTIONAL MATCH p2=(repo)<-[:GH_CanCreateBranch]-(:GH_User) OPTIONAL MATCH p3=(repo)<-[:GH_CanCreateBranch]-(:GH_Team)<-[:GH_HasRole|GH_MemberOf|GH_AddMember*1..]-(:GH_User) RETURN p1, p2, p3 LIMIT 1000",
+ "name": "GitHub: Repos Vulnerable to Workflow Secret Exfiltration",
+ "query": "MATCH p1=(:GH_User)-[:GH_HasRole|GH_HasBaseRole|GH_MemberOf*1..]->(:GH_RepoRole)-[:GH_CanCreateBranch]->(repo:GH_Repository)-[:GH_HasSecret]->(s)\nWHERE (s:GH_RepoSecret\nOR s:GH_OrgSecret)\nOPTIONAL MATCH p2=(repo)<-[:GH_CanCreateBranch]-(:GH_User)\nOPTIONAL MATCH p3=(repo)<-[:GH_CanCreateBranch]-(:GH_Team)<-[:GH_HasRole|GH_MemberOf|GH_AddMember*1..]-(:GH_User)\nRETURN p1, p2, p3\nLIMIT 1000",
 "description": "Secrets reachable by users who can create new branches (computed by Compute-GitHoundBranchAccess). The GH_CanCreateBranch edge accounts for branch protection rules, push restrictions, blocks_creations settings, and all bypass mechanisms (admin, push_protected_branch, pushAllowances). Edges emit from RepoRole in the common case; per-actor edges from User/Team are only present when per-rule allowances grant additional access beyond the role."
 }
diff --git a/extension/saved_searches/repository-workflows.json b/extension/saved_searches/repository-workflows.json
index 6a421f7..bcaed4f 100644
--- a/extension/saved_searches/repository-workflows.json
+++ b/extension/saved_searches/repository-workflows.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] Repository Workflows",
- "query": "MATCH p=(:GH_Repository)-[:GH_HasWorkflow]->(:GH_Workflow) RETURN p LIMIT 1000",
+ "name": "GitHub: Repository Workflows",
+ "query": "MATCH p=(:GH_Repository)-[:GH_HasWorkflow]->(:GH_Workflow)\nRETURN p\nLIMIT 1000",
 "description": "Returns all repository workflows"
 }
diff --git a/extension/saved_searches/saml-configuration.json b/extension/saved_searches/saml-configuration.json
index a1b532a..33a0f1c 100644
--- a/extension/saved_searches/saml-configuration.json
+++ b/extension/saved_searches/saml-configuration.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] SAML Configuration Mapping",
- "query": "MATCH p=(OIP:GH_SamlIdentityProvider)-[:GH_HasExternalIdentity]->(EI:GH_ExternalIdentity) MATCH p1=(OIP)<-[:GH_HasSamlIdentityProvider]-(:GH_Organization) MATCH p2=(EI)-[:GH_MapsToUser]->() RETURN p,p1,p2 LIMIT 1000",
+ "name": "GitHub: SAML Configuration Mapping",
+ "query": "MATCH p=(OIP:GH_SamlIdentityProvider)-[:GH_HasExternalIdentity]->(EI:GH_ExternalIdentity)\nMATCH p1=(OIP)<-[:GH_HasSamlIdentityProvider]-(:GH_Organization)\nMATCH p2=(EI)-[:GH_MapsToUser]->()\nRETURN p,p1,p2\nLIMIT 1000",
 "description": "Finds SAML Identity Providers, their external identities, and mapped users."
 }
diff --git a/extension/saved_searches/secret-scanning-alerts.json b/extension/saved_searches/secret-scanning-alerts.json
index 64b608d..4cb0801 100644
--- a/extension/saved_searches/secret-scanning-alerts.json
+++ b/extension/saved_searches/secret-scanning-alerts.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] Secret Scanning Alerts",
- "query": "MATCH p=(repo:GH_Repository)-[:GH_Contains]->(:GH_SecretScanningAlert {state:'open'}) RETURN p LIMIT 1000",
+ "name": "GitHub: Secret Scanning Alerts",
+ "query": "MATCH p=(repo:GH_Repository)-[:GH_Contains]->(:GH_SecretScanningAlert {state:'open'})\nRETURN p\nLIMIT 1000",
 "description": "Returns all repositories that have secret scanning alerts."
 }
diff --git a/extension/saved_searches/secret-scanning-disabled-new-repos.json b/extension/saved_searches/secret-scanning-disabled-new-repos.json
index ffd1bf9..42ca05a 100644
--- a/extension/saved_searches/secret-scanning-disabled-new-repos.json
+++ b/extension/saved_searches/secret-scanning-disabled-new-repos.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] Secret Scanning Disabled for New Repositories",
- "query": "MATCH (org:GH_Organization {secret_scanning_enabled_for_new_repositories: false}) RETURN org LIMIT 1000",
+ "name": "GitHub: Secret Scanning Disabled for New Repositories",
+ "query": "MATCH (org:GH_Organization {secret_scanning_enabled_for_new_repositories: false})\nRETURN org\nLIMIT 1000",
 "description": "Finds organizations where secret scanning is not automatically enabled for new repositories. New repositories will not detect committed credentials until manually enabled."
 }
diff --git a/extension/saved_searches/secrets-reachable-by-user.json b/extension/saved_searches/secrets-reachable-by-user.json
index 9a5264d..77004e5 100644
--- a/extension/saved_searches/secrets-reachable-by-user.json
+++ b/extension/saved_searches/secrets-reachable-by-user.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] Secrets Reachable by User",
- "query": "MATCH p=(:GH_User)-[:GH_HasRole|GH_HasBaseRole|GH_MemberOf*1..]->(:GH_RepoRole)-[:GH_WriteRepoContents]->(:GH_Repository)-[:GH_HasSecret]->(s) WHERE s:GH_RepoSecret OR s:GH_OrgSecret RETURN p LIMIT 1000",
+ "name": "GitHub: Secrets Reachable by User",
+ "query": "MATCH p=(:GH_User)-[:GH_HasRole|GH_HasBaseRole|GH_MemberOf*1..]->(:GH_RepoRole)-[:GH_WriteRepoContents]->(:GH_Repository)-[:GH_HasSecret]->(s)\nWHERE s:GH_RepoSecret\nOR s:GH_OrgSecret\nRETURN p\nLIMIT 1000",
 "description": "Returns all repo and org secrets reachable by users through write access. Users with write access can create GitHub Actions workflows to access secrets."
 }
diff --git a/extension/saved_searches/team-membership-admin.json b/extension/saved_searches/team-membership-admin.json
index 49e5dab..35614ad 100644
--- a/extension/saved_searches/team-membership-admin.json
+++ b/extension/saved_searches/team-membership-admin.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] Team Membership Admins",
- "query": "MATCH p=(:GH_User)-[:GH_HasRole]->(:GH_TeamRole)-[:GH_AddMember]->(team:GH_Team) MATCH p1=(team)<-[:GH_MemberOf]-(:GH_Team)<-[:GH_AddMember]-(:GH_TeamRole)<-[:GH_HasRole]-(:GH_User) RETURN p,p1 LIMIT 1000",
+ "name": "GitHub: Team Membership Admins",
+ "query": "MATCH p=(:GH_User)-[:GH_HasRole]->(:GH_TeamRole)-[:GH_AddMember]->(team:GH_Team)\nMATCH p1=(team)<-[:GH_MemberOf]-(:GH_Team)<-[:GH_AddMember]-(:GH_TeamRole)<-[:GH_HasRole]-(:GH_User)\nRETURN p,p1\nLIMIT 1000",
 "description": "Returns all users who hold the maintainer role over a team, this also represents team nesting."
 }
diff --git a/extension/saved_searches/team-structure.json b/extension/saved_searches/team-structure.json
index 89dea37..25c592e 100644
--- a/extension/saved_searches/team-structure.json
+++ b/extension/saved_searches/team-structure.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] Team Structure",
- "query": "MATCH p=(:GH_User)-[:GH_HasRole]->(:GH_TeamRole)-[:GH_MemberOf*1..]->(:GH_Team) RETURN p LIMIT 1000",
+ "name": "GitHub: Team Structure",
+ "query": "MATCH p=(:GH_User)-[:GH_HasRole]->(:GH_TeamRole)-[:GH_MemberOf*1..]->(:GH_Team)\nRETURN p\nLIMIT 1000",
 "description": "Returns the structure of teams within organizations, including team roles and their members."
 }
diff --git a/extension/saved_searches/unprotected-branches.json b/extension/saved_searches/unprotected-branches.json
index d6e8353..b5ace62 100644
--- a/extension/saved_searches/unprotected-branches.json
+++ b/extension/saved_searches/unprotected-branches.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] Unprotected Branches",
- "query": "MATCH p=(repo:GH_Repository)-[:GH_HasBranch]-(:GH_Branch {protected: false}) RETURN p LIMIT 1000",
+ "name": "GitHub: Unprotected Branches",
+ "query": "MATCH p=(repo:GH_Repository)-[:GH_HasBranch]-(:GH_Branch {protected: false})\nRETURN p\nLIMIT 1000",
 "description": "Returns all unprotected branches in repositories."
 }
diff --git a/extension/saved_searches/unprotected-default-branch-with-workflow.json b/extension/saved_searches/unprotected-default-branch-with-workflow.json
index 5d1ced0..51af78b 100644
--- a/extension/saved_searches/unprotected-default-branch-with-workflow.json
+++ b/extension/saved_searches/unprotected-default-branch-with-workflow.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] Repositories with Workflows and Unprotected Default Branch",
- "query": "MATCH p=(repo:GH_Repository)-[:GH_HasWorkflow]->(:GH_Workflow) MATCH p1=(repo)-[:GH_HasBranch]->(branch:GH_Branch) WHERE repo.default_branch = branch.short_name RETURN p1 LIMIT 1000",
+ "name": "GitHub: Repositories with Workflows and Unprotected Default Branch",
+ "query": "MATCH p=(repo:GH_Repository)-[:GH_HasWorkflow]->(:GH_Workflow)\nMATCH p1=(repo)-[:GH_HasBranch]->(branch:GH_Branch)\nWHERE repo.default_branch = branch.short_name\nRETURN p1\nLIMIT 1000",
 "description": "Returns all repositories that have GitHub Actions workflows and an unprotected default branch. This means that users with GH_WriteRepoContents to the Repository can overwrite or change the workflow."
 }
diff --git a/extension/saved_searches/unprotected-default-branches.json b/extension/saved_searches/unprotected-default-branches.json
index e13ef2f..b9add1b 100644
--- a/extension/saved_searches/unprotected-default-branches.json
+++ b/extension/saved_searches/unprotected-default-branches.json
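Review bot: The unprotected-default-branch-with-workflow query never constrains `branch.protected`, so the reformatted query returns every default branch that has a workflow, protected or not, which contradicts both the search's name and its description; the sibling unprotected-default-branches search filters with `{protected: false}` on the branch node. Suggest `MATCH p1=(repo)-[:GH_HasBranch]->(branch:GH_Branch {protected: false})` (or `AND branch.protected = false` in the WHERE clause) so the results match the stated intent. The query also returns only `p1`, so the workflow path `p` that motivates the search is never shown; `RETURN p, p1` would keep it in the graph view. The repo-to-branch pattern is directed here but undirected (`-[:GH_HasBranch]-`) in the two neighbouring unprotected-branch searches; pick one form so the three searches agree.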
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] Unprotected Default Branches",
- "query": "MATCH p=(repo:GH_Repository)-[:GH_HasBranch]-(branch:GH_Branch {protected: false}) WHERE repo.default_branch = branch.short_name RETURN p LIMIT 1000",
+ "name": "GitHub: Unprotected Default Branches",
+ "query": "MATCH p=(repo:GH_Repository)-[:GH_HasBranch]-(branch:GH_Branch {protected: false})\nWHERE repo.default_branch = branch.short_name\nRETURN p\nLIMIT 1000",
 "description": "Returns all default branches in repositories that are not protected."
 }
diff --git a/extension/saved_searches/web-commit-signoff-not-required.json b/extension/saved_searches/web-commit-signoff-not-required.json
index cf65620..896d383 100644
--- a/extension/saved_searches/web-commit-signoff-not-required.json
+++ b/extension/saved_searches/web-commit-signoff-not-required.json
@@ -1,5 +1,5 @@
 {
- "name": "[GitHub] Web Commit Signoff Not Required",
- "query": "MATCH (org:GH_Organization {web_commit_signoff_required: false}) RETURN org LIMIT 1000",
+ "name": "GitHub: Web Commit Signoff Not Required",
+ "query": "MATCH (org:GH_Organization {web_commit_signoff_required: false})\nRETURN org\nLIMIT 1000",
 "description": "Finds organizations that do not require sign-off for web-based commits. Without signoff, commit attribution cannot be verified."
 }
diff --git a/extension/schema.json b/extension/schema.json
index 3eb8e32..0737048 100644
--- a/extension/schema.json
+++ b/extension/schema.json
@@ -801,4 +801,4 @@
 }
 ],
 "relationship_findings": []
-}
+}
\ No newline at end of file
From e55195ad1e23628bdcc1eeffa3347c545dff84e1 Mon Sep 17 00:00:00 2001
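Review bot: The description retained in the new web-commit-signoff-not-required.json overstates the control: "Without signoff, commit attribution cannot be verified" reads as if sign-off were a signature, but the web-commit sign-off setting only adds a `Signed-off-by` trailer, a DCO-style attestation by the committer, and verification of who authored a commit comes from commit signing, which this query does not inspect. Suggested wording: `"Finds organizations that do not require sign-off for web-based commits. Sign-off adds a Signed-off-by trailer attesting the contributor's right to submit the change; it is not a signature and does not by itself verify commit authorship."`.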
From: JonasBK Date: Thu, 9 Apr 2026 14:04:27 +0200 Subject: [PATCH 02/16] add og-docs-automation submodule --- .gitmodules | 3 + .../extensions/githound/reference/gh_app.png | Bin 0 -> 1136 bytes .../githound/reference/gh_appinstallation.png | Bin 0 -> 1028 bytes .../githound/reference/gh_branch.png | Bin 0 -> 1049 bytes .../reference/gh_branchprotectionrule.png | Bin 0 -> 1071 bytes .../githound/reference/gh_enterprise.png | Bin 0 -> 1311 bytes .../githound/reference/gh_enterpriserole.png | Bin 0 -> 1147 bytes .../githound/reference/gh_enterpriseteam.png | Bin 0 -> 1205 bytes .../githound/reference/gh_environment.png | Bin 0 -> 1145 bytes .../reference/gh_environmentsecret.png | Bin 0 -> 1027 bytes .../reference/gh_environmentvariable.png | Bin 0 -> 1009 bytes .../reference/gh_externalidentity.png | Bin 0 -> 1042 bytes .../githound/reference/gh_organization.png | Bin 0 -> 1137 bytes .../githound/reference/gh_orgrole.png | Bin 0 -> 1152 bytes .../githound/reference/gh_orgsecret.png | Bin 0 -> 1020 bytes .../githound/reference/gh_orgvariable.png | Bin 0 -> 1001 bytes .../reference/gh_personalaccesstoken.png | Bin 0 -> 1154 bytes .../gh_personalaccesstokenrequest.png | Bin 0 -> 1089 bytes .../githound/reference/gh_reporole.png | Bin 0 -> 1021 bytes .../githound/reference/gh_reposecret.png | Bin 0 -> 1030 bytes .../githound/reference/gh_repository.png | Bin 0 -> 1022 bytes .../githound/reference/gh_repovariable.png | Bin 0 -> 1012 bytes .../reference/gh_samlidentityprovider.png | Bin 0 -> 1095 bytes .../reference/gh_secretscanningalert.png | Bin 0 -> 1105 bytes .../extensions/githound/reference/gh_team.png | Bin 0 -> 1122 bytes .../githound/reference/gh_teamrole.png | Bin 0 -> 1080 bytes .../extensions/githound/reference/gh_user.png | Bin 0 -> 1034 bytes .../githound/reference/gh_workflow.png | Bin 0 -> 1244 bytes .../githound/reference/gh_workflowjob.png | Bin 0 -> 1362 bytes .../githound/reference/gh_workflowstep.png | Bin 0 -> 1174 bytes 
.../opengraph/extensions/githound/docs.json | 162 ++++ .../reference/edges/gh_addassignee.mdx | 25 + .../reference/edges/gh_addcollaborator.mdx | 25 + .../githound/reference/edges/gh_addlabel.mdx | 25 + .../githound/reference/edges/gh_addmember.mdx | 25 + .../githound/reference/edges/gh_adminto.mdx | 25 + .../edges/gh_bypassbranchprotection.mdx | 25 + .../edges/gh_bypasspullrequestallowances.mdx | 25 + .../reference/edges/gh_callsworkflow.mdx | 21 + .../githound/reference/edges/gh_canaccess.mdx | 31 + .../reference/edges/gh_canassumeidentity.mdx | 14 + .../reference/edges/gh_cancreatebranch.mdx | 76 ++ .../reference/edges/gh_caneditprotection.mdx | 51 ++ .../reference/edges/gh_canpwnrequest.mdx | 70 ++ .../edges/gh_canreadsecretscanningalert.mdx | 42 ++ .../reference/edges/gh_canwritebranch.mdx | 110 +++ .../reference/edges/gh_closediscussion.mdx | 25 + .../reference/edges/gh_closeissue.mdx | 25 + .../reference/edges/gh_closepullrequest.mdx | 25 + .../githound/reference/edges/gh_contains.mdx | 60 ++ .../edges/gh_convertissuestodiscussions.mdx | 25 + .../edges/gh_creatediscussioncategory.mdx | 25 + .../reference/edges/gh_createrepository.mdx | 25 + .../edges/gh_createsolomergequeueentry.mdx | 25 + .../githound/reference/edges/gh_createtag.mdx | 25 + .../reference/edges/gh_createteam.mdx | 25 + .../edges/gh_deletealertscodescanning.mdx | 25 + .../reference/edges/gh_deletediscussion.mdx | 25 + .../edges/gh_deletediscussioncomment.mdx | 25 + .../reference/edges/gh_deleteissue.mdx | 25 + .../githound/reference/edges/gh_deletetag.mdx | 25 + .../githound/reference/edges/gh_dependson.mdx | 14 + .../githound/reference/edges/gh_deploysto.mdx | 14 + .../edges/gh_editcategoryondiscussion.mdx | 25 + .../edges/gh_editdiscussioncategory.mdx | 25 + .../edges/gh_editdiscussioncomment.mdx | 25 + .../edges/gh_editrepoannouncementbanners.mdx | 25 + .../gh_editrepocustompropertiesvalues.mdx | 25 + .../reference/edges/gh_editrepometadata.mdx | 25 + .../edges/gh_editrepoprotections.mdx | 
25 + .../reference/edges/gh_hasbaserole.mdx | 27 + .../githound/reference/edges/gh_hasbranch.mdx | 25 + .../reference/edges/gh_hasenvironment.mdx | 28 + .../edges/gh_hasexternalidentity.mdx | 25 + .../githound/reference/edges/gh_hasjob.mdx | 14 + .../edges/gh_haspersonalaccesstoken.mdx | 25 + .../gh_haspersonalaccesstokenrequest.mdx | 25 + .../githound/reference/edges/gh_hasrole.mdx | 36 + .../edges/gh_hassamlidentityprovider.mdx | 25 + .../githound/reference/edges/gh_hassecret.mdx | 28 + .../githound/reference/edges/gh_hasstep.mdx | 14 + .../reference/edges/gh_hasvariable.mdx | 28 + .../reference/edges/gh_hasworkflow.mdx | 25 + .../reference/edges/gh_installedas.mdx | 25 + .../reference/edges/gh_invitemember.mdx | 25 + .../reference/edges/gh_jumpmergequeue.mdx | 25 + .../reference/edges/gh_managedeploykeys.mdx | 25 + .../edges/gh_managediscussionbadges.mdx | 25 + .../edges/gh_manageorganizationwebhooks.mdx | 14 + .../edges/gh_managereposecurityproducts.mdx | 25 + .../edges/gh_managesecurityproducts.mdx | 25 + .../edges/gh_managesettingsmergetypes.mdx | 25 + .../edges/gh_managesettingspages.mdx | 25 + .../edges/gh_managesettingsprojects.mdx | 25 + .../reference/edges/gh_managesettingswiki.mdx | 25 + .../reference/edges/gh_managetopics.mdx | 25 + .../reference/edges/gh_managewebhooks.mdx | 25 + .../reference/edges/gh_mapstouser.mdx | 25 + .../reference/edges/gh_markasduplicate.mdx | 25 + .../githound/reference/edges/gh_memberof.mdx | 27 + ...orgbypasscodescanningdismissalrequests.mdx | 14 + ...orgbypasssecretscanningclosurerequests.mdx | 14 + ...wandmanagesecretscanningbypassrequests.mdx | 14 + ...andmanagesecretscanningclosurerequests.mdx | 14 + .../githound/reference/edges/gh_owns.mdx | 25 + .../reference/edges/gh_protectedby.mdx | 25 + .../edges/gh_pushprotectedbranch.mdx | 25 + .../reference/edges/gh_readcodescanning.mdx | 25 + ...gh_readorganizationactionsusagemetrics.mdx | 14 + .../gh_readorganizationcustomorgrole.mdx | 14 + 
.../gh_readorganizationcustomreporole.mdx | 14 + .../reference/edges/gh_readrepocontents.mdx | 25 + .../reference/edges/gh_removeassignee.mdx | 25 + .../reference/edges/gh_removelabel.mdx | 25 + .../reference/edges/gh_reopendiscussion.mdx | 25 + .../reference/edges/gh_reopenissue.mdx | 25 + .../reference/edges/gh_reopenpullrequest.mdx | 25 + .../reference/edges/gh_requestprreview.mdx | 25 + .../edges/gh_resolvedependabotalerts.mdx | 25 + .../edges/gh_resolvesecretscanningalerts.mdx | 29 + .../edges/gh_restrictionscanpush.mdx | 25 + .../reference/edges/gh_runorgmigration.mdx | 25 + .../edges/gh_setinteractionlimits.mdx | 25 + .../reference/edges/gh_setissuetype.mdx | 25 + .../reference/edges/gh_setmilestone.mdx | 25 + .../reference/edges/gh_setsocialpreview.mdx | 25 + .../githound/reference/edges/gh_syncedto.mdx | 25 + .../edges/gh_togglediscussionanswer.mdx | 25 + .../gh_togglediscussioncommentminimize.mdx | 25 + .../reference/edges/gh_transferrepository.mdx | 25 + .../reference/edges/gh_usessecret.mdx | 30 + .../reference/edges/gh_usesvariable.mdx | 30 + .../reference/edges/gh_validtoken.mdx | 25 + .../edges/gh_viewdependabotalerts.mdx | 25 + .../edges/gh_viewsecretscanningalerts.mdx | 29 + .../reference/edges/gh_writecodescanning.mdx | 25 + .../gh_writeorganizationactionssecrets.mdx | 14 + .../gh_writeorganizationactionssettings.mdx | 14 + .../gh_writeorganizationactionsvariables.mdx | 14 + .../gh_writeorganizationcustomorgrole.mdx | 14 + .../gh_writeorganizationcustomreporole.mdx | 14 + ...writeorganizationnetworkconfigurations.mdx | 14 + .../reference/edges/gh_writerepocontents.mdx | 25 + .../edges/gh_writerepopullrequests.mdx | 25 + .../githound/reference/nodes/gh_app.mdx | 42 ++ .../reference/nodes/gh_appinstallation.mdx | 49 ++ .../githound/reference/nodes/gh_branch.mdx | 58 ++ .../nodes/gh_branchprotectionrule.mdx | 80 ++ .../reference/nodes/gh_environment.mdx | 50 ++ .../reference/nodes/gh_environmentsecret.mdx | 40 + .../nodes/gh_environmentvariable.mdx | 
40 + .../reference/nodes/gh_externalidentity.mdx | 46 ++ .../reference/nodes/gh_organization.mdx | 81 ++ .../githound/reference/nodes/gh_orgrole.mdx | 67 ++ .../githound/reference/nodes/gh_orgsecret.mdx | 43 ++ .../reference/nodes/gh_orgvariable.mdx | 43 ++ .../nodes/gh_personalaccesstoken.mdx | 49 ++ .../nodes/gh_personalaccesstokenrequest.mdx | 43 ++ .../githound/reference/nodes/gh_reporole.mdx | 172 +++++ .../reference/nodes/gh_reposecret.mdx | 42 ++ .../reference/nodes/gh_repository.mdx | 197 +++++ .../reference/nodes/gh_repovariable.mdx | 42 ++ .../nodes/gh_samlidentityprovider.mdx | 44 ++ .../nodes/gh_secretscanningalert.mdx | 47 ++ .../githound/reference/nodes/gh_team.mdx | 56 ++ .../githound/reference/nodes/gh_teamrole.mdx | 46 ++ .../githound/reference/nodes/gh_user.mdx | 71 ++ .../githound/reference/nodes/gh_workflow.mdx | 40 + .../reference/nodes/gh_workflowjob.mdx | 11 + .../reference/nodes/gh_workflowstep.mdx | 11 + .../reference/privilege-zone-rules.mdx | 136 ++++ .../extensions/githound/reference/queries.mdx | 696 ++++++++++++++++++ .../extensions/githound/reference/schema.mdx | 196 +++++ docs/og-docs-automation | 1 + docs/og-docs.json | 12 + 175 files changed, 5635 insertions(+) create mode 100644 .gitmodules create mode 100644 docs/official-docs/images/extensions/githound/reference/gh_app.png create mode 100644 docs/official-docs/images/extensions/githound/reference/gh_appinstallation.png create mode 100644 docs/official-docs/images/extensions/githound/reference/gh_branch.png create mode 100644 docs/official-docs/images/extensions/githound/reference/gh_branchprotectionrule.png create mode 100644 docs/official-docs/images/extensions/githound/reference/gh_enterprise.png create mode 100644 docs/official-docs/images/extensions/githound/reference/gh_enterpriserole.png create mode 100644 docs/official-docs/images/extensions/githound/reference/gh_enterpriseteam.png create mode 100644 
docs/official-docs/images/extensions/githound/reference/gh_environment.png create mode 100644 docs/official-docs/images/extensions/githound/reference/gh_environmentsecret.png create mode 100644 docs/official-docs/images/extensions/githound/reference/gh_environmentvariable.png create mode 100644 docs/official-docs/images/extensions/githound/reference/gh_externalidentity.png create mode 100644 docs/official-docs/images/extensions/githound/reference/gh_organization.png create mode 100644 docs/official-docs/images/extensions/githound/reference/gh_orgrole.png create mode 100644 docs/official-docs/images/extensions/githound/reference/gh_orgsecret.png create mode 100644 docs/official-docs/images/extensions/githound/reference/gh_orgvariable.png create mode 100644 docs/official-docs/images/extensions/githound/reference/gh_personalaccesstoken.png create mode 100644 docs/official-docs/images/extensions/githound/reference/gh_personalaccesstokenrequest.png create mode 100644 docs/official-docs/images/extensions/githound/reference/gh_reporole.png create mode 100644 docs/official-docs/images/extensions/githound/reference/gh_reposecret.png create mode 100644 docs/official-docs/images/extensions/githound/reference/gh_repository.png create mode 100644 docs/official-docs/images/extensions/githound/reference/gh_repovariable.png create mode 100644 docs/official-docs/images/extensions/githound/reference/gh_samlidentityprovider.png create mode 100644 docs/official-docs/images/extensions/githound/reference/gh_secretscanningalert.png create mode 100644 docs/official-docs/images/extensions/githound/reference/gh_team.png create mode 100644 docs/official-docs/images/extensions/githound/reference/gh_teamrole.png create mode 100644 docs/official-docs/images/extensions/githound/reference/gh_user.png create mode 100644 docs/official-docs/images/extensions/githound/reference/gh_workflow.png create mode 100644 docs/official-docs/images/extensions/githound/reference/gh_workflowjob.png create mode 
100644 docs/official-docs/images/extensions/githound/reference/gh_workflowstep.png create mode 100644 docs/official-docs/opengraph/extensions/githound/docs.json create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addassignee.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addcollaborator.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addlabel.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addmember.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_adminto.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_bypasspullrequestallowances.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_callsworkflow.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canaccess.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canassumeidentity.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_cancreatebranch.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_caneditprotection.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canpwnrequest.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canreadsecretscanningalert.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canwritebranch.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closediscussion.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closeissue.mdx create mode 100644 
docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closepullrequest.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_contains.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_convertissuestodiscussions.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_creatediscussioncategory.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createrepository.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createsolomergequeueentry.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createtag.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createteam.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletealertscodescanning.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletediscussion.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletediscussioncomment.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deleteissue.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletetag.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_dependson.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deploysto.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editcategoryondiscussion.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editdiscussioncategory.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editdiscussioncomment.mdx create mode 100644 
docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepoannouncementbanners.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepocustompropertiesvalues.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepometadata.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepoprotections.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasbaserole.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasbranch.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasenvironment.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasexternalidentity.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasjob.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstoken.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstokenrequest.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasrole.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hassamlidentityprovider.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hassecret.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasstep.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasvariable.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasworkflow.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_installedas.mdx create mode 100644 
docs/official-docs/opengraph/extensions/githound/reference/edges/gh_invitemember.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_jumpmergequeue.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managedeploykeys.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managediscussionbadges.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_manageorganizationwebhooks.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managereposecurityproducts.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesecurityproducts.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingsmergetypes.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingspages.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingsprojects.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingswiki.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managetopics.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managewebhooks.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_mapstouser.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_markasduplicate.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_memberof.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgbypasscodescanningdismissalrequests.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgbypasssecretscanningclosurerequests.mdx create 
mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgreviewandmanagesecretscanningbypassrequests.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgreviewandmanagesecretscanningclosurerequests.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_owns.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_protectedby.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readcodescanning.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationactionsusagemetrics.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationcustomorgrole.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationcustomreporole.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readrepocontents.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_removeassignee.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_removelabel.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopendiscussion.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopenissue.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopenpullrequest.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_requestprreview.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_resolvedependabotalerts.mdx create mode 100644 
docs/official-docs/opengraph/extensions/githound/reference/edges/gh_resolvesecretscanningalerts.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_restrictionscanpush.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_runorgmigration.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setinteractionlimits.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setissuetype.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setmilestone.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setsocialpreview.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_syncedto.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_togglediscussionanswer.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_togglediscussioncommentminimize.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_transferrepository.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_usessecret.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_usesvariable.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_validtoken.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_viewdependabotalerts.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writecodescanning.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionssecrets.mdx create mode 100644 
docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionssettings.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionsvariables.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationcustomorgrole.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationcustomreporole.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationnetworkconfigurations.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writerepocontents.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writerepopullrequests.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_app.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_appinstallation.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_branch.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environment.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environmentsecret.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environmentvariable.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_externalidentity.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_organization.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgrole.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgsecret.mdx create mode 100644 
docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgvariable.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_personalaccesstokenrequest.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_reporole.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_reposecret.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_repository.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_repovariable.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_samlidentityprovider.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_team.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_teamrole.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_user.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_workflow.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_workflowjob.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_workflowstep.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/privilege-zone-rules.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/queries.mdx create mode 100644 docs/official-docs/opengraph/extensions/githound/reference/schema.mdx create mode 160000 docs/og-docs-automation create mode 100644 docs/og-docs.json diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..c297b02 
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "docs/og-docs-automation"]
+ path = docs/og-docs-automation
+ url = https://github.com/SpecterOps/og-docs-automation
diff --git a/docs/official-docs/images/extensions/githound/reference/gh_app.png b/docs/official-docs/images/extensions/githound/reference/gh_app.png new file mode 100644 index 0000000000000000000000000000000000000000..e3d3ba189337847f434919c62eb171a4357ad3ad GIT binary patch literal 1136 zcmV-$1dscPP)?1=kkT9NG;mG-+Dh z_7DTr_Mi}y96SXz>BU1+8>rBtP4pDkLL^0qrBFAAsFx*s*nlgcyJ*?<)LGZVBm~;S zyE7SgW4F7rrC9zN&tD4qP-NVMf4{GcL6_ySRMoF0JQXWf{&# zIv!(Xa)eCkfSmD*IWh$aNWh-9=3MHFiWpadMWLqV14xK0T1T?qX zy*{qbukv4FX>>p(aUvWR-I!^>)8gzRIJ;1EF*&u*<2yIG?d#ySuY=I!2y$w_=$zo} z0*!6$AVREdY}Eq}gzNcw`ANZ;E7=S?D?hWdvWSw+oanRGH_{y(raSm$!LX&{F@74l zq&Ck1iP~Ia4)C}G1H53EFa=4MDlwoHi?g2UUxN8?ilB64b~WR20B{~jesPM$f?oU>*vO!XGOCe!%nf5C9IZkD>XHAu-9ReZ4qs)&dG5GkKKbBQErvR76`-Gw#43 ztxgwz#UiH47+wEGOHxu>JN}6&{1Y?Snwkw`H|Azk0!zTdD$?;HI}aBPM69+3x<4PL zJ2+fbI+hW4gZ`J>Vcdbws5@gdEKqmGio@H3>%)&xj*m1~x&s4z`ppkq=(}V(PbI%R z7F3DPklTCtSF%mOZTI$YeLiHmP__8+nqMUxMPy*Zl}yfcWRj6BmPQ8+sk9m>*$hjg zgR1e2-Z(&Q{&?UC@I@wdV12n0<{j6&rkkl8q~kG`$ATR0#q`D#`Z2`{lTE-4LTdX) z#w#pL=7_FqVLajXatNp-#u4QiAhMV{FhGmbh1FKCofc7=WjWjvrCFX5&LHlbRTrxc z-~p8vrw=$~aheYa;YPJQm&k<(;bNJ$<@qLM{_(%dJfUob&Cmn@0000ZL1-IC6ox;m&;}Vv+k<=&j#X&ERty$I)xoAHu6nUAm4d`R80epDfE!YP9X=!&|>vgh?P?e2IbaXf-Q)15INLEm3^!1ppy#KDkwC`p*_sb zW-RYYE2%#$?9R--|DQK+=FJmcylt$pYcA@e3^H@|H$+a_gkVM_5}*SQ4bhN7%`&TmHM8%i|A>f>>fR zu%&a`PdJ5@?gsg(Bd2hOX804Nr=sn<>jMP~>_r;!t~viEg7B0t|BLL99HyTH5mRhnmy zf9Y$+k@y@pe>xja-zH||VU=_l0*J)tERD>kugKu(3I4z+3z-$mzF0CPUlT5jV6a>J zP;^H9!7*aVl&wvrJ!lH(XO{iK?J;+m&jpML0nX0({{xB#!mdsOCHjp4CvXABAhw4c zBJnxg9B% z%9+E*3i9sI2?|&B9pfeS=Jl(t+wJ4e=1l`{UcWlk=k|E{{K|FG-+kXzg^^uOu= zt6h&`E3}$AmC`;NnJ)oY&TSEj&Nxb9?MJZ-k(cv;Z7OZYu-9jL1B7RsW>AGAj}Zf4 zWTs+ayK5{A0&!_I?}=Fe83PSOX1sLpWS3ZSk$2xa*VSOFsq@j)MZ%wa>S*kp^kumN zRuT2XnJd{IFcpfG0000_i%O4Xs|3W2!2 z8{*AfvK2d|L!raDQ_>-g10BM3s1rKmmW#3+g$tYl9dvL|-H^kh9CvW1c6fTqlP&Ay zOf6)EEx;f#br#rfT7*N(B=SeJ03y5hue8c%RSwpz$B}o6KJ{U2&)CH> zhku^X?e}!xAHacY4;Tp7^J3$1Y|S12Ipx-a7}0O{o7lzWA@a`-Yq7r5${v<+FKW9T 
zk56{Lkj;6(&xMT!h}}N8;acty0ClU%qm@knnt%KFeHHW5 zM7uNpJhGd~Pg7f58?rOBIZAp#1}iIvi0wmbDq-qHUTi#$+WYo)qODzAX5Ze9+D>I} zWc*MjVCM+qwW${pjird|8Qd9Zr;eosFNMp91f=~q3*3&!ma_|p$yFx&= zI6rtKlaRKVA?6)3mu5IFN_t`F?7t0@z-!>HA6#bg!ng!Ua66uSy~rV|7<`ej{ucyc zJOP48fEzC&Vo(&n6QK&1pF`Aew7sVz$(8ucSM6^{+Gd3kqT4ybtaRp|;|G^R#xlm& zt?I}aKMwrhQZ3n>93n3t0I_g8hzZhjKvpOm2SD)7(s33frDIu;1c*smPhLHvVy;F7 ziJ{G584Cpc9{SWQ&6Uj?kq7-N%B_d;1Z)xRy}^>q0ZNu}kJHND*d%E%cR!bFe}Txr z0f>4a5*ZG3rQ3u4)vbxe%pXYdu1XH^nh>B5oB&_?!JGV(SI=1d=wtM$*&C6&9glMB zp^PJv+*fVVE+!680+GM#*2Y*DlPzagJ+3jgXAvMp)DYJ*KxDB>SU1k(r=rv1c09WM zzi~SrE%!JUIT0JKnM9ry2GC;s%V~>SUQP$0A>1gh=NjP>AzU1AeLZ)`IOG2SW0`}Z T$-*GB00000NkvXXu0mjfD**9^ literal 0 HcmV?d00001 
diff --git a/docs/official-docs/images/extensions/githound/reference/gh_branchprotectionrule.png b/docs/official-docs/images/extensions/githound/reference/gh_branchprotectionrule.png new file mode 100644 index 0000000000000000000000000000000000000000..9dbf139c19fd020a542eba9fc69d59fb915b73af GIT binary patch literal 1071 zcmV+~1kn45P)ZKWH0w6vsclq)CKp`=miK4%By!As#FwQ&Nm*(ywvVgrIS0D$O$y26m%vYT5!&1Xp>5m_$)^#tp)9HI{B>A zopf>^9NfS6-uL(3@4esm4bZ!YKpaQ{lH~%>ELQ>80CW$wT}1*O0RMWt9#{Z6%7Du^ z5m*4y=8O2WpJXgZbYd7O=tBzm08rE_daZ$?R>`lwU~Bi#Y9|9M;Sdog03z@RhyvW0 z8zYmNY&q;ETDeYUWryYU7v?JknC%3j6M$&bxfqd$$fu`?P7L?txLp*rO7d=ry~-P! z&S#ro907>HE+EFI{S@xZAin)pU(QX@UmuaYTVi8--vl9JiG&qEE9~)UKgGrOPUW~= z5}*HUf;f?mGnRk81dv1hR(8yV5nN%j!q;oRQ`Y}s>f)en|BU+2 zqgCo=nfigk07mZj0e0`dZwqDmn_pS_VXxzgx=H%F#8 z0Zuk7zN8iaDQGXF=){oiomc5(!%`(90x%9Z)^SAcuMNBDS|Sh?x*17?{e1)IMOOg! z09#`*C4FtYZvalZidr>qw*(9pgI4JbKnnSYhXbCS$HM`~v|1XO-U47jWs^+ml4k&J zIu>7=fWhG?Y*ri<65#;z9#S!XZJdNl)bhtfr6ABel{U8b9rpo1?)Fqq6%mn#$=#lE z{H~SjR?1csFwW&=fXvE{tMTIE6;}`ud6?qj6;~S;AIpI5={Rl~`Sv;4Hn0n+NirX~ z@0Cu+v6T^JfCVY!qm;Yam5Ld}^SPmzy401B=&z5MNk28yoNfBEQL-WsNrVGDy5}BB zuM++ACo}h37$>ma4!{JV0V9cUfbYME{x78T!+Q$FXRiPbFw)&3rR~J;4X_5Jv`YQL zkEOqeT^?c7f4(p0idtp%&Mzh>IKWuBX8p%)Few5NFwXA|pLLP)ZPiP!f9LGQ1W{DHn=`tlmoCR0h;O-%&7?|YH+7@#Nda&z3 zuwZfsh|n$M(uC zpX&jF9dTfnzBF(inDTyTIfK4|QB*yTqUrQ#832T3vf~JZwL!gllWl7wIL|cj6&){23XYlkTRK2h##Zd^$ zlYIJSkW{G>~!BY`yV3y{`w21ApxBo*~PDfh7B2<~4ygZ;Sbk$8iEB@z+kw>{+} zrG=MP4vM^!=AKw$?eM=Sd{H zL*ox7yE&XQ`1Qwc0ZssOK*O`ZG)QlcbGVixSSycHtIVJqMOuzvb9LVD-&~!iAu~MA%SSx>uuuK$9N7W1b_V5-v0R=mbpk7@> z)e9(^j<8JD%Hy$f1$0aR>4a+zw44!Z`dVcM;U<<>2Sx#S`tVkp-0zR?g=B6cszL>Mli%jjSK0-je+tm*XR@T3ExgOm%U9_w9An_)3$dmbmdQ`wO?%BE&UbJz zIl`aZJB$>HU$pf_vEvBtUOweT+XYu&C|jhF{xGQJh8Zc%N9TAc+`0UrxA*JF3fzbi z@JMU|hqT- zEi>P91cdvEP)ZPe>eB9LGOy{*x)?)0Ltpr=g}6k<21?Nc5~-WyR29u3X(3VDqq{;&t3{}F3r)l=H9gE0EZryWX|`Zic4$xS;qA=M zuCueVNxm@5n>X+Ge&6@|z4!b5UK8G-0B-~RK)dY$$l9J2;3wdqfw^7L4m<$tZ1~6uJgu7HCy%9p;5Up(i0%rmM2u)xViinILmDpr2vuB^@CNN74i_{{Z 
z06zkq0MS^K*yy08upab%o#gy7sbtFR`VF|?M8b(cXGysd3;x>chr3j+ zEnR;u#np%pO_?Mr+;Pk{<_^#w3FBym-O}i3G?$TkToqZ z19V1XQF<=*x=xaqTjtv@zB$sryR!>`+Wl5dStX#5&*|ndeFa$YA$>m#5E~tIRSq0k zxg9?&uGN*d=@^&;$S>HRNg;Ck(xL8Gz#rN!ie-!df^E2q2{I>z=b6fS%L&TP7J^ zZEGdq(S?9zIbg?!tYXOLbWg&m#HRI*4^0stn&Q{>bj81VFv`dEz#mj=nFg zq{*yCb4&T$n|=CzX{?JyZI)W`QOZi0EzMF;jpSUSBFbg9G>n3Qwxyw&?Z=w+zgQ@e zoJ%+_W?#3LY#TmgUS0r5&M!MNPFDI>XoB?mw)LG}-)67Mh1D|FV#+!eDD44|g(InC z>WKf0f^+O&TU>Q)yU7Yo*z3fbP>usxU=p}7J2K5@D{-q7^SAhk^h6w!klLj>wn63v zzip2c3q@u}rp?dElFlO~*#^*|cB@P*zSxrN+PmYX?{|FnsVxk;ZQbB|S&9;+Jv53mYc%IESg|Niq6UhjCLZoO9vLKED+5;ynNQ{>9C_Azc3 zlMSE)WSWhQ3^aBzxtp+`_X@LnAz+diLtf7Snf0Qva|G28{!@Odcomw!I5gPP1gYd^ z^+}pU)|}6LS#1X%()i`{AZPiz}S6vlsXR@lVUy981v0>@6(G&wj<0w|YMAw9q$D1l3) z=8(bxL?k%$fC_33HJ3_>dMIjpKp-{22Up60sz?#ap$!Huks9!yR4FQTVk2S4YVk&L z@k-{;VR!Advrg?epET0$?9BVVoq6xgn zR9TT~0wmxLFaY3dJI#pe(<0&1kj*CuCFh7_Zs=XV0;kMGm zcXaY;@2!T(0c?WEwD%Tn$8Z^knE*d9;B4_S*&Aq>xDu1S0Ys|{)GaPLw!Q@()TQVB z{?+21%SwW*x_<|TWOX50OVRRmcvSz?1#Ai0iyu^PH#*!(e3tuhjM(ROeLFBs!AF=%K z6V}rU$V!5q*0+$A1V8>U&!fK|@Ip&Bg2iTPukf$J!|ZJUML^5f?RIZf)sdYbEAd%X zOd-qo@oRcq0~DV_$vMJ1YWA}U4t#A>ruGb69*ZtO_taXU#dXWGwt-F#{)K5Uq!;w-QTycusN?{F*o00V*0=!kqI3%o-Hww? 
z_I`6nMd=y6u8>jBo?=njTsa>29+;Aqgzfk2ZC*O^D$hORJP>&*7bURqHt8o(oqQB6 z@95a?VzLVK1Nhpe7;&Ae^I|e@%!FZ$yrzqZQN&r)>lvU{KK*S|IPG4nf}?nZUr1Y59LGP+d>BmAJ2qG}ET#}K3{oR3W3Ys^4u)-nhOK2x z+19Lmv1QRW>wM5XsOj4paqeLw86(2j1{qW%16N1fi#}-M9&U-HDrEY${2T0Td$>8* zn`;tp)Gu7P_ndRj_j`WlcYeR$Ifrpbz}r9ouxlQG9nF&feg|?5%v~3DAPW4~;1ksd ztci1V`Xpc+7#0m4ubZAeA5ND8tIdM7y%hjCouQB~A#ZJyh$nfnwXL0J0(d|Ti_{Vz z0gnJTz_tEf?v4gk!sC$L-Dh?>$}jUvqG=PjTunqZ0q!!n)ai0CH8+a$VuvAOJ>+zT z&-%ysYwv(E`Q@^hngS%?86bJQZX)xOn5C8zkqZ=ZMMC{!tgmhg5f{){LMuQuyT|J$ zwir1Tu^uPVmSVh7jy zd&TDjC_W$oe*^rw^+Q8P?a7}{k<%Ff)>k)?x3($diWTGZ{*>L_=Uvwa;`7BO;F1_< zguIX|aes7%L_BFos2prlM4g}uBfj~l%2upavb~P z{d*DBs2Bl38zxPO+@FU={38ji5Tf>Q#AEp=^oHpd7dIV|&w!-0dS+=4idPe`0!k>=`+-O#J$@xfnWbi;3z3Q#pvOmpH;67oYUY&e?!LBUTWLbc z%ijT?%uYv{`ug+3!Fva^*(?<+F-y(F7L|aswz{bvKda3`kKb2w)dC_tmpOByAhDxV zLj1h?t*Sl|Pg2O2`1sC^x|14(oX+sR_m=p)0PJWhq6uK!+TO}fsc%kQ6X;RM6}j%a zEw=d!H0fACLh*;LH+3HUI(ckuil%j`^$f_z6irryP51?U1L z3EjDOv!QC~t8h$v-Yd**M1T-6j8Z@XN)`(Y^x|}N&|-c;JuPxNL$UA=@>YgKd`TPY zL2VOqRDj8r(rBq~T z8a3)zmS#x12Crplm#7;-f=sQ1lnxacpe>3(DpJFM2YS>S*0xjzXF95{M#2XU=H~Agl$d{=!p)W zIRm&0+?E58WRS$AFrm1P9_~RO>;=FwZOX+8)~?O=a*l)D7wUgzfba3Jh?f8ZSOG=> zE>1*9-MruuHiP~2CF=`2WFGCyp+A8ujYKpOFzS#S1Mz+)?~D*i=q(Y~!!m6irZ;(! zFX511am08EFo3@SBa#gA@!byz^mU(#T%ug8@G!l}{??%sF@$0Xt&V&}l3$-qy*4>O zps$>8aUX$)fBZAWv z5JQ-r8}}~z`h4#573_QoJ>0|C%?ki*EbNG}!CtXALMj4)rGBuk5MD*u`uNxwi(78Afk=+>(F<=0<08-A5yl`OJ07R2- zp@)0iaXs8aD6ZG6@q)r}3otZb9K<2hEYIuxu0qC)-x>gYu$O^&zwC~8AfR zkFlQ#^Ouh*GOeofM}pXXR-#-yCeYXA`LE&0D8K!X0l3zMb6!gmHiDfm@nCw*-JNCH z{P^{H!?oMXIn2j-Zrr3XBn{V1*0eelT;?_YhphP+&?h(hM* z7(_v`1ho~Bfry8ZXfo*D@n?m_FMpT5e}cGy3-tn|h%9hEnhbLFjEd5q)0?tTd5*Yy z+@iFzZv8*NFTkgEzVzna<^hB68Jr6SPDL*3M@#JdIb!Eob&cP{WEB_zaet3}_U?%u zCL4=?srg=G_ErQ)5w{V~GoV`2g%Ub}bKUN(W|=nSqlz2lb(xe#RNSY2tj2)*ocwWm xpVxex*26%UQ9jQN92X%>T%h_qU!}zzzXG(ib32W2v)2Fs002ovPDHLkV1l28;nV;C literal 0 HcmV?d00001 
diff --git a/docs/official-docs/images/extensions/githound/reference/gh_environmentvariable.png b/docs/official-docs/images/extensions/githound/reference/gh_environmentvariable.png new file mode 100644 index 0000000000000000000000000000000000000000..bee0e8450034ab7af47f11a39ff9b29a9d01412e GIT binary patch literal 1009 zcmVY7I01KQ8I=7Xvz7$v;oX_M zS$D_XWSc(>%*Vt0|MNccywCsHLF3SXBrpu<(g9#fM;e#~@=d(k6FM*j{MY0$B?+vH z9Ujj#;1Y1wxsmAWVkjOarmO4?buDk&AxPQJp+!`5>ZRQV1-iw8;cb#35qp6`@m$ARH!MCIo92l()VowO1|@i4zV&QY@0!oa`446LU> zM=U+5@k34LJZqIX`QsC^mc8MAOb?P8KjdB;W`U9Oe>j)>0Mq%*>%idgWDj3`7HNtc zVB$`Oxy&n~5tX0Me9BNf%%cU1oMjX6`xxlm1;8Gyovc-M%5)cyRuK6(0dRVxw`p>~ zEjN+t-5g7N#MtNn01xK>*$^vnoB%WhI09mmX|&GkLG5g-c`l(daMGUi0H|CSCe+_m%5|^$x0``VFJOxbL$#{~l3oURXwd5HS@Vn^=DnJC-a{gtM>{ZX_Qkf4bUV+;I z1y}~&*+l+NNU2;<5H7~)Slfb*w!tQX&MNL;3Z@Nhhs|9jg6q}Po~TA|XF z<}$ChcK@vpqxFj|6dfB2IZ zxfOr~;1uu%YMW9M2qyY=GkI=*i%jWL<}$AU3W#*OrnK7ly#ek6-{h=v`=dpR{*N{G zXziOKH_QSje|mx;{`vyKdzf;J*I+UO41nn0qfHJbzoeGrdS9rJH#C^YBF-YlGeGq5 z;bafdh)TfU=2nX{nmu0@qgmCidIjM*H$ANCz-^izPH(ft;j|hWVi}$BT%(dA#1iLO fAJ1oK@QdF9`qxoc*w93B00000NkvXXu0mjf2%g}l literal 0 HcmV?d00001 
diff --git a/docs/official-docs/images/extensions/githound/reference/gh_externalidentity.png b/docs/official-docs/images/extensions/githound/reference/gh_externalidentity.png new file mode 100644 index 0000000000000000000000000000000000000000..0522f245b1b522c701133099811361bcd75ba6df GIT binary patch literal 1042 zcmV+t1nv8YP)KM)66XlaREs6k%DiLwcG7d5FDE-A!a2^6Kon~)0Iagb+9TQpKOdg`iO z%#8AEk3MWGIWRCEZ{9iYzK?ru2dzT|&HxD@C|v+M(zOEo29yuccS8h$Tfl#ZylzPX z>!PEq@Dm3 zcmRw6oF0#JZt{GMuo+CV$o;id9zD!BuO0(u-9)$v7_-UMzQ6z%FKGn&2U{ZE4?{1I zzL}y_Dq@qLwZ+sGpaRbTbvP78yPQN(x{gHdK!^(In<=)p@{Wj;NRfDBANd0yI2;O- zyz)6-ulHEw0A8<`Xe`dwW}Z^1=mRE!AAst90bc=$zQ6zHlxr~v~2phlWs8+=Z z;9p=Jz+-<80-pk0yrdmF>~2t$F0{)@=kc1&Srae|)@ncMf@=kV{y|QU$DPMnM}P`w z0OuypzcO+M5{Cw;9$*5jL#EYzejNDyz4QeJoW}_d*4fU;Xr$qf_g0o!T)5GcAhmFV zpI3ft*d`jQO+%s+doeVc`{lc7a@h<$Ekvkf7TMm+BSeL%Y0b5b#1-^70_t_{kSmIU zHj{L1BSV`>q9_WvY=-5#Y1cN2qBytRoxl*_I{)`pmdRzU^IQnQ{I_2=6(A#*&EQiM zE+nS*yq6*{<~i`!YepyV92hdq;(;h!NK8=`!k&UIKKl5xrsssA7g$`FLx>8|Sp2}~ zoi;W$JXkJDFQnkSm(e`P6m7(nEU1n$2Gn0!OlwCTY1bn)6hL0m z>mDp~kOsKFw))BiNE~UPyeAtzdYF;tr|mHGg6tD#;iVxdW7)HbKb}4z8jH8xkO)y> zabb?CwF9nW)en0d(PQAfst_j%&!5Q&qb>M;{%ijE`!9eEAc<|s+)U{X&>cDz=7X8` zn9@5-DYiEA057m|kE}AHb(5wY*^H1*$?|=)2?& z?xgF$yc>C|2m-e`d~tf4V-~0Tp<;#6DbH2xDZ&bInV04HIxUX)e*h9>0Czh)=>Px# M07*qoM6N<$f{%jPSpWb4 literal 0 HcmV?d00001 
diff --git a/docs/official-docs/images/extensions/githound/reference/gh_organization.png b/docs/official-docs/images/extensions/githound/reference/gh_organization.png new file mode 100644 index 0000000000000000000000000000000000000000..402f415250f7a1439ef2d148f70f5b83496511bd GIT binary patch literal 1137 zcmV-%1djWOP)skFge~ zM8r&h03?7AK>N8cp%3~r!dfVZ604si*t)r*zFGzPj6@g-2r1-(E9jwTatL>qw=UvJ zEVWnE73na%oA+_$SKwqwweMza_D(& z>Fp!uycTk)4Bz*DshR;G-K-enAg^{kxj1*1IU0&u-Phk`6 zbdJ8HeOE#cfV;~}`?;`M9pk_S3vxarfY(>v+gEDyr>Dp!w`=~HClX*__98c){OG_p zU$lchT}lh0#JAzkRMTYzdR3*>>b!IGB<`Rb9e2=6=jh3r!T?J7;y&BqbKwelRI}HL zytm_vc9>4$i3I4r8pRiV4uI~7LAtL->k?puXJcXY@oY27ey#qU5wgi`=Fdz~5ases zzIzLYPcZe@!{)Rfc&Fp?YXWLbnEj=^77C(7L6i*r+(9qh6N6>jprUl5oL1n3EWkYf zjy8eVy)iBCFHS^>-5WFXwK?s0dIH)oj6hjb$a>(b5iHdX&Bo9S{05vTh>~d(3Zg{( znF-Ba9-Cu%Z0^XUxl~4dT(ctIVzdQT4URSePb7e&t-b|l23=|HY65cW88d$kk;x$j zW-k(%9BN2_jw@|NzQZBT-EC;n!(cP6T~uy214{rq$u!m00f2NTi^XC=x|22asfB_l z>91@{O+XR(WD1q?MSQQ8cSM`h&Vz*w{`u=~0PZhruo++B{=!Dt=eV7hzkY+3)?@4> z(>U6MeREV|`NJPo0XKk~|NC*Q?gMGy3P56Hrt0x~RFv|2Bt~Xb^NPYrlg?)q7%b(B zo`=8wp+7Jl3w{{*ibop{0oH)GkW+7XDNO@TPfvipZ(@(-Qkocvt7l0bIo;Z((^TPK z1bzZy1##E@U~!YDUU-_8)?-H^&!sZVpP3?;%BtkOD4|zTtua{wo(E`;g$ccX$j0Q; z1Y6~LUsK5IYE1MZE+e;RfO4mcg>eTx*pAz^YRRQClpYnyt!LSauju!BkQdzNM&$Lv z4_xQ)&FOU-Y)&g7Acs+H&jpkeA%}REa(li+oqzlvKJIPR{!(~U00000NkvXXu0mjf D3oRE8 literal 0 HcmV?d00001 
diff --git a/docs/official-docs/images/extensions/githound/reference/gh_orgrole.png b/docs/official-docs/images/extensions/githound/reference/gh_orgrole.png new file mode 100644 index 0000000000000000000000000000000000000000..93a4fd8e43ff6f081721de7e1cf84a72524518e9 GIT binary patch literal 1152 zcmV-`1b_R9P)eB9LGOyixs+wlMv`)4q0(wL!rzB4D=wlds2kjg-U`{ zaDz${a_H`%(1XOaP+W@Oc2rYKgkOPg#A;dUlN`#mDx2GQc7(7I7mW z0b76qFfcw$GIQNh=!KeAA)C3&#>$!)Qh|6Q5{(EbrgEuAj`DH#6C%n*Uy2W-td^Kg zr1|Gr6;pZKB;!gz0-ger+~3RX+&n?)^s$r+)b%~46KRTt9YLZSnqFeTg`m z-)-<>cRvLD2jt%c3t~f$tZ-rmPxCC!$0dNsYB6A8(TZBMuykz)2wpyb3%6 zF4VM&?`#K9)2brL@WzEM-!23rAekrzFsc}8TGf~EdiDqFHx-*86`No?x9OPkLS476 zvThL&{%pp2w0nrTYq!|WZCZy>>F;GEHO6*sleufR80{Xif1%4>mM$%TQNyvF+j14C zX;sqkDQa2;05!h@I8L)QR?{lxT6c@CXRSgd7r@L)#lnuI;4re8B}bGi7JjF$@1quW zPzyWM^?iya0WczBHnZgNF%^5smJeX$XWv6z<~Qqg6*KHl0ZE!i9(% zUYAaBJGWpXv&Yn>tKw|THXD3E$eUEf}QYhcGD+gyy2=Fhk4vf~cYRAKkUwHHFw>;}THG-6$_d>a5 zU(>8H$pbRLVDeqYXFh1DFOU}-f;oZBOUEkSBgTK-n z?)|y%_r3S~{oe04#rQCQPl0)$6lnmBNLv9O0qsNlI}s&d8F+Qbwj2={i>ZV$1NZ^B zCOfi~JkztMQOz9bf=0Ta1K`zceAmOP+c?!a-Fn~V7lEINIgvO42JjG=0nn^6#zG|| z9ED!fp?!Z7x4I>}{sb-z6ERG{Oh9gAOoLP3%%YyjjYT{NuV&M_wZVSNB_O{Lh=~nqy_yk2)k3=rvJ07iD8|-biq=+(+lTZf8A4>A#ZR?H60Tf-Oc-tad$@g){ z@#qQs1bm$_4T?+g?sseWj`upz(nT`n@ays&kL@d~@;YuJj58EaLL5Es-no=` z=l^{5E4`*mx}ae!Q~+q--wgV6-e3MAcCA;l*}1wZKg&QvUcn*=YfmEId)A`YbO9(X zS!kAtW|DMP=lkF zbK(%;xC|HyFb5*YjPi5e^DklCyHANBODk)MxI%YC}Q?0+|c1iFZ52sp>9hcVyoK%1hgn;ql{Ba=SX){XF#7RH_ z{s!U0lY&Tbem*e)5f52WfOUYq&DKQh zpx1PwDcib&NDl6Sc-8)IL^$pd*Z>4ClUv=2T4;!*AQgvUYrL8r%@Y>^Qc@TqH<)|* zWCz_cnNm~XLef`Wmm?E{KF=1^P2017Q#6v*+^R z8-HBbzVe&A`=^K(xIHL9if8~Qv*+^Uzdxp=^v4aEsJuYDJ)sq*2Il_@{0@A%-*ivB z{9}jgho?xr^VX5by_(JL^)Ajz~B3heH;N& z#5F{D20+Hlp?_9JHFGG_YWS*oH5al~y7%JX%`-0^={baNX&sg%3`00006; z>p}WCzsR<1$6dZ4&`)~k`_+5D_j~UhpmAuxDWD&SNEg7mbln3Mfm{>c_C*Ak2L5aE znwA9C!~vgo8gLC577tS0ouqq1Bw{Mzt`5Ro9RTQtO}>D+m%lRxOj5%m zwFGFuBOnPd*msP}7v3)u)`MvknV4N;ZvMG=v<#f7CZd{vq)V>Fqbie^k|bimhKRk; 
z4V$6yB}{7zm;8(?rltT5cm`;x?oOshdkDVWwkL7{d$YvQ_!8OG4I$zVplj0N;Y2t{qd;Ew>M7E{?@_Due5-4Z-^fk|0ZA94gvoH8QAea z1jqF(Or2~x=BBm9z(^L;D(-rohy_`gI$2)phRxZFKa1sYU|n$+W8m!ey==IN*)>e7 zNIV+k?#&d_qdlmBHgv=0n;)L-5;WL%Of1L1@qh-r1X!B+xZzZj5lY_&VC}nfdDH%s zeZkQ965jn}T19$3dnlGi6yP*Chs<8cWyl#*D|^CS9mJ!mSe{mJ&UVthp_a(Kh(}e_ zKpXLBWk?76!s5375bk-Mh^ZBZGIS%)@U3NZ!>(x)O5Z0D3v&C5B#D^Hlkd}2?If;< zA_UZP|LE7cFZqs8n~B*qUmG=04o^@4-fcucGsqW8zVD?>ODcYb`vC>`3#d3m{!d7u zTv2ekn0*x>g(z1Rpd0yG_HP^#*Sdn!!|~wP7yBk)Zr&8P_Y~Z!lwIA}moS)CQEu5X z3Qk>~0etgU%H6u~vz0hzfLz1n*tE8|`juWc$JIa^lb4cJYeBVgEO$g>z_oDKVHT!N zwcLt%VQ-c=dvQ_phu2-cT^-Rfa4uii4*mYeOSxdY5u6|Xg+HGc09Js{fmh%hL;^XS z(rjl}Hy9YnVsHApyAjx%B?d;aV&mB^N4Y8WHh!;w2f(MMwbh>a?H@k+;0QZO-LMP7{`B(`@JkXmaGXeI2&jwyWqxygyyiTDLq6m5b)3h zrM~JO~vUh^~iRJk%)|=%q7hB9bjQcG-;^UE9O# zJDFW)bTs+Hz|K3*zW?Wap7;4`!aHQ38#n_bZ4ZEEd!~Rnz}UmyJ0c0(2magRbKj<* zE1GurCIdHs%VHs$3endUC8GpU5gI?HRY;u)H`J!0*9XRQvgp&fDHFCK_32^UxE16`_6LBL{t-|Lw zS9t!+qz3XQf_&zB z+dGp3$kAqIuD6j*h3YuOce@2{1D86K05jJPdnTXA7nxotu~yy!Afp8N_Ea1t;j5D~ zN>xr=eIeX2ig`IL1(KMi=jr$nPd?WRo1DG1f~r*|L&>G%=Xdu6{KpHeWK&`50J(I? zRaU@uk2D`<5BKHtLW%EsiU6=taa11|RNUa;I?<9G-dA`C|W z9_5R!SKv_5-6-rFU#u)QM5dyI0o{$(Z-ySS}sn*K2M2B67ngSN|5iU&O4yMxz2k2@Qzn z(jk8O{{1wi=WeZ#Us?xP!>m14Q`)%uIxqvA(+iuS$7-45ABH$6dk--?RINhq*s>_$ zYnUh3>@qtICbPgXFzffw9tV^0$yIy2*O}dm0z!$)nBy4$8707AcZ`e@Bp#Nms-|ic z)?U{}v$vD#82RjsIy zB9=0cj0_cpG?CIRVMv!sPL@s?j;&KeC1*m48nIla(37A;oy0NdVlbEtuixXfeP^FZ z`j<|+d)|-#^FGhL&qoizp#xWe95Ajt0K3X#0)GLeF7|GVaUc(zb@}8K1%1)eW=scu z0&Yq{+K4ba)rXOcFq#N4mIwi0*;NjlGc3D`S*Y;BK2i5s1McHv5kCcV;0Z7Zkj?b7 zlpAshJ7KSQ$^-L|%|bETQf$&90}72>F$f4<-i~j%wsr zMo1fx1`au{THqdVBb5x3U%3>R+$>ah^6ZGRQv<+AMwp+AGL~puUv_F-TYV+nv5xpT zT?NJwrswgkkw8A*D+<$EcGYuy<+~X3bI}HwWmmbj`dWTo26p9deGiz-X8QSNrg4!M z%FY?{KfmVXzbC$P3OmQdq8bxd&JUA_huABg%4>QFFg1if766uVLmkNhe);`?z2a$$ ze0HjzY-WI1-F;$StznMBu>j~AFbyKe1i9yB=Zww5yB7IqBE-gWoI8ud%ue;W^5(f? 
zi4dt|Sbk1xh}hn+s2!T3oQp%}%zZyl-nXsembtl1zxx`d9yGMg7x9*{M->8f9MlDtp8=;4>g_oVR>j;D@x)+agmeFxge8GYb`d z{OxVv`Ke??^|vQ9;2)r)-?}9iw?g+EQ-arX4N=9g-$sFM$+MXO9^d+;B^*mAx1x)fReP^8o*|u;+tO26&U2JfML5CmR(ir#5DkE?-HUmn0~r*L^d-(U!+GC4~*3- z;Mu7@KL0e#MNoEXT)+E9-hg$)zt>O^>4^VfLY8D76JM{slD>bA$iSs$1*8(YK>U9y zO5Y-Kk6V;BCx8m@2k`BFvDW`|=a?_9L`cMg<%wokc9rXQ-(cCNl6;za;FD^K<_*$WgM^+Wp$qv<)1v1%G);@`&1d{&{i(`%2>i&1C!zuG&Vu-t);>{bO%wZUh$0MzqTPn%V zTQT~<5EjJ}E9Lvaf|pByb1D>Fx@SN_Pex)cSJ%}e^pG+#l&kBJWGE>fA45bWtxq2# zF-vSb{)wh#0gyHfRw`>F@lV9Q1Vk2mmI3F5G~f%M4J13Z9VrVWI=0RG_CEkzOnx&G zZ_~8orxinVF?8&9B<8K!GXS&ImWAnA_UbRs%!NToSI09zu`1B&{KO;=R`2qv zzT*XBu8?P?vc{|W4i8rElAoB2B&!cQhUnqg+j$wt(6Mb6XNq)e8^9|PsUw7lCvxaM)o_J&P^u$dWnKNsG>Pn+^tgiERP#ea?fWq^`&rb(_ zs}!XeN$8TvUyjwC`cGldw@T*eNoYA%8M=CTb#x;#6FSfjK z&vCeZ<*JMguOacbWCwup{ZxTpf7=^LVHmDm{#Lf@7NP<>05N5a)1Tb=uf;zNAnhG&G%291-F!1=qpaLygBmJ7v2B z3VK~<4?7i8b~bL89z3+oWl&e4N8_a_Y?iT$LS*9Jbq)ij2PLn*#u*Z}!}C7ziSd0+ zY?m**kUW3h@ArLvf1cm(4D~|?J_l|ALFEBhSDqKZDlN&JMz!CWQFWOeMO zG{-}Pb5;Zd5l2to%z~@USH8N+K`u+X{}NrX`v7bvr|hu+;U9l>+*>d*td0-KzgK{D zX@WQiZ+9cNmKHh4WdZ0(%;AfU;){;blb8d9_ghPgj{7@8{rI9I@^2i359mM)sC<#* z7ufNAJ~Bv~5|VBH03F@osx?kfIAVaV0oOq!nUmtYZ0$JCwRk@~aScGbKY+&;3tVqS zYEo=rf;BOEy+$)3Pwh)6XQ@_ki>z>Hh+M=nT48yWHUMCdey4v{A`$ux5ui+N|wp$_>hdYnt}wx zwVVbb-hof)O+2rQtX}*+c2nAZ8F2&Wp}Ho_+Y_d>w8+}Tordzi6H1oJ+Qc16ZmQ$} zEl1Y>1Iz@(GfhMFfHfKS8la}k)gb|d)S&)N76$?#eM2#H3&SV z@#gd?@7SCkg^oBz*`DjzCPEx>p2PM$O`Tu-9}o9=+x5rtJOBUy07*qoM6N<$f)aw{ A9RL6T literal 0 HcmV?d00001 
diff --git a/docs/official-docs/images/extensions/githound/reference/gh_repository.png b/docs/official-docs/images/extensions/githound/reference/gh_repository.png new file mode 100644 index 0000000000000000000000000000000000000000..94aa31565571b9ec3b1e09f2201d35af7eee36e7 GIT binary patch literal 1022 zcmV-bvt>wwJ(Z?b6(BvZ-P(aV=Jba$C8Hle zfOjO{_wl`V@7~=ZJ``XdCOkm#`^zpAmCJ zJ2suBfpvN!rusl}k%&bCv`xK<-MiYOe$1u&^*tBsT?_x(i~Kf~QAuZWqF5CY z1ht*~K{*zAW>1@n>nz5O&Ds0TQX6{ZkkcQ(2Ph|))a$s#MkLba)_i>s<@hE@TxuvF zl~!X35F%~^NqjN^+y!FCKa>W zIZ@37!M=O~R69*$uFCD|!Ls`B`W4Gt$N*vqj)v#>o;%mjNC|ubxbe2*yt=f$MW9-7w>+HA sLLqRYIG!s^LPX$VmygGDlbC<}AGjBf2o93HVE_OC07*qoM6N<$f-7#LhYFkph5(;*0VJer7FYx}>iD)Te83d&Po3A4 zB(N$D*}PMM>%f?Jp!awg>^)9EYej2oL2Ew>fRW6Q&F^5C8KUu*teETacWwX?s?10= z0V=Qn1OY;NH{+L26$y8PnaUA<{ETS)rFgUioU0_Fl7L`=T=i=nA|rhSI$LWZE{BoK zFnV_pGrdKD{9HjyRRJpS3Q+YPFH={~;%;{AiCkdw%{HTV7KyK}2@zdLGoh4`F9`CP zYXkcx2XHq#n7KB9-s3Id5bqC5vA2LBzvkiL*hd^`I!q%m*sJmFPYJU5oetn{AO`PJ z;KQ1F<|i)JopUq2#mC_%n5kUJ^FU`S^Ai_~V*yRE_EQ`~iW^R&I~< z5zsuWMn0_=Cvo`{AwX+uu@x{GeQHZy6q?Ks{_dG=jLX?1Zruv-KCtin%gE-pZQn~} z9#rfC4+0ACJMf=P*+^qV5Y3grIr`cz7S`HO!8by1qQb-Zj i6mRgZJ&#f2AO8!&=uv|5m|8FZ0000{Qvof*_UV|lD1sNi20u~J=l0yY?eX>s_ zxu~Sa2I@mkz0^J@hxU+D$=9h4Jwzv4frhyDrAS~JRImS z^Vf9B1+H`9Z8C_o5U1l)!Jux}Vq;1{6Kf$THk1|9(abT}Ru2%d_b zGrlRnx4^QTaH*4wdHgtrRqW@77#JJ^K+kGaDrNMnMmiOzko(gpX9f74Q#^7S0R?yt z%m8?Nv-kt^HHGbPe3T~{kC90wLlT% zTl8A{-b*<^ueFbfsQ?Gs9;Kpw4wwfX1Ajxk2fhQoQkZ^Cz4!yy z>gFmZWj5As%k5Z21ZRza8{v9B{p{b-H)$_XB!=@V;bh)jPfc?BV_e+eZUM^i(1Yl=7%7M0Ldacb?OYsX9U>q>L{}Pw3 zEaGsgIGk#Yh*=msFk|Ux<^KQ+@CRTjg^bwQj-ux@^qj`dcC@3ldRCK{}5v zT;z2oiEk#W1YAH?<%4KqBfX&^D4!}RG_XJaySK{9(ouU9BMm!GeJJQ_;H=` z%1N1LPww(oWWXvS_UbAk1rZO^F4aqT=}S|Vn#KCsZMpX^5I1n4k$@zz4_t7mUV;lZ z|D&SxK8GSj|3ch7EsIhRg<=f2UMl9#y?K?wIWkVaeXuL#dRF7vle-jhnp8fAFtCQR z8k0?68bpp?3|#A|VEH}%)R^yeZZ|_fl2}HxXMhMs&(tgqr;5$iU(1$SYnIc<>?Y82 zno-UwqT=qlS#<*s>AX38$a^-YjZhG7lLi)I#e`oj6dh>VhFz zG!XEje<1&$&aSJ{E(oVL zeUFs(g@KuK@63DdIdi_oa1Rr>0IUHq%2fGwASt)u9T;aVpQK 
zlV7YW(^CNx_#H5fNSNg1RW#i@61l{Q?U3Evrc!t+l{k%J2~QjOJxQLrdg-Of0W{r9 z>gpwoNVtVVu8%8wKLOT!!5QB8a1D>9xgsd;XDK}Vg+CtsN->k=Me&eVr>8oUpH7^i z^xFY7=kGbd0d}D2f*8W|q(8di%I8kynC#~FRIO6i_4vwpUVl5?BCA>@9)I<%d^`>0 zr3F3%(!o@c*WOAEB(K>HdtZOYi$9Ng?m5amLDRiVhUXfx3BM1!d@RFs3fS@>{IL!Y zSy~)O4v_otK6d%ILq45|6Iw_%%%8h^AE(l~PvKYxOb@UOBFVUk^P25o?PojWx)C6G zd6l!PD@-Ti4SD-s-3;Ih&dA4Q4ui-AuYTk*yN~os?(2dECedEm#H9SBRaGmF$TispI z3r1wVL#9|D?de$UgW`UcgYCPn_xnS$s=vF!13Uo+`fXTp5f$%uT~m_Ro`&dRqE6+w zryGVP4=p5#zjt2sbqi|E|D-GxxKOo97|~9D4I)phu3$vN*rMdhqSF_O1@aoAhg<*a zAV>I}H(inIMu6Z#5+gd_Aaol=^1F3xY1FGyrSKHH-0B7^)0y!Ayk@|4+HQwZ3jlUJ zi00rHK;gk|-FpeCc=zzJU6Mk2w~zf&GCE(mnZ%g XvGR|!Z&}%)00000NkvXXu0mjfveFB* literal 0 HcmV?d00001 
diff --git a/docs/official-docs/images/extensions/githound/reference/gh_team.png b/docs/official-docs/images/extensions/githound/reference/gh_team.png new file mode 100644 index 0000000000000000000000000000000000000000..cc8c3c439920802317b6ff99eefcd682400115d2 GIT binary patch literal 1122 zcmV-o1fBbdP)ZF=!iC7{`BB4JuTTuf+y|0zSK1+(qXl?jS08C>Uyp(qyP7 z-{7$nb?ad88N5d+83Q>jO$NKw;D9<=4qluk=cQVd_*`r_kfCSghTfD8@9uJv?o=uE z9}aZyy?g(^zVChC`@RWAhXfRXG9ZT@05kN|fkVI^WACAmfv3RxF`uU)fw7nvGA99B zK*b+WvPBB>WpXnLnY2tME%tAB3>?>{-7#piblR6E;e9mV5iu5t6CeQxfC8|xu#UQ< z1%&?xt81bkYcyIlf5-rqqeMgrP&{%eH=XB~Z*_7r%1FfhXm<=Y_sdxC&hW^WJu$HY zB;XW~lx&fm)jFx9^ikwK9M@)Zzl?El=!=*mWQnkV!0bx4NcDd6TEzXR?3H{GJ?=<^ z)@Xo|o6fVdTE9_pfSuJknOn0UTpS#1-vTni^gLO69qV)Bq8WUmWQ${qXm<=Yo-O*X zbAUPNy=Wj#dlb3j+HAhKhjHEv#xiM{>h}jDM+QJ{Mqy=P-H#3pP$v++{|Df?dK$Um zV`s{gZ`z{}Ue zl1=88964T?zdM@JK7_dBK)|rWB+~F~&sZus#e+o=P0H=kz&EMnRIKojTc#!uHy6#H z-VasnxHiT`lXk}-la?vWmwWuXYgE}as#x7Kax;0N1tnXIy+_)e;BcNyBC42J z0qu@K<@e>_#0O-5=^VYO^W!%USy@ood{M?YKMdAn(lR^W{SlkkJlF|OKv-4J!hZ7p z`NuDR#_F1=OIpvI)iq`+BG+ zfF_8nW_8V;g;AoS;Ah0#^q{%L1@-|}*9@0z%>?3Jt^w%B+DL@`@P&_3IfXcCfE~UK z*Bh-G50px2eE5w6$F-^KE&JqGVRC>^ z`quvoG=Meho%!jjzyIW`%-4MJS>~h2{UqjH%RadoUNfvQX##l=2T5Jp8nZFk4##_s z*+&uJi>M&lGr+IuRC3b_spM1;EuuBMqJ8PLX1!T;8>mK+j|v&k8NWHzxn^_P4+&vL ozde`mT!b*O&4>29$%y~>Kd3OqIL;xF)&Kwi07*qoM6N<$g6Cf#B>(^b literal 0 HcmV?d00001 
diff --git a/docs/official-docs/images/extensions/githound/reference/gh_teamrole.png b/docs/official-docs/images/extensions/githound/reference/gh_teamrole.png new file mode 100644 index 0000000000000000000000000000000000000000..facdd141b455104f84d3b1b8991d761b205ae7b0 GIT binary patch literal 1080 zcmV-81jqY{P)`Me4F*RmR z0k(jwIS`K|NG+rZt1*IeA%b&a|5m#}f1uN9H#j;e(rRDG`xJoZI9SAqfC5y37{JQn zeKyw$mO?jlx*B`s0!Jq$bEpBNMv)jrAZ936!fKRXek>AJW1bWbqt$MZ+ey>ue#B6o zGRQa*P=Gd|#3KoIA5{qWm1`+C(I4pKcGA?FrzQy%$r3UF%k1$;f>%#!H&Q%|Og?Fn zu({(4Y0Xn09af|KzV(*dx2DH#*lIU8es{?G4`?HJ6+AQ8$etqBgqh)yE~DrX*uA+hp1xc zbTv=HM<+$=HLydHmub)w7EAF~%ba)|azX&ni5A z@sOnr)ze-EG#{ddvraJzovubEpR%k}Z`J_Y*KCaquN?)+QWYOYR;o8o9fkJF1zVJ> zH&5vgbn4Ah>3_|d?+zRT%&I5j)TilWsbRsefNQ~=8W{n zEAPdAXg>G2Q#Y{I{ATqEH;FH$q#ze2)tdYs5CO-8j z^anbbe9Bbbla+(LCIt8wcnf^r>1xw|pC9v8_-ogC&k3z|!%*Ikm22{vag9k0h=NG7 zn`>JWHYVHheYct23jvcv7SWyoBI~UzJ|L{d2>55Lye?X^p46JzZqhcQ=DfB)LqL(q yo6{mUY)*%vAk1jC=L&|45GK~SY|m?WJn{d_d$&hgkVjAe0000ZKWH0Q9LGPps6hr{KN}Ci3iymQba1OH#1Kk}L(U~CCKUM;1ipeG9o{|ZBW>cHrhNi-|)xbTM}`N)cEv=sR4PANhV61`xyuM#fL$kN|2rDUU6PS=5`7T)1ks)n1~oP*A`RiXFtu(J&8CwSm-R?GJo#lJhOAt?`!yd)SmE~5*O(1i zbc}S8^#IQdL+slc0B25hqZ;%>95@7Kt)??lwQ~zh7qgRz$nwf_zEu(B{6snB>K z#^QZZWuJ6dE!EZQrfajWCltu0(8=!@(J>91C+`xGUcmiCpnogqnXOl~_m&zpEDVpIhEDL4!#R z$bu}h8zT-Tn^nsj?|p8MLO_vNM~-KJOtse*QyA$a6Nz}YuA7ZEEvGk{4Mfr=vgbVW zu&M)PMjuYgyytK_2!V8?8qWpp6(L=0(;LrgMEuA90g5$yq&=1Bp#T5?07*qoM6N<$ Ef@_1~a{vGU literal 0 HcmV?d00001 
diff --git a/docs/official-docs/images/extensions/githound/reference/gh_workflow.png b/docs/official-docs/images/extensions/githound/reference/gh_workflow.png new file mode 100644 index 0000000000000000000000000000000000000000..b318aad0136672d0f55954e3b0dfcc8b17c68d09 GIT binary patch literal 1244 zcmV<21S9*2P)ZKTI2E7{-4lRH8(}SIMb5fVrrP3sO1AQcFgLC9uT|My)#F z2qSgkpE{HwaC9L<1B5lMu!nZQL);Cf7=_4F+e4L!H_kRog{$5n0jWB)!~Nkn+h9W; z=_G%5pTFn%-tT?i?|nTq4gm-Q5kPc20IK830K0(J#M)Ov1U7;HntV1L0_(za#Ww+1 z0%olj;b4Hs$N*BWAFx9F$0Iy|%}x^cy@L52^GUz_3Vi zZK^497nf)Y5RDMIgrQ)7naPI;-gcH(Gh}mbZ6^fSKPaP?D~Me_lza)X(}&=_-Z>o( z>}>(Mfx3BqefewT`7vfDAKLH2!2sTlb~ODI^{B#nVu${bC(Oz}0fyr$`BKgG3=7zi zCbia`<$`8L!9+Afa%~E=TtPcIL+bV0R!ODzC?5TVa!^9kPkEV`Au?L+TTXZ|iiqx7 zA?SwN%Y6(z}D%T2dI;xT{F(?0QkHf(L zv1o{7dXL>)!3^taa=5T2ptYC+t~|3^5IcQLIKt5#qPw{QkLMF;dUXPGaH)69A78%v z=U-yugAEI4Yx{u6=mWC30>z^W`pG#Sj}fY>asQ*_ONa$mKM2{o&g?>43J!#s+pu594Sm60P{9X zrT0+s#fAk)y?$P$7dXs4Bb#2ZcU|wMRPseg} zf^KryMd=;a{CB`M@RfR0Y1`TTgD(a?<&%$v8<8vdBE#cPt+=_}&uM=R2n8hd{0mJKK&e!LwY+P9jLFQT8E+x3Ght1e@l z`Hh=Z5lGT}bDHFq&8Zs#h8eB)T);dc3=?ZywC7nG-0}ZW%GQgfL9p`x0000Ze`r%z6vsc&VuZNYD6LVFU`+>G><_a!EGdXO5@Xo2@Me(Q8NRRWW}_MEP^JsW7$93 zA1^O`$;*qa?hEgaci(;IeDAsEe9yfamJdC!8*l+NvIk&R_V|El;L!?fmqiV54)}M4 z&p8=ERcOk5(*ym$VQIiIl{Kwaao` zj8r7Xm7W0}&;3cx`Q98ERRVh8cR+8nH?Z&Ar)VqJJ(Y6_+4KTedIp#e-jPUbMHUG; zfqdAF_6FJ~zI-Of#kkb=kwl_kJ66l)d;z$s>MXd&s1pF zu>N^-+4;3Cc7F3s^G{}R6OaX_U?~DMh@ofy3YDYLEQU?0Npn{1*MivFAzR^neeEOY64T!*dKh3(xp z3KBV!NaESqExoQ^1?&M)WQyzjYR^eRLt`s;E|Cunjd8W-WWl&#Hc(Y(kzV(#LezFF zEp~;GT>}R(*&A2vT!P8o$gY8dig8(0}8?RX<5m1xaOd^S3HsBoTqx*&jtJ{HA&?)9=1sztmgYFw1oFjb*W`m+q3!wBQ!joPbjO~fnYX>$vNsHJn91wldacDijowIASG02XpC(gPIl&u$_-}{Nv`*w;qJxB<(SMvgLsJ8Qe1*^!$qA9 zfZEn(jP?cq=7V>L`DgOqw1N&xi(R#Y$^_|_22m1sw_O^<)U2NI^01c@BFV9QJJc{Y zbDN3wV*t~u5p}>;RcB%I4y%IckM9jKAH2h+9WPSb+DyaSuc6zxfrt0z@jtEcsu{Tt;31c z?ZB9eRNNl~z|tye$o$N0qTWD39+>Qnv`q{a*gfxfUy|cDpDe{C!ftAA#MbM|i&xwq zBz)G#+{_YLwe2XDVyPQ?fCE;y1LsH|#gK?ZF9yiWm9A|Gg2{mGpjfh{@?i4AVJV@% 
z1G=BC9S@Bwh=_U6iM7M2`fsUrEI$z)2l@rGf&G)GpLi6D`-9x|ihKQ1uPdJyYRIM+ zxZpe_spE;9KgE%33fOLJZlwLvV6ly7f-LcFAy(d_VgeG0S)kI`+{nIfKly(SrSF_% zUQEz5;&$f`rK^kP{|#IN_CHP}*WRD{g-tKNps3^JA{B`-@z%%E%F~D|pOw!kcQKg) zwgXr@oHX@yuIyqmJWg~;4+_G*90C%F!-&^2KJ5;J#N>8PAf7p&`m$Pss1qx_oO*c1%V{z6h+&kj=X!Emgc#ySEM3p1SmuiV14bwl UMj$mb=>Px#07*qoM6N<$f)lxqU;qFB literal 0 HcmV?d00001 
diff --git a/docs/official-docs/images/extensions/githound/reference/gh_workflowstep.png b/docs/official-docs/images/extensions/githound/reference/gh_workflowstep.png new file mode 100644 index 0000000000000000000000000000000000000000..536e94bd2f487fb56bb183f8b24fdaed58beea28 GIT binary patch literal 1174 zcmV;H1Zn$;P)Sw!n*9sO>;py2NszP;gLAn{+m*Dz00}{YRAYgd_YL;ge*aY+rY`2vFumJqi;j>^N z=qO!n)_gz~$e4;~JVD=Jicna=e?EY}TiDksDhGy+R#jPFE3jQHTkYHhW^nL`69FHv z0Vn{;p)_OT*(TtB$=+^_`PoU<9~4ZL3Jl0d$OtG6a9=PS;m%hJgnE=?0Us5uqB4=W z#GlWf(EuN4kZ~m71O5Pf(RhOC+zOsEzSjab#i;8{WG?aa$)-u-0v1nL2{hdvjVJi_ z`;8L;AC>E$511rc!eJ$l18xSx5$@+V9CyCATVq=*vt3as34_Gq34%Qe!BE68PmH?G z)#0caj!8svHVFg}uBY%r$uZ{3OF8m$Qy6vm5%-+&F*=@Q7l7Iu zmfb7Kp){9=ui4ofI=8PUS^4ohUcG!FH4gCVLr)bpcP}rV$+f`MXaLJ)GnTdONJmRDnhE8t!mbLN;eO+g}s@gnj!3wxc0{-)@ z9|35sH60K;w}JzBJU%iL_oSYX+i3pR>jK^dr139p6>Yj;SZM*bk_bw?D6?TX=8DU< z`ag>ccm_z5CDz+-)9q+w48xumhM}{g+1)L(p;emwsO&;aG3-6J69^q1mqVbs&dfKr zTSyp2LnldCnT>cYv|+tW6KX6Q!*prLCf4Z*Ur7*4LWHb=3tF0iHhDl;*+6l?>5% zLJH7M`UX;rT*=tCQpkj;#a9T_Ef44p3MwwI4{TDq6MNEHbg)enR00!LZVHAW4tJ%rM&q z5)f^<2t=G(=}F}3Cs8x@Wkd(oK@=iW^v1$|X{*SM(Lu-T?nI2b&W+JQ6MWwaew2WX z#1~_O)~eO9Xcd+8NX!hC4IJ8EOo~7R;N#S1j9&Y)ql-y?Zi9i@?Z+WtlE@&g zXMpHp$)Pl%9)-8u-sWl1Dk^^;?4wmw)*lp(dTkOhbG~*w1HdAkUrrY};pOzG_z-S1 oujf7*AwsxV=kR)7 + +## Edge Schema + +Traversable: ❌ + +| Start | Kind | End | +|-------|-----------|-------| +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_AddAssignee | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | + +```mermaid +flowchart LR + GH_RepoRole["fa:fa-user-tie"]:::bhNode + GH_Repository["fa:fa-box-archive"]:::bhNode + GH_RepoRole -- GH_AddAssignee --> GH_Repository +``` + +## General Information + +The non-traversable [GH_AddAssignee](/opengraph/extensions/githound/reference/edges/gh_addassignee) edge represents a role's ability to assign users to issues and pull requests. 
This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addcollaborator.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addcollaborator.mdx
new file mode 100644
index 0000000..4860d39
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addcollaborator.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_AddCollaborator'
+description: '[Organization] Org role can add outside collaborators'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | GH_AddCollaborator | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) |
+
+```mermaid
+flowchart LR
+ GH_OrgRole["fa:fa-user-tie"]:::bhNode
+ GH_Organization["fa:fa-building"]:::bhNode
+ GH_OrgRole -- GH_AddCollaborator --> GH_Organization
+```
+
+## General Information
+
+The non-traversable [GH_AddCollaborator](/opengraph/extensions/githound/reference/edges/gh_addcollaborator) edge represents that a role has the ability to add outside collaborators to organization repositories. This permission is typically restricted to Owners, as it grants repository access to external users who are not members of the organization. Outside collaborators bypass organizational membership controls, making this permission significant for security because it can be used to grant access to untrusted external identities without the visibility that full membership provides.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addlabel.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addlabel.mdx
new file mode 100644
index 0000000..7f16956
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addlabel.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_AddLabel'
+description: '[Repository] Repo role can add labels to issues and pull requests'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_AddLabel | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_AddLabel --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_AddLabel](/opengraph/extensions/githound/reference/edges/gh_addlabel) edge represents a role's ability to add labels to issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addmember.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addmember.mdx
new file mode 100644
index 0000000..43b066c
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addmember.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_AddMember'
+description: 'Team role can add members to the team (maintainer privilege)'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ✅
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_TeamRole](/opengraph/extensions/githound/reference/nodes/gh_teamrole) | GH_AddMember | [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) |
+
+```mermaid
+flowchart LR
+ GH_TeamRole["fa:fa-user-tie"]:::bhNode
+ GH_Team["fa:fa-user-group"]:::bhNode
+ GH_TeamRole -- GH_AddMember --> GH_Team
+```
+
+## General Information
+
+The traversable [GH_AddMember](/opengraph/extensions/githound/reference/edges/gh_addmember) edge indicates that a team role with the Maintainer permission level can add new members to the team. It is created by `Git-HoundTeam` when enumerating team membership roles. This edge is traversable because the ability to add members grants indirect access -- a maintainer can add any user to the team, and that user then inherits all of the team's repository permissions, effectively expanding the attack surface.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_adminto.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_adminto.mdx
new file mode 100644
index 0000000..e732b04
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_adminto.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_AdminTo'
+description: '[Repository] Repo role has admin access to the repository.'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_AdminTo](/opengraph/extensions/githound/reference/edges/gh_adminto) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_AdminTo --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_AdminTo](/opengraph/extensions/githound/reference/edges/gh_adminto) edge represents a role's full administrative access to the repository. Admin is the highest built-in repository role and grants control over all repository settings, including dangerous operations like deleting the repository or modifying its visibility. Admin access bypasses most protections including branch protection rules, unless `enforce_admins` is explicitly enabled on the branch protection rule. This edge is a key permission in the computed branch access model and is a high-value target in attack path analysis.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection.mdx
new file mode 100644
index 0000000..b1f7adc
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_BypassBranchProtection'
+description: '[Repository] Repo role can bypass merge-gate branch protections (PR reviews, lock branch). Suppressed by enforce_admins.'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_BypassBranchProtection | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_BypassBranchProtection --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_BypassBranchProtection](/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection) edge represents a role's ability to bypass branch protection rules on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Bypassing branch protection allows merging pull requests without satisfying required review or status check requirements, effectively circumventing the merge gate. This bypass is suppressed when `enforce_admins` is enabled on the branch protection rule, which forces even admins to comply with the protection policy.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_bypasspullrequestallowances.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_bypasspullrequestallowances.mdx
new file mode 100644
index 0000000..56921b8
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_bypasspullrequestallowances.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_BypassPullRequestAllowances'
+description: 'User or team can bypass pull request requirements on a branch protection rule'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_BypassPullRequestAllowances | [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) |
+
+```mermaid
+flowchart LR
+ GH_User["fa:fa-user"]:::bhNode
+ GH_BranchProtectionRule["fa:fa-shield"]:::bhNode
+ GH_User -- GH_BypassPullRequestAllowances --> GH_BranchProtectionRule
+```
+
+## General Information
+
+The non-traversable [GH_BypassPullRequestAllowances](/opengraph/extensions/githound/reference/edges/gh_bypasspullrequestallowances) edge represents a per-actor allowance that bypasses the pull request review requirement on a branch protection rule. Created by `Git-HoundBranch` when collecting BPR bypass allowances, this edge identifies specific users or teams that can merge code without going through the normal PR review process. This is a significant security concern because these actors can push or merge changes directly, circumventing code review controls that protect branch integrity. Note that this bypass is suppressed when `enforce_admins` is enabled on the branch protection rule, meaning even listed actors must follow the PR review requirement.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_callsworkflow.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_callsworkflow.mdx
new file mode 100644
index 0000000..e2d0fc7
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_callsworkflow.mdx
@@ -0,0 +1,21 @@
+---
+title: 'GH_CallsWorkflow'
+description: '[Workflow] Job calls a reusable workflow — GH_WorkflowJob → GH_Workflow'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ✅
+
+## General Information
+
+The traversable [GH_CallsWorkflow](/opengraph/extensions/githound/reference/edges/gh_callsworkflow) edge links a workflow job to a reusable workflow it invokes via the `uses:` key at the job level. Created by `Parse-GitHoundWorkflow`, this edge captures the reusable workflow call graph, enabling analysts to trace inherited permissions and secret access through called workflows.
+
+### Local vs. remote reusable workflows
+
+- **Local** (`./. github/workflows/_ci.yml`): the destination is matched by `name` against workflows in the same repository.
+- **Remote** (`org/repo/.github/workflows/file.yml@ref`): the destination is matched by the full reference string. If the called workflow has not been collected, the edge destination will not resolve.
+
+The `reusable_ref` property on the edge always contains the raw `uses:` value from the workflow file.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canaccess.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canaccess.mdx
new file mode 100644
index 0000000..bbce6e4
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canaccess.mdx
@@ -0,0 +1,31 @@
+---
+title: 'GH_CanAccess'
+description: 'Personal access token or app installation can access this repository or organization'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) | GH_CanAccess | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) |
+| [GH_AppInstallation](/opengraph/extensions/githound/reference/nodes/gh_appinstallation) | GH_CanAccess | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+| [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) | GH_CanAccess | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_PersonalAccessToken["fa:fa-key"]:::bhNode
+ GH_Organization["fa:fa-building"]:::bhNode
+ GH_AppInstallation["fa:fa-plug"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_PersonalAccessToken -- GH_CanAccess --> GH_Organization
+ GH_AppInstallation -- GH_CanAccess --> GH_Repository
+ GH_PersonalAccessToken -- GH_CanAccess --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_CanAccess](/opengraph/extensions/githound/reference/edges/gh_canaccess) edge indicates that a personal access token or app installation has been granted access to specific repositories. It is created by `Git-HoundPersonalAccessToken` and `Git-HoundPersonalAccessTokenRequest` for PATs, and by `Git-HoundAppInstallation` for app installations. This edge represents the scope of access granted to a token or app rather than a direct attack path, providing visibility into which repositories are reachable through non-human credentials. It is non-traversable because token and app access does not transitively extend to other principals.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canassumeidentity.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canassumeidentity.mdx
new file mode 100644
index 0000000..a2b8c8b
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canassumeidentity.mdx
@@ -0,0 +1,14 @@
+---
+title: 'GH_CanAssumeIdentity'
+description: 'Repository can assume this cloud identity via OIDC federation (Azure workload identity or AWS IAM role)'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ✅
+
+## General Information
+
+The traversable [GH_CanAssumeIdentity](/opengraph/extensions/githound/reference/edges/gh_canassumeidentity) edge is a hybrid edge connecting GitHub OIDC token sources to cloud identity targets configured for GitHub Actions federation. Created by the collector when matching GitHub OIDC subject claims to cloud workload identity federation configurations, this edge represents a verified path from GitHub Actions to cloud resource access. It is traversable because an attacker who can execute workflows in the source repository, branch, or environment can obtain an OIDC token that the cloud provider will accept, granting access to the associated cloud identity and its permissions. This edge is critical for identifying cross-cloud lateral movement paths from GitHub into Azure and AWS.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_cancreatebranch.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_cancreatebranch.mdx
new file mode 100644
index 0000000..f9d1efd
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_cancreatebranch.mdx
@@ -0,0 +1,76 @@
+---
+title: 'GH_CanCreateBranch'
+description: '[Repository - Computed] Role can create new branches in this repository (unprotected branches that bypass the merge gate)'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ✅
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_CanCreateBranch | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_CanCreateBranch --> GH_Repository
+```
+
+## General Information
+
+The traversable [GH_CanCreateBranch](/opengraph/extensions/githound/reference/edges/gh_cancreatebranch) edge is a computed edge indicating that a role or actor can create new branches in a repository. Created by `Compute-GitHoundBranchAccess` with no additional API calls, the computation evaluates whether a wildcard (`*`) BPR with push restrictions and `blocks_creations` exists. If no such BPR exists, any write-capable role can create branches. If one exists, admin or `push_protected_branch` permission is required, or the actor must be listed in pushAllowances. Per-actor edges from [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) or [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) are only emitted when BPR allowances grant branch creation access beyond what the role provides. Each edge includes a `reason` property and a `query_composition` Cypher query showing the underlying graph evidence.
+
+## Scenarios
+
+### `no_protection` — No wildcard BPR blocking creations
+
+No wildcard (`*`) BPR with `blocks_creations` exists. Any write-capable role can create new branches.
+
+```mermaid
+graph LR
+ role("GH_RepoRole write") -->|GH_WriteRepoContents| repo("GH_Repository")
+ role ==>|GH_CanCreateBranch| repo
+```
+
+### `admin` — Admin bypasses wildcard BPR
+
+A wildcard BPR with `push_restrictions` and `blocks_creations` prevents branch creation. The admin role bypasses this restriction.
+
+```mermaid
+graph LR
+ role("GH_RepoRole admin") -->|GH_AdminTo| repo("GH_Repository")
+ repo -->|GH_HasBranch| branch("GH_Branch main")
+ bpr("GH_BranchProtectionRule\npattern=*\npush_restrictions\nblocks_creations") -->|GH_ProtectedBy| branch
+ role ==>|GH_CanCreateBranch| repo
+```
+
+### `push_protected_branch` — Push-protected role bypasses wildcard BPR
+
+A wildcard BPR blocks creations. The [GH_PushProtectedBranch](/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch) permission bypasses the push gate regardless of `enforce_admins`.
+
+```mermaid
+graph LR
+ role("GH_RepoRole maintain") -->|GH_WriteRepoContents| repo("GH_Repository")
+ role -->|GH_PushProtectedBranch| repo
+ repo -->|GH_HasBranch| branch("GH_Branch main")
+ bpr("GH_BranchProtectionRule\npattern=*\npush_restrictions\nblocks_creations") -->|GH_ProtectedBy| branch
+ role ==>|GH_CanCreateBranch| repo
+```
+
+### `push_allowance` — Per-actor push restriction bypass
+
+User or Team listed in the wildcard BPR's `pushAllowances` can create branches. This is a per-actor delta edge — only emitted when the actor's role doesn't already grant [GH_CanCreateBranch](/opengraph/extensions/githound/reference/edges/gh_cancreatebranch).
+
+```mermaid
+graph LR
+ user("GH_User alice") -->|GH_HasRole| role("GH_RepoRole write")
+ role -->|GH_WriteRepoContents| repo("GH_Repository")
+ repo -->|GH_HasBranch| branch("GH_Branch main")
+ bpr("GH_BranchProtectionRule\npattern=*\npush_restrictions\nblocks_creations") -->|GH_ProtectedBy| branch
+ user -->|GH_RestrictionsCanPush| bpr
+ user ==>|GH_CanCreateBranch| repo
+```
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_caneditprotection.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_caneditprotection.mdx
new file mode 100644
index 0000000..21485d0
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_caneditprotection.mdx
@@ -0,0 +1,51 @@
+---
+title: 'GH_CanEditProtection'
+description: '[Repository - Computed] Repo role can modify or remove the branch protection rules governing this branch (computed from GH_EditRepoProtections + GH_ProtectedBy)'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ✅
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_CanEditProtection | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Branch["fa:fa-code-branch"]:::bhNode
+ GH_RepoRole -- GH_CanEditProtection --> GH_Branch
+```
+
+## General Information
+
+The traversable [GH_CanEditProtection](/opengraph/extensions/githound/reference/edges/gh_caneditprotection) edge is a computed edge indicating that a role can modify or remove the branch protection rules governing a specific branch. Created by `Compute-GitHoundBranchAccess` with no additional API calls, this edge is emitted when the role has [GH_EditRepoProtections](/opengraph/extensions/githound/reference/edges/gh_editrepoprotections) or [GH_AdminTo](/opengraph/extensions/githound/reference/edges/gh_adminto) permissions and the branch is covered by at least one branch protection rule. The edge targets the protected branch (not the BPR itself) because the security impact is evaluated per-branch — a role that can weaken or remove protections on a branch can subsequently push code to it, representing a privilege escalation path.
+
+## Scenarios
+
+### `admin` — Admin can edit protections
+
+The admin role has [GH_AdminTo](/opengraph/extensions/githound/reference/edges/gh_adminto) which implicitly grants the ability to modify or remove any branch protection rule.
+
+```mermaid
+graph LR
+ role("GH_RepoRole admin") -->|GH_AdminTo| repo("GH_Repository")
+ repo -->|GH_HasBranch| branch("GH_Branch main")
+ bpr("GH_BranchProtectionRule") -->|GH_ProtectedBy| branch
+ role ==>|GH_CanEditProtection| branch
+```
+
+### `edit_repo_protections` — Explicit edit permission
+
+A custom or standard role with the [GH_EditRepoProtections](/opengraph/extensions/githound/reference/edges/gh_editrepoprotections) permission can modify or remove branch protection rules.
+
+```mermaid
+graph LR
+ role("GH_RepoRole custom") -->|GH_EditRepoProtections| repo("GH_Repository")
+ repo -->|GH_HasBranch| branch("GH_Branch main")
+ bpr("GH_BranchProtectionRule") -->|GH_ProtectedBy| branch
+ role ==>|GH_CanEditProtection| branch
+```
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canpwnrequest.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canpwnrequest.mdx
new file mode 100644
index 0000000..7f63860
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canpwnrequest.mdx
@@ -0,0 +1,70 @@
+---
+title: 'GH_CanPwnRequest'
+description: '[Computed] Repo role can exploit a pwn-requestable workflow to execute arbitrary code with the target''s secrets and permissions — GH_RepoRole → GH_Repository / GH_Branch'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ✅
+
+## General Information
+
+The traversable [GH_CanPwnRequest](/opengraph/extensions/githound/reference/edges/gh_canpwnrequest) edge indicates that a repository role can exploit a pwn-requestable workflow to execute arbitrary code with the base branch's secrets, GITHUB_TOKEN permissions, and OIDC identity. Created by `Get-PwnRequestEdges`, this is a computed edge that combines workflow analysis with repository access and fork policy evaluation.
+
+### Pwn Request Conditions
+
+A workflow is considered pwn-requestable (`is_pwn_requestable = true`) when **all** of the following are true:
+
+1. **`pull_request_target` trigger**: The workflow is triggered by `pull_request_target`, which runs in the context of the base branch (not the fork) and has access to the base branch's secrets and permissions.
+2. **Attacker-controlled checkout**: A step uses `actions/checkout` with a `ref` parameter pointing to the pull request head, meaning attacker-supplied code from the fork replaces the trusted repository contents. Detected ref patterns:
+ - `${{ github.event.pull_request.head.sha }}`
+ - `${{ github.event.pull_request.head.ref }}`
+ - `${{ github.head_ref }}`
+
+### Edge Drawing Conditions
+
+An edge is drawn from a [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) to the repository (and its branches) when:
+
+1. **Read access**: The role has a [GH_ReadRepoContents](/opengraph/extensions/githound/reference/edges/gh_readrepocontents) edge to the repository (read access is the minimum required to fork).
+2. **Forkability**: The repository can be forked by the role holder:
+ - **Public repos**: Always forkable by anyone on GitHub.
+ - **Private/internal repos**: Requires both the organization setting `members_can_fork_private_repositories = true` AND the repository setting `allow_forking = true`.
+3. **Pwn-requestable workflow**: The repository has at least one workflow with `is_pwn_requestable = true`.
+
+### Branch Targeting
+
+- If the `pull_request_target` trigger has a `branches:` filter (e.g., `branches: [main]`), edges are drawn only to matching branches and the repository.
+- If unconstrained, edges are drawn to the repository and all of its branches.
+
+### Attack Impact
+
+An attacker who exploits a pwn request gains code execution in the workflow runner with access to:
+
+- **Repository secrets** scoped to the base branch
+- **Organization secrets** accessible by the repository
+- **GITHUB_TOKEN** with the workflow's declared permissions (often `write`)
+- **OIDC tokens** if `id-token: write` is set, enabling cloud identity assumption via [GH_CanAssumeIdentity](/opengraph/extensions/githound/reference/edges/gh_canassumeidentity)
+- **Environment secrets** if the workflow job targets a deployment environment
+
+### Caveats
+
+- **OIDC traversal requires `id-token: write`**: The attack chain from [GH_CanPwnRequest](/opengraph/extensions/githound/reference/edges/gh_canpwnrequest) through [GH_CanAssumeIdentity](/opengraph/extensions/githound/reference/edges/gh_canassumeidentity) to a cloud role is only valid if the pwn-requestable workflow (or job) explicitly declares `id-token: write` in its `permissions:` block. The `id-token` permission defaults to `none` and is never implicitly granted — even when the workflow has no `permissions:` block at all. The `permissions` property on the [GH_WorkflowJob](/opengraph/extensions/githound/reference/nodes/gh_workflowjob) node can be inspected to verify this.
+- **GITHUB_TOKEN permissions**: The `permissions:` block controls what the `GITHUB_TOKEN` can do (e.g., push commits, create releases), but has no effect on secret access, OIDC token requests (governed separately by `id-token`), or arbitrary code execution. A workflow with `contents: read` is still fully exploitable via pwn request for secret exfiltration and lateral movement — only write-back to the repository is limited.
+
+```mermaid
+graph LR
+ role("GH_RepoRole repo-read")
+ repo("GH_Repository private-app")
+ branch("GH_Branch main")
+ wf("GH_Workflow vulnerable-ci.yml")
+ secret("GH_RepoSecret DEPLOY_KEY")
+ cloud("AWSRole deploy-prod")
+
+ role -- GH_CanPwnRequest --> repo
+ role -- GH_CanPwnRequest --> branch
+ repo -.- |GH_HasWorkflow| wf
+ repo -.- |GH_Contains| secret
+ branch -- GH_CanAssumeIdentity --> cloud
+```
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canreadsecretscanningalert.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canreadsecretscanningalert.mdx
new file mode 100644
index 0000000..0e30b75
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canreadsecretscanningalert.mdx
@@ -0,0 +1,42 @@
+---
+title: 'GH_CanReadSecretScanningAlert'
+description: '[Computed] Role can read secret scanning alerts (computed from GH_ViewSecretScanningAlerts permission + GH_Contains)'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ✅
+
+## General Information
+
+The traversable [GH_CanReadSecretScanningAlert](/opengraph/extensions/githound/reference/edges/gh_canreadsecretscanningalert) edge is a computed edge indicating that a role can read a specific secret scanning alert, including the leaked secret value. Created by `Compute-GitHoundSecretScanningAccess` with no additional API calls, the computation cross-references [GH_ViewSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts) permission edges with [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) structural edges (org-level and repo-level) to determine which alerts each role can access. This edge is traversable because reading an alert reveals the leaked secret — if the secret is a valid GitHub Personal Access Token, the [GH_ValidToken](/opengraph/extensions/githound/reference/edges/gh_validtoken) edge enables identity compromise of the token's owner.
+
+Each edge includes a `reason` property (`org_role_permission` or `repo_role_permission`) and a `query_composition` Cypher query showing the underlying graph evidence.
+
+## Scenarios
+
+### `org_role_permission` — Org role views alerts via organization
+
+An org role with [GH_ViewSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts) to the organization can read all secret scanning alerts across the entire org. The computation follows [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) edges from the organization to each alert.
+
+```mermaid
+graph LR
+ role("GH_OrgRole security_manager") -->|GH_ViewSecretScanningAlerts| org("GH_Organization")
+ org -->|GH_Contains| alert("GH_SecretScanningAlert #42")
+ role ==>|GH_CanReadSecretScanningAlert| alert
+ alert -.->|GH_ValidToken| user("GH_User jdoe")
+```
+
+### `repo_role_permission` — Repo role views alerts via repository
+
+A repo role with [GH_ViewSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts) to the repository can read secret scanning alerts in that specific repo. The computation follows [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) edges from the repository to each alert.
+
+```mermaid
+graph LR
+ role("GH_RepoRole admin") -->|GH_ViewSecretScanningAlerts| repo("GH_Repository")
+ repo -->|GH_Contains| alert("GH_SecretScanningAlert #17")
+ role ==>|GH_CanReadSecretScanningAlert| alert
+ alert -.->|GH_ValidToken| user("GH_User jdoe")
+```
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canwritebranch.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canwritebranch.mdx
new file mode 100644
index 0000000..77bab32
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canwritebranch.mdx
@@ -0,0 +1,110 @@
+---
+title: 'GH_CanWriteBranch'
+description: '[Repository - Computed] Role can push to this branch after evaluating branch protection rules, push restrictions, and bypass allowances'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ✅
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_CanWriteBranch | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) |
+| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_CanWriteBranch | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) |
+| [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | GH_CanWriteBranch | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Branch["fa:fa-code-branch"]:::bhNode
+ GH_User["fa:fa-user"]:::bhNode
+ GH_Team["fa:fa-user-group"]:::bhNode
+ GH_RepoRole -- GH_CanWriteBranch --> GH_Branch
+ GH_User -- GH_CanWriteBranch --> GH_Branch
+ GH_Team -- GH_CanWriteBranch --> GH_Branch
+```
+
+## General Information
+
+The traversable [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) edge is a computed edge indicating that a role or actor can push to a specific branch. Created by `Compute-GitHoundBranchAccess` with no additional API calls, the computation evaluates both the merge gate (PR review requirements) and push gate (push restrictions) of any branch protection rule protecting the branch. Role-level edges are the common case; per-actor edges from [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) or [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) are only emitted when BPR allowances grant access beyond what the role provides.
Each edge includes a `reason` property (`no_protection`, `admin`, `push_protected_branch`, `bypass_branch_protection`, `push_allowance`, `bypass_pr_allowance`) and a `query_composition` Cypher query showing the underlying graph evidence.
+
+## Scenarios
+
+### `no_protection` — Unprotected branch
+
+Branch has no BPR. Any write-capable role can push directly.
+
+```mermaid
+graph LR
+ role("GH_RepoRole write") -->|GH_WriteRepoContents| repo("GH_Repository")
+ repo -->|GH_HasBranch| branch("GH_Branch develop")
+ role ==>|GH_CanWriteBranch| branch
+```
+
+### `admin` — Admin bypasses both gates
+
+BPR blocks both the merge gate (PR reviews) and push gate (push_restrictions). The admin role bypasses both gates. Requires `enforce_admins=false`; when `enforce_admins=true`, admin cannot bypass the merge gate.
+
+```mermaid
+graph LR
+ role("GH_RepoRole admin") -->|GH_AdminTo| repo("GH_Repository")
+ repo -->|GH_HasBranch| branch("GH_Branch main")
+ bpr("GH_BranchProtectionRule\nrequired_pull_request_reviews\npush_restrictions\nenforce_admins=false") -->|GH_ProtectedBy| branch
+ role ==>|GH_CanWriteBranch| branch
+```
+
+### `push_protected_branch` — Push gate bypass
+
+Push gate blocked by `push_restrictions` (no merge gate block). The [GH_PushProtectedBranch](/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch) permission bypasses the push gate regardless of `enforce_admins`.
+
+```mermaid
+graph LR
+ role("GH_RepoRole maintain") -->|GH_WriteRepoContents| repo("GH_Repository")
+ role -->|GH_PushProtectedBranch| repo
+ repo -->|GH_HasBranch| branch("GH_Branch main")
+ bpr("GH_BranchProtectionRule\npush_restrictions") -->|GH_ProtectedBy| branch
+ role ==>|GH_CanWriteBranch| branch
+```
+
+### `bypass_branch_protection` — Merge gate bypass
+
+Merge gate blocked by PR reviews. The [GH_BypassBranchProtection](/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection) permission bypasses the merge gate.
Requires `enforce_admins=false`; suppressed when `enforce_admins=true`.
+
+```mermaid
+graph LR
+ role("GH_RepoRole custom") -->|GH_WriteRepoContents| repo("GH_Repository")
+ role -->|GH_BypassBranchProtection| repo
+ repo -->|GH_HasBranch| branch("GH_Branch main")
+ bpr("GH_BranchProtectionRule\nrequired_pull_request_reviews\nenforce_admins=false") -->|GH_ProtectedBy| branch
+ role ==>|GH_CanWriteBranch| branch
+```
+
+### `push_allowance` — Per-actor push restriction bypass
+
+User or Team listed in the BPR's `pushAllowances` bypasses the push gate. This is a per-actor delta edge — only emitted when the actor's role-level access doesn't already cover the branch.
+
+```mermaid
+graph LR
+ user("GH_User alice") -->|GH_HasRole| role("GH_RepoRole write")
+ role -->|GH_WriteRepoContents| repo("GH_Repository")
+ repo -->|GH_HasBranch| branch("GH_Branch main")
+ bpr("GH_BranchProtectionRule\npush_restrictions") -->|GH_ProtectedBy| branch
+ user -->|GH_RestrictionsCanPush| bpr
+ user ==>|GH_CanWriteBranch| branch
+```
+
+### `bypass_pr_allowance` — Per-actor PR review bypass
+
+User or Team listed in the BPR's `bypassPullRequestAllowances` bypasses the merge gate (PR reviews only, not `lock_branch`). Requires `enforce_admins=false`. This is a per-actor delta edge — only emitted when the actor's role-level access doesn't already cover the branch.
+
+```mermaid
+graph LR
+ user("GH_User alice") -->|GH_HasRole| role("GH_RepoRole write")
+ role -->|GH_WriteRepoContents| repo("GH_Repository")
+ repo -->|GH_HasBranch| branch("GH_Branch main")
+ bpr("GH_BranchProtectionRule\nrequired_pull_request_reviews\nenforce_admins=false") -->|GH_ProtectedBy| branch
+ user -->|GH_BypassPullRequestAllowances| bpr
+ user ==>|GH_CanWriteBranch| branch
+```
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closediscussion.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closediscussion.mdx
new file mode 100644
index 0000000..8be7000
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closediscussion.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_CloseDiscussion'
+description: '[Repository] Repo role can close discussions'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_CloseDiscussion | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_CloseDiscussion --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_CloseDiscussion](/opengraph/extensions/githound/reference/edges/gh_closediscussion) edge represents a role's ability to close discussions, preventing further replies. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closeissue.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closeissue.mdx
new file mode 100644
index 0000000..0e4e339
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closeissue.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_CloseIssue'
+description: '[Repository] Repo role can close issues'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_CloseIssue | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_CloseIssue --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_CloseIssue](/opengraph/extensions/githound/reference/edges/gh_closeissue) edge represents a role's ability to close issues. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closepullrequest.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closepullrequest.mdx
new file mode 100644
index 0000000..5dc75bd
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closepullrequest.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_ClosePullRequest'
+description: '[Repository] Repo role can close pull requests'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_ClosePullRequest](/opengraph/extensions/githound/reference/edges/gh_closepullrequest) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_ClosePullRequest --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_ClosePullRequest](/opengraph/extensions/githound/reference/edges/gh_closepullrequest) edge represents a role's ability to close pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_contains.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_contains.mdx
new file mode 100644
index 0000000..a8e66ef
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_contains.mdx
@@ -0,0 +1,60 @@
+---
+title: 'GH_Contains'
+description: 'Container relationship for organizational hierarchy (enterprise contains orgs, org contains secrets/variables, repo contains secrets/variables, environment contains secrets/variables)'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_Contains | [GH_RepoSecret](/opengraph/extensions/githound/reference/nodes/gh_reposecret) |
+| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_Contains | [GH_RepoVariable](/opengraph/extensions/githound/reference/nodes/gh_repovariable) |
+| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_Contains | [GH_OrgVariable](/opengraph/extensions/githound/reference/nodes/gh_orgvariable) |
+| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_Contains | [GH_SecretScanningAlert](/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert) |
+| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_Contains | [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) |
+| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_Contains | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) |
+| [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) | GH_Contains | [GH_EnvironmentVariable](/opengraph/extensions/githound/reference/nodes/gh_environmentvariable) |
+| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_Contains | [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) |
+| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_Contains | [GH_AppInstallation](/opengraph/extensions/githound/reference/nodes/gh_appinstallation) |
+| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_Contains | [GH_OrgSecret](/opengraph/extensions/githound/reference/nodes/gh_orgsecret) |
+| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_Contains | [GH_PersonalAccessTokenRequest](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstokenrequest) |
+| [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) | GH_Contains | [GH_EnvironmentSecret](/opengraph/extensions/githound/reference/nodes/gh_environmentsecret) |
+
+```mermaid
+flowchart LR
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoSecret["fa:fa-lock"]:::bhNode
+ GH_RepoVariable["fa:fa-lock-open"]:::bhNode
+ GH_Organization["fa:fa-building"]:::bhNode
+ GH_OrgVariable["fa:fa-lock-open"]:::bhNode
+ GH_SecretScanningAlert["fa:fa-key"]:::bhNode
+ GH_PersonalAccessToken["fa:fa-key"]:::bhNode
+ GH_OrgRole["fa:fa-user-tie"]:::bhNode
+ GH_Environment["fa:fa-leaf"]:::bhNode
+ GH_EnvironmentVariable["fa:fa-lock-open"]:::bhNode
+ GH_BranchProtectionRule["fa:fa-shield"]:::bhNode
+ GH_AppInstallation["fa:fa-plug"]:::bhNode
+ GH_OrgSecret["fa:fa-lock"]:::bhNode
+ GH_PersonalAccessTokenRequest["fa:fa-key"]:::bhNode
+ GH_EnvironmentSecret["fa:fa-lock"]:::bhNode
+ GH_Repository -- GH_Contains --> GH_RepoSecret
+ GH_Repository -- GH_Contains --> GH_RepoVariable
+ GH_Organization -- GH_Contains --> GH_OrgVariable
+ GH_Organization -- GH_Contains --> GH_SecretScanningAlert
+ GH_Organization -- GH_Contains --> GH_PersonalAccessToken
+ GH_Organization -- GH_Contains --> GH_OrgRole
+ GH_Environment -- GH_Contains --> GH_EnvironmentVariable
+ GH_Repository -- GH_Contains --> GH_BranchProtectionRule
+ GH_Organization -- GH_Contains --> GH_AppInstallation
+ GH_Organization -- GH_Contains --> GH_OrgSecret
+ GH_Organization -- GH_Contains --> GH_PersonalAccessTokenRequest
+ GH_Environment -- GH_Contains --> GH_EnvironmentSecret
+```
+
+## General Information
+
+The non-traversable [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) edge represents structural containment within the GitHub resource hierarchy. The organization serves as the top-level container for users, teams, repositories, roles, secrets, app installations, and personal access tokens. Repositories contain their own repo-level secrets, and environments contain environment-scoped secrets. This edge is created by the collector to establish the organizational hierarchy of GitHub resources and is not traversable because containment alone does not imply privilege escalation.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_convertissuestodiscussions.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_convertissuestodiscussions.mdx
new file mode 100644
index 0000000..0544337
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_convertissuestodiscussions.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_ConvertIssuesToDiscussions'
+description: '[Repository] Repo role can convert issues to discussions'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ConvertIssuesToDiscussions | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_ConvertIssuesToDiscussions --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_ConvertIssuesToDiscussions](/opengraph/extensions/githound/reference/edges/gh_convertissuestodiscussions) edge represents a role's ability to convert issues to discussions, moving them from the issue tracker to the discussions forum. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_creatediscussioncategory.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_creatediscussioncategory.mdx
new file mode 100644
index 0000000..f62b1f7
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_creatediscussioncategory.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_CreateDiscussionCategory'
+description: '[Repository] Repo role can create discussion categories'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_CreateDiscussionCategory | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_CreateDiscussionCategory --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_CreateDiscussionCategory](/opengraph/extensions/githound/reference/edges/gh_creatediscussioncategory) edge represents a role's ability to create new discussion categories. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createrepository.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createrepository.mdx
new file mode 100644
index 0000000..f00952b
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createrepository.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_CreateRepository'
+description: '[Organization] Org role can create repositories in the organization'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | GH_CreateRepository | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) |
+
+```mermaid
+flowchart LR
+ GH_OrgRole["fa:fa-user-tie"]:::bhNode
+ GH_Organization["fa:fa-building"]:::bhNode
+ GH_OrgRole -- GH_CreateRepository --> GH_Organization
+```
+
+## General Information
+
+The non-traversable [GH_CreateRepository](/opengraph/extensions/githound/reference/edges/gh_createrepository) edge represents that a role has the ability to create new repositories within the organization. This permission is available to Owners and custom organization roles that have been granted the repository creation permission. Creating repositories can introduce new attack surface to an organization, as each new repository is a potential vector for code execution through GitHub Actions workflows, secret exposure, and supply chain attacks.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createsolomergequeueentry.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createsolomergequeueentry.mdx
new file mode 100644
index 0000000..a0c92b8
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createsolomergequeueentry.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_CreateSoloMergeQueueEntry'
+description: 'Repo role can create solo merge queue entries'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_CreateSoloMergeQueueEntry | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_CreateSoloMergeQueueEntry --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_CreateSoloMergeQueueEntry](/opengraph/extensions/githound/reference/edges/gh_createsolomergequeueentry) edge represents a role's ability to create solo merge queue entries, effectively bypassing the merge queue by merging independently of other queued changes. This permission is available to Admin roles and custom roles that have been granted this specific permission. Solo merge queue entries skip the batching and ordering guarantees of the merge queue, allowing changes to land without waiting for or being tested alongside other pending merges. This can circumvent the integration testing benefits that merge queues provide.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createtag.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createtag.mdx
new file mode 100644
index 0000000..0870763
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createtag.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_CreateTag'
+description: '[Repository] Repo role can create tags and releases'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_CreateTag | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_CreateTag --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_CreateTag](/opengraph/extensions/githound/reference/edges/gh_createtag) edge represents a role's ability to create tags and releases. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission. Creating tags can trigger CI/CD workflows and publish release artifacts.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createteam.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createteam.mdx
new file mode 100644
index 0000000..7d55564
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createteam.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_CreateTeam'
+description: '[Organization] Org role can create teams in the organization'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | GH_CreateTeam | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) |
+
+```mermaid
+flowchart LR
+ GH_OrgRole["fa:fa-user-tie"]:::bhNode
+ GH_Organization["fa:fa-building"]:::bhNode
+ GH_OrgRole -- GH_CreateTeam --> GH_Organization
+```
+
+## General Information
+
+The non-traversable [GH_CreateTeam](/opengraph/extensions/githound/reference/edges/gh_createteam) edge represents that a role has the ability to create teams within the organization. Teams are the primary mechanism for granting groups of users access to repositories, so team creation is a stepping stone to broader access. This edge is created by the collector when enumerating organization role permissions, and its security significance lies in the fact that a newly created team can be granted repository access and then populated with controlled accounts.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletealertscodescanning.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletealertscodescanning.mdx
new file mode 100644
index 0000000..a749d1a
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletealertscodescanning.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_DeleteAlertsCodeScanning'
+description: '[Repository] Repo role can delete code scanning alerts'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_DeleteAlertsCodeScanning | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_DeleteAlertsCodeScanning --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_DeleteAlertsCodeScanning](/opengraph/extensions/githound/reference/edges/gh_deletealertscodescanning) edge represents a role's ability to delete code scanning alerts from the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Deleting code scanning alerts can obscure security vulnerabilities that have been detected in the codebase, which is significant from an audit and compliance perspective. An attacker with this permission could suppress evidence of vulnerabilities they have introduced.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletediscussion.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletediscussion.mdx
new file mode 100644
index 0000000..0013ea3
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletediscussion.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_DeleteDiscussion'
+description: '[Repository] Repo role can delete discussions'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_DeleteDiscussion | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_DeleteDiscussion --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_DeleteDiscussion](/opengraph/extensions/githound/reference/edges/gh_deletediscussion) edge represents a role's ability to delete discussions. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletediscussioncomment.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletediscussioncomment.mdx
new file mode 100644
index 0000000..cfdef69
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletediscussioncomment.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_DeleteDiscussionComment'
+description: '[Repository] Repo role can delete discussion comments'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_DeleteDiscussionComment | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_DeleteDiscussionComment --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_DeleteDiscussionComment](/opengraph/extensions/githound/reference/edges/gh_deletediscussioncomment) edge represents a role's ability to delete discussion comments authored by any user. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deleteissue.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deleteissue.mdx
new file mode 100644
index 0000000..93553ce
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deleteissue.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_DeleteIssue'
+description: '[Repository] Repo role can delete issues'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_DeleteIssue | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_DeleteIssue --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_DeleteIssue](/opengraph/extensions/githound/reference/edges/gh_deleteissue) edge represents a role's ability to delete issues permanently. Deleted issues cannot be recovered. This permission is available to Admin roles and custom roles that have been granted this specific permission. Deleting issues can destroy audit trails and remove evidence of security discussions or vulnerability reports.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletetag.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletetag.mdx
new file mode 100644
index 0000000..ad55719
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletetag.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_DeleteTag'
+description: '[Repository] Repo role can delete tags and releases'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_DeleteTag | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_DeleteTag --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_DeleteTag](/opengraph/extensions/githound/reference/edges/gh_deletetag) edge represents a role's ability to delete tags and releases. This permission is available to Admin roles and custom roles that have been granted this specific permission. Deleting tags can break downstream dependency references and remove published artifacts.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_dependson.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_dependson.mdx
new file mode 100644
index 0000000..19a3a10
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_dependson.mdx
@@ -0,0 +1,14 @@
+---
+title: 'GH_DependsOn'
+description: '[Workflow] Job must run after another job (needs: dependency) — ordering only, not an access path'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+## General Information
+
+The non-traversable [GH_DependsOn](/opengraph/extensions/githound/reference/edges/gh_dependson) edge represents a `needs:` dependency between two jobs in the same workflow. Created by `Parse-GitHoundWorkflow`, this edge captures execution order constraints — the source job will not start until the destination job completes successfully. This edge is non-traversable because it represents sequencing only, not an access or privilege path.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deploysto.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deploysto.mdx
new file mode 100644
index 0000000..58eff72
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deploysto.mdx
@@ -0,0 +1,14 @@
+---
+title: 'GH_DeploysTo'
+description: '[Workflow] Job deploys to a GitHub Environment — GH_WorkflowJob → GH_Environment'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+## General Information
+
+The non-traversable [GH_DeploysTo](/opengraph/extensions/githound/reference/edges/gh_deploysto) edge links a workflow job to the GitHub Environment it targets via the `environment:` key. Created by `Parse-GitHoundWorkflow`, this edge records which jobs deploy to which environments. Environments can gate deployments with protection rules (required reviewers, wait timers, deployment branch policies) and can expose environment-scoped secrets.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editcategoryondiscussion.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editcategoryondiscussion.mdx
new file mode 100644
index 0000000..2d0d543
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editcategoryondiscussion.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_EditCategoryOnDiscussion'
+description: '[Repository] Repo role can change the category of a discussion'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_EditCategoryOnDiscussion | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_EditCategoryOnDiscussion --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_EditCategoryOnDiscussion](/opengraph/extensions/githound/reference/edges/gh_editcategoryondiscussion) edge represents a role's ability to change the category of a discussion, moving it between categories. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editdiscussioncategory.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editdiscussioncategory.mdx
new file mode 100644
index 0000000..5ebdbd9
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editdiscussioncategory.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_EditDiscussionCategory'
+description: '[Repository] Repo role can edit discussion categories'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_EditDiscussionCategory | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_EditDiscussionCategory --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_EditDiscussionCategory](/opengraph/extensions/githound/reference/edges/gh_editdiscussioncategory) edge represents a role's ability to edit discussion categories to reorganize discussion classification. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editdiscussioncomment.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editdiscussioncomment.mdx
new file mode 100644
index 0000000..aef36cd
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editdiscussioncomment.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_EditDiscussionComment'
+description: '[Repository] Repo role can edit discussion comments'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_EditDiscussionComment | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_EditDiscussionComment --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_EditDiscussionComment](/opengraph/extensions/githound/reference/edges/gh_editdiscussioncomment) edge represents a role's ability to edit discussion comments authored by any user. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepoannouncementbanners.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepoannouncementbanners.mdx
new file mode 100644
index 0000000..5f3019a
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepoannouncementbanners.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_EditRepoAnnouncementBanners'
+description: '[Repository] Repo role can edit repository announcement banners'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_EditRepoAnnouncementBanners](/opengraph/extensions/githound/reference/edges/gh_editrepoannouncementbanners) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_EditRepoAnnouncementBanners --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_EditRepoAnnouncementBanners](/opengraph/extensions/githound/reference/edges/gh_editrepoannouncementbanners) edge represents a role's ability to edit repository announcement banners displayed to visitors. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepocustompropertiesvalues.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepocustompropertiesvalues.mdx
new file mode 100644
index 0000000..72c9773
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepocustompropertiesvalues.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_EditRepoCustomPropertiesValues'
+description: '[Repository] Repo role can edit custom property values on the repository'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_EditRepoCustomPropertiesValues | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_EditRepoCustomPropertiesValues --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_EditRepoCustomPropertiesValues](/opengraph/extensions/githound/reference/edges/gh_editrepocustompropertiesvalues) edge represents a role's ability to edit custom property values on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Custom properties are organization-defined metadata fields on repositories that can be used for classification, compliance tagging, or policy enforcement via rulesets. Modifying custom property values could alter which organization-level rulesets apply to the repository, potentially bypassing security controls that are scoped by property-based targeting.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepometadata.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepometadata.mdx
new file mode 100644
index 0000000..0fc7686
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepometadata.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_EditRepoMetadata'
+description: '[Repository] Repo role can edit repository metadata'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_EditRepoMetadata | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_EditRepoMetadata --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_EditRepoMetadata](/opengraph/extensions/githound/reference/edges/gh_editrepometadata) edge represents a role's ability to edit repository metadata including description, homepage URL, and visibility settings. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepoprotections.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepoprotections.mdx
new file mode 100644
index 0000000..a1d7f82
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepoprotections.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_EditRepoProtections'
+description: 'Repo role can edit branch protection rules'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_EditRepoProtections](/opengraph/extensions/githound/reference/edges/gh_editrepoprotections) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_EditRepoProtections --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_EditRepoProtections](/opengraph/extensions/githound/reference/edges/gh_editrepoprotections) edge represents a role's ability to edit or remove branch protection rules on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Modifying a branch protection rule is an indirect bypass -- removing or weakening protections opens the branch to direct push or unreviewed merges, making this a high-severity permission from a security perspective. Attack paths that include this edge can escalate to full branch write access by first disabling protections.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasbaserole.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasbaserole.mdx
new file mode 100644
index 0000000..05a335a
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasbaserole.mdx
@@ -0,0 +1,27 @@
+---
+title: 'GH_HasBaseRole'
+description: 'Role inherits permissions from another role'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ✅
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_HasBaseRole](/opengraph/extensions/githound/reference/edges/gh_hasbaserole) | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_HasBaseRole](/opengraph/extensions/githound/reference/edges/gh_hasbaserole) | [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) |
+
+```mermaid
+flowchart LR
+ GH_OrgRole["fa:fa-user-tie"]:::bhNode
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_OrgRole -- GH_HasBaseRole --> GH_OrgRole
+ GH_RepoRole -- GH_HasBaseRole --> GH_RepoRole
+```
+
+## General Information
+
+The traversable [GH_HasBaseRole](/opengraph/extensions/githound/reference/edges/gh_hasbaserole) edge represents role inheritance within the GitHub permission hierarchy. Org roles inherit down to all-repo roles (e.g., Owners inherits to all_repo_admin), and custom roles inherit from their base roles (e.g., a custom_role inherits from write). It is created by `Git-HoundOrganization` (for org-to-repo role inheritance) and `Git-HoundRepository` (for repo-level role inheritance). This edge is traversable because it extends permissions through the role hierarchy, meaning a principal with a higher-level role implicitly holds all inherited lower-level roles.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasbranch.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasbranch.mdx
new file mode 100644
index 0000000..3d2f357
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasbranch.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_HasBranch'
+description: 'Repository has this branch'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_HasBranch | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) |
+
+```mermaid
+flowchart LR
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_Branch["fa:fa-code-branch"]:::bhNode
+ GH_Repository -- GH_HasBranch --> GH_Branch
+```
+
+## General Information
+
+The non-traversable [GH_HasBranch](/opengraph/extensions/githound/reference/edges/gh_hasbranch) edge represents the relationship between a repository and its branches. Created by `Git-HoundBranch`, this edge links each collected branch to its parent repository. It is a structural edge that provides the foundation for understanding branch-level protections and access controls. While not traversable itself, it connects repositories to branches where traversable edges like [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) and [GH_CanEditProtection](/opengraph/extensions/githound/reference/edges/gh_caneditprotection) model the effective access.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasenvironment.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasenvironment.mdx
new file mode 100644
index 0000000..d840881
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasenvironment.mdx
@@ -0,0 +1,28 @@
+---
+title: 'GH_HasEnvironment'
+description: 'Repository or branch has/can deploy to this environment'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | GH_HasEnvironment | [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) |
+| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_HasEnvironment | [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) |
+
+```mermaid
+flowchart LR
+ GH_Branch["fa:fa-code-branch"]:::bhNode
+ GH_Environment["fa:fa-leaf"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_Branch -- GH_HasEnvironment --> GH_Environment
+ GH_Repository -- GH_HasEnvironment --> GH_Environment
+```
+
+## General Information
+
+The non-traversable [GH_HasEnvironment](/opengraph/extensions/githound/reference/edges/gh_hasenvironment) edge represents the relationship between a repository or branch and its deployment environments. Created by `Git-HoundEnvironment`, this edge links environments to the repositories that define them and to the branches that are allowed to deploy to them (via deployment branch policies). Environments are security-relevant because they can gate access to secrets and cloud credentials, and their deployment branch policies control which branches can trigger deployments.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasexternalidentity.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasexternalidentity.mdx
new file mode 100644
index 0000000..7a78ed2
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasexternalidentity.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_HasExternalIdentity'
+description: 'SAML identity provider has this external identity'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_SamlIdentityProvider](/opengraph/extensions/githound/reference/nodes/gh_samlidentityprovider) | GH_HasExternalIdentity | [GH_ExternalIdentity](/opengraph/extensions/githound/reference/nodes/gh_externalidentity) |
+
+```mermaid
+flowchart LR
+ GH_SamlIdentityProvider["fa:fa-id-badge"]:::bhNode
+ GH_ExternalIdentity["fa:fa-arrows-left-right"]:::bhNode
+ GH_SamlIdentityProvider -- GH_HasExternalIdentity --> GH_ExternalIdentity
+```
+
+## General Information
+
+The non-traversable [GH_HasExternalIdentity](/opengraph/extensions/githound/reference/edges/gh_hasexternalidentity) edge represents the relationship between a SAML identity provider and the external identities (SSO users) it manages. Created by `Git-HoundGraphQlSamlProvider`, this edge links each external identity to the SAML provider that authenticated it. External identities are a key component in cross-platform attack path analysis because they bridge the gap between corporate identity providers and GitHub user accounts via the [GH_MapsToUser](/opengraph/extensions/githound/reference/edges/gh_mapstouser) edge. Enumerating external identities reveals which corporate users have linked GitHub accounts and enables mapping from IdP compromise to GitHub access.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasjob.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasjob.mdx
new file mode 100644
index 0000000..ab4c2fa
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasjob.mdx
@@ -0,0 +1,14 @@
+---
+title: 'GH_HasJob'
+description: '[Workflow] Workflow contains this job — GH_Workflow → GH_WorkflowJob'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ✅
+
+## General Information
+
+The traversable [GH_HasJob](/opengraph/extensions/githound/reference/edges/gh_hasjob) edge links a workflow to each of its jobs. Created by `Parse-GitHoundWorkflow`, this edge is the primary structural link for walking from a workflow definition into its execution units. Because jobs can declare environments and permissions, traversing this edge enables analysts to reason about what a workflow can do and where it can deploy.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstoken.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstoken.mdx
new file mode 100644
index 0000000..cd3cfd8
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstoken.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_HasPersonalAccessToken'
+description: 'User owns this personal access token that has been granted access to the organization'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_HasPersonalAccessToken | [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) |
+
+```mermaid
+flowchart LR
+ GH_User["fa:fa-user"]:::bhNode
+ GH_PersonalAccessToken["fa:fa-key"]:::bhNode
+ GH_User -- GH_HasPersonalAccessToken --> GH_PersonalAccessToken
+```
+
+## General Information
+
+The non-traversable [GH_HasPersonalAccessToken](/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstoken) edge represents the relationship between a user and their fine-grained personal access tokens that have been granted access to the organization. Created by `Git-HoundPersonalAccessToken`, this edge links each approved token back to the user who created it. Fine-grained personal access tokens are security-significant because they provide programmatic access to organization resources with specific scoped permissions. Tracking token ownership is essential for understanding which users have standing API access and for identifying tokens that may need revocation.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstokenrequest.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstokenrequest.mdx
new file mode 100644
index 0000000..6f70c14
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstokenrequest.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_HasPersonalAccessTokenRequest'
+description: 'User has a pending personal access token request for the organization'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_HasPersonalAccessTokenRequest | [GH_PersonalAccessTokenRequest](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstokenrequest) |
+
+```mermaid
+flowchart LR
+ GH_User["fa:fa-user"]:::bhNode
+ GH_PersonalAccessTokenRequest["fa:fa-key"]:::bhNode
+ GH_User -- GH_HasPersonalAccessTokenRequest --> GH_PersonalAccessTokenRequest
+```
+
+## General Information
+
+The non-traversable [GH_HasPersonalAccessTokenRequest](/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstokenrequest) edge represents the relationship between a user and their pending personal access token requests awaiting organizational approval. Created by `Git-HoundPersonalAccessTokenRequest`, this edge links each pending token request back to the user who submitted it. Pending token requests are security-relevant because they represent access that may soon be granted, and reviewing them helps administrators understand what permissions users are requesting before approval. Organizations that require approval for fine-grained PATs will have these requests queued until an administrator acts on them.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasrole.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasrole.mdx
new file mode 100644
index 0000000..2760ec4
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasrole.mdx
@@ -0,0 +1,36 @@
+---
+title: 'GH_HasRole'
+description: 'User or team has a role assignment (org role, team role, or repo role)'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ✅
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_HasRole | [GH_TeamRole](/opengraph/extensions/githound/reference/nodes/gh_teamrole) |
+| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_HasRole | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) |
+| [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | GH_HasRole | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) |
+| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_HasRole | [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) |
+| [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | GH_HasRole | [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) |
+
+```mermaid
+flowchart LR
+ GH_User["fa:fa-user"]:::bhNode
+ GH_TeamRole["fa:fa-user-tie"]:::bhNode
+ GH_OrgRole["fa:fa-user-tie"]:::bhNode
+ GH_Team["fa:fa-user-group"]:::bhNode
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_User -- GH_HasRole --> GH_TeamRole
+ GH_User -- GH_HasRole --> GH_OrgRole
+ GH_Team -- GH_HasRole --> GH_OrgRole
+ GH_User -- GH_HasRole --> GH_RepoRole
+ GH_Team -- GH_HasRole --> GH_RepoRole
+```
+
+## General Information
+
+The traversable [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) edge represents the assignment of a user or team to a specific role within the organization, repository, or team. This is the primary edge for connecting identities to their permissions and serves as the foundation of all access paths in the GitHub permission model.
It is created by `Git-HoundUser` (for org roles), `Git-HoundRepositoryRole` (for repo roles), and `Git-HoundTeam` (for team roles). Because role assignment is the starting point for determining what a principal can do, this edge is traversable and critical for attack path analysis.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hassamlidentityprovider.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hassamlidentityprovider.mdx
new file mode 100644
index 0000000..7d6a30b
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hassamlidentityprovider.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_HasSamlIdentityProvider'
+description: 'Organization has this SAML identity provider configured'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_HasSamlIdentityProvider](/opengraph/extensions/githound/reference/edges/gh_hassamlidentityprovider) | [GH_SamlIdentityProvider](/opengraph/extensions/githound/reference/nodes/gh_samlidentityprovider) |
+
+```mermaid
+flowchart LR
+ GH_Organization["fa:fa-building"]:::bhNode
+ GH_SamlIdentityProvider["fa:fa-id-badge"]:::bhNode
+ GH_Organization -- GH_HasSamlIdentityProvider --> GH_SamlIdentityProvider
+```
+
+## General Information
+
+The non-traversable [GH_HasSamlIdentityProvider](/opengraph/extensions/githound/reference/edges/gh_hassamlidentityprovider) edge represents the relationship between an organization and its SAML identity provider configuration. Created by `Git-HoundGraphQlSamlProvider`, this edge links an organization to the SAML SSO provider used for authentication and user provisioning. SAML identity providers are a critical security component because they establish the trust boundary between an external identity provider (such as Entra ID or Okta) and the GitHub organization. Understanding this relationship is essential for mapping cross-platform attack paths where compromise of the identity provider could lead to access within the GitHub organization.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hassecret.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hassecret.mdx
new file mode 100644
index 0000000..a7d0d38
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hassecret.mdx
@@ -0,0 +1,28 @@
+---
+title: 'GH_HasSecret'
+description: 'Repository or environment has access to this secret'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ✅
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_HasSecret | [GH_RepoSecret](/opengraph/extensions/githound/reference/nodes/gh_reposecret) |
+| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_HasSecret | [GH_OrgSecret](/opengraph/extensions/githound/reference/nodes/gh_orgsecret) |
+
+```mermaid
+flowchart LR
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoSecret["fa:fa-lock"]:::bhNode
+ GH_OrgSecret["fa:fa-lock"]:::bhNode
+ GH_Repository -- GH_HasSecret --> GH_RepoSecret
+ GH_Repository -- GH_HasSecret --> GH_OrgSecret
+```
+
+## General Information
+
+The traversable [GH_HasSecret](/opengraph/extensions/githound/reference/edges/gh_hassecret) edge represents the relationship between a repository or environment and the secrets accessible within that context. Created by `Git-HoundOrganizationSecret`, `Git-HoundSecret`, and `Git-HoundEnvironment`, this edge shows which secrets are available in which scopes. Repositories can have access to both organization-level secrets (scoped to selected repositories) and repository-level secrets, while environments contain their own environment-scoped secrets. This edge is traversable because any principal that can push code to a repository (via [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) or [GH_CanCreateBranch](/opengraph/extensions/githound/reference/edges/gh_cancreatebranch)) can write a workflow that exfiltrates the secret values at runtime, making this a meaningful link in attack path analysis.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasstep.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasstep.mdx
new file mode 100644
index 0000000..2113c64
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasstep.mdx
@@ -0,0 +1,14 @@
+---
+title: 'GH_HasStep'
+description: '[Workflow] Job contains this step — GH_WorkflowJob → GH_WorkflowStep'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ✅
+
+## General Information
+
+The traversable [GH_HasStep](/opengraph/extensions/githound/reference/edges/gh_hasstep) edge links a job to each of its steps in execution order. Created by `Parse-GitHoundWorkflow`, this edge enables analysts to enumerate all actions and shell commands executed by a job, including which secrets and variables each step consumes.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasvariable.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasvariable.mdx
new file mode 100644
index 0000000..1be0f33
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasvariable.mdx
@@ -0,0 +1,28 @@
+---
+title: 'GH_HasVariable'
+description: 'Repository has access to this variable (org-level or repo-level)'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ✅
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_HasVariable | [GH_RepoVariable](/opengraph/extensions/githound/reference/nodes/gh_repovariable) |
+| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_HasVariable | [GH_OrgVariable](/opengraph/extensions/githound/reference/nodes/gh_orgvariable) |
+
+```mermaid
+flowchart LR
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoVariable["fa:fa-lock-open"]:::bhNode
+ GH_OrgVariable["fa:fa-lock-open"]:::bhNode
+ GH_Repository -- GH_HasVariable --> GH_RepoVariable
+ GH_Repository -- GH_HasVariable --> GH_OrgVariable
+```
+
+## General Information
+
+The traversable [GH_HasVariable](/opengraph/extensions/githound/reference/edges/gh_hasvariable) edge represents the relationship between a repository and the variables accessible within that context. Created by `Git-HoundOrganizationSecret` and `Git-HoundVariable`, this edge shows which variables are available in which scopes. Repositories can have access to both organization-level variables (scoped by visibility to all, private, or selected repositories) and repository-level variables defined directly on the repo. This edge is traversable because any principal that can push code to a repository (via [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) or [GH_CanCreateBranch](/opengraph/extensions/githound/reference/edges/gh_cancreatebranch)) can write a workflow that reads variable values at runtime, and variables may contain configuration data useful for lateral movement such as deployment URLs, service names, or environment identifiers.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasworkflow.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasworkflow.mdx
new file mode 100644
index 0000000..db694d3
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasworkflow.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_HasWorkflow'
+description: 'Repository has this workflow'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_HasWorkflow | [GH_Workflow](/opengraph/extensions/githound/reference/nodes/gh_workflow) |
+
+```mermaid
+flowchart LR
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_Workflow["fa:fa-cogs"]:::bhNode
+ GH_Repository -- GH_HasWorkflow --> GH_Workflow
+```
+
+## General Information
+
+The non-traversable [GH_HasWorkflow](/opengraph/extensions/githound/reference/edges/gh_hasworkflow) edge represents the relationship between a repository and its GitHub Actions workflows. Created by `Git-HoundWorkflow`, this edge links each discovered workflow definition to its parent repository. Workflows are significant from a security perspective because they can execute arbitrary code with repository permissions, access secrets, and assume cloud identities. This structural edge enables analysts to enumerate which workflows exist in a given repository.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_installedas.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_installedas.mdx
new file mode 100644
index 0000000..79e172d
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_installedas.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_InstalledAs'
+description: 'GitHub App is installed as this app installation on an organization'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ✅
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_App](/opengraph/extensions/githound/reference/nodes/gh_app) | GH_InstalledAs | [GH_AppInstallation](/opengraph/extensions/githound/reference/nodes/gh_appinstallation) |
+
+```mermaid
+flowchart LR
+ GH_App["fa:fa-cube"]:::bhNode
+ GH_AppInstallation["fa:fa-plug"]:::bhNode
+ GH_App -- GH_InstalledAs --> GH_AppInstallation
+```
+
+## General Information
+
+The traversable [GH_InstalledAs](/opengraph/extensions/githound/reference/edges/gh_installedas) edge links a GitHub App to its installation within the organization. It is created by `Git-HoundAppInstallation` during app installation enumeration. This edge is traversable because it connects the app definition to its active installation, which determines the specific set of repositories and permissions the app has been granted. Understanding the relationship between an app and its installation is essential for tracing how app-level permissions translate into repository access.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_invitemember.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_invitemember.mdx
new file mode 100644
index 0000000..87e92bf
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_invitemember.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_InviteMember'
+description: '[Organization] Org role can invite members to the organization'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | GH_InviteMember | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) |
+
+```mermaid
+flowchart LR
+ GH_OrgRole["fa:fa-user-tie"]:::bhNode
+ GH_Organization["fa:fa-building"]:::bhNode
+ GH_OrgRole -- GH_InviteMember --> GH_Organization
+```
+
+## General Information
+
+The non-traversable [GH_InviteMember](/opengraph/extensions/githound/reference/edges/gh_invitemember) edge represents that a role has the ability to invite new members to the organization. This permission is typically restricted to Owners, as inviting members expands the organization's trust boundary by granting new users access to internal resources. An attacker with this permission could invite a controlled account to gain persistent access to the organization's repositories, teams, and secrets.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_jumpmergequeue.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_jumpmergequeue.mdx
new file mode 100644
index 0000000..e78e16e
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_jumpmergequeue.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_JumpMergeQueue'
+description: 'Repo role can jump the merge queue'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_JumpMergeQueue](/opengraph/extensions/githound/reference/edges/gh_jumpmergequeue) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_JumpMergeQueue --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_JumpMergeQueue](/opengraph/extensions/githound/reference/edges/gh_jumpmergequeue) edge represents a role's ability to jump ahead of other entries in the merge queue. This permission is available to Admin roles and custom roles that have been granted this specific permission. Merge queues enforce an ordered sequence of CI checks and merges; jumping the queue allows a principal to prioritize their changes ahead of others. While less severe than bypassing protections entirely, this permission can be used to accelerate the landing of malicious changes before other queued entries are reviewed or tested.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managedeploykeys.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managedeploykeys.mdx
new file mode 100644
index 0000000..56fe2a1
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managedeploykeys.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_ManageDeployKeys'
+description: '[Repository] Repo role can manage deploy keys'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ManageDeployKeys | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_ManageDeployKeys --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_ManageDeployKeys](/opengraph/extensions/githound/reference/edges/gh_managedeploykeys) edge represents a role's ability to create, modify, and delete deploy keys for the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Deploy keys provide SSH-based access to the repository, and a deploy key with write access can push commits directly without going through the GitHub web interface or API authentication. Managing deploy keys is security-significant because it enables the creation of persistent, credential-based access that operates outside the normal user authentication flow.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managediscussionbadges.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managediscussionbadges.mdx
new file mode 100644
index 0000000..4fdb7cc
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managediscussionbadges.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_ManageDiscussionBadges'
+description: '[Repository] Repo role can manage discussion badges'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ManageDiscussionBadges | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_ManageDiscussionBadges --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_ManageDiscussionBadges](/opengraph/extensions/githound/reference/edges/gh_managediscussionbadges) edge represents a role's ability to manage discussion badges used to highlight discussion participants. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_manageorganizationwebhooks.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_manageorganizationwebhooks.mdx
new file mode 100644
index 0000000..6ff730b
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_manageorganizationwebhooks.mdx
@@ -0,0 +1,14 @@
+---
+title: 'GH_ManageOrganizationWebhooks'
+description: '[Organization] Org role can manage organization webhooks'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+## General Information
+
+The non-traversable [GH_ManageOrganizationWebhooks](/opengraph/extensions/githound/reference/edges/gh_manageorganizationwebhooks) edge represents that a role has the ability to manage organization-level webhooks. This edge is dynamically generated from custom organization role permissions discovered by the collector. Webhooks can be configured to send event data to external endpoints, making this permission significant for security because an attacker could create or modify webhooks to exfiltrate repository data, commit contents, or issue details to an attacker-controlled server, or use them as a persistence mechanism.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managereposecurityproducts.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managereposecurityproducts.mdx
new file mode 100644
index 0000000..b080a0f
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managereposecurityproducts.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_ManageRepoSecurityProducts'
+description: 'Repo role can manage repo-level security products'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_ManageRepoSecurityProducts](/opengraph/extensions/githound/reference/edges/gh_managereposecurityproducts) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_ManageRepoSecurityProducts --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_ManageRepoSecurityProducts](/opengraph/extensions/githound/reference/edges/gh_managereposecurityproducts) edge represents a role's ability to manage repository-specific security product settings. This permission is available to Admin roles and custom roles that have been granted this specific permission. Unlike the broader [GH_ManageSecurityProducts](/opengraph/extensions/githound/reference/edges/gh_managesecurityproducts) permission, this edge is scoped to repository-level security configuration such as repository-specific scanning settings and alert management. Disabling repository-level security products can create blind spots in vulnerability detection for the specific repository.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesecurityproducts.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesecurityproducts.mdx
new file mode 100644
index 0000000..4f85ea4
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesecurityproducts.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_ManageSecurityProducts'
+description: 'Repo role can manage security products'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ManageSecurityProducts | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_ManageSecurityProducts --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_ManageSecurityProducts](/opengraph/extensions/githound/reference/edges/gh_managesecurityproducts) edge represents a role's ability to manage security product settings on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Managing security products allows enabling or disabling features such as secret scanning, code scanning, and Dependabot alerts. An attacker with this permission could disable security features to prevent detection of vulnerabilities or leaked secrets, making this a high-severity permission for security posture management.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingsmergetypes.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingsmergetypes.mdx
new file mode 100644
index 0000000..2cbc3f3
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingsmergetypes.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_ManageSettingsMergeTypes'
+description: '[Repository] Repo role can manage allowed merge types'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_ManageSettingsMergeTypes](/opengraph/extensions/githound/reference/edges/gh_managesettingsmergetypes) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_ManageSettingsMergeTypes --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_ManageSettingsMergeTypes](/opengraph/extensions/githound/reference/edges/gh_managesettingsmergetypes) edge represents a role's ability to configure allowed merge types (merge commit, squash, rebase) on the repository. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingspages.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingspages.mdx
new file mode 100644
index 0000000..568ae64
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingspages.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_ManageSettingsPages'
+description: '[Repository] Repo role can manage GitHub Pages settings'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ManageSettingsPages | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_ManageSettingsPages --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_ManageSettingsPages](/opengraph/extensions/githound/reference/edges/gh_managesettingspages) edge represents a role's ability to manage GitHub Pages settings including enabling, disabling, and configuring the source. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingsprojects.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingsprojects.mdx
new file mode 100644
index 0000000..1210b15
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingsprojects.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_ManageSettingsProjects'
+description: '[Repository] Repo role can manage project settings'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ManageSettingsProjects | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_ManageSettingsProjects --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_ManageSettingsProjects](/opengraph/extensions/githound/reference/edges/gh_managesettingsprojects) edge represents a role's ability to manage project board settings on the repository. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingswiki.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingswiki.mdx
new file mode 100644
index 0000000..e750ed0
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingswiki.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_ManageSettingsWiki'
+description: '[Repository] Repo role can manage wiki settings'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ManageSettingsWiki | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_ManageSettingsWiki --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_ManageSettingsWiki](/opengraph/extensions/githound/reference/edges/gh_managesettingswiki) edge represents a role's ability to enable or disable the repository wiki. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managetopics.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managetopics.mdx
new file mode 100644
index 0000000..0d9fc02
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managetopics.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_ManageTopics'
+description: '[Repository] Repo role can manage repository topics'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ManageTopics | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_ManageTopics --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_ManageTopics](/opengraph/extensions/githound/reference/edges/gh_managetopics) edge represents a role's ability to manage repository topics used for discovery and classification. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managewebhooks.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managewebhooks.mdx
new file mode 100644
index 0000000..b66f972
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managewebhooks.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_ManageWebhooks'
+description: '[Repository] Repo role can manage repository webhooks'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ManageWebhooks | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_ManageWebhooks --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_ManageWebhooks](/opengraph/extensions/githound/reference/edges/gh_managewebhooks) edge represents a role's ability to create, modify, and delete repository-level webhooks. This permission is available to Admin roles and custom roles that have been granted this specific permission. Webhooks can exfiltrate repository events and code changes to external endpoints, making this a security-sensitive permission. An attacker with this permission could configure a webhook to receive push event payloads containing commit diffs, effectively creating a covert channel for data exfiltration.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_mapstouser.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_mapstouser.mdx
new file mode 100644
index 0000000..bad3328
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_mapstouser.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_MapsToUser'
+description: 'External identity maps to a GitHub user or identity provider user'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_ExternalIdentity](/opengraph/extensions/githound/reference/nodes/gh_externalidentity) | GH_MapsToUser | [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) |
+
+```mermaid
+flowchart LR
+ GH_ExternalIdentity["fa:fa-arrows-left-right"]:::bhNode
+ GH_User["fa:fa-user"]:::bhNode
+ GH_ExternalIdentity -- GH_MapsToUser --> GH_User
+```
+
+## General Information
+
+The non-traversable [GH_MapsToUser](/opengraph/extensions/githound/reference/edges/gh_mapstouser) edge maps an external identity (provisioned via SAML or SCIM) to a GitHub user within the organization, or to an external IdP user (such as [AZUser](/resources/nodes/az-user), [Okta_User](/opengraph/extensions/oktahound/reference/nodes/okta_user), or [PingOneUser](https://github.com/andyrobbins/PingOneHound?tab=readme-ov-file#schema)) in hybrid graph scenarios. It is created by `Git-HoundGraphQlSamlProvider` for SAML-linked identities and `Git-HoundScimUser` for SCIM-provisioned identities. This edge represents identity correlation rather than an attack path, connecting a user's external IdP account to their GitHub account for visibility into federated identity mappings.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_markasduplicate.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_markasduplicate.mdx
new file mode 100644
index 0000000..a7975d1
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_markasduplicate.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_MarkAsDuplicate'
+description: '[Repository] Repo role can mark issues or pull requests as duplicates'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_MarkAsDuplicate | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_MarkAsDuplicate --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_MarkAsDuplicate](/opengraph/extensions/githound/reference/edges/gh_markasduplicate) edge represents a role's ability to mark issues or pull requests as duplicates. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_memberof.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_memberof.mdx
new file mode 100644
index 0000000..ef7e160
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_memberof.mdx
@@ -0,0 +1,27 @@
+---
+title: 'GH_MemberOf'
+description: 'Team role is a member of a team, or team is a nested member of a parent team'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ✅
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | GH_MemberOf | [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) |
+| [GH_TeamRole](/opengraph/extensions/githound/reference/nodes/gh_teamrole) | GH_MemberOf | [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) |
+
+```mermaid
+flowchart LR
+ GH_Team["fa:fa-user-group"]:::bhNode
+ GH_TeamRole["fa:fa-user-tie"]:::bhNode
+ GH_Team -- GH_MemberOf --> GH_Team
+ GH_TeamRole -- GH_MemberOf --> GH_Team
+```
+
+## General Information
+
+The traversable [GH_MemberOf](/opengraph/extensions/githound/reference/edges/gh_memberof) edge represents team membership, linking a team role to its parent team or a child team to a parent team in nested team hierarchies. It is created by `Git-HoundTeam` during team enumeration. This edge is traversable because team membership extends access transitively -- a user who holds a role in a child team inherits the repository permissions of all ancestor teams in the nesting hierarchy, making it a key component of attack path analysis.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgbypasscodescanningdismissalrequests.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgbypasscodescanningdismissalrequests.mdx
new file mode 100644
index 0000000..abfaa69
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgbypasscodescanningdismissalrequests.mdx
@@ -0,0 +1,14 @@
+---
+title: 'GH_OrgBypassCodeScanningDismissalRequests'
+description: '[Organization] Org role can bypass code scanning dismissal requests'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+## General Information
+
+The non-traversable [GH_OrgBypassCodeScanningDismissalRequests](/opengraph/extensions/githound/reference/edges/gh_orgbypasscodescanningdismissalrequests) edge represents that a role can bypass code scanning dismissal requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. This permission allows suppressing code scanning security findings without the standard review process, which is significant because an attacker could use it to hide vulnerabilities or malicious code patterns that would otherwise be flagged by automated scanning tools.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgbypasssecretscanningclosurerequests.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgbypasssecretscanningclosurerequests.mdx
new file mode 100644
index 0000000..0116f1d
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgbypasssecretscanningclosurerequests.mdx
@@ -0,0 +1,14 @@
+---
+title: 'GH_OrgBypassSecretScanningClosureRequests'
+description: '[Organization] Org role can bypass secret scanning closure requests'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+## General Information
+
+The non-traversable [GH_OrgBypassSecretScanningClosureRequests](/opengraph/extensions/githound/reference/edges/gh_orgbypasssecretscanningclosurerequests) edge represents that a role can bypass secret scanning closure requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. This permission allows closing secret scanning alerts without going through the standard review and approval process, which is significant because an attacker could use it to suppress alerts about leaked credentials and prevent incident response teams from being notified.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgreviewandmanagesecretscanningbypassrequests.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgreviewandmanagesecretscanningbypassrequests.mdx
new file mode 100644
index 0000000..d8ace9a
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgreviewandmanagesecretscanningbypassrequests.mdx
@@ -0,0 +1,14 @@
+---
+title: 'GH_OrgReviewAndManageSecretScanningBypassRequests'
+description: '[Organization] Org role can review and manage secret scanning bypass requests'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+## General Information
+
+The non-traversable [GH_OrgReviewAndManageSecretScanningBypassRequests](/opengraph/extensions/githound/reference/edges/gh_orgreviewandmanagesecretscanningbypassrequests) edge represents that a role can review and manage secret scanning push protection bypass requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. Push protection prevents secrets from being committed to repositories, and bypass requests allow developers to override this protection for specific commits. An attacker with this permission could approve their own or an accomplice's bypass requests, allowing secrets to be committed to repositories without triggering push protection blocks.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgreviewandmanagesecretscanningclosurerequests.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgreviewandmanagesecretscanningclosurerequests.mdx
new file mode 100644
index 0000000..d198e48
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgreviewandmanagesecretscanningclosurerequests.mdx
@@ -0,0 +1,14 @@
+---
+title: 'GH_OrgReviewAndManageSecretScanningClosureRequests'
+description: '[Organization] Org role can review and manage secret scanning closure requests'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+## General Information
+
+The non-traversable [GH_OrgReviewAndManageSecretScanningClosureRequests](/opengraph/extensions/githound/reference/edges/gh_orgreviewandmanagesecretscanningclosurerequests) edge represents that a role can review and manage secret scanning alert closure requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. Alert closure requests are part of the workflow for closing secret scanning alerts, and this permission controls who can approve or deny those requests. An attacker with this permission could approve closure requests to suppress alerts about actively leaked credentials, undermining the organization's secret scanning remediation process.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_owns.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_owns.mdx
new file mode 100644
index 0000000..2f7b05e
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_owns.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_Owns'
+description: 'Organization owns a repository'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ✅
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_Owns | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_Organization["fa:fa-building"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_Organization -- GH_Owns --> GH_Repository
+```
+
+## General Information
+
+The traversable [GH_Owns](/opengraph/extensions/githound/reference/edges/gh_owns) edge represents that an organization owns a repository. Created by `Git-HoundRepository`, this edge establishes the foundation of the access control model by linking repositories to their owning organization. It is traversable because repository ownership is a critical relationship for understanding how organizational permissions cascade down to repository-level access, making it essential for attack path analysis.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_protectedby.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_protectedby.mdx
new file mode 100644
index 0000000..436816a
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_protectedby.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_ProtectedBy'
+description: 'Branch protection rule protects this branch'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) | GH_ProtectedBy | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) |
+
+```mermaid
+flowchart LR
+ GH_BranchProtectionRule["fa:fa-shield"]:::bhNode
+ GH_Branch["fa:fa-code-branch"]:::bhNode
+ GH_BranchProtectionRule -- GH_ProtectedBy --> GH_Branch
+```
+
+## General Information
+
+The non-traversable [GH_ProtectedBy](/opengraph/extensions/githound/reference/edges/gh_protectedby) edge represents that a branch protection rule applies to a specific branch. Created by `Git-HoundBranch` when branch protection rules are collected, this edge links protection rules to the branches they govern. Understanding which protections apply to a branch is critical for determining the effective access model — protections such as required reviews, status checks, and push restrictions directly impact who can modify a branch. This edge is consumed by the computed edge functions (`Compute-GitHoundBranchAccess`) to determine effective push access; the computed [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) and [GH_CanEditProtection](/opengraph/extensions/githound/reference/edges/gh_caneditprotection) edges carry traversability instead.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch.mdx
new file mode 100644
index 0000000..6882acc
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_PushProtectedBranch'
+description: '[Repository] Repo role can push to branches with push restrictions. Not affected by enforce_admins.'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_PushProtectedBranch | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_PushProtectedBranch --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_PushProtectedBranch](/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch) edge represents a role's ability to push directly to branches that are protected by push restrictions. This permission is available to Admin and Maintain roles. This edge bypasses the push gate of branch protection, allowing direct commits to protected branches without going through the pull request workflow. Unlike merge gate bypasses (such as [GH_BypassBranchProtection](/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection)), this push gate bypass is NOT suppressed by the `enforce_admins` setting on the branch protection rule, making it a particularly potent permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readcodescanning.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readcodescanning.mdx
new file mode 100644
index 0000000..ee5e08e
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readcodescanning.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_ReadCodeScanning'
+description: '[Repository] Repo role can read code scanning results'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ReadCodeScanning | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_ReadCodeScanning --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_ReadCodeScanning](/opengraph/extensions/githound/reference/edges/gh_readcodescanning) edge represents a role's ability to read code scanning analysis results and alerts. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. Code scanning alerts may reveal exploitable vulnerabilities in the codebase.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationactionsusagemetrics.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationactionsusagemetrics.mdx
new file mode 100644
index 0000000..f2c3b13
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationactionsusagemetrics.mdx
@@ -0,0 +1,14 @@
+---
+title: 'GH_ReadOrganizationActionsUsageMetrics'
+description: '[Organization] Org role can read Actions usage metrics'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+## General Information
+
+The non-traversable [GH_ReadOrganizationActionsUsageMetrics](/opengraph/extensions/githound/reference/edges/gh_readorganizationactionsusagemetrics) edge represents that a role can read GitHub Actions usage metrics for the organization. This edge is dynamically generated from custom organization role permissions discovered by the collector. Usage metrics provide visibility into workflow execution patterns, runner utilization, and billing data across the organization. While this is primarily an informational permission, it can reveal which repositories have active CI/CD pipelines and the scale of automation in use.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationcustomorgrole.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationcustomorgrole.mdx
new file mode 100644
index 0000000..3d0d73a
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationcustomorgrole.mdx
@@ -0,0 +1,14 @@
+---
+title: 'GH_ReadOrganizationCustomOrgRole'
+description: '[Organization] Org role can read custom org role definitions'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+## General Information
+
+The non-traversable [GH_ReadOrganizationCustomOrgRole](/opengraph/extensions/githound/reference/edges/gh_readorganizationcustomorgrole) edge represents that a role can read custom organization role definitions. This edge is dynamically generated from custom organization role permissions discovered by the collector. Reading custom org role definitions allows a user to enumerate the permissions granted to each custom role, which provides reconnaissance value for understanding the organization's access control model and identifying roles with elevated privileges.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationcustomreporole.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationcustomreporole.mdx
new file mode 100644
index 0000000..c466a88
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationcustomreporole.mdx
@@ -0,0 +1,14 @@
+---
+title: 'GH_ReadOrganizationCustomRepoRole'
+description: '[Organization] Org role can read custom repo role definitions'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+## General Information
+
+The non-traversable [GH_ReadOrganizationCustomRepoRole](/opengraph/extensions/githound/reference/edges/gh_readorganizationcustomreporole) edge represents that a role can read custom repository role definitions. This edge is dynamically generated from custom organization role permissions discovered by the collector. Reading custom repo role definitions allows a user to enumerate the permissions granted to each custom repository role, which provides reconnaissance value for understanding repository-level access controls and identifying roles that grant elevated repository permissions.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readrepocontents.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readrepocontents.mdx
new file mode 100644
index 0000000..fb1bb13
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readrepocontents.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_ReadRepoContents'
+description: '[Repository] Repo role can read repository contents'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ReadRepoContents | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_ReadRepoContents --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_ReadRepoContents](/opengraph/extensions/githound/reference/edges/gh_readrepocontents) edge represents a role's ability to read repository contents including source code, issues, and pull requests. This is the base level of repository access, available to all roles at the Read permission level and above (Read, Triage, Write, Maintain, Admin).
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_removeassignee.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_removeassignee.mdx
new file mode 100644
index 0000000..c71ea73
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_removeassignee.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_RemoveAssignee'
+description: '[Repository] Repo role can remove assignees from issues and pull requests'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_RemoveAssignee | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_RemoveAssignee --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_RemoveAssignee](/opengraph/extensions/githound/reference/edges/gh_removeassignee) edge represents a role's ability to remove assignees from issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_removelabel.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_removelabel.mdx
new file mode 100644
index 0000000..fd5ea7b
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_removelabel.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_RemoveLabel'
+description: '[Repository] Repo role can remove labels from issues and pull requests'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_RemoveLabel | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_RemoveLabel --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_RemoveLabel](/opengraph/extensions/githound/reference/edges/gh_removelabel) edge represents a role's ability to remove labels from issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopendiscussion.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopendiscussion.mdx
new file mode 100644
index 0000000..287ad49
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopendiscussion.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_ReopenDiscussion'
+description: '[Repository] Repo role can reopen discussions'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ReopenDiscussion | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_ReopenDiscussion --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_ReopenDiscussion](/opengraph/extensions/githound/reference/edges/gh_reopendiscussion) edge represents a role's ability to reopen closed discussions to allow further replies. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopenissue.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopenissue.mdx
new file mode 100644
index 0000000..aa7030c
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopenissue.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_ReopenIssue'
+description: '[Repository] Repo role can reopen closed issues'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ReopenIssue | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_ReopenIssue --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_ReopenIssue](/opengraph/extensions/githound/reference/edges/gh_reopenissue) edge represents a role's ability to reopen closed issues. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopenpullrequest.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopenpullrequest.mdx
new file mode 100644
index 0000000..8f35857
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopenpullrequest.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_ReopenPullRequest'
+description: '[Repository] Repo role can reopen closed pull requests'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ReopenPullRequest | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_ReopenPullRequest --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_ReopenPullRequest](/opengraph/extensions/githound/reference/edges/gh_reopenpullrequest) edge represents a role's ability to reopen closed pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_requestprreview.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_requestprreview.mdx
new file mode 100644
index 0000000..34531cd
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_requestprreview.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_RequestPrReview'
+description: '[Repository] Repo role can request pull request reviews'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_RequestPrReview | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_RequestPrReview --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_RequestPrReview](/opengraph/extensions/githound/reference/edges/gh_requestprreview) edge represents a role's ability to request pull request reviews from specific users or teams. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_resolvedependabotalerts.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_resolvedependabotalerts.mdx
new file mode 100644
index 0000000..b4c1b2f
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_resolvedependabotalerts.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_ResolveDependabotAlerts'
+description: '[Repository] Repo role can resolve Dependabot alerts'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ResolveDependabotAlerts | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_ResolveDependabotAlerts --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_ResolveDependabotAlerts](/opengraph/extensions/githound/reference/edges/gh_resolvedependabotalerts) edge represents a role's ability to dismiss or resolve Dependabot alerts. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. An attacker could dismiss valid alerts to suppress vulnerability warnings and prevent remediation.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_resolvesecretscanningalerts.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_resolvesecretscanningalerts.mdx
new file mode 100644
index 0000000..bcf707a
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_resolvesecretscanningalerts.mdx
@@ -0,0 +1,29 @@
+---
+title: 'GH_ResolveSecretScanningAlerts'
+description: '[Organization] Org role can resolve secret scanning alerts'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | GH_ResolveSecretScanningAlerts | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ResolveSecretScanningAlerts | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_OrgRole["fa:fa-user-tie"]:::bhNode
+ GH_Organization["fa:fa-building"]:::bhNode
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_OrgRole -- GH_ResolveSecretScanningAlerts --> GH_Organization
+ GH_RepoRole -- GH_ResolveSecretScanningAlerts --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_ResolveSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_resolvesecretscanningalerts) edge represents that a role can resolve (close) secret scanning alerts at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. Resolving a secret scanning alert marks a leaked secret as addressed, which removes it from active monitoring dashboards. An attacker with this permission could suppress alerts about leaked credentials to prevent incident response teams from detecting and rotating compromised secrets.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_restrictionscanpush.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_restrictionscanpush.mdx
new file mode 100644
index 0000000..3d852c0
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_restrictionscanpush.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_RestrictionsCanPush'
+description: 'User or team is allowed to push to branches protected by this rule'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_RestrictionsCanPush | [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) |
+
+```mermaid
+flowchart LR
+ GH_User["fa:fa-user"]:::bhNode
+ GH_BranchProtectionRule["fa:fa-shield"]:::bhNode
+ GH_User -- GH_RestrictionsCanPush --> GH_BranchProtectionRule
+```
+
+## General Information
+
+The non-traversable [GH_RestrictionsCanPush](/opengraph/extensions/githound/reference/edges/gh_restrictionscanpush) edge represents a per-actor allowance that grants push access through push restrictions on a branch protection rule. Created by `Git-HoundBranch` when collecting BPR push allowances, this edge identifies specific users or teams that are permitted to push to the protected branch even when push restrictions are active. This is security-relevant because push restrictions limit who can directly push to a branch, and actors with this allowance bypass that control. Unlike [GH_BypassPullRequestAllowances](/opengraph/extensions/githound/reference/edges/gh_bypasspullrequestallowances), this allowance is NOT suppressed by `enforce_admins` — listed actors retain push access regardless of admin enforcement settings.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_runorgmigration.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_runorgmigration.mdx
new file mode 100644
index 0000000..ce44776
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_runorgmigration.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_RunOrgMigration'
+description: '[Repository] Repo role can run organization migrations'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_RunOrgMigration](/opengraph/extensions/githound/reference/edges/gh_runorgmigration) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_RunOrgMigration --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_RunOrgMigration](/opengraph/extensions/githound/reference/edges/gh_runorgmigration) edge represents a role's ability to run organization migrations on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Organization migrations export repository data including source code, issues, and pull requests, which can be used to transfer repository contents to another organization. This permission is security-relevant because it enables bulk data export from the repository.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setinteractionlimits.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setinteractionlimits.mdx
new file mode 100644
index 0000000..0482d38
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setinteractionlimits.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_SetInteractionLimits'
+description: '[Repository] Repo role can set interaction limits on the repository'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_SetInteractionLimits](/opengraph/extensions/githound/reference/edges/gh_setinteractionlimits) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_SetInteractionLimits --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_SetInteractionLimits](/opengraph/extensions/githound/reference/edges/gh_setinteractionlimits) edge represents a role's ability to set temporary interaction limits to restrict who can comment, open issues, or create pull requests. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setissuetype.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setissuetype.mdx
new file mode 100644
index 0000000..47ac743
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setissuetype.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_SetIssueType'
+description: '[Repository] Repo role can set issue types'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_SetIssueType | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_SetIssueType --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_SetIssueType](/opengraph/extensions/githound/reference/edges/gh_setissuetype) edge represents a role's ability to set issue types. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setmilestone.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setmilestone.mdx
new file mode 100644
index 0000000..bf66a6b
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setmilestone.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_SetMilestone'
+description: '[Repository] Repo role can set milestones on issues and pull requests'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_SetMilestone | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_SetMilestone --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_SetMilestone](/opengraph/extensions/githound/reference/edges/gh_setmilestone) edge represents a role's ability to set milestones on issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setsocialpreview.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setsocialpreview.mdx
new file mode 100644
index 0000000..7d8d434
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setsocialpreview.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_SetSocialPreview'
+description: '[Repository] Repo role can set the repository social preview image'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_SetSocialPreview | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_SetSocialPreview --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_SetSocialPreview](/opengraph/extensions/githound/reference/edges/gh_setsocialpreview) edge represents a role's ability to set the repository social preview image shown in link previews. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_syncedto.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_syncedto.mdx
new file mode 100644
index 0000000..2489c3f
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_syncedto.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_SyncedTo'
+description: 'External identity (Azure, Okta, PingOne) is synced to this GitHub user via SSO/SCIM'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ✅
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_ExternalIdentity](/opengraph/extensions/githound/reference/nodes/gh_externalidentity) | GH_SyncedTo | [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) |
+
+```mermaid
+flowchart LR
+ GH_ExternalIdentity["fa:fa-arrows-left-right"]:::bhNode
+ GH_User["fa:fa-user"]:::bhNode
+ GH_ExternalIdentity -- GH_SyncedTo --> GH_User
+```
+
+## General Information
+
+The traversable [GH_SyncedTo](/opengraph/extensions/githound/reference/edges/gh_syncedto) edge is a hybrid edge that maps an external IdP user to a GitHub user based on SCIM provisioning. Created by `Git-HoundScimUser` when SCIM data links an external identity to a GitHub account, this edge represents a confirmed identity linkage between an external identity provider and GitHub. It is traversable because compromising the IdP account provides a verified path to the corresponding GitHub account, making it a critical edge for cross-system attack path analysis. This edge enables analysts to trace access from enterprise identity providers like Azure AD, Okta, or PingOne into the GitHub environment.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_togglediscussionanswer.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_togglediscussionanswer.mdx
new file mode 100644
index 0000000..0bbd61d
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_togglediscussionanswer.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_ToggleDiscussionAnswer'
+description: '[Repository] Repo role can toggle discussion answers'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ToggleDiscussionAnswer | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_ToggleDiscussionAnswer --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_ToggleDiscussionAnswer](/opengraph/extensions/githound/reference/edges/gh_togglediscussionanswer) edge represents a role's ability to mark or unmark a discussion comment as the accepted answer. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_togglediscussioncommentminimize.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_togglediscussioncommentminimize.mdx
new file mode 100644
index 0000000..83c995b
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_togglediscussioncommentminimize.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_ToggleDiscussionCommentMinimize'
+description: '[Repository] Repo role can minimize discussion comments'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ToggleDiscussionCommentMinimize | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_ToggleDiscussionCommentMinimize --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_ToggleDiscussionCommentMinimize](/opengraph/extensions/githound/reference/edges/gh_togglediscussioncommentminimize) edge represents a role's ability to minimize or restore discussion comments, hiding them from default view. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_transferrepository.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_transferrepository.mdx
new file mode 100644
index 0000000..30ecd51
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_transferrepository.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_TransferRepository'
+description: '[Organization] Org role can transfer repositories'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | GH_TransferRepository | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) |
+
+```mermaid
+flowchart LR
+ GH_OrgRole["fa:fa-user-tie"]:::bhNode
+ GH_Organization["fa:fa-building"]:::bhNode
+ GH_OrgRole -- GH_TransferRepository --> GH_Organization
+```
+
+## General Information
+
+The non-traversable [GH_TransferRepository](/opengraph/extensions/githound/reference/edges/gh_transferrepository) edge represents that a role has the ability to transfer repositories to or from the organization. This permission is typically restricted to Owners, as transferring a repository can move it outside of the organization's security controls, branch protection rules, and audit logging. An attacker with this permission could transfer a repository to an organization they control, effectively exfiltrating the codebase and its associated secrets.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_usessecret.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_usessecret.mdx
new file mode 100644
index 0000000..e59c8bf
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_usessecret.mdx
@@ -0,0 +1,30 @@
+---
+title: 'GH_UsesSecret'
+description: '[Workflow] Step references a secret by name — GH_WorkflowStep → GH_Secret (name match)'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ✅
+
+## General Information
+
+The traversable [GH_UsesSecret](/opengraph/extensions/githound/reference/edges/gh_usessecret) edge links a workflow step to the secret it references via a `${{ secrets.NAME }}` expression. Created by `Parse-GitHoundWorkflow`, this edge reveals which secrets a step can access at runtime, enabling analysts to trace the blast radius of a compromised workflow.
+
+### Matching strategy
+
+Edges use `match_by: property` with two matchers to disambiguate between secrets with the same name across repositories:
+
+- **GH_RepoSecret** is matched by `name` + `repository_id` (the GitHub node_id of the repository).
+- **GH_OrgSecret** is matched by `name` + `environmentid` (the node_id of the organization, which acts as the org-level secret scope).
+
+This means one `${{ secrets.MY_SECRET }}` expression in a workflow can produce up to two [GH_UsesSecret](/opengraph/extensions/githound/reference/edges/gh_usessecret) edges — one to the repo-level secret and one to the org-level secret — reflecting that either could supply the value at runtime depending on scope precedence.
+
+### Context property
+
+The edge carries a `context` property indicating where the reference was found:
+- `with` — inside a `with:` input block of a `uses:` action step
+- `env` — inside the step's `env:` block
+- `run` — inline within a `run:` shell script
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_usesvariable.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_usesvariable.mdx
new file mode 100644
index 0000000..6e78580
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_usesvariable.mdx
@@ -0,0 +1,30 @@
+---
+title: 'GH_UsesVariable'
+description: '[Workflow] Step references a variable by name — GH_WorkflowStep → GH_Variable (name match)'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+## General Information
+
+The non-traversable [GH_UsesVariable](/opengraph/extensions/githound/reference/edges/gh_usesvariable) edge links a workflow step to the variable it references via a `${{ vars.NAME }}` expression. Created by `Parse-GitHoundWorkflow`, this edge maps variable consumption within workflows. Unlike secrets, variable values are readable via the API, making them lower sensitivity — but they can still influence workflow behavior (e.g., controlling target environments or feature flags).
+
+### Matching strategy
+
+Edges use `match_by: property` with two matchers to disambiguate between variables with the same name across repositories:
+
+- **GH_RepoVariable** is matched by `name` + `repository_id` (the GitHub node_id of the repository).
+- **GH_OrgVariable** is matched by `name` + `environmentid` (the node_id of the organization, which acts as the org-level variable scope).
+
+This means one `${{ vars.MY_VAR }}` expression can produce up to two [GH_UsesVariable](/opengraph/extensions/githound/reference/edges/gh_usesvariable) edges — one to the repo-level variable and one to the org-level variable.
+
+### Context property
+
+The edge carries a `context` property indicating where the reference was found:
+- `with` — inside a `with:` input block of a `uses:` action step
+- `env` — inside the step's `env:` block
+- `run` — inline within a `run:` shell script
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_validtoken.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_validtoken.mdx
new file mode 100644
index 0000000..68403d5
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_validtoken.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_ValidToken'
+description: 'Secret scanning alert contains a valid, active token belonging to this user'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ✅
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_SecretScanningAlert](/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert) | GH_ValidToken | [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) |
+
+```mermaid
+flowchart LR
+ GH_SecretScanningAlert["fa:fa-key"]:::bhNode
+ GH_User["fa:fa-user"]:::bhNode
+ GH_SecretScanningAlert -- GH_ValidToken --> GH_User
+```
+
+## General Information
+
+The traversable [GH_ValidToken](/opengraph/extensions/githound/reference/edges/gh_validtoken) edge represents a secret scanning alert that contains a valid, active GitHub Personal Access Token belonging to a specific user. Created by `Git-HoundSecretScanningAlert`, this edge is only emitted when the alert's state is `open`, the secret type is `github_personal_access_token`, and the token is confirmed valid by calling the GitHub API. This edge is traversable because possessing the leaked token grants the ability to act as the token's owner, effectively compromising that user's identity and all permissions granted to the token.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_viewdependabotalerts.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_viewdependabotalerts.mdx
new file mode 100644
index 0000000..b5894f7
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_viewdependabotalerts.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_ViewDependabotAlerts'
+description: '[Repository] Repo role can view Dependabot alerts'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ViewDependabotAlerts | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_ViewDependabotAlerts --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_ViewDependabotAlerts](/opengraph/extensions/githound/reference/edges/gh_viewdependabotalerts) edge represents a role's ability to view Dependabot security alerts, which reveal known vulnerabilities in the repository's dependencies. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. This information could be used to identify and exploit unpatched vulnerabilities.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts.mdx
new file mode 100644
index 0000000..7ffe0ad
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts.mdx
@@ -0,0 +1,29 @@
+---
+title: 'GH_ViewSecretScanningAlerts'
+description: '[Repository] Role can view secret scanning alerts'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | GH_ViewSecretScanningAlerts | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ViewSecretScanningAlerts | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_OrgRole["fa:fa-user-tie"]:::bhNode
+ GH_Organization["fa:fa-building"]:::bhNode
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_OrgRole -- GH_ViewSecretScanningAlerts --> GH_Organization
+ GH_RepoRole -- GH_ViewSecretScanningAlerts --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_ViewSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts) edge represents that a role can view secret scanning alerts at the organization or repository level. This edge is dynamically generated from custom role permissions discovered by the collector. Secret scanning alerts may reveal details about leaked credentials, including partial or full secret values and the locations where they were detected. This makes the permission significant for security because an attacker with access to view these alerts could harvest exposed credentials for use in lateral movement or privilege escalation.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writecodescanning.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writecodescanning.mdx
new file mode 100644
index 0000000..97cbd5d
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writecodescanning.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_WriteCodeScanning'
+description: '[Repository] Repo role can upload code scanning results'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_WriteCodeScanning](/opengraph/extensions/githound/reference/edges/gh_writecodescanning) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_WriteCodeScanning --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_WriteCodeScanning](/opengraph/extensions/githound/reference/edges/gh_writecodescanning) edge represents a role's ability to upload code scanning analysis results. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. An attacker could upload falsified SARIF results to suppress real alerts or inject misleading findings.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionssecrets.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionssecrets.mdx
new file mode 100644
index 0000000..a135d15
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionssecrets.mdx
@@ -0,0 +1,14 @@
+---
+title: 'GH_WriteOrganizationActionsSecrets'
+description: '[Organization] Org role can write Actions secrets'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+## General Information
+
+The non-traversable [GH_WriteOrganizationActionsSecrets](/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionssecrets) edge represents that a role can write organization-level GitHub Actions secrets. This edge is dynamically generated from custom organization role permissions discovered by the collector. Organization-level secrets are available to workflows across multiple repositories and often contain credentials for external systems such as cloud providers, package registries, and deployment targets. An attacker with this permission could overwrite existing secrets to inject malicious credentials or create new secrets to facilitate lateral movement.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionssettings.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionssettings.mdx
new file mode 100644
index 0000000..511dfd8
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionssettings.mdx
@@ -0,0 +1,14 @@
+---
+title: 'GH_WriteOrganizationActionsSettings'
+description: '[Organization] Org role can write Actions settings'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+## General Information
+
+The non-traversable [GH_WriteOrganizationActionsSettings](/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionssettings) edge represents that a role can modify organization-level GitHub Actions settings. This edge is dynamically generated from custom organization role permissions discovered by the collector. These settings control which actions are allowed to run within the organization and the default permissions granted to the `GITHUB_TOKEN` in workflows. An attacker with this permission could weaken restrictions to allow untrusted third-party actions or elevate default token permissions to enable write access across repositories.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionsvariables.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionsvariables.mdx
new file mode 100644
index 0000000..9936815
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionsvariables.mdx
@@ -0,0 +1,14 @@
+---
+title: 'GH_WriteOrganizationActionsVariables'
+description: '[Organization] Org role can write Actions variables'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+## General Information
+
+The non-traversable [GH_WriteOrganizationActionsVariables](/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionsvariables) edge represents that a role can write organization-level GitHub Actions variables. This edge is dynamically generated from custom organization role permissions discovered by the collector. Organization-level variables are available to workflows across multiple repositories and often contain configuration values such as environment URLs, feature flags, and service endpoints. An attacker with this permission could overwrite existing variables to redirect workflows to malicious endpoints or alter application behavior.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationcustomorgrole.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationcustomorgrole.mdx
new file mode 100644
index 0000000..8e5156b
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationcustomorgrole.mdx
@@ -0,0 +1,14 @@
+---
+title: 'GH_WriteOrganizationCustomOrgRole'
+description: '[Organization] Org role can write custom org role definitions'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ✅
+
+## General Information
+
+The traversable [GH_WriteOrganizationCustomOrgRole](/opengraph/extensions/githound/reference/edges/gh_writeorganizationcustomorgrole) edge represents that a role can create or modify custom organization role definitions. This edge is dynamically generated from custom organization role permissions discovered by the collector. Modifying organization role definitions can escalate privileges because an attacker could add permissions to an existing custom role that is already assigned to their account, including setting the base_role to inherit all_repo_admin. Since this permission can only belong to custom organization roles, the user necessarily holds the role they can modify — guaranteeing a self-escalation path. This makes it a Tier Zero privilege escalation vector.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationcustomreporole.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationcustomreporole.mdx
new file mode 100644
index 0000000..45bc626
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationcustomreporole.mdx
@@ -0,0 +1,14 @@
+---
+title: 'GH_WriteOrganizationCustomRepoRole'
+description: '[Organization] Org role can write custom repo role definitions'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+## General Information
+
+The non-traversable [GH_WriteOrganizationCustomRepoRole](/opengraph/extensions/githound/reference/edges/gh_writeorganizationcustomreporole) edge represents that a role can create or modify custom repository role definitions. This edge is dynamically generated from custom organization role permissions discovered by the collector. Modifying repository role definitions can escalate privileges because an attacker could add permissions such as admin access, bypass branch protections, or secret management to a custom repo role that is already assigned to their account. This makes it a high-impact permission for gaining elevated access to repositories across the organization.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationnetworkconfigurations.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationnetworkconfigurations.mdx
new file mode 100644
index 0000000..2cac9e4
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationnetworkconfigurations.mdx
@@ -0,0 +1,14 @@
+---
+title: 'GH_WriteOrganizationNetworkConfigurations'
+description: '[Organization] Org role can write network configurations'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+## General Information
+
+The non-traversable [GH_WriteOrganizationNetworkConfigurations](/opengraph/extensions/githound/reference/edges/gh_writeorganizationnetworkconfigurations) edge represents that a role can modify organization network configurations. This edge is dynamically generated from custom organization role permissions discovered by the collector. Network configurations control how GitHub-hosted runners connect to private resources such as internal APIs, databases, and cloud services. An attacker with this permission could modify network settings to route runner traffic through attacker-controlled infrastructure or grant runners access to previously isolated network segments.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writerepocontents.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writerepocontents.mdx
new file mode 100644
index 0000000..45e63a9
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writerepocontents.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_WriteRepoContents'
+description: '[Repository] Repo role can write repository contents'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_WriteRepoContents | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_WriteRepoContents --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_WriteRepoContents](/opengraph/extensions/githound/reference/edges/gh_writerepocontents) edge represents a role's ability to push commits to the repository. This permission is available to Write, Maintain, and Admin roles. Pushing code can modify application behavior and introduce vulnerabilities, making this a security-significant edge. However, this edge represents only the raw permission; actual branch push capability is determined by the computed [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) edge, which factors in branch protection rules and push restrictions.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writerepopullrequests.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writerepopullrequests.mdx
new file mode 100644
index 0000000..039d68f
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writerepopullrequests.mdx
@@ -0,0 +1,25 @@
+---
+title: 'GH_WriteRepoPullRequests'
+description: '[Repository] Repo role can create and merge pull requests'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: ❌
+
+| Start | Kind | End |
+|-------|-----------|-------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_WriteRepoPullRequests | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+
+```mermaid
+flowchart LR
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoRole -- GH_WriteRepoPullRequests --> GH_Repository
+```
+
+## General Information
+
+The non-traversable [GH_WriteRepoPullRequests](/opengraph/extensions/githound/reference/edges/gh_writerepopullrequests) edge represents a role's ability to create and merge pull requests in the repository. This permission is available to Write, Maintain, and Admin roles. Pull request merge access is security-significant because merging code into protected branches is a common vector for introducing unauthorized changes; however, actual merge capability on protected branches is further governed by branch protection rules and required reviews.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_app.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_app.mdx
new file mode 100644
index 0000000..3992f63
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_app.mdx
@@ -0,0 +1,42 @@
+---
+title: 'GH_App'
+description: 'A GitHub App definition representing the registered application. The app owner controls the private key used to generate installation tokens.'
+icon: '/images/extensions/githound/reference/gh_app.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents a GitHub App definition — the registered application entity. The app owner holds the private key that can generate installation access tokens for **every** [GH_AppInstallation](/opengraph/extensions/githound/reference/nodes/gh_appinstallation) of this app. If the private key is compromised, all installations across all organizations are affected.
+
+App definitions are retrieved via the public `GET /apps/{app_slug}` endpoint (no authentication required) after discovering unique app slugs from the organization's app installations.
+
+
+## Edges
+
+```mermaid
+flowchart LR
+
+ GH_App["fa:fa-cube"]:::bhNode
+ GH_AppInstallation["fa:fa-plug"]:::bhNode
+ GH_App -- GH_InstalledAs --> GH_AppInstallation
+```
+
+### Inbound Edges
+
+No incoming edges.
+
+### Outbound Edges
+
+| Start | End | Kind | Description |
+|-------|-----|------|-------------|
+| [GH_App](/opengraph/extensions/githound/reference/nodes/gh_app) | [GH_AppInstallation](/opengraph/extensions/githound/reference/nodes/gh_appinstallation) | [GH_InstalledAs](/opengraph/extensions/githound/reference/edges/gh_installedas) | App is installed as this installation |
+
+## Properties
+
+::: openfetch_github.models.app_installation.GHAppProperties
+ options:
+ show_docstring_attributes: true
+ inherited_members: true
+ members_order: source
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_appinstallation.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_appinstallation.mdx
new file mode 100644
index 0000000..75b2dd4
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_appinstallation.mdx
@@ -0,0 +1,49 @@
+---
+title: 'GH_AppInstallation'
+description: 'A GitHub App installed on the organization with specific permissions and repository access'
+icon: '/images/extensions/githound/reference/gh_appinstallation.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents a GitHub App installed on an organization. App installations have specific permissions and can be scoped to all repositories or a selection of repositories. The permissions granted to the app are captured as a JSON string in the properties.
+
+Each installation is linked to its parent [GH_App](/opengraph/extensions/githound/reference/nodes/gh_app) via a [GH_InstalledAs](/opengraph/extensions/githound/reference/edges/gh_installedas) edge. For installations with `repository_selection` set to `all`, [GH_CanAccess](/opengraph/extensions/githound/reference/edges/gh_canaccess) edges are created to every repository in the organization. For installations with `repository_selection` set to `selected`, repository-level edges cannot be enumerated with a PAT (requires app installation token authentication).
+
+
+## Edges
+
+```mermaid
+flowchart LR
+
+ GH_AppInstallation["fa:fa-plug"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_Organization["fa:fa-building"]:::bhNode
+ GH_App["fa:fa-cube"]:::bhNode
+ GH_AppInstallation -- GH_CanAccess --> GH_Repository
+ GH_Organization -- GH_Contains --> GH_AppInstallation
+ GH_App -- GH_InstalledAs --> GH_AppInstallation
+```
+
+### Inbound Edges
+
+| Start | End | Kind | Description |
+|-------|-----|------|-------------|
+| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_AppInstallation](/opengraph/extensions/githound/reference/nodes/gh_appinstallation) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains app installation |
+| [GH_App](/opengraph/extensions/githound/reference/nodes/gh_app) | [GH_AppInstallation](/opengraph/extensions/githound/reference/nodes/gh_appinstallation) | [GH_InstalledAs](/opengraph/extensions/githound/reference/edges/gh_installedas) | App is installed as this installation |
+
+### Outbound Edges
+
+| Start | End | Kind | Description |
+|-------|-----|------|-------------|
+| [GH_AppInstallation](/opengraph/extensions/githound/reference/nodes/gh_appinstallation) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CanAccess](/opengraph/extensions/githound/reference/edges/gh_canaccess) | App installation can access repository |
+
+## Properties
+
+::: openfetch_github.models.app_installation.GHAppInstallationProperties
+ options:
+ show_docstring_attributes: true
+ inherited_members: true
+ members_order: source
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_branch.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_branch.mdx
new file mode 100644
index 0000000..8f4bcf8
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_branch.mdx
@@ -0,0 +1,58 @@
+---
+title: 'GH_Branch'
+description: 'A named reference in a repository representing a line of development'
+icon: '/images/extensions/githound/reference/gh_branch.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents a Git branch within a repository. Branch nodes capture basic branch information and whether the branch is protected. Protection rule details are stored in separate [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) nodes, linked via [GH_ProtectedBy](/opengraph/extensions/githound/reference/edges/gh_protectedby) edges.
+
+
+## Edges
+
+```mermaid
+flowchart LR
+
+ GH_Branch["fa:fa-code-branch"]:::bhNode
+ GH_Environment["fa:fa-leaf"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_BranchProtectionRule["fa:fa-shield"]:::bhNode
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_User["fa:fa-user"]:::bhNode
+ GH_Team["fa:fa-user-group"]:::bhNode
+ GH_Branch -- GH_HasEnvironment --> GH_Environment
+ GH_Repository -- GH_HasBranch --> GH_Branch
+ GH_BranchProtectionRule -- GH_ProtectedBy --> GH_Branch
+ GH_RepoRole -- GH_CanWriteBranch --> GH_Branch
+ GH_RepoRole -- GH_CanEditProtection --> GH_Branch
+ GH_User -- GH_CanWriteBranch --> GH_Branch
+ GH_Team -- GH_CanWriteBranch --> GH_Branch
+```
+
+### Inbound Edges
+
+| Start | End | Kind | Description |
+|-------|-----|------|-------------|
+| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_HasBranch](/opengraph/extensions/githound/reference/edges/gh_hasbranch) | Repository has branch |
+| [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_ProtectedBy](/opengraph/extensions/githound/reference/edges/gh_protectedby) | Branch is protected by rule |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) | Role can push commits to this branch |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_CanEditProtection](/opengraph/extensions/githound/reference/edges/gh_caneditprotection) | Role can modify or remove the branch protection rule governing this branch |
+| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) | User can push commits to this branch via actor-level bypass allowances |
+| [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) | Team can push commits to this branch via actor-level bypass allowances |
+
+### Outbound Edges
+
+| Start | End | Kind | Description |
+|-------|-----|------|-------------|
+| [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) | [GH_HasEnvironment](/opengraph/extensions/githound/reference/edges/gh_hasenvironment) | Branch pattern can deploy to environment |
+
+## Properties
+
+::: openfetch_github.models.branch.GHBranchProperties
+ options:
+ show_docstring_attributes: true
+ inherited_members: true
+ members_order: source
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule.mdx
new file mode 100644
index 0000000..f6f3bcc
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule.mdx
@@ -0,0 +1,80 @@ +--- +title: 'GH_BranchProtectionRule' +description: 'A branch protection rule that applies to one or more branches via pattern matching' +icon: '/images/extensions/githound/reference/gh_branchprotectionrule.png' +--- + +Applies to BloodHound Enterprise and CE + +## Description + +Represents a branch protection rule configured on a GitHub repository. Protection rules define requirements that must be met before changes can be merged to matching branches, such as required reviews, status checks, and restrictions on who can push. + +A single protection rule can apply to multiple branches via pattern matching (e.g., `main`, `release/*`). + +## Security Considerations + +Branch protection rules are critical security controls. Key settings to review: + +- **enforce_admins**: Enforces merge-gate controls (PR reviews, lock branch) for admins and users with `bypass_branch_protection`. Does **not** enforce push-gate controls (`push_restrictions`) for admins or users with `push_protected_branch`. +- **required_pull_request_reviews**: Blocks direct pushes to existing protected branches. Bypassed by [GH_BypassBranchProtection](/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection) and [GH_BypassPullRequestAllowances](/opengraph/extensions/githound/reference/edges/gh_bypasspullrequestallowances) (both suppressed by `enforce_admins`). +- **push_restrictions**: Restricts who can push. Bypassed by [GH_PushProtectedBranch](/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch), [GH_AdminTo](/opengraph/extensions/githound/reference/edges/gh_adminto), and [GH_RestrictionsCanPush](/opengraph/extensions/githound/reference/edges/gh_restrictionscanpush) (none suppressed by `enforce_admins`). +- **blocks_creations**: Restricts new branch creation when `push_restrictions` is also `true`. Same bypass vectors as `push_restrictions`. Silently reverts to `false` if `push_restrictions` is disabled. +- **lock_branch**: Makes branch read-only. 
Bypassed by [GH_BypassBranchProtection](/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection) (suppressed by `enforce_admins`). +- **require_code_owner_reviews**: If `false`, changes to critical paths may not require owner approval. +- **allows_force_pushes**: Controls whether history rewrites are allowed. Does **not** grant push access — it is not a bypass mechanism. +- **allows_deletions**: If `true`, branches can be deleted (potentially losing code). + +### Secret Exfiltration Mitigation + +The only branch protection configuration that blocks the write-access → workflow → secrets exfiltration attack path is `push_restrictions` + `blocks_creations` on a `*` pattern rule. However, users with [GH_PushProtectedBranch](/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch), [GH_AdminTo](/opengraph/extensions/githound/reference/edges/gh_adminto), [GH_RestrictionsCanPush](/opengraph/extensions/githound/reference/edges/gh_restrictionscanpush), or [GH_EditRepoProtections](/opengraph/extensions/githound/reference/edges/gh_editrepoprotections) can bypass this control. + +For complete analysis, see [BloodHound Docs: GitHound - Mitigating Controls](/opengraph/extensions/githound/reference/mitigating-controls). 
+ +### Identifying Bypass Actors + +Use these edges to identify users and teams with elevated branch permissions: + +- [GH_BypassPullRequestAllowances](/opengraph/extensions/githound/reference/edges/gh_bypasspullrequestallowances) — can bypass PR requirements on a specific rule (PR reviews only) +- [GH_RestrictionsCanPush](/opengraph/extensions/githound/reference/edges/gh_restrictionscanpush) — can push despite push restrictions on a specific rule +- [GH_BypassBranchProtection](/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection) — repo-wide bypass of merge-gate controls (PR reviews + lock branch) +- [GH_PushProtectedBranch](/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch) — repo-wide bypass of push-gate controls (push restrictions + blocks creations) +- [GH_EditRepoProtections](/opengraph/extensions/githound/reference/edges/gh_editrepoprotections) — can remove/modify protection rules entirely + + +## Edges + +```mermaid +flowchart LR + + GH_BranchProtectionRule["fa:fa-shield"]:::bhNode + GH_Branch["fa:fa-code-branch"]:::bhNode + GH_Repository["fa:fa-box-archive"]:::bhNode + GH_User["fa:fa-user"]:::bhNode + GH_BranchProtectionRule -- GH_ProtectedBy --> GH_Branch + GH_Repository -- GH_Contains --> GH_BranchProtectionRule + GH_User -- GH_RestrictionsCanPush --> GH_BranchProtectionRule + GH_User -- GH_BypassPullRequestAllowances --> GH_BranchProtectionRule +``` + +### Inbound Edges + +| Start | End | Kind | Description | +|-------|-----|------|-------------| +| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Repository contains branch protection rule | +| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) | 
[GH_RestrictionsCanPush](/opengraph/extensions/githound/reference/edges/gh_restrictionscanpush) | Actor can push despite push restrictions | +| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) | [GH_BypassPullRequestAllowances](/opengraph/extensions/githound/reference/edges/gh_bypasspullrequestallowances) | Actor can bypass PR review requirements | + +### Outbound Edges + +| Start | End | Kind | Description | +|-------|-----|------|-------------| +| [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_ProtectedBy](/opengraph/extensions/githound/reference/edges/gh_protectedby) | Branch is protected by rule | + +## Properties + +::: openfetch_github.models.branch_protection_rule.GHBranchProtectionRuleProperties + options: + show_docstring_attributes: true + inherited_members: true + members_order: source diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environment.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environment.mdx new file mode 100644 index 0000000..dfcb6e7 --- /dev/null +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environment.mdx 
@@ -0,0 +1,50 @@ +--- +title: 'GH_Environment' +description: 'A GitHub Actions deployment environment with protection rules and deployment branch policies' +icon: '/images/extensions/githound/reference/gh_environment.png' +--- + +Applies to BloodHound Enterprise and CE + +## Description + +Represents a GitHub Actions deployment environment configured on a repository. Environments can have protection rules including required reviewers, wait timers, and deployment branch policies. When custom branch policies are configured, the environment is connected to specific branches; otherwise, it is connected directly to the repository. + + +## Edges + +```mermaid +flowchart LR + + GH_Environment["fa:fa-leaf"]:::bhNode + GH_EnvironmentVariable["fa:fa-lock-open"]:::bhNode + GH_EnvironmentSecret["fa:fa-lock"]:::bhNode + GH_Branch["fa:fa-code-branch"]:::bhNode + GH_Repository["fa:fa-box-archive"]:::bhNode + GH_Environment -- GH_Contains --> GH_EnvironmentVariable + GH_Environment -- GH_Contains --> GH_EnvironmentSecret + GH_Branch -- GH_HasEnvironment --> GH_Environment + GH_Repository -- GH_HasEnvironment --> GH_Environment +``` + +### Inbound Edges + +| Start | End | Kind | Description | +|-------|-----|------|-------------| +| [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) | [GH_HasEnvironment](/opengraph/extensions/githound/reference/edges/gh_hasenvironment) | Branch pattern can deploy to environment | +| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) | [GH_HasEnvironment](/opengraph/extensions/githound/reference/edges/gh_hasenvironment) | Repository deploys to environment (no custom branch policy) | + +### Outbound Edges + +| Start | End | Kind | Description | +|-------|-----|------|-------------| +| 
[GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) | [GH_EnvironmentVariable](/opengraph/extensions/githound/reference/nodes/gh_environmentvariable) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Environment contains variable | +| [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) | [GH_EnvironmentSecret](/opengraph/extensions/githound/reference/nodes/gh_environmentsecret) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Environment contains secret | + +## Properties + +::: openfetch_github.models.environment.GHEnvironmentProperties + options: + show_docstring_attributes: true + inherited_members: true + members_order: source diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environmentsecret.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environmentsecret.mdx new file mode 100644 index 0000000..9fa2f8d --- /dev/null +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environmentsecret.mdx 
@@ -0,0 +1,40 @@ +--- +title: 'GH_EnvironmentSecret' +description: 'An environment-level GitHub Actions secret scoped to a specific deployment environment' +icon: '/images/extensions/githound/reference/gh_environmentsecret.png' +--- + +Applies to BloodHound Enterprise and CE + +## Description + +Represents an environment-level GitHub Actions secret. These secrets are scoped to a specific deployment environment and are only available to workflow jobs that reference that environment. + + +## Edges + +```mermaid +flowchart LR + + GH_EnvironmentSecret["fa:fa-lock"]:::bhNode + GH_Environment["fa:fa-leaf"]:::bhNode + GH_Environment -- GH_Contains --> GH_EnvironmentSecret +``` + +### Inbound Edges + +| Start | End | Kind | Description | +|-------|-----|------|-------------| +| [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) | [GH_EnvironmentSecret](/opengraph/extensions/githound/reference/nodes/gh_environmentsecret) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Environment contains secret | + +### Outbound Edges + +No outgoing edges. + +## Properties + +::: openfetch_github.models.env_secret.GHEnvironmentSecretProperties + options: + show_docstring_attributes: true + inherited_members: true + members_order: source diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environmentvariable.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environmentvariable.mdx new file mode 100644 index 0000000..6ecf700 --- /dev/null +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environmentvariable.mdx 
@@ -0,0 +1,40 @@ +--- +title: 'GH_EnvironmentVariable' +description: 'An environment-level GitHub Actions variable scoped to a specific deployment environment. Unlike secrets, variable values are readable.' +icon: '/images/extensions/githound/reference/gh_environmentvariable.png' +--- + +Applies to BloodHound Enterprise and CE + +## Description + +Represents an environment-level GitHub Actions variable. These variables are scoped to a specific deployment environment and are only available to workflow jobs that reference that environment. Unlike secrets, variable values are readable via the API. + + +## Edges + +```mermaid +flowchart LR + + GH_EnvironmentVariable["fa:fa-lock-open"]:::bhNode + GH_Environment["fa:fa-leaf"]:::bhNode + GH_Environment -- GH_Contains --> GH_EnvironmentVariable +``` + +### Inbound Edges + +| Start | End | Kind | Description | +|-------|-----|------|-------------| +| [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) | [GH_EnvironmentVariable](/opengraph/extensions/githound/reference/nodes/gh_environmentvariable) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Environment contains variable | + +### Outbound Edges + +No outgoing edges. + +## Properties + +::: openfetch_github.models.env_variable.GHEnvVariableProperties + options: + show_docstring_attributes: true + inherited_members: true + members_order: source diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_externalidentity.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_externalidentity.mdx new file mode 100644 index 0000000..244a617 --- /dev/null +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_externalidentity.mdx 
@@ -0,0 +1,46 @@ +--- +title: 'GH_ExternalIdentity' +description: 'An external identity from a SAML/SCIM provider linked to a GitHub user for SSO authentication' +icon: '/images/extensions/githound/reference/gh_externalidentity.png' +--- + +Applies to BloodHound Enterprise and CE + +## Description + +Represents an external identity from a SAML or SCIM identity provider that is linked to a GitHub user. External identities map corporate user accounts (from providers like Okta, Azure AD, etc.) to GitHub user accounts, enabling single sign-on authentication. Each external identity can have both SAML and SCIM identity attributes. + + +## Edges + +```mermaid +flowchart LR + + GH_ExternalIdentity["fa:fa-arrows-left-right"]:::bhNode + GH_User["fa:fa-user"]:::bhNode + GH_SamlIdentityProvider["fa:fa-id-badge"]:::bhNode + GH_ExternalIdentity -- GH_MapsToUser --> GH_User + GH_ExternalIdentity -- GH_SyncedTo --> GH_User + GH_SamlIdentityProvider -- GH_HasExternalIdentity --> GH_ExternalIdentity +``` + +### Inbound Edges + +| Start | End | Kind | Description | +|-------|-----|------|-------------| +| [GH_SamlIdentityProvider](/opengraph/extensions/githound/reference/nodes/gh_samlidentityprovider) | [GH_ExternalIdentity](/opengraph/extensions/githound/reference/nodes/gh_externalidentity) | [GH_HasExternalIdentity](/opengraph/extensions/githound/reference/edges/gh_hasexternalidentity) | IdP has external identity | + +### Outbound Edges + +| Start | End | Kind | Description | +|-------|-----|------|-------------| +| [GH_ExternalIdentity](/opengraph/extensions/githound/reference/nodes/gh_externalidentity) | [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_MapsToUser](/opengraph/extensions/githound/reference/edges/gh_mapstouser) | External identity maps to a user | +| [GH_ExternalIdentity](/opengraph/extensions/githound/reference/nodes/gh_externalidentity) | [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | 
[GH_SyncedTo](/opengraph/extensions/githound/reference/edges/gh_syncedto) | Foreign IdP user is synced to a GitHub user | + +## Properties + +::: openfetch_github.models.external_identity.GHExternalIdentityProperties + options: + show_docstring_attributes: true + inherited_members: true + members_order: source diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_organization.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_organization.mdx new file mode 100644 index 0000000..7b883a3 --- /dev/null +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_organization.mdx 
@@ -0,0 +1,81 @@ +--- +title: 'GH_Organization' +description: 'A GitHub Organization—top-level container for repositories, teams, and settings' +icon: '/images/extensions/githound/reference/gh_organization.png' +--- + +Applies to BloodHound Enterprise and CE + +## Description + +Represents a GitHub organization. This is the root node of the graph and serves as the primary container for all other nodes. Organization-level settings such as default repository permissions, Actions configuration, and security features are captured as properties on this node. + + +## Edges + +```mermaid +flowchart LR + + GH_Organization["fa:fa-building"]:::bhNode + GH_OrgVariable["fa:fa-lock-open"]:::bhNode + GH_SecretScanningAlert["fa:fa-key"]:::bhNode + GH_PersonalAccessToken["fa:fa-key"]:::bhNode + GH_OrgRole["fa:fa-user-tie"]:::bhNode + GH_AppInstallation["fa:fa-plug"]:::bhNode + GH_OrgSecret["fa:fa-lock"]:::bhNode + GH_SamlIdentityProvider["fa:fa-id-badge"]:::bhNode + GH_PersonalAccessTokenRequest["fa:fa-key"]:::bhNode + GH_Repository["fa:fa-box-archive"]:::bhNode + GH_Organization -- GH_Contains --> GH_OrgVariable + GH_Organization -- GH_Contains --> GH_SecretScanningAlert + GH_Organization -- GH_Contains --> GH_PersonalAccessToken + GH_Organization -- GH_Contains --> GH_OrgRole + GH_Organization -- GH_Contains --> GH_AppInstallation + GH_Organization -- GH_Contains --> GH_OrgSecret + GH_Organization -- GH_HasSamlIdentityProvider --> GH_SamlIdentityProvider + GH_Organization -- GH_Contains --> GH_PersonalAccessTokenRequest + GH_Organization -- GH_Owns --> GH_Repository + GH_PersonalAccessToken -- GH_CanAccess --> GH_Organization + GH_OrgRole -- GH_CreateRepository --> GH_Organization + GH_OrgRole -- GH_InviteMember --> GH_Organization + GH_OrgRole -- GH_AddCollaborator --> GH_Organization + GH_OrgRole -- GH_CreateTeam --> GH_Organization + GH_OrgRole -- GH_TransferRepository --> GH_Organization + GH_OrgRole -- GH_ViewSecretScanningAlerts --> GH_Organization + GH_OrgRole -- 
GH_ResolveSecretScanningAlerts --> GH_Organization +``` + +### Inbound Edges + +| Start | End | Kind | Description | +|-------|-----|------|-------------| +| [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_CanAccess](/opengraph/extensions/githound/reference/edges/gh_canaccess) | PAT can access org | +| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_CreateRepository](/opengraph/extensions/githound/reference/edges/gh_createrepository) | Role can create repositories in the organization | +| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_InviteMember](/opengraph/extensions/githound/reference/edges/gh_invitemember) | Role can invite members to the organization | +| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_AddCollaborator](/opengraph/extensions/githound/reference/edges/gh_addcollaborator) | Role can add outside collaborators to repositories | +| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_CreateTeam](/opengraph/extensions/githound/reference/edges/gh_createteam) | Role can create teams in the organization | +| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_TransferRepository](/opengraph/extensions/githound/reference/edges/gh_transferrepository) | Role can transfer repositories out of the organization | +| 
[GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_ViewSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts) | Role can view secret scanning alerts for the organization | +| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_ResolveSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_resolvesecretscanningalerts) | Role can resolve secret scanning alerts for the organization | + +### Outbound Edges + +| Start | End | Kind | Description | +|-------|-----|------|-------------| +| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_OrgVariable](/opengraph/extensions/githound/reference/nodes/gh_orgvariable) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains variable | +| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_SecretScanningAlert](/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains secret scanning alert | +| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains PAT | +| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains role | +| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | 
[GH_AppInstallation](/opengraph/extensions/githound/reference/nodes/gh_appinstallation) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains app installation | +| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_OrgSecret](/opengraph/extensions/githound/reference/nodes/gh_orgsecret) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains secret | +| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_SamlIdentityProvider](/opengraph/extensions/githound/reference/nodes/gh_samlidentityprovider) | [GH_HasSamlIdentityProvider](/opengraph/extensions/githound/reference/edges/gh_hassamlidentityprovider) | Org uses this SAML IdP | +| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_PersonalAccessTokenRequest](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstokenrequest) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains PAT request | +| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_Owns](/opengraph/extensions/githound/reference/edges/gh_owns) | Org owns repository | + +## Properties + +::: openfetch_github.models.org.GHOrganizationProperties + options: + show_docstring_attributes: true + inherited_members: true + members_order: source diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgrole.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgrole.mdx new file mode 100644 index 0000000..301f2f5 --- /dev/null +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgrole.mdx 
@@ -0,0 +1,67 @@ +--- +title: 'GH_OrgRole' +description: 'The role a user has at the organization level (e.g., admin, member)' +icon: '/images/extensions/githound/reference/gh_orgrole.png' +--- + +Applies to BloodHound Enterprise and CE + +## Description + +Represents an organization-level role such as Owner, Member, or a custom organization role. Org roles define what permissions a user or team has at the organization level. The Owner and Member roles are default (built-in), while custom roles inherit from a base role and can have additional permissions. + + +## Edges + +```mermaid +flowchart LR + + GH_OrgRole["fa:fa-user-tie"]:::bhNode + GH_Organization["fa:fa-building"]:::bhNode + GH_User["fa:fa-user"]:::bhNode + GH_Team["fa:fa-user-group"]:::bhNode + GH_OrgRole -- GH_HasBaseRole --> GH_OrgRole + GH_OrgRole -- GH_CreateRepository --> GH_Organization + GH_OrgRole -- GH_InviteMember --> GH_Organization + GH_OrgRole -- GH_AddCollaborator --> GH_Organization + GH_OrgRole -- GH_CreateTeam --> GH_Organization + GH_OrgRole -- GH_TransferRepository --> GH_Organization + GH_OrgRole -- GH_ViewSecretScanningAlerts --> GH_Organization + GH_OrgRole -- GH_ResolveSecretScanningAlerts --> GH_Organization + GH_User -- GH_HasRole --> GH_OrgRole + GH_Organization -- GH_Contains --> GH_OrgRole + GH_OrgRole -- GH_HasBaseRole --> GH_OrgRole + GH_User -- GH_HasRole --> GH_OrgRole + GH_Team -- GH_HasRole --> GH_OrgRole +``` + +### Inbound Edges + +| Start | End | Kind | Description | +|-------|-----|------|-------------| +| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has default org role (owners or members) | +| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | 
[GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains role | +| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_HasBaseRole](/opengraph/extensions/githound/reference/edges/gh_hasbaserole) | Role inherits base role | +| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has org role | +| [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | Team has org role | + +### Outbound Edges + +| Start | End | Kind | Description | +|-------|-----|------|-------------| +| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_HasBaseRole](/opengraph/extensions/githound/reference/edges/gh_hasbaserole) | Role inherits base role | +| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_CreateRepository](/opengraph/extensions/githound/reference/edges/gh_createrepository) | Role can create repositories in the organization | +| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_InviteMember](/opengraph/extensions/githound/reference/edges/gh_invitemember) | Role can invite members to the organization | +| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | 
[GH_AddCollaborator](/opengraph/extensions/githound/reference/edges/gh_addcollaborator) | Role can add outside collaborators to repositories | +| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_CreateTeam](/opengraph/extensions/githound/reference/edges/gh_createteam) | Role can create teams in the organization | +| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_TransferRepository](/opengraph/extensions/githound/reference/edges/gh_transferrepository) | Role can transfer repositories out of the organization | +| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_ViewSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts) | Role can view secret scanning alerts for the organization | +| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_ResolveSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_resolvesecretscanningalerts) | Role can resolve secret scanning alerts for the organization | + +## Properties + +::: openfetch_github.models.org_role.GHOrgRoleProperties + options: + show_docstring_attributes: true + inherited_members: true + members_order: source diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgsecret.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgsecret.mdx new file mode 100644 index 0000000..be45b84 --- /dev/null +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgsecret.mdx 
@@ -0,0 +1,43 @@ +--- +title: 'GH_OrgSecret' +description: 'An organization-level GitHub Actions secret that can be scoped to all, private, or selected repositories' +icon: '/images/extensions/githound/reference/gh_orgsecret.png' +--- + +Applies to BloodHound Enterprise and CE + +## Description + +Represents an organization-level GitHub Actions secret. Organization secrets can be scoped to all repositories, only private/internal repositories, or a specific set of selected repositories. The visibility property determines how [GH_HasSecret](/opengraph/extensions/githound/reference/edges/gh_hassecret) edges are resolved to repository nodes. + + +## Edges + +```mermaid +flowchart LR + + GH_OrgSecret["fa:fa-lock"]:::bhNode + GH_Organization["fa:fa-building"]:::bhNode + GH_Repository["fa:fa-box-archive"]:::bhNode + GH_Organization -- GH_Contains --> GH_OrgSecret + GH_Repository -- GH_HasSecret --> GH_OrgSecret +``` + +### Inbound Edges + +| Start | End | Kind | Description | +|-------|-----|------|-------------| +| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_OrgSecret](/opengraph/extensions/githound/reference/nodes/gh_orgsecret) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains secret | +| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_OrgSecret](/opengraph/extensions/githound/reference/nodes/gh_orgsecret) | [GH_HasSecret](/opengraph/extensions/githound/reference/edges/gh_hassecret) | Repository can access org secret | + +### Outbound Edges + +No outgoing edges. + +## Properties + +::: openfetch_github.models.org_secret.GHOrgSecretProperties + options: + show_docstring_attributes: true + inherited_members: true + members_order: source 
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgvariable.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgvariable.mdx new file mode 100644 index 0000000..56e7d10 --- /dev/null +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgvariable.mdx 
@@ -0,0 +1,43 @@ +--- +title: 'GH_OrgVariable' +description: 'An organization-level GitHub Actions variable that can be scoped to all, private, or selected repositories. Unlike secrets, variable values are readable.' +icon: '/images/extensions/githound/reference/gh_orgvariable.png' +--- + +Applies to BloodHound Enterprise and CE + +## Description + +Represents an organization-level GitHub Actions variable. Organization variables can be scoped to all repositories, only private/internal repositories, or a specific set of selected repositories. The visibility property determines how [GH_HasVariable](/opengraph/extensions/githound/reference/edges/gh_hasvariable) edges are resolved to repository nodes. Unlike secrets, variable values are readable via the API. + + +## Edges + +```mermaid +flowchart LR + + GH_OrgVariable["fa:fa-lock-open"]:::bhNode + GH_Organization["fa:fa-building"]:::bhNode + GH_Repository["fa:fa-box-archive"]:::bhNode + GH_Organization -- GH_Contains --> GH_OrgVariable + GH_Repository -- GH_HasVariable --> GH_OrgVariable +``` + +### Inbound Edges + +| Start | End | Kind | Description | +|-------|-----|------|-------------| +| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_OrgVariable](/opengraph/extensions/githound/reference/nodes/gh_orgvariable) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains variable | +| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_OrgVariable](/opengraph/extensions/githound/reference/nodes/gh_orgvariable) | [GH_HasVariable](/opengraph/extensions/githound/reference/edges/gh_hasvariable) | Repository can access org variable | + +### Outbound Edges + +No outgoing edges. + +## Properties + +::: openfetch_github.models.org_variable.GHOrgVariableProperties + options: + show_docstring_attributes: true + inherited_members: true + members_order: source 
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken.mdx new file mode 100644 index 0000000..05e3daa --- /dev/null +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken.mdx 
@@ -0,0 +1,49 @@ +--- +title: 'GH_PersonalAccessToken' +description: 'A fine-grained personal access token granted access to organization resources' +icon: '/images/extensions/githound/reference/gh_personalaccesstoken.png' +--- + +Applies to BloodHound Enterprise and CE + +## Description + +Represents a fine-grained personal access token that has been granted access to organization resources. PATs are linked to their owning user, the organization, and the repositories they can access. The permissions granted to the token are captured as a JSON string in the properties. + + +## Edges + +```mermaid +flowchart LR + + GH_PersonalAccessToken["fa:fa-key"]:::bhNode + GH_Organization["fa:fa-building"]:::bhNode + GH_Repository["fa:fa-box-archive"]:::bhNode + GH_User["fa:fa-user"]:::bhNode + GH_PersonalAccessToken -- GH_CanAccess --> GH_Organization + GH_PersonalAccessToken -- GH_CanAccess --> GH_Repository + GH_User -- GH_HasPersonalAccessToken --> GH_PersonalAccessToken + GH_Organization -- GH_Contains --> GH_PersonalAccessToken +``` + +### Inbound Edges + +| Start | End | Kind | Description | +|-------|-----|------|-------------| +| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) | [GH_HasPersonalAccessToken](/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstoken) | User owns PAT | +| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains PAT | + +### Outbound Edges + +| Start | End | Kind | Description | +|-------|-----|------|-------------| +| [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | 
[GH_CanAccess](/opengraph/extensions/githound/reference/edges/gh_canaccess) | PAT can access org | +| [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CanAccess](/opengraph/extensions/githound/reference/edges/gh_canaccess) | PAT can access repository | + +## Properties + +::: openfetch_github.models.personal_access_token.GHPersonalAccessTokenProperties + options: + show_docstring_attributes: true + inherited_members: true + members_order: source diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_personalaccesstokenrequest.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_personalaccesstokenrequest.mdx new file mode 100644 index 0000000..f56ea1a --- /dev/null +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_personalaccesstokenrequest.mdx 
@@ -0,0 +1,43 @@ +--- +title: 'GH_PersonalAccessTokenRequest' +description: 'A pending request from an organization member to access organization resources with a fine-grained personal access token' +icon: '/images/extensions/githound/reference/gh_personalaccesstokenrequest.png' +--- + +Applies to BloodHound Enterprise and CE + +## Description + +Represents a pending request from an organization member to access organization resources with a fine-grained personal access token. PAT requests are linked to their owning user and the organization. The requested permissions are captured as a JSON string in the properties. + + +## Edges + +```mermaid +flowchart LR + + GH_PersonalAccessTokenRequest["fa:fa-key"]:::bhNode + GH_User["fa:fa-user"]:::bhNode + GH_Organization["fa:fa-building"]:::bhNode + GH_User -- GH_HasPersonalAccessTokenRequest --> GH_PersonalAccessTokenRequest + GH_Organization -- GH_Contains --> GH_PersonalAccessTokenRequest +``` + +### Inbound Edges + +| Start | End | Kind | Description | +|-------|-----|------|-------------| +| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_PersonalAccessTokenRequest](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstokenrequest) | [GH_HasPersonalAccessTokenRequest](/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstokenrequest) | User submitted PAT request | +| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_PersonalAccessTokenRequest](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstokenrequest) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains PAT request | + +### Outbound Edges + +No outgoing edges. + +## Properties + +::: openfetch_github.models.personal_access_token_request.GHPersonalAccessTokenRequestProperties + options: + show_docstring_attributes: true + inherited_members: true + members_order: source 
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_reporole.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_reporole.mdx new file mode 100644 index 0000000..70f89f1 --- /dev/null +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_reporole.mdx 
@@ -0,0 +1,172 @@
+---
+title: 'GH_RepoRole'
+description: 'The permission granted to a user or team on a repository (e.g., admin, write, read)'
+icon: '/images/extensions/githound/reference/gh_reporole.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents a repository-level permission role. Each repository has five default roles (Read, Write, Admin, Triage, Maintain) plus any custom repository roles defined at the organization level. Repo roles define what actions a user or team can perform on a specific repository. Default roles form an inheritance hierarchy (Triage -> Read, Maintain -> Write, Admin includes all), and custom roles inherit from one of the base roles.
+
+
+## Edges
+
+```mermaid
+flowchart LR
+
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_Branch["fa:fa-code-branch"]:::bhNode
+ GH_User["fa:fa-user"]:::bhNode
+ GH_Team["fa:fa-user-group"]:::bhNode
+ GH_RepoRole -- GH_ReadRepoContents --> GH_Repository
+ GH_RepoRole -- GH_WriteRepoContents --> GH_Repository
+ GH_RepoRole -- GH_WriteRepoPullRequests --> GH_Repository
+ GH_RepoRole -- GH_AdminTo --> GH_Repository
+ GH_RepoRole -- GH_HasBaseRole --> GH_RepoRole
+ GH_RepoRole -- GH_BypassBranchProtection --> GH_Repository
+ GH_RepoRole -- GH_PushProtectedBranch --> GH_Repository
+ GH_RepoRole -- GH_EditRepoProtections --> GH_Repository
+ GH_RepoRole -- GH_ViewSecretScanningAlerts --> GH_Repository
+ GH_RepoRole -- GH_ResolveSecretScanningAlerts --> GH_Repository
+ GH_RepoRole -- GH_DeleteAlertsCodeScanning --> GH_Repository
+ GH_RepoRole -- GH_RunOrgMigration --> GH_Repository
+ GH_RepoRole -- GH_ManageSecurityProducts --> GH_Repository
+ GH_RepoRole -- GH_ManageRepoSecurityProducts --> GH_Repository
+ GH_RepoRole -- GH_ManageWebhooks --> GH_Repository
+ GH_RepoRole -- GH_ManageDeployKeys --> GH_Repository
+ GH_RepoRole -- GH_CanCreateBranch --> GH_Repository
+ GH_RepoRole -- GH_CanWriteBranch --> GH_Branch
+ GH_RepoRole -- GH_CanEditProtection --> GH_Branch
+ GH_RepoRole -- GH_ReadCodeScanning --> GH_Repository
+ GH_RepoRole -- GH_WriteCodeScanning --> GH_Repository
+ GH_RepoRole -- GH_ViewDependabotAlerts --> GH_Repository
+ GH_RepoRole -- GH_ResolveDependabotAlerts --> GH_Repository
+ GH_RepoRole -- GH_ManageTopics --> GH_Repository
+ GH_RepoRole -- GH_ManageSettingsWiki --> GH_Repository
+ GH_RepoRole -- GH_ManageSettingsProjects --> GH_Repository
+ GH_RepoRole -- GH_ManageSettingsMergeTypes --> GH_Repository
+ GH_RepoRole -- GH_ManageSettingsPages --> GH_Repository
+ GH_RepoRole -- GH_EditRepoMetadata --> GH_Repository
+ GH_RepoRole -- GH_SetInteractionLimits --> GH_Repository
+ GH_RepoRole -- GH_SetSocialPreview --> GH_Repository
+ GH_RepoRole -- GH_EditRepoAnnouncementBanners --> GH_Repository
+ GH_RepoRole -- GH_EditRepoCustomPropertiesValues --> GH_Repository
+ GH_RepoRole -- GH_CreateTag --> GH_Repository
+ GH_RepoRole -- GH_DeleteTag --> GH_Repository
+ GH_RepoRole -- GH_JumpMergeQueue --> GH_Repository
+ GH_RepoRole -- GH_CreateSoloMergeQueueEntry --> GH_Repository
+ GH_RepoRole -- GH_AddLabel --> GH_Repository
+ GH_RepoRole -- GH_RemoveLabel --> GH_Repository
+ GH_RepoRole -- GH_CloseIssue --> GH_Repository
+ GH_RepoRole -- GH_ReopenIssue --> GH_Repository
+ GH_RepoRole -- GH_DeleteIssue --> GH_Repository
+ GH_RepoRole -- GH_ClosePullRequest --> GH_Repository
+ GH_RepoRole -- GH_ReopenPullRequest --> GH_Repository
+ GH_RepoRole -- GH_AddAssignee --> GH_Repository
+ GH_RepoRole -- GH_RemoveAssignee --> GH_Repository
+ GH_RepoRole -- GH_RequestPrReview --> GH_Repository
+ GH_RepoRole -- GH_MarkAsDuplicate --> GH_Repository
+ GH_RepoRole -- GH_SetMilestone --> GH_Repository
+ GH_RepoRole -- GH_SetIssueType --> GH_Repository
+ GH_RepoRole -- GH_DeleteDiscussion --> GH_Repository
+ GH_RepoRole -- GH_ToggleDiscussionAnswer --> GH_Repository
+ GH_RepoRole -- GH_ToggleDiscussionCommentMinimize --> GH_Repository
+ GH_RepoRole -- GH_CreateDiscussionCategory --> GH_Repository
+ GH_RepoRole -- GH_EditDiscussionCategory --> GH_Repository
+ GH_RepoRole -- GH_ConvertIssuesToDiscussions --> GH_Repository
+ GH_RepoRole -- GH_CloseDiscussion --> GH_Repository
+ GH_RepoRole -- GH_ReopenDiscussion --> GH_Repository
+ GH_RepoRole -- GH_EditCategoryOnDiscussion --> GH_Repository
+ GH_RepoRole -- GH_ManageDiscussionBadges --> GH_Repository
+ GH_RepoRole -- GH_EditDiscussionComment --> GH_Repository
+ GH_RepoRole -- GH_DeleteDiscussionComment --> GH_Repository
+ GH_RepoRole -- GH_HasBaseRole --> GH_RepoRole
+ GH_User -- GH_HasRole --> GH_RepoRole
+ GH_Team -- GH_HasRole --> GH_RepoRole
+```
+
+### Inbound Edges
+
+| Start | End | Kind | Description |
+|-------|-----|------|-------------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_HasBaseRole](/opengraph/extensions/githound/reference/edges/gh_hasbaserole) | Role inherits from base role |
+| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has repo role |
+| [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | Team has repo role |
+
+### Outbound Edges
+
+| Start | End | Kind | Description |
+|-------|-----|------|-------------|
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ReadRepoContents](/opengraph/extensions/githound/reference/edges/gh_readrepocontents) | Role can read repo contents |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_WriteRepoContents](/opengraph/extensions/githound/reference/edges/gh_writerepocontents) | Role can write repo contents |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_WriteRepoPullRequests](/opengraph/extensions/githound/reference/edges/gh_writerepopullrequests) | Role can write pull requests |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_AdminTo](/opengraph/extensions/githound/reference/edges/gh_adminto) | Role has admin access to repo |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_HasBaseRole](/opengraph/extensions/githound/reference/edges/gh_hasbaserole) | Role inherits from base role |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_BypassBranchProtection](/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection) | Role can bypass branch protection rules |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_PushProtectedBranch](/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch) | Role can push to protected branches |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditRepoProtections](/opengraph/extensions/githound/reference/edges/gh_editrepoprotections) | Role can edit repository branch protection settings |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ViewSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts) | Role can view secret scanning alerts |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ResolveSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_resolvesecretscanningalerts) | Role can resolve secret scanning alerts |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_DeleteAlertsCodeScanning](/opengraph/extensions/githound/reference/edges/gh_deletealertscodescanning) | Role can delete code scanning alerts |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RunOrgMigration](/opengraph/extensions/githound/reference/edges/gh_runorgmigration) | Role can run organization migrations on the repository |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageSecurityProducts](/opengraph/extensions/githound/reference/edges/gh_managesecurityproducts) | Role can manage security products for the repository |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageRepoSecurityProducts](/opengraph/extensions/githound/reference/edges/gh_managereposecurityproducts) | Role can manage repository-level security products |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageWebhooks](/opengraph/extensions/githound/reference/edges/gh_managewebhooks) | Role can manage repository webhooks |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageDeployKeys](/opengraph/extensions/githound/reference/edges/gh_managedeploykeys) | Role can manage repository deploy keys |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CanCreateBranch](/opengraph/extensions/githound/reference/edges/gh_cancreatebranch) | Role can create new branches in the repository |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) | Role can push commits to this branch |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_CanEditProtection](/opengraph/extensions/githound/reference/edges/gh_caneditprotection) | Role can modify or remove the branch protection rule governing this branch |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ReadCodeScanning](/opengraph/extensions/githound/reference/edges/gh_readcodescanning) | Role can read code scanning results |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_WriteCodeScanning](/opengraph/extensions/githound/reference/edges/gh_writecodescanning) | Role can write code scanning results |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ViewDependabotAlerts](/opengraph/extensions/githound/reference/edges/gh_viewdependabotalerts) | Role can view Dependabot alerts |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ResolveDependabotAlerts](/opengraph/extensions/githound/reference/edges/gh_resolvedependabotalerts) | Role can resolve Dependabot alerts |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageTopics](/opengraph/extensions/githound/reference/edges/gh_managetopics) | Role can manage repository topics |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageSettingsWiki](/opengraph/extensions/githound/reference/edges/gh_managesettingswiki) | Role can manage wiki settings |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageSettingsProjects](/opengraph/extensions/githound/reference/edges/gh_managesettingsprojects) | Role can manage projects settings |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageSettingsMergeTypes](/opengraph/extensions/githound/reference/edges/gh_managesettingsmergetypes) | Role can manage merge type settings |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageSettingsPages](/opengraph/extensions/githound/reference/edges/gh_managesettingspages) | Role can manage GitHub Pages settings |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditRepoMetadata](/opengraph/extensions/githound/reference/edges/gh_editrepometadata) | Role can edit repository metadata (name, description, etc.) |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_SetInteractionLimits](/opengraph/extensions/githound/reference/edges/gh_setinteractionlimits) | Role can set interaction limits on the repository |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_SetSocialPreview](/opengraph/extensions/githound/reference/edges/gh_setsocialpreview) | Role can set the repository social preview image |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditRepoAnnouncementBanners](/opengraph/extensions/githound/reference/edges/gh_editrepoannouncementbanners) | Role can edit repository announcement banners |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditRepoCustomPropertiesValues](/opengraph/extensions/githound/reference/edges/gh_editrepocustompropertiesvalues) | Role can edit custom property values on the repository |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CreateTag](/opengraph/extensions/githound/reference/edges/gh_createtag) | Role can create tags in the repository |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_DeleteTag](/opengraph/extensions/githound/reference/edges/gh_deletetag) | Role can delete tags in the repository |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_JumpMergeQueue](/opengraph/extensions/githound/reference/edges/gh_jumpmergequeue) | Role can jump the merge queue |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CreateSoloMergeQueueEntry](/opengraph/extensions/githound/reference/edges/gh_createsolomergequeueentry) | Role can create a solo merge queue entry |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_AddLabel](/opengraph/extensions/githound/reference/edges/gh_addlabel) | Role can add labels to issues and pull requests |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RemoveLabel](/opengraph/extensions/githound/reference/edges/gh_removelabel) | Role can remove labels from issues and pull requests |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CloseIssue](/opengraph/extensions/githound/reference/edges/gh_closeissue) | Role can close issues |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ReopenIssue](/opengraph/extensions/githound/reference/edges/gh_reopenissue) | Role can reopen issues |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_DeleteIssue](/opengraph/extensions/githound/reference/edges/gh_deleteissue) | Role can delete issues |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ClosePullRequest](/opengraph/extensions/githound/reference/edges/gh_closepullrequest) | Role can close pull requests |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ReopenPullRequest](/opengraph/extensions/githound/reference/edges/gh_reopenpullrequest) | Role can reopen pull requests |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_AddAssignee](/opengraph/extensions/githound/reference/edges/gh_addassignee) | Role can add assignees to issues and pull requests |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RemoveAssignee](/opengraph/extensions/githound/reference/edges/gh_removeassignee) | Role can remove assignees from issues and pull requests |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RequestPrReview](/opengraph/extensions/githound/reference/edges/gh_requestprreview) | Role can request pull request reviews |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_MarkAsDuplicate](/opengraph/extensions/githound/reference/edges/gh_markasduplicate) | Role can mark issues or pull requests as duplicates |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_SetMilestone](/opengraph/extensions/githound/reference/edges/gh_setmilestone) | Role can set milestones on issues and pull requests |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_SetIssueType](/opengraph/extensions/githound/reference/edges/gh_setissuetype) | Role can set issue types |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_DeleteDiscussion](/opengraph/extensions/githound/reference/edges/gh_deletediscussion) | Role can delete discussions |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ToggleDiscussionAnswer](/opengraph/extensions/githound/reference/edges/gh_togglediscussionanswer) | Role can toggle the accepted answer on a discussion |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ToggleDiscussionCommentMinimize](/opengraph/extensions/githound/reference/edges/gh_togglediscussioncommentminimize) | Role can minimize or un-minimize discussion comments |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CreateDiscussionCategory](/opengraph/extensions/githound/reference/edges/gh_creatediscussioncategory) | Role can create discussion categories |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditDiscussionCategory](/opengraph/extensions/githound/reference/edges/gh_editdiscussioncategory) | Role can edit discussion categories |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ConvertIssuesToDiscussions](/opengraph/extensions/githound/reference/edges/gh_convertissuestodiscussions) | Role can convert issues to discussions |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CloseDiscussion](/opengraph/extensions/githound/reference/edges/gh_closediscussion) | Role can close discussions |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ReopenDiscussion](/opengraph/extensions/githound/reference/edges/gh_reopendiscussion) | Role can reopen discussions |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditCategoryOnDiscussion](/opengraph/extensions/githound/reference/edges/gh_editcategoryondiscussion) | Role can edit the category on a discussion |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageDiscussionBadges](/opengraph/extensions/githound/reference/edges/gh_managediscussionbadges) | Role can manage discussion badges |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditDiscussionComment](/opengraph/extensions/githound/reference/edges/gh_editdiscussioncomment) | Role can edit discussion comments |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_DeleteDiscussionComment](/opengraph/extensions/githound/reference/edges/gh_deletediscussioncomment) | Role can delete discussion comments |
+
+## Properties
+
+::: openfetch_github.models.repository_role.GHRepoRoleProperties
+ options:
+ show_docstring_attributes: true
+ inherited_members: true
+ members_order: source
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_reposecret.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_reposecret.mdx
new file mode 100644
index 0000000..cdec1fc
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_reposecret.mdx
@@ -0,0 +1,42 @@
+---
+title: 'GH_RepoSecret'
+description: 'A repository-level GitHub Actions secret accessible only to workflows in that repository'
+icon: '/images/extensions/githound/reference/gh_reposecret.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents a repository-level GitHub Actions secret. These are secrets defined directly on a specific repository and are only accessible to workflows running in that repository.
+
+
+## Edges
+
+```mermaid
+flowchart LR
+
+ GH_RepoSecret["fa:fa-lock"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_Repository -- GH_Contains --> GH_RepoSecret
+ GH_Repository -- GH_HasSecret --> GH_RepoSecret
+```
+
+### Inbound Edges
+
+| Start | End | Kind | Description |
+|-------|-----|------|-------------|
+| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RepoSecret](/opengraph/extensions/githound/reference/nodes/gh_reposecret) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Repository contains secret |
+| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RepoSecret](/opengraph/extensions/githound/reference/nodes/gh_reposecret) | [GH_HasSecret](/opengraph/extensions/githound/reference/edges/gh_hassecret) | Repository has access to secret |
+
+### Outbound Edges
+
+No outgoing edges.
+
+## Properties
+
+::: openfetch_github.models.repository_secret.GHRepoSecretProperties
+ options:
+ show_docstring_attributes: true
+ inherited_members: true
+ members_order: source
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_repository.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_repository.mdx
new file mode 100644
index 0000000..2006590
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_repository.mdx
@@ -0,0 +1,197 @@
+---
+title: 'GH_Repository'
+description: 'A code repository in an organization, containing files, issues, and other resources'
+icon: '/images/extensions/githound/reference/gh_repository.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents a GitHub repository within the organization. Repository nodes capture metadata about the repo including visibility, Actions enablement status, and security configuration. Repository role nodes ([GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole)) are created alongside each repository to represent the permission levels available.
+
+
+## Edges
+
+```mermaid
+flowchart LR
+
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_RepoSecret["fa:fa-lock"]:::bhNode
+ GH_RepoVariable["fa:fa-lock-open"]:::bhNode
+ GH_OrgVariable["fa:fa-lock-open"]:::bhNode
+ GH_SecretScanningAlert["fa:fa-key"]:::bhNode
+ GH_BranchProtectionRule["fa:fa-shield"]:::bhNode
+ GH_OrgSecret["fa:fa-lock"]:::bhNode
+ GH_Branch["fa:fa-code-branch"]:::bhNode
+ GH_Environment["fa:fa-leaf"]:::bhNode
+ GH_Workflow["fa:fa-cogs"]:::bhNode
+ GH_AppInstallation["fa:fa-plug"]:::bhNode
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_PersonalAccessToken["fa:fa-key"]:::bhNode
+ GH_Organization["fa:fa-building"]:::bhNode
+ GH_Repository -- GH_Contains --> GH_RepoSecret
+ GH_Repository -- GH_HasSecret --> GH_RepoSecret
+ GH_Repository -- GH_Contains --> GH_RepoVariable
+ GH_Repository -- GH_HasVariable --> GH_RepoVariable
+ GH_Repository -- GH_HasVariable --> GH_OrgVariable
+ GH_Repository -- GH_HasSecretScanningAlert --> GH_SecretScanningAlert
+ GH_Repository -- GH_Contains --> GH_BranchProtectionRule
+ GH_Repository -- GH_HasSecret --> GH_OrgSecret
+ GH_Repository -- GH_HasBranch --> GH_Branch
+ GH_Repository -- GH_HasEnvironment --> GH_Environment
+ GH_Repository -- GH_HasWorkflow --> GH_Workflow
+ GH_AppInstallation -- GH_CanAccess --> GH_Repository
+ GH_RepoRole -- GH_ReadRepoContents --> GH_Repository
+ GH_RepoRole -- GH_WriteRepoContents --> GH_Repository
+ GH_RepoRole -- GH_WriteRepoPullRequests --> GH_Repository
+ GH_RepoRole -- GH_AdminTo --> GH_Repository
+ GH_RepoRole -- GH_BypassBranchProtection --> GH_Repository
+ GH_RepoRole -- GH_PushProtectedBranch --> GH_Repository
+ GH_RepoRole -- GH_EditRepoProtections --> GH_Repository
+ GH_RepoRole -- GH_ViewSecretScanningAlerts --> GH_Repository
+ GH_RepoRole -- GH_ResolveSecretScanningAlerts --> GH_Repository
+ GH_RepoRole -- GH_DeleteAlertsCodeScanning --> GH_Repository
+ GH_RepoRole -- GH_RunOrgMigration --> GH_Repository
+ GH_RepoRole -- GH_ManageSecurityProducts --> GH_Repository
+ GH_RepoRole -- GH_ManageRepoSecurityProducts --> GH_Repository
+ GH_RepoRole -- GH_ManageWebhooks --> GH_Repository
+ GH_RepoRole -- GH_ManageDeployKeys --> GH_Repository
+ GH_RepoRole -- GH_CanCreateBranch --> GH_Repository
+ GH_RepoRole -- GH_ReadCodeScanning --> GH_Repository
+ GH_RepoRole -- GH_WriteCodeScanning --> GH_Repository
+ GH_RepoRole -- GH_ViewDependabotAlerts --> GH_Repository
+ GH_RepoRole -- GH_ResolveDependabotAlerts --> GH_Repository
+ GH_RepoRole -- GH_ManageTopics --> GH_Repository
+ GH_RepoRole -- GH_ManageSettingsWiki --> GH_Repository
+ GH_RepoRole -- GH_ManageSettingsProjects --> GH_Repository
+ GH_RepoRole -- GH_ManageSettingsMergeTypes --> GH_Repository
+ GH_RepoRole -- GH_ManageSettingsPages --> GH_Repository
+ GH_RepoRole -- GH_EditRepoMetadata --> GH_Repository
+ GH_RepoRole -- GH_SetInteractionLimits --> GH_Repository
+ GH_RepoRole -- GH_SetSocialPreview --> GH_Repository
+ GH_RepoRole -- GH_EditRepoAnnouncementBanners --> GH_Repository
+ GH_RepoRole -- GH_EditRepoCustomPropertiesValues --> GH_Repository
+ GH_RepoRole -- GH_CreateTag --> GH_Repository
+ GH_RepoRole -- GH_DeleteTag --> GH_Repository
+ GH_RepoRole -- GH_JumpMergeQueue --> GH_Repository
+ GH_RepoRole -- GH_CreateSoloMergeQueueEntry --> GH_Repository
+ GH_RepoRole -- GH_AddLabel --> GH_Repository
+ GH_RepoRole -- GH_RemoveLabel --> GH_Repository
+ GH_RepoRole -- GH_CloseIssue --> GH_Repository
+ GH_RepoRole -- GH_ReopenIssue --> GH_Repository
+ GH_RepoRole -- GH_DeleteIssue --> GH_Repository
+ GH_RepoRole -- GH_ClosePullRequest --> GH_Repository
+ GH_RepoRole -- GH_ReopenPullRequest --> GH_Repository
+ GH_RepoRole -- GH_AddAssignee --> GH_Repository
+ GH_RepoRole -- GH_RemoveAssignee --> GH_Repository
+ GH_RepoRole -- GH_RequestPrReview --> GH_Repository
+ GH_RepoRole -- GH_MarkAsDuplicate --> GH_Repository
+ GH_RepoRole -- GH_SetMilestone --> GH_Repository
+ GH_RepoRole -- GH_SetIssueType --> GH_Repository
+ GH_RepoRole -- GH_DeleteDiscussion --> GH_Repository
+ GH_RepoRole -- GH_ToggleDiscussionAnswer --> GH_Repository
+ GH_RepoRole -- GH_ToggleDiscussionCommentMinimize --> GH_Repository
+ GH_RepoRole -- GH_CreateDiscussionCategory --> GH_Repository
+ GH_RepoRole -- GH_EditDiscussionCategory --> GH_Repository
+ GH_RepoRole -- GH_ConvertIssuesToDiscussions --> GH_Repository
+ GH_RepoRole -- GH_CloseDiscussion --> GH_Repository
+ GH_RepoRole -- GH_ReopenDiscussion --> GH_Repository
+ GH_RepoRole -- GH_EditCategoryOnDiscussion --> GH_Repository
+ GH_RepoRole -- GH_ManageDiscussionBadges --> GH_Repository
+ GH_RepoRole -- GH_EditDiscussionComment --> GH_Repository
+ GH_RepoRole -- GH_DeleteDiscussionComment --> GH_Repository
+ GH_PersonalAccessToken -- GH_CanAccess --> GH_Repository
+ GH_Organization -- GH_Owns --> GH_Repository
+```
+
+### Inbound Edges
+
+| Start | End | Kind | Description |
+|-------|-----|------|-------------|
+| [GH_AppInstallation](/opengraph/extensions/githound/reference/nodes/gh_appinstallation) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CanAccess](/opengraph/extensions/githound/reference/edges/gh_canaccess) | App installation can access repository |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ReadRepoContents](/opengraph/extensions/githound/reference/edges/gh_readrepocontents) | Role can read repo contents |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_WriteRepoContents](/opengraph/extensions/githound/reference/edges/gh_writerepocontents) | Role can write repo contents |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_WriteRepoPullRequests](/opengraph/extensions/githound/reference/edges/gh_writerepopullrequests) | Role can write pull requests |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_AdminTo](/opengraph/extensions/githound/reference/edges/gh_adminto) | Role has admin access to repo |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_BypassBranchProtection](/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection) | Role can bypass branch protection rules |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_PushProtectedBranch](/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch) | Role can push to protected branches |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditRepoProtections](/opengraph/extensions/githound/reference/edges/gh_editrepoprotections) | Role can edit repository branch protection settings |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ViewSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts) | Role can view secret scanning alerts |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ResolveSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_resolvesecretscanningalerts) | Role can resolve secret scanning alerts |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_DeleteAlertsCodeScanning](/opengraph/extensions/githound/reference/edges/gh_deletealertscodescanning) | Role can delete code scanning alerts |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RunOrgMigration](/opengraph/extensions/githound/reference/edges/gh_runorgmigration) | Role can run organization migrations on the repository |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageSecurityProducts](/opengraph/extensions/githound/reference/edges/gh_managesecurityproducts) | Role can manage security products for the repository |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageRepoSecurityProducts](/opengraph/extensions/githound/reference/edges/gh_managereposecurityproducts) | Role can manage repository-level security products |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageWebhooks](/opengraph/extensions/githound/reference/edges/gh_managewebhooks) | Role can manage repository webhooks |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageDeployKeys](/opengraph/extensions/githound/reference/edges/gh_managedeploykeys) | Role can manage repository deploy keys |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CanCreateBranch](/opengraph/extensions/githound/reference/edges/gh_cancreatebranch) | Role can create new branches in the repository |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ReadCodeScanning](/opengraph/extensions/githound/reference/edges/gh_readcodescanning) | Role can read code scanning results |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_WriteCodeScanning](/opengraph/extensions/githound/reference/edges/gh_writecodescanning) | Role can write code scanning results |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ViewDependabotAlerts](/opengraph/extensions/githound/reference/edges/gh_viewdependabotalerts) | Role can view Dependabot alerts |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ResolveDependabotAlerts](/opengraph/extensions/githound/reference/edges/gh_resolvedependabotalerts) | Role can resolve Dependabot alerts |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageTopics](/opengraph/extensions/githound/reference/edges/gh_managetopics) | Role can manage repository topics |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageSettingsWiki](/opengraph/extensions/githound/reference/edges/gh_managesettingswiki) | Role can manage wiki settings |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageSettingsProjects](/opengraph/extensions/githound/reference/edges/gh_managesettingsprojects) | Role can manage projects settings |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageSettingsMergeTypes](/opengraph/extensions/githound/reference/edges/gh_managesettingsmergetypes) | Role can manage merge type settings |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageSettingsPages](/opengraph/extensions/githound/reference/edges/gh_managesettingspages) | Role can manage GitHub Pages settings |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditRepoMetadata](/opengraph/extensions/githound/reference/edges/gh_editrepometadata) | Role can edit repository metadata (name, description, etc.) |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_SetInteractionLimits](/opengraph/extensions/githound/reference/edges/gh_setinteractionlimits) | Role can set interaction limits on the repository |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_SetSocialPreview](/opengraph/extensions/githound/reference/edges/gh_setsocialpreview) | Role can set the repository social preview image |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditRepoAnnouncementBanners](/opengraph/extensions/githound/reference/edges/gh_editrepoannouncementbanners) | Role can edit repository announcement banners |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditRepoCustomPropertiesValues](/opengraph/extensions/githound/reference/edges/gh_editrepocustompropertiesvalues) | Role can edit custom property values on the repository |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CreateTag](/opengraph/extensions/githound/reference/edges/gh_createtag) | Role can create tags in the repository |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_DeleteTag](/opengraph/extensions/githound/reference/edges/gh_deletetag) | Role can delete tags in the repository |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_JumpMergeQueue](/opengraph/extensions/githound/reference/edges/gh_jumpmergequeue) | Role can jump the merge queue |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CreateSoloMergeQueueEntry](/opengraph/extensions/githound/reference/edges/gh_createsolomergequeueentry) | Role can create a solo merge queue entry |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_AddLabel](/opengraph/extensions/githound/reference/edges/gh_addlabel) | Role can add labels to issues and pull requests |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RemoveLabel](/opengraph/extensions/githound/reference/edges/gh_removelabel) | Role can remove labels from issues and pull requests |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CloseIssue](/opengraph/extensions/githound/reference/edges/gh_closeissue) | Role can close issues |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ReopenIssue](/opengraph/extensions/githound/reference/edges/gh_reopenissue) | Role can reopen issues |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_DeleteIssue](/opengraph/extensions/githound/reference/edges/gh_deleteissue) | Role can delete issues |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ClosePullRequest](/opengraph/extensions/githound/reference/edges/gh_closepullrequest) | Role can close pull requests |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ReopenPullRequest](/opengraph/extensions/githound/reference/edges/gh_reopenpullrequest) | Role can reopen pull requests |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_AddAssignee](/opengraph/extensions/githound/reference/edges/gh_addassignee) | Role can add assignees to issues and pull requests |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RemoveAssignee](/opengraph/extensions/githound/reference/edges/gh_removeassignee) | Role can remove assignees from issues and pull requests |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RequestPrReview](/opengraph/extensions/githound/reference/edges/gh_requestprreview) | Role can request pull request reviews |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_MarkAsDuplicate](/opengraph/extensions/githound/reference/edges/gh_markasduplicate) | Role can mark issues or pull requests as duplicates |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_SetMilestone](/opengraph/extensions/githound/reference/edges/gh_setmilestone) | Role can set milestones on issues and pull requests |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_SetIssueType](/opengraph/extensions/githound/reference/edges/gh_setissuetype) | Role can set issue types |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_DeleteDiscussion](/opengraph/extensions/githound/reference/edges/gh_deletediscussion) | Role can delete discussions |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ToggleDiscussionAnswer](/opengraph/extensions/githound/reference/edges/gh_togglediscussionanswer) | Role can toggle the accepted answer on a discussion |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ToggleDiscussionCommentMinimize](/opengraph/extensions/githound/reference/edges/gh_togglediscussioncommentminimize) | Role can minimize or un-minimize discussion comments |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CreateDiscussionCategory](/opengraph/extensions/githound/reference/edges/gh_creatediscussioncategory) | Role can create discussion categories |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditDiscussionCategory](/opengraph/extensions/githound/reference/edges/gh_editdiscussioncategory) | Role can edit discussion categories |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ConvertIssuesToDiscussions](/opengraph/extensions/githound/reference/edges/gh_convertissuestodiscussions) | Role can convert issues to discussions |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CloseDiscussion](/opengraph/extensions/githound/reference/edges/gh_closediscussion) | Role can close discussions |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ReopenDiscussion](/opengraph/extensions/githound/reference/edges/gh_reopendiscussion) | Role can reopen discussions |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditCategoryOnDiscussion](/opengraph/extensions/githound/reference/edges/gh_editcategoryondiscussion) | Role can edit the category on a discussion |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageDiscussionBadges](/opengraph/extensions/githound/reference/edges/gh_managediscussionbadges) | Role can manage discussion badges |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditDiscussionComment](/opengraph/extensions/githound/reference/edges/gh_editdiscussioncomment) | Role can edit discussion comments |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_DeleteDiscussionComment](/opengraph/extensions/githound/reference/edges/gh_deletediscussioncomment) | Role can delete discussion comments |
+| [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CanAccess](/opengraph/extensions/githound/reference/edges/gh_canaccess) | PAT can access repository |
+| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_Owns](/opengraph/extensions/githound/reference/edges/gh_owns) | Org owns repository |
+
+### Outbound Edges
+
+| Start | End | Kind | Description |
+|-------|-----|------|-------------|
+| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RepoSecret](/opengraph/extensions/githound/reference/nodes/gh_reposecret) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Repository contains secret |
+| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RepoSecret](/opengraph/extensions/githound/reference/nodes/gh_reposecret) | [GH_HasSecret](/opengraph/extensions/githound/reference/edges/gh_hassecret) | Repository has access to secret |
+| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RepoVariable](/opengraph/extensions/githound/reference/nodes/gh_repovariable) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Repository contains variable |
+| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RepoVariable](/opengraph/extensions/githound/reference/nodes/gh_repovariable) | [GH_HasVariable](/opengraph/extensions/githound/reference/edges/gh_hasvariable) | Repository has access to variable |
+| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_OrgVariable](/opengraph/extensions/githound/reference/nodes/gh_orgvariable) | [GH_HasVariable](/opengraph/extensions/githound/reference/edges/gh_hasvariable) | Repository can access org variable |
+| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_SecretScanningAlert](/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert) | [GH_HasSecretScanningAlert](../../graph/edges/gh_hassecretscanningalert) | Repository has secret scanning alert |
+| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Repository contains branch protection rule |
+| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_OrgSecret](/opengraph/extensions/githound/reference/nodes/gh_orgsecret) | [GH_HasSecret](/opengraph/extensions/githound/reference/edges/gh_hassecret) | Repository can access org secret |
+| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_HasBranch](/opengraph/extensions/githound/reference/edges/gh_hasbranch) | Repository has branch |
+| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) | [GH_HasEnvironment](/opengraph/extensions/githound/reference/edges/gh_hasenvironment) | Repository deploys to environment (no custom branch policy) |
+| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_Workflow](/opengraph/extensions/githound/reference/nodes/gh_workflow) | [GH_HasWorkflow](/opengraph/extensions/githound/reference/edges/gh_hasworkflow) | Repository contains workflow |
+
+## Properties
+
+::: openfetch_github.models.repository.GHRepositoryProperties
+ options:
+ show_docstring_attributes: true
+ inherited_members: true
+ members_order: source
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_repovariable.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_repovariable.mdx
new file mode 100644
index 0000000..adc563a
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_repovariable.mdx
@@ -0,0 +1,42 @@
+---
+title: 'GH_RepoVariable'
+description: 'A repository-level GitHub Actions variable accessible only to workflows in that repository. Unlike secrets, variable values are readable.'
+icon: '/images/extensions/githound/reference/gh_repovariable.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents a repository-level GitHub Actions variable. These are variables defined directly on a specific repository and are only accessible to workflows running in that repository. Unlike secrets, variable values are readable via the API.
+
+
+## Edges
+
+```mermaid
+flowchart LR
+
+ GH_RepoVariable["fa:fa-lock-open"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_Repository -- GH_Contains --> GH_RepoVariable
+ GH_Repository -- GH_HasVariable --> GH_RepoVariable
+```
+
+### Inbound Edges
+
+| Start | End | Kind | Description |
+|-------|-----|------|-------------|
+| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RepoVariable](/opengraph/extensions/githound/reference/nodes/gh_repovariable) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Repository contains variable |
+| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RepoVariable](/opengraph/extensions/githound/reference/nodes/gh_repovariable) | [GH_HasVariable](/opengraph/extensions/githound/reference/edges/gh_hasvariable) | Repository has access to variable |
+
+### Outbound Edges
+
+No outgoing edges.
+
+## Properties
+
+::: openfetch_github.models.repository_variable.GHRepoVariableProperties
+ options:
+ show_docstring_attributes: true
+ inherited_members: true
+ members_order: source
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_samlidentityprovider.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_samlidentityprovider.mdx
new file mode 100644
index 0000000..0321be1
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_samlidentityprovider.mdx
@@ -0,0 +1,44 @@
+---
+title: 'GH_SamlIdentityProvider'
+description: 'A SAML identity provider configured for the organization, enabling SSO'
+icon: '/images/extensions/githound/reference/gh_samlidentityprovider.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents a SAML identity provider configured for the organization. This node captures the SAML SSO configuration details and serves as the parent container for external identity mappings. Through external identities, it enables linking GitHub users to their corporate identities in the identity provider.
+
+
+## Edges
+
+```mermaid
+flowchart LR
+
+ GH_SamlIdentityProvider["fa:fa-id-badge"]:::bhNode
+ GH_ExternalIdentity["fa:fa-arrows-left-right"]:::bhNode
+ GH_Organization["fa:fa-building"]:::bhNode
+ GH_SamlIdentityProvider -- GH_HasExternalIdentity --> GH_ExternalIdentity
+ GH_Organization -- GH_HasSamlIdentityProvider --> GH_SamlIdentityProvider
+```
+
+### Inbound Edges
+
+| Start | End | Kind | Description |
+|-------|-----|------|-------------|
+| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_SamlIdentityProvider](/opengraph/extensions/githound/reference/nodes/gh_samlidentityprovider) | [GH_HasSamlIdentityProvider](/opengraph/extensions/githound/reference/edges/gh_hassamlidentityprovider) | Org uses this SAML IdP |
+
+### Outbound Edges
+
+| Start | End | Kind | Description |
+|-------|-----|------|-------------|
+| [GH_SamlIdentityProvider](/opengraph/extensions/githound/reference/nodes/gh_samlidentityprovider) | [GH_ExternalIdentity](/opengraph/extensions/githound/reference/nodes/gh_externalidentity) | [GH_HasExternalIdentity](/opengraph/extensions/githound/reference/edges/gh_hasexternalidentity) | IdP has external identity |
+
+## Properties
+
+::: openfetch_github.models.saml_provider.GHSamlProviderProperties
+ options:
+ show_docstring_attributes: true
+ inherited_members: true
+ members_order: source
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert.mdx
new file mode 100644
index 0000000..1f77cf2
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert.mdx
@@ -0,0 +1,47 @@ +--- +title: 'GH_SecretScanningAlert' +description: 'A GitHub Advanced Security alert indicating a secret was accidentally committed to a repository' +icon: '/images/extensions/githound/reference/gh_secretscanningalert.png' +--- + +Applies to BloodHound Enterprise and CE + +## Description + +Represents a GitHub secret scanning alert detected in a repository. Secret scanning alerts are raised when GitHub detects a known secret pattern (such as an API key, token, or credential) committed to a repository. The alert captures the secret type, validity status, and current resolution state. + + +## Edges + +```mermaid +flowchart LR + + GH_SecretScanningAlert["fa:fa-key"]:::bhNode + GH_User["fa:fa-user"]:::bhNode + GH_Organization["fa:fa-building"]:::bhNode + GH_Repository["fa:fa-box-archive"]:::bhNode + GH_SecretScanningAlert -- GH_ValidToken --> GH_User + GH_Organization -- GH_Contains --> GH_SecretScanningAlert + GH_Repository -- GH_HasSecretScanningAlert --> GH_SecretScanningAlert +``` + +### Inbound Edges + +| Start | End | Kind | Description | +|-------|-----|------|-------------| +| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_SecretScanningAlert](/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains secret scanning alert | +| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_SecretScanningAlert](/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert) | [GH_HasSecretScanningAlert](../../graph/edges/gh_hassecretscanningalert) | Repository has secret scanning alert | + +### Outbound Edges + +| Start | End | Kind | Description | +|-------|-----|------|-------------| +| [GH_SecretScanningAlert](/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert) | [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | 
[GH_ValidToken](/opengraph/extensions/githound/reference/edges/gh_validtoken) | Alert secret is a valid PAT for this user | + +## Properties + +::: openfetch_github.models.secret_scanning_alert.GHSecretScanningAlertProperties + options: + show_docstring_attributes: true + inherited_members: true + members_order: source diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_team.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_team.mdx new file mode 100644 index 0000000..f63e2ba --- /dev/null +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_team.mdx 
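Review bot: The Repository→GH_SecretScanningAlert row in the inbound table names the edge GH_HasSecretScanningAlert, but the "Active Leaked Secrets" saved search added elsewhere in this patch matches `(:GH_Repository)-[:GH_Contains]->(alert:GH_SecretScanningAlert ...)`; whichever edge kind the collector actually emits, the other one will silently return no paths, so the two should be reconciled against the schema before this ships. The same row links the edge as `../../graph/edges/gh_hassecretscanningalert` while every other link on the page is absolute under `/opengraph/extensions/githound/reference/edges/`, which looks like a stale path; `[GH_HasSecretScanningAlert](/opengraph/extensions/githound/reference/edges/gh_hassecretscanningalert)` would match the rest of the page. If these pages are generated, the fix belongs in the generator's edge metadata rather than in this file.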
@@ -0,0 +1,56 @@
+---
+title: 'GH_Team'
+description: 'A team within an organization, grouping users for shared access and collaboration'
+icon: '/images/extensions/githound/reference/gh_team.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents a GitHub team within the organization. Teams can have parent-child relationships, contain members with different roles (Member, Maintainer), and be assigned to repository roles.
+
+
+## Edges
+
+```mermaid
+flowchart LR
+
+ GH_Team["fa:fa-user-group"]:::bhNode
+ GH_OrgRole["fa:fa-user-tie"]:::bhNode
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Branch["fa:fa-code-branch"]:::bhNode
+ GH_TeamRole["fa:fa-user-tie"]:::bhNode
+ GH_Team -- GH_HasRole --> GH_OrgRole
+ GH_Team -- GH_MemberOf --> GH_Team
+ GH_Team -- GH_HasRole --> GH_RepoRole
+ GH_Team -- GH_CanWriteBranch --> GH_Branch
+ GH_Team -- GH_MemberOf --> GH_Team
+ GH_TeamRole -- GH_MemberOf --> GH_Team
+ GH_TeamRole -- GH_AddMember --> GH_Team
+```
+
+### Inbound Edges
+
+| Start | End | Kind | Description |
+|-------|-----|------|-------------|
+| [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | [GH_MemberOf](/opengraph/extensions/githound/reference/edges/gh_memberof) | Team is a child of parent team |
+| [GH_TeamRole](/opengraph/extensions/githound/reference/nodes/gh_teamrole) | [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | [GH_MemberOf](/opengraph/extensions/githound/reference/edges/gh_memberof) | Team role belongs to team |
+| [GH_TeamRole](/opengraph/extensions/githound/reference/nodes/gh_teamrole) | [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | [GH_AddMember](/opengraph/extensions/githound/reference/edges/gh_addmember) | Maintainers role can add members to team |
+
+### Outbound Edges
+
+| Start | End | Kind | Description |
+|-------|-----|------|-------------|
+| [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | Team has org role |
+| [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | [GH_MemberOf](/opengraph/extensions/githound/reference/edges/gh_memberof) | Team is a child of parent team |
+| [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | Team has repo role |
+| [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) | Team can push commits to this branch via actor-level bypass allowances |
+
+## Properties
+
+::: openfetch_github.models.team.GHTeamProperties
+ options:
+ show_docstring_attributes: true
+ inherited_members: true
+ members_order: source
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_teamrole.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_teamrole.mdx
new file mode 100644
index 0000000..b68dd57
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_teamrole.mdx
@@ -0,0 +1,46 @@
+---
+title: 'GH_TeamRole'
+description: 'The role a user has within a team (e.g., maintainer, member)'
+icon: '/images/extensions/githound/reference/gh_teamrole.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents a role within a GitHub team. Each team has two built-in roles: Member and Maintainer. Maintainers can add and remove team members. Team roles connect users to teams and transitively to any repository roles assigned to the team.
+
+
+## Edges
+
+```mermaid
+flowchart LR
+
+ GH_TeamRole["fa:fa-user-tie"]:::bhNode
+ GH_Team["fa:fa-user-group"]:::bhNode
+ GH_User["fa:fa-user"]:::bhNode
+ GH_TeamRole -- GH_MemberOf --> GH_Team
+ GH_TeamRole -- GH_AddMember --> GH_Team
+ GH_User -- GH_HasRole --> GH_TeamRole
+```
+
+### Inbound Edges
+
+| Start | End | Kind | Description |
+|-------|-----|------|-------------|
+| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_TeamRole](/opengraph/extensions/githound/reference/nodes/gh_teamrole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has team role |
+
+### Outbound Edges
+
+| Start | End | Kind | Description |
+|-------|-----|------|-------------|
+| [GH_TeamRole](/opengraph/extensions/githound/reference/nodes/gh_teamrole) | [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | [GH_MemberOf](/opengraph/extensions/githound/reference/edges/gh_memberof) | Team role belongs to team |
+| [GH_TeamRole](/opengraph/extensions/githound/reference/nodes/gh_teamrole) | [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | [GH_AddMember](/opengraph/extensions/githound/reference/edges/gh_addmember) | Maintainers role can add members to team |
+
+## Properties
+
+::: openfetch_github.models.team_role.GHTeamRoleProperties
+ options:
+ show_docstring_attributes: true
+ inherited_members: true
+ members_order: source
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_user.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_user.mdx
new file mode 100644
index 0000000..898f5f8
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_user.mdx
@@ -0,0 +1,71 @@
+---
+title: 'GH_User'
+description: 'An individual GitHub user account'
+icon: '/images/extensions/githound/reference/gh_user.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents a GitHub user who is a member of the organization. Users are associated with organization roles (Owner or Member) and can be assigned to repository roles and team roles.
+
+
+## Edges
+
+```mermaid
+flowchart LR
+
+ GH_User["fa:fa-user"]:::bhNode
+ GH_TeamRole["fa:fa-user-tie"]:::bhNode
+ GH_OrgRole["fa:fa-user-tie"]:::bhNode
+ GH_PersonalAccessToken["fa:fa-key"]:::bhNode
+ GH_RepoRole["fa:fa-user-tie"]:::bhNode
+ GH_Branch["fa:fa-code-branch"]:::bhNode
+ GH_PersonalAccessTokenRequest["fa:fa-key"]:::bhNode
+ GH_BranchProtectionRule["fa:fa-shield"]:::bhNode
+ GH_SecretScanningAlert["fa:fa-key"]:::bhNode
+ GH_ExternalIdentity["fa:fa-arrows-left-right"]:::bhNode
+ GH_User -- GH_HasRole --> GH_TeamRole
+ GH_User -- GH_HasRole --> GH_OrgRole
+ GH_User -- GH_HasPersonalAccessToken --> GH_PersonalAccessToken
+ GH_User -- GH_HasRole --> GH_OrgRole
+ GH_User -- GH_HasRole --> GH_RepoRole
+ GH_User -- GH_CanWriteBranch --> GH_Branch
+ GH_User -- GH_HasPersonalAccessTokenRequest --> GH_PersonalAccessTokenRequest
+ GH_User -- GH_RestrictionsCanPush --> GH_BranchProtectionRule
+ GH_User -- GH_BypassPullRequestAllowances --> GH_BranchProtectionRule
+ GH_SecretScanningAlert -- GH_ValidToken --> GH_User
+ GH_ExternalIdentity -- GH_MapsToUser --> GH_User
+ GH_ExternalIdentity -- GH_SyncedTo --> GH_User
+```
+
+### Inbound Edges
+
+| Start | End | Kind | Description |
+|-------|-----|------|-------------|
+| [GH_SecretScanningAlert](/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert) | [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_ValidToken](/opengraph/extensions/githound/reference/edges/gh_validtoken) | Alert secret is a valid PAT for this user |
+| [GH_ExternalIdentity](/opengraph/extensions/githound/reference/nodes/gh_externalidentity) | [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_MapsToUser](/opengraph/extensions/githound/reference/edges/gh_mapstouser) | External identity maps to a user |
+| [GH_ExternalIdentity](/opengraph/extensions/githound/reference/nodes/gh_externalidentity) | [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_SyncedTo](/opengraph/extensions/githound/reference/edges/gh_syncedto) | Foreign IdP user is synced to a GitHub user |
+
+### Outbound Edges
+
+| Start | End | Kind | Description |
+|-------|-----|------|-------------|
+| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_TeamRole](/opengraph/extensions/githound/reference/nodes/gh_teamrole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has team role |
+| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has default org role (owners or members) |
+| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) | [GH_HasPersonalAccessToken](/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstoken) | User owns PAT |
+| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has org role |
+| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has repo role |
+| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) | User can push commits to this branch via actor-level bypass allowances |
+| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_PersonalAccessTokenRequest](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstokenrequest) | [GH_HasPersonalAccessTokenRequest](/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstokenrequest) | User submitted PAT request |
+| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) | [GH_RestrictionsCanPush](/opengraph/extensions/githound/reference/edges/gh_restrictionscanpush) | Actor can push despite push restrictions |
+| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) | [GH_BypassPullRequestAllowances](/opengraph/extensions/githound/reference/edges/gh_bypasspullrequestallowances) | Actor can bypass PR review requirements |
+
+## Properties
+
+::: openfetch_github.models.user.GHUserProperties
+ options:
+ show_docstring_attributes: true
+ inherited_members: true
+ members_order: source
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_workflow.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_workflow.mdx
new file mode 100644
index 0000000..9cae0dd
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_workflow.mdx
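Review bot: The inbound table documents the IdP-sync edge as GH_SyncedTo, but the "[Demo] SSO Round-Trip" saved search added in this same patch matches `(extUser)-[:SyncedToGHUser]->(ghUser:GH_User)`, so one of the two names does not exist in the graph and that query will silently return no paths; the edge kind should be spelled identically in the schema page and the query. Separately, GH_User→GH_OrgRole via GH_HasRole appears twice in both the mermaid diagram and the outbound table with different descriptions ("User has default org role (owners or members)" and "User has org role"), which reads like a duplicated schema entry rather than two distinct edges — presumably a single row such as `| ... | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has org role (built-in owners/members or a custom role) |` is intended, but confirm against the generator's edge metadata.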
@@ -0,0 +1,40 @@
+---
+title: 'GH_Workflow'
+description: 'A GitHub Actions workflow defined in a repository'
+icon: '/images/extensions/githound/reference/gh_workflow.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents a GitHub Actions workflow defined in a repository. Workflow nodes capture the workflow definition metadata including its file path, state, containing repository, and the full YAML contents of the workflow file. Only repositories with GitHub Actions enabled are queried for workflows.
+
+
+## Edges
+
+```mermaid
+flowchart LR
+
+ GH_Workflow["fa:fa-cogs"]:::bhNode
+ GH_Repository["fa:fa-box-archive"]:::bhNode
+ GH_Repository -- GH_HasWorkflow --> GH_Workflow
+```
+
+### Inbound Edges
+
+| Start | End | Kind | Description |
+|-------|-----|------|-------------|
+| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_Workflow](/opengraph/extensions/githound/reference/nodes/gh_workflow) | [GH_HasWorkflow](/opengraph/extensions/githound/reference/edges/gh_hasworkflow) | Repository contains workflow |
+
+### Outbound Edges
+
+No outgoing edges.
+
+## Properties
+
+::: openfetch_github.models.workflow.GHWorkflowProperties
+ options:
+ show_docstring_attributes: true
+ inherited_members: true
+ members_order: source
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_workflowjob.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_workflowjob.mdx
new file mode 100644
index 0000000..c937064
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_workflowjob.mdx
@@ -0,0 +1,11 @@
+---
+title: 'GH_WorkflowJob'
+description: 'A job within a GitHub Actions workflow, with a runner, permissions, and an ordered list of steps'
+icon: '/images/extensions/githound/reference/gh_workflowjob.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents a single job within a GitHub Actions workflow. Jobs are the top-level execution units of a workflow — they run on a runner, hold a set of steps, and can declare permissions, environments, and dependencies on other jobs.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_workflowstep.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_workflowstep.mdx
new file mode 100644
index 0000000..fe8c6df
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_workflowstep.mdx
@@ -0,0 +1,11 @@
+---
+title: 'GH_WorkflowStep'
+description: 'A single step within a GitHub Actions job — either a uses: action reference or a run: shell command'
+icon: '/images/extensions/githound/reference/gh_workflowstep.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents a single step within a GitHub Actions job. A step is either a `uses:` action reference or a `run:` shell command. Steps are the leaf nodes of the workflow execution tree and are the primary location where secrets and variables are consumed.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/privilege-zone-rules.mdx b/docs/official-docs/opengraph/extensions/githound/reference/privilege-zone-rules.mdx
new file mode 100644
index 0000000..b417572
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/privilege-zone-rules.mdx
@@ -0,0 +1,136 @@
+---
+title: Privilege Zone Rules
+description: "Default Privilege Zone rules for the GitHound extension"
+icon: "gem"
+---
+
+Applies to BloodHound Enterprise and CE
+The following Cypher rules define the default Privilege Zone for the GitHound extension.
+Each rule is defined in a JSON file located in the [PrivilegeZoneRules](https://github.com/SpecterOps/openhound-github/tree/main/extension/privilege_zone_rules) directory of the GitHound repository.
+
+## Tier Zero All-Repo Admin Role
+
+The synthetic all_repo_admin role grants admin access to every repository in the organization. This role is inherited by the owners role via GH_HasBaseRole and cascades admin permissions including branch protection editing, secret access, and deploy key management to all repositories.
+
+```cypher
+MATCH (n:GH_OrgRole)
+WHERE n.name ENDS
+WITH '/all_repo_admin'
+RETURN n
+```
+
+This rule is defined in the [t0-all-repo-admin-role.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/privilege_zone_rules/t0-all-repo-admin-role.json) file.
+
+## Tier Zero App Installations (All Repositories)
+
+GitHub App installations scoped to all repositories in the organization that have at least one write permission. A compromised app credential grants write access to every repository. Installations with only read permissions are excluded — they pose a data exfiltration risk but do not grant control over the organization.
+
+```cypher
+MATCH (n:GH_AppInstallation {repository_selection:'all'})
+WHERE n.permissions CONTAINS '"write"'
+RETURN n
+```
+
+This rule is defined in the [t0-app-installations-all-repos.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/privilege_zone_rules/t0-app-installations-all-repos.json) file.
+
+## Tier Zero Apps (All-Repository Installations)
+
+GitHub App definitions whose installations have write access to all repositories. The app owner controls the private key that can generate tokens for any installation. Compromise of the app's private key grants write access to every repository in organizations where it is installed. Apps whose installations have only read permissions are excluded.
+
+```cypher
+MATCH (n:GH_App)-[:GH_InstalledAs]->(i:GH_AppInstallation {repository_selection:'all'})
+WHERE i.permissions CONTAINS '"write"'
+RETURN n
+```
+
+This rule is defined in the [t0-apps-all-repos.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/privilege_zone_rules/t0-apps-all-repos.json) file.
+
+## Tier Zero External Identities (Owner-Mapped)
+
+External identities from SAML/SCIM providers that map to GitHub users holding the owners role. Compromise of these external identities in the identity provider grants organizational owner access to GitHub via SSO.
+
+```cypher
+MATCH (n:GH_ExternalIdentity)-[:GH_MapsToUser]->(:GH_User)-[:GH_HasRole]->(:GH_OrgRole {short_name:'owners'})
+RETURN n
+```
+
+This rule is defined in the [t0-external-identities-owners.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/privilege_zone_rules/t0-external-identities-owners.json) file.
+
+## Tier Zero Organizations
+
+GitHub organizations are the root trust boundary for all repositories, teams, users, and settings. Compromise of the organization grants full administrative control over all contained assets.
+
+```cypher
+MATCH (n:GH_Organization)
+RETURN n
+```
+
+This rule is defined in the [t0-organizations.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/privilege_zone_rules/t0-organizations.json) file.
+
+## Tier Zero Owner Users
+
+Users who hold the organization owners role have full administrative control over the GitHub organization. Compromise of any owner account grants control over all repositories, secrets, SSO configuration, and cloud identities.
+
+```cypher
+MATCH (n:GH_User)-[:GH_HasRole]->(:GH_OrgRole {short_name:'owners'})
+RETURN n
+```
+
+This rule is defined in the [t0-owner-users.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/privilege_zone_rules/t0-owner-users.json) file.
+
+## Tier Zero Owners Role
+
+The owners organization role grants full administrative control including all repository admin, member management, SSO configuration, app management, and billing. Owners inherit all_repo_admin, cascading admin access to every repository, secret, environment, and cloud identity in the organization.
+
+```cypher
+MATCH (n:GH_OrgRole {short_name:'owners'})
+RETURN n
+```
+
+This rule is defined in the [t0-owners-role.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/privilege_zone_rules/t0-owners-role.json) file.
+
+## Tier Zero PATs (All Repositories)
+
+Fine-grained personal access tokens scoped to all repositories in the organization that have at least one write permission. A single compromised token grants write access to every repository. PATs with only read permissions are excluded — they pose a data exfiltration risk but do not grant control over the organization.
+
+```cypher
+MATCH (n:GH_PersonalAccessToken {repository_selection:'all'})
+WHERE n.permissions CONTAINS '"write"'
+RETURN n
+```
+
+This rule is defined in the [t0-pats-all-repos.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/privilege_zone_rules/t0-pats-all-repos.json) file.
+
+## Tier Zero Privilege Escalation Roles
+
+Custom organization roles with write_organization_custom_org_role permission can modify organization role definitions, including setting the base_role to inherit all_repo_admin. Since this permission only exists on custom organization roles, the holder can escalate the role they already hold — a guaranteed self-escalation path to full organizational control.
+
+```cypher
+MATCH (n:GH_OrgRole)-[:GH_WriteOrganizationCustomOrgRole]->(:GH_Organization)
+RETURN n
+```
+
+This rule is defined in the [t0-privilege-escalation-roles.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/privilege_zone_rules/t0-privilege-escalation-roles.json) file.
+
+## Tier Zero Privilege Escalation Users
+
+Users who hold custom organization roles with write_organization_custom_org_role permission. These users can modify organization role definitions — including the role they hold — to set the base_role to all_repo_admin, granting themselves admin access to every repository in the organization.
+
+```cypher
+MATCH (n:GH_User)-[:GH_HasRole|GH_HasBaseRole*1..]->(:GH_OrgRole)-[:GH_WriteOrganizationCustomOrgRole]->(:GH_Organization)
+RETURN n
+```
+
+This rule is defined in the [t0-privilege-escalation-users.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/privilege_zone_rules/t0-privilege-escalation-users.json) file.
+
+## Tier Zero SAML Identity Providers
+
+SAML identity providers control authentication for all organization members via SSO. Compromise of the identity provider grants the ability to impersonate any user, including organization owners, by manipulating SAML assertions or resetting credentials.
+
+```cypher
+MATCH (n:GH_SamlIdentityProvider)
+RETURN n
+```
+
+This rule is defined in the [t0-saml-identity-providers.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/privilege_zone_rules/t0-saml-identity-providers.json) file.
+
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/queries.mdx b/docs/official-docs/opengraph/extensions/githound/reference/queries.mdx
new file mode 100644
index 0000000..30b8b75
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/queries.mdx
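Review bot: The "Tier Zero Privilege Escalation Users" rule walks only `GH_HasRole|GH_HasBaseRole*1..`, so a user who receives the custom org role through a team (GH_User→GH_TeamRole→GH_MemberOf→GH_Team→GH_HasRole→GH_OrgRole, per the gh_team and gh_teamrole pages in this patch) is never tagged Tier Zero even though the rule's own text says any holder of the role can self-escalate; the dangerous-branch-perms saved search already uses the broader traversal, so `MATCH (n:GH_User)-[:GH_HasRole|GH_HasBaseRole|GH_MemberOf*1..]->(:GH_OrgRole)-[:GH_WriteOrganizationCustomOrgRole]->(:GH_Organization)` would close the gap. The "Tier Zero Owner Users" and "Owner-Mapped" external-identity rules have the same direct-edge-only shape; whether a team can hold the owners role in this schema is not visible here, but if it can, the same traversal is needed there too. The app-installation and PAT rules test `n.permissions CONTAINS '"write"'`, which presumes the permissions property is stored as a JSON-serialized string with double-quoted values — worth a one-line note on each rule stating that assumption, since a change in how the collector serializes that property would silently drop every installation and token from Tier Zero rather than fail loudly.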
@@ -0,0 +1,696 @@ +--- +title: Cypher Queries +description: Default Cypher queries for the GitHound extension +icon: code +--- + +Applies to BloodHound Enterprise and CE +The following custom Cypher queries can be imported into BloodHound to enhance visibility. +Each query is defined in a JSON file located in the [Saved Searches](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches) directory of the GitHound repository. + +This file is automatically generated from the [JSON query files](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches) +that are bundled with the `GitHound` collector. + + +## Actions SHA Pinning Not Required + +Finds organizations that do not require SHA pinning for GitHub Actions. Without pinning, actions referenced by tag can be silently replaced with malicious versions. + +```cypher +MATCH (org:GH_Organization {actions_sha_pinning_required: false}) +RETURN org +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [actions-sha-pinning-not-required.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/actions-sha-pinning-not-required.json) file. + +## Active Leaked Secrets + +Finds secret scanning alerts that are both unresolved and confirmed active. These are valid, usable credentials committed to source code and represent an immediate compromise risk. + +```cypher +MATCH p=(:GH_Repository)-[:GH_Contains]->(alert:GH_SecretScanningAlert {state: 'open', validity: 'active'}) +RETURN p +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [active-leaked-secrets.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/active-leaked-secrets.json) file. + +## Advanced Security Disabled for New Repositories + +Finds organizations where GitHub Advanced Security is not automatically enabled for new repositories. New repositories will lack code scanning, secret scanning, and other GHAS features. 
+ +```cypher +MATCH (org:GH_Organization {advanced_security_enabled_for_new_repositories: false}) +RETURN org +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [advanced-security-disabled-new-repos.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/advanced-security-disabled-new-repos.json) file. + +## All GitHub Actions Allowed + +Finds organizations that allow all GitHub Actions to run, including third-party actions from the marketplace. This creates supply chain risk if a malicious or compromised action is used. + +```cypher +MATCH (org:GH_Organization {actions_allowed_actions: 'all'}) +RETURN org +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [all-actions-allowed.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/all-actions-allowed.json) file. + +## App Installations with Access to All Repositories + +Finds GitHub App installations that have access to every repository in the organization. A compromised app credential would affect all repositories. + +```cypher +MATCH (app:GH_AppInstallation {repository_selection: 'all'}) +RETURN app +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [app-installations-all-repos.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/app-installations-all-repos.json) file. + +## Branch Protection Rules - Admins Not Enforced + +Finds branch protection rules where administrators can bypass all protections. Admins can push directly, skip reviews, and override status checks on these branches. + +```cypher +MATCH p=(:GH_BranchProtectionRule {enforce_admins: false})-[:GH_ProtectedBy]->(:GH_Branch) +RETURN p +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [branch-protection-admins-not-enforced.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/branch-protection-admins-not-enforced.json) file. 
+
+## Branch Protection Rules - Deletions Allowed
+
+Finds protected branches that can be deleted. Branch deletion can result in loss of code and removal of audit history.
+
+```cypher
+MATCH p=(:GH_BranchProtectionRule {allows_deletions: true})-[:GH_ProtectedBy]->(:GH_Branch)
+RETURN p
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [branch-protection-deletions-allowed.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/branch-protection-deletions-allowed.json) file.
+
+## Branch Protection Rules - Force Pushes Allowed
+
+Finds branches where force pushes are allowed. Force pushes can rewrite commit history, potentially hiding malicious changes or destroying audit trails.
+
+```cypher
+MATCH p=(:GH_BranchProtectionRule {allows_force_pushes: true})-[:GH_ProtectedBy]->(:GH_Branch)
+RETURN p
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [branch-protection-force-pushes.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/branch-protection-force-pushes.json) file.
+
+## Branch Protection Rules - No Code Owner Reviews
+
+Finds branches where code owner reviews are not required. Changes to security-critical paths can be merged without authorization from the designated code owners.
+
+```cypher
+MATCH p=(:GH_BranchProtectionRule {require_code_owner_reviews: false})-[:GH_ProtectedBy]->(:GH_Branch)
+RETURN p
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [branch-protection-no-code-owner-reviews.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/branch-protection-no-code-owner-reviews.json) file.
+
+## Branch Protection Rules - No Pull Request Reviews Required
+
+Finds branches where pull request reviews are not required. Code can be merged directly without peer review, increasing the risk of undetected vulnerabilities or malicious changes.
+
+```cypher
+MATCH p=(:GH_BranchProtectionRule {required_pull_request_reviews: false})-[:GH_ProtectedBy]->(:GH_Branch)
+RETURN p
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [branch-protection-no-pr-reviews.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/branch-protection-no-pr-reviews.json) file.
+
+## Branch Protection Rules - No Status Checks Required
+
+Finds branches where CI/CD status checks are not required before merging. Code with failing tests or security scans can be merged into protected branches.
+
+```cypher
+MATCH p=(:GH_BranchProtectionRule {requires_status_checks: false})-[:GH_ProtectedBy]->(:GH_Branch)
+RETURN p
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [branch-protection-no-status-checks.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/branch-protection-no-status-checks.json) file.
+
+## Branch Protection Rules - Self-Approval Allowed
+
+Finds branches where the author of the last push can approve their own pull request. This allows a single person to both write and approve code changes.
+
+```cypher
+MATCH p=(:GH_BranchProtectionRule {require_last_push_approval: false})-[:GH_ProtectedBy]->(:GH_Branch)
+RETURN p
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [branch-protection-self-approval.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/branch-protection-self-approval.json) file.
+
+## Branch Protection Rules - Stale Reviews Not Dismissed
+
+Finds branches where stale reviews are not dismissed when new commits are pushed. An attacker could get a review approved, then push additional malicious commits that inherit the stale approval.
+
+```cypher
+MATCH p=(:GH_BranchProtectionRule {dismisses_stale_reviews: false})-[:GH_ProtectedBy]->(:GH_Branch)
+RETURN p
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [branch-protection-stale-reviews.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/branch-protection-stale-reviews.json) file.
+
+## Users Who Can Bypass Pull Request Requirements
+
+Finds users and teams that can bypass pull request review requirements on protected branches. These actors can merge code without any reviews.
+
+```cypher
+MATCH p=(actor)-[:GH_BypassPullRequestAllowances]->(rule:GH_BranchProtectionRule)-[:GH_ProtectedBy]->(branch:GH_Branch)
+RETURN p
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [bypass-pr-requirements.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/bypass-pr-requirements.json) file.
+
+## Dangerous Branch Permissions
+
+Identifies users with dangerous branch permissions in a GitHub organization, including bypass allowances on protection rules.
+
+```cypher
+MATCH p=(:GH_User)-[:GH_HasRole|GH_HasBaseRole|GH_MemberOf*1..]->(:GH_RepoRole)-[:GH_PushProtectedBranch|GH_BypassBranchProtection]-(r:GH_Repository)
+MATCH p1=(:GH_User)-[:GH_BypassPullRequestAllowances|GH_RestrictionsCanPush]->(rule:GH_BranchProtectionRule)-[:GH_ProtectedBy]->(b:GH_Branch)
+RETURN p,p1
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [dangerous-branch-perms.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/dangerous-branch-perms.json) file.
+
+## Organizations with default repository permission
+
+Returns organizations that have a default repository permission other than 'none'.
+
+```cypher
+MATCH (o:GH_Organization)
+WHERE o.default_repository_permission <> 'none'
+RETURN o
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [default-repository-permissions.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/default-repository-permissions.json) file.
+
+## [Demo] SSO Round-Trip: Azure/Okta → GitHub → Cloud Identity
+
+The cloud-to-cloud pivot through GitHub: a compromised Azure or Okta identity syncs to a GitHub user via SSO. That GitHub user has write access to repositories configured with OIDC federation to Azure workload identities. The attacker pivots from one cloud identity through GitHub into a completely different Azure identity — crossing cloud boundaries twice in a single attack chain.
+
+```cypher
+MATCH p1=(extUser)-[:SyncedToGHUser]->(ghUser:GH_User)
+MATCH p2=(ghUser)-[:GH_HasRole|GH_HasBaseRole|GH_MemberOf*1..]->(:GH_RepoRole)-[:GH_WriteRepoContents]->(:GH_Repository)-[:GH_CanAssumeIdentity]->(cred:AZFederatedIdentityCredential)
+RETURN p1, p2
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [demo-sso-to-cloud-round-trip.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/demo-sso-to-cloud-round-trip.json) file.
+
+## Dependabot Alerts Disabled for New Repositories
+
+Finds organizations where Dependabot alerts are not enabled for new repositories. Vulnerable dependencies in new repositories will go undetected.
+
+```cypher
+MATCH (org:GH_Organization {dependabot_alerts_enabled_for_new_repositories: false})
+RETURN org
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [dependabot-alerts-disabled-new-repos.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/dependabot-alerts-disabled-new-repos.json) file.
+
+## Dependabot Security Updates Disabled for New Repositories
+
+Finds organizations where Dependabot security update PRs are not enabled for new repositories. Known vulnerable dependencies will not receive automated fix PRs.
+
+```cypher
+MATCH (org:GH_Organization {dependabot_security_updates_enabled_for_new_repositories: false})
+RETURN org
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [dependabot-updates-disabled-new-repos.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/dependabot-updates-disabled-new-repos.json) file.
+
+## Dependency Graph Disabled for New Repositories
+
+Finds organizations where the dependency graph is not enabled for new repositories. Without the dependency graph, transitive dependency vulnerabilities cannot be tracked.
+
+```cypher
+MATCH (org:GH_Organization {dependency_graph_enabled_for_new_repositories: false})
+RETURN org
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [dependency-graph-disabled-new-repos.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/dependency-graph-disabled-new-repos.json) file.
+
+## Environments Where Admins Can Bypass Protections
+
+Finds deployment environments where administrators can bypass protection rules such as required reviewers and wait timers. Admins can deploy to these environments without any approval.
+
+```cypher
+MATCH p=(:GH_Repository)-[:GH_HasEnvironment]->(env:GH_Environment {can_admins_bypass: true})
+RETURN p
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [environments-admin-bypass.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/environments-admin-bypass.json) file.
+
+## Expired Personal Access Tokens
+
+Finds expired personal access tokens that still exist. Expired tokens should be cleaned up to reduce credential inventory and audit noise.
+
+```cypher
+MATCH p=(:GH_User)-[:GH_HasPersonalAccessToken]->(token:GH_PersonalAccessToken {token_expired: true})
+RETURN p
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [expired-pats.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/expired-pats.json) file.
+
+## External Identities Without SCIM Provisioning
+
+Finds external identities that lack SCIM synchronization. Without SCIM, user deprovisioning in the identity provider will not automatically revoke GitHub access.
+
+```cypher
+MATCH (ei:GH_ExternalIdentity)
+WHERE ei.scim_identity_username = ''
+RETURN ei
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [external-identities-without-scim.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/external-identities-without-scim.json) file.
+
+## GitHub-to-Azure Identity Assumptions
+
+Finds GitHub entities (repositories, branches, environments) that can assume Azure identities via OIDC federation. Verify that each trust relationship is intentional and scoped appropriately.
+
+```cypher
+MATCH p=(src)-[:GH_CanAssumeIdentity]->(cred:AZFederatedIdentityCredential)
+RETURN p
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [github-to-azure-identity.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/github-to-azure-identity.json) file.
+
+## Global Repo Permissions
+
+Returns all users who hold a global repository permission role (i.e., roles that are not default).
+
+```cypher
+MATCH p=(:GH_User)-[:GH_HasBaseRole|GH_HasRole|GH_MemberOf*1..3]->(role:GH_OrgRole)
+WHERE role.short_name CONTAINS 'all_repo_'
+RETURN p
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [global-repo-perms.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/global-repo-perms.json) file.
+
+## External Identities
+
+Returns all external identities (e.g., Azure or Okta users) that are associated with GitHub users.
+
+```cypher
+MATCH p=(s)-[]->(d:GH_User)
+WHERE s:AZUser
+OR s:Okta_User
+RETURN p
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [hybrid-identities.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/hybrid-identities.json) file.
+
+## Members Can Change Repository Visibility
+
+Finds organizations where members can change repository visibility. This allows any member to make a private repository public, potentially exposing source code and secrets.
+
+```cypher
+MATCH (org:GH_Organization {members_can_change_repo_visibility: true})
+RETURN org
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [members-can-change-repo-visibility.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/members-can-change-repo-visibility.json) file.
+
+## Members Can Create GitHub Pages
+
+Finds organizations where members can create GitHub Pages sites. Pages can be used to host phishing content, data exfiltration endpoints, or other malicious resources.
+
+```cypher
+MATCH (org:GH_Organization {members_can_create_pages: true})
+RETURN org
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [members-can-create-pages.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/members-can-create-pages.json) file.
+
+## Members Can Create Public Repositories
+
+Finds organizations where members can create internet-facing public repositories. This increases the risk of accidental exposure of proprietary code or secrets.
+
+```cypher
+MATCH (org:GH_Organization {members_can_create_public_repositories: true})
+RETURN org
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [members-can-create-public-repos.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/members-can-create-public-repos.json) file.
+
+## Members Can Delete Repositories
+
+Finds organizations where members can delete repositories. This poses a risk of accidental or malicious destruction of code and audit history.
+
+```cypher
+MATCH (org:GH_Organization {members_can_delete_repositories: true})
+RETURN org
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [members-can-delete-repos.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/members-can-delete-repos.json) file.
+
+## Members Can Fork Private Repositories
+
+Finds organizations where members can fork private repositories to personal accounts. Forked copies leave organizational control and oversight.
+
+```cypher
+MATCH (org:GH_Organization {members_can_fork_private_repositories: true})
+RETURN org
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [members-can-fork-private-repos.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/members-can-fork-private-repos.json) file.
+
+## Members Can Invite Outside Collaborators
+
+Finds organizations where any member can invite external users. This can lead to unauthorized third-party access to repositories without centralized oversight.
+
+```cypher
+MATCH (org:GH_Organization {members_can_invite_outside_collaborators: true})
+RETURN org
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [members-can-invite-outside-collaborators.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/members-can-invite-outside-collaborators.json) file.
+
+## Organization Owners
+
+Returns all users hold the organization owners role.
+
+```cypher
+MATCH p=(:GH_User)-[:GH_HasRole]->(:GH_OrgRole {short_name:'owners'})
+RETURN p
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [org-owners.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/org-owners.json) file.
+
+## Organizations without 2FA
+
+Returns organizations that do not require two-factor authentication.
+
+```cypher
+MATCH (o:GH_Organization)
+WHERE o.two_factor_requirement_enabled = false
+RETURN o
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [orgs-without-2fa.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/orgs-without-2fa.json) file.
+
+## PATs with Access to All Repositories
+
+Finds fine-grained personal access tokens scoped to all repositories. A single compromised token grants access to every repository in the organization.
+
+```cypher
+MATCH p=(:GH_User)-[:GH_HasPersonalAccessToken]->(token:GH_PersonalAccessToken {repository_selection: 'all'})
+RETURN p
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [pats-all-repo-access.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/pats-all-repo-access.json) file.
+
+## Pending PAT Requests
+
+Finds pending fine-grained personal access token requests awaiting approval. Review these to ensure requested permissions are appropriate before granting access.
+
+```cypher
+MATCH p=(:GH_User)-[:GH_HasPersonalAccessTokenRequest]->(req:GH_PersonalAccessTokenRequest)
+RETURN p
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [pending-pat-requests.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/pending-pat-requests.json) file.
+
+## Private Repositories with Forking Allowed
+
+Finds private repositories that allow forking. Forked copies of private repositories can leave organizational governance and visibility.
+
+```cypher
+MATCH (repo:GH_Repository {visibility: 'private', allow_forking: true})
+RETURN repo
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [private-repos-forking-allowed.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/private-repos-forking-allowed.json) file.
+
+## Privileged Custom Org Roles
+
+Returns all custom organization roles that are privileged (i.e., have permissions that are not default)
+
+```cypher
+MATCH p=(role:GH_OrgRole {type:'custom'})-[r]->(dest)
+WHERE dest:GH_Organization
+OR dest:GH_OrgRole
+RETURN p
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [privileged-custom-org-roles.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/privileged-custom-org-roles.json) file.
+
+## Privileged Hybrid Identities
+
+Returns all hybrid identities (e.g., Azure or Okta users) that are associated with GitHub users who hold the organization owners role.
+
+```cypher
+MATCH p=()-[:GH_SyncedTo]->(:GH_User)-[:GH_HasRole]->(:GH_OrgRole {short_name:'owners'})
+RETURN p
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [privileged-hybrid-identities.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/privileged-hybrid-identities.json) file.
+
+## Public Repositories
+
+Returns all public repositories.
+
+```cypher
+MATCH (repo:GH_Repository {private: false})
+RETURN repo
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [public-repos.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/public-repos.json) file.
+
+## Secret Scanning Push Protection Disabled for New Repositories
+
+Finds organizations where push protection is not enabled for new repositories. Without push protection, secrets can be committed without being blocked before they reach the repository.
+
+```cypher
+MATCH (org:GH_Organization {secret_scanning_push_protection_enabled_for_new_repositories: false})
+RETURN org
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [push-protection-disabled-new-repos.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/push-protection-disabled-new-repos.json) file.
+
+## Users Who Can Push to Protected Branches
+
+Finds users and teams that are allowed to push directly to protected branches when push restrictions are enabled. These actors bypass the normal pull request workflow.
+
+```cypher
+MATCH p=(actor)-[:GH_RestrictionsCanPush]->(rule:GH_BranchProtectionRule)-[:GH_ProtectedBy]->(branch:GH_Branch)
+RETURN p
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [push-to-protected-branches.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/push-to-protected-branches.json) file.
+
+## Repositories with Secret Scanning Disabled
+
+Finds repositories where secret scanning is disabled. Committed credentials in these repositories will not be detected by GitHub.
+
+```cypher
+MATCH (repo:GH_Repository {secret_scanning: 'disabled'})
+RETURN repo
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [repos-secret-scanning-disabled.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/repos-secret-scanning-disabled.json) file.
+
+## Repos Vulnerable to Workflow Secret Exfiltration
+
+Secrets reachable by users who can create new branches (computed by Compute-GitHoundBranchAccess). The GH_CanCreateBranch edge accounts for branch protection rules, push restrictions, blocks_creations settings, and all bypass mechanisms (admin, push_protected_branch, pushAllowances). Edges emit from RepoRole in the common case; per-actor edges from User/Team are only present when per-rule allowances grant additional access beyond the role.
+
+```cypher
+MATCH p1=(:GH_User)-[:GH_HasRole|GH_HasBaseRole|GH_MemberOf*1..]->(:GH_RepoRole)-[:GH_CanCreateBranch]->(repo:GH_Repository)-[:GH_HasSecret]->(s)
+WHERE (s:GH_RepoSecret
+OR s:GH_OrgSecret)
+OPTIONAL MATCH p2=(repo)<-[:GH_CanCreateBranch]-(:GH_User)
+OPTIONAL MATCH p3=(repo)<-[:GH_CanCreateBranch]-(:GH_Team)<-[:GH_HasRole|GH_MemberOf|GH_AddMember*1..]-(:GH_User)
+RETURN p1, p2, p3
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [repos-vulnerable-to-workflow-secret-exfil.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/repos-vulnerable-to-workflow-secret-exfil.json) file.
+
+## Repository Workflows
+
+Returns all repository workflows
+
+```cypher
+MATCH p=(:GH_Repository)-[:GH_HasWorkflow]->(:GH_Workflow)
+RETURN p
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [repository-workflows.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/repository-workflows.json) file.
+
+## SAML Configuration Mapping
+
+Finds SAML Identity Providers, their external identities, and mapped users.
+
+```cypher
+MATCH p=(OIP:GH_SamlIdentityProvider)-[:GH_HasExternalIdentity]->(EI:GH_ExternalIdentity)
+MATCH p1=(OIP)<-[:GH_HasSamlIdentityProvider]-(:GH_Organization)
+MATCH p2=(EI)-[:GH_MapsToUser]->()
+RETURN p,p1,p2
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [saml-configuration.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/saml-configuration.json) file.
+
+## Secret Scanning Alerts
+
+Returns all repositories that have secret scanning alerts.
+
+```cypher
+MATCH p=(repo:GH_Repository)-[:GH_Contains]->(:GH_SecretScanningAlert {state:'open'})
+RETURN p
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [secret-scanning-alerts.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/secret-scanning-alerts.json) file.
+
+## Secret Scanning Disabled for New Repositories
+
+Finds organizations where secret scanning is not automatically enabled for new repositories. New repositories will not detect committed credentials until manually enabled.
+
+```cypher
+MATCH (org:GH_Organization {secret_scanning_enabled_for_new_repositories: false})
+RETURN org
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [secret-scanning-disabled-new-repos.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/secret-scanning-disabled-new-repos.json) file.
+
+## Secrets Reachable by User
+
+Returns all repo and org secrets reachable by users through write access. Users with write access can create GitHub Actions workflows to access secrets.
+
+```cypher
+MATCH p=(:GH_User)-[:GH_HasRole|GH_HasBaseRole|GH_MemberOf*1..]->(:GH_RepoRole)-[:GH_WriteRepoContents]->(:GH_Repository)-[:GH_HasSecret]->(s)
+WHERE s:GH_RepoSecret
+OR s:GH_OrgSecret
+RETURN p
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [secrets-reachable-by-user.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/secrets-reachable-by-user.json) file.
+
+## Team Membership Admins
+
+Returns all users who hold the maintainer role over a team, this also represents team nesting.
+
+```cypher
+MATCH p=(:GH_User)-[:GH_HasRole]->(:GH_TeamRole)-[:GH_AddMember]->(team:GH_Team)
+MATCH p1=(team)<-[:GH_MemberOf]-(:GH_Team)<-[:GH_AddMember]-(:GH_TeamRole)<-[:GH_HasRole]-(:GH_User)
+RETURN p,p1
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [team-membership-admin.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/team-membership-admin.json) file.
+
+## Team Structure
+
+Returns the structure of teams within organizations, including team roles and their members.
+
+```cypher
+MATCH p=(:GH_User)-[:GH_HasRole]->(:GH_TeamRole)-[:GH_MemberOf*1..]->(:GH_Team)
+RETURN p
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [team-structure.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/team-structure.json) file.
+
+## Unprotected Branches
+
+Returns all unprotected branches in repositories.
+
+```cypher
+MATCH p=(repo:GH_Repository)-[:GH_HasBranch]-(:GH_Branch {protected: false})
+RETURN p
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [unprotected-branches.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/unprotected-branches.json) file.
+
+## Repositories with Workflows and Unprotected Default Branch
+
+Returns all repositories that have GitHub Actions workflows and an unprotected default branch. This means that users with GH_WriteRepoContents to the Repository can overwrite or change the workflow.
+
+```cypher
+MATCH p=(repo:GH_Repository)-[:GH_HasWorkflow]->(:GH_Workflow)
+MATCH p1=(repo)-[:GH_HasBranch]->(branch:GH_Branch)
+WHERE repo.default_branch = branch.short_name
+RETURN p1
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [unprotected-default-branch-with-workflow.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/unprotected-default-branch-with-workflow.json) file.
+
+## Unprotected Default Branches
+
+Returns all default branches in repositories that are not protected.
+
+```cypher
+MATCH p=(repo:GH_Repository)-[:GH_HasBranch]-(branch:GH_Branch {protected: false})
+WHERE repo.default_branch = branch.short_name
+RETURN p
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [unprotected-default-branches.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/unprotected-default-branches.json) file.
+
+## Web Commit Signoff Not Required
+
+Finds organizations that do not require sign-off for web-based commits. Without signoff, commit attribution cannot be verified.
+
+```cypher
+MATCH (org:GH_Organization {web_commit_signoff_required: false})
+RETURN org
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [web-commit-signoff-not-required.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/web-commit-signoff-not-required.json) file.
+
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/schema.mdx b/docs/official-docs/opengraph/extensions/githound/reference/schema.mdx
new file mode 100644
index 0000000..b54bc40
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/githound/reference/schema.mdx
@@ -0,0 +1,196 @@
+---
+title: Schema
+description: The OpenGraph extension schema for GitHound
+icon: circle-nodes
+---
+
+Applies to BloodHound Enterprise and CE
+## Metadata
+
+**Name:** GitHound
+**Display Name:** GitHub (GitHound)
+**Version:** v1.2.0
+**Namespace:** GH
+**Environment Kind:** GH_Organization
+**Source Kind:** GitHub
+
+
+This file is automatically generated from the [schema.json](https://github.com/SpecterOps/openhound-github/blob/main/extension/schema.json) file
+that is bundled with GitHub (GitHound).
+
+
+## Nodes
+
+| Icon | Node Kind | Display Name |
+|------|-----------|--------------|
+| ![GH_App](/images/extensions/githound/reference/gh_app.png) | [GH_App](/opengraph/extensions/githound/reference/nodes/gh_app) | GitHub App |
+| ![GH_AppInstallation](/images/extensions/githound/reference/gh_appinstallation.png) | [GH_AppInstallation](/opengraph/extensions/githound/reference/nodes/gh_appinstallation) | GitHub App Installation |
+| ![GH_Branch](/images/extensions/githound/reference/gh_branch.png) | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | GitHub Branch |
+| ![GH_BranchProtectionRule](/images/extensions/githound/reference/gh_branchprotectionrule.png) | [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) | GitHub Branch Protection Rule |
+| ![GH_Enterprise](/images/extensions/githound/reference/gh_enterprise.png) | [GH_Enterprise](/opengraph/extensions/githound/reference/nodes/gh_enterprise) | GitHub Enterprise |
+| ![GH_EnterpriseRole](/images/extensions/githound/reference/gh_enterpriserole.png) | [GH_EnterpriseRole](/opengraph/extensions/githound/reference/nodes/gh_enterpriserole) | GitHub Enterprise Role |
+| ![GH_EnterpriseTeam](/images/extensions/githound/reference/gh_enterpriseteam.png) | [GH_EnterpriseTeam](/opengraph/extensions/githound/reference/nodes/gh_enterpriseteam) | GitHub Enterprise Team |
+| ![GH_Environment](/images/extensions/githound/reference/gh_environment.png) | [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) | GitHub Environment |
+| ![GH_EnvironmentSecret](/images/extensions/githound/reference/gh_environmentsecret.png) | [GH_EnvironmentSecret](/opengraph/extensions/githound/reference/nodes/gh_environmentsecret) | GitHub Environment Secret |
+| ![GH_EnvironmentVariable](/images/extensions/githound/reference/gh_environmentvariable.png) | [GH_EnvironmentVariable](/opengraph/extensions/githound/reference/nodes/gh_environmentvariable) | GitHub Environment Variable |
+| ![GH_ExternalIdentity](/images/extensions/githound/reference/gh_externalidentity.png) | [GH_ExternalIdentity](/opengraph/extensions/githound/reference/nodes/gh_externalidentity) | GitHub External Identity |
+| ![GH_Organization](/images/extensions/githound/reference/gh_organization.png) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GitHub Organization |
+| ![GH_OrgRole](/images/extensions/githound/reference/gh_orgrole.png) | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | GitHub Org Role |
+| ![GH_OrgSecret](/images/extensions/githound/reference/gh_orgsecret.png) | [GH_OrgSecret](/opengraph/extensions/githound/reference/nodes/gh_orgsecret) | GitHub Org Secret |
+| ![GH_OrgVariable](/images/extensions/githound/reference/gh_orgvariable.png) | [GH_OrgVariable](/opengraph/extensions/githound/reference/nodes/gh_orgvariable) | GitHub Org Variable |
+| ![GH_PersonalAccessToken](/images/extensions/githound/reference/gh_personalaccesstoken.png) | [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) | GitHub Personal Access Token |
+| ![GH_PersonalAccessTokenRequest](/images/extensions/githound/reference/gh_personalaccesstokenrequest.png) | [GH_PersonalAccessTokenRequest](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstokenrequest) | GitHub Personal Access Token Request |
+| ![GH_RepoRole](/images/extensions/githound/reference/gh_reporole.png) | [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GitHub Repo Role |
+| ![GH_RepoSecret](/images/extensions/githound/reference/gh_reposecret.png) | [GH_RepoSecret](/opengraph/extensions/githound/reference/nodes/gh_reposecret) | GitHub Repo Secret |
+| ![GH_Repository](/images/extensions/githound/reference/gh_repository.png) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GitHub Repository |
+| ![GH_RepoVariable](/images/extensions/githound/reference/gh_repovariable.png) | [GH_RepoVariable](/opengraph/extensions/githound/reference/nodes/gh_repovariable) | GitHub Repo Variable |
+| ![GH_SamlIdentityProvider](/images/extensions/githound/reference/gh_samlidentityprovider.png) | [GH_SamlIdentityProvider](/opengraph/extensions/githound/reference/nodes/gh_samlidentityprovider) | GitHub SAML Identity Provider |
+| ![GH_SecretScanningAlert](/images/extensions/githound/reference/gh_secretscanningalert.png) | [GH_SecretScanningAlert](/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert) | GitHub Secret Scanning Alert |
+| ![GH_Team](/images/extensions/githound/reference/gh_team.png) | [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | GitHub Team |
+| ![GH_TeamRole](/images/extensions/githound/reference/gh_teamrole.png) | [GH_TeamRole](/opengraph/extensions/githound/reference/nodes/gh_teamrole) | GitHub Team Role |
+| ![GH_User](/images/extensions/githound/reference/gh_user.png) | [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GitHub User |
+| ![GH_Workflow](/images/extensions/githound/reference/gh_workflow.png) | [GH_Workflow](/opengraph/extensions/githound/reference/nodes/gh_workflow) | GitHub Workflow |
+| ![GH_WorkflowJob](/images/extensions/githound/reference/gh_workflowjob.png) | [GH_WorkflowJob](/opengraph/extensions/githound/reference/nodes/gh_workflowjob) | GitHub Workflow Job |
+| ![GH_WorkflowStep](/images/extensions/githound/reference/gh_workflowstep.png) | [GH_WorkflowStep](/opengraph/extensions/githound/reference/nodes/gh_workflowstep) | GitHub Workflow Step |
+
+## Edges
+
+| Relationship Kind | Traversable | Description |
+|-------------------|:-----------:|-------------|
+| [GH_AddAssignee](/opengraph/extensions/githound/reference/edges/gh_addassignee) | ❌ | [Repository] Repo role can assign users to issues and pull requests |
+| [GH_AddCollaborator](/opengraph/extensions/githound/reference/edges/gh_addcollaborator) | ❌ | [Organization] Org role can add outside collaborators |
+| [GH_AddLabel](/opengraph/extensions/githound/reference/edges/gh_addlabel) | ❌ | [Repository] Repo role can add labels to issues and pull requests |
+| [GH_AddMember](/opengraph/extensions/githound/reference/edges/gh_addmember) | ✅ | Team role can add members to the team (maintainer privilege) |
+| [GH_AdminTo](/opengraph/extensions/githound/reference/edges/gh_adminto) | ❌ | [Repository] Repo role has admin access to the repository. |
+| [GH_BypassBranchProtection](/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection) | ❌ | [Repository] Repo role can bypass merge-gate branch protections (PR reviews, lock branch). Suppressed by enforce_admins. |
+| [GH_BypassPullRequestAllowances](/opengraph/extensions/githound/reference/edges/gh_bypasspullrequestallowances) | ❌ | User or team can bypass pull request requirements on a branch protection rule |
+| [GH_CallsWorkflow](/opengraph/extensions/githound/reference/edges/gh_callsworkflow) | ✅ | [Workflow] Job calls a reusable workflow — GH_WorkflowJob → GH_Workflow |
+| [GH_CanAccess](/opengraph/extensions/githound/reference/edges/gh_canaccess) | ❌ | Personal access token or app installation can access this repository or organization |
+| [GH_CanAssumeIdentity](/opengraph/extensions/githound/reference/edges/gh_canassumeidentity) | ✅ | Repository can assume this cloud identity via OIDC federation (Azure workload identity or AWS IAM role) |
+| [GH_CanCreateBranch](/opengraph/extensions/githound/reference/edges/gh_cancreatebranch) | ✅ | [Repository - Computed] Role can create new branches in this repository (unprotected branches that bypass the merge gate) |
+| [GH_CanEditProtection](/opengraph/extensions/githound/reference/edges/gh_caneditprotection) | ✅ | [Repository - Computed] Repo role can modify or remove the branch protection rules governing this branch (computed from GH_EditRepoProtections + GH_ProtectedBy) |
+| [GH_CanPwnRequest](/opengraph/extensions/githound/reference/edges/gh_canpwnrequest) | ✅ | [Computed] Repo role can exploit a pwn-requestable workflow to execute arbitrary code with the target's secrets and permissions — GH_RepoRole → GH_Repository / GH_Branch |
+| [GH_CanReadSecretScanningAlert](/opengraph/extensions/githound/reference/edges/gh_canreadsecretscanningalert) | ✅ | [Computed] Role can read secret scanning alerts (computed from GH_ViewSecretScanningAlerts permission + GH_Contains) |
+| [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) | ✅ | [Repository - Computed] Role can push to this branch after evaluating branch protection rules, push restrictions, and bypass allowances |
+| [GH_CloseDiscussion](/opengraph/extensions/githound/reference/edges/gh_closediscussion) | ❌ | [Repository] Repo role can close discussions |
+| [GH_CloseIssue](/opengraph/extensions/githound/reference/edges/gh_closeissue) | ❌ | [Repository] Repo role can close issues |
+| [GH_ClosePullRequest](/opengraph/extensions/githound/reference/edges/gh_closepullrequest) | ❌ | [Repository] Repo role can close pull requests |
+| [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | ❌ | Container relationship for organizational hierarchy (enterprise contains orgs, org contains secrets/variables, repo contains secrets/variables, environment contains secrets/variables) |
+| [GH_ConvertIssuesToDiscussions](/opengraph/extensions/githound/reference/edges/gh_convertissuestodiscussions) | ❌ | [Repository] Repo role can convert issues to discussions |
+| [GH_CreateDiscussionCategory](/opengraph/extensions/githound/reference/edges/gh_creatediscussioncategory) | ❌ | [Repository] Repo role can create discussion categories |
+| [GH_CreateEnterpriseOrganizations](/opengraph/extensions/githound/reference/edges/gh_createenterpriseorganizations) | ❌ | [Enterprise] Enterprise role can create new organizations within the enterprise |
+| [GH_CreateRepository](/opengraph/extensions/githound/reference/edges/gh_createrepository) | ❌ | [Organization] Org role can create repositories in the organization |
+| [GH_CreateSoloMergeQueueEntry](/opengraph/extensions/githound/reference/edges/gh_createsolomergequeueentry) | ❌ | Repo role can create solo merge queue entries |
+| [GH_CreateTag](/opengraph/extensions/githound/reference/edges/gh_createtag) | ❌ | [Repository] Repo role can create tags and releases |
+| [GH_CreateTeam](/opengraph/extensions/githound/reference/edges/gh_createteam) | ❌ | [Organization] Org role can create teams in the organization |
+| [GH_DeleteAlertsCodeScanning](/opengraph/extensions/githound/reference/edges/gh_deletealertscodescanning) | ❌ | [Repository] Repo role can delete code scanning alerts |
+| [GH_DeleteDiscussion](/opengraph/extensions/githound/reference/edges/gh_deletediscussion) | ❌ | [Repository] Repo role can delete discussions |
+| [GH_DeleteDiscussionComment](/opengraph/extensions/githound/reference/edges/gh_deletediscussioncomment) | ❌ | [Repository] Repo role can delete discussion comments |
+| [GH_DeleteIssue](/opengraph/extensions/githound/reference/edges/gh_deleteissue) | ❌ | [Repository] Repo role can delete issues |
+| [GH_DeleteTag](/opengraph/extensions/githound/reference/edges/gh_deletetag) | ❌ | [Repository] Repo role can delete tags and releases |
+| [GH_DependsOn](/opengraph/extensions/githound/reference/edges/gh_dependson) | ❌ | [Workflow] Job must run after another job (needs: dependency) — ordering only, not an access path |
+| [GH_DeploysTo](/opengraph/extensions/githound/reference/edges/gh_deploysto) | ❌ | [Workflow] Job deploys to a GitHub Environment — GH_WorkflowJob → GH_Environment |
+| [GH_EditCategoryOnDiscussion](/opengraph/extensions/githound/reference/edges/gh_editcategoryondiscussion) | ❌ | [Repository] Repo role can change the category of a discussion |
+| [GH_EditDiscussionCategory](/opengraph/extensions/githound/reference/edges/gh_editdiscussioncategory) | ❌ | [Repository] Repo role can edit discussion categories |
+| [GH_EditDiscussionComment](/opengraph/extensions/githound/reference/edges/gh_editdiscussioncomment) | ❌ | [Repository] Repo role can edit discussion comments |
+| [GH_EditEnterpriseCustomPropertiesForOrganizations](/opengraph/extensions/githound/reference/edges/gh_editenterprisecustompropertiesfororganizations) | ❌ | [Enterprise] Enterprise role can edit custom properties for organizations |
+| [GH_EditRepoAnnouncementBanners](/opengraph/extensions/githound/reference/edges/gh_editrepoannouncementbanners) | ❌ | [Repository] Repo role can edit repository announcement banners |
+| [GH_EditRepoCustomPropertiesValues](/opengraph/extensions/githound/reference/edges/gh_editrepocustompropertiesvalues) | ❌ | [Repository] Repo role can edit custom property values on the repository |
+| [GH_EditRepoMetadata](/opengraph/extensions/githound/reference/edges/gh_editrepometadata) | ❌ | [Repository] Repo role can edit repository metadata |
+| [GH_EditRepoProtections](/opengraph/extensions/githound/reference/edges/gh_editrepoprotections) | ❌ | Repo role can edit branch protection rules |
+| [GH_HasBaseRole](/opengraph/extensions/githound/reference/edges/gh_hasbaserole) | ✅ | Role inherits permissions from another role |
+| [GH_HasBranch](/opengraph/extensions/githound/reference/edges/gh_hasbranch) | ❌ | Repository has this branch |
+| [GH_HasEnvironment](/opengraph/extensions/githound/reference/edges/gh_hasenvironment) | ❌ | Repository or branch has/can deploy to this environment |
+| [GH_HasExternalIdentity](/opengraph/extensions/githound/reference/edges/gh_hasexternalidentity) | ❌ | SAML identity provider has this external identity |
+| 
[GH_HasJob](/opengraph/extensions/githound/reference/edges/gh_hasjob) | ✅ | [Workflow] Workflow contains this job — GH_Workflow → GH_WorkflowJob | +| [GH_HasMember](/opengraph/extensions/githound/reference/edges/gh_hasmember) | ❌ | Enterprise or organization has this user as a member | +| [GH_HasPersonalAccessToken](/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstoken) | ❌ | User owns this personal access token that has been granted access to the organization | +| [GH_HasPersonalAccessTokenRequest](/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstokenrequest) | ❌ | User has a pending personal access token request for the organization | +| [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | ✅ | User or team has a role assignment (org role, team role, or repo role) | +| [GH_HasSamlIdentityProvider](/opengraph/extensions/githound/reference/edges/gh_hassamlidentityprovider) | ❌ | Organization has this SAML identity provider configured | +| [GH_HasSecret](/opengraph/extensions/githound/reference/edges/gh_hassecret) | ✅ | Repository or environment has access to this secret | +| [GH_HasStep](/opengraph/extensions/githound/reference/edges/gh_hasstep) | ✅ | [Workflow] Job contains this step — GH_WorkflowJob → GH_WorkflowStep | +| [GH_HasVariable](/opengraph/extensions/githound/reference/edges/gh_hasvariable) | ✅ | Repository has access to this variable (org-level or repo-level) | +| [GH_HasWorkflow](/opengraph/extensions/githound/reference/edges/gh_hasworkflow) | ❌ | Repository has this workflow | +| [GH_InstalledAs](/opengraph/extensions/githound/reference/edges/gh_installedas) | ✅ | GitHub App is installed as this app installation on an organization | +| [GH_InviteMember](/opengraph/extensions/githound/reference/edges/gh_invitemember) | ❌ | [Organization] Org role can invite members to the organization | +| [GH_JumpMergeQueue](/opengraph/extensions/githound/reference/edges/gh_jumpmergequeue) | ❌ | Repo role can 
jump the merge queue | +| [GH_ManageDeployKeys](/opengraph/extensions/githound/reference/edges/gh_managedeploykeys) | ❌ | [Repository] Repo role can manage deploy keys | +| [GH_ManageDiscussionBadges](/opengraph/extensions/githound/reference/edges/gh_managediscussionbadges) | ❌ | [Repository] Repo role can manage discussion badges | +| [GH_ManageEnterpriseAdmins](/opengraph/extensions/githound/reference/edges/gh_manageenterpriseadmins) | ✅ | [Enterprise] Enterprise role can manage enterprise administrators | +| [GH_ManageEnterpriseIdentityProvider](/opengraph/extensions/githound/reference/edges/gh_manageenterpriseidentityprovider) | ❌ | [Enterprise] Enterprise role can manage the enterprise SAML identity provider configuration | +| [GH_ManageEnterpriseMembers](/opengraph/extensions/githound/reference/edges/gh_manageenterprisemembers) | ✅ | [Enterprise] Enterprise role can manage enterprise membership | +| [GH_ManageEnterpriseOrganizationAdmins](/opengraph/extensions/githound/reference/edges/gh_manageenterpriseorganizationadmins) | ✅ | [Enterprise] Enterprise role can manage organization administrators across the enterprise | +| [GH_ManageEnterpriseOrganizations](/opengraph/extensions/githound/reference/edges/gh_manageenterpriseorganizations) | ❌ | [Enterprise] Enterprise role can manage organizations within the enterprise | +| [GH_ManageEnterpriseReferrals](/opengraph/extensions/githound/reference/edges/gh_manageenterprisereferrals) | ❌ | [Enterprise] Enterprise role can manage enterprise referral settings | +| [GH_ManageEnterpriseTeams](/opengraph/extensions/githound/reference/edges/gh_manageenterpriseteams) | ❌ | [Enterprise] Enterprise role can manage enterprise teams | +| [GH_ManageOrganizationWebhooks](/opengraph/extensions/githound/reference/edges/gh_manageorganizationwebhooks) | ❌ | [Organization] Org role can manage organization webhooks | +| [GH_ManageRepoSecurityProducts](/opengraph/extensions/githound/reference/edges/gh_managereposecurityproducts) | ❌ | 
Repo role can manage repo-level security products | +| [GH_ManageSecurityProducts](/opengraph/extensions/githound/reference/edges/gh_managesecurityproducts) | ❌ | Repo role can manage security products | +| [GH_ManageSettingsMergeTypes](/opengraph/extensions/githound/reference/edges/gh_managesettingsmergetypes) | ❌ | [Repository] Repo role can manage allowed merge types | +| [GH_ManageSettingsPages](/opengraph/extensions/githound/reference/edges/gh_managesettingspages) | ❌ | [Repository] Repo role can manage GitHub Pages settings | +| [GH_ManageSettingsProjects](/opengraph/extensions/githound/reference/edges/gh_managesettingsprojects) | ❌ | [Repository] Repo role can manage project settings | +| [GH_ManageSettingsWiki](/opengraph/extensions/githound/reference/edges/gh_managesettingswiki) | ❌ | [Repository] Repo role can manage wiki settings | +| [GH_ManageTopics](/opengraph/extensions/githound/reference/edges/gh_managetopics) | ❌ | [Repository] Repo role can manage repository topics | +| [GH_ManageWebhooks](/opengraph/extensions/githound/reference/edges/gh_managewebhooks) | ❌ | [Repository] Repo role can manage repository webhooks | +| [GH_MapsToUser](/opengraph/extensions/githound/reference/edges/gh_mapstouser) | ❌ | External identity maps to a GitHub user or identity provider user | +| [GH_MarkAsDuplicate](/opengraph/extensions/githound/reference/edges/gh_markasduplicate) | ❌ | [Repository] Repo role can mark issues or pull requests as duplicates | +| [GH_MemberOf](/opengraph/extensions/githound/reference/edges/gh_memberof) | ✅ | Team role is a member of a team, or team is a nested member of a parent team | +| [GH_OrgBypassCodeScanningDismissalRequests](/opengraph/extensions/githound/reference/edges/gh_orgbypasscodescanningdismissalrequests) | ❌ | [Organization] Org role can bypass code scanning dismissal requests | +| [GH_OrgBypassSecretScanningClosureRequests](/opengraph/extensions/githound/reference/edges/gh_orgbypasssecretscanningclosurerequests) | ❌ | 
[Organization] Org role can bypass secret scanning closure requests | +| [GH_OrgReviewAndManageSecretScanningBypassRequests](/opengraph/extensions/githound/reference/edges/gh_orgreviewandmanagesecretscanningbypassrequests) | ❌ | [Organization] Org role can review and manage secret scanning bypass requests | +| [GH_OrgReviewAndManageSecretScanningClosureRequests](/opengraph/extensions/githound/reference/edges/gh_orgreviewandmanagesecretscanningclosurerequests) | ❌ | [Organization] Org role can review and manage secret scanning closure requests | +| [GH_Owns](/opengraph/extensions/githound/reference/edges/gh_owns) | ✅ | Organization owns a repository | +| [GH_ProtectedBy](/opengraph/extensions/githound/reference/edges/gh_protectedby) | ❌ | Branch protection rule protects this branch | +| [GH_PushProtectedBranch](/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch) | ❌ | [Repository] Repo role can push to branches with push restrictions. Not affected by enforce_admins. | +| [GH_ReadCodeScanning](/opengraph/extensions/githound/reference/edges/gh_readcodescanning) | ❌ | [Repository] Repo role can read code scanning results | +| [GH_ReadEnterpriseAuditLog](/opengraph/extensions/githound/reference/edges/gh_readenterpriseauditlog) | ❌ | [Enterprise] Enterprise role can read the enterprise audit log | +| [GH_ReadEnterpriseDomainVerification](/opengraph/extensions/githound/reference/edges/gh_readenterprisedomainverification) | ❌ | [Enterprise] Enterprise role can view the enterprise domain verification status | +| [GH_ReadEnterpriseMembers](/opengraph/extensions/githound/reference/edges/gh_readenterprisemembers) | ❌ | [Enterprise] Enterprise role can view enterprise membership | +| [GH_ReadEnterpriseOrganizationAdmin](/opengraph/extensions/githound/reference/edges/gh_readenterpriseorganizationadmin) | ❌ | [Enterprise] Enterprise role can view organization admin settings across the enterprise | +| 
[GH_ReadEnterpriseOrgProjects](/opengraph/extensions/githound/reference/edges/gh_readenterpriseorgprojects) | ❌ | [Enterprise] Enterprise role can view organization projects across the enterprise | +| [GH_ReadOrganizationActionsUsageMetrics](/opengraph/extensions/githound/reference/edges/gh_readorganizationactionsusagemetrics) | ❌ | [Organization] Org role can read Actions usage metrics | +| [GH_ReadOrganizationCustomOrgRole](/opengraph/extensions/githound/reference/edges/gh_readorganizationcustomorgrole) | ❌ | [Organization] Org role can read custom org role definitions | +| [GH_ReadOrganizationCustomRepoRole](/opengraph/extensions/githound/reference/edges/gh_readorganizationcustomreporole) | ❌ | [Organization] Org role can read custom repo role definitions | +| [GH_ReadRepoContents](/opengraph/extensions/githound/reference/edges/gh_readrepocontents) | ❌ | [Repository] Repo role can read repository contents | +| [GH_RemoveAssignee](/opengraph/extensions/githound/reference/edges/gh_removeassignee) | ❌ | [Repository] Repo role can remove assignees from issues and pull requests | +| [GH_RemoveLabel](/opengraph/extensions/githound/reference/edges/gh_removelabel) | ❌ | [Repository] Repo role can remove labels from issues and pull requests | +| [GH_ReopenDiscussion](/opengraph/extensions/githound/reference/edges/gh_reopendiscussion) | ❌ | [Repository] Repo role can reopen discussions | +| [GH_ReopenIssue](/opengraph/extensions/githound/reference/edges/gh_reopenissue) | ❌ | [Repository] Repo role can reopen closed issues | +| [GH_ReopenPullRequest](/opengraph/extensions/githound/reference/edges/gh_reopenpullrequest) | ❌ | [Repository] Repo role can reopen closed pull requests | +| [GH_RequestPrReview](/opengraph/extensions/githound/reference/edges/gh_requestprreview) | ❌ | [Repository] Repo role can request pull request reviews | +| [GH_ResolveDependabotAlerts](/opengraph/extensions/githound/reference/edges/gh_resolvedependabotalerts) | ❌ | [Repository] Repo role can 
resolve Dependabot alerts | +| [GH_ResolveSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_resolvesecretscanningalerts) | ❌ | [Organization] Org role can resolve secret scanning alerts | +| [GH_RestrictionsCanPush](/opengraph/extensions/githound/reference/edges/gh_restrictionscanpush) | ❌ | User or team is allowed to push to branches protected by this rule | +| [GH_RunOrgMigration](/opengraph/extensions/githound/reference/edges/gh_runorgmigration) | ❌ | [Repository] Repo role can run organization migrations | +| [GH_SetEnterpriseInteractionLimits](/opengraph/extensions/githound/reference/edges/gh_setenterpriseinteractionlimits) | ❌ | [Enterprise] Enterprise role can set interaction limits for the enterprise | +| [GH_SetInteractionLimits](/opengraph/extensions/githound/reference/edges/gh_setinteractionlimits) | ❌ | [Repository] Repo role can set interaction limits on the repository | +| [GH_SetIssueType](/opengraph/extensions/githound/reference/edges/gh_setissuetype) | ❌ | [Repository] Repo role can set issue types | +| [GH_SetMilestone](/opengraph/extensions/githound/reference/edges/gh_setmilestone) | ❌ | [Repository] Repo role can set milestones on issues and pull requests | +| [GH_SetSocialPreview](/opengraph/extensions/githound/reference/edges/gh_setsocialpreview) | ❌ | [Repository] Repo role can set the repository social preview image | +| [GH_SyncedTo](/opengraph/extensions/githound/reference/edges/gh_syncedto) | ✅ | External identity (Azure, Okta, PingOne) is synced to this GitHub user via SSO/SCIM | +| [GH_ToggleDiscussionAnswer](/opengraph/extensions/githound/reference/edges/gh_togglediscussionanswer) | ❌ | [Repository] Repo role can toggle discussion answers | +| [GH_ToggleDiscussionCommentMinimize](/opengraph/extensions/githound/reference/edges/gh_togglediscussioncommentminimize) | ❌ | [Repository] Repo role can minimize discussion comments | +| 
[GH_TransferRepository](/opengraph/extensions/githound/reference/edges/gh_transferrepository) | ❌ | [Organization] Org role can transfer repositories | +| [GH_UsesSecret](/opengraph/extensions/githound/reference/edges/gh_usessecret) | ✅ | [Workflow] Step references a secret by name — GH_WorkflowStep → GH_Secret (name match) | +| [GH_UsesVariable](/opengraph/extensions/githound/reference/edges/gh_usesvariable) | ❌ | [Workflow] Step references a variable by name — GH_WorkflowStep → GH_Variable (name match) | +| [GH_ValidToken](/opengraph/extensions/githound/reference/edges/gh_validtoken) | ✅ | Secret scanning alert contains a valid, active token belonging to this user | +| [GH_ViewDependabotAlerts](/opengraph/extensions/githound/reference/edges/gh_viewdependabotalerts) | ❌ | [Repository] Repo role can view Dependabot alerts | +| [GH_ViewEnterpriseActionsUsageMetrics](/opengraph/extensions/githound/reference/edges/gh_viewenterpriseactionsusagemetrics) | ❌ | [Enterprise] Enterprise role can view GitHub Actions usage metrics for the enterprise | +| [GH_ViewEnterpriseBilling](/opengraph/extensions/githound/reference/edges/gh_viewenterprisebilling) | ❌ | [Enterprise] Enterprise role can view enterprise billing information | +| [GH_ViewEnterpriseSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_viewenterprisesecretscanningalerts) | ❌ | [Enterprise] Enterprise role can view secret scanning alerts across the enterprise | +| [GH_ViewSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts) | ❌ | [Repository] Role can view secret scanning alerts | +| [GH_WriteCodeScanning](/opengraph/extensions/githound/reference/edges/gh_writecodescanning) | ❌ | [Repository] Repo role can upload code scanning results | +| [GH_WriteEnterpriseActionsPolicies](/opengraph/extensions/githound/reference/edges/gh_writeenterpriseactionspolicies) | ❌ | [Enterprise] Enterprise role can modify GitHub Actions policies for the enterprise | +| 
[GH_WriteEnterpriseBilling](/opengraph/extensions/githound/reference/edges/gh_writeenterprisebilling) | ❌ | [Enterprise] Enterprise role can modify enterprise billing settings | +| [GH_WriteEnterprisePersonalAccessTokenPolicies](/opengraph/extensions/githound/reference/edges/gh_writeenterprisepersonalaccesstokenpolicies) | ❌ | [Enterprise] Enterprise role can modify personal access token policies for the enterprise | +| [GH_WriteEnterpriseSso](/opengraph/extensions/githound/reference/edges/gh_writeenterprisesso) | ❌ | [Enterprise] Enterprise role can modify enterprise SSO settings | +| [GH_WriteEnterpriseTeamMembers](/opengraph/extensions/githound/reference/edges/gh_writeenterpriseteammembers) | ❌ | [Enterprise] Enterprise role can modify enterprise team membership | +| [GH_WriteOrganizationActionsSecrets](/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionssecrets) | ❌ | [Organization] Org role can write Actions secrets | +| [GH_WriteOrganizationActionsSettings](/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionssettings) | ❌ | [Organization] Org role can write Actions settings | +| [GH_WriteOrganizationActionsVariables](/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionsvariables) | ❌ | [Organization] Org role can write Actions variables | +| [GH_WriteOrganizationCustomOrgRole](/opengraph/extensions/githound/reference/edges/gh_writeorganizationcustomorgrole) | ✅ | [Organization] Org role can write custom org role definitions | +| [GH_WriteOrganizationCustomRepoRole](/opengraph/extensions/githound/reference/edges/gh_writeorganizationcustomreporole) | ❌ | [Organization] Org role can write custom repo role definitions | +| [GH_WriteOrganizationNetworkConfigurations](/opengraph/extensions/githound/reference/edges/gh_writeorganizationnetworkconfigurations) | ❌ | [Organization] Org role can write network configurations | +| 
[GH_WriteRepoContents](/opengraph/extensions/githound/reference/edges/gh_writerepocontents) | ❌ | [Repository] Repo role can write repository contents |
+| [GH_WriteRepoPullRequests](/opengraph/extensions/githound/reference/edges/gh_writerepopullrequests) | ❌ | [Repository] Repo role can create and merge pull requests |
diff --git a/docs/og-docs-automation b/docs/og-docs-automation
new file mode 160000
index 0000000..e7d82db
--- /dev/null
+++ b/docs/og-docs-automation
@@ -0,0 +1 @@
+Subproject commit e7d82db32a71fe95bfb74e5d340331e75de64299
diff --git a/docs/og-docs.json b/docs/og-docs.json
new file mode 100644
index 0000000..0d8ea3c
--- /dev/null
+++ b/docs/og-docs.json
@@ -0,0 +1,12 @@
+{
+ "extensionSchemaPath": "extension/schema.json",
+ "gitHubBaseUrl": "https://github.com/SpecterOps/openhound-github",
+ "stripTitlePrefix": "GitHub: ",
+ "savedSearchesDir": "extension/saved_searches",
+ "zoneRulesDir": "extension/privilege_zone_rules",
+ "nodeDescriptionsDir": "descriptions/nodes",
+ "edgeDescriptionsDir": "descriptions/edges",
+ "imagesDir": "descriptions/images",
+ "iconSize": 32,
+ "iconScale": 0.55
+}
From de1122db63fa0b52432040b94551439501bd76ed Mon Sep 17 00:00:00 2001
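Review bot: Nothing in og-docs.json says what `iconSize` and `iconScale` mean or what units they carry — `32` reads as pixels and `0.55` as a ratio, but neither the key names nor any accompanying file states that, and strict JSON leaves no room for a comment. The consumer appears to be the og-docs-automation submodule pinned in the same commit, which makes this key set an unwritten contract with that pinned revision: a key typo here would presumably be ignored silently rather than rejected. A short README entry (or a `$schema` reference, if the automation publishes one) listing each key, its units and the submodule revision it targets would let a reviewer check future edits to this file without reading the automation source. Putting the unit in the key name (`iconSizePx`) would be the cleaner modelling, but it needs a matching change on the consumer side, so documenting the existing names is the lower-risk fix.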
From: JonasBK Date: Thu, 9 Apr 2026 14:31:25 +0200 Subject: [PATCH 03/16] improve official docs --- .../reference/edges/gh_addassignee.mdx | 2 +- .../reference/edges/gh_addcollaborator.mdx | 2 +- .../githound/reference/edges/gh_addlabel.mdx | 2 +- .../githound/reference/edges/gh_addmember.mdx | 2 +- .../githound/reference/edges/gh_adminto.mdx | 4 +- .../edges/gh_bypassbranchprotection.mdx | 2 +- .../edges/gh_bypasspullrequestallowances.mdx | 2 +- .../reference/edges/gh_callsworkflow.mdx | 2 +- .../githound/reference/edges/gh_canaccess.mdx | 2 +- .../reference/edges/gh_canassumeidentity.mdx | 2 +- .../reference/edges/gh_cancreatebranch.mdx | 4 +- .../reference/edges/gh_caneditprotection.mdx | 2 +- .../reference/edges/gh_canpwnrequest.mdx | 4 +- .../edges/gh_canreadsecretscanningalert.mdx | 2 +- .../reference/edges/gh_canwritebranch.mdx | 2 +- .../reference/edges/gh_closediscussion.mdx | 2 +- .../reference/edges/gh_closeissue.mdx | 2 +- .../reference/edges/gh_closepullrequest.mdx | 4 +- .../githound/reference/edges/gh_contains.mdx | 2 +- .../edges/gh_convertissuestodiscussions.mdx | 2 +- .../edges/gh_creatediscussioncategory.mdx | 2 +- .../reference/edges/gh_createrepository.mdx | 2 +- .../edges/gh_createsolomergequeueentry.mdx | 2 +- .../githound/reference/edges/gh_createtag.mdx | 2 +- .../reference/edges/gh_createteam.mdx | 2 +- .../edges/gh_deletealertscodescanning.mdx | 2 +- .../reference/edges/gh_deletediscussion.mdx | 2 +- .../edges/gh_deletediscussioncomment.mdx | 2 +- .../reference/edges/gh_deleteissue.mdx | 2 +- .../githound/reference/edges/gh_deletetag.mdx | 2 +- .../githound/reference/edges/gh_dependson.mdx | 2 +- .../githound/reference/edges/gh_deploysto.mdx | 2 +- .../edges/gh_editcategoryondiscussion.mdx | 2 +- .../edges/gh_editdiscussioncategory.mdx | 2 +- .../edges/gh_editdiscussioncomment.mdx | 2 +- .../edges/gh_editrepoannouncementbanners.mdx | 4 +- .../gh_editrepocustompropertiesvalues.mdx | 2 +- .../reference/edges/gh_editrepometadata.mdx | 2 +- 
.../edges/gh_editrepoprotections.mdx | 4 +- .../reference/edges/gh_hasbaserole.mdx | 6 +- .../githound/reference/edges/gh_hasbranch.mdx | 2 +- .../reference/edges/gh_hasenvironment.mdx | 2 +- .../edges/gh_hasexternalidentity.mdx | 2 +- .../githound/reference/edges/gh_hasjob.mdx | 2 +- .../edges/gh_haspersonalaccesstoken.mdx | 2 +- .../gh_haspersonalaccesstokenrequest.mdx | 2 +- .../githound/reference/edges/gh_hasrole.mdx | 2 +- .../edges/gh_hassamlidentityprovider.mdx | 4 +- .../githound/reference/edges/gh_hassecret.mdx | 2 +- .../githound/reference/edges/gh_hasstep.mdx | 2 +- .../reference/edges/gh_hasvariable.mdx | 2 +- .../reference/edges/gh_hasworkflow.mdx | 2 +- .../reference/edges/gh_installedas.mdx | 2 +- .../reference/edges/gh_invitemember.mdx | 2 +- .../reference/edges/gh_jumpmergequeue.mdx | 4 +- .../reference/edges/gh_managedeploykeys.mdx | 2 +- .../edges/gh_managediscussionbadges.mdx | 2 +- .../edges/gh_manageorganizationwebhooks.mdx | 2 +- .../edges/gh_managereposecurityproducts.mdx | 4 +- .../edges/gh_managesecurityproducts.mdx | 2 +- .../edges/gh_managesettingsmergetypes.mdx | 4 +- .../edges/gh_managesettingspages.mdx | 2 +- .../edges/gh_managesettingsprojects.mdx | 2 +- .../reference/edges/gh_managesettingswiki.mdx | 2 +- .../reference/edges/gh_managetopics.mdx | 2 +- .../reference/edges/gh_managewebhooks.mdx | 2 +- .../reference/edges/gh_mapstouser.mdx | 2 +- .../reference/edges/gh_markasduplicate.mdx | 2 +- .../githound/reference/edges/gh_memberof.mdx | 2 +- ...orgbypasscodescanningdismissalrequests.mdx | 2 +- ...orgbypasssecretscanningclosurerequests.mdx | 2 +- ...wandmanagesecretscanningbypassrequests.mdx | 2 +- ...andmanagesecretscanningclosurerequests.mdx | 2 +- .../githound/reference/edges/gh_owns.mdx | 2 +- .../reference/edges/gh_protectedby.mdx | 2 +- .../edges/gh_pushprotectedbranch.mdx | 2 +- .../reference/edges/gh_readcodescanning.mdx | 2 +- ...gh_readorganizationactionsusagemetrics.mdx | 2 +- .../gh_readorganizationcustomorgrole.mdx | 2 
+- .../gh_readorganizationcustomreporole.mdx | 2 +- .../reference/edges/gh_readrepocontents.mdx | 2 +- .../reference/edges/gh_removeassignee.mdx | 2 +- .../reference/edges/gh_removelabel.mdx | 2 +- .../reference/edges/gh_reopendiscussion.mdx | 2 +- .../reference/edges/gh_reopenissue.mdx | 2 +- .../reference/edges/gh_reopenpullrequest.mdx | 2 +- .../reference/edges/gh_requestprreview.mdx | 2 +- .../edges/gh_resolvedependabotalerts.mdx | 2 +- .../edges/gh_resolvesecretscanningalerts.mdx | 2 +- .../edges/gh_restrictionscanpush.mdx | 2 +- .../reference/edges/gh_runorgmigration.mdx | 4 +- .../edges/gh_setinteractionlimits.mdx | 4 +- .../reference/edges/gh_setissuetype.mdx | 2 +- .../reference/edges/gh_setmilestone.mdx | 2 +- .../reference/edges/gh_setsocialpreview.mdx | 2 +- .../githound/reference/edges/gh_syncedto.mdx | 2 +- .../edges/gh_togglediscussionanswer.mdx | 2 +- .../gh_togglediscussioncommentminimize.mdx | 2 +- .../reference/edges/gh_transferrepository.mdx | 2 +- .../reference/edges/gh_usessecret.mdx | 4 +- .../reference/edges/gh_usesvariable.mdx | 6 +- .../reference/edges/gh_validtoken.mdx | 2 +- .../edges/gh_viewdependabotalerts.mdx | 2 +- .../edges/gh_viewsecretscanningalerts.mdx | 2 +- .../reference/edges/gh_writecodescanning.mdx | 4 +- .../gh_writeorganizationactionssecrets.mdx | 2 +- .../gh_writeorganizationactionssettings.mdx | 2 +- .../gh_writeorganizationactionsvariables.mdx | 2 +- .../gh_writeorganizationcustomorgrole.mdx | 2 +- .../gh_writeorganizationcustomreporole.mdx | 2 +- ...writeorganizationnetworkconfigurations.mdx | 2 +- .../reference/edges/gh_writerepocontents.mdx | 2 +- .../edges/gh_writerepopullrequests.mdx | 2 +- .../githound/reference/nodes/gh_app.mdx | 6 +- .../reference/nodes/gh_appinstallation.mdx | 10 +- .../githound/reference/nodes/gh_branch.mdx | 18 ++- .../nodes/gh_branchprotectionrule.mdx | 12 +- .../reference/nodes/gh_environment.mdx | 12 +- .../reference/nodes/gh_environmentsecret.mdx | 6 +- 
.../nodes/gh_environmentvariable.mdx | 6 +- .../reference/nodes/gh_externalidentity.mdx | 10 +- .../reference/nodes/gh_organization.mdx | 38 +++-- .../githound/reference/nodes/gh_orgrole.mdx | 30 ++-- .../githound/reference/nodes/gh_orgsecret.mdx | 8 +- .../reference/nodes/gh_orgvariable.mdx | 8 +- .../nodes/gh_personalaccesstoken.mdx | 12 +- .../nodes/gh_personalaccesstokenrequest.mdx | 8 +- .../githound/reference/nodes/gh_reporole.mdx | 134 ++++++++-------- .../reference/nodes/gh_reposecret.mdx | 8 +- .../reference/nodes/gh_repository.mdx | 150 +++++++++--------- .../reference/nodes/gh_repovariable.mdx | 8 +- .../nodes/gh_samlidentityprovider.mdx | 8 +- .../nodes/gh_secretscanningalert.mdx | 10 +- .../githound/reference/nodes/gh_team.mdx | 18 ++- .../githound/reference/nodes/gh_teamrole.mdx | 10 +- .../githound/reference/nodes/gh_user.mdx | 28 ++-- .../githound/reference/nodes/gh_workflow.mdx | 6 +- docs/og-docs-automation | 2 +- 138 files changed, 462 insertions(+), 366 deletions(-) diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addassignee.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addassignee.mdx index 2928c4b..8476c01 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addassignee.mdx +++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addassignee.mdx 
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_AddAssignee](/opengraph/extensions/githound/reference/edges/gh_addassignee) edge represents a role's ability to assign users to issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_AddAssignee` edge represents a role's ability to assign users to issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addcollaborator.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addcollaborator.mdx
index 4860d39..9bcb4d3 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addcollaborator.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addcollaborator.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_AddCollaborator](/opengraph/extensions/githound/reference/edges/gh_addcollaborator) edge represents that a role has the ability to add outside collaborators to organization repositories. This permission is typically restricted to Owners, as it grants repository access to external users who are not members of the organization. Outside collaborators bypass organizational membership controls, making this permission significant for security because it can be used to grant access to untrusted external identities without the visibility that full membership provides.
+The non-traversable `GH_AddCollaborator` edge represents that a role has the ability to add outside collaborators to organization repositories. This permission is typically restricted to Owners, as it grants repository access to external users who are not members of the organization. Outside collaborators bypass organizational membership controls, making this permission significant for security because it can be used to grant access to untrusted external identities without the visibility that full membership provides.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addlabel.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addlabel.mdx
index 7f16956..cface8f 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addlabel.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addlabel.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_AddLabel](/opengraph/extensions/githound/reference/edges/gh_addlabel) edge represents a role's ability to add labels to issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_AddLabel` edge represents a role's ability to add labels to issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addmember.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addmember.mdx
index 43b066c..5a6d3bc 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addmember.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addmember.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The traversable [GH_AddMember](/opengraph/extensions/githound/reference/edges/gh_addmember) edge indicates that a team role with the Maintainer permission level can add new members to the team. It is created by `Git-HoundTeam` when enumerating team membership roles. This edge is traversable because the ability to add members grants indirect access -- a maintainer can add any user to the team, and that user then inherits all of the team's repository permissions, effectively expanding the attack surface.
+The traversable `GH_AddMember` edge indicates that a team role with the Maintainer permission level can add new members to the team. It is created by `Git-HoundTeam` when enumerating team membership roles. This edge is traversable because the ability to add members grants indirect access -- a maintainer can add any user to the team, and that user then inherits all of the team's repository permissions, effectively expanding the attack surface.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_adminto.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_adminto.mdx
index e732b04..c17900d 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_adminto.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_adminto.mdx
@@ -11,7 +11,7 @@ Traversable: ❌
 | Start | Kind | End |
 |-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_AdminTo](/opengraph/extensions/githound/reference/edges/gh_adminto) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_AdminTo | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
 ```mermaid
 flowchart LR
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_AdminTo](/opengraph/extensions/githound/reference/edges/gh_adminto) edge represents a role's full administrative access to the repository. Admin is the highest built-in repository role and grants control over all repository settings, including dangerous operations like deleting the repository or modifying its visibility. Admin access bypasses most protections including branch protection rules, unless `enforce_admins` is explicitly enabled on the branch protection rule. This edge is a key permission in the computed branch access model and is a high-value target in attack path analysis.
+The non-traversable `GH_AdminTo` edge represents a role's full administrative access to the repository. Admin is the highest built-in repository role and grants control over all repository settings, including dangerous operations like deleting the repository or modifying its visibility. Admin access bypasses most protections including branch protection rules, unless `enforce_admins` is explicitly enabled on the branch protection rule. This edge is a key permission in the computed branch access model and is a high-value target in attack path analysis.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection.mdx
index b1f7adc..caab24a 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_BypassBranchProtection](/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection) edge represents a role's ability to bypass branch protection rules on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Bypassing branch protection allows merging pull requests without satisfying required review or status check requirements, effectively circumventing the merge gate. This bypass is suppressed when `enforce_admins` is enabled on the branch protection rule, which forces even admins to comply with the protection policy.
+The non-traversable `GH_BypassBranchProtection` edge represents a role's ability to bypass branch protection rules on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Bypassing branch protection allows merging pull requests without satisfying required review or status check requirements, effectively circumventing the merge gate. This bypass is suppressed when `enforce_admins` is enabled on the branch protection rule, which forces even admins to comply with the protection policy.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_bypasspullrequestallowances.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_bypasspullrequestallowances.mdx
index 56921b8..5ef2d53 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_bypasspullrequestallowances.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_bypasspullrequestallowances.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_BypassPullRequestAllowances](/opengraph/extensions/githound/reference/edges/gh_bypasspullrequestallowances) edge represents a per-actor allowance that bypasses the pull request review requirement on a branch protection rule. Created by `Git-HoundBranch` when collecting BPR bypass allowances, this edge identifies specific users or teams that can merge code without going through the normal PR review process. This is a significant security concern because these actors can push or merge changes directly, circumventing code review controls that protect branch integrity. Note that this bypass is suppressed when `enforce_admins` is enabled on the branch protection rule, meaning even listed actors must follow the PR review requirement.
+The non-traversable `GH_BypassPullRequestAllowances` edge represents a per-actor allowance that bypasses the pull request review requirement on a branch protection rule. Created by `Git-HoundBranch` when collecting BPR bypass allowances, this edge identifies specific users or teams that can merge code without going through the normal PR review process. This is a significant security concern because these actors can push or merge changes directly, circumventing code review controls that protect branch integrity. Note that this bypass is suppressed when `enforce_admins` is enabled on the branch protection rule, meaning even listed actors must follow the PR review requirement.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_callsworkflow.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_callsworkflow.mdx
index e2d0fc7..d9fe381 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_callsworkflow.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_callsworkflow.mdx
@@ -11,7 +11,7 @@ Traversable: ✅
 ## General Information
-The traversable [GH_CallsWorkflow](/opengraph/extensions/githound/reference/edges/gh_callsworkflow) edge links a workflow job to a reusable workflow it invokes via the `uses:` key at the job level. Created by `Parse-GitHoundWorkflow`, this edge captures the reusable workflow call graph, enabling analysts to trace inherited permissions and secret access through called workflows.
+The traversable `GH_CallsWorkflow` edge links a workflow job to a reusable workflow it invokes via the `uses:` key at the job level. Created by `Parse-GitHoundWorkflow`, this edge captures the reusable workflow call graph, enabling analysts to trace inherited permissions and secret access through called workflows.
 ### Local vs. remote reusable workflows
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canaccess.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canaccess.mdx
index bbce6e4..1b5e519 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canaccess.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canaccess.mdx
@@ -28,4 +28,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_CanAccess](/opengraph/extensions/githound/reference/edges/gh_canaccess) edge indicates that a personal access token or app installation has been granted access to specific repositories. It is created by `Git-HoundPersonalAccessToken` and `Git-HoundPersonalAccessTokenRequest` for PATs, and by `Git-HoundAppInstallation` for app installations. This edge represents the scope of access granted to a token or app rather than a direct attack path, providing visibility into which repositories are reachable through non-human credentials. It is non-traversable because token and app access does not transitively extend to other principals.
+The non-traversable `GH_CanAccess` edge indicates that a personal access token or app installation has been granted access to specific repositories. It is created by `Git-HoundPersonalAccessToken` and `Git-HoundPersonalAccessTokenRequest` for PATs, and by `Git-HoundAppInstallation` for app installations. This edge represents the scope of access granted to a token or app rather than a direct attack path, providing visibility into which repositories are reachable through non-human credentials. It is non-traversable because token and app access does not transitively extend to other principals.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canassumeidentity.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canassumeidentity.mdx
index a2b8c8b..7f48142 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canassumeidentity.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canassumeidentity.mdx
@@ -11,4 +11,4 @@ Traversable: ✅
 ## General Information
-The traversable [GH_CanAssumeIdentity](/opengraph/extensions/githound/reference/edges/gh_canassumeidentity) edge is a hybrid edge connecting GitHub OIDC token sources to cloud identity targets configured for GitHub Actions federation. Created by the collector when matching GitHub OIDC subject claims to cloud workload identity federation configurations, this edge represents a verified path from GitHub Actions to cloud resource access. It is traversable because an attacker who can execute workflows in the source repository, branch, or environment can obtain an OIDC token that the cloud provider will accept, granting access to the associated cloud identity and its permissions. This edge is critical for identifying cross-cloud lateral movement paths from GitHub into Azure and AWS.
+The traversable `GH_CanAssumeIdentity` edge is a hybrid edge connecting GitHub OIDC token sources to cloud identity targets configured for GitHub Actions federation. Created by the collector when matching GitHub OIDC subject claims to cloud workload identity federation configurations, this edge represents a verified path from GitHub Actions to cloud resource access. It is traversable because an attacker who can execute workflows in the source repository, branch, or environment can obtain an OIDC token that the cloud provider will accept, granting access to the associated cloud identity and its permissions. This edge is critical for identifying cross-cloud lateral movement paths from GitHub into Azure and AWS.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_cancreatebranch.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_cancreatebranch.mdx
index f9d1efd..f06621c 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_cancreatebranch.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_cancreatebranch.mdx
@@ -22,7 +22,7 @@ flowchart LR
 ## General Information
-The traversable [GH_CanCreateBranch](/opengraph/extensions/githound/reference/edges/gh_cancreatebranch) edge is a computed edge indicating that a role or actor can create new branches in a repository. Created by `Compute-GitHoundBranchAccess` with no additional API calls, the computation evaluates whether a wildcard (`*`) BPR with push restrictions and `blocks_creations` exists. If no such BPR exists, any write-capable role can create branches. If one exists, admin or `push_protected_branch` permission is required, or the actor must be listed in pushAllowances. Per-actor edges from [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) or [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) are only emitted when BPR allowances grant branch creation access beyond what the role provides. Each edge includes a `reason` property and a `query_composition` Cypher query showing the underlying graph evidence.
+The traversable `GH_CanCreateBranch` edge is a computed edge indicating that a role or actor can create new branches in a repository. Created by `Compute-GitHoundBranchAccess` with no additional API calls, the computation evaluates whether a wildcard (`*`) BPR with push restrictions and `blocks_creations` exists. If no such BPR exists, any write-capable role can create branches. If one exists, admin or `push_protected_branch` permission is required, or the actor must be listed in pushAllowances. Per-actor edges from [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) or [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) are only emitted when BPR allowances grant branch creation access beyond what the role provides. Each edge includes a `reason` property and a `query_composition` Cypher query showing the underlying graph evidence.
 ## Scenarios
@@ -63,7 +63,7 @@ graph LR
 ### `push_allowance` — Per-actor push restriction bypass
-User or Team listed in the wildcard BPR's `pushAllowances` can create branches. This is a per-actor delta edge — only emitted when the actor's role doesn't already grant [GH_CanCreateBranch](/opengraph/extensions/githound/reference/edges/gh_cancreatebranch).
+User or Team listed in the wildcard BPR's `pushAllowances` can create branches. This is a per-actor delta edge — only emitted when the actor's role doesn't already grant `GH_CanCreateBranch`.
 ```mermaid
 graph LR
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_caneditprotection.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_caneditprotection.mdx
index 21485d0..bd76e6e 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_caneditprotection.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_caneditprotection.mdx
@@ -22,7 +22,7 @@ flowchart LR
 ## General Information
-The traversable [GH_CanEditProtection](/opengraph/extensions/githound/reference/edges/gh_caneditprotection) edge is a computed edge indicating that a role can modify or remove the branch protection rules governing a specific branch. Created by `Compute-GitHoundBranchAccess` with no additional API calls, this edge is emitted when the role has [GH_EditRepoProtections](/opengraph/extensions/githound/reference/edges/gh_editrepoprotections) or [GH_AdminTo](/opengraph/extensions/githound/reference/edges/gh_adminto) permissions and the branch is covered by at least one branch protection rule. The edge targets the protected branch (not the BPR itself) because the security impact is evaluated per-branch — a role that can weaken or remove protections on a branch can subsequently push code to it, representing a privilege escalation path.
+The traversable `GH_CanEditProtection` edge is a computed edge indicating that a role can modify or remove the branch protection rules governing a specific branch. Created by `Compute-GitHoundBranchAccess` with no additional API calls, this edge is emitted when the role has [GH_EditRepoProtections](/opengraph/extensions/githound/reference/edges/gh_editrepoprotections) or [GH_AdminTo](/opengraph/extensions/githound/reference/edges/gh_adminto) permissions and the branch is covered by at least one branch protection rule. The edge targets the protected branch (not the BPR itself) because the security impact is evaluated per-branch — a role that can weaken or remove protections on a branch can subsequently push code to it, representing a privilege escalation path.
 ## Scenarios
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canpwnrequest.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canpwnrequest.mdx
index 7f63860..99e6dda 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canpwnrequest.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canpwnrequest.mdx
@@ -11,7 +11,7 @@ Traversable: ✅
 ## General Information
-The traversable [GH_CanPwnRequest](/opengraph/extensions/githound/reference/edges/gh_canpwnrequest) edge indicates that a repository role can exploit a pwn-requestable workflow to execute arbitrary code with the base branch's secrets, GITHUB_TOKEN permissions, and OIDC identity. Created by `Get-PwnRequestEdges`, this is a computed edge that combines workflow analysis with repository access and fork policy evaluation.
+The traversable `GH_CanPwnRequest` edge indicates that a repository role can exploit a pwn-requestable workflow to execute arbitrary code with the base branch's secrets, GITHUB_TOKEN permissions, and OIDC identity. Created by `Get-PwnRequestEdges`, this is a computed edge that combines workflow analysis with repository access and fork policy evaluation.
 ### Pwn Request Conditions
@@ -50,7 +50,7 @@ An attacker who exploits a pwn request gains code execution in the workflow runn
 ### Caveats
-- **OIDC traversal requires `id-token: write`**: The attack chain from [GH_CanPwnRequest](/opengraph/extensions/githound/reference/edges/gh_canpwnrequest) through [GH_CanAssumeIdentity](/opengraph/extensions/githound/reference/edges/gh_canassumeidentity) to a cloud role is only valid if the pwn-requestable workflow (or job) explicitly declares `id-token: write` in its `permissions:` block. The `id-token` permission defaults to `none` and is never implicitly granted — even when the workflow has no `permissions:` block at all. The `permissions` property on the [GH_WorkflowJob](/opengraph/extensions/githound/reference/nodes/gh_workflowjob) node can be inspected to verify this.
+- **OIDC traversal requires `id-token: write`**: The attack chain from `GH_CanPwnRequest` through [GH_CanAssumeIdentity](/opengraph/extensions/githound/reference/edges/gh_canassumeidentity) to a cloud role is only valid if the pwn-requestable workflow (or job) explicitly declares `id-token: write` in its `permissions:` block. The `id-token` permission defaults to `none` and is never implicitly granted — even when the workflow has no `permissions:` block at all. The `permissions` property on the [GH_WorkflowJob](/opengraph/extensions/githound/reference/nodes/gh_workflowjob) node can be inspected to verify this.
 - **GITHUB_TOKEN permissions**: The `permissions:` block controls what the `GITHUB_TOKEN` can do (e.g., push commits, create releases), but has no effect on secret access, OIDC token requests (governed separately by `id-token`), or arbitrary code execution. A workflow with `contents: read` is still fully exploitable via pwn request for secret exfiltration and lateral movement — only write-back to the repository is limited.
 ```mermaid
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canreadsecretscanningalert.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canreadsecretscanningalert.mdx
index 0e30b75..188d937 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canreadsecretscanningalert.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canreadsecretscanningalert.mdx
@@ -11,7 +11,7 @@ Traversable: ✅
 ## General Information
-The traversable [GH_CanReadSecretScanningAlert](/opengraph/extensions/githound/reference/edges/gh_canreadsecretscanningalert) edge is a computed edge indicating that a role can read a specific secret scanning alert, including the leaked secret value. Created by `Compute-GitHoundSecretScanningAccess` with no additional API calls, the computation cross-references [GH_ViewSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts) permission edges with [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) structural edges (org-level and repo-level) to determine which alerts each role can access. This edge is traversable because reading an alert reveals the leaked secret — if the secret is a valid GitHub Personal Access Token, the [GH_ValidToken](/opengraph/extensions/githound/reference/edges/gh_validtoken) edge enables identity compromise of the token's owner.
+The traversable `GH_CanReadSecretScanningAlert` edge is a computed edge indicating that a role can read a specific secret scanning alert, including the leaked secret value. Created by `Compute-GitHoundSecretScanningAccess` with no additional API calls, the computation cross-references [GH_ViewSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts) permission edges with [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) structural edges (org-level and repo-level) to determine which alerts each role can access. This edge is traversable because reading an alert reveals the leaked secret — if the secret is a valid GitHub Personal Access Token, the [GH_ValidToken](/opengraph/extensions/githound/reference/edges/gh_validtoken) edge enables identity compromise of the token's owner.
Each edge includes a `reason` property (`org_role_permission` or `repo_role_permission`) and a `query_composition` Cypher query showing the underlying graph evidence.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canwritebranch.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canwritebranch.mdx
index 77bab32..6c0936c 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canwritebranch.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canwritebranch.mdx
@@ -28,7 +28,7 @@ flowchart LR
 ## General Information
-The traversable [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) edge is a computed edge indicating that a role or actor can push to a specific branch. Created by `Compute-GitHoundBranchAccess` with no additional API calls, the computation evaluates both the merge gate (PR review requirements) and push gate (push restrictions) of any branch protection rule protecting the branch. Role-level edges are the common case; per-actor edges from [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) or [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) are only emitted when BPR allowances grant access beyond what the role provides. Each edge includes a `reason` property (`no_protection`, `admin`, `push_protected_branch`, `bypass_branch_protection`, `push_allowance`, `bypass_pr_allowance`) and a `query_composition` Cypher query showing the underlying graph evidence.
+The traversable `GH_CanWriteBranch` edge is a computed edge indicating that a role or actor can push to a specific branch. Created by `Compute-GitHoundBranchAccess` with no additional API calls, the computation evaluates both the merge gate (PR review requirements) and push gate (push restrictions) of any branch protection rule protecting the branch. Role-level edges are the common case; per-actor edges from [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) or [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) are only emitted when BPR allowances grant access beyond what the role provides. Each edge includes a `reason` property (`no_protection`, `admin`, `push_protected_branch`, `bypass_branch_protection`, `push_allowance`, `bypass_pr_allowance`) and a `query_composition` Cypher query showing the underlying graph evidence.
 ## Scenarios
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closediscussion.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closediscussion.mdx
index 8be7000..053da51 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closediscussion.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closediscussion.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_CloseDiscussion](/opengraph/extensions/githound/reference/edges/gh_closediscussion) edge represents a role's ability to close discussions, preventing further replies. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_CloseDiscussion` edge represents a role's ability to close discussions, preventing further replies. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closeissue.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closeissue.mdx
index 0e4e339..8ef66b9 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closeissue.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closeissue.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_CloseIssue](/opengraph/extensions/githound/reference/edges/gh_closeissue) edge represents a role's ability to close issues. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_CloseIssue` edge represents a role's ability to close issues. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closepullrequest.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closepullrequest.mdx
index 5dc75bd..ac0f332 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closepullrequest.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closepullrequest.mdx
@@ -11,7 +11,7 @@ Traversable: ❌
 | Start | Kind | End |
 |-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_ClosePullRequest](/opengraph/extensions/githound/reference/edges/gh_closepullrequest) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ClosePullRequest | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
 ```mermaid
 flowchart LR
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_ClosePullRequest](/opengraph/extensions/githound/reference/edges/gh_closepullrequest) edge represents a role's ability to close pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_ClosePullRequest` edge represents a role's ability to close pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_contains.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_contains.mdx
index a8e66ef..62402bf 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_contains.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_contains.mdx
@@ -57,4 +57,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) edge represents structural containment within the GitHub resource hierarchy. The organization serves as the top-level container for users, teams, repositories, roles, secrets, app installations, and personal access tokens. Repositories contain their own repo-level secrets, and environments contain environment-scoped secrets. This edge is created by the collector to establish the organizational hierarchy of GitHub resources and is not traversable because containment alone does not imply privilege escalation.
+The non-traversable `GH_Contains` edge represents structural containment within the GitHub resource hierarchy. The organization serves as the top-level container for users, teams, repositories, roles, secrets, app installations, and personal access tokens. Repositories contain their own repo-level secrets, and environments contain environment-scoped secrets. This edge is created by the collector to establish the organizational hierarchy of GitHub resources and is not traversable because containment alone does not imply privilege escalation.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_convertissuestodiscussions.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_convertissuestodiscussions.mdx
index 0544337..d7472de 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_convertissuestodiscussions.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_convertissuestodiscussions.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_ConvertIssuesToDiscussions](/opengraph/extensions/githound/reference/edges/gh_convertissuestodiscussions) edge represents a role's ability to convert issues to discussions, moving them from the issue tracker to the discussions forum. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_ConvertIssuesToDiscussions` edge represents a role's ability to convert issues to discussions, moving them from the issue tracker to the discussions forum. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_creatediscussioncategory.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_creatediscussioncategory.mdx
index f62b1f7..ed3bd41 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_creatediscussioncategory.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_creatediscussioncategory.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_CreateDiscussionCategory](/opengraph/extensions/githound/reference/edges/gh_creatediscussioncategory) edge represents a role's ability to create new discussion categories. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_CreateDiscussionCategory` edge represents a role's ability to create new discussion categories. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createrepository.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createrepository.mdx
index f00952b..b9c7dbb 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createrepository.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createrepository.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_CreateRepository](/opengraph/extensions/githound/reference/edges/gh_createrepository) edge represents that a role has the ability to create new repositories within the organization. This permission is available to Owners and custom organization roles that have been granted the repository creation permission. Creating repositories can introduce new attack surface to an organization, as each new repository is a potential vector for code execution through GitHub Actions workflows, secret exposure, and supply chain attacks.
+The non-traversable `GH_CreateRepository` edge represents that a role has the ability to create new repositories within the organization. This permission is available to Owners and custom organization roles that have been granted the repository creation permission. Creating repositories can introduce new attack surface to an organization, as each new repository is a potential vector for code execution through GitHub Actions workflows, secret exposure, and supply chain attacks.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createsolomergequeueentry.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createsolomergequeueentry.mdx
index a0c92b8..52ace86 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createsolomergequeueentry.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createsolomergequeueentry.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_CreateSoloMergeQueueEntry](/opengraph/extensions/githound/reference/edges/gh_createsolomergequeueentry) edge represents a role's ability to create solo merge queue entries, effectively bypassing the merge queue by merging independently of other queued changes. This permission is available to Admin roles and custom roles that have been granted this specific permission. Solo merge queue entries skip the batching and ordering guarantees of the merge queue, allowing changes to land without waiting for or being tested alongside other pending merges. This can circumvent the integration testing benefits that merge queues provide.
+The non-traversable `GH_CreateSoloMergeQueueEntry` edge represents a role's ability to create solo merge queue entries, effectively bypassing the merge queue by merging independently of other queued changes. This permission is available to Admin roles and custom roles that have been granted this specific permission. Solo merge queue entries skip the batching and ordering guarantees of the merge queue, allowing changes to land without waiting for or being tested alongside other pending merges. This can circumvent the integration testing benefits that merge queues provide.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createtag.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createtag.mdx
index 0870763..1b20d73 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createtag.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createtag.mdx
@@ -22,4 +22,4 @@ flowchart LR
 
 ## General Information
 
-The non-traversable [GH_CreateTag](/opengraph/extensions/githound/reference/edges/gh_createtag) edge represents a role's ability to create tags and releases. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission. Creating tags can trigger CI/CD workflows and publish release artifacts.
+The non-traversable `GH_CreateTag` edge represents a role's ability to create tags and releases. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission. Creating tags can trigger CI/CD workflows and publish release artifacts.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createteam.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createteam.mdx
index 7d55564..3fea71a 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createteam.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createteam.mdx
@@ -22,4 +22,4 @@ flowchart LR
 
 ## General Information
 
-The non-traversable [GH_CreateTeam](/opengraph/extensions/githound/reference/edges/gh_createteam) edge represents that a role has the ability to create teams within the organization. Teams are the primary mechanism for granting groups of users access to repositories, so team creation is a stepping stone to broader access. This edge is created by the collector when enumerating organization role permissions, and its security significance lies in the fact that a newly created team can be granted repository access and then populated with controlled accounts.
+The non-traversable `GH_CreateTeam` edge represents that a role has the ability to create teams within the organization. Teams are the primary mechanism for granting groups of users access to repositories, so team creation is a stepping stone to broader access. This edge is created by the collector when enumerating organization role permissions, and its security significance lies in the fact that a newly created team can be granted repository access and then populated with controlled accounts.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletealertscodescanning.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletealertscodescanning.mdx
index a749d1a..1f3a6a1 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletealertscodescanning.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletealertscodescanning.mdx
@@ -22,4 +22,4 @@ flowchart LR
 
 ## General Information
 
-The non-traversable [GH_DeleteAlertsCodeScanning](/opengraph/extensions/githound/reference/edges/gh_deletealertscodescanning) edge represents a role's ability to delete code scanning alerts from the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Deleting code scanning alerts can obscure security vulnerabilities that have been detected in the codebase, which is significant from an audit and compliance perspective. An attacker with this permission could suppress evidence of vulnerabilities they have introduced.
+The non-traversable `GH_DeleteAlertsCodeScanning` edge represents a role's ability to delete code scanning alerts from the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Deleting code scanning alerts can obscure security vulnerabilities that have been detected in the codebase, which is significant from an audit and compliance perspective. An attacker with this permission could suppress evidence of vulnerabilities they have introduced.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletediscussion.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletediscussion.mdx
index 0013ea3..e6a8ab4 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletediscussion.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletediscussion.mdx
@@ -22,4 +22,4 @@ flowchart LR
 
 ## General Information
 
-The non-traversable [GH_DeleteDiscussion](/opengraph/extensions/githound/reference/edges/gh_deletediscussion) edge represents a role's ability to delete discussions. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_DeleteDiscussion` edge represents a role's ability to delete discussions. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletediscussioncomment.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletediscussioncomment.mdx
index cfdef69..8adedba 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletediscussioncomment.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletediscussioncomment.mdx
@@ -22,4 +22,4 @@ flowchart LR
 
 ## General Information
 
-The non-traversable [GH_DeleteDiscussionComment](/opengraph/extensions/githound/reference/edges/gh_deletediscussioncomment) edge represents a role's ability to delete discussion comments authored by any user. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_DeleteDiscussionComment` edge represents a role's ability to delete discussion comments authored by any user. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deleteissue.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deleteissue.mdx
index 93553ce..b0821ad 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deleteissue.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deleteissue.mdx
@@ -22,4 +22,4 @@ flowchart LR
 
 ## General Information
 
-The non-traversable [GH_DeleteIssue](/opengraph/extensions/githound/reference/edges/gh_deleteissue) edge represents a role's ability to delete issues permanently. Deleted issues cannot be recovered. This permission is available to Admin roles and custom roles that have been granted this specific permission. Deleting issues can destroy audit trails and remove evidence of security discussions or vulnerability reports.
+The non-traversable `GH_DeleteIssue` edge represents a role's ability to delete issues permanently. Deleted issues cannot be recovered. This permission is available to Admin roles and custom roles that have been granted this specific permission. Deleting issues can destroy audit trails and remove evidence of security discussions or vulnerability reports.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletetag.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletetag.mdx
index ad55719..a80e97c 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletetag.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletetag.mdx
@@ -22,4 +22,4 @@ flowchart LR
 
 ## General Information
 
-The non-traversable [GH_DeleteTag](/opengraph/extensions/githound/reference/edges/gh_deletetag) edge represents a role's ability to delete tags and releases. This permission is available to Admin roles and custom roles that have been granted this specific permission. Deleting tags can break downstream dependency references and remove published artifacts.
+The non-traversable `GH_DeleteTag` edge represents a role's ability to delete tags and releases. This permission is available to Admin roles and custom roles that have been granted this specific permission. Deleting tags can break downstream dependency references and remove published artifacts.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_dependson.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_dependson.mdx
index 19a3a10..86475ed 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_dependson.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_dependson.mdx
@@ -11,4 +11,4 @@ Traversable: ❌
 
 ## General Information
 
-The non-traversable [GH_DependsOn](/opengraph/extensions/githound/reference/edges/gh_dependson) edge represents a `needs:` dependency between two jobs in the same workflow. Created by `Parse-GitHoundWorkflow`, this edge captures execution order constraints — the source job will not start until the destination job completes successfully. This edge is non-traversable because it represents sequencing only, not an access or privilege path.
+The non-traversable `GH_DependsOn` edge represents a `needs:` dependency between two jobs in the same workflow. Created by `Parse-GitHoundWorkflow`, this edge captures execution order constraints — the source job will not start until the destination job completes successfully. This edge is non-traversable because it represents sequencing only, not an access or privilege path.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deploysto.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deploysto.mdx
index 58eff72..25af789 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deploysto.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deploysto.mdx
@@ -11,4 +11,4 @@ Traversable: ❌
 
 ## General Information
 
-The non-traversable [GH_DeploysTo](/opengraph/extensions/githound/reference/edges/gh_deploysto) edge links a workflow job to the GitHub Environment it targets via the `environment:` key. Created by `Parse-GitHoundWorkflow`, this edge records which jobs deploy to which environments. Environments can gate deployments with protection rules (required reviewers, wait timers, deployment branch policies) and can expose environment-scoped secrets.
+The non-traversable `GH_DeploysTo` edge links a workflow job to the GitHub Environment it targets via the `environment:` key. Created by `Parse-GitHoundWorkflow`, this edge records which jobs deploy to which environments. Environments can gate deployments with protection rules (required reviewers, wait timers, deployment branch policies) and can expose environment-scoped secrets.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editcategoryondiscussion.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editcategoryondiscussion.mdx
index 2d0d543..1907275 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editcategoryondiscussion.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editcategoryondiscussion.mdx
@@ -22,4 +22,4 @@ flowchart LR
 
 ## General Information
 
-The non-traversable [GH_EditCategoryOnDiscussion](/opengraph/extensions/githound/reference/edges/gh_editcategoryondiscussion) edge represents a role's ability to change the category of a discussion, moving it between categories. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_EditCategoryOnDiscussion` edge represents a role's ability to change the category of a discussion, moving it between categories. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editdiscussioncategory.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editdiscussioncategory.mdx
index 5ebdbd9..2770c81 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editdiscussioncategory.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editdiscussioncategory.mdx
@@ -22,4 +22,4 @@ flowchart LR
 
 ## General Information
 
-The non-traversable [GH_EditDiscussionCategory](/opengraph/extensions/githound/reference/edges/gh_editdiscussioncategory) edge represents a role's ability to edit discussion categories to reorganize discussion classification. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_EditDiscussionCategory` edge represents a role's ability to edit discussion categories to reorganize discussion classification. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editdiscussioncomment.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editdiscussioncomment.mdx
index aef36cd..835940f 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editdiscussioncomment.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editdiscussioncomment.mdx
@@ -22,4 +22,4 @@ flowchart LR
 
 ## General Information
 
-The non-traversable [GH_EditDiscussionComment](/opengraph/extensions/githound/reference/edges/gh_editdiscussioncomment) edge represents a role's ability to edit discussion comments authored by any user. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_EditDiscussionComment` edge represents a role's ability to edit discussion comments authored by any user. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepoannouncementbanners.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepoannouncementbanners.mdx
index 5f3019a..1449762 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepoannouncementbanners.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepoannouncementbanners.mdx
@@ -11,7 +11,7 @@ Traversable: ❌
 
 | Start | Kind | End |
 |-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_EditRepoAnnouncementBanners](/opengraph/extensions/githound/reference/edges/gh_editrepoannouncementbanners) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_EditRepoAnnouncementBanners | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
 
 ```mermaid
 flowchart LR
@@ -22,4 +22,4 @@ flowchart LR
 
 ## General Information
 
-The non-traversable [GH_EditRepoAnnouncementBanners](/opengraph/extensions/githound/reference/edges/gh_editrepoannouncementbanners) edge represents a role's ability to edit repository announcement banners displayed to visitors. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_EditRepoAnnouncementBanners` edge represents a role's ability to edit repository announcement banners displayed to visitors. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepocustompropertiesvalues.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepocustompropertiesvalues.mdx
index 72c9773..632afe2 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepocustompropertiesvalues.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepocustompropertiesvalues.mdx
@@ -22,4 +22,4 @@ flowchart LR
 
 ## General Information
 
-The non-traversable [GH_EditRepoCustomPropertiesValues](/opengraph/extensions/githound/reference/edges/gh_editrepocustompropertiesvalues) edge represents a role's ability to edit custom property values on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Custom properties are organization-defined metadata fields on repositories that can be used for classification, compliance tagging, or policy enforcement via rulesets. Modifying custom property values could alter which organization-level rulesets apply to the repository, potentially bypassing security controls that are scoped by property-based targeting.
+The non-traversable `GH_EditRepoCustomPropertiesValues` edge represents a role's ability to edit custom property values on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Custom properties are organization-defined metadata fields on repositories that can be used for classification, compliance tagging, or policy enforcement via rulesets. Modifying custom property values could alter which organization-level rulesets apply to the repository, potentially bypassing security controls that are scoped by property-based targeting.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepometadata.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepometadata.mdx
index 0fc7686..4eebd69 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepometadata.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepometadata.mdx
@@ -22,4 +22,4 @@ flowchart LR
 
 ## General Information
 
-The non-traversable [GH_EditRepoMetadata](/opengraph/extensions/githound/reference/edges/gh_editrepometadata) edge represents a role's ability to edit repository metadata including description, homepage URL, and visibility settings. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_EditRepoMetadata` edge represents a role's ability to edit repository metadata including description, homepage URL, and visibility settings. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepoprotections.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepoprotections.mdx
index a1d7f82..ae57c57 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepoprotections.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepoprotections.mdx
@@ -11,7 +11,7 @@ Traversable: ❌
 
 | Start | Kind | End |
 |-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_EditRepoProtections](/opengraph/extensions/githound/reference/edges/gh_editrepoprotections) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_EditRepoProtections | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
 
 ```mermaid
 flowchart LR
@@ -22,4 +22,4 @@ flowchart LR
 
 ## General Information
 
-The non-traversable [GH_EditRepoProtections](/opengraph/extensions/githound/reference/edges/gh_editrepoprotections) edge represents a role's ability to edit or remove branch protection rules on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Modifying a branch protection rule is an indirect bypass -- removing or weakening protections opens the branch to direct push or unreviewed merges, making this a high-severity permission from a security perspective. Attack paths that include this edge can escalate to full branch write access by first disabling protections.
+The non-traversable `GH_EditRepoProtections` edge represents a role's ability to edit or remove branch protection rules on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Modifying a branch protection rule is an indirect bypass -- removing or weakening protections opens the branch to direct push or unreviewed merges, making this a high-severity permission from a security perspective. Attack paths that include this edge can escalate to full branch write access by first disabling protections.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasbaserole.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasbaserole.mdx
index 05a335a..161a21e 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasbaserole.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasbaserole.mdx
@@ -11,8 +11,8 @@ Traversable: ✅
 
 | Start | Kind | End |
 |-------|-----------|-------|
-| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_HasBaseRole](/opengraph/extensions/githound/reference/edges/gh_hasbaserole) | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_HasBaseRole](/opengraph/extensions/githound/reference/edges/gh_hasbaserole) | [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) |
+| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | GH_HasBaseRole | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_HasBaseRole | [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) |
 
 ```mermaid
 flowchart LR
@@ -24,4 +24,4 @@ flowchart LR
 
 ## General Information
 
-The traversable [GH_HasBaseRole](/opengraph/extensions/githound/reference/edges/gh_hasbaserole) edge represents role inheritance within the GitHub permission hierarchy. Org roles inherit down to all-repo roles (e.g., Owners inherits to all_repo_admin), and custom roles inherit from their base roles (e.g., a custom_role inherits from write). It is created by `Git-HoundOrganization` (for org-to-repo role inheritance) and `Git-HoundRepository` (for repo-level role inheritance). This edge is traversable because it extends permissions through the role hierarchy, meaning a principal with a higher-level role implicitly holds all inherited lower-level roles.
+The traversable `GH_HasBaseRole` edge represents role inheritance within the GitHub permission hierarchy. Org roles inherit down to all-repo roles (e.g., Owners inherits to all_repo_admin), and custom roles inherit from their base roles (e.g., a custom_role inherits from write). It is created by `Git-HoundOrganization` (for org-to-repo role inheritance) and `Git-HoundRepository` (for repo-level role inheritance). This edge is traversable because it extends permissions through the role hierarchy, meaning a principal with a higher-level role implicitly holds all inherited lower-level roles.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasbranch.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasbranch.mdx
index 3d2f357..8d83513 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasbranch.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasbranch.mdx
@@ -22,4 +22,4 @@ flowchart LR
 
 ## General Information
 
-The non-traversable [GH_HasBranch](/opengraph/extensions/githound/reference/edges/gh_hasbranch) edge represents the relationship between a repository and its branches. Created by `Git-HoundBranch`, this edge links each collected branch to its parent repository. It is a structural edge that provides the foundation for understanding branch-level protections and access controls. While not traversable itself, it connects repositories to branches where traversable edges like [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) and [GH_CanEditProtection](/opengraph/extensions/githound/reference/edges/gh_caneditprotection) model the effective access.
+The non-traversable `GH_HasBranch` edge represents the relationship between a repository and its branches. Created by `Git-HoundBranch`, this edge links each collected branch to its parent repository. It is a structural edge that provides the foundation for understanding branch-level protections and access controls. While not traversable itself, it connects repositories to branches where traversable edges like [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) and [GH_CanEditProtection](/opengraph/extensions/githound/reference/edges/gh_caneditprotection) model the effective access.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasenvironment.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasenvironment.mdx
index d840881..e714ae5 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasenvironment.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasenvironment.mdx
@@ -25,4 +25,4 @@ flowchart LR
 
 ## General Information
 
-The non-traversable [GH_HasEnvironment](/opengraph/extensions/githound/reference/edges/gh_hasenvironment) edge represents the relationship between a repository or branch and its deployment environments. Created by `Git-HoundEnvironment`, this edge links environments to the repositories that define them and to the branches that are allowed to deploy to them (via deployment branch policies). Environments are security-relevant because they can gate access to secrets and cloud credentials, and their deployment branch policies control which branches can trigger deployments.
+The non-traversable `GH_HasEnvironment` edge represents the relationship between a repository or branch and its deployment environments. Created by `Git-HoundEnvironment`, this edge links environments to the repositories that define them and to the branches that are allowed to deploy to them (via deployment branch policies). Environments are security-relevant because they can gate access to secrets and cloud credentials, and their deployment branch policies control which branches can trigger deployments.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasexternalidentity.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasexternalidentity.mdx
index 7a78ed2..e451407 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasexternalidentity.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasexternalidentity.mdx
@@ -22,4 +22,4 @@ flowchart LR
 
 ## General Information
 
-The non-traversable [GH_HasExternalIdentity](/opengraph/extensions/githound/reference/edges/gh_hasexternalidentity) edge represents the relationship between a SAML identity provider and the external identities (SSO users) it manages. Created by `Git-HoundGraphQlSamlProvider`, this edge links each external identity to the SAML provider that authenticated it. External identities are a key component in cross-platform attack path analysis because they bridge the gap between corporate identity providers and GitHub user accounts via the [GH_MapsToUser](/opengraph/extensions/githound/reference/edges/gh_mapstouser) edge. Enumerating external identities reveals which corporate users have linked GitHub accounts and enables mapping from IdP compromise to GitHub access.
+The non-traversable `GH_HasExternalIdentity` edge represents the relationship between a SAML identity provider and the external identities (SSO users) it manages. Created by `Git-HoundGraphQlSamlProvider`, this edge links each external identity to the SAML provider that authenticated it. External identities are a key component in cross-platform attack path analysis because they bridge the gap between corporate identity providers and GitHub user accounts via the [GH_MapsToUser](/opengraph/extensions/githound/reference/edges/gh_mapstouser) edge. Enumerating external identities reveals which corporate users have linked GitHub accounts and enables mapping from IdP compromise to GitHub access.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasjob.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasjob.mdx
index ab4c2fa..1d51df4 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasjob.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasjob.mdx
@@ -11,4 +11,4 @@ Traversable: ✅
 
 ## General Information
 
-The traversable [GH_HasJob](/opengraph/extensions/githound/reference/edges/gh_hasjob) edge links a workflow to each of its jobs. Created by `Parse-GitHoundWorkflow`, this edge is the primary structural link for walking from a workflow definition into its execution units. Because jobs can declare environments and permissions, traversing this edge enables analysts to reason about what a workflow can do and where it can deploy.
+The traversable `GH_HasJob` edge links a workflow to each of its jobs. Created by `Parse-GitHoundWorkflow`, this edge is the primary structural link for walking from a workflow definition into its execution units. Because jobs can declare environments and permissions, traversing this edge enables analysts to reason about what a workflow can do and where it can deploy.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstoken.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstoken.mdx
index cd3cfd8..182891d 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstoken.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstoken.mdx
@@ -22,4 +22,4 @@ flowchart LR
 
 ## General Information
 
-The non-traversable [GH_HasPersonalAccessToken](/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstoken) edge represents the relationship between a user and their fine-grained personal access tokens that have been granted access to the organization. Created by `Git-HoundPersonalAccessToken`, this edge links each approved token back to the user who created it. Fine-grained personal access tokens are security-significant because they provide programmatic access to organization resources with specific scoped permissions. Tracking token ownership is essential for understanding which users have standing API access and for identifying tokens that may need revocation.
+The non-traversable `GH_HasPersonalAccessToken` edge represents the relationship between a user and their fine-grained personal access tokens that have been granted access to the organization. Created by `Git-HoundPersonalAccessToken`, this edge links each approved token back to the user who created it. Fine-grained personal access tokens are security-significant because they provide programmatic access to organization resources with specific scoped permissions. Tracking token ownership is essential for understanding which users have standing API access and for identifying tokens that may need revocation.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstokenrequest.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstokenrequest.mdx
index 6f70c14..d859cf0 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstokenrequest.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstokenrequest.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_HasPersonalAccessTokenRequest](/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstokenrequest) edge represents the relationship between a user and their pending personal access token requests awaiting organizational approval. Created by `Git-HoundPersonalAccessTokenRequest`, this edge links each pending token request back to the user who submitted it. Pending token requests are security-relevant because they represent access that may soon be granted, and reviewing them helps administrators understand what permissions users are requesting before approval. Organizations that require approval for fine-grained PATs will have these requests queued until an administrator acts on them.
+The non-traversable `GH_HasPersonalAccessTokenRequest` edge represents the relationship between a user and their pending personal access token requests awaiting organizational approval. Created by `Git-HoundPersonalAccessTokenRequest`, this edge links each pending token request back to the user who submitted it. Pending token requests are security-relevant because they represent access that may soon be granted, and reviewing them helps administrators understand what permissions users are requesting before approval. Organizations that require approval for fine-grained PATs will have these requests queued until an administrator acts on them.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasrole.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasrole.mdx
index 2760ec4..01c1b06 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasrole.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasrole.mdx
@@ -33,4 +33,4 @@ flowchart LR
 ## General Information
-The traversable [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) edge represents the assignment of a user or team to a specific role within the organization, repository, or team. This is the primary edge for connecting identities to their permissions and serves as the foundation of all access paths in the GitHub permission model. It is created by `Git-HoundUser` (for org roles), `Git-HoundRepositoryRole` (for repo roles), and `Git-HoundTeam` (for team roles). Because role assignment is the starting point for determining what a principal can do, this edge is traversable and critical for attack path analysis.
+The traversable `GH_HasRole` edge represents the assignment of a user or team to a specific role within the organization, repository, or team. This is the primary edge for connecting identities to their permissions and serves as the foundation of all access paths in the GitHub permission model. It is created by `Git-HoundUser` (for org roles), `Git-HoundRepositoryRole` (for repo roles), and `Git-HoundTeam` (for team roles). Because role assignment is the starting point for determining what a principal can do, this edge is traversable and critical for attack path analysis.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hassamlidentityprovider.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hassamlidentityprovider.mdx
index 7d6a30b..dc24a85 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hassamlidentityprovider.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hassamlidentityprovider.mdx
@@ -11,7 +11,7 @@ Traversable: ❌
 | Start | Kind | End |
 |-------|-----------|-------|
-| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_HasSamlIdentityProvider](/opengraph/extensions/githound/reference/edges/gh_hassamlidentityprovider) | [GH_SamlIdentityProvider](/opengraph/extensions/githound/reference/nodes/gh_samlidentityprovider) |
+| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_HasSamlIdentityProvider | [GH_SamlIdentityProvider](/opengraph/extensions/githound/reference/nodes/gh_samlidentityprovider) |
 ```mermaid
 flowchart LR
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_HasSamlIdentityProvider](/opengraph/extensions/githound/reference/edges/gh_hassamlidentityprovider) edge represents the relationship between an organization and its SAML identity provider configuration. Created by `Git-HoundGraphQlSamlProvider`, this edge links an organization to the SAML SSO provider used for authentication and user provisioning. SAML identity providers are a critical security component because they establish the trust boundary between an external identity provider (such as Entra ID or Okta) and the GitHub organization. Understanding this relationship is essential for mapping cross-platform attack paths where compromise of the identity provider could lead to access within the GitHub organization.
+The non-traversable `GH_HasSamlIdentityProvider` edge represents the relationship between an organization and its SAML identity provider configuration. Created by `Git-HoundGraphQlSamlProvider`, this edge links an organization to the SAML SSO provider used for authentication and user provisioning. SAML identity providers are a critical security component because they establish the trust boundary between an external identity provider (such as Entra ID or Okta) and the GitHub organization. Understanding this relationship is essential for mapping cross-platform attack paths where compromise of the identity provider could lead to access within the GitHub organization.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hassecret.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hassecret.mdx
index a7d0d38..a81b21e 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hassecret.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hassecret.mdx
@@ -25,4 +25,4 @@ flowchart LR
 ## General Information
-The traversable [GH_HasSecret](/opengraph/extensions/githound/reference/edges/gh_hassecret) edge represents the relationship between a repository or environment and the secrets accessible within that context. Created by `Git-HoundOrganizationSecret`, `Git-HoundSecret`, and `Git-HoundEnvironment`, this edge shows which secrets are available in which scopes. Repositories can have access to both organization-level secrets (scoped to selected repositories) and repository-level secrets, while environments contain their own environment-scoped secrets. This edge is traversable because any principal that can push code to a repository (via [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) or [GH_CanCreateBranch](/opengraph/extensions/githound/reference/edges/gh_cancreatebranch)) can write a workflow that exfiltrates the secret values at runtime, making this a meaningful link in attack path analysis.
+The traversable `GH_HasSecret` edge represents the relationship between a repository or environment and the secrets accessible within that context. Created by `Git-HoundOrganizationSecret`, `Git-HoundSecret`, and `Git-HoundEnvironment`, this edge shows which secrets are available in which scopes. Repositories can have access to both organization-level secrets (scoped to selected repositories) and repository-level secrets, while environments contain their own environment-scoped secrets. This edge is traversable because any principal that can push code to a repository (via [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) or [GH_CanCreateBranch](/opengraph/extensions/githound/reference/edges/gh_cancreatebranch)) can write a workflow that exfiltrates the secret values at runtime, making this a meaningful link in attack path analysis.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasstep.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasstep.mdx
index 2113c64..b8b345f 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasstep.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasstep.mdx
@@ -11,4 +11,4 @@ Traversable: ✅
 ## General Information
-The traversable [GH_HasStep](/opengraph/extensions/githound/reference/edges/gh_hasstep) edge links a job to each of its steps in execution order. Created by `Parse-GitHoundWorkflow`, this edge enables analysts to enumerate all actions and shell commands executed by a job, including which secrets and variables each step consumes.
+The traversable `GH_HasStep` edge links a job to each of its steps in execution order. Created by `Parse-GitHoundWorkflow`, this edge enables analysts to enumerate all actions and shell commands executed by a job, including which secrets and variables each step consumes.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasvariable.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasvariable.mdx
index 1be0f33..d0f2746 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasvariable.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasvariable.mdx
@@ -25,4 +25,4 @@ flowchart LR
 ## General Information
-The traversable [GH_HasVariable](/opengraph/extensions/githound/reference/edges/gh_hasvariable) edge represents the relationship between a repository and the variables accessible within that context. Created by `Git-HoundOrganizationSecret` and `Git-HoundVariable`, this edge shows which variables are available in which scopes. Repositories can have access to both organization-level variables (scoped by visibility to all, private, or selected repositories) and repository-level variables defined directly on the repo. This edge is traversable because any principal that can push code to a repository (via [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) or [GH_CanCreateBranch](/opengraph/extensions/githound/reference/edges/gh_cancreatebranch)) can write a workflow that reads variable values at runtime, and variables may contain configuration data useful for lateral movement such as deployment URLs, service names, or environment identifiers.
+The traversable `GH_HasVariable` edge represents the relationship between a repository and the variables accessible within that context. Created by `Git-HoundOrganizationSecret` and `Git-HoundVariable`, this edge shows which variables are available in which scopes. Repositories can have access to both organization-level variables (scoped by visibility to all, private, or selected repositories) and repository-level variables defined directly on the repo. This edge is traversable because any principal that can push code to a repository (via [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) or [GH_CanCreateBranch](/opengraph/extensions/githound/reference/edges/gh_cancreatebranch)) can write a workflow that reads variable values at runtime, and variables may contain configuration data useful for lateral movement such as deployment URLs, service names, or environment identifiers.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasworkflow.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasworkflow.mdx
index db694d3..190d75c 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasworkflow.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasworkflow.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_HasWorkflow](/opengraph/extensions/githound/reference/edges/gh_hasworkflow) edge represents the relationship between a repository and its GitHub Actions workflows. Created by `Git-HoundWorkflow`, this edge links each discovered workflow definition to its parent repository. Workflows are significant from a security perspective because they can execute arbitrary code with repository permissions, access secrets, and assume cloud identities. This structural edge enables analysts to enumerate which workflows exist in a given repository.
+The non-traversable `GH_HasWorkflow` edge represents the relationship between a repository and its GitHub Actions workflows. Created by `Git-HoundWorkflow`, this edge links each discovered workflow definition to its parent repository. Workflows are significant from a security perspective because they can execute arbitrary code with repository permissions, access secrets, and assume cloud identities. This structural edge enables analysts to enumerate which workflows exist in a given repository.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_installedas.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_installedas.mdx
index 79e172d..d3a4d8d 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_installedas.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_installedas.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The traversable [GH_InstalledAs](/opengraph/extensions/githound/reference/edges/gh_installedas) edge links a GitHub App to its installation within the organization. It is created by `Git-HoundAppInstallation` during app installation enumeration. This edge is traversable because it connects the app definition to its active installation, which determines the specific set of repositories and permissions the app has been granted. Understanding the relationship between an app and its installation is essential for tracing how app-level permissions translate into repository access.
+The traversable `GH_InstalledAs` edge links a GitHub App to its installation within the organization. It is created by `Git-HoundAppInstallation` during app installation enumeration. This edge is traversable because it connects the app definition to its active installation, which determines the specific set of repositories and permissions the app has been granted. Understanding the relationship between an app and its installation is essential for tracing how app-level permissions translate into repository access.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_invitemember.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_invitemember.mdx
index 87e92bf..00ae932 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_invitemember.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_invitemember.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_InviteMember](/opengraph/extensions/githound/reference/edges/gh_invitemember) edge represents that a role has the ability to invite new members to the organization. This permission is typically restricted to Owners, as inviting members expands the organization's trust boundary by granting new users access to internal resources. An attacker with this permission could invite a controlled account to gain persistent access to the organization's repositories, teams, and secrets.
+The non-traversable `GH_InviteMember` edge represents that a role has the ability to invite new members to the organization. This permission is typically restricted to Owners, as inviting members expands the organization's trust boundary by granting new users access to internal resources. An attacker with this permission could invite a controlled account to gain persistent access to the organization's repositories, teams, and secrets.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_jumpmergequeue.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_jumpmergequeue.mdx
index e78e16e..1290707 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_jumpmergequeue.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_jumpmergequeue.mdx
@@ -11,7 +11,7 @@ Traversable: ❌
 | Start | Kind | End |
 |-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_JumpMergeQueue](/opengraph/extensions/githound/reference/edges/gh_jumpmergequeue) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_JumpMergeQueue | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
 ```mermaid
 flowchart LR
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_JumpMergeQueue](/opengraph/extensions/githound/reference/edges/gh_jumpmergequeue) edge represents a role's ability to jump ahead of other entries in the merge queue. This permission is available to Admin roles and custom roles that have been granted this specific permission. Merge queues enforce an ordered sequence of CI checks and merges; jumping the queue allows a principal to prioritize their changes ahead of others. While less severe than bypassing protections entirely, this permission can be used to accelerate the landing of malicious changes before other queued entries are reviewed or tested.
+The non-traversable `GH_JumpMergeQueue` edge represents a role's ability to jump ahead of other entries in the merge queue. This permission is available to Admin roles and custom roles that have been granted this specific permission. Merge queues enforce an ordered sequence of CI checks and merges; jumping the queue allows a principal to prioritize their changes ahead of others. While less severe than bypassing protections entirely, this permission can be used to accelerate the landing of malicious changes before other queued entries are reviewed or tested.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managedeploykeys.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managedeploykeys.mdx
index 56fe2a1..07a9d2b 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managedeploykeys.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managedeploykeys.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_ManageDeployKeys](/opengraph/extensions/githound/reference/edges/gh_managedeploykeys) edge represents a role's ability to create, modify, and delete deploy keys for the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Deploy keys provide SSH-based access to the repository, and a deploy key with write access can push commits directly without going through the GitHub web interface or API authentication. Managing deploy keys is security-significant because it enables the creation of persistent, credential-based access that operates outside the normal user authentication flow.
+The non-traversable `GH_ManageDeployKeys` edge represents a role's ability to create, modify, and delete deploy keys for the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Deploy keys provide SSH-based access to the repository, and a deploy key with write access can push commits directly without going through the GitHub web interface or API authentication. Managing deploy keys is security-significant because it enables the creation of persistent, credential-based access that operates outside the normal user authentication flow.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managediscussionbadges.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managediscussionbadges.mdx
index 4fdb7cc..bf4351c 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managediscussionbadges.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managediscussionbadges.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_ManageDiscussionBadges](/opengraph/extensions/githound/reference/edges/gh_managediscussionbadges) edge represents a role's ability to manage discussion badges used to highlight discussion participants. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_ManageDiscussionBadges` edge represents a role's ability to manage discussion badges used to highlight discussion participants. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_manageorganizationwebhooks.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_manageorganizationwebhooks.mdx
index 6ff730b..075838a 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_manageorganizationwebhooks.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_manageorganizationwebhooks.mdx
@@ -11,4 +11,4 @@ Traversable: ❌
 ## General Information
-The non-traversable [GH_ManageOrganizationWebhooks](/opengraph/extensions/githound/reference/edges/gh_manageorganizationwebhooks) edge represents that a role has the ability to manage organization-level webhooks. This edge is dynamically generated from custom organization role permissions discovered by the collector. Webhooks can be configured to send event data to external endpoints, making this permission significant for security because an attacker could create or modify webhooks to exfiltrate repository data, commit contents, or issue details to an attacker-controlled server, or use them as a persistence mechanism.
+The non-traversable `GH_ManageOrganizationWebhooks` edge represents that a role has the ability to manage organization-level webhooks. This edge is dynamically generated from custom organization role permissions discovered by the collector. Webhooks can be configured to send event data to external endpoints, making this permission significant for security because an attacker could create or modify webhooks to exfiltrate repository data, commit contents, or issue details to an attacker-controlled server, or use them as a persistence mechanism.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managereposecurityproducts.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managereposecurityproducts.mdx
index b080a0f..3cd9867 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managereposecurityproducts.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managereposecurityproducts.mdx
@@ -11,7 +11,7 @@ Traversable: ❌
 | Start | Kind | End |
 |-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_ManageRepoSecurityProducts](/opengraph/extensions/githound/reference/edges/gh_managereposecurityproducts) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ManageRepoSecurityProducts | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
 ```mermaid
 flowchart LR
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_ManageRepoSecurityProducts](/opengraph/extensions/githound/reference/edges/gh_managereposecurityproducts) edge represents a role's ability to manage repository-specific security product settings. This permission is available to Admin roles and custom roles that have been granted this specific permission. Unlike the broader [GH_ManageSecurityProducts](/opengraph/extensions/githound/reference/edges/gh_managesecurityproducts) permission, this edge is scoped to repository-level security configuration such as repository-specific scanning settings and alert management. Disabling repository-level security products can create blind spots in vulnerability detection for the specific repository.
+The non-traversable `GH_ManageRepoSecurityProducts` edge represents a role's ability to manage repository-specific security product settings. This permission is available to Admin roles and custom roles that have been granted this specific permission. Unlike the broader [GH_ManageSecurityProducts](/opengraph/extensions/githound/reference/edges/gh_managesecurityproducts) permission, this edge is scoped to repository-level security configuration such as repository-specific scanning settings and alert management. Disabling repository-level security products can create blind spots in vulnerability detection for the specific repository.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesecurityproducts.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesecurityproducts.mdx
index 4f85ea4..d0fddbf 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesecurityproducts.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesecurityproducts.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_ManageSecurityProducts](/opengraph/extensions/githound/reference/edges/gh_managesecurityproducts) edge represents a role's ability to manage security product settings on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Managing security products allows enabling or disabling features such as secret scanning, code scanning, and Dependabot alerts. An attacker with this permission could disable security features to prevent detection of vulnerabilities or leaked secrets, making this a high-severity permission for security posture management.
+The non-traversable `GH_ManageSecurityProducts` edge represents a role's ability to manage security product settings on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Managing security products allows enabling or disabling features such as secret scanning, code scanning, and Dependabot alerts. An attacker with this permission could disable security features to prevent detection of vulnerabilities or leaked secrets, making this a high-severity permission for security posture management.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingsmergetypes.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingsmergetypes.mdx
index 2cbc3f3..442970e 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingsmergetypes.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingsmergetypes.mdx
@@ -11,7 +11,7 @@ Traversable: ❌
 | Start | Kind | End |
 |-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_ManageSettingsMergeTypes](/opengraph/extensions/githound/reference/edges/gh_managesettingsmergetypes) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ManageSettingsMergeTypes | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
 ```mermaid
 flowchart LR
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_ManageSettingsMergeTypes](/opengraph/extensions/githound/reference/edges/gh_managesettingsmergetypes) edge represents a role's ability to configure allowed merge types (merge commit, squash, rebase) on the repository. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_ManageSettingsMergeTypes` edge represents a role's ability to configure allowed merge types (merge commit, squash, rebase) on the repository. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingspages.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingspages.mdx
index 568ae64..6addbce 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingspages.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingspages.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_ManageSettingsPages](/opengraph/extensions/githound/reference/edges/gh_managesettingspages) edge represents a role's ability to manage GitHub Pages settings including enabling, disabling, and configuring the source. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_ManageSettingsPages` edge represents a role's ability to manage GitHub Pages settings including enabling, disabling, and configuring the source. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingsprojects.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingsprojects.mdx
index 1210b15..1e9fa88 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingsprojects.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingsprojects.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_ManageSettingsProjects](/opengraph/extensions/githound/reference/edges/gh_managesettingsprojects) edge represents a role's ability to manage project board settings on the repository. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_ManageSettingsProjects` edge represents a role's ability to manage project board settings on the repository. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingswiki.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingswiki.mdx
index e750ed0..02d3006 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingswiki.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingswiki.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_ManageSettingsWiki](/opengraph/extensions/githound/reference/edges/gh_managesettingswiki) edge represents a role's ability to enable or disable the repository wiki. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_ManageSettingsWiki` edge represents a role's ability to enable or disable the repository wiki. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managetopics.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managetopics.mdx
index 0d9fc02..4f70fd5 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managetopics.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managetopics.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_ManageTopics](/opengraph/extensions/githound/reference/edges/gh_managetopics) edge represents a role's ability to manage repository topics used for discovery and classification. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_ManageTopics` edge represents a role's ability to manage repository topics used for discovery and classification. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managewebhooks.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managewebhooks.mdx
index b66f972..a2aa4e6 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managewebhooks.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managewebhooks.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_ManageWebhooks](/opengraph/extensions/githound/reference/edges/gh_managewebhooks) edge represents a role's ability to create, modify, and delete repository-level webhooks. This permission is available to Admin roles and custom roles that have been granted this specific permission. Webhooks can exfiltrate repository events and code changes to external endpoints, making this a security-sensitive permission. An attacker with this permission could configure a webhook to receive push event payloads containing commit diffs, effectively creating a covert channel for data exfiltration.
+The non-traversable `GH_ManageWebhooks` edge represents a role's ability to create, modify, and delete repository-level webhooks. This permission is available to Admin roles and custom roles that have been granted this specific permission. Webhooks can exfiltrate repository events and code changes to external endpoints, making this a security-sensitive permission. An attacker with this permission could configure a webhook to receive push event payloads containing commit diffs, effectively creating a covert channel for data exfiltration.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_mapstouser.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_mapstouser.mdx
index bad3328..c50c87b 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_mapstouser.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_mapstouser.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_MapsToUser](/opengraph/extensions/githound/reference/edges/gh_mapstouser) edge maps an external identity (provisioned via SAML or SCIM) to a GitHub user within the organization, or to an external IdP user (such as [AZUser](/resources/nodes/az-user), [Okta_User](/opengraph/extensions/oktahound/reference/nodes/okta_user), or [PingOneUser](https://github.com/andyrobbins/PingOneHound?tab=readme-ov-file#schema)) in hybrid graph scenarios. It is created by `Git-HoundGraphQlSamlProvider` for SAML-linked identities and `Git-HoundScimUser` for SCIM-provisioned identities. This edge represents identity correlation rather than an attack path, connecting a user's external IdP account to their GitHub account for visibility into federated identity mappings.
+The non-traversable `GH_MapsToUser` edge maps an external identity (provisioned via SAML or SCIM) to a GitHub user within the organization, or to an external IdP user (such as [AZUser](/resources/nodes/az-user), [Okta_User](/opengraph/extensions/oktahound/reference/nodes/okta_user), or [PingOneUser](https://github.com/andyrobbins/PingOneHound?tab=readme-ov-file#schema)) in hybrid graph scenarios. It is created by `Git-HoundGraphQlSamlProvider` for SAML-linked identities and `Git-HoundScimUser` for SCIM-provisioned identities. This edge represents identity correlation rather than an attack path, connecting a user's external IdP account to their GitHub account for visibility into federated identity mappings.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_markasduplicate.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_markasduplicate.mdx
index a7975d1..b761942 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_markasduplicate.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_markasduplicate.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_MarkAsDuplicate](/opengraph/extensions/githound/reference/edges/gh_markasduplicate) edge represents a role's ability to mark issues or pull requests as duplicates. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_MarkAsDuplicate` edge represents a role's ability to mark issues or pull requests as duplicates. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_memberof.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_memberof.mdx
index ef7e160..ef7b854 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_memberof.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_memberof.mdx
@@ -24,4 +24,4 @@ flowchart LR
 ## General Information
-The traversable [GH_MemberOf](/opengraph/extensions/githound/reference/edges/gh_memberof) edge represents team membership, linking a team role to its parent team or a child team to a parent team in nested team hierarchies. It is created by `Git-HoundTeam` during team enumeration. This edge is traversable because team membership extends access transitively -- a user who holds a role in a child team inherits the repository permissions of all ancestor teams in the nesting hierarchy, making it a key component of attack path analysis.
+The traversable `GH_MemberOf` edge represents team membership, linking a team role to its parent team or a child team to a parent team in nested team hierarchies. It is created by `Git-HoundTeam` during team enumeration. This edge is traversable because team membership extends access transitively -- a user who holds a role in a child team inherits the repository permissions of all ancestor teams in the nesting hierarchy, making it a key component of attack path analysis.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgbypasscodescanningdismissalrequests.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgbypasscodescanningdismissalrequests.mdx
index abfaa69..48dfb42 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgbypasscodescanningdismissalrequests.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgbypasscodescanningdismissalrequests.mdx
@@ -11,4 +11,4 @@ Traversable: ❌
 ## General Information
-The non-traversable [GH_OrgBypassCodeScanningDismissalRequests](/opengraph/extensions/githound/reference/edges/gh_orgbypasscodescanningdismissalrequests) edge represents that a role can bypass code scanning dismissal requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. This permission allows suppressing code scanning security findings without the standard review process, which is significant because an attacker could use it to hide vulnerabilities or malicious code patterns that would otherwise be flagged by automated scanning tools.
+The non-traversable `GH_OrgBypassCodeScanningDismissalRequests` edge represents that a role can bypass code scanning dismissal requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. This permission allows suppressing code scanning security findings without the standard review process, which is significant because an attacker could use it to hide vulnerabilities or malicious code patterns that would otherwise be flagged by automated scanning tools.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgbypasssecretscanningclosurerequests.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgbypasssecretscanningclosurerequests.mdx
index 0116f1d..6821a60 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgbypasssecretscanningclosurerequests.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgbypasssecretscanningclosurerequests.mdx
@@ -11,4 +11,4 @@ Traversable: ❌
 ## General Information
-The non-traversable [GH_OrgBypassSecretScanningClosureRequests](/opengraph/extensions/githound/reference/edges/gh_orgbypasssecretscanningclosurerequests) edge represents that a role can bypass secret scanning closure requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. This permission allows closing secret scanning alerts without going through the standard review and approval process, which is significant because an attacker could use it to suppress alerts about leaked credentials and prevent incident response teams from being notified.
+The non-traversable `GH_OrgBypassSecretScanningClosureRequests` edge represents that a role can bypass secret scanning closure requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. This permission allows closing secret scanning alerts without going through the standard review and approval process, which is significant because an attacker could use it to suppress alerts about leaked credentials and prevent incident response teams from being notified.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgreviewandmanagesecretscanningbypassrequests.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgreviewandmanagesecretscanningbypassrequests.mdx
index d8ace9a..c2fc5c4 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgreviewandmanagesecretscanningbypassrequests.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgreviewandmanagesecretscanningbypassrequests.mdx
@@ -11,4 +11,4 @@ Traversable: ❌
 ## General Information
-The non-traversable [GH_OrgReviewAndManageSecretScanningBypassRequests](/opengraph/extensions/githound/reference/edges/gh_orgreviewandmanagesecretscanningbypassrequests) edge represents that a role can review and manage secret scanning push protection bypass requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. Push protection prevents secrets from being committed to repositories, and bypass requests allow developers to override this protection for specific commits. An attacker with this permission could approve their own or an accomplice's bypass requests, allowing secrets to be committed to repositories without triggering push protection blocks.
+The non-traversable `GH_OrgReviewAndManageSecretScanningBypassRequests` edge represents that a role can review and manage secret scanning push protection bypass requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. Push protection prevents secrets from being committed to repositories, and bypass requests allow developers to override this protection for specific commits. An attacker with this permission could approve their own or an accomplice's bypass requests, allowing secrets to be committed to repositories without triggering push protection blocks.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgreviewandmanagesecretscanningclosurerequests.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgreviewandmanagesecretscanningclosurerequests.mdx
index d198e48..60a4b83 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgreviewandmanagesecretscanningclosurerequests.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgreviewandmanagesecretscanningclosurerequests.mdx
@@ -11,4 +11,4 @@ Traversable: ❌
 ## General Information
-The non-traversable [GH_OrgReviewAndManageSecretScanningClosureRequests](/opengraph/extensions/githound/reference/edges/gh_orgreviewandmanagesecretscanningclosurerequests) edge represents that a role can review and manage secret scanning alert closure requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. Alert closure requests are part of the workflow for closing secret scanning alerts, and this permission controls who can approve or deny those requests. An attacker with this permission could approve closure requests to suppress alerts about actively leaked credentials, undermining the organization's secret scanning remediation process.
+The non-traversable `GH_OrgReviewAndManageSecretScanningClosureRequests` edge represents that a role can review and manage secret scanning alert closure requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. Alert closure requests are part of the workflow for closing secret scanning alerts, and this permission controls who can approve or deny those requests. An attacker with this permission could approve closure requests to suppress alerts about actively leaked credentials, undermining the organization's secret scanning remediation process.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_owns.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_owns.mdx
index 2f7b05e..9a187d4 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_owns.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_owns.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The traversable [GH_Owns](/opengraph/extensions/githound/reference/edges/gh_owns) edge represents that an organization owns a repository. Created by `Git-HoundRepository`, this edge establishes the foundation of the access control model by linking repositories to their owning organization. It is traversable because repository ownership is a critical relationship for understanding how organizational permissions cascade down to repository-level access, making it essential for attack path analysis.
+The traversable `GH_Owns` edge represents that an organization owns a repository. Created by `Git-HoundRepository`, this edge establishes the foundation of the access control model by linking repositories to their owning organization. It is traversable because repository ownership is a critical relationship for understanding how organizational permissions cascade down to repository-level access, making it essential for attack path analysis.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_protectedby.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_protectedby.mdx
index 436816a..0a73487 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_protectedby.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_protectedby.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_ProtectedBy](/opengraph/extensions/githound/reference/edges/gh_protectedby) edge represents that a branch protection rule applies to a specific branch. Created by `Git-HoundBranch` when branch protection rules are collected, this edge links protection rules to the branches they govern. Understanding which protections apply to a branch is critical for determining the effective access model — protections such as required reviews, status checks, and push restrictions directly impact who can modify a branch. This edge is consumed by the computed edge functions (`Compute-GitHoundBranchAccess`) to determine effective push access; the computed [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) and [GH_CanEditProtection](/opengraph/extensions/githound/reference/edges/gh_caneditprotection) edges carry traversability instead.
+The non-traversable `GH_ProtectedBy` edge represents that a branch protection rule applies to a specific branch. Created by `Git-HoundBranch` when branch protection rules are collected, this edge links protection rules to the branches they govern. Understanding which protections apply to a branch is critical for determining the effective access model — protections such as required reviews, status checks, and push restrictions directly impact who can modify a branch. This edge is consumed by the computed edge functions (`Compute-GitHoundBranchAccess`) to determine effective push access; the computed [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) and [GH_CanEditProtection](/opengraph/extensions/githound/reference/edges/gh_caneditprotection) edges carry traversability instead.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch.mdx
index 6882acc..dd30afd 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_PushProtectedBranch](/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch) edge represents a role's ability to push directly to branches that are protected by push restrictions. This permission is available to Admin and Maintain roles. This edge bypasses the push gate of branch protection, allowing direct commits to protected branches without going through the pull request workflow. Unlike merge gate bypasses (such as [GH_BypassBranchProtection](/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection)), this push gate bypass is NOT suppressed by the `enforce_admins` setting on the branch protection rule, making it a particularly potent permission.
+The non-traversable `GH_PushProtectedBranch` edge represents a role's ability to push directly to branches that are protected by push restrictions. This permission is available to Admin and Maintain roles. This edge bypasses the push gate of branch protection, allowing direct commits to protected branches without going through the pull request workflow. Unlike merge gate bypasses (such as [GH_BypassBranchProtection](/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection)), this push gate bypass is NOT suppressed by the `enforce_admins` setting on the branch protection rule, making it a particularly potent permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readcodescanning.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readcodescanning.mdx
index ee5e08e..3da4f51 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readcodescanning.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readcodescanning.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_ReadCodeScanning](/opengraph/extensions/githound/reference/edges/gh_readcodescanning) edge represents a role's ability to read code scanning analysis results and alerts. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. Code scanning alerts may reveal exploitable vulnerabilities in the codebase.
+The non-traversable `GH_ReadCodeScanning` edge represents a role's ability to read code scanning analysis results and alerts. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. Code scanning alerts may reveal exploitable vulnerabilities in the codebase.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationactionsusagemetrics.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationactionsusagemetrics.mdx
index f2c3b13..3b458d6 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationactionsusagemetrics.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationactionsusagemetrics.mdx
@@ -11,4 +11,4 @@ Traversable: ❌
 ## General Information
-The non-traversable [GH_ReadOrganizationActionsUsageMetrics](/opengraph/extensions/githound/reference/edges/gh_readorganizationactionsusagemetrics) edge represents that a role can read GitHub Actions usage metrics for the organization. This edge is dynamically generated from custom organization role permissions discovered by the collector. Usage metrics provide visibility into workflow execution patterns, runner utilization, and billing data across the organization. While this is primarily an informational permission, it can reveal which repositories have active CI/CD pipelines and the scale of automation in use.
+The non-traversable `GH_ReadOrganizationActionsUsageMetrics` edge represents that a role can read GitHub Actions usage metrics for the organization. This edge is dynamically generated from custom organization role permissions discovered by the collector. Usage metrics provide visibility into workflow execution patterns, runner utilization, and billing data across the organization. While this is primarily an informational permission, it can reveal which repositories have active CI/CD pipelines and the scale of automation in use.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationcustomorgrole.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationcustomorgrole.mdx
index 3d0d73a..9c2a8d5 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationcustomorgrole.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationcustomorgrole.mdx
@@ -11,4 +11,4 @@ Traversable: ❌
 ## General Information
-The non-traversable [GH_ReadOrganizationCustomOrgRole](/opengraph/extensions/githound/reference/edges/gh_readorganizationcustomorgrole) edge represents that a role can read custom organization role definitions. This edge is dynamically generated from custom organization role permissions discovered by the collector. Reading custom org role definitions allows a user to enumerate the permissions granted to each custom role, which provides reconnaissance value for understanding the organization's access control model and identifying roles with elevated privileges.
+The non-traversable `GH_ReadOrganizationCustomOrgRole` edge represents that a role can read custom organization role definitions. This edge is dynamically generated from custom organization role permissions discovered by the collector. Reading custom org role definitions allows a user to enumerate the permissions granted to each custom role, which provides reconnaissance value for understanding the organization's access control model and identifying roles with elevated privileges.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationcustomreporole.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationcustomreporole.mdx
index c466a88..9f1621e 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationcustomreporole.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationcustomreporole.mdx
@@ -11,4 +11,4 @@ Traversable: ❌
 ## General Information
-The non-traversable [GH_ReadOrganizationCustomRepoRole](/opengraph/extensions/githound/reference/edges/gh_readorganizationcustomreporole) edge represents that a role can read custom repository role definitions. This edge is dynamically generated from custom organization role permissions discovered by the collector. Reading custom repo role definitions allows a user to enumerate the permissions granted to each custom repository role, which provides reconnaissance value for understanding repository-level access controls and identifying roles that grant elevated repository permissions.
+The non-traversable `GH_ReadOrganizationCustomRepoRole` edge represents that a role can read custom repository role definitions. This edge is dynamically generated from custom organization role permissions discovered by the collector. Reading custom repo role definitions allows a user to enumerate the permissions granted to each custom repository role, which provides reconnaissance value for understanding repository-level access controls and identifying roles that grant elevated repository permissions.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readrepocontents.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readrepocontents.mdx
index fb1bb13..882cd91 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readrepocontents.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readrepocontents.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_ReadRepoContents](/opengraph/extensions/githound/reference/edges/gh_readrepocontents) edge represents a role's ability to read repository contents including source code, issues, and pull requests. This is the base level of repository access, available to all roles at the Read permission level and above (Read, Triage, Write, Maintain, Admin).
+The non-traversable `GH_ReadRepoContents` edge represents a role's ability to read repository contents including source code, issues, and pull requests. This is the base level of repository access, available to all roles at the Read permission level and above (Read, Triage, Write, Maintain, Admin).
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_removeassignee.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_removeassignee.mdx
index c71ea73..5dc1f5b 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_removeassignee.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_removeassignee.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_RemoveAssignee](/opengraph/extensions/githound/reference/edges/gh_removeassignee) edge represents a role's ability to remove assignees from issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_RemoveAssignee` edge represents a role's ability to remove assignees from issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_removelabel.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_removelabel.mdx
index fd5ea7b..aeb8d87 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_removelabel.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_removelabel.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_RemoveLabel](/opengraph/extensions/githound/reference/edges/gh_removelabel) edge represents a role's ability to remove labels from issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_RemoveLabel` edge represents a role's ability to remove labels from issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopendiscussion.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopendiscussion.mdx
index 287ad49..0ba49ce 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopendiscussion.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopendiscussion.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_ReopenDiscussion](/opengraph/extensions/githound/reference/edges/gh_reopendiscussion) edge represents a role's ability to reopen closed discussions to allow further replies. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_ReopenDiscussion` edge represents a role's ability to reopen closed discussions to allow further replies. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopenissue.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopenissue.mdx
index aa7030c..7dd4d59 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopenissue.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopenissue.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_ReopenIssue](/opengraph/extensions/githound/reference/edges/gh_reopenissue) edge represents a role's ability to reopen closed issues. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_ReopenIssue` edge represents a role's ability to reopen closed issues. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopenpullrequest.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopenpullrequest.mdx
index 8f35857..2038977 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopenpullrequest.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopenpullrequest.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_ReopenPullRequest](/opengraph/extensions/githound/reference/edges/gh_reopenpullrequest) edge represents a role's ability to reopen closed pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_ReopenPullRequest` edge represents a role's ability to reopen closed pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_requestprreview.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_requestprreview.mdx
index 34531cd..a64b859 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_requestprreview.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_requestprreview.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_RequestPrReview](/opengraph/extensions/githound/reference/edges/gh_requestprreview) edge represents a role's ability to request pull request reviews from specific users or teams. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_RequestPrReview` edge represents a role's ability to request pull request reviews from specific users or teams. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_resolvedependabotalerts.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_resolvedependabotalerts.mdx
index b4c1b2f..365fd7c 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_resolvedependabotalerts.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_resolvedependabotalerts.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_ResolveDependabotAlerts](/opengraph/extensions/githound/reference/edges/gh_resolvedependabotalerts) edge represents a role's ability to dismiss or resolve Dependabot alerts. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. An attacker could dismiss valid alerts to suppress vulnerability warnings and prevent remediation.
+The non-traversable `GH_ResolveDependabotAlerts` edge represents a role's ability to dismiss or resolve Dependabot alerts. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. An attacker could dismiss valid alerts to suppress vulnerability warnings and prevent remediation.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_resolvesecretscanningalerts.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_resolvesecretscanningalerts.mdx
index bcf707a..2445e04 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_resolvesecretscanningalerts.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_resolvesecretscanningalerts.mdx
@@ -26,4 +26,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_ResolveSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_resolvesecretscanningalerts) edge represents that a role can resolve (close) secret scanning alerts at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. Resolving a secret scanning alert marks a leaked secret as addressed, which removes it from active monitoring dashboards. An attacker with this permission could suppress alerts about leaked credentials to prevent incident response teams from detecting and rotating compromised secrets.
+The non-traversable `GH_ResolveSecretScanningAlerts` edge represents that a role can resolve (close) secret scanning alerts at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. Resolving a secret scanning alert marks a leaked secret as addressed, which removes it from active monitoring dashboards. An attacker with this permission could suppress alerts about leaked credentials to prevent incident response teams from detecting and rotating compromised secrets.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_restrictionscanpush.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_restrictionscanpush.mdx
index 3d852c0..bc58f98 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_restrictionscanpush.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_restrictionscanpush.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_RestrictionsCanPush](/opengraph/extensions/githound/reference/edges/gh_restrictionscanpush) edge represents a per-actor allowance that grants push access through push restrictions on a branch protection rule. Created by `Git-HoundBranch` when collecting BPR push allowances, this edge identifies specific users or teams that are permitted to push to the protected branch even when push restrictions are active. This is security-relevant because push restrictions limit who can directly push to a branch, and actors with this allowance bypass that control. Unlike [GH_BypassPullRequestAllowances](/opengraph/extensions/githound/reference/edges/gh_bypasspullrequestallowances), this allowance is NOT suppressed by `enforce_admins` — listed actors retain push access regardless of admin enforcement settings.
+The non-traversable `GH_RestrictionsCanPush` edge represents a per-actor allowance that grants push access through push restrictions on a branch protection rule. Created by `Git-HoundBranch` when collecting BPR push allowances, this edge identifies specific users or teams that are permitted to push to the protected branch even when push restrictions are active. This is security-relevant because push restrictions limit who can directly push to a branch, and actors with this allowance bypass that control. Unlike [GH_BypassPullRequestAllowances](/opengraph/extensions/githound/reference/edges/gh_bypasspullrequestallowances), this allowance is NOT suppressed by `enforce_admins` — listed actors retain push access regardless of admin enforcement settings.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_runorgmigration.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_runorgmigration.mdx
index ce44776..9ddbbdb 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_runorgmigration.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_runorgmigration.mdx
@@ -11,7 +11,7 @@ Traversable: ❌
 | Start | Kind | End |
 |-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_RunOrgMigration](/opengraph/extensions/githound/reference/edges/gh_runorgmigration) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_RunOrgMigration | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
 ```mermaid
 flowchart LR
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_RunOrgMigration](/opengraph/extensions/githound/reference/edges/gh_runorgmigration) edge represents a role's ability to run organization migrations on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Organization migrations export repository data including source code, issues, and pull requests, which can be used to transfer repository contents to another organization. This permission is security-relevant because it enables bulk data export from the repository.
+The non-traversable `GH_RunOrgMigration` edge represents a role's ability to run organization migrations on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Organization migrations export repository data including source code, issues, and pull requests, which can be used to transfer repository contents to another organization. This permission is security-relevant because it enables bulk data export from the repository.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setinteractionlimits.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setinteractionlimits.mdx
index 0482d38..39ba15c 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setinteractionlimits.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setinteractionlimits.mdx
@@ -11,7 +11,7 @@ Traversable: ❌
 | Start | Kind | End |
 |-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_SetInteractionLimits](/opengraph/extensions/githound/reference/edges/gh_setinteractionlimits) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_SetInteractionLimits | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
 ```mermaid
 flowchart LR
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_SetInteractionLimits](/opengraph/extensions/githound/reference/edges/gh_setinteractionlimits) edge represents a role's ability to set temporary interaction limits to restrict who can comment, open issues, or create pull requests. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_SetInteractionLimits` edge represents a role's ability to set temporary interaction limits to restrict who can comment, open issues, or create pull requests. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setissuetype.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setissuetype.mdx
index 47ac743..3d94781 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setissuetype.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setissuetype.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_SetIssueType](/opengraph/extensions/githound/reference/edges/gh_setissuetype) edge represents a role's ability to set issue types. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_SetIssueType` edge represents a role's ability to set issue types. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setmilestone.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setmilestone.mdx
index bf66a6b..78f49c8 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setmilestone.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setmilestone.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_SetMilestone](/opengraph/extensions/githound/reference/edges/gh_setmilestone) edge represents a role's ability to set milestones on issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_SetMilestone` edge represents a role's ability to set milestones on issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setsocialpreview.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setsocialpreview.mdx
index 7d8d434..914c3bc 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setsocialpreview.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setsocialpreview.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_SetSocialPreview](/opengraph/extensions/githound/reference/edges/gh_setsocialpreview) edge represents a role's ability to set the repository social preview image shown in link previews. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_SetSocialPreview` edge represents a role's ability to set the repository social preview image shown in link previews. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_syncedto.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_syncedto.mdx
index 2489c3f..3d094c4 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_syncedto.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_syncedto.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The traversable [GH_SyncedTo](/opengraph/extensions/githound/reference/edges/gh_syncedto) edge is a hybrid edge that maps an external IdP user to a GitHub user based on SCIM provisioning. Created by `Git-HoundScimUser` when SCIM data links an external identity to a GitHub account, this edge represents a confirmed identity linkage between an external identity provider and GitHub. It is traversable because compromising the IdP account provides a verified path to the corresponding GitHub account, making it a critical edge for cross-system attack path analysis. This edge enables analysts to trace access from enterprise identity providers like Azure AD, Okta, or PingOne into the GitHub environment.
+The traversable `GH_SyncedTo` edge is a hybrid edge that maps an external IdP user to a GitHub user based on SCIM provisioning. Created by `Git-HoundScimUser` when SCIM data links an external identity to a GitHub account, this edge represents a confirmed identity linkage between an external identity provider and GitHub. It is traversable because compromising the IdP account provides a verified path to the corresponding GitHub account, making it a critical edge for cross-system attack path analysis. This edge enables analysts to trace access from enterprise identity providers like Azure AD, Okta, or PingOne into the GitHub environment.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_togglediscussionanswer.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_togglediscussionanswer.mdx
index 0bbd61d..57d48a5 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_togglediscussionanswer.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_togglediscussionanswer.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_ToggleDiscussionAnswer](/opengraph/extensions/githound/reference/edges/gh_togglediscussionanswer) edge represents a role's ability to mark or unmark a discussion comment as the accepted answer. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_ToggleDiscussionAnswer` edge represents a role's ability to mark or unmark a discussion comment as the accepted answer. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_togglediscussioncommentminimize.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_togglediscussioncommentminimize.mdx
index 83c995b..4944ac0 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_togglediscussioncommentminimize.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_togglediscussioncommentminimize.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_ToggleDiscussionCommentMinimize](/opengraph/extensions/githound/reference/edges/gh_togglediscussioncommentminimize) edge represents a role's ability to minimize or restore discussion comments, hiding them from default view. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable `GH_ToggleDiscussionCommentMinimize` edge represents a role's ability to minimize or restore discussion comments, hiding them from default view. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_transferrepository.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_transferrepository.mdx
index 30ecd51..499cffd 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_transferrepository.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_transferrepository.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_TransferRepository](/opengraph/extensions/githound/reference/edges/gh_transferrepository) edge represents that a role has the ability to transfer repositories to or from the organization. This permission is typically restricted to Owners, as transferring a repository can move it outside of the organization's security controls, branch protection rules, and audit logging. An attacker with this permission could transfer a repository to an organization they control, effectively exfiltrating the codebase and its associated secrets.
+The non-traversable `GH_TransferRepository` edge represents that a role has the ability to transfer repositories to or from the organization. This permission is typically restricted to Owners, as transferring a repository can move it outside of the organization's security controls, branch protection rules, and audit logging. An attacker with this permission could transfer a repository to an organization they control, effectively exfiltrating the codebase and its associated secrets.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_usessecret.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_usessecret.mdx
index e59c8bf..8fd7739 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_usessecret.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_usessecret.mdx
@@ -11,7 +11,7 @@ Traversable: ✅
 ## General Information
-The traversable [GH_UsesSecret](/opengraph/extensions/githound/reference/edges/gh_usessecret) edge links a workflow step to the secret it references via a `${{ secrets.NAME }}` expression. Created by `Parse-GitHoundWorkflow`, this edge reveals which secrets a step can access at runtime, enabling analysts to trace the blast radius of a compromised workflow.
+The traversable `GH_UsesSecret` edge links a workflow step to the secret it references via a `${{ secrets.NAME }}` expression. Created by `Parse-GitHoundWorkflow`, this edge reveals which secrets a step can access at runtime, enabling analysts to trace the blast radius of a compromised workflow.
 ### Matching strategy
@@ -20,7 +20,7 @@ Edges use `match_by: property` with two matchers to disambiguate between secrets
 - **GH_RepoSecret** is matched by `name` + `repository_id` (the GitHub node_id of the repository).
 - **GH_OrgSecret** is matched by `name` + `environmentid` (the node_id of the organization, which acts as the org-level secret scope).
-This means one `${{ secrets.MY_SECRET }}` expression in a workflow can produce up to two [GH_UsesSecret](/opengraph/extensions/githound/reference/edges/gh_usessecret) edges — one to the repo-level secret and one to the org-level secret — reflecting that either could supply the value at runtime depending on scope precedence.
+This means one `${{ secrets.MY_SECRET }}` expression in a workflow can produce up to two `GH_UsesSecret` edges — one to the repo-level secret and one to the org-level secret — reflecting that either could supply the value at runtime depending on scope precedence.
 ### Context property
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_usesvariable.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_usesvariable.mdx
index 6e78580..9221023 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_usesvariable.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_usesvariable.mdx 
@@ -11,16 +11,16 @@ Traversable: ❌
 ## General Information
-The non-traversable [GH_UsesVariable](/opengraph/extensions/githound/reference/edges/gh_usesvariable) edge links a workflow step to the variable it references via a `${{ vars.NAME }}` expression. Created by `Parse-GitHoundWorkflow`, this edge maps variable consumption within workflows. Unlike secrets, variable values are readable via the API, making them lower sensitivity — but they can still influence workflow behavior (e.g., controlling target environments or feature flags).
+The non-traversable `GH_UsesVariable` edge links a workflow step to the variable it references via a `${{ vars.NAME }}` expression. Created by `Parse-GitHoundWorkflow`, this edge maps variable consumption within workflows. Unlike secrets, variable values are readable via the API, making them lower sensitivity — but they can still influence workflow behavior (e.g., controlling target environments or feature flags).
 ### Matching strategy
 Edges use `match_by: property` with two matchers to disambiguate between variables with the same name across repositories:
 - **GH_RepoVariable** is matched by `name` + `repository_id` (the GitHub node_id of the repository).
-- **GH_OrgVariable** is matched by `name` + `environmentid` (the node_id of the organization, which acts as the org-level variable scope).
+- **[GH_OrgVariable](/opengraph/extensions/githound/reference/nodes/gh_orgvariable)** is matched by `name` + `environmentid` (the node_id of the organization, which acts as the org-level variable scope).
-This means one `${{ vars.MY_VAR }}` expression can produce up to two [GH_UsesVariable](/opengraph/extensions/githound/reference/edges/gh_usesvariable) edges — one to the repo-level variable and one to the org-level variable.
+This means one `${{ vars.MY_VAR }}` expression can produce up to two `GH_UsesVariable` edges — one to the repo-level variable and one to the org-level variable.
 ### Context property
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_validtoken.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_validtoken.mdx
index 68403d5..a5a9495 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_validtoken.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_validtoken.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The traversable [GH_ValidToken](/opengraph/extensions/githound/reference/edges/gh_validtoken) edge represents a secret scanning alert that contains a valid, active GitHub Personal Access Token belonging to a specific user. Created by `Git-HoundSecretScanningAlert`, this edge is only emitted when the alert's state is `open`, the secret type is `github_personal_access_token`, and the token is confirmed valid by calling the GitHub API. This edge is traversable because possessing the leaked token grants the ability to act as the token's owner, effectively compromising that user's identity and all permissions granted to the token.
+The traversable `GH_ValidToken` edge represents a secret scanning alert that contains a valid, active GitHub Personal Access Token belonging to a specific user. Created by `Git-HoundSecretScanningAlert`, this edge is only emitted when the alert's state is `open`, the secret type is `github_personal_access_token`, and the token is confirmed valid by calling the GitHub API. This edge is traversable because possessing the leaked token grants the ability to act as the token's owner, effectively compromising that user's identity and all permissions granted to the token.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_viewdependabotalerts.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_viewdependabotalerts.mdx
index b5894f7..a8aac7f 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_viewdependabotalerts.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_viewdependabotalerts.mdx
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_ViewDependabotAlerts](/opengraph/extensions/githound/reference/edges/gh_viewdependabotalerts) edge represents a role's ability to view Dependabot security alerts, which reveal known vulnerabilities in the repository's dependencies. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. This information could be used to identify and exploit unpatched vulnerabilities.
+The non-traversable `GH_ViewDependabotAlerts` edge represents a role's ability to view Dependabot security alerts, which reveal known vulnerabilities in the repository's dependencies. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. This information could be used to identify and exploit unpatched vulnerabilities.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts.mdx
index 7ffe0ad..92ddb02 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts.mdx
@@ -26,4 +26,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_ViewSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts) edge represents that a role can view secret scanning alerts at the organization or repository level. This edge is dynamically generated from custom role permissions discovered by the collector. Secret scanning alerts may reveal details about leaked credentials, including partial or full secret values and the locations where they were detected. This makes the permission significant for security because an attacker with access to view these alerts could harvest exposed credentials for use in lateral movement or privilege escalation.
+The non-traversable `GH_ViewSecretScanningAlerts` edge represents that a role can view secret scanning alerts at the organization or repository level. This edge is dynamically generated from custom role permissions discovered by the collector. Secret scanning alerts may reveal details about leaked credentials, including partial or full secret values and the locations where they were detected. This makes the permission significant for security because an attacker with access to view these alerts could harvest exposed credentials for use in lateral movement or privilege escalation.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writecodescanning.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writecodescanning.mdx
index 97cbd5d..adce611 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writecodescanning.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writecodescanning.mdx
@@ -11,7 +11,7 @@ Traversable: ❌
 | Start | Kind | End |
 |-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_WriteCodeScanning](/opengraph/extensions/githound/reference/edges/gh_writecodescanning) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
+| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_WriteCodeScanning | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
 ```mermaid
 flowchart LR
@@ -22,4 +22,4 @@ flowchart LR
 ## General Information
-The non-traversable [GH_WriteCodeScanning](/opengraph/extensions/githound/reference/edges/gh_writecodescanning) edge represents a role's ability to upload code scanning analysis results. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. An attacker could upload falsified SARIF results to suppress real alerts or inject misleading findings.
+The non-traversable `GH_WriteCodeScanning` edge represents a role's ability to upload code scanning analysis results. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. An attacker could upload falsified SARIF results to suppress real alerts or inject misleading findings.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionssecrets.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionssecrets.mdx
index a135d15..0d5e0f2 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionssecrets.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionssecrets.mdx
@@ -11,4 +11,4 @@ Traversable: ❌
 ## General Information
-The non-traversable [GH_WriteOrganizationActionsSecrets](/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionssecrets) edge represents that a role can write organization-level GitHub Actions secrets. This edge is dynamically generated from custom organization role permissions discovered by the collector. Organization-level secrets are available to workflows across multiple repositories and often contain credentials for external systems such as cloud providers, package registries, and deployment targets. An attacker with this permission could overwrite existing secrets to inject malicious credentials or create new secrets to facilitate lateral movement.
+The non-traversable `GH_WriteOrganizationActionsSecrets` edge represents that a role can write organization-level GitHub Actions secrets. This edge is dynamically generated from custom organization role permissions discovered by the collector. Organization-level secrets are available to workflows across multiple repositories and often contain credentials for external systems such as cloud providers, package registries, and deployment targets. An attacker with this permission could overwrite existing secrets to inject malicious credentials or create new secrets to facilitate lateral movement.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionssettings.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionssettings.mdx
index 511dfd8..77f6925 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionssettings.mdx
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionssettings.mdx
@@ -11,4 +11,4 @@ Traversable: ❌ ## General Information -The non-traversable [GH_WriteOrganizationActionsSettings](/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionssettings) edge represents that a role can modify organization-level GitHub Actions settings. This edge is dynamically generated from custom organization role permissions discovered by the collector. These settings control which actions are allowed to run within the organization and the default permissions granted to the `GITHUB_TOKEN` in workflows. An attacker with this permission could weaken restrictions to allow untrusted third-party actions or elevate default token permissions to enable write access across repositories. +The non-traversable `GH_WriteOrganizationActionsSettings` edge represents that a role can modify organization-level GitHub Actions settings. This edge is dynamically generated from custom organization role permissions discovered by the collector. These settings control which actions are allowed to run within the organization and the default permissions granted to the `GITHUB_TOKEN` in workflows. An attacker with this permission could weaken restrictions to allow untrusted third-party actions or elevate default token permissions to enable write access across repositories. diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionsvariables.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionsvariables.mdx index 9936815..67a1bf9 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionsvariables.mdx +++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionsvariables.mdx 
@@ -11,4 +11,4 @@ Traversable: ❌ ## General Information -The non-traversable [GH_WriteOrganizationActionsVariables](/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionsvariables) edge represents that a role can write organization-level GitHub Actions variables. This edge is dynamically generated from custom organization role permissions discovered by the collector. Organization-level variables are available to workflows across multiple repositories and often contain configuration values such as environment URLs, feature flags, and service endpoints. An attacker with this permission could overwrite existing variables to redirect workflows to malicious endpoints or alter application behavior. +The non-traversable `GH_WriteOrganizationActionsVariables` edge represents that a role can write organization-level GitHub Actions variables. This edge is dynamically generated from custom organization role permissions discovered by the collector. Organization-level variables are available to workflows across multiple repositories and often contain configuration values such as environment URLs, feature flags, and service endpoints. An attacker with this permission could overwrite existing variables to redirect workflows to malicious endpoints or alter application behavior. diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationcustomorgrole.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationcustomorgrole.mdx index 8e5156b..264031f 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationcustomorgrole.mdx +++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationcustomorgrole.mdx 
@@ -11,4 +11,4 @@ Traversable: ✅ ## General Information -The traversable [GH_WriteOrganizationCustomOrgRole](/opengraph/extensions/githound/reference/edges/gh_writeorganizationcustomorgrole) edge represents that a role can create or modify custom organization role definitions. This edge is dynamically generated from custom organization role permissions discovered by the collector. Modifying organization role definitions can escalate privileges because an attacker could add permissions to an existing custom role that is already assigned to their account, including setting the base_role to inherit all_repo_admin. Since this permission can only belong to custom organization roles, the user necessarily holds the role they can modify — guaranteeing a self-escalation path. This makes it a Tier Zero privilege escalation vector. +The traversable `GH_WriteOrganizationCustomOrgRole` edge represents that a role can create or modify custom organization role definitions. This edge is dynamically generated from custom organization role permissions discovered by the collector. Modifying organization role definitions can escalate privileges because an attacker could add permissions to an existing custom role that is already assigned to their account, including setting the base_role to inherit all_repo_admin. Since this permission can only belong to custom organization roles, the user necessarily holds the role they can modify — guaranteeing a self-escalation path. This makes it a Tier Zero privilege escalation vector. diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationcustomreporole.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationcustomreporole.mdx index 45bc626..9fc952f 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationcustomreporole.mdx 
+++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationcustomreporole.mdx @@ -11,4 +11,4 @@ Traversable: ❌ ## General Information -The non-traversable [GH_WriteOrganizationCustomRepoRole](/opengraph/extensions/githound/reference/edges/gh_writeorganizationcustomreporole) edge represents that a role can create or modify custom repository role definitions. This edge is dynamically generated from custom organization role permissions discovered by the collector. Modifying repository role definitions can escalate privileges because an attacker could add permissions such as admin access, bypass branch protections, or secret management to a custom repo role that is already assigned to their account. This makes it a high-impact permission for gaining elevated access to repositories across the organization. +The non-traversable `GH_WriteOrganizationCustomRepoRole` edge represents that a role can create or modify custom repository role definitions. This edge is dynamically generated from custom organization role permissions discovered by the collector. Modifying repository role definitions can escalate privileges because an attacker could add permissions such as admin access, bypass branch protections, or secret management to a custom repo role that is already assigned to their account. This makes it a high-impact permission for gaining elevated access to repositories across the organization. diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationnetworkconfigurations.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationnetworkconfigurations.mdx index 2cac9e4..f23a96d 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationnetworkconfigurations.mdx +++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationnetworkconfigurations.mdx 
@@ -11,4 +11,4 @@ Traversable: ❌ ## General Information -The non-traversable [GH_WriteOrganizationNetworkConfigurations](/opengraph/extensions/githound/reference/edges/gh_writeorganizationnetworkconfigurations) edge represents that a role can modify organization network configurations. This edge is dynamically generated from custom organization role permissions discovered by the collector. Network configurations control how GitHub-hosted runners connect to private resources such as internal APIs, databases, and cloud services. An attacker with this permission could modify network settings to route runner traffic through attacker-controlled infrastructure or grant runners access to previously isolated network segments. +The non-traversable `GH_WriteOrganizationNetworkConfigurations` edge represents that a role can modify organization network configurations. This edge is dynamically generated from custom organization role permissions discovered by the collector. Network configurations control how GitHub-hosted runners connect to private resources such as internal APIs, databases, and cloud services. An attacker with this permission could modify network settings to route runner traffic through attacker-controlled infrastructure or grant runners access to previously isolated network segments. diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writerepocontents.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writerepocontents.mdx index 45e63a9..4ec4fc3 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writerepocontents.mdx +++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writerepocontents.mdx 
@@ -22,4 +22,4 @@ flowchart LR ## General Information -The non-traversable [GH_WriteRepoContents](/opengraph/extensions/githound/reference/edges/gh_writerepocontents) edge represents a role's ability to push commits to the repository. This permission is available to Write, Maintain, and Admin roles. Pushing code can modify application behavior and introduce vulnerabilities, making this a security-significant edge. However, this edge represents only the raw permission; actual branch push capability is determined by the computed [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) edge, which factors in branch protection rules and push restrictions. +The non-traversable `GH_WriteRepoContents` edge represents a role's ability to push commits to the repository. This permission is available to Write, Maintain, and Admin roles. Pushing code can modify application behavior and introduce vulnerabilities, making this a security-significant edge. However, this edge represents only the raw permission; actual branch push capability is determined by the computed [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) edge, which factors in branch protection rules and push restrictions. diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writerepopullrequests.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writerepopullrequests.mdx index 039d68f..8728258 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writerepopullrequests.mdx +++ b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writerepopullrequests.mdx 
@@ -22,4 +22,4 @@ flowchart LR ## General Information -The non-traversable [GH_WriteRepoPullRequests](/opengraph/extensions/githound/reference/edges/gh_writerepopullrequests) edge represents a role's ability to create and merge pull requests in the repository. This permission is available to Write, Maintain, and Admin roles. Pull request merge access is security-significant because merging code into protected branches is a common vector for introducing unauthorized changes; however, actual merge capability on protected branches is further governed by branch protection rules and required reviews. +The non-traversable `GH_WriteRepoPullRequests` edge represents a role's ability to create and merge pull requests in the repository. This permission is available to Write, Maintain, and Admin roles. Pull request merge access is security-significant because merging code into protected branches is a common vector for introducing unauthorized changes; however, actual merge capability on protected branches is further governed by branch protection rules and required reviews. diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_app.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_app.mdx index 3992f63..effaef4 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_app.mdx +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_app.mdx @@ -15,6 +15,10 @@ App definitions are retrieved via the public `GET /apps/{app_slug}` endpoint (no ## Edges + +The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions. + + ```mermaid flowchart LR 
@@ -31,7 +35,7 @@ No incoming edges. | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_App](/opengraph/extensions/githound/reference/nodes/gh_app) | [GH_AppInstallation](/opengraph/extensions/githound/reference/nodes/gh_appinstallation) | [GH_InstalledAs](/opengraph/extensions/githound/reference/edges/gh_installedas) | App is installed as this installation | +| GH_App | [GH_AppInstallation](/opengraph/extensions/githound/reference/nodes/gh_appinstallation) | [GH_InstalledAs](/opengraph/extensions/githound/reference/edges/gh_installedas) | App is installed as this installation | ## Properties diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_appinstallation.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_appinstallation.mdx index 75b2dd4..148a1f3 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_appinstallation.mdx +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_appinstallation.mdx @@ -15,6 +15,10 @@ Each installation is linked to its parent [GH_App](/opengraph/extensions/githoun ## Edges + +The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions. + + ```mermaid flowchart LR 
@@ -31,14 +35,14 @@ flowchart LR | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_AppInstallation](/opengraph/extensions/githound/reference/nodes/gh_appinstallation) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains app installation | -| [GH_App](/opengraph/extensions/githound/reference/nodes/gh_app) | [GH_AppInstallation](/opengraph/extensions/githound/reference/nodes/gh_appinstallation) | [GH_InstalledAs](/opengraph/extensions/githound/reference/edges/gh_installedas) | App is installed as this installation | +| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_AppInstallation | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains app installation | +| [GH_App](/opengraph/extensions/githound/reference/nodes/gh_app) | GH_AppInstallation | [GH_InstalledAs](/opengraph/extensions/githound/reference/edges/gh_installedas) | App is installed as this installation | ### Outbound Edges | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_AppInstallation](/opengraph/extensions/githound/reference/nodes/gh_appinstallation) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CanAccess](/opengraph/extensions/githound/reference/edges/gh_canaccess) | App installation can access repository | +| GH_AppInstallation | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CanAccess](/opengraph/extensions/githound/reference/edges/gh_canaccess) | App installation can access repository | ## Properties diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_branch.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_branch.mdx index 8f4bcf8..f94bad0 100644 
--- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_branch.mdx +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_branch.mdx @@ -13,6 +13,10 @@ Represents a Git branch within a repository. Branch nodes capture basic branch i ## Edges + +The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions. + + ```mermaid flowchart LR 
@@ -36,18 +40,18 @@ flowchart LR | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_HasBranch](/opengraph/extensions/githound/reference/edges/gh_hasbranch) | Repository has branch | -| [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_ProtectedBy](/opengraph/extensions/githound/reference/edges/gh_protectedby) | Branch is protected by rule | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) | Role can push commits to this branch | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_CanEditProtection](/opengraph/extensions/githound/reference/edges/gh_caneditprotection) | Role can modify or remove the branch protection rule governing this branch | -| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) | User can push commits to this branch via actor-level bypass allowances | -| [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) | Team can push commits to this branch via actor-level bypass allowances | +| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_Branch | 
[GH_HasBranch](/opengraph/extensions/githound/reference/edges/gh_hasbranch) | Repository has branch | +| [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) | GH_Branch | [GH_ProtectedBy](/opengraph/extensions/githound/reference/edges/gh_protectedby) | Branch is protected by rule | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Branch | [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) | Role can push commits to this branch | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Branch | [GH_CanEditProtection](/opengraph/extensions/githound/reference/edges/gh_caneditprotection) | Role can modify or remove the branch protection rule governing this branch | +| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_Branch | [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) | User can push commits to this branch via actor-level bypass allowances | +| [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | GH_Branch | [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) | Team can push commits to this branch via actor-level bypass allowances | ### Outbound Edges | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) | [GH_HasEnvironment](/opengraph/extensions/githound/reference/edges/gh_hasenvironment) | Branch pattern can deploy to environment | +| GH_Branch | [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) | [GH_HasEnvironment](/opengraph/extensions/githound/reference/edges/gh_hasenvironment) | Branch pattern can deploy to environment | ## Properties 
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule.mdx index f6f3bcc..8798201 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule.mdx +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule.mdx @@ -44,6 +44,10 @@ Use these edges to identify users and teams with elevated branch permissions: ## Edges + +The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions. + + ```mermaid flowchart LR 
@@ -61,15 +65,15 @@ flowchart LR | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Repository contains branch protection rule | -| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) | [GH_RestrictionsCanPush](/opengraph/extensions/githound/reference/edges/gh_restrictionscanpush) | Actor can push despite push restrictions | -| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) | [GH_BypassPullRequestAllowances](/opengraph/extensions/githound/reference/edges/gh_bypasspullrequestallowances) | Actor can bypass PR review requirements | +| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_BranchProtectionRule | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Repository contains branch protection rule | +| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_BranchProtectionRule | [GH_RestrictionsCanPush](/opengraph/extensions/githound/reference/edges/gh_restrictionscanpush) | Actor can push despite push restrictions | +| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_BranchProtectionRule | [GH_BypassPullRequestAllowances](/opengraph/extensions/githound/reference/edges/gh_bypasspullrequestallowances) | Actor can bypass PR review requirements | ### Outbound Edges | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) | 
[GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_ProtectedBy](/opengraph/extensions/githound/reference/edges/gh_protectedby) | Branch is protected by rule | +| GH_BranchProtectionRule | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_ProtectedBy](/opengraph/extensions/githound/reference/edges/gh_protectedby) | Branch is protected by rule | ## Properties diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environment.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environment.mdx index dfcb6e7..129286b 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environment.mdx +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environment.mdx @@ -13,6 +13,10 @@ Represents a GitHub Actions deployment environment configured on a repository. E ## Edges + +The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions. + + ```mermaid flowchart LR 
@@ -31,15 +35,15 @@ flowchart LR | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) | [GH_HasEnvironment](/opengraph/extensions/githound/reference/edges/gh_hasenvironment) | Branch pattern can deploy to environment | -| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) | [GH_HasEnvironment](/opengraph/extensions/githound/reference/edges/gh_hasenvironment) | Repository deploys to environment (no custom branch policy) | +| [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | GH_Environment | [GH_HasEnvironment](/opengraph/extensions/githound/reference/edges/gh_hasenvironment) | Branch pattern can deploy to environment | +| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_Environment | [GH_HasEnvironment](/opengraph/extensions/githound/reference/edges/gh_hasenvironment) | Repository deploys to environment (no custom branch policy) | ### Outbound Edges | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) | [GH_EnvironmentVariable](/opengraph/extensions/githound/reference/nodes/gh_environmentvariable) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Environment contains variable | -| [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) | [GH_EnvironmentSecret](/opengraph/extensions/githound/reference/nodes/gh_environmentsecret) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Environment contains secret | +| GH_Environment | [GH_EnvironmentVariable](/opengraph/extensions/githound/reference/nodes/gh_environmentvariable) | 
[GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Environment contains variable | +| GH_Environment | [GH_EnvironmentSecret](/opengraph/extensions/githound/reference/nodes/gh_environmentsecret) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Environment contains secret | ## Properties diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environmentsecret.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environmentsecret.mdx index 9fa2f8d..6c17eb2 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environmentsecret.mdx +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environmentsecret.mdx @@ -13,6 +13,10 @@ Represents an environment-level GitHub Actions secret. These secrets are scoped ## Edges + +The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions. + + ```mermaid flowchart LR @@ -25,7 +29,7 @@ flowchart LR | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) | [GH_EnvironmentSecret](/opengraph/extensions/githound/reference/nodes/gh_environmentsecret) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Environment contains secret | +| [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) | GH_EnvironmentSecret | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Environment contains secret | ### Outbound Edges diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environmentvariable.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environmentvariable.mdx index 6ecf700..02cc7e2 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environmentvariable.mdx 
+++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environmentvariable.mdx @@ -13,6 +13,10 @@ Represents an environment-level GitHub Actions variable. These variables are sco ## Edges + +The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions. + + ```mermaid flowchart LR @@ -25,7 +29,7 @@ flowchart LR | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) | [GH_EnvironmentVariable](/opengraph/extensions/githound/reference/nodes/gh_environmentvariable) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Environment contains variable | +| [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) | GH_EnvironmentVariable | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Environment contains variable | ### Outbound Edges diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_externalidentity.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_externalidentity.mdx index 244a617..5a34d75 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_externalidentity.mdx +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_externalidentity.mdx @@ -13,6 +13,10 @@ Represents an external identity from a SAML or SCIM identity provider that is li ## Edges + +The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions. + + ```mermaid flowchart LR 
@@ -28,14 +32,14 @@ flowchart LR | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_SamlIdentityProvider](/opengraph/extensions/githound/reference/nodes/gh_samlidentityprovider) | [GH_ExternalIdentity](/opengraph/extensions/githound/reference/nodes/gh_externalidentity) | [GH_HasExternalIdentity](/opengraph/extensions/githound/reference/edges/gh_hasexternalidentity) | IdP has external identity | +| [GH_SamlIdentityProvider](/opengraph/extensions/githound/reference/nodes/gh_samlidentityprovider) | GH_ExternalIdentity | [GH_HasExternalIdentity](/opengraph/extensions/githound/reference/edges/gh_hasexternalidentity) | IdP has external identity | ### Outbound Edges | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_ExternalIdentity](/opengraph/extensions/githound/reference/nodes/gh_externalidentity) | [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_MapsToUser](/opengraph/extensions/githound/reference/edges/gh_mapstouser) | External identity maps to a user | -| [GH_ExternalIdentity](/opengraph/extensions/githound/reference/nodes/gh_externalidentity) | [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_SyncedTo](/opengraph/extensions/githound/reference/edges/gh_syncedto) | Foreign IdP user is synced to a GitHub user | +| GH_ExternalIdentity | [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_MapsToUser](/opengraph/extensions/githound/reference/edges/gh_mapstouser) | External identity maps to a user | +| GH_ExternalIdentity | [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_SyncedTo](/opengraph/extensions/githound/reference/edges/gh_syncedto) | Foreign IdP user is synced to a GitHub user | ## Properties diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_organization.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_organization.mdx index 7b883a3..2ca3608 100644 
--- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_organization.mdx +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_organization.mdx @@ -13,6 +13,10 @@ Represents a GitHub organization. This is the root node of the graph and serves ## Edges + +The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions. + + ```mermaid flowchart LR 
@@ -49,28 +53,28 @@ flowchart LR | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_CanAccess](/opengraph/extensions/githound/reference/edges/gh_canaccess) | PAT can access org | -| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_CreateRepository](/opengraph/extensions/githound/reference/edges/gh_createrepository) | Role can create repositories in the organization | -| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_InviteMember](/opengraph/extensions/githound/reference/edges/gh_invitemember) | Role can invite members to the organization | -| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_AddCollaborator](/opengraph/extensions/githound/reference/edges/gh_addcollaborator) | Role can add outside collaborators to repositories | -| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_CreateTeam](/opengraph/extensions/githound/reference/edges/gh_createteam) | Role can create teams in the organization | -| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_TransferRepository](/opengraph/extensions/githound/reference/edges/gh_transferrepository) | Role can transfer repositories out of the organization | -| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | 
[GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_ViewSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts) | Role can view secret scanning alerts for the organization | -| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_ResolveSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_resolvesecretscanningalerts) | Role can resolve secret scanning alerts for the organization | +| [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) | GH_Organization | [GH_CanAccess](/opengraph/extensions/githound/reference/edges/gh_canaccess) | PAT can access org | +| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | GH_Organization | [GH_CreateRepository](/opengraph/extensions/githound/reference/edges/gh_createrepository) | Role can create repositories in the organization | +| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | GH_Organization | [GH_InviteMember](/opengraph/extensions/githound/reference/edges/gh_invitemember) | Role can invite members to the organization | +| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | GH_Organization | [GH_AddCollaborator](/opengraph/extensions/githound/reference/edges/gh_addcollaborator) | Role can add outside collaborators to repositories | +| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | GH_Organization | [GH_CreateTeam](/opengraph/extensions/githound/reference/edges/gh_createteam) | Role can create teams in the organization | +| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | GH_Organization | [GH_TransferRepository](/opengraph/extensions/githound/reference/edges/gh_transferrepository) | Role can transfer repositories out of the organization | +| 
[GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | GH_Organization | [GH_ViewSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts) | Role can view secret scanning alerts for the organization | +| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | GH_Organization | [GH_ResolveSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_resolvesecretscanningalerts) | Role can resolve secret scanning alerts for the organization | ### Outbound Edges | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_OrgVariable](/opengraph/extensions/githound/reference/nodes/gh_orgvariable) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains variable | -| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_SecretScanningAlert](/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains secret scanning alert | -| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains PAT | -| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains role | -| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_AppInstallation](/opengraph/extensions/githound/reference/nodes/gh_appinstallation) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains app 
installation | -| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_OrgSecret](/opengraph/extensions/githound/reference/nodes/gh_orgsecret) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains secret | -| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_SamlIdentityProvider](/opengraph/extensions/githound/reference/nodes/gh_samlidentityprovider) | [GH_HasSamlIdentityProvider](/opengraph/extensions/githound/reference/edges/gh_hassamlidentityprovider) | Org uses this SAML IdP | -| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_PersonalAccessTokenRequest](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstokenrequest) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains PAT request | -| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_Owns](/opengraph/extensions/githound/reference/edges/gh_owns) | Org owns repository | +| GH_Organization | [GH_OrgVariable](/opengraph/extensions/githound/reference/nodes/gh_orgvariable) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains variable | +| GH_Organization | [GH_SecretScanningAlert](/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains secret scanning alert | +| GH_Organization | [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains PAT | +| GH_Organization | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains role | +| 
GH_Organization | [GH_AppInstallation](/opengraph/extensions/githound/reference/nodes/gh_appinstallation) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains app installation | +| GH_Organization | [GH_OrgSecret](/opengraph/extensions/githound/reference/nodes/gh_orgsecret) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains secret | +| GH_Organization | [GH_SamlIdentityProvider](/opengraph/extensions/githound/reference/nodes/gh_samlidentityprovider) | [GH_HasSamlIdentityProvider](/opengraph/extensions/githound/reference/edges/gh_hassamlidentityprovider) | Org uses this SAML IdP | +| GH_Organization | [GH_PersonalAccessTokenRequest](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstokenrequest) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains PAT request | +| GH_Organization | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_Owns](/opengraph/extensions/githound/reference/edges/gh_owns) | Org owns repository | ## Properties diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgrole.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgrole.mdx index 301f2f5..df2ef9f 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgrole.mdx +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgrole.mdx @@ -13,6 +13,10 @@ Represents an organization-level role such as Owner, Member, or a custom organiz ## Edges + +The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions. + + ```mermaid flowchart LR 
@@ -39,24 +43,24 @@ flowchart LR | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has default org role (owners or members) | -| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains role | -| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_HasBaseRole](/opengraph/extensions/githound/reference/edges/gh_hasbaserole) | Role inherits base role | -| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has org role | -| [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | Team has org role | +| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_OrgRole | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has default org role (owners or members) | +| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_OrgRole | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains role | +| GH_OrgRole | GH_OrgRole | [GH_HasBaseRole](/opengraph/extensions/githound/reference/edges/gh_hasbaserole) | Role inherits base role | +| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_OrgRole | 
[GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has org role | +| [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | GH_OrgRole | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | Team has org role | ### Outbound Edges | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_HasBaseRole](/opengraph/extensions/githound/reference/edges/gh_hasbaserole) | Role inherits base role | -| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_CreateRepository](/opengraph/extensions/githound/reference/edges/gh_createrepository) | Role can create repositories in the organization | -| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_InviteMember](/opengraph/extensions/githound/reference/edges/gh_invitemember) | Role can invite members to the organization | -| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_AddCollaborator](/opengraph/extensions/githound/reference/edges/gh_addcollaborator) | Role can add outside collaborators to repositories | -| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_CreateTeam](/opengraph/extensions/githound/reference/edges/gh_createteam) | Role can create teams in the organization | -| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | 
[GH_TransferRepository](/opengraph/extensions/githound/reference/edges/gh_transferrepository) | Role can transfer repositories out of the organization | -| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_ViewSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts) | Role can view secret scanning alerts for the organization | -| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_ResolveSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_resolvesecretscanningalerts) | Role can resolve secret scanning alerts for the organization | +| GH_OrgRole | GH_OrgRole | [GH_HasBaseRole](/opengraph/extensions/githound/reference/edges/gh_hasbaserole) | Role inherits base role | +| GH_OrgRole | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_CreateRepository](/opengraph/extensions/githound/reference/edges/gh_createrepository) | Role can create repositories in the organization | +| GH_OrgRole | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_InviteMember](/opengraph/extensions/githound/reference/edges/gh_invitemember) | Role can invite members to the organization | +| GH_OrgRole | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_AddCollaborator](/opengraph/extensions/githound/reference/edges/gh_addcollaborator) | Role can add outside collaborators to repositories | +| GH_OrgRole | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_CreateTeam](/opengraph/extensions/githound/reference/edges/gh_createteam) | Role can create teams in the organization | +| GH_OrgRole | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | 
[GH_TransferRepository](/opengraph/extensions/githound/reference/edges/gh_transferrepository) | Role can transfer repositories out of the organization | +| GH_OrgRole | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_ViewSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts) | Role can view secret scanning alerts for the organization | +| GH_OrgRole | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_ResolveSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_resolvesecretscanningalerts) | Role can resolve secret scanning alerts for the organization | ## Properties diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgsecret.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgsecret.mdx index be45b84..c92e354 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgsecret.mdx +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgsecret.mdx @@ -13,6 +13,10 @@ Represents an organization-level GitHub Actions secret. Organization secrets can ## Edges + +The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions. + + ```mermaid flowchart LR 
@@ -27,8 +31,8 @@ flowchart LR | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_OrgSecret](/opengraph/extensions/githound/reference/nodes/gh_orgsecret) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains secret | -| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_OrgSecret](/opengraph/extensions/githound/reference/nodes/gh_orgsecret) | [GH_HasSecret](/opengraph/extensions/githound/reference/edges/gh_hassecret) | Repository can access org secret | +| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_OrgSecret | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains secret | +| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_OrgSecret | [GH_HasSecret](/opengraph/extensions/githound/reference/edges/gh_hassecret) | Repository can access org secret | ### Outbound Edges diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgvariable.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgvariable.mdx index 56e7d10..89782e0 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgvariable.mdx +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgvariable.mdx @@ -13,6 +13,10 @@ Represents an organization-level GitHub Actions variable. Organization variables ## Edges + +The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions. + + ```mermaid flowchart LR 
@@ -27,8 +31,8 @@ flowchart LR | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_OrgVariable](/opengraph/extensions/githound/reference/nodes/gh_orgvariable) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains variable | -| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_OrgVariable](/opengraph/extensions/githound/reference/nodes/gh_orgvariable) | [GH_HasVariable](/opengraph/extensions/githound/reference/edges/gh_hasvariable) | Repository can access org variable | +| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_OrgVariable | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains variable | +| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_OrgVariable | [GH_HasVariable](/opengraph/extensions/githound/reference/edges/gh_hasvariable) | Repository can access org variable | ### Outbound Edges diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken.mdx index 05e3daa..356745d 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken.mdx +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken.mdx @@ -13,6 +13,10 @@ Represents a fine-grained personal access token that has been granted access to ## Edges + +The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions. + + ```mermaid flowchart LR 
@@ -30,15 +34,15 @@ flowchart LR | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) | [GH_HasPersonalAccessToken](/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstoken) | User owns PAT | -| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains PAT | +| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_PersonalAccessToken | [GH_HasPersonalAccessToken](/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstoken) | User owns PAT | +| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_PersonalAccessToken | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains PAT | ### Outbound Edges | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_CanAccess](/opengraph/extensions/githound/reference/edges/gh_canaccess) | PAT can access org | -| [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CanAccess](/opengraph/extensions/githound/reference/edges/gh_canaccess) | PAT can access repository | +| GH_PersonalAccessToken | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_CanAccess](/opengraph/extensions/githound/reference/edges/gh_canaccess) | PAT can access org | +| GH_PersonalAccessToken 
| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CanAccess](/opengraph/extensions/githound/reference/edges/gh_canaccess) | PAT can access repository | ## Properties diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_personalaccesstokenrequest.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_personalaccesstokenrequest.mdx index f56ea1a..5cdb906 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_personalaccesstokenrequest.mdx +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_personalaccesstokenrequest.mdx @@ -13,6 +13,10 @@ Represents a pending request from an organization member to access organization ## Edges + +The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions. + + ```mermaid flowchart LR 
@@ -27,8 +31,8 @@ flowchart LR | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_PersonalAccessTokenRequest](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstokenrequest) | [GH_HasPersonalAccessTokenRequest](/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstokenrequest) | User submitted PAT request | -| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_PersonalAccessTokenRequest](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstokenrequest) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains PAT request | +| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_PersonalAccessTokenRequest | [GH_HasPersonalAccessTokenRequest](/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstokenrequest) | User submitted PAT request | +| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_PersonalAccessTokenRequest | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains PAT request | ### Outbound Edges diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_reporole.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_reporole.mdx index 70f89f1..e4ee4dc 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_reporole.mdx +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_reporole.mdx @@ -13,6 +13,10 @@ Represents a repository-level permission role. Each repository has five default ## Edges + +The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions. + + ```mermaid flowchart LR 
@@ -92,76 +96,76 @@ flowchart LR | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_HasBaseRole](/opengraph/extensions/githound/reference/edges/gh_hasbaserole) | Role inherits from base role | -| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has repo role | -| [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | Team has repo role | +| GH_RepoRole | GH_RepoRole | [GH_HasBaseRole](/opengraph/extensions/githound/reference/edges/gh_hasbaserole) | Role inherits from base role | +| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_RepoRole | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has repo role | +| [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | GH_RepoRole | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | Team has repo role | ### Outbound Edges | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ReadRepoContents](/opengraph/extensions/githound/reference/edges/gh_readrepocontents) | Role can read repo contents | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_WriteRepoContents](/opengraph/extensions/githound/reference/edges/gh_writerepocontents) | Role can 
write repo contents | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_WriteRepoPullRequests](/opengraph/extensions/githound/reference/edges/gh_writerepopullrequests) | Role can write pull requests | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_AdminTo](/opengraph/extensions/githound/reference/edges/gh_adminto) | Role has admin access to repo | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_HasBaseRole](/opengraph/extensions/githound/reference/edges/gh_hasbaserole) | Role inherits from base role | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_BypassBranchProtection](/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection) | Role can bypass branch protection rules | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_PushProtectedBranch](/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch) | Role can push to protected branches | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditRepoProtections](/opengraph/extensions/githound/reference/edges/gh_editrepoprotections) | Role can edit repository branch protection settings | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | 
[GH_ViewSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts) | Role can view secret scanning alerts |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ResolveSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_resolvesecretscanningalerts) | Role can resolve secret scanning alerts |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_DeleteAlertsCodeScanning](/opengraph/extensions/githound/reference/edges/gh_deletealertscodescanning) | Role can delete code scanning alerts |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RunOrgMigration](/opengraph/extensions/githound/reference/edges/gh_runorgmigration) | Role can run organization migrations on the repository |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageSecurityProducts](/opengraph/extensions/githound/reference/edges/gh_managesecurityproducts) | Role can manage security products for the repository |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageRepoSecurityProducts](/opengraph/extensions/githound/reference/edges/gh_managereposecurityproducts) | Role can manage repository-level security products |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageWebhooks](/opengraph/extensions/githound/reference/edges/gh_managewebhooks) | Role can manage repository webhooks |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageDeployKeys](/opengraph/extensions/githound/reference/edges/gh_managedeploykeys) | Role can manage repository deploy keys |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CanCreateBranch](/opengraph/extensions/githound/reference/edges/gh_cancreatebranch) | Role can create new branches in the repository |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) | Role can push commits to this branch |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_CanEditProtection](/opengraph/extensions/githound/reference/edges/gh_caneditprotection) | Role can modify or remove the branch protection rule governing this branch |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ReadCodeScanning](/opengraph/extensions/githound/reference/edges/gh_readcodescanning) | Role can read code scanning results |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_WriteCodeScanning](/opengraph/extensions/githound/reference/edges/gh_writecodescanning) | Role can write code scanning results |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ViewDependabotAlerts](/opengraph/extensions/githound/reference/edges/gh_viewdependabotalerts) | Role can view Dependabot alerts |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ResolveDependabotAlerts](/opengraph/extensions/githound/reference/edges/gh_resolvedependabotalerts) | Role can resolve Dependabot alerts |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageTopics](/opengraph/extensions/githound/reference/edges/gh_managetopics) | Role can manage repository topics |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageSettingsWiki](/opengraph/extensions/githound/reference/edges/gh_managesettingswiki) | Role can manage wiki settings |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageSettingsProjects](/opengraph/extensions/githound/reference/edges/gh_managesettingsprojects) | Role can manage projects settings |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageSettingsMergeTypes](/opengraph/extensions/githound/reference/edges/gh_managesettingsmergetypes) | Role can manage merge type settings |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageSettingsPages](/opengraph/extensions/githound/reference/edges/gh_managesettingspages) | Role can manage GitHub Pages settings |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditRepoMetadata](/opengraph/extensions/githound/reference/edges/gh_editrepometadata) | Role can edit repository metadata (name, description, etc.) |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_SetInteractionLimits](/opengraph/extensions/githound/reference/edges/gh_setinteractionlimits) | Role can set interaction limits on the repository |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_SetSocialPreview](/opengraph/extensions/githound/reference/edges/gh_setsocialpreview) | Role can set the repository social preview image |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditRepoAnnouncementBanners](/opengraph/extensions/githound/reference/edges/gh_editrepoannouncementbanners) | Role can edit repository announcement banners |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditRepoCustomPropertiesValues](/opengraph/extensions/githound/reference/edges/gh_editrepocustompropertiesvalues) | Role can edit custom property values on the repository |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CreateTag](/opengraph/extensions/githound/reference/edges/gh_createtag) | Role can create tags in the repository |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_DeleteTag](/opengraph/extensions/githound/reference/edges/gh_deletetag) | Role can delete tags in the repository |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_JumpMergeQueue](/opengraph/extensions/githound/reference/edges/gh_jumpmergequeue) | Role can jump the merge queue |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CreateSoloMergeQueueEntry](/opengraph/extensions/githound/reference/edges/gh_createsolomergequeueentry) | Role can create a solo merge queue entry |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_AddLabel](/opengraph/extensions/githound/reference/edges/gh_addlabel) | Role can add labels to issues and pull requests |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RemoveLabel](/opengraph/extensions/githound/reference/edges/gh_removelabel) | Role can remove labels from issues and pull requests |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CloseIssue](/opengraph/extensions/githound/reference/edges/gh_closeissue) | Role can close issues |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ReopenIssue](/opengraph/extensions/githound/reference/edges/gh_reopenissue) | Role can reopen issues |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_DeleteIssue](/opengraph/extensions/githound/reference/edges/gh_deleteissue) | Role can delete issues |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ClosePullRequest](/opengraph/extensions/githound/reference/edges/gh_closepullrequest) | Role can close pull requests |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ReopenPullRequest](/opengraph/extensions/githound/reference/edges/gh_reopenpullrequest) | Role can reopen pull requests |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_AddAssignee](/opengraph/extensions/githound/reference/edges/gh_addassignee) | Role can add assignees to issues and pull requests |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RemoveAssignee](/opengraph/extensions/githound/reference/edges/gh_removeassignee) | Role can remove assignees from issues and pull requests |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RequestPrReview](/opengraph/extensions/githound/reference/edges/gh_requestprreview) | Role can request pull request reviews |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_MarkAsDuplicate](/opengraph/extensions/githound/reference/edges/gh_markasduplicate) | Role can mark issues or pull requests as duplicates |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_SetMilestone](/opengraph/extensions/githound/reference/edges/gh_setmilestone) | Role can set milestones on issues and pull requests |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_SetIssueType](/opengraph/extensions/githound/reference/edges/gh_setissuetype) | Role can set issue types |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_DeleteDiscussion](/opengraph/extensions/githound/reference/edges/gh_deletediscussion) | Role can delete discussions |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ToggleDiscussionAnswer](/opengraph/extensions/githound/reference/edges/gh_togglediscussionanswer) | Role can toggle the accepted answer on a discussion |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ToggleDiscussionCommentMinimize](/opengraph/extensions/githound/reference/edges/gh_togglediscussioncommentminimize) | Role can minimize or un-minimize discussion comments |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CreateDiscussionCategory](/opengraph/extensions/githound/reference/edges/gh_creatediscussioncategory) | Role can create discussion categories |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditDiscussionCategory](/opengraph/extensions/githound/reference/edges/gh_editdiscussioncategory) | Role can edit discussion categories |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ConvertIssuesToDiscussions](/opengraph/extensions/githound/reference/edges/gh_convertissuestodiscussions) | Role can convert issues to discussions |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CloseDiscussion](/opengraph/extensions/githound/reference/edges/gh_closediscussion) | Role can close discussions |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ReopenDiscussion](/opengraph/extensions/githound/reference/edges/gh_reopendiscussion) | Role can reopen discussions |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditCategoryOnDiscussion](/opengraph/extensions/githound/reference/edges/gh_editcategoryondiscussion) | Role can edit the category on a discussion |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageDiscussionBadges](/opengraph/extensions/githound/reference/edges/gh_managediscussionbadges) | Role can manage discussion badges |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditDiscussionComment](/opengraph/extensions/githound/reference/edges/gh_editdiscussioncomment) | Role can edit discussion comments |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_DeleteDiscussionComment](/opengraph/extensions/githound/reference/edges/gh_deletediscussioncomment) | Role can delete discussion comments |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ReadRepoContents](/opengraph/extensions/githound/reference/edges/gh_readrepocontents) | Role can read repo contents |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_WriteRepoContents](/opengraph/extensions/githound/reference/edges/gh_writerepocontents) | Role can write repo contents |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_WriteRepoPullRequests](/opengraph/extensions/githound/reference/edges/gh_writerepopullrequests) | Role can write pull requests |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_AdminTo](/opengraph/extensions/githound/reference/edges/gh_adminto) | Role has admin access to repo |
+| GH_RepoRole | GH_RepoRole | [GH_HasBaseRole](/opengraph/extensions/githound/reference/edges/gh_hasbaserole) | Role inherits from base role |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_BypassBranchProtection](/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection) | Role can bypass branch protection rules |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_PushProtectedBranch](/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch) | Role can push to protected branches |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditRepoProtections](/opengraph/extensions/githound/reference/edges/gh_editrepoprotections) | Role can edit repository branch protection settings |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ViewSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts) | Role can view secret scanning alerts |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ResolveSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_resolvesecretscanningalerts) | Role can resolve secret scanning alerts |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_DeleteAlertsCodeScanning](/opengraph/extensions/githound/reference/edges/gh_deletealertscodescanning) | Role can delete code scanning alerts |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RunOrgMigration](/opengraph/extensions/githound/reference/edges/gh_runorgmigration) | Role can run organization migrations on the repository |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageSecurityProducts](/opengraph/extensions/githound/reference/edges/gh_managesecurityproducts) | Role can manage security products for the repository |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageRepoSecurityProducts](/opengraph/extensions/githound/reference/edges/gh_managereposecurityproducts) | Role can manage repository-level security products |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageWebhooks](/opengraph/extensions/githound/reference/edges/gh_managewebhooks) | Role can manage repository webhooks |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageDeployKeys](/opengraph/extensions/githound/reference/edges/gh_managedeploykeys) | Role can manage repository deploy keys |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CanCreateBranch](/opengraph/extensions/githound/reference/edges/gh_cancreatebranch) | Role can create new branches in the repository |
+| GH_RepoRole | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) | Role can push commits to this branch |
+| GH_RepoRole | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_CanEditProtection](/opengraph/extensions/githound/reference/edges/gh_caneditprotection) | Role can modify or remove the branch protection rule governing this branch |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ReadCodeScanning](/opengraph/extensions/githound/reference/edges/gh_readcodescanning) | Role can read code scanning results |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_WriteCodeScanning](/opengraph/extensions/githound/reference/edges/gh_writecodescanning) | Role can write code scanning results |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ViewDependabotAlerts](/opengraph/extensions/githound/reference/edges/gh_viewdependabotalerts) | Role can view Dependabot alerts |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ResolveDependabotAlerts](/opengraph/extensions/githound/reference/edges/gh_resolvedependabotalerts) | Role can resolve Dependabot alerts |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageTopics](/opengraph/extensions/githound/reference/edges/gh_managetopics) | Role can manage repository topics |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageSettingsWiki](/opengraph/extensions/githound/reference/edges/gh_managesettingswiki) | Role can manage wiki settings |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageSettingsProjects](/opengraph/extensions/githound/reference/edges/gh_managesettingsprojects) | Role can manage projects settings |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageSettingsMergeTypes](/opengraph/extensions/githound/reference/edges/gh_managesettingsmergetypes) | Role can manage merge type settings |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageSettingsPages](/opengraph/extensions/githound/reference/edges/gh_managesettingspages) | Role can manage GitHub Pages settings |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditRepoMetadata](/opengraph/extensions/githound/reference/edges/gh_editrepometadata) | Role can edit repository metadata (name, description, etc.) |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_SetInteractionLimits](/opengraph/extensions/githound/reference/edges/gh_setinteractionlimits) | Role can set interaction limits on the repository |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_SetSocialPreview](/opengraph/extensions/githound/reference/edges/gh_setsocialpreview) | Role can set the repository social preview image |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditRepoAnnouncementBanners](/opengraph/extensions/githound/reference/edges/gh_editrepoannouncementbanners) | Role can edit repository announcement banners |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditRepoCustomPropertiesValues](/opengraph/extensions/githound/reference/edges/gh_editrepocustompropertiesvalues) | Role can edit custom property values on the repository |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CreateTag](/opengraph/extensions/githound/reference/edges/gh_createtag) | Role can create tags in the repository |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_DeleteTag](/opengraph/extensions/githound/reference/edges/gh_deletetag) | Role can delete tags in the repository |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_JumpMergeQueue](/opengraph/extensions/githound/reference/edges/gh_jumpmergequeue) | Role can jump the merge queue |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CreateSoloMergeQueueEntry](/opengraph/extensions/githound/reference/edges/gh_createsolomergequeueentry) | Role can create a solo merge queue entry |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_AddLabel](/opengraph/extensions/githound/reference/edges/gh_addlabel) | Role can add labels to issues and pull requests |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RemoveLabel](/opengraph/extensions/githound/reference/edges/gh_removelabel) | Role can remove labels from issues and pull requests |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CloseIssue](/opengraph/extensions/githound/reference/edges/gh_closeissue) | Role can close issues |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ReopenIssue](/opengraph/extensions/githound/reference/edges/gh_reopenissue) | Role can reopen issues |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_DeleteIssue](/opengraph/extensions/githound/reference/edges/gh_deleteissue) | Role can delete issues |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ClosePullRequest](/opengraph/extensions/githound/reference/edges/gh_closepullrequest) | Role can close pull requests |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ReopenPullRequest](/opengraph/extensions/githound/reference/edges/gh_reopenpullrequest) | Role can reopen pull requests |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_AddAssignee](/opengraph/extensions/githound/reference/edges/gh_addassignee) | Role can add assignees to issues and pull requests |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RemoveAssignee](/opengraph/extensions/githound/reference/edges/gh_removeassignee) | Role can remove assignees from issues and pull requests |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RequestPrReview](/opengraph/extensions/githound/reference/edges/gh_requestprreview) | Role can request pull request reviews |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_MarkAsDuplicate](/opengraph/extensions/githound/reference/edges/gh_markasduplicate) | Role can mark issues or pull requests as duplicates |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_SetMilestone](/opengraph/extensions/githound/reference/edges/gh_setmilestone) | Role can set milestones on issues and pull requests |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_SetIssueType](/opengraph/extensions/githound/reference/edges/gh_setissuetype) | Role can set issue types |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_DeleteDiscussion](/opengraph/extensions/githound/reference/edges/gh_deletediscussion) | Role can delete discussions |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ToggleDiscussionAnswer](/opengraph/extensions/githound/reference/edges/gh_togglediscussionanswer) | Role can toggle the accepted answer on a discussion |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ToggleDiscussionCommentMinimize](/opengraph/extensions/githound/reference/edges/gh_togglediscussioncommentminimize) | Role can minimize or un-minimize discussion comments |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CreateDiscussionCategory](/opengraph/extensions/githound/reference/edges/gh_creatediscussioncategory) | Role can create discussion categories |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditDiscussionCategory](/opengraph/extensions/githound/reference/edges/gh_editdiscussioncategory) | Role can edit discussion categories |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ConvertIssuesToDiscussions](/opengraph/extensions/githound/reference/edges/gh_convertissuestodiscussions) | Role can convert issues to discussions |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CloseDiscussion](/opengraph/extensions/githound/reference/edges/gh_closediscussion) | Role can close discussions |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ReopenDiscussion](/opengraph/extensions/githound/reference/edges/gh_reopendiscussion) | Role can reopen discussions |
+| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditCategoryOnDiscussion](/opengraph/extensions/githound/reference/edges/gh_editcategoryondiscussion) | Role can edit the category on a discussion |
+| GH_RepoRole | 
[GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageDiscussionBadges](/opengraph/extensions/githound/reference/edges/gh_managediscussionbadges) | Role can manage discussion badges | +| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditDiscussionComment](/opengraph/extensions/githound/reference/edges/gh_editdiscussioncomment) | Role can edit discussion comments | +| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_DeleteDiscussionComment](/opengraph/extensions/githound/reference/edges/gh_deletediscussioncomment) | Role can delete discussion comments | ## Properties diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_reposecret.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_reposecret.mdx index cdec1fc..f265585 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_reposecret.mdx +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_reposecret.mdx @@ -13,6 +13,10 @@ Represents a repository-level GitHub Actions secret. These are secrets defined d ## Edges + +The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions. + + ```mermaid flowchart LR 
@@ -26,8 +30,8 @@ flowchart LR | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RepoSecret](/opengraph/extensions/githound/reference/nodes/gh_reposecret) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Repository contains secret | -| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RepoSecret](/opengraph/extensions/githound/reference/nodes/gh_reposecret) | [GH_HasSecret](/opengraph/extensions/githound/reference/edges/gh_hassecret) | Repository has access to secret | +| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_RepoSecret | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Repository contains secret | +| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_RepoSecret | [GH_HasSecret](/opengraph/extensions/githound/reference/edges/gh_hassecret) | Repository has access to secret | ### Outbound Edges diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_repository.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_repository.mdx index 2006590..9e9ff8e 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_repository.mdx +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_repository.mdx @@ -13,6 +13,10 @@ Represents a GitHub repository within the organization. Repository nodes capture ## Edges + +The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions. + + ```mermaid flowchart LR 
@@ -109,84 +113,84 @@ flowchart LR | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_AppInstallation](/opengraph/extensions/githound/reference/nodes/gh_appinstallation) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CanAccess](/opengraph/extensions/githound/reference/edges/gh_canaccess) | App installation can access repository | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ReadRepoContents](/opengraph/extensions/githound/reference/edges/gh_readrepocontents) | Role can read repo contents | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_WriteRepoContents](/opengraph/extensions/githound/reference/edges/gh_writerepocontents) | Role can write repo contents | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_WriteRepoPullRequests](/opengraph/extensions/githound/reference/edges/gh_writerepopullrequests) | Role can write pull requests | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_AdminTo](/opengraph/extensions/githound/reference/edges/gh_adminto) | Role has admin access to repo | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_BypassBranchProtection](/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection) | Role can bypass branch protection rules | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | 
[GH_PushProtectedBranch](/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch) | Role can push to protected branches | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditRepoProtections](/opengraph/extensions/githound/reference/edges/gh_editrepoprotections) | Role can edit repository branch protection settings | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ViewSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts) | Role can view secret scanning alerts | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ResolveSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_resolvesecretscanningalerts) | Role can resolve secret scanning alerts | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_DeleteAlertsCodeScanning](/opengraph/extensions/githound/reference/edges/gh_deletealertscodescanning) | Role can delete code scanning alerts | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RunOrgMigration](/opengraph/extensions/githound/reference/edges/gh_runorgmigration) | Role can run organization migrations on the repository | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageSecurityProducts](/opengraph/extensions/githound/reference/edges/gh_managesecurityproducts) | Role can manage security products for the repository | 
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageRepoSecurityProducts](/opengraph/extensions/githound/reference/edges/gh_managereposecurityproducts) | Role can manage repository-level security products | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageWebhooks](/opengraph/extensions/githound/reference/edges/gh_managewebhooks) | Role can manage repository webhooks | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageDeployKeys](/opengraph/extensions/githound/reference/edges/gh_managedeploykeys) | Role can manage repository deploy keys | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CanCreateBranch](/opengraph/extensions/githound/reference/edges/gh_cancreatebranch) | Role can create new branches in the repository | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ReadCodeScanning](/opengraph/extensions/githound/reference/edges/gh_readcodescanning) | Role can read code scanning results | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_WriteCodeScanning](/opengraph/extensions/githound/reference/edges/gh_writecodescanning) | Role can write code scanning results | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | 
[GH_ViewDependabotAlerts](/opengraph/extensions/githound/reference/edges/gh_viewdependabotalerts) | Role can view Dependabot alerts | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ResolveDependabotAlerts](/opengraph/extensions/githound/reference/edges/gh_resolvedependabotalerts) | Role can resolve Dependabot alerts | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageTopics](/opengraph/extensions/githound/reference/edges/gh_managetopics) | Role can manage repository topics | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageSettingsWiki](/opengraph/extensions/githound/reference/edges/gh_managesettingswiki) | Role can manage wiki settings | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageSettingsProjects](/opengraph/extensions/githound/reference/edges/gh_managesettingsprojects) | Role can manage projects settings | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageSettingsMergeTypes](/opengraph/extensions/githound/reference/edges/gh_managesettingsmergetypes) | Role can manage merge type settings | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageSettingsPages](/opengraph/extensions/githound/reference/edges/gh_managesettingspages) | Role can manage GitHub Pages settings | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | 
[GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditRepoMetadata](/opengraph/extensions/githound/reference/edges/gh_editrepometadata) | Role can edit repository metadata (name, description, etc.) | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_SetInteractionLimits](/opengraph/extensions/githound/reference/edges/gh_setinteractionlimits) | Role can set interaction limits on the repository | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_SetSocialPreview](/opengraph/extensions/githound/reference/edges/gh_setsocialpreview) | Role can set the repository social preview image | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditRepoAnnouncementBanners](/opengraph/extensions/githound/reference/edges/gh_editrepoannouncementbanners) | Role can edit repository announcement banners | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditRepoCustomPropertiesValues](/opengraph/extensions/githound/reference/edges/gh_editrepocustompropertiesvalues) | Role can edit custom property values on the repository | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CreateTag](/opengraph/extensions/githound/reference/edges/gh_createtag) | Role can create tags in the repository | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | 
[GH_DeleteTag](/opengraph/extensions/githound/reference/edges/gh_deletetag) | Role can delete tags in the repository | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_JumpMergeQueue](/opengraph/extensions/githound/reference/edges/gh_jumpmergequeue) | Role can jump the merge queue | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CreateSoloMergeQueueEntry](/opengraph/extensions/githound/reference/edges/gh_createsolomergequeueentry) | Role can create a solo merge queue entry | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_AddLabel](/opengraph/extensions/githound/reference/edges/gh_addlabel) | Role can add labels to issues and pull requests | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RemoveLabel](/opengraph/extensions/githound/reference/edges/gh_removelabel) | Role can remove labels from issues and pull requests | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CloseIssue](/opengraph/extensions/githound/reference/edges/gh_closeissue) | Role can close issues | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ReopenIssue](/opengraph/extensions/githound/reference/edges/gh_reopenissue) | Role can reopen issues | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | 
[GH_DeleteIssue](/opengraph/extensions/githound/reference/edges/gh_deleteissue) | Role can delete issues | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ClosePullRequest](/opengraph/extensions/githound/reference/edges/gh_closepullrequest) | Role can close pull requests | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ReopenPullRequest](/opengraph/extensions/githound/reference/edges/gh_reopenpullrequest) | Role can reopen pull requests | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_AddAssignee](/opengraph/extensions/githound/reference/edges/gh_addassignee) | Role can add assignees to issues and pull requests | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RemoveAssignee](/opengraph/extensions/githound/reference/edges/gh_removeassignee) | Role can remove assignees from issues and pull requests | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RequestPrReview](/opengraph/extensions/githound/reference/edges/gh_requestprreview) | Role can request pull request reviews | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_MarkAsDuplicate](/opengraph/extensions/githound/reference/edges/gh_markasduplicate) | Role can mark issues or pull requests as duplicates | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | 
[GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_SetMilestone](/opengraph/extensions/githound/reference/edges/gh_setmilestone) | Role can set milestones on issues and pull requests | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_SetIssueType](/opengraph/extensions/githound/reference/edges/gh_setissuetype) | Role can set issue types | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_DeleteDiscussion](/opengraph/extensions/githound/reference/edges/gh_deletediscussion) | Role can delete discussions | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ToggleDiscussionAnswer](/opengraph/extensions/githound/reference/edges/gh_togglediscussionanswer) | Role can toggle the accepted answer on a discussion | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ToggleDiscussionCommentMinimize](/opengraph/extensions/githound/reference/edges/gh_togglediscussioncommentminimize) | Role can minimize or un-minimize discussion comments | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CreateDiscussionCategory](/opengraph/extensions/githound/reference/edges/gh_creatediscussioncategory) | Role can create discussion categories | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditDiscussionCategory](/opengraph/extensions/githound/reference/edges/gh_editdiscussioncategory) | Role 
can edit discussion categories | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ConvertIssuesToDiscussions](/opengraph/extensions/githound/reference/edges/gh_convertissuestodiscussions) | Role can convert issues to discussions | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CloseDiscussion](/opengraph/extensions/githound/reference/edges/gh_closediscussion) | Role can close discussions | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ReopenDiscussion](/opengraph/extensions/githound/reference/edges/gh_reopendiscussion) | Role can reopen discussions | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditCategoryOnDiscussion](/opengraph/extensions/githound/reference/edges/gh_editcategoryondiscussion) | Role can edit the category on a discussion | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageDiscussionBadges](/opengraph/extensions/githound/reference/edges/gh_managediscussionbadges) | Role can manage discussion badges | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditDiscussionComment](/opengraph/extensions/githound/reference/edges/gh_editdiscussioncomment) | Role can edit discussion comments | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | 
[GH_DeleteDiscussionComment](/opengraph/extensions/githound/reference/edges/gh_deletediscussioncomment) | Role can delete discussion comments | -| [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CanAccess](/opengraph/extensions/githound/reference/edges/gh_canaccess) | PAT can access repository | -| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_Owns](/opengraph/extensions/githound/reference/edges/gh_owns) | Org owns repository | +| [GH_AppInstallation](/opengraph/extensions/githound/reference/nodes/gh_appinstallation) | GH_Repository | [GH_CanAccess](/opengraph/extensions/githound/reference/edges/gh_canaccess) | App installation can access repository | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ReadRepoContents](/opengraph/extensions/githound/reference/edges/gh_readrepocontents) | Role can read repo contents | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_WriteRepoContents](/opengraph/extensions/githound/reference/edges/gh_writerepocontents) | Role can write repo contents | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_WriteRepoPullRequests](/opengraph/extensions/githound/reference/edges/gh_writerepopullrequests) | Role can write pull requests | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_AdminTo](/opengraph/extensions/githound/reference/edges/gh_adminto) | Role has admin access to repo | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_BypassBranchProtection](/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection) | Role can bypass 
branch protection rules | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_PushProtectedBranch](/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch) | Role can push to protected branches | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_EditRepoProtections](/opengraph/extensions/githound/reference/edges/gh_editrepoprotections) | Role can edit repository branch protection settings | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ViewSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts) | Role can view secret scanning alerts | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ResolveSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_resolvesecretscanningalerts) | Role can resolve secret scanning alerts | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_DeleteAlertsCodeScanning](/opengraph/extensions/githound/reference/edges/gh_deletealertscodescanning) | Role can delete code scanning alerts | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_RunOrgMigration](/opengraph/extensions/githound/reference/edges/gh_runorgmigration) | Role can run organization migrations on the repository | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ManageSecurityProducts](/opengraph/extensions/githound/reference/edges/gh_managesecurityproducts) | Role can manage security products for the repository | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ManageRepoSecurityProducts](/opengraph/extensions/githound/reference/edges/gh_managereposecurityproducts) | Role can manage repository-level security products | +| 
[GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ManageWebhooks](/opengraph/extensions/githound/reference/edges/gh_managewebhooks) | Role can manage repository webhooks | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ManageDeployKeys](/opengraph/extensions/githound/reference/edges/gh_managedeploykeys) | Role can manage repository deploy keys | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_CanCreateBranch](/opengraph/extensions/githound/reference/edges/gh_cancreatebranch) | Role can create new branches in the repository | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ReadCodeScanning](/opengraph/extensions/githound/reference/edges/gh_readcodescanning) | Role can read code scanning results | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_WriteCodeScanning](/opengraph/extensions/githound/reference/edges/gh_writecodescanning) | Role can write code scanning results | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ViewDependabotAlerts](/opengraph/extensions/githound/reference/edges/gh_viewdependabotalerts) | Role can view Dependabot alerts | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ResolveDependabotAlerts](/opengraph/extensions/githound/reference/edges/gh_resolvedependabotalerts) | Role can resolve Dependabot alerts | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ManageTopics](/opengraph/extensions/githound/reference/edges/gh_managetopics) | Role can manage repository topics | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | 
[GH_ManageSettingsWiki](/opengraph/extensions/githound/reference/edges/gh_managesettingswiki) | Role can manage wiki settings | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ManageSettingsProjects](/opengraph/extensions/githound/reference/edges/gh_managesettingsprojects) | Role can manage projects settings | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ManageSettingsMergeTypes](/opengraph/extensions/githound/reference/edges/gh_managesettingsmergetypes) | Role can manage merge type settings | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ManageSettingsPages](/opengraph/extensions/githound/reference/edges/gh_managesettingspages) | Role can manage GitHub Pages settings | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_EditRepoMetadata](/opengraph/extensions/githound/reference/edges/gh_editrepometadata) | Role can edit repository metadata (name, description, etc.) 
| +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_SetInteractionLimits](/opengraph/extensions/githound/reference/edges/gh_setinteractionlimits) | Role can set interaction limits on the repository | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_SetSocialPreview](/opengraph/extensions/githound/reference/edges/gh_setsocialpreview) | Role can set the repository social preview image | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_EditRepoAnnouncementBanners](/opengraph/extensions/githound/reference/edges/gh_editrepoannouncementbanners) | Role can edit repository announcement banners | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_EditRepoCustomPropertiesValues](/opengraph/extensions/githound/reference/edges/gh_editrepocustompropertiesvalues) | Role can edit custom property values on the repository | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_CreateTag](/opengraph/extensions/githound/reference/edges/gh_createtag) | Role can create tags in the repository | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_DeleteTag](/opengraph/extensions/githound/reference/edges/gh_deletetag) | Role can delete tags in the repository | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_JumpMergeQueue](/opengraph/extensions/githound/reference/edges/gh_jumpmergequeue) | Role can jump the merge queue | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_CreateSoloMergeQueueEntry](/opengraph/extensions/githound/reference/edges/gh_createsolomergequeueentry) | Role can create a solo merge queue entry | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository 
| [GH_AddLabel](/opengraph/extensions/githound/reference/edges/gh_addlabel) | Role can add labels to issues and pull requests | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_RemoveLabel](/opengraph/extensions/githound/reference/edges/gh_removelabel) | Role can remove labels from issues and pull requests | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_CloseIssue](/opengraph/extensions/githound/reference/edges/gh_closeissue) | Role can close issues | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ReopenIssue](/opengraph/extensions/githound/reference/edges/gh_reopenissue) | Role can reopen issues | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_DeleteIssue](/opengraph/extensions/githound/reference/edges/gh_deleteissue) | Role can delete issues | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ClosePullRequest](/opengraph/extensions/githound/reference/edges/gh_closepullrequest) | Role can close pull requests | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ReopenPullRequest](/opengraph/extensions/githound/reference/edges/gh_reopenpullrequest) | Role can reopen pull requests | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_AddAssignee](/opengraph/extensions/githound/reference/edges/gh_addassignee) | Role can add assignees to issues and pull requests | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_RemoveAssignee](/opengraph/extensions/githound/reference/edges/gh_removeassignee) | Role can remove assignees from issues and pull requests | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | 
[GH_RequestPrReview](/opengraph/extensions/githound/reference/edges/gh_requestprreview) | Role can request pull request reviews | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_MarkAsDuplicate](/opengraph/extensions/githound/reference/edges/gh_markasduplicate) | Role can mark issues or pull requests as duplicates | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_SetMilestone](/opengraph/extensions/githound/reference/edges/gh_setmilestone) | Role can set milestones on issues and pull requests | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_SetIssueType](/opengraph/extensions/githound/reference/edges/gh_setissuetype) | Role can set issue types | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_DeleteDiscussion](/opengraph/extensions/githound/reference/edges/gh_deletediscussion) | Role can delete discussions | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ToggleDiscussionAnswer](/opengraph/extensions/githound/reference/edges/gh_togglediscussionanswer) | Role can toggle the accepted answer on a discussion | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ToggleDiscussionCommentMinimize](/opengraph/extensions/githound/reference/edges/gh_togglediscussioncommentminimize) | Role can minimize or un-minimize discussion comments | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_CreateDiscussionCategory](/opengraph/extensions/githound/reference/edges/gh_creatediscussioncategory) | Role can create discussion categories | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_EditDiscussionCategory](/opengraph/extensions/githound/reference/edges/gh_editdiscussioncategory) | Role 
can edit discussion categories | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ConvertIssuesToDiscussions](/opengraph/extensions/githound/reference/edges/gh_convertissuestodiscussions) | Role can convert issues to discussions | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_CloseDiscussion](/opengraph/extensions/githound/reference/edges/gh_closediscussion) | Role can close discussions | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ReopenDiscussion](/opengraph/extensions/githound/reference/edges/gh_reopendiscussion) | Role can reopen discussions | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_EditCategoryOnDiscussion](/opengraph/extensions/githound/reference/edges/gh_editcategoryondiscussion) | Role can edit the category on a discussion | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ManageDiscussionBadges](/opengraph/extensions/githound/reference/edges/gh_managediscussionbadges) | Role can manage discussion badges | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_EditDiscussionComment](/opengraph/extensions/githound/reference/edges/gh_editdiscussioncomment) | Role can edit discussion comments | +| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_DeleteDiscussionComment](/opengraph/extensions/githound/reference/edges/gh_deletediscussioncomment) | Role can delete discussion comments | +| [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) | GH_Repository | [GH_CanAccess](/opengraph/extensions/githound/reference/edges/gh_canaccess) | PAT can access repository | +| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_Repository | 
[GH_Owns](/opengraph/extensions/githound/reference/edges/gh_owns) | Org owns repository | ### Outbound Edges | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RepoSecret](/opengraph/extensions/githound/reference/nodes/gh_reposecret) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Repository contains secret | -| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RepoSecret](/opengraph/extensions/githound/reference/nodes/gh_reposecret) | [GH_HasSecret](/opengraph/extensions/githound/reference/edges/gh_hassecret) | Repository has access to secret | -| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RepoVariable](/opengraph/extensions/githound/reference/nodes/gh_repovariable) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Repository contains variable | -| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RepoVariable](/opengraph/extensions/githound/reference/nodes/gh_repovariable) | [GH_HasVariable](/opengraph/extensions/githound/reference/edges/gh_hasvariable) | Repository has access to variable | -| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_OrgVariable](/opengraph/extensions/githound/reference/nodes/gh_orgvariable) | [GH_HasVariable](/opengraph/extensions/githound/reference/edges/gh_hasvariable) | Repository can access org variable | -| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_SecretScanningAlert](/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert) | [GH_HasSecretScanningAlert](../../graph/edges/gh_hassecretscanningalert) | Repository has secret scanning alert | -| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | 
[GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Repository contains branch protection rule | -| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_OrgSecret](/opengraph/extensions/githound/reference/nodes/gh_orgsecret) | [GH_HasSecret](/opengraph/extensions/githound/reference/edges/gh_hassecret) | Repository can access org secret | -| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_HasBranch](/opengraph/extensions/githound/reference/edges/gh_hasbranch) | Repository has branch | -| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) | [GH_HasEnvironment](/opengraph/extensions/githound/reference/edges/gh_hasenvironment) | Repository deploys to environment (no custom branch policy) | -| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_Workflow](/opengraph/extensions/githound/reference/nodes/gh_workflow) | [GH_HasWorkflow](/opengraph/extensions/githound/reference/edges/gh_hasworkflow) | Repository contains workflow | +| GH_Repository | [GH_RepoSecret](/opengraph/extensions/githound/reference/nodes/gh_reposecret) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Repository contains secret | +| GH_Repository | [GH_RepoSecret](/opengraph/extensions/githound/reference/nodes/gh_reposecret) | [GH_HasSecret](/opengraph/extensions/githound/reference/edges/gh_hassecret) | Repository has access to secret | +| GH_Repository | [GH_RepoVariable](/opengraph/extensions/githound/reference/nodes/gh_repovariable) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Repository contains variable | +| GH_Repository | 
[GH_RepoVariable](/opengraph/extensions/githound/reference/nodes/gh_repovariable) | [GH_HasVariable](/opengraph/extensions/githound/reference/edges/gh_hasvariable) | Repository has access to variable | +| GH_Repository | [GH_OrgVariable](/opengraph/extensions/githound/reference/nodes/gh_orgvariable) | [GH_HasVariable](/opengraph/extensions/githound/reference/edges/gh_hasvariable) | Repository can access org variable | +| GH_Repository | [GH_SecretScanningAlert](/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert) | [GH_HasSecretScanningAlert](../../graph/edges/gh_hassecretscanningalert) | Repository has secret scanning alert | +| GH_Repository | [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Repository contains branch protection rule | +| GH_Repository | [GH_OrgSecret](/opengraph/extensions/githound/reference/nodes/gh_orgsecret) | [GH_HasSecret](/opengraph/extensions/githound/reference/edges/gh_hassecret) | Repository can access org secret | +| GH_Repository | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_HasBranch](/opengraph/extensions/githound/reference/edges/gh_hasbranch) | Repository has branch | +| GH_Repository | [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) | [GH_HasEnvironment](/opengraph/extensions/githound/reference/edges/gh_hasenvironment) | Repository deploys to environment (no custom branch policy) | +| GH_Repository | [GH_Workflow](/opengraph/extensions/githound/reference/nodes/gh_workflow) | [GH_HasWorkflow](/opengraph/extensions/githound/reference/edges/gh_hasworkflow) | Repository contains workflow | ## Properties diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_repovariable.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_repovariable.mdx index adc563a..d08a846 100644 
--- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_repovariable.mdx +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_repovariable.mdx @@ -13,6 +13,10 @@ Represents a repository-level GitHub Actions variable. These are variables defin ## Edges + +The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions. + + ```mermaid flowchart LR @@ -26,8 +30,8 @@ flowchart LR | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RepoVariable](/opengraph/extensions/githound/reference/nodes/gh_repovariable) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Repository contains variable | -| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RepoVariable](/opengraph/extensions/githound/reference/nodes/gh_repovariable) | [GH_HasVariable](/opengraph/extensions/githound/reference/edges/gh_hasvariable) | Repository has access to variable | +| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_RepoVariable | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Repository contains variable | +| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_RepoVariable | [GH_HasVariable](/opengraph/extensions/githound/reference/edges/gh_hasvariable) | Repository has access to variable | ### Outbound Edges diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_samlidentityprovider.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_samlidentityprovider.mdx index 0321be1..b7a71f0 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_samlidentityprovider.mdx 
+++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_samlidentityprovider.mdx @@ -13,6 +13,10 @@ Represents a SAML identity provider configured for the organization. This node c ## Edges + +The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions. + + ```mermaid flowchart LR @@ -27,13 +31,13 @@ flowchart LR | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_SamlIdentityProvider](/opengraph/extensions/githound/reference/nodes/gh_samlidentityprovider) | [GH_HasSamlIdentityProvider](/opengraph/extensions/githound/reference/edges/gh_hassamlidentityprovider) | Org uses this SAML IdP | +| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_SamlIdentityProvider | [GH_HasSamlIdentityProvider](/opengraph/extensions/githound/reference/edges/gh_hassamlidentityprovider) | Org uses this SAML IdP | ### Outbound Edges | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_SamlIdentityProvider](/opengraph/extensions/githound/reference/nodes/gh_samlidentityprovider) | [GH_ExternalIdentity](/opengraph/extensions/githound/reference/nodes/gh_externalidentity) | [GH_HasExternalIdentity](/opengraph/extensions/githound/reference/edges/gh_hasexternalidentity) | IdP has external identity | +| GH_SamlIdentityProvider | [GH_ExternalIdentity](/opengraph/extensions/githound/reference/nodes/gh_externalidentity) | [GH_HasExternalIdentity](/opengraph/extensions/githound/reference/edges/gh_hasexternalidentity) | IdP has external identity | ## Properties diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert.mdx index 1f77cf2..b6551e6 100644 
--- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert.mdx +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert.mdx @@ -13,6 +13,10 @@ Represents a GitHub secret scanning alert detected in a repository. Secret scann ## Edges + +The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions. + + ```mermaid flowchart LR 
@@ -29,14 +33,14 @@ flowchart LR | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_SecretScanningAlert](/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains secret scanning alert | -| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_SecretScanningAlert](/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert) | [GH_HasSecretScanningAlert](../../graph/edges/gh_hassecretscanningalert) | Repository has secret scanning alert | +| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_SecretScanningAlert | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains secret scanning alert | +| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_SecretScanningAlert | [GH_HasSecretScanningAlert](../../graph/edges/gh_hassecretscanningalert) | Repository has secret scanning alert | ### Outbound Edges | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_SecretScanningAlert](/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert) | [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_ValidToken](/opengraph/extensions/githound/reference/edges/gh_validtoken) | Alert secret is a valid PAT for this user | +| GH_SecretScanningAlert | [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_ValidToken](/opengraph/extensions/githound/reference/edges/gh_validtoken) | Alert secret is a valid PAT for this user | ## Properties diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_team.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_team.mdx index f63e2ba..71a847e 100644 
--- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_team.mdx +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_team.mdx @@ -13,6 +13,10 @@ Represents a GitHub team within the organization. Teams can have parent-child re ## Edges + +The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions. + + ```mermaid flowchart LR 
@@ -34,18 +38,18 @@ flowchart LR | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | [GH_MemberOf](/opengraph/extensions/githound/reference/edges/gh_memberof) | Team is a child of parent team | -| [GH_TeamRole](/opengraph/extensions/githound/reference/nodes/gh_teamrole) | [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | [GH_MemberOf](/opengraph/extensions/githound/reference/edges/gh_memberof) | Team role belongs to team | -| [GH_TeamRole](/opengraph/extensions/githound/reference/nodes/gh_teamrole) | [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | [GH_AddMember](/opengraph/extensions/githound/reference/edges/gh_addmember) | Maintainers role can add members to team | +| GH_Team | GH_Team | [GH_MemberOf](/opengraph/extensions/githound/reference/edges/gh_memberof) | Team is a child of parent team | +| [GH_TeamRole](/opengraph/extensions/githound/reference/nodes/gh_teamrole) | GH_Team | [GH_MemberOf](/opengraph/extensions/githound/reference/edges/gh_memberof) | Team role belongs to team | +| [GH_TeamRole](/opengraph/extensions/githound/reference/nodes/gh_teamrole) | GH_Team | [GH_AddMember](/opengraph/extensions/githound/reference/edges/gh_addmember) | Maintainers role can add members to team | ### Outbound Edges | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | Team has org role | -| [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | [GH_MemberOf](/opengraph/extensions/githound/reference/edges/gh_memberof) | Team is a child of parent team | -| 
[GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | Team has repo role | -| [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) | Team can push commits to this branch via actor-level bypass allowances | +| GH_Team | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | Team has org role | +| GH_Team | GH_Team | [GH_MemberOf](/opengraph/extensions/githound/reference/edges/gh_memberof) | Team is a child of parent team | +| GH_Team | [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | Team has repo role | +| GH_Team | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) | Team can push commits to this branch via actor-level bypass allowances | ## Properties diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_teamrole.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_teamrole.mdx index b68dd57..1877154 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_teamrole.mdx +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_teamrole.mdx @@ -13,6 +13,10 @@ Represents a role within a GitHub team. Each team has two built-in roles: Member ## Edges + +The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions. + + ```mermaid flowchart LR 
@@ -28,14 +32,14 @@ flowchart LR | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_TeamRole](/opengraph/extensions/githound/reference/nodes/gh_teamrole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has team role | +| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_TeamRole | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has team role | ### Outbound Edges | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_TeamRole](/opengraph/extensions/githound/reference/nodes/gh_teamrole) | [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | [GH_MemberOf](/opengraph/extensions/githound/reference/edges/gh_memberof) | Team role belongs to team | -| [GH_TeamRole](/opengraph/extensions/githound/reference/nodes/gh_teamrole) | [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | [GH_AddMember](/opengraph/extensions/githound/reference/edges/gh_addmember) | Maintainers role can add members to team | +| GH_TeamRole | [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | [GH_MemberOf](/opengraph/extensions/githound/reference/edges/gh_memberof) | Team role belongs to team | +| GH_TeamRole | [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | [GH_AddMember](/opengraph/extensions/githound/reference/edges/gh_addmember) | Maintainers role can add members to team | ## Properties diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_user.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_user.mdx index 898f5f8..a8907c3 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_user.mdx +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_user.mdx 
@@ -13,6 +13,10 @@ Represents a GitHub user who is a member of the organization. Users are associat ## Edges + +The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions. + + ```mermaid flowchart LR 
@@ -44,23 +48,23 @@ flowchart LR | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_SecretScanningAlert](/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert) | [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_ValidToken](/opengraph/extensions/githound/reference/edges/gh_validtoken) | Alert secret is a valid PAT for this user | -| [GH_ExternalIdentity](/opengraph/extensions/githound/reference/nodes/gh_externalidentity) | [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_MapsToUser](/opengraph/extensions/githound/reference/edges/gh_mapstouser) | External identity maps to a user | -| [GH_ExternalIdentity](/opengraph/extensions/githound/reference/nodes/gh_externalidentity) | [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_SyncedTo](/opengraph/extensions/githound/reference/edges/gh_syncedto) | Foreign IdP user is synced to a GitHub user | +| [GH_SecretScanningAlert](/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert) | GH_User | [GH_ValidToken](/opengraph/extensions/githound/reference/edges/gh_validtoken) | Alert secret is a valid PAT for this user | +| [GH_ExternalIdentity](/opengraph/extensions/githound/reference/nodes/gh_externalidentity) | GH_User | [GH_MapsToUser](/opengraph/extensions/githound/reference/edges/gh_mapstouser) | External identity maps to a user | +| [GH_ExternalIdentity](/opengraph/extensions/githound/reference/nodes/gh_externalidentity) | GH_User | [GH_SyncedTo](/opengraph/extensions/githound/reference/edges/gh_syncedto) | Foreign IdP user is synced to a GitHub user | ### Outbound Edges | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_TeamRole](/opengraph/extensions/githound/reference/nodes/gh_teamrole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has team role | -| 
[GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has default org role (owners or members) | -| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) | [GH_HasPersonalAccessToken](/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstoken) | User owns PAT | -| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has org role | -| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has repo role | -| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) | User can push commits to this branch via actor-level bypass allowances | -| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_PersonalAccessTokenRequest](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstokenrequest) | [GH_HasPersonalAccessTokenRequest](/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstokenrequest) | User submitted PAT request | -| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) | [GH_RestrictionsCanPush](/opengraph/extensions/githound/reference/edges/gh_restrictionscanpush) | Actor can push despite push restrictions | -| 
[GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) | [GH_BypassPullRequestAllowances](/opengraph/extensions/githound/reference/edges/gh_bypasspullrequestallowances) | Actor can bypass PR review requirements | +| GH_User | [GH_TeamRole](/opengraph/extensions/githound/reference/nodes/gh_teamrole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has team role | +| GH_User | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has default org role (owners or members) | +| GH_User | [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) | [GH_HasPersonalAccessToken](/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstoken) | User owns PAT | +| GH_User | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has org role | +| GH_User | [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has repo role | +| GH_User | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) | User can push commits to this branch via actor-level bypass allowances | +| GH_User | [GH_PersonalAccessTokenRequest](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstokenrequest) | [GH_HasPersonalAccessTokenRequest](/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstokenrequest) | User submitted PAT request | +| GH_User | [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) | 
[GH_RestrictionsCanPush](/opengraph/extensions/githound/reference/edges/gh_restrictionscanpush) | Actor can push despite push restrictions | +| GH_User | [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) | [GH_BypassPullRequestAllowances](/opengraph/extensions/githound/reference/edges/gh_bypasspullrequestallowances) | Actor can bypass PR review requirements | ## Properties diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_workflow.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_workflow.mdx index 9cae0dd..d4a495e 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_workflow.mdx +++ b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_workflow.mdx @@ -13,6 +13,10 @@ Represents a GitHub Actions workflow defined in a repository. Workflow nodes cap ## Edges + +The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions. + + ```mermaid flowchart LR @@ -25,7 +29,7 @@ flowchart LR | Start | End | Kind | Description | |-------|-----|------|-------------| -| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_Workflow](/opengraph/extensions/githound/reference/nodes/gh_workflow) | [GH_HasWorkflow](/opengraph/extensions/githound/reference/edges/gh_hasworkflow) | Repository contains workflow | +| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_Workflow | [GH_HasWorkflow](/opengraph/extensions/githound/reference/edges/gh_hasworkflow) | Repository contains workflow | ### Outbound Edges diff --git a/docs/og-docs-automation b/docs/og-docs-automation index e7d82db..678d767 160000 --- a/docs/og-docs-automation +++ b/docs/og-docs-automation @@ -1 +1 @@ -Subproject commit e7d82db32a71fe95bfb74e5d340331e75de64299 +Subproject commit 678d767e67b675a0bcb06a52856b903a2d9b32f9 
From 2378f9bae8378c49cb14d41c81b22ffdb4384b44 Mon Sep 17 00:00:00 2001
From: JonasBK
Date: Tue, 14 Apr 2026 19:08:33 +0200
Subject: [PATCH 04/16] add codex to gitignore
---
 .gitignore | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.gitignore b/.gitignore
index c0e85d6..da31ce0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,6 +13,9 @@ dbt_packages
 *.pem
 source
+# Codex
+.codex
+
 # Byte-compiled / optimized / DLL files
 __pycache__/
 *.py[codz]
From a8565ac8a3b04f52df192da9ebd7823e8ce18a9c Mon Sep 17 00:00:00 2001
From: JonasBK
Date: Tue, 14 Apr 2026 19:21:51 +0200
Subject: [PATCH 05/16] add description for GH_HasMember
---
 descriptions/edges/GH_HasMember.md | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 descriptions/edges/GH_HasMember.md
diff --git a/descriptions/edges/GH_HasMember.md b/descriptions/edges/GH_HasMember.md
new file mode 100644
index 0000000..40e1260
--- /dev/null
+++ b/descriptions/edges/GH_HasMember.md
@@ -0,0 +1,3 @@
+## General Information
+
+The non-traversable `GH_HasMember` edge represents the relationship between a GitHub enterprise or organization and a user who is a member of that scope. This edge records membership as directory context rather than as an access path: being listed as a member does not by itself describe what the user can do, only that the user belongs to the enterprise or organization. Membership remains security-relevant because it defines the population from which roles, team assignments, and token approvals are drawn, and it helps analysts understand who is inside the trust boundary when reviewing GitHub exposure.
From 5f05c3f406dfef156fb7ab7ff8ff16e034796c16 Mon Sep 17 00:00:00 2001
From: JonasBK Date: Tue, 14 Apr 2026 19:56:53 +0200 Subject: [PATCH 06/16] bump og-docs-automation and fix broken links --- descriptions/edges/GH_MapsToUser.md | 2 +- descriptions/nodes/GH_BranchProtectionRule.md | 2 +- .../githound/reference/gh_enterprise.png | Bin 1311 -> 0 bytes .../githound/reference/gh_enterpriserole.png | Bin 1147 -> 0 bytes .../githound/reference/gh_enterpriseteam.png | Bin 1205 -> 0 bytes .../{githound/reference => github}/gh_app.png | Bin .../gh_appinstallation.png | Bin .../reference => github}/gh_branch.png | Bin .../gh_branchprotectionrule.png | Bin .../reference => github}/gh_environment.png | Bin .../gh_environmentsecret.png | Bin .../gh_environmentvariable.png | Bin .../gh_externalidentity.png | Bin .../reference => github}/gh_organization.png | Bin .../reference => github}/gh_orgrole.png | Bin .../reference => github}/gh_orgsecret.png | Bin .../reference => github}/gh_orgvariable.png | Bin .../gh_personalaccesstoken.png | Bin .../gh_personalaccesstokenrequest.png | Bin .../reference => github}/gh_reporole.png | Bin .../reference => github}/gh_reposecret.png | Bin .../reference => github}/gh_repository.png | Bin .../reference => github}/gh_repovariable.png | Bin .../gh_samlidentityprovider.png | Bin .../gh_secretscanningalert.png | Bin .../reference => github}/gh_team.png | Bin .../reference => github}/gh_teamrole.png | Bin .../reference => github}/gh_user.png | Bin .../reference => github}/gh_workflow.png | Bin .../reference => github}/gh_workflowjob.png | Bin .../reference => github}/gh_workflowstep.png | Bin .../opengraph/extensions/githound/docs.json | 162 -------------- .../githound/reference/edges/gh_canaccess.mdx | 31 --- .../githound/reference/edges/gh_contains.mdx | 60 ------ .../edges/gh_hasexternalidentity.mdx | 25 --- .../githound/reference/edges/gh_hasrole.mdx | 36 ---- .../githound/reference/edges/gh_hassecret.mdx | 28 --- .../reference/edges/gh_hasvariable.mdx | 28 --- .../edges/gh_managereposecurityproducts.mdx | 25 
--- .../reference/edges/gh_mapstouser.mdx | 25 --- .../edges/gh_pushprotectedbranch.mdx | 25 --- .../edges/gh_resolvesecretscanningalerts.mdx | 29 --- .../githound/reference/nodes/gh_app.mdx | 46 ---- .../reference/nodes/gh_appinstallation.mdx | 53 ----- .../githound/reference/nodes/gh_branch.mdx | 62 ------ .../nodes/gh_branchprotectionrule.mdx | 84 -------- .../reference/nodes/gh_environment.mdx | 54 ----- .../reference/nodes/gh_environmentsecret.mdx | 44 ---- .../nodes/gh_environmentvariable.mdx | 44 ---- .../reference/nodes/gh_externalidentity.mdx | 50 ----- .../reference/nodes/gh_organization.mdx | 85 -------- .../githound/reference/nodes/gh_orgrole.mdx | 71 ------- .../githound/reference/nodes/gh_orgsecret.mdx | 47 ---- .../reference/nodes/gh_orgvariable.mdx | 47 ---- .../nodes/gh_personalaccesstoken.mdx | 53 ----- .../nodes/gh_personalaccesstokenrequest.mdx | 47 ---- .../githound/reference/nodes/gh_reporole.mdx | 176 --------------- .../reference/nodes/gh_reposecret.mdx | 46 ---- .../reference/nodes/gh_repository.mdx | 201 ------------------ .../reference/nodes/gh_repovariable.mdx | 46 ---- .../nodes/gh_samlidentityprovider.mdx | 48 ----- .../nodes/gh_secretscanningalert.mdx | 51 ----- .../githound/reference/nodes/gh_team.mdx | 60 ------ .../githound/reference/nodes/gh_teamrole.mdx | 50 ----- .../githound/reference/nodes/gh_user.mdx | 75 ------- .../githound/reference/nodes/gh_workflow.mdx | 44 ---- .../extensions/githound/reference/schema.mdx | 196 ----------------- .../opengraph/extensions/github/docs.json | 158 ++++++++++++++ .../edges/gh_addassignee.mdx | 13 +- .../edges/gh_addcollaborator.mdx | 13 +- .../edges/gh_addlabel.mdx | 13 +- .../edges/gh_addmember.mdx | 13 +- .../reference => github}/edges/gh_adminto.mdx | 13 +- .../edges/gh_bypassbranchprotection.mdx | 13 +- .../edges/gh_bypasspullrequestallowances.mdx | 13 +- .../edges/gh_callsworkflow.mdx | 2 +- .../extensions/github/edges/gh_canaccess.mdx | 14 ++ .../edges/gh_canassumeidentity.mdx | 2 +- 
.../edges/gh_cancreatebranch.mdx | 17 +- .../edges/gh_caneditprotection.mdx | 19 +- .../edges/gh_canpwnrequest.mdx | 10 +- .../edges/gh_canreadsecretscanningalert.mdx | 8 +- .../edges/gh_canwritebranch.mdx | 25 +-- .../edges/gh_closediscussion.mdx | 13 +- .../edges/gh_closeissue.mdx | 13 +- .../edges/gh_closepullrequest.mdx | 13 +- .../extensions/github/edges/gh_contains.mdx | 14 ++ .../edges/gh_convertissuestodiscussions.mdx | 13 +- .../edges/gh_creatediscussioncategory.mdx | 13 +- .../edges/gh_createrepository.mdx | 13 +- .../edges/gh_createsolomergequeueentry.mdx | 13 +- .../edges/gh_createtag.mdx | 13 +- .../edges/gh_createteam.mdx | 13 +- .../edges/gh_deletealertscodescanning.mdx | 13 +- .../edges/gh_deletediscussion.mdx | 13 +- .../edges/gh_deletediscussioncomment.mdx | 13 +- .../edges/gh_deleteissue.mdx | 13 +- .../edges/gh_deletetag.mdx | 13 +- .../edges/gh_dependson.mdx | 2 +- .../edges/gh_deploysto.mdx | 2 +- .../edges/gh_editcategoryondiscussion.mdx | 13 +- .../edges/gh_editdiscussioncategory.mdx | 13 +- .../edges/gh_editdiscussioncomment.mdx | 13 +- .../edges/gh_editrepoannouncementbanners.mdx | 13 +- .../gh_editrepocustompropertiesvalues.mdx | 13 +- .../edges/gh_editrepometadata.mdx | 13 +- .../edges/gh_editrepoprotections.mdx | 13 +- .../edges/gh_hasbaserole.mdx | 15 +- .../edges/gh_hasbranch.mdx | 15 +- .../edges/gh_hasenvironment.mdx | 16 +- .../github/edges/gh_hasexternalidentity.mdx | 14 ++ .../reference => github}/edges/gh_hasjob.mdx | 2 +- .../extensions/github/edges/gh_hasmember.mdx | 14 ++ .../edges/gh_haspersonalaccesstoken.mdx | 13 +- .../gh_haspersonalaccesstokenrequest.mdx | 13 +- .../extensions/github/edges/gh_hasrole.mdx | 14 ++ .../edges/gh_hassamlidentityprovider.mdx | 13 +- .../extensions/github/edges/gh_hassecret.mdx | 14 ++ .../reference => github}/edges/gh_hasstep.mdx | 2 +- .../github/edges/gh_hasvariable.mdx | 14 ++ .../edges/gh_hasworkflow.mdx | 13 +- .../edges/gh_installedas.mdx | 13 +- .../edges/gh_invitemember.mdx | 13 +- 
.../edges/gh_jumpmergequeue.mdx | 13 +- .../edges/gh_managedeploykeys.mdx | 13 +- .../edges/gh_managediscussionbadges.mdx | 13 +- .../edges/gh_manageorganizationwebhooks.mdx | 2 +- .../edges/gh_managereposecurityproducts.mdx | 14 ++ .../edges/gh_managesecurityproducts.mdx | 13 +- .../edges/gh_managesettingsmergetypes.mdx | 13 +- .../edges/gh_managesettingspages.mdx | 13 +- .../edges/gh_managesettingsprojects.mdx | 13 +- .../edges/gh_managesettingswiki.mdx | 13 +- .../edges/gh_managetopics.mdx | 13 +- .../edges/gh_managewebhooks.mdx | 13 +- .../extensions/github/edges/gh_mapstouser.mdx | 14 ++ .../edges/gh_markasduplicate.mdx | 13 +- .../edges/gh_memberof.mdx | 15 +- ...orgbypasscodescanningdismissalrequests.mdx | 2 +- ...orgbypasssecretscanningclosurerequests.mdx | 2 +- ...wandmanagesecretscanningbypassrequests.mdx | 2 +- ...andmanagesecretscanningclosurerequests.mdx | 2 +- .../reference => github}/edges/gh_owns.mdx | 13 +- .../edges/gh_protectedby.mdx | 15 +- .../github/edges/gh_pushprotectedbranch.mdx | 14 ++ .../edges/gh_readcodescanning.mdx | 13 +- ...gh_readorganizationactionsusagemetrics.mdx | 2 +- .../gh_readorganizationcustomorgrole.mdx | 2 +- .../gh_readorganizationcustomreporole.mdx | 2 +- .../edges/gh_readrepocontents.mdx | 13 +- .../edges/gh_removeassignee.mdx | 13 +- .../edges/gh_removelabel.mdx | 13 +- .../edges/gh_reopendiscussion.mdx | 13 +- .../edges/gh_reopenissue.mdx | 13 +- .../edges/gh_reopenpullrequest.mdx | 13 +- .../edges/gh_requestprreview.mdx | 13 +- .../edges/gh_resolvedependabotalerts.mdx | 13 +- .../edges/gh_resolvesecretscanningalerts.mdx | 14 ++ .../edges/gh_restrictionscanpush.mdx | 15 +- .../edges/gh_runorgmigration.mdx | 13 +- .../edges/gh_setinteractionlimits.mdx | 13 +- .../edges/gh_setissuetype.mdx | 13 +- .../edges/gh_setmilestone.mdx | 13 +- .../edges/gh_setsocialpreview.mdx | 13 +- .../edges/gh_syncedto.mdx | 13 +- .../edges/gh_togglediscussionanswer.mdx | 13 +- .../gh_togglediscussioncommentminimize.mdx | 13 +- 
.../edges/gh_transferrepository.mdx | 13 +- .../edges/gh_usessecret.mdx | 4 +- .../edges/gh_usesvariable.mdx | 4 +- .../edges/gh_validtoken.mdx | 13 +- .../edges/gh_viewdependabotalerts.mdx | 13 +- .../edges/gh_viewsecretscanningalerts.mdx | 17 +- .../edges/gh_writecodescanning.mdx | 13 +- .../gh_writeorganizationactionssecrets.mdx | 2 +- .../gh_writeorganizationactionssettings.mdx | 2 +- .../gh_writeorganizationactionsvariables.mdx | 2 +- .../gh_writeorganizationcustomorgrole.mdx | 2 +- .../gh_writeorganizationcustomreporole.mdx | 2 +- ...writeorganizationnetworkconfigurations.mdx | 2 +- .../edges/gh_writerepocontents.mdx | 15 +- .../edges/gh_writerepopullrequests.mdx | 13 +- .../extensions/github/nodes/gh_app.mdx | 13 ++ .../github/nodes/gh_appinstallation.mdx | 13 ++ .../extensions/github/nodes/gh_branch.mdx | 11 + .../github/nodes/gh_branchprotectionrule.mdx | 42 ++++ .../github/nodes/gh_environment.mdx | 11 + .../github/nodes/gh_environmentsecret.mdx | 11 + .../github/nodes/gh_environmentvariable.mdx | 11 + .../github/nodes/gh_externalidentity.mdx | 11 + .../github/nodes/gh_organization.mdx | 11 + .../extensions/github/nodes/gh_orgrole.mdx | 11 + .../extensions/github/nodes/gh_orgsecret.mdx | 11 + .../github/nodes/gh_orgvariable.mdx | 11 + .../github/nodes/gh_personalaccesstoken.mdx | 11 + .../nodes/gh_personalaccesstokenrequest.mdx | 11 + .../extensions/github/nodes/gh_reporole.mdx | 11 + .../extensions/github/nodes/gh_reposecret.mdx | 11 + .../extensions/github/nodes/gh_repository.mdx | 11 + .../github/nodes/gh_repovariable.mdx | 11 + .../github/nodes/gh_samlidentityprovider.mdx | 11 + .../github/nodes/gh_secretscanningalert.mdx | 11 + .../extensions/github/nodes/gh_team.mdx | 11 + .../extensions/github/nodes/gh_teamrole.mdx | 11 + .../extensions/github/nodes/gh_user.mdx | 11 + .../extensions/github/nodes/gh_workflow.mdx | 11 + .../nodes/gh_workflowjob.mdx | 2 +- .../nodes/gh_workflowstep.mdx | 2 +- .../privilege-zone-rules.mdx | 8 +- .../reference => 
github}/queries.mdx | 6 +- .../opengraph/extensions/github/schema.mdx | 169 +++++++++++++++ docs/og-docs-automation | 2 +- docs/og-docs.json | 2 + 213 files changed, 918 insertions(+), 3276 deletions(-) delete mode 100644 docs/official-docs/images/extensions/githound/reference/gh_enterprise.png delete mode 100644 docs/official-docs/images/extensions/githound/reference/gh_enterpriserole.png delete mode 100644 docs/official-docs/images/extensions/githound/reference/gh_enterpriseteam.png rename docs/official-docs/images/extensions/{githound/reference => github}/gh_app.png (100%) rename docs/official-docs/images/extensions/{githound/reference => github}/gh_appinstallation.png (100%) rename docs/official-docs/images/extensions/{githound/reference => github}/gh_branch.png (100%) rename docs/official-docs/images/extensions/{githound/reference => github}/gh_branchprotectionrule.png (100%) rename docs/official-docs/images/extensions/{githound/reference => github}/gh_environment.png (100%) rename docs/official-docs/images/extensions/{githound/reference => github}/gh_environmentsecret.png (100%) rename docs/official-docs/images/extensions/{githound/reference => github}/gh_environmentvariable.png (100%) rename docs/official-docs/images/extensions/{githound/reference => github}/gh_externalidentity.png (100%) rename docs/official-docs/images/extensions/{githound/reference => github}/gh_organization.png (100%) rename docs/official-docs/images/extensions/{githound/reference => github}/gh_orgrole.png (100%) rename docs/official-docs/images/extensions/{githound/reference => github}/gh_orgsecret.png (100%) rename docs/official-docs/images/extensions/{githound/reference => github}/gh_orgvariable.png (100%) rename docs/official-docs/images/extensions/{githound/reference => github}/gh_personalaccesstoken.png (100%) rename docs/official-docs/images/extensions/{githound/reference => github}/gh_personalaccesstokenrequest.png (100%) rename 
docs/official-docs/images/extensions/{githound/reference => github}/gh_reporole.png (100%) rename docs/official-docs/images/extensions/{githound/reference => github}/gh_reposecret.png (100%) rename docs/official-docs/images/extensions/{githound/reference => github}/gh_repository.png (100%) rename docs/official-docs/images/extensions/{githound/reference => github}/gh_repovariable.png (100%) rename docs/official-docs/images/extensions/{githound/reference => github}/gh_samlidentityprovider.png (100%) rename docs/official-docs/images/extensions/{githound/reference => github}/gh_secretscanningalert.png (100%) rename docs/official-docs/images/extensions/{githound/reference => github}/gh_team.png (100%) rename docs/official-docs/images/extensions/{githound/reference => github}/gh_teamrole.png (100%) rename docs/official-docs/images/extensions/{githound/reference => github}/gh_user.png (100%) rename docs/official-docs/images/extensions/{githound/reference => github}/gh_workflow.png (100%) rename docs/official-docs/images/extensions/{githound/reference => github}/gh_workflowjob.png (100%) rename docs/official-docs/images/extensions/{githound/reference => github}/gh_workflowstep.png (100%) delete mode 100644 docs/official-docs/opengraph/extensions/githound/docs.json delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canaccess.mdx delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_contains.mdx delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasexternalidentity.mdx delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasrole.mdx delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hassecret.mdx delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasvariable.mdx delete mode 100644 
docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managereposecurityproducts.mdx delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_mapstouser.mdx delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch.mdx delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/edges/gh_resolvesecretscanningalerts.mdx delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_app.mdx delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_appinstallation.mdx delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_branch.mdx delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule.mdx delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environment.mdx delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environmentsecret.mdx delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environmentvariable.mdx delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_externalidentity.mdx delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_organization.mdx delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgrole.mdx delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgsecret.mdx delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgvariable.mdx delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken.mdx delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_personalaccesstokenrequest.mdx delete mode 100644 
docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_reporole.mdx delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_reposecret.mdx delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_repository.mdx delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_repovariable.mdx delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_samlidentityprovider.mdx delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert.mdx delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_team.mdx delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_teamrole.mdx delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_user.mdx delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_workflow.mdx delete mode 100644 docs/official-docs/opengraph/extensions/githound/reference/schema.mdx create mode 100644 docs/official-docs/opengraph/extensions/github/docs.json rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_addassignee.mdx (54%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_addcollaborator.mdx (63%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_addlabel.mdx (54%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_addmember.mdx (63%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_adminto.mdx (65%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_bypassbranchprotection.mdx (66%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_bypasspullrequestallowances.mdx (66%) rename 
docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_callsworkflow.mdx (96%) create mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_canaccess.mdx rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_canassumeidentity.mdx (97%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_cancreatebranch.mdx (73%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_caneditprotection.mdx (53%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_canpwnrequest.mdx (81%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_canreadsecretscanningalert.mdx (59%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_canwritebranch.mdx (68%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_closediscussion.mdx (53%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_closeissue.mdx (51%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_closepullrequest.mdx (52%) create mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_contains.mdx rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_convertissuestodiscussions.mdx (56%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_creatediscussioncategory.mdx (53%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_createrepository.mdx (62%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_createsolomergequeueentry.mdx (64%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_createtag.mdx (55%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_createteam.mdx 
(63%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_deletealertscodescanning.mdx (62%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_deletediscussion.mdx (52%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_deletediscussioncomment.mdx (54%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_deleteissue.mdx (57%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_deletetag.mdx (55%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_dependson.mdx (95%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_deploysto.mdx (95%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_editcategoryondiscussion.mdx (55%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_editdiscussioncategory.mdx (54%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_editdiscussioncomment.mdx (53%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_editrepoannouncementbanners.mdx (54%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_editrepocustompropertiesvalues.mdx (65%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_editrepometadata.mdx (55%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_editrepoprotections.mdx (64%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_hasbaserole.mdx (56%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_hasbranch.mdx (52%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_hasenvironment.mdx (51%) create mode 100644 
docs/official-docs/opengraph/extensions/github/edges/gh_hasexternalidentity.mdx rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_hasjob.mdx (95%) create mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_hasmember.mdx rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_haspersonalaccesstoken.mdx (66%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_haspersonalaccesstokenrequest.mdx (64%) create mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_hasrole.mdx rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_hassamlidentityprovider.mdx (64%) create mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_hassecret.mdx rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_hasstep.mdx (94%) create mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_hasvariable.mdx rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_hasworkflow.mdx (62%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_installedas.mdx (64%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_invitemember.mdx (61%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_jumpmergequeue.mdx (64%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_managedeploykeys.mdx (65%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_managediscussionbadges.mdx (54%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_manageorganizationwebhooks.mdx (96%) create mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_managereposecurityproducts.mdx rename docs/official-docs/opengraph/extensions/{githound/reference => 
github}/edges/gh_managesecurityproducts.mdx (64%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_managesettingsmergetypes.mdx (54%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_managesettingspages.mdx (55%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_managesettingsprojects.mdx (53%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_managesettingswiki.mdx (52%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_managetopics.mdx (54%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_managewebhooks.mdx (64%) create mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_mapstouser.mdx rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_markasduplicate.mdx (54%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_memberof.mdx (55%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_orgbypasscodescanningdismissalrequests.mdx (96%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_orgbypasssecretscanningclosurerequests.mdx (96%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_orgreviewandmanagesecretscanningbypassrequests.mdx (96%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_orgreviewandmanagesecretscanningclosurerequests.mdx (96%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_owns.mdx (60%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_protectedby.mdx (57%) create mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_pushprotectedbranch.mdx rename docs/official-docs/opengraph/extensions/{githound/reference => 
github}/edges/gh_readcodescanning.mdx (57%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_readorganizationactionsusagemetrics.mdx (96%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_readorganizationcustomorgrole.mdx (96%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_readorganizationcustomreporole.mdx (96%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_readrepocontents.mdx (55%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_removeassignee.mdx (55%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_removelabel.mdx (54%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_reopendiscussion.mdx (53%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_reopenissue.mdx (52%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_reopenpullrequest.mdx (53%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_requestprreview.mdx (54%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_resolvedependabotalerts.mdx (57%) create mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_resolvesecretscanningalerts.mdx rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_restrictionscanpush.mdx (52%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_runorgmigration.mdx (63%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_setinteractionlimits.mdx (56%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_setissuetype.mdx (52%) rename docs/official-docs/opengraph/extensions/{githound/reference => 
github}/edges/gh_setmilestone.mdx (54%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_setsocialpreview.mdx (54%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_syncedto.mdx (67%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_togglediscussionanswer.mdx (54%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_togglediscussioncommentminimize.mdx (55%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_transferrepository.mdx (62%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_usessecret.mdx (85%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_usesvariable.mdx (84%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_validtoken.mdx (65%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_viewdependabotalerts.mdx (59%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_viewsecretscanningalerts.mdx (51%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_writecodescanning.mdx (57%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_writeorganizationactionssecrets.mdx (96%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_writeorganizationactionssettings.mdx (96%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_writeorganizationactionsvariables.mdx (96%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_writeorganizationcustomorgrole.mdx (96%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_writeorganizationcustomreporole.mdx (96%) rename 
docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_writeorganizationnetworkconfigurations.mdx (96%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_writerepocontents.mdx (55%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/edges/gh_writerepopullrequests.mdx (61%) create mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_app.mdx create mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_appinstallation.mdx create mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_branch.mdx create mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_branchprotectionrule.mdx create mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_environment.mdx create mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_environmentsecret.mdx create mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_environmentvariable.mdx create mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_externalidentity.mdx create mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_organization.mdx create mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_orgrole.mdx create mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_orgsecret.mdx create mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_orgvariable.mdx create mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_personalaccesstoken.mdx create mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_personalaccesstokenrequest.mdx create mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_reporole.mdx create mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_reposecret.mdx create mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_repository.mdx create mode 100644 
docs/official-docs/opengraph/extensions/github/nodes/gh_repovariable.mdx create mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_samlidentityprovider.mdx create mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_secretscanningalert.mdx create mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_team.mdx create mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_teamrole.mdx create mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_user.mdx create mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_workflow.mdx rename docs/official-docs/opengraph/extensions/{githound/reference => github}/nodes/gh_workflowjob.mdx (87%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/nodes/gh_workflowstep.mdx (87%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/privilege-zone-rules.mdx (92%) rename docs/official-docs/opengraph/extensions/{githound/reference => github}/queries.mdx (96%) create mode 100644 docs/official-docs/opengraph/extensions/github/schema.mdx diff --git a/descriptions/edges/GH_MapsToUser.md b/descriptions/edges/GH_MapsToUser.md index ec0d949..ad31310 100644 --- a/descriptions/edges/GH_MapsToUser.md +++ b/descriptions/edges/GH_MapsToUser.md 
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_MapsToUser` edge maps an external identity (provisioned via SAML or SCIM) to a GitHub user within the organization, or to an external IdP user (such as [AZUser](https://bloodhound.specterops.io/resources/nodes/az-user), [Okta_User](https://bloodhound.specterops.io/opengraph/extensions/oktahound/reference/nodes/okta_user), or [PingOneUser](https://github.com/andyrobbins/PingOneHound?tab=readme-ov-file#schema)) in hybrid graph scenarios. It is created by `Git-HoundGraphQlSamlProvider` for SAML-linked identities and `Git-HoundScimUser` for SCIM-provisioned identities. This edge represents identity correlation rather than an attack path, connecting a user's external IdP account to their GitHub account for visibility into federated identity mappings.
+The non-traversable `GH_MapsToUser` edge maps an external identity (provisioned via SAML or SCIM) to a GitHub user within the organization, or to an external IdP user (such as [AZUser](https://bloodhound.specterops.io/resources/nodes/az-user), [Okta_User](https://bloodhound.specterops.io/opengraph/extensions/okta/nodes/okta_user), or [PingOneUser](https://github.com/andyrobbins/PingOneHound?tab=readme-ov-file#schema)) in hybrid graph scenarios. It is created by `Git-HoundGraphQlSamlProvider` for SAML-linked identities and `Git-HoundScimUser` for SCIM-provisioned identities. This edge represents identity correlation rather than an attack path, connecting a user's external IdP account to their GitHub account for visibility into federated identity mappings.
diff --git a/descriptions/nodes/GH_BranchProtectionRule.md b/descriptions/nodes/GH_BranchProtectionRule.md
index 0841e99..7ebe199 100644
--- a/descriptions/nodes/GH_BranchProtectionRule.md
+++ b/descriptions/nodes/GH_BranchProtectionRule.md
@@ -21,7 +21,7 @@ Branch protection rules are critical security controls. Key settings to review:
 The only branch protection configuration that blocks the write-access → workflow → secrets exfiltration attack path is `push_restrictions` + `blocks_creations` on a `*` pattern rule. However, users with `GH_PushProtectedBranch`, `GH_AdminTo`, `GH_RestrictionsCanPush`, or `GH_EditRepoProtections` can bypass this control.
-For complete analysis, see [BloodHound Docs: GitHound - Mitigating Controls](https://bloodhound.specterops.io/opengraph/extensions/githound/reference/mitigating-controls).
+For complete analysis, see [BloodHound Docs: GitHound - Mitigating Controls](https://bloodhound.specterops.io/opengraph/extensions/github/mitigating-controls).
 ### Identifying Bypass Actors
diff --git a/docs/official-docs/images/extensions/githound/reference/gh_enterprise.png b/docs/official-docs/images/extensions/githound/reference/gh_enterprise.png deleted file mode 100644 index a509023f420e9c55ec7b755794c5ef696c3b551b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1311 zcmV+)1>pLLP)ZPiP!f9LGQ1W{DHn=`tlmoCR0h;O-%&7?|YH+7@#Nda&z3 zuwZfsh|n$M(uC zpX&jF9dTfnzBF(inDTyTIfK4|QB*yTqUrQ#832T3vf~JZwL!gllWl7wIL|cj6&){23XYlkTRK2h##Zd^$ zlYIJSkW{G>~!BY`yV3y{`w21ApxBo*~PDfh7B2<~4ygZ;Sbk$8iEB@z+kw>{+} zrG=MP4vM^!=AKw$?eM=Sd{H zL*ox7yE&XQ`1Qwc0ZssOK*O`ZG)QlcbGVixSSycHtIVJqMOuzvb9LVD-&~!iAu~MA%SSx>uuuK$9N7W1b_V5-v0R=mbpk7@> z)e9(^j<8JD%Hy$f1$0aR>4a+zw44!Z`dVcM;U<<>2Sx#S`tVkp-0zR?g=B6cszL>Mli%jjSK0-je+tm*XR@T3ExgOm%U9_w9An_)3$dmbmdQ`wO?%BE&UbJz zIl`aZJB$>HU$pf_vEvBtUOweT+XYu&C|jhF{xGQJh8Zc%N9TAc+`0UrxA*JF3fzbi z@JMU|hqT- zEi>P91cdvEP)ZPe>eB9LGOy{*x)?)0Ltpr=g}6k<21?Nc5~-WyR29u3X(3VDqq{;&t3{}F3r)l=H9gE0EZryWX|`Zic4$xS;qA=M zuCueVNxm@5n>X+Ge&6@|z4!b5UK8G-0B-~RK)dY$$l9J2;3wdqfw^7L4m<$tZ1~6uJgu7HCy%9p;5Up(i0%rmM2u)xViinILmDpr2vuB^@CNN74i_{{Z z06zkq0MS^K*yy08upab%o#gy7sbtFR`VF|?M8b(cXGysd3;x>chr3j+ zEnR;u#np%pO_?Mr+;Pk{<_^#w3FBym-O}i3G?$TkToqZ z19V1XQF<=*x=xaqTjtv@zB$sryR!>`+Wl5dStX#5&*|ndeFa$YA$>m#5E~tIRSq0k zxg9?&uGN*d=@^&;$S>HRNg;Ck(xL8Gz#rN!ie-!df^E2q2{I>z=b6fS%L&TP7J^ zZEGdq(S?9zIbg?!tYXOLbWg&m#HRI*4^0stn&Q{>bj81VFv`dEz#mj=nFg zq{*yCb4&T$n|=CzX{?JyZI)W`QOZi0EzMF;jpSUSBFbg9G>n3Qwxyw&?Z=w+zgQ@e zoJ%+_W?#3LY#TmgUS0r5&M!MNPFDI>XoB?mw)LG}-)67Mh1D|FV#+!eDD44|g(InC z>WKf0f^+O&TU>Q)yU7Yo*z3fbP>usxU=p}7J2K5@D{-q7^SAhk^h6w!klLj>wn63v zzip2c3q@u}rp?dElFlO~*#^*|cB@P*zSxrN+PmYX?{|FnsVxk;ZQbB|S&9;+Jv53mYc%IESg|Niq6UhjCLZoO9vLKED+5;ynNQ{>9C_Azc3 zlMSE)WSWhQ3^aBzxtp+`_X@LnAz+diLtf7Snf0Qva|G28{!@Odcomw!I5gPP1gYd^ z^+}pU)|}6LS#1X%()i`{AZPiz}S6vlsXR@lVUy981v0>@6(G&wj<0w|YMAw9q$D1l3) z=8(bxL?k%$fC_33HJ3_>dMIjpKp-{22Up60sz?#ap$!Huks9!yR4FQTVk2S4YVk&L z@k-{;VR!Advrg?epET0$?9BVVoq6xgn zR9TT~0wmxLFaY3dJI#pe(<0&1kj*CuCFh7_Zs=XV0;kMGm 
zcXaY;@2!T(0c?WEwD%Tn$8Z^knE*d9;B4_S*&Aq>xDu1S0Ys|{)GaPLw!Q@()TQVB z{?+21%SwW*x_<|TWOX50OVRRmcvSz?1#Ai0iyu^PH#*!(e3tuhjM(ROeLFBs!AF=%K z6V}rU$V!5q*0+$A1V8>U&!fK|@Ip&Bg2iTPukf$J!|ZJUML^5f?RIZf)sdYbEAd%X zOd-qo@oRcq0~DV_$vMJ1YWA}U4t#A>ruGb69*ZtO_taXU#dXWGwt-F#{)K5Uq!;w-QTycusN?{F*o00V*0=!kqI3%o-Hww? z_I`6nMd=y6u8>jBo?=njTsa>29+;Aqgzfk2ZC*O^D$hORJP>&*7bURqHt8o(oqQB6 z@95a?VzLVK1Nhpe7;&Ae^I|e@%!FZ$yrzqZQN&r)>lvU{KK*S|IPG4nf}?n - -## Edge Schema - -Traversable: ❌ - -| Start | Kind | End | -|-------|-----------|-------| -| [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) | GH_CanAccess | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | -| [GH_AppInstallation](/opengraph/extensions/githound/reference/nodes/gh_appinstallation) | GH_CanAccess | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | -| [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) | GH_CanAccess | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | - -```mermaid -flowchart LR - GH_PersonalAccessToken["fa:fa-key"]:::bhNode - GH_Organization["fa:fa-building"]:::bhNode - GH_AppInstallation["fa:fa-plug"]:::bhNode - GH_Repository["fa:fa-box-archive"]:::bhNode - GH_PersonalAccessToken -- GH_CanAccess --> GH_Organization - GH_AppInstallation -- GH_CanAccess --> GH_Repository - GH_PersonalAccessToken -- GH_CanAccess --> GH_Repository -``` - -## General Information - -The non-traversable `GH_CanAccess` edge indicates that a personal access token or app installation has been granted access to specific repositories. It is created by `Git-HoundPersonalAccessToken` and `Git-HoundPersonalAccessTokenRequest` for PATs, and by `Git-HoundAppInstallation` for app installations. 
This edge represents the scope of access granted to a token or app rather than a direct attack path, providing visibility into which repositories are reachable through non-human credentials. It is non-traversable because token and app access does not transitively extend to other principals.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_contains.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_contains.mdx
deleted file mode 100644
index 62402bf..0000000
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_contains.mdx
+++ /dev/null
@@ -1,60 +0,0 @@
----
-title: 'GH_Contains'
-description: 'Container relationship for organizational hierarchy (enterprise contains orgs, org contains secrets/variables, repo contains secrets/variables, environment contains secrets/variables)'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_Contains | [GH_RepoSecret](/opengraph/extensions/githound/reference/nodes/gh_reposecret) |
-| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_Contains | [GH_RepoVariable](/opengraph/extensions/githound/reference/nodes/gh_repovariable) |
-| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_Contains | [GH_OrgVariable](/opengraph/extensions/githound/reference/nodes/gh_orgvariable) |
-| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_Contains | [GH_SecretScanningAlert](/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert) |
-| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_Contains | [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) |
-| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_Contains | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) |
-| [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) | GH_Contains | [GH_EnvironmentVariable](/opengraph/extensions/githound/reference/nodes/gh_environmentvariable) |
-| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_Contains | [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) |
-| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_Contains |
[GH_AppInstallation](/opengraph/extensions/githound/reference/nodes/gh_appinstallation) |
-| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_Contains | [GH_OrgSecret](/opengraph/extensions/githound/reference/nodes/gh_orgsecret) |
-| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_Contains | [GH_PersonalAccessTokenRequest](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstokenrequest) |
-| [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) | GH_Contains | [GH_EnvironmentSecret](/opengraph/extensions/githound/reference/nodes/gh_environmentsecret) |
-
-```mermaid
-flowchart LR
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoSecret["fa:fa-lock"]:::bhNode
- GH_RepoVariable["fa:fa-lock-open"]:::bhNode
- GH_Organization["fa:fa-building"]:::bhNode
- GH_OrgVariable["fa:fa-lock-open"]:::bhNode
- GH_SecretScanningAlert["fa:fa-key"]:::bhNode
- GH_PersonalAccessToken["fa:fa-key"]:::bhNode
- GH_OrgRole["fa:fa-user-tie"]:::bhNode
- GH_Environment["fa:fa-leaf"]:::bhNode
- GH_EnvironmentVariable["fa:fa-lock-open"]:::bhNode
- GH_BranchProtectionRule["fa:fa-shield"]:::bhNode
- GH_AppInstallation["fa:fa-plug"]:::bhNode
- GH_OrgSecret["fa:fa-lock"]:::bhNode
- GH_PersonalAccessTokenRequest["fa:fa-key"]:::bhNode
- GH_EnvironmentSecret["fa:fa-lock"]:::bhNode
- GH_Repository -- GH_Contains --> GH_RepoSecret
- GH_Repository -- GH_Contains --> GH_RepoVariable
- GH_Organization -- GH_Contains --> GH_OrgVariable
- GH_Organization -- GH_Contains --> GH_SecretScanningAlert
- GH_Organization -- GH_Contains --> GH_PersonalAccessToken
- GH_Organization -- GH_Contains --> GH_OrgRole
- GH_Environment -- GH_Contains --> GH_EnvironmentVariable
- GH_Repository -- GH_Contains --> GH_BranchProtectionRule
- GH_Organization -- GH_Contains --> GH_AppInstallation
- GH_Organization -- GH_Contains --> GH_OrgSecret
- GH_Organization -- GH_Contains --> GH_PersonalAccessTokenRequest
-
GH_Environment -- GH_Contains --> GH_EnvironmentSecret
-```
-
-## General Information
-
-The non-traversable `GH_Contains` edge represents structural containment within the GitHub resource hierarchy. The organization serves as the top-level container for users, teams, repositories, roles, secrets, app installations, and personal access tokens. Repositories contain their own repo-level secrets, and environments contain environment-scoped secrets. This edge is created by the collector to establish the organizational hierarchy of GitHub resources and is not traversable because containment alone does not imply privilege escalation.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasexternalidentity.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasexternalidentity.mdx
deleted file mode 100644
index e451407..0000000
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasexternalidentity.mdx
+++ /dev/null
@@ -1,25 +0,0 @@
----
-title: 'GH_HasExternalIdentity'
-description: 'SAML identity provider has this external identity'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_SamlIdentityProvider](/opengraph/extensions/githound/reference/nodes/gh_samlidentityprovider) | GH_HasExternalIdentity | [GH_ExternalIdentity](/opengraph/extensions/githound/reference/nodes/gh_externalidentity) |
-
-```mermaid
-flowchart LR
- GH_SamlIdentityProvider["fa:fa-id-badge"]:::bhNode
- GH_ExternalIdentity["fa:fa-arrows-left-right"]:::bhNode
- GH_SamlIdentityProvider -- GH_HasExternalIdentity --> GH_ExternalIdentity
-```
-
-## General Information
-
-The non-traversable `GH_HasExternalIdentity` edge represents the relationship between a SAML identity provider and the external identities (SSO users) it manages. Created by `Git-HoundGraphQlSamlProvider`, this edge links each external identity to the SAML provider that authenticated it. External identities are a key component in cross-platform attack path analysis because they bridge the gap between corporate identity providers and GitHub user accounts via the [GH_MapsToUser](/opengraph/extensions/githound/reference/edges/gh_mapstouser) edge. Enumerating external identities reveals which corporate users have linked GitHub accounts and enables mapping from IdP compromise to GitHub access.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasrole.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasrole.mdx
deleted file mode 100644
index 01c1b06..0000000
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasrole.mdx
+++ /dev/null
@@ -1,36 +0,0 @@
----
-title: 'GH_HasRole'
-description: 'User or team has a role assignment (org role, team role, or repo role)'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: ✅
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_HasRole | [GH_TeamRole](/opengraph/extensions/githound/reference/nodes/gh_teamrole) |
-| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_HasRole | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) |
-| [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | GH_HasRole | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) |
-| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_HasRole | [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) |
-| [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | GH_HasRole | [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) |
-
-```mermaid
-flowchart LR
- GH_User["fa:fa-user"]:::bhNode
- GH_TeamRole["fa:fa-user-tie"]:::bhNode
- GH_OrgRole["fa:fa-user-tie"]:::bhNode
- GH_Team["fa:fa-user-group"]:::bhNode
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_User -- GH_HasRole --> GH_TeamRole
- GH_User -- GH_HasRole --> GH_OrgRole
- GH_Team -- GH_HasRole --> GH_OrgRole
- GH_User -- GH_HasRole --> GH_RepoRole
- GH_Team -- GH_HasRole --> GH_RepoRole
-```
-
-## General Information
-
-The traversable `GH_HasRole` edge represents the assignment of a user or team to a specific role within the organization, repository, or team. This is the primary edge for connecting identities to their permissions and serves as the foundation of all access paths in the GitHub permission model. It is created by `Git-HoundUser` (for org roles), `Git-HoundRepositoryRole` (for repo roles), and `Git-HoundTeam` (for team roles).
Because role assignment is the starting point for determining what a principal can do, this edge is traversable and critical for attack path analysis.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hassecret.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hassecret.mdx
deleted file mode 100644
index a81b21e..0000000
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hassecret.mdx
+++ /dev/null
@@ -1,28 +0,0 @@
----
-title: 'GH_HasSecret'
-description: 'Repository or environment has access to this secret'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: ✅
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_HasSecret | [GH_RepoSecret](/opengraph/extensions/githound/reference/nodes/gh_reposecret) |
-| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_HasSecret | [GH_OrgSecret](/opengraph/extensions/githound/reference/nodes/gh_orgsecret) |
-
-```mermaid
-flowchart LR
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoSecret["fa:fa-lock"]:::bhNode
- GH_OrgSecret["fa:fa-lock"]:::bhNode
- GH_Repository -- GH_HasSecret --> GH_RepoSecret
- GH_Repository -- GH_HasSecret --> GH_OrgSecret
-```
-
-## General Information
-
-The traversable `GH_HasSecret` edge represents the relationship between a repository or environment and the secrets accessible within that context. Created by `Git-HoundOrganizationSecret`, `Git-HoundSecret`, and `Git-HoundEnvironment`, this edge shows which secrets are available in which scopes. Repositories can have access to both organization-level secrets (scoped to selected repositories) and repository-level secrets, while environments contain their own environment-scoped secrets. This edge is traversable because any principal that can push code to a repository (via [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) or [GH_CanCreateBranch](/opengraph/extensions/githound/reference/edges/gh_cancreatebranch)) can write a workflow that exfiltrates the secret values at runtime, making this a meaningful link in attack path analysis.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasvariable.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasvariable.mdx
deleted file mode 100644
index d0f2746..0000000
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasvariable.mdx
+++ /dev/null
@@ -1,28 +0,0 @@
----
-title: 'GH_HasVariable'
-description: 'Repository has access to this variable (org-level or repo-level)'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: ✅
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_HasVariable | [GH_RepoVariable](/opengraph/extensions/githound/reference/nodes/gh_repovariable) |
-| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_HasVariable | [GH_OrgVariable](/opengraph/extensions/githound/reference/nodes/gh_orgvariable) |
-
-```mermaid
-flowchart LR
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoVariable["fa:fa-lock-open"]:::bhNode
- GH_OrgVariable["fa:fa-lock-open"]:::bhNode
- GH_Repository -- GH_HasVariable --> GH_RepoVariable
- GH_Repository -- GH_HasVariable --> GH_OrgVariable
-```
-
-## General Information
-
-The traversable `GH_HasVariable` edge represents the relationship between a repository and the variables accessible within that context. Created by `Git-HoundOrganizationSecret` and `Git-HoundVariable`, this edge shows which variables are available in which scopes. Repositories can have access to both organization-level variables (scoped by visibility to all, private, or selected repositories) and repository-level variables defined directly on the repo. This edge is traversable because any principal that can push code to a repository (via [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) or [GH_CanCreateBranch](/opengraph/extensions/githound/reference/edges/gh_cancreatebranch)) can write a workflow that reads variable values at runtime, and variables may contain configuration data useful for lateral movement such as deployment URLs, service names, or environment identifiers.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managereposecurityproducts.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managereposecurityproducts.mdx
deleted file mode 100644
index 3cd9867..0000000
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managereposecurityproducts.mdx
+++ /dev/null
@@ -1,25 +0,0 @@
----
-title: 'GH_ManageRepoSecurityProducts'
-description: 'Repo role can manage repo-level security products'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ManageRepoSecurityProducts | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_ManageRepoSecurityProducts --> GH_Repository
-```
-
-## General Information
-
-The non-traversable `GH_ManageRepoSecurityProducts` edge represents a role's ability to manage repository-specific security product settings. This permission is available to Admin roles and custom roles that have been granted this specific permission. Unlike the broader [GH_ManageSecurityProducts](/opengraph/extensions/githound/reference/edges/gh_managesecurityproducts) permission, this edge is scoped to repository-level security configuration such as repository-specific scanning settings and alert management. Disabling repository-level security products can create blind spots in vulnerability detection for the specific repository.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_mapstouser.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_mapstouser.mdx
deleted file mode 100644
index c50c87b..0000000
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_mapstouser.mdx
+++ /dev/null
@@ -1,25 +0,0 @@
----
-title: 'GH_MapsToUser'
-description: 'External identity maps to a GitHub user or identity provider user'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_ExternalIdentity](/opengraph/extensions/githound/reference/nodes/gh_externalidentity) | GH_MapsToUser | [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) |
-
-```mermaid
-flowchart LR
- GH_ExternalIdentity["fa:fa-arrows-left-right"]:::bhNode
- GH_User["fa:fa-user"]:::bhNode
- GH_ExternalIdentity -- GH_MapsToUser --> GH_User
-```
-
-## General Information
-
-The non-traversable `GH_MapsToUser` edge maps an external identity (provisioned via SAML or SCIM) to a GitHub user within the organization, or to an external IdP user (such as [AZUser](/resources/nodes/az-user), [Okta_User](/opengraph/extensions/oktahound/reference/nodes/okta_user), or [PingOneUser](https://github.com/andyrobbins/PingOneHound?tab=readme-ov-file#schema)) in hybrid graph scenarios. It is created by `Git-HoundGraphQlSamlProvider` for SAML-linked identities and `Git-HoundScimUser` for SCIM-provisioned identities. This edge represents identity correlation rather than an attack path, connecting a user's external IdP account to their GitHub account for visibility into federated identity mappings.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch.mdx
deleted file mode 100644
index dd30afd..0000000
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch.mdx
+++ /dev/null
@@ -1,25 +0,0 @@
----
-title: 'GH_PushProtectedBranch'
-description: '[Repository] Repo role can push to branches with push restrictions. Not affected by enforce_admins.'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_PushProtectedBranch | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_PushProtectedBranch --> GH_Repository
-```
-
-## General Information
-
-The non-traversable `GH_PushProtectedBranch` edge represents a role's ability to push directly to branches that are protected by push restrictions. This permission is available to Admin and Maintain roles. This edge bypasses the push gate of branch protection, allowing direct commits to protected branches without going through the pull request workflow. Unlike merge gate bypasses (such as [GH_BypassBranchProtection](/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection)), this push gate bypass is NOT suppressed by the `enforce_admins` setting on the branch protection rule, making it a particularly potent permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_resolvesecretscanningalerts.mdx b/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_resolvesecretscanningalerts.mdx
deleted file mode 100644
index 2445e04..0000000
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_resolvesecretscanningalerts.mdx
+++ /dev/null
@@ -1,29 +0,0 @@
----
-title: 'GH_ResolveSecretScanningAlerts'
-description: '[Organization] Org role can resolve secret scanning alerts'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | GH_ResolveSecretScanningAlerts | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ResolveSecretScanningAlerts | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_OrgRole["fa:fa-user-tie"]:::bhNode
- GH_Organization["fa:fa-building"]:::bhNode
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_OrgRole -- GH_ResolveSecretScanningAlerts --> GH_Organization
- GH_RepoRole -- GH_ResolveSecretScanningAlerts --> GH_Repository
-```
-
-## General Information
-
-The non-traversable `GH_ResolveSecretScanningAlerts` edge represents that a role can resolve (close) secret scanning alerts at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. Resolving a secret scanning alert marks a leaked secret as addressed, which removes it from active monitoring dashboards. An attacker with this permission could suppress alerts about leaked credentials to prevent incident response teams from detecting and rotating compromised secrets.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_app.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_app.mdx
deleted file mode 100644
index effaef4..0000000
--- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_app.mdx
+++ /dev/null
@@ -1,46 +0,0 @@
----
-title: 'GH_App'
-description: 'A GitHub App definition representing the registered application. The app owner controls the private key used to generate installation tokens.'
-icon: '/images/extensions/githound/reference/gh_app.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents a GitHub App definition — the registered application entity. The app owner holds the private key that can generate installation access tokens for **every** [GH_AppInstallation](/opengraph/extensions/githound/reference/nodes/gh_appinstallation) of this app. If the private key is compromised, all installations across all organizations are affected.
-
-App definitions are retrieved via the public `GET /apps/{app_slug}` endpoint (no authentication required) after discovering unique app slugs from the organization's app installations.
-
-
-## Edges
-
-
-The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions.
-
-
-```mermaid
-flowchart LR
-
- GH_App["fa:fa-cube"]:::bhNode
- GH_AppInstallation["fa:fa-plug"]:::bhNode
- GH_App -- GH_InstalledAs --> GH_AppInstallation
-```
-
-### Inbound Edges
-
-No incoming edges.
-
-### Outbound Edges
-
-| Start | End | Kind | Description |
-|-------|-----|------|-------------|
-| GH_App | [GH_AppInstallation](/opengraph/extensions/githound/reference/nodes/gh_appinstallation) | [GH_InstalledAs](/opengraph/extensions/githound/reference/edges/gh_installedas) | App is installed as this installation |
-
-## Properties
-
-::: openfetch_github.models.app_installation.GHAppProperties
- options:
- show_docstring_attributes: true
- inherited_members: true
- members_order: source
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_appinstallation.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_appinstallation.mdx
deleted file mode 100644
index 148a1f3..0000000
--- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_appinstallation.mdx
+++ /dev/null
@@ -1,53 +0,0 @@
----
-title: 'GH_AppInstallation'
-description: 'A GitHub App installed on the organization with specific permissions and repository access'
-icon: '/images/extensions/githound/reference/gh_appinstallation.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents a GitHub App installed on an organization. App installations have specific permissions and can be scoped to all repositories or a selection of repositories. The permissions granted to the app are captured as a JSON string in the properties.
-
-Each installation is linked to its parent [GH_App](/opengraph/extensions/githound/reference/nodes/gh_app) via a [GH_InstalledAs](/opengraph/extensions/githound/reference/edges/gh_installedas) edge. For installations with `repository_selection` set to `all`, [GH_CanAccess](/opengraph/extensions/githound/reference/edges/gh_canaccess) edges are created to every repository in the organization. For installations with `repository_selection` set to `selected`, repository-level edges cannot be enumerated with a PAT (requires app installation token authentication).
-
-
-## Edges
-
-
-The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions.
-
-
-```mermaid
-flowchart LR
-
- GH_AppInstallation["fa:fa-plug"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_Organization["fa:fa-building"]:::bhNode
- GH_App["fa:fa-cube"]:::bhNode
- GH_AppInstallation -- GH_CanAccess --> GH_Repository
- GH_Organization -- GH_Contains --> GH_AppInstallation
- GH_App -- GH_InstalledAs --> GH_AppInstallation
-```
-
-### Inbound Edges
-
-| Start | End | Kind | Description |
-|-------|-----|------|-------------|
-| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_AppInstallation | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains app installation |
-| [GH_App](/opengraph/extensions/githound/reference/nodes/gh_app) | GH_AppInstallation | [GH_InstalledAs](/opengraph/extensions/githound/reference/edges/gh_installedas) | App is installed as this installation |
-
-### Outbound Edges
-
-| Start | End | Kind | Description |
-|-------|-----|------|-------------|
-| GH_AppInstallation | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CanAccess](/opengraph/extensions/githound/reference/edges/gh_canaccess) | App installation can access repository |
-
-## Properties
-
-::: openfetch_github.models.app_installation.GHAppInstallationProperties
- options:
- show_docstring_attributes: true
- inherited_members: true
- members_order: source
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_branch.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_branch.mdx
deleted file mode 100644
index f94bad0..0000000
--- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_branch.mdx
+++ /dev/null
@@ -1,62 +0,0 @@
----
-title: 'GH_Branch'
-description: 'A named reference in a repository representing a line of development'
-icon: '/images/extensions/githound/reference/gh_branch.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents a Git branch within a repository. Branch nodes capture basic branch information and whether the branch is protected. Protection rule details are stored in separate [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) nodes, linked via [GH_ProtectedBy](/opengraph/extensions/githound/reference/edges/gh_protectedby) edges.
-
-
-## Edges
-
-
-The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions.
-
-
-```mermaid
-flowchart LR
-
- GH_Branch["fa:fa-code-branch"]:::bhNode
- GH_Environment["fa:fa-leaf"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_BranchProtectionRule["fa:fa-shield"]:::bhNode
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_User["fa:fa-user"]:::bhNode
- GH_Team["fa:fa-user-group"]:::bhNode
- GH_Branch -- GH_HasEnvironment --> GH_Environment
- GH_Repository -- GH_HasBranch --> GH_Branch
- GH_BranchProtectionRule -- GH_ProtectedBy --> GH_Branch
- GH_RepoRole -- GH_CanWriteBranch --> GH_Branch
- GH_RepoRole -- GH_CanEditProtection --> GH_Branch
- GH_User -- GH_CanWriteBranch --> GH_Branch
- GH_Team -- GH_CanWriteBranch --> GH_Branch
-```
-
-### Inbound Edges
-
-| Start | End | Kind | Description |
-|-------|-----|------|-------------|
-| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_Branch | [GH_HasBranch](/opengraph/extensions/githound/reference/edges/gh_hasbranch) | Repository has branch |
-| [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) | GH_Branch | [GH_ProtectedBy](/opengraph/extensions/githound/reference/edges/gh_protectedby) | Branch is protected by rule |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Branch | [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) | Role can push commits to this branch |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Branch | [GH_CanEditProtection](/opengraph/extensions/githound/reference/edges/gh_caneditprotection) | Role can modify or remove the branch protection rule governing this branch |
-| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_Branch | [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) | User can push commits to this branch via actor-level bypass allowances |
-| [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | GH_Branch | [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) | Team can push commits to this branch via actor-level bypass allowances |
-
-### Outbound Edges
-
-| Start | End | Kind | Description |
-|-------|-----|------|-------------|
-| GH_Branch | [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) | [GH_HasEnvironment](/opengraph/extensions/githound/reference/edges/gh_hasenvironment) | Branch pattern can deploy to environment |
-
-## Properties
-
-::: openfetch_github.models.branch.GHBranchProperties
- options:
- show_docstring_attributes: true
- inherited_members: true
- members_order: source
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule.mdx
deleted file mode 100644
index 8798201..0000000
--- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule.mdx
+++ /dev/null
@@ -1,84 +0,0 @@
----
-title: 'GH_BranchProtectionRule'
-description: 'A branch protection rule that applies to one or more branches via pattern matching'
-icon: '/images/extensions/githound/reference/gh_branchprotectionrule.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents a branch protection rule configured on a GitHub repository. Protection rules define requirements that must be met before changes can be merged to matching branches, such as required reviews, status checks, and restrictions on who can push.
-
-A single protection rule can apply to multiple branches via pattern matching (e.g., `main`, `release/*`).
-
-## Security Considerations
-
-Branch protection rules are critical security controls. Key settings to review:
-
-- **enforce_admins**: Enforces merge-gate controls (PR reviews, lock branch) for admins and users with `bypass_branch_protection`. Does **not** enforce push-gate controls (`push_restrictions`) for admins or users with `push_protected_branch`.
-- **required_pull_request_reviews**: Blocks direct pushes to existing protected branches. Bypassed by [GH_BypassBranchProtection](/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection) and [GH_BypassPullRequestAllowances](/opengraph/extensions/githound/reference/edges/gh_bypasspullrequestallowances) (both suppressed by `enforce_admins`).
-- **push_restrictions**: Restricts who can push. Bypassed by [GH_PushProtectedBranch](/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch), [GH_AdminTo](/opengraph/extensions/githound/reference/edges/gh_adminto), and [GH_RestrictionsCanPush](/opengraph/extensions/githound/reference/edges/gh_restrictionscanpush) (none suppressed by `enforce_admins`).
-- **blocks_creations**: Restricts new branch creation when `push_restrictions` is also `true`. Same bypass vectors as `push_restrictions`. Silently reverts to `false` if `push_restrictions` is disabled.
-- **lock_branch**: Makes branch read-only. Bypassed by [GH_BypassBranchProtection](/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection) (suppressed by `enforce_admins`).
-- **require_code_owner_reviews**: If `false`, changes to critical paths may not require owner approval.
-- **allows_force_pushes**: Controls whether history rewrites are allowed. Does **not** grant push access — it is not a bypass mechanism.
-- **allows_deletions**: If `true`, branches can be deleted (potentially losing code).
-
-### Secret Exfiltration Mitigation
-
-The only branch protection configuration that blocks the write-access → workflow → secrets exfiltration attack path is `push_restrictions` + `blocks_creations` on a `*` pattern rule. However, users with [GH_PushProtectedBranch](/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch), [GH_AdminTo](/opengraph/extensions/githound/reference/edges/gh_adminto), [GH_RestrictionsCanPush](/opengraph/extensions/githound/reference/edges/gh_restrictionscanpush), or [GH_EditRepoProtections](/opengraph/extensions/githound/reference/edges/gh_editrepoprotections) can bypass this control.
-
-For complete analysis, see [BloodHound Docs: GitHound - Mitigating Controls](/opengraph/extensions/githound/reference/mitigating-controls).
-
-### Identifying Bypass Actors
-
-Use these edges to identify users and teams with elevated branch permissions:
-
-- [GH_BypassPullRequestAllowances](/opengraph/extensions/githound/reference/edges/gh_bypasspullrequestallowances) — can bypass PR requirements on a specific rule (PR reviews only)
-- [GH_RestrictionsCanPush](/opengraph/extensions/githound/reference/edges/gh_restrictionscanpush) — can push despite push restrictions on a specific rule
-- [GH_BypassBranchProtection](/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection) — repo-wide bypass of merge-gate controls (PR reviews + lock branch)
-- [GH_PushProtectedBranch](/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch) — repo-wide bypass of push-gate controls (push restrictions + blocks creations)
-- [GH_EditRepoProtections](/opengraph/extensions/githound/reference/edges/gh_editrepoprotections) — can remove/modify protection rules entirely
-
-
-## Edges
-
-
-The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions.
-
-
-```mermaid
-flowchart LR
-
- GH_BranchProtectionRule["fa:fa-shield"]:::bhNode
- GH_Branch["fa:fa-code-branch"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_User["fa:fa-user"]:::bhNode
- GH_BranchProtectionRule -- GH_ProtectedBy --> GH_Branch
- GH_Repository -- GH_Contains --> GH_BranchProtectionRule
- GH_User -- GH_RestrictionsCanPush --> GH_BranchProtectionRule
- GH_User -- GH_BypassPullRequestAllowances --> GH_BranchProtectionRule
-```
-
-### Inbound Edges
-
-| Start | End | Kind | Description |
-|-------|-----|------|-------------|
-| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_BranchProtectionRule | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Repository contains branch protection rule |
-| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_BranchProtectionRule | [GH_RestrictionsCanPush](/opengraph/extensions/githound/reference/edges/gh_restrictionscanpush) | Actor can push despite push restrictions |
-| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_BranchProtectionRule | [GH_BypassPullRequestAllowances](/opengraph/extensions/githound/reference/edges/gh_bypasspullrequestallowances) | Actor can bypass PR review requirements |
-
-### Outbound Edges
-
-| Start | End | Kind | Description |
-|-------|-----|------|-------------|
-| GH_BranchProtectionRule | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_ProtectedBy](/opengraph/extensions/githound/reference/edges/gh_protectedby) | Branch is protected by rule |
-
-## Properties
-
-::: openfetch_github.models.branch_protection_rule.GHBranchProtectionRuleProperties
- options:
- show_docstring_attributes: true
- inherited_members: true
- members_order: source
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environment.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environment.mdx
deleted file mode 100644
index 129286b..0000000
--- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environment.mdx
+++ /dev/null
@@ -1,54 +0,0 @@
----
-title: 'GH_Environment'
-description: 'A GitHub Actions deployment environment with protection rules and deployment branch policies'
-icon: '/images/extensions/githound/reference/gh_environment.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents a GitHub Actions deployment environment configured on a repository. Environments can have protection rules including required reviewers, wait timers, and deployment branch policies. When custom branch policies are configured, the environment is connected to specific branches; otherwise, it is connected directly to the repository.
-
-
-## Edges
-
-
-The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions.
-
-
-```mermaid
-flowchart LR
-
- GH_Environment["fa:fa-leaf"]:::bhNode
- GH_EnvironmentVariable["fa:fa-lock-open"]:::bhNode
- GH_EnvironmentSecret["fa:fa-lock"]:::bhNode
- GH_Branch["fa:fa-code-branch"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_Environment -- GH_Contains --> GH_EnvironmentVariable
- GH_Environment -- GH_Contains --> GH_EnvironmentSecret
- GH_Branch -- GH_HasEnvironment --> GH_Environment
- GH_Repository -- GH_HasEnvironment --> GH_Environment
-```
-
-### Inbound Edges
-
-| Start | End | Kind | Description |
-|-------|-----|------|-------------|
-| [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | GH_Environment | [GH_HasEnvironment](/opengraph/extensions/githound/reference/edges/gh_hasenvironment) | Branch pattern can deploy to environment |
-| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_Environment | [GH_HasEnvironment](/opengraph/extensions/githound/reference/edges/gh_hasenvironment) | Repository deploys to environment (no custom branch policy) |
-
-### Outbound Edges
-
-| Start | End | Kind | Description |
-|-------|-----|------|-------------|
-| GH_Environment | [GH_EnvironmentVariable](/opengraph/extensions/githound/reference/nodes/gh_environmentvariable) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Environment contains variable |
-| GH_Environment | [GH_EnvironmentSecret](/opengraph/extensions/githound/reference/nodes/gh_environmentsecret) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Environment contains secret |
-
-## Properties
-
-::: openfetch_github.models.environment.GHEnvironmentProperties
- options:
- show_docstring_attributes: true
- inherited_members: true
- members_order: source
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environmentsecret.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environmentsecret.mdx
deleted file mode 100644
index 6c17eb2..0000000
--- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environmentsecret.mdx
+++ /dev/null
@@ -1,44 +0,0 @@
----
-title: 'GH_EnvironmentSecret'
-description: 'An environment-level GitHub Actions secret scoped to a specific deployment environment'
-icon: '/images/extensions/githound/reference/gh_environmentsecret.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents an environment-level GitHub Actions secret. These secrets are scoped to a specific deployment environment and are only available to workflow jobs that reference that environment.
-
-
-## Edges
-
-
-The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions.
-
-
-```mermaid
-flowchart LR
-
- GH_EnvironmentSecret["fa:fa-lock"]:::bhNode
- GH_Environment["fa:fa-leaf"]:::bhNode
- GH_Environment -- GH_Contains --> GH_EnvironmentSecret
-```
-
-### Inbound Edges
-
-| Start | End | Kind | Description |
-|-------|-----|------|-------------|
-| [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) | GH_EnvironmentSecret | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Environment contains secret |
-
-### Outbound Edges
-
-No outgoing edges.
-
-## Properties
-
-::: openfetch_github.models.env_secret.GHEnvironmentSecretProperties
- options:
- show_docstring_attributes: true
- inherited_members: true
- members_order: source
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environmentvariable.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environmentvariable.mdx
deleted file mode 100644
index 02cc7e2..0000000
--- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_environmentvariable.mdx
+++ /dev/null
@@ -1,44 +0,0 @@
----
-title: 'GH_EnvironmentVariable'
-description: 'An environment-level GitHub Actions variable scoped to a specific deployment environment. Unlike secrets, variable values are readable.'
-icon: '/images/extensions/githound/reference/gh_environmentvariable.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents an environment-level GitHub Actions variable. These variables are scoped to a specific deployment environment and are only available to workflow jobs that reference that environment. Unlike secrets, variable values are readable via the API.
-
-
-## Edges
-
-
-The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions.
-
-
-```mermaid
-flowchart LR
-
- GH_EnvironmentVariable["fa:fa-lock-open"]:::bhNode
- GH_Environment["fa:fa-leaf"]:::bhNode
- GH_Environment -- GH_Contains --> GH_EnvironmentVariable
-```
-
-### Inbound Edges
-
-| Start | End | Kind | Description |
-|-------|-----|------|-------------|
-| [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) | GH_EnvironmentVariable | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Environment contains variable |
-
-### Outbound Edges
-
-No outgoing edges.
-
-## Properties
-
-::: openfetch_github.models.env_variable.GHEnvVariableProperties
- options:
- show_docstring_attributes: true
- inherited_members: true
- members_order: source
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_externalidentity.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_externalidentity.mdx
deleted file mode 100644
index 5a34d75..0000000
--- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_externalidentity.mdx
+++ /dev/null
@@ -1,50 +0,0 @@
----
-title: 'GH_ExternalIdentity'
-description: 'An external identity from a SAML/SCIM provider linked to a GitHub user for SSO authentication'
-icon: '/images/extensions/githound/reference/gh_externalidentity.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents an external identity from a SAML or SCIM identity provider that is linked to a GitHub user. External identities map corporate user accounts (from providers like Okta, Azure AD, etc.) to GitHub user accounts, enabling single sign-on authentication. Each external identity can have both SAML and SCIM identity attributes.
-
-
-## Edges
-
-
-The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions.
-
-
-```mermaid
-flowchart LR
-
- GH_ExternalIdentity["fa:fa-arrows-left-right"]:::bhNode
- GH_User["fa:fa-user"]:::bhNode
- GH_SamlIdentityProvider["fa:fa-id-badge"]:::bhNode
- GH_ExternalIdentity -- GH_MapsToUser --> GH_User
- GH_ExternalIdentity -- GH_SyncedTo --> GH_User
- GH_SamlIdentityProvider -- GH_HasExternalIdentity --> GH_ExternalIdentity
-```
-
-### Inbound Edges
-
-| Start | End | Kind | Description |
-|-------|-----|------|-------------|
-| [GH_SamlIdentityProvider](/opengraph/extensions/githound/reference/nodes/gh_samlidentityprovider) | GH_ExternalIdentity | [GH_HasExternalIdentity](/opengraph/extensions/githound/reference/edges/gh_hasexternalidentity) | IdP has external identity |
-
-### Outbound Edges
-
-| Start | End | Kind | Description |
-|-------|-----|------|-------------|
-| GH_ExternalIdentity | [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_MapsToUser](/opengraph/extensions/githound/reference/edges/gh_mapstouser) | External identity maps to a user |
-| GH_ExternalIdentity | [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_SyncedTo](/opengraph/extensions/githound/reference/edges/gh_syncedto) | Foreign IdP user is synced to a GitHub user |
-
-## Properties
-
-::: openfetch_github.models.external_identity.GHExternalIdentityProperties
- options:
- show_docstring_attributes: true
- inherited_members: true
- members_order: source
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_organization.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_organization.mdx
deleted file mode 100644
index 2ca3608..0000000
--- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_organization.mdx
+++ /dev/null
@@ -1,85 +0,0 @@
----
-title: 'GH_Organization'
-description: 'A GitHub Organization—top-level container for repositories, teams, and settings'
-icon: '/images/extensions/githound/reference/gh_organization.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents a GitHub organization. This is the root node of the graph and serves as the primary container for all other nodes. Organization-level settings such as default repository permissions, Actions configuration, and security features are captured as properties on this node.
-
-
-## Edges
-
-
-The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions.
-
-
-```mermaid
-flowchart LR
-
- GH_Organization["fa:fa-building"]:::bhNode
- GH_OrgVariable["fa:fa-lock-open"]:::bhNode
- GH_SecretScanningAlert["fa:fa-key"]:::bhNode
- GH_PersonalAccessToken["fa:fa-key"]:::bhNode
- GH_OrgRole["fa:fa-user-tie"]:::bhNode
- GH_AppInstallation["fa:fa-plug"]:::bhNode
- GH_OrgSecret["fa:fa-lock"]:::bhNode
- GH_SamlIdentityProvider["fa:fa-id-badge"]:::bhNode
- GH_PersonalAccessTokenRequest["fa:fa-key"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_Organization -- GH_Contains --> GH_OrgVariable
- GH_Organization -- GH_Contains --> GH_SecretScanningAlert
- GH_Organization -- GH_Contains --> GH_PersonalAccessToken
- GH_Organization -- GH_Contains --> GH_OrgRole
- GH_Organization -- GH_Contains --> GH_AppInstallation
- GH_Organization -- GH_Contains --> GH_OrgSecret
- GH_Organization -- GH_HasSamlIdentityProvider --> GH_SamlIdentityProvider
- GH_Organization -- GH_Contains --> GH_PersonalAccessTokenRequest
- GH_Organization -- GH_Owns --> GH_Repository
- GH_PersonalAccessToken -- GH_CanAccess --> GH_Organization
- GH_OrgRole -- GH_CreateRepository --> GH_Organization
- GH_OrgRole -- GH_InviteMember --> GH_Organization
- GH_OrgRole -- GH_AddCollaborator --> GH_Organization
- GH_OrgRole -- GH_CreateTeam --> GH_Organization
- GH_OrgRole -- GH_TransferRepository --> GH_Organization
- GH_OrgRole -- GH_ViewSecretScanningAlerts --> GH_Organization
- GH_OrgRole -- GH_ResolveSecretScanningAlerts --> GH_Organization
-```
-
-### Inbound Edges
-
-| Start | End | Kind | Description |
-|-------|-----|------|-------------|
-| [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) | GH_Organization | [GH_CanAccess](/opengraph/extensions/githound/reference/edges/gh_canaccess) | PAT can access org |
-| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | GH_Organization | [GH_CreateRepository](/opengraph/extensions/githound/reference/edges/gh_createrepository) | Role can create repositories in the organization |
-| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | GH_Organization | [GH_InviteMember](/opengraph/extensions/githound/reference/edges/gh_invitemember) | Role can invite members to the organization |
-| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | GH_Organization | [GH_AddCollaborator](/opengraph/extensions/githound/reference/edges/gh_addcollaborator) | Role can add outside collaborators to repositories |
-| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | GH_Organization | [GH_CreateTeam](/opengraph/extensions/githound/reference/edges/gh_createteam) | Role can create teams in the organization |
-| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | GH_Organization | [GH_TransferRepository](/opengraph/extensions/githound/reference/edges/gh_transferrepository) | Role can transfer repositories out of the organization |
-| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | GH_Organization | [GH_ViewSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts) | Role can view secret scanning alerts for the organization |
-| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | GH_Organization | [GH_ResolveSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_resolvesecretscanningalerts) | Role can resolve secret scanning alerts for the organization |
-
-### Outbound Edges
-
-| Start | End | Kind | Description |
-|-------|-----|------|-------------|
-| GH_Organization | [GH_OrgVariable](/opengraph/extensions/githound/reference/nodes/gh_orgvariable) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains variable |
-| GH_Organization | [GH_SecretScanningAlert](/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains secret scanning alert |
-| GH_Organization | [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains PAT |
-| GH_Organization | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains role |
-| GH_Organization | [GH_AppInstallation](/opengraph/extensions/githound/reference/nodes/gh_appinstallation) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains app installation |
-| GH_Organization | [GH_OrgSecret](/opengraph/extensions/githound/reference/nodes/gh_orgsecret) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains secret |
-| GH_Organization | [GH_SamlIdentityProvider](/opengraph/extensions/githound/reference/nodes/gh_samlidentityprovider) | [GH_HasSamlIdentityProvider](/opengraph/extensions/githound/reference/edges/gh_hassamlidentityprovider) | Org uses this SAML IdP |
-| GH_Organization | [GH_PersonalAccessTokenRequest](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstokenrequest) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains PAT request |
-| GH_Organization | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_Owns](/opengraph/extensions/githound/reference/edges/gh_owns) | Org owns repository |
-
-## Properties
-
-::: openfetch_github.models.org.GHOrganizationProperties
- options:
- show_docstring_attributes: true
- inherited_members: true
- members_order: source
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgrole.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgrole.mdx
deleted file mode 100644
index df2ef9f..0000000
--- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgrole.mdx
+++ /dev/null
@@ -1,71 +0,0 @@
----
-title: 'GH_OrgRole'
-description: 'The role a user has at the organization level (e.g., admin, member)'
-icon: '/images/extensions/githound/reference/gh_orgrole.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents an organization-level role such as Owner, Member, or a custom organization role. Org roles define what permissions a user or team has at the organization level. The Owner and Member roles are default (built-in), while custom roles inherit from a base role and can have additional permissions.
-
-
-## Edges
-
-
-The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions.
-
-
-```mermaid
-flowchart LR
-
- GH_OrgRole["fa:fa-user-tie"]:::bhNode
- GH_Organization["fa:fa-building"]:::bhNode
- GH_User["fa:fa-user"]:::bhNode
- GH_Team["fa:fa-user-group"]:::bhNode
- GH_OrgRole -- GH_HasBaseRole --> GH_OrgRole
- GH_OrgRole -- GH_CreateRepository --> GH_Organization
- GH_OrgRole -- GH_InviteMember --> GH_Organization
- GH_OrgRole -- GH_AddCollaborator --> GH_Organization
- GH_OrgRole -- GH_CreateTeam --> GH_Organization
- GH_OrgRole -- GH_TransferRepository --> GH_Organization
- GH_OrgRole -- GH_ViewSecretScanningAlerts --> GH_Organization
- GH_OrgRole -- GH_ResolveSecretScanningAlerts --> GH_Organization
- GH_User -- GH_HasRole --> GH_OrgRole
- GH_Organization -- GH_Contains --> GH_OrgRole
- GH_OrgRole -- GH_HasBaseRole --> GH_OrgRole
- GH_User -- GH_HasRole --> GH_OrgRole
- GH_Team -- GH_HasRole --> GH_OrgRole
-```
-
-### Inbound Edges
-
-| Start | End | Kind | Description |
-|-------|-----|------|-------------|
-| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_OrgRole | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has default org role (owners or members) |
-| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_OrgRole | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains role |
-| GH_OrgRole | GH_OrgRole | [GH_HasBaseRole](/opengraph/extensions/githound/reference/edges/gh_hasbaserole) | Role inherits base role |
-| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_OrgRole | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has org role |
-| [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | GH_OrgRole | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | Team has org role |
-
-### Outbound Edges
-
-| Start | End | Kind | Description |
-|-------|-----|------|-------------|
-| GH_OrgRole | GH_OrgRole | [GH_HasBaseRole](/opengraph/extensions/githound/reference/edges/gh_hasbaserole) | Role inherits base role |
-| GH_OrgRole | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_CreateRepository](/opengraph/extensions/githound/reference/edges/gh_createrepository) | Role can create repositories in the organization |
-| GH_OrgRole | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_InviteMember](/opengraph/extensions/githound/reference/edges/gh_invitemember) | Role can invite members to the organization |
-| GH_OrgRole | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_AddCollaborator](/opengraph/extensions/githound/reference/edges/gh_addcollaborator) | Role can add outside collaborators to repositories |
-| GH_OrgRole | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_CreateTeam](/opengraph/extensions/githound/reference/edges/gh_createteam) | Role can create teams in the organization |
-| GH_OrgRole | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_TransferRepository](/opengraph/extensions/githound/reference/edges/gh_transferrepository) | Role can transfer repositories out of the organization |
-| GH_OrgRole | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_ViewSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts) | Role can view secret scanning alerts for the organization |
-| GH_OrgRole | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_ResolveSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_resolvesecretscanningalerts) | Role can resolve secret scanning alerts for the organization |
-
-## Properties
-
-::: openfetch_github.models.org_role.GHOrgRoleProperties
- options:
- show_docstring_attributes: true
- inherited_members: true
- members_order: source
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgsecret.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgsecret.mdx
deleted file mode 100644
index c92e354..0000000
--- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgsecret.mdx
+++ /dev/null
@@ -1,47 +0,0 @@
----
-title: 'GH_OrgSecret'
-description: 'An organization-level GitHub Actions secret that can be scoped to all, private, or selected repositories'
-icon: '/images/extensions/githound/reference/gh_orgsecret.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents an organization-level GitHub Actions secret. Organization secrets can be scoped to all repositories, only private/internal repositories, or a specific set of selected repositories. The visibility property determines how [GH_HasSecret](/opengraph/extensions/githound/reference/edges/gh_hassecret) edges are resolved to repository nodes.
-
-
-## Edges
-
-
-The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions.
-
-
-```mermaid
-flowchart LR
-
- GH_OrgSecret["fa:fa-lock"]:::bhNode
- GH_Organization["fa:fa-building"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_Organization -- GH_Contains --> GH_OrgSecret
- GH_Repository -- GH_HasSecret --> GH_OrgSecret
-```
-
-### Inbound Edges
-
-| Start | End | Kind | Description |
-|-------|-----|------|-------------|
-| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_OrgSecret | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains secret |
-| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_OrgSecret | [GH_HasSecret](/opengraph/extensions/githound/reference/edges/gh_hassecret) | Repository can access org secret |
-
-### Outbound Edges
-
-No outgoing edges.
-
-## Properties
-
-::: openfetch_github.models.org_secret.GHOrgSecretProperties
- options:
- show_docstring_attributes: true
- inherited_members: true
- members_order: source
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgvariable.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgvariable.mdx
deleted file mode 100644
index 89782e0..0000000
--- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_orgvariable.mdx
+++ /dev/null
@@ -1,47 +0,0 @@
----
-title: 'GH_OrgVariable'
-description: 'An organization-level GitHub Actions variable that can be scoped to all, private, or selected repositories. Unlike secrets, variable values are readable.'
-icon: '/images/extensions/githound/reference/gh_orgvariable.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents an organization-level GitHub Actions variable. Organization variables can be scoped to all repositories, only private/internal repositories, or a specific set of selected repositories. The visibility property determines how [GH_HasVariable](/opengraph/extensions/githound/reference/edges/gh_hasvariable) edges are resolved to repository nodes. Unlike secrets, variable values are readable via the API.
-
-
-## Edges
-
-
-The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions.
-
-
-```mermaid
-flowchart LR
-
- GH_OrgVariable["fa:fa-lock-open"]:::bhNode
- GH_Organization["fa:fa-building"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_Organization -- GH_Contains --> GH_OrgVariable
- GH_Repository -- GH_HasVariable --> GH_OrgVariable
-```
-
-### Inbound Edges
-
-| Start | End | Kind | Description |
-|-------|-----|------|-------------|
-| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_OrgVariable | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains variable |
-| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_OrgVariable | [GH_HasVariable](/opengraph/extensions/githound/reference/edges/gh_hasvariable) | Repository can access org variable |
-
-### Outbound Edges
-
-No outgoing edges.
-
-## Properties
-
-::: openfetch_github.models.org_variable.GHOrgVariableProperties
- options:
- show_docstring_attributes: true
- inherited_members: true
- members_order: source
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken.mdx
deleted file mode 100644
index 356745d..0000000
--- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken.mdx
+++ /dev/null
@@ -1,53 +0,0 @@
----
-title: 'GH_PersonalAccessToken'
-description: 'A fine-grained personal access token granted access to organization resources'
-icon: '/images/extensions/githound/reference/gh_personalaccesstoken.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents a fine-grained personal access token that has been granted access to organization resources. PATs are linked to their owning user, the organization, and the repositories they can access. The permissions granted to the token are captured as a JSON string in the properties.
-
-
-## Edges
-
-
-The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions.
-
-
-```mermaid
-flowchart LR
-
- GH_PersonalAccessToken["fa:fa-key"]:::bhNode
- GH_Organization["fa:fa-building"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_User["fa:fa-user"]:::bhNode
- GH_PersonalAccessToken -- GH_CanAccess --> GH_Organization
- GH_PersonalAccessToken -- GH_CanAccess --> GH_Repository
- GH_User -- GH_HasPersonalAccessToken --> GH_PersonalAccessToken
- GH_Organization -- GH_Contains --> GH_PersonalAccessToken
-```
-
-### Inbound Edges
-
-| Start | End | Kind | Description |
-|-------|-----|------|-------------|
-| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_PersonalAccessToken | [GH_HasPersonalAccessToken](/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstoken) | User owns PAT |
-| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_PersonalAccessToken | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains PAT |
-
-### Outbound Edges
-
-| Start | End | Kind | Description |
-|-------|-----|------|-------------|
-| GH_PersonalAccessToken | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | [GH_CanAccess](/opengraph/extensions/githound/reference/edges/gh_canaccess) | PAT can access org |
-| GH_PersonalAccessToken | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CanAccess](/opengraph/extensions/githound/reference/edges/gh_canaccess) | PAT can access repository |
-
-## Properties
-
-::: openfetch_github.models.personal_access_token.GHPersonalAccessTokenProperties
- options:
- show_docstring_attributes: true
- inherited_members: true
- members_order: source
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_personalaccesstokenrequest.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_personalaccesstokenrequest.mdx
deleted file mode 100644
index 5cdb906..0000000
--- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_personalaccesstokenrequest.mdx
+++ /dev/null
@@ -1,47 +0,0 @@
----
-title: 'GH_PersonalAccessTokenRequest'
-description: 'A pending request from an organization member to access organization resources with a fine-grained personal access token'
-icon: '/images/extensions/githound/reference/gh_personalaccesstokenrequest.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents a pending request from an organization member to access organization resources with a fine-grained personal access token. PAT requests are linked to their owning user and the organization. The requested permissions are captured as a JSON string in the properties.
-
-
-## Edges
-
-
-The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions.
-
-
-```mermaid
-flowchart LR
-
- GH_PersonalAccessTokenRequest["fa:fa-key"]:::bhNode
- GH_User["fa:fa-user"]:::bhNode
- GH_Organization["fa:fa-building"]:::bhNode
- GH_User -- GH_HasPersonalAccessTokenRequest --> GH_PersonalAccessTokenRequest
- GH_Organization -- GH_Contains --> GH_PersonalAccessTokenRequest
-```
-
-### Inbound Edges
-
-| Start | End | Kind | Description |
-|-------|-----|------|-------------|
-| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_PersonalAccessTokenRequest | [GH_HasPersonalAccessTokenRequest](/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstokenrequest) | User submitted PAT request |
-| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_PersonalAccessTokenRequest | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains PAT request |
-
-### Outbound Edges
-
-No outgoing edges.
-
-## Properties
-
-::: openfetch_github.models.personal_access_token_request.GHPersonalAccessTokenRequestProperties
- options:
- show_docstring_attributes: true
- inherited_members: true
- members_order: source
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_reporole.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_reporole.mdx
deleted file mode 100644
index e4ee4dc..0000000
--- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_reporole.mdx
+++ /dev/null
@@ -1,176 +0,0 @@
----
-title: 'GH_RepoRole'
-description: 'The permission granted to a user or team on a repository (e.g., admin, write, read)'
-icon: '/images/extensions/githound/reference/gh_reporole.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents a repository-level permission role. Each repository has five default roles (Read, Write, Admin, Triage, Maintain) plus any custom repository roles defined at the organization level. Repo roles define what actions a user or team can perform on a specific repository. Default roles form an inheritance hierarchy (Triage -> Read, Maintain -> Write, Admin includes all), and custom roles inherit from one of the base roles.
-
-
-## Edges
-
-
-The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions.
-
-
-```mermaid
-flowchart LR
-
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_Branch["fa:fa-code-branch"]:::bhNode
- GH_User["fa:fa-user"]:::bhNode
- GH_Team["fa:fa-user-group"]:::bhNode
- GH_RepoRole -- GH_ReadRepoContents --> GH_Repository
- GH_RepoRole -- GH_WriteRepoContents --> GH_Repository
- GH_RepoRole -- GH_WriteRepoPullRequests --> GH_Repository
- GH_RepoRole -- GH_AdminTo --> GH_Repository
- GH_RepoRole -- GH_HasBaseRole --> GH_RepoRole
- GH_RepoRole -- GH_BypassBranchProtection --> GH_Repository
- GH_RepoRole -- GH_PushProtectedBranch --> GH_Repository
- GH_RepoRole -- GH_EditRepoProtections --> GH_Repository
- GH_RepoRole -- GH_ViewSecretScanningAlerts --> GH_Repository
- GH_RepoRole -- GH_ResolveSecretScanningAlerts --> GH_Repository
- GH_RepoRole -- GH_DeleteAlertsCodeScanning --> GH_Repository
- GH_RepoRole -- GH_RunOrgMigration --> GH_Repository
- GH_RepoRole -- GH_ManageSecurityProducts --> GH_Repository
- GH_RepoRole -- GH_ManageRepoSecurityProducts --> GH_Repository
- GH_RepoRole -- GH_ManageWebhooks --> GH_Repository
- GH_RepoRole -- GH_ManageDeployKeys --> GH_Repository
- GH_RepoRole -- GH_CanCreateBranch --> GH_Repository
- GH_RepoRole -- GH_CanWriteBranch --> GH_Branch
- GH_RepoRole -- GH_CanEditProtection --> GH_Branch
- GH_RepoRole -- GH_ReadCodeScanning --> GH_Repository
- GH_RepoRole -- GH_WriteCodeScanning --> GH_Repository
- GH_RepoRole -- GH_ViewDependabotAlerts --> GH_Repository
- GH_RepoRole -- GH_ResolveDependabotAlerts --> GH_Repository
- GH_RepoRole -- GH_ManageTopics --> GH_Repository
- GH_RepoRole -- GH_ManageSettingsWiki --> GH_Repository
- GH_RepoRole -- GH_ManageSettingsProjects --> GH_Repository
- GH_RepoRole -- GH_ManageSettingsMergeTypes --> GH_Repository
- GH_RepoRole -- GH_ManageSettingsPages --> GH_Repository
- GH_RepoRole -- GH_EditRepoMetadata --> GH_Repository
- GH_RepoRole -- GH_SetInteractionLimits --> GH_Repository
- GH_RepoRole -- GH_SetSocialPreview --> GH_Repository
- GH_RepoRole -- GH_EditRepoAnnouncementBanners --> GH_Repository
- GH_RepoRole -- GH_EditRepoCustomPropertiesValues --> GH_Repository
- GH_RepoRole -- GH_CreateTag --> GH_Repository
- GH_RepoRole -- GH_DeleteTag --> GH_Repository
- GH_RepoRole -- GH_JumpMergeQueue --> GH_Repository
- GH_RepoRole -- GH_CreateSoloMergeQueueEntry --> GH_Repository
- GH_RepoRole -- GH_AddLabel --> GH_Repository
- GH_RepoRole -- GH_RemoveLabel --> GH_Repository
- GH_RepoRole -- GH_CloseIssue --> GH_Repository
- GH_RepoRole -- GH_ReopenIssue --> GH_Repository
- GH_RepoRole -- GH_DeleteIssue --> GH_Repository
- GH_RepoRole -- GH_ClosePullRequest --> GH_Repository
- GH_RepoRole -- GH_ReopenPullRequest --> GH_Repository
- GH_RepoRole -- GH_AddAssignee --> GH_Repository
- GH_RepoRole -- GH_RemoveAssignee --> GH_Repository
- GH_RepoRole -- GH_RequestPrReview --> GH_Repository
- GH_RepoRole -- GH_MarkAsDuplicate --> GH_Repository
- GH_RepoRole -- GH_SetMilestone --> GH_Repository
- GH_RepoRole -- GH_SetIssueType --> GH_Repository
- GH_RepoRole -- GH_DeleteDiscussion --> GH_Repository
- GH_RepoRole -- GH_ToggleDiscussionAnswer --> GH_Repository
- GH_RepoRole -- GH_ToggleDiscussionCommentMinimize --> GH_Repository
- GH_RepoRole -- GH_CreateDiscussionCategory --> GH_Repository
- GH_RepoRole -- GH_EditDiscussionCategory --> GH_Repository
- GH_RepoRole -- GH_ConvertIssuesToDiscussions --> GH_Repository
- GH_RepoRole -- GH_CloseDiscussion --> GH_Repository
- GH_RepoRole -- GH_ReopenDiscussion --> GH_Repository
- GH_RepoRole -- GH_EditCategoryOnDiscussion --> GH_Repository
- GH_RepoRole -- GH_ManageDiscussionBadges --> GH_Repository
- GH_RepoRole -- GH_EditDiscussionComment --> GH_Repository
- GH_RepoRole -- GH_DeleteDiscussionComment --> GH_Repository
- GH_RepoRole -- GH_HasBaseRole --> GH_RepoRole
- GH_User -- GH_HasRole --> GH_RepoRole
- GH_Team -- GH_HasRole --> GH_RepoRole
-```
-
-### Inbound Edges
-
-| Start | End | Kind | Description |
-|-------|-----|------|-------------|
-| GH_RepoRole | GH_RepoRole | [GH_HasBaseRole](/opengraph/extensions/githound/reference/edges/gh_hasbaserole) | Role inherits from base role |
-| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_RepoRole | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has repo role |
-| [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | GH_RepoRole | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | Team has repo role |
-
-### Outbound Edges
-
-| Start | End | Kind | Description |
-|-------|-----|------|-------------|
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ReadRepoContents](/opengraph/extensions/githound/reference/edges/gh_readrepocontents) | Role can read repo contents |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_WriteRepoContents](/opengraph/extensions/githound/reference/edges/gh_writerepocontents) | Role can write repo contents |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_WriteRepoPullRequests](/opengraph/extensions/githound/reference/edges/gh_writerepopullrequests) | Role can write pull requests |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_AdminTo](/opengraph/extensions/githound/reference/edges/gh_adminto) | Role has admin access to repo |
-| GH_RepoRole | GH_RepoRole | [GH_HasBaseRole](/opengraph/extensions/githound/reference/edges/gh_hasbaserole) | Role inherits from base role |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_BypassBranchProtection](/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection) | Role can bypass branch protection rules |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_PushProtectedBranch](/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch) | Role can push to protected branches |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditRepoProtections](/opengraph/extensions/githound/reference/edges/gh_editrepoprotections) | Role can edit repository branch protection settings |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ViewSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts) | Role can view secret scanning alerts |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ResolveSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_resolvesecretscanningalerts) | Role can resolve secret scanning alerts |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_DeleteAlertsCodeScanning](/opengraph/extensions/githound/reference/edges/gh_deletealertscodescanning) | Role can delete code scanning alerts |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RunOrgMigration](/opengraph/extensions/githound/reference/edges/gh_runorgmigration) | Role can run organization migrations on the repository |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageSecurityProducts](/opengraph/extensions/githound/reference/edges/gh_managesecurityproducts) | Role can manage security products for the repository |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageRepoSecurityProducts](/opengraph/extensions/githound/reference/edges/gh_managereposecurityproducts) | Role can manage repository-level security products |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageWebhooks](/opengraph/extensions/githound/reference/edges/gh_managewebhooks) | Role can manage repository webhooks |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageDeployKeys](/opengraph/extensions/githound/reference/edges/gh_managedeploykeys) | Role can manage repository deploy keys |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CanCreateBranch](/opengraph/extensions/githound/reference/edges/gh_cancreatebranch) | Role can create new branches in the repository |
-| GH_RepoRole | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) | Role can push commits to this branch |
-| GH_RepoRole | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_CanEditProtection](/opengraph/extensions/githound/reference/edges/gh_caneditprotection) | Role can modify or remove the branch protection rule governing this branch |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ReadCodeScanning](/opengraph/extensions/githound/reference/edges/gh_readcodescanning) | Role can read code scanning results |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_WriteCodeScanning](/opengraph/extensions/githound/reference/edges/gh_writecodescanning) | Role can write code scanning results |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ViewDependabotAlerts](/opengraph/extensions/githound/reference/edges/gh_viewdependabotalerts) | Role can view Dependabot alerts |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ResolveDependabotAlerts](/opengraph/extensions/githound/reference/edges/gh_resolvedependabotalerts) | Role can resolve Dependabot alerts |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageTopics](/opengraph/extensions/githound/reference/edges/gh_managetopics) | Role can manage repository topics |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageSettingsWiki](/opengraph/extensions/githound/reference/edges/gh_managesettingswiki) | Role can manage wiki settings |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageSettingsProjects](/opengraph/extensions/githound/reference/edges/gh_managesettingsprojects) | Role can manage projects settings |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageSettingsMergeTypes](/opengraph/extensions/githound/reference/edges/gh_managesettingsmergetypes) | Role can manage merge type settings |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageSettingsPages](/opengraph/extensions/githound/reference/edges/gh_managesettingspages) | Role can manage GitHub Pages settings |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditRepoMetadata](/opengraph/extensions/githound/reference/edges/gh_editrepometadata) | Role can edit repository metadata (name, description, etc.) |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_SetInteractionLimits](/opengraph/extensions/githound/reference/edges/gh_setinteractionlimits) | Role can set interaction limits on the repository |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_SetSocialPreview](/opengraph/extensions/githound/reference/edges/gh_setsocialpreview) | Role can set the repository social preview image |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditRepoAnnouncementBanners](/opengraph/extensions/githound/reference/edges/gh_editrepoannouncementbanners) | Role can edit repository announcement banners |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditRepoCustomPropertiesValues](/opengraph/extensions/githound/reference/edges/gh_editrepocustompropertiesvalues) | Role can edit custom property values on the repository |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CreateTag](/opengraph/extensions/githound/reference/edges/gh_createtag) | Role can create tags in the repository |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_DeleteTag](/opengraph/extensions/githound/reference/edges/gh_deletetag) | Role can delete tags in the repository |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_JumpMergeQueue](/opengraph/extensions/githound/reference/edges/gh_jumpmergequeue) | Role can jump the merge queue |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CreateSoloMergeQueueEntry](/opengraph/extensions/githound/reference/edges/gh_createsolomergequeueentry) | Role can create a solo merge queue entry |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_AddLabel](/opengraph/extensions/githound/reference/edges/gh_addlabel) | Role can add labels to issues and pull requests |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RemoveLabel](/opengraph/extensions/githound/reference/edges/gh_removelabel) | Role can remove labels from issues and pull requests |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CloseIssue](/opengraph/extensions/githound/reference/edges/gh_closeissue) | Role can close issues |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ReopenIssue](/opengraph/extensions/githound/reference/edges/gh_reopenissue) | Role can reopen issues |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_DeleteIssue](/opengraph/extensions/githound/reference/edges/gh_deleteissue) | Role can delete issues |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ClosePullRequest](/opengraph/extensions/githound/reference/edges/gh_closepullrequest) | Role can close pull requests |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ReopenPullRequest](/opengraph/extensions/githound/reference/edges/gh_reopenpullrequest) | Role can reopen pull requests |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_AddAssignee](/opengraph/extensions/githound/reference/edges/gh_addassignee) | Role can add assignees to issues and pull requests |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RemoveAssignee](/opengraph/extensions/githound/reference/edges/gh_removeassignee) | Role can remove assignees from issues and pull requests |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_RequestPrReview](/opengraph/extensions/githound/reference/edges/gh_requestprreview) | Role can request pull request reviews |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_MarkAsDuplicate](/opengraph/extensions/githound/reference/edges/gh_markasduplicate) | Role can mark issues or pull requests as duplicates |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_SetMilestone](/opengraph/extensions/githound/reference/edges/gh_setmilestone) | Role can set milestones on issues and pull requests |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_SetIssueType](/opengraph/extensions/githound/reference/edges/gh_setissuetype) | Role can set issue types |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_DeleteDiscussion](/opengraph/extensions/githound/reference/edges/gh_deletediscussion) | Role can delete discussions |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ToggleDiscussionAnswer](/opengraph/extensions/githound/reference/edges/gh_togglediscussionanswer) | Role can toggle the accepted answer on a discussion |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ToggleDiscussionCommentMinimize](/opengraph/extensions/githound/reference/edges/gh_togglediscussioncommentminimize) | Role can minimize or un-minimize discussion comments |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CreateDiscussionCategory](/opengraph/extensions/githound/reference/edges/gh_creatediscussioncategory) | Role can create discussion categories |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditDiscussionCategory](/opengraph/extensions/githound/reference/edges/gh_editdiscussioncategory) | Role can edit discussion categories |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ConvertIssuesToDiscussions](/opengraph/extensions/githound/reference/edges/gh_convertissuestodiscussions) | Role can convert issues to discussions |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_CloseDiscussion](/opengraph/extensions/githound/reference/edges/gh_closediscussion) | Role can close discussions |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ReopenDiscussion](/opengraph/extensions/githound/reference/edges/gh_reopendiscussion) | Role can reopen discussions |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditCategoryOnDiscussion](/opengraph/extensions/githound/reference/edges/gh_editcategoryondiscussion) | Role can edit the category on a discussion |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_ManageDiscussionBadges](/opengraph/extensions/githound/reference/edges/gh_managediscussionbadges) | Role can manage discussion badges |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_EditDiscussionComment](/opengraph/extensions/githound/reference/edges/gh_editdiscussioncomment) | Role can edit discussion comments |
-| GH_RepoRole | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | [GH_DeleteDiscussionComment](/opengraph/extensions/githound/reference/edges/gh_deletediscussioncomment) | Role can delete discussion comments |
-
-## Properties
-
-::: openfetch_github.models.repository_role.GHRepoRoleProperties
- options:
- show_docstring_attributes: true
- inherited_members: true
- members_order: source
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_reposecret.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_reposecret.mdx
deleted file mode 100644
index f265585..0000000
--- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_reposecret.mdx
+++ /dev/null
@@ -1,46 +0,0 @@
----
-title: 'GH_RepoSecret'
-description: 'A repository-level GitHub Actions secret accessible only to workflows in that repository'
-icon: '/images/extensions/githound/reference/gh_reposecret.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents a repository-level GitHub Actions secret. These are secrets defined directly on a specific repository and are only accessible to workflows running in that repository.
-
-
-## Edges
-
-
-The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions.
-
-
-```mermaid
-flowchart LR
-
- GH_RepoSecret["fa:fa-lock"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_Repository -- GH_Contains --> GH_RepoSecret
- GH_Repository -- GH_HasSecret --> GH_RepoSecret
-```
-
-### Inbound Edges
-
-| Start | End | Kind | Description |
-|-------|-----|------|-------------|
-| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_RepoSecret | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Repository contains secret |
-| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_RepoSecret | [GH_HasSecret](/opengraph/extensions/githound/reference/edges/gh_hassecret) | Repository has access to secret |
-
-### Outbound Edges
-
-No outgoing edges.
-
-## Properties
-
-::: openfetch_github.models.repository_secret.GHRepoSecretProperties
- options:
- show_docstring_attributes: true
- inherited_members: true
- members_order: source
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_repository.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_repository.mdx
deleted file mode 100644
index 9e9ff8e..0000000
--- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_repository.mdx
+++ /dev/null
@@ -1,201 +0,0 @@ ---- -title: 'GH_Repository' -description: 'A code repository in an organization, containing files, issues, and other resources' -icon: '/images/extensions/githound/reference/gh_repository.png' ---- - -Applies to BloodHound Enterprise and CE - -## Description - -Represents a GitHub repository within the organization. Repository nodes capture metadata about the repo including visibility, Actions enablement status, and security configuration. Repository role nodes ([GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole)) are created alongside each repository to represent the permission levels available. - - -## Edges - - -The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions. - - -```mermaid -flowchart LR - - GH_Repository["fa:fa-box-archive"]:::bhNode - GH_RepoSecret["fa:fa-lock"]:::bhNode - GH_RepoVariable["fa:fa-lock-open"]:::bhNode - GH_OrgVariable["fa:fa-lock-open"]:::bhNode - GH_SecretScanningAlert["fa:fa-key"]:::bhNode - GH_BranchProtectionRule["fa:fa-shield"]:::bhNode - GH_OrgSecret["fa:fa-lock"]:::bhNode - GH_Branch["fa:fa-code-branch"]:::bhNode - GH_Environment["fa:fa-leaf"]:::bhNode - GH_Workflow["fa:fa-cogs"]:::bhNode - GH_AppInstallation["fa:fa-plug"]:::bhNode - GH_RepoRole["fa:fa-user-tie"]:::bhNode - GH_PersonalAccessToken["fa:fa-key"]:::bhNode - GH_Organization["fa:fa-building"]:::bhNode - GH_Repository -- GH_Contains --> GH_RepoSecret - GH_Repository -- GH_HasSecret --> GH_RepoSecret - GH_Repository -- GH_Contains --> GH_RepoVariable - GH_Repository -- GH_HasVariable --> GH_RepoVariable - GH_Repository -- GH_HasVariable --> GH_OrgVariable - GH_Repository -- GH_HasSecretScanningAlert --> GH_SecretScanningAlert - GH_Repository -- GH_Contains --> GH_BranchProtectionRule - GH_Repository -- GH_HasSecret --> GH_OrgSecret - GH_Repository -- GH_HasBranch --> GH_Branch - GH_Repository -- GH_HasEnvironment --> GH_Environment - 
GH_Repository -- GH_HasWorkflow --> GH_Workflow - GH_AppInstallation -- GH_CanAccess --> GH_Repository - GH_RepoRole -- GH_ReadRepoContents --> GH_Repository - GH_RepoRole -- GH_WriteRepoContents --> GH_Repository - GH_RepoRole -- GH_WriteRepoPullRequests --> GH_Repository - GH_RepoRole -- GH_AdminTo --> GH_Repository - GH_RepoRole -- GH_BypassBranchProtection --> GH_Repository - GH_RepoRole -- GH_PushProtectedBranch --> GH_Repository - GH_RepoRole -- GH_EditRepoProtections --> GH_Repository - GH_RepoRole -- GH_ViewSecretScanningAlerts --> GH_Repository - GH_RepoRole -- GH_ResolveSecretScanningAlerts --> GH_Repository - GH_RepoRole -- GH_DeleteAlertsCodeScanning --> GH_Repository - GH_RepoRole -- GH_RunOrgMigration --> GH_Repository - GH_RepoRole -- GH_ManageSecurityProducts --> GH_Repository - GH_RepoRole -- GH_ManageRepoSecurityProducts --> GH_Repository - GH_RepoRole -- GH_ManageWebhooks --> GH_Repository - GH_RepoRole -- GH_ManageDeployKeys --> GH_Repository - GH_RepoRole -- GH_CanCreateBranch --> GH_Repository - GH_RepoRole -- GH_ReadCodeScanning --> GH_Repository - GH_RepoRole -- GH_WriteCodeScanning --> GH_Repository - GH_RepoRole -- GH_ViewDependabotAlerts --> GH_Repository - GH_RepoRole -- GH_ResolveDependabotAlerts --> GH_Repository - GH_RepoRole -- GH_ManageTopics --> GH_Repository - GH_RepoRole -- GH_ManageSettingsWiki --> GH_Repository - GH_RepoRole -- GH_ManageSettingsProjects --> GH_Repository - GH_RepoRole -- GH_ManageSettingsMergeTypes --> GH_Repository - GH_RepoRole -- GH_ManageSettingsPages --> GH_Repository - GH_RepoRole -- GH_EditRepoMetadata --> GH_Repository - GH_RepoRole -- GH_SetInteractionLimits --> GH_Repository - GH_RepoRole -- GH_SetSocialPreview --> GH_Repository - GH_RepoRole -- GH_EditRepoAnnouncementBanners --> GH_Repository - GH_RepoRole -- GH_EditRepoCustomPropertiesValues --> GH_Repository - GH_RepoRole -- GH_CreateTag --> GH_Repository - GH_RepoRole -- GH_DeleteTag --> GH_Repository - GH_RepoRole -- GH_JumpMergeQueue --> 
GH_Repository - GH_RepoRole -- GH_CreateSoloMergeQueueEntry --> GH_Repository - GH_RepoRole -- GH_AddLabel --> GH_Repository - GH_RepoRole -- GH_RemoveLabel --> GH_Repository - GH_RepoRole -- GH_CloseIssue --> GH_Repository - GH_RepoRole -- GH_ReopenIssue --> GH_Repository - GH_RepoRole -- GH_DeleteIssue --> GH_Repository - GH_RepoRole -- GH_ClosePullRequest --> GH_Repository - GH_RepoRole -- GH_ReopenPullRequest --> GH_Repository - GH_RepoRole -- GH_AddAssignee --> GH_Repository - GH_RepoRole -- GH_RemoveAssignee --> GH_Repository - GH_RepoRole -- GH_RequestPrReview --> GH_Repository - GH_RepoRole -- GH_MarkAsDuplicate --> GH_Repository - GH_RepoRole -- GH_SetMilestone --> GH_Repository - GH_RepoRole -- GH_SetIssueType --> GH_Repository - GH_RepoRole -- GH_DeleteDiscussion --> GH_Repository - GH_RepoRole -- GH_ToggleDiscussionAnswer --> GH_Repository - GH_RepoRole -- GH_ToggleDiscussionCommentMinimize --> GH_Repository - GH_RepoRole -- GH_CreateDiscussionCategory --> GH_Repository - GH_RepoRole -- GH_EditDiscussionCategory --> GH_Repository - GH_RepoRole -- GH_ConvertIssuesToDiscussions --> GH_Repository - GH_RepoRole -- GH_CloseDiscussion --> GH_Repository - GH_RepoRole -- GH_ReopenDiscussion --> GH_Repository - GH_RepoRole -- GH_EditCategoryOnDiscussion --> GH_Repository - GH_RepoRole -- GH_ManageDiscussionBadges --> GH_Repository - GH_RepoRole -- GH_EditDiscussionComment --> GH_Repository - GH_RepoRole -- GH_DeleteDiscussionComment --> GH_Repository - GH_PersonalAccessToken -- GH_CanAccess --> GH_Repository - GH_Organization -- GH_Owns --> GH_Repository -``` - -### Inbound Edges - -| Start | End | Kind | Description | -|-------|-----|------|-------------| -| [GH_AppInstallation](/opengraph/extensions/githound/reference/nodes/gh_appinstallation) | GH_Repository | [GH_CanAccess](/opengraph/extensions/githound/reference/edges/gh_canaccess) | App installation can access repository | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | 
GH_Repository | [GH_ReadRepoContents](/opengraph/extensions/githound/reference/edges/gh_readrepocontents) | Role can read repo contents | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_WriteRepoContents](/opengraph/extensions/githound/reference/edges/gh_writerepocontents) | Role can write repo contents | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_WriteRepoPullRequests](/opengraph/extensions/githound/reference/edges/gh_writerepopullrequests) | Role can write pull requests | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_AdminTo](/opengraph/extensions/githound/reference/edges/gh_adminto) | Role has admin access to repo | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_BypassBranchProtection](/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection) | Role can bypass branch protection rules | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_PushProtectedBranch](/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch) | Role can push to protected branches | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_EditRepoProtections](/opengraph/extensions/githound/reference/edges/gh_editrepoprotections) | Role can edit repository branch protection settings | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ViewSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts) | Role can view secret scanning alerts | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ResolveSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_resolvesecretscanningalerts) | Role can resolve secret scanning alerts | 
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_DeleteAlertsCodeScanning](/opengraph/extensions/githound/reference/edges/gh_deletealertscodescanning) | Role can delete code scanning alerts | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_RunOrgMigration](/opengraph/extensions/githound/reference/edges/gh_runorgmigration) | Role can run organization migrations on the repository | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ManageSecurityProducts](/opengraph/extensions/githound/reference/edges/gh_managesecurityproducts) | Role can manage security products for the repository | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ManageRepoSecurityProducts](/opengraph/extensions/githound/reference/edges/gh_managereposecurityproducts) | Role can manage repository-level security products | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ManageWebhooks](/opengraph/extensions/githound/reference/edges/gh_managewebhooks) | Role can manage repository webhooks | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ManageDeployKeys](/opengraph/extensions/githound/reference/edges/gh_managedeploykeys) | Role can manage repository deploy keys | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_CanCreateBranch](/opengraph/extensions/githound/reference/edges/gh_cancreatebranch) | Role can create new branches in the repository | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ReadCodeScanning](/opengraph/extensions/githound/reference/edges/gh_readcodescanning) | Role can read code scanning results | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository 
| [GH_WriteCodeScanning](/opengraph/extensions/githound/reference/edges/gh_writecodescanning) | Role can write code scanning results | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ViewDependabotAlerts](/opengraph/extensions/githound/reference/edges/gh_viewdependabotalerts) | Role can view Dependabot alerts | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ResolveDependabotAlerts](/opengraph/extensions/githound/reference/edges/gh_resolvedependabotalerts) | Role can resolve Dependabot alerts | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ManageTopics](/opengraph/extensions/githound/reference/edges/gh_managetopics) | Role can manage repository topics | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ManageSettingsWiki](/opengraph/extensions/githound/reference/edges/gh_managesettingswiki) | Role can manage wiki settings | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ManageSettingsProjects](/opengraph/extensions/githound/reference/edges/gh_managesettingsprojects) | Role can manage projects settings | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ManageSettingsMergeTypes](/opengraph/extensions/githound/reference/edges/gh_managesettingsmergetypes) | Role can manage merge type settings | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ManageSettingsPages](/opengraph/extensions/githound/reference/edges/gh_managesettingspages) | Role can manage GitHub Pages settings | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_EditRepoMetadata](/opengraph/extensions/githound/reference/edges/gh_editrepometadata) | Role can edit repository metadata (name, description, etc.) 
| -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_SetInteractionLimits](/opengraph/extensions/githound/reference/edges/gh_setinteractionlimits) | Role can set interaction limits on the repository | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_SetSocialPreview](/opengraph/extensions/githound/reference/edges/gh_setsocialpreview) | Role can set the repository social preview image | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_EditRepoAnnouncementBanners](/opengraph/extensions/githound/reference/edges/gh_editrepoannouncementbanners) | Role can edit repository announcement banners | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_EditRepoCustomPropertiesValues](/opengraph/extensions/githound/reference/edges/gh_editrepocustompropertiesvalues) | Role can edit custom property values on the repository | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_CreateTag](/opengraph/extensions/githound/reference/edges/gh_createtag) | Role can create tags in the repository | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_DeleteTag](/opengraph/extensions/githound/reference/edges/gh_deletetag) | Role can delete tags in the repository | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_JumpMergeQueue](/opengraph/extensions/githound/reference/edges/gh_jumpmergequeue) | Role can jump the merge queue | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_CreateSoloMergeQueueEntry](/opengraph/extensions/githound/reference/edges/gh_createsolomergequeueentry) | Role can create a solo merge queue entry | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository 
| [GH_AddLabel](/opengraph/extensions/githound/reference/edges/gh_addlabel) | Role can add labels to issues and pull requests | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_RemoveLabel](/opengraph/extensions/githound/reference/edges/gh_removelabel) | Role can remove labels from issues and pull requests | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_CloseIssue](/opengraph/extensions/githound/reference/edges/gh_closeissue) | Role can close issues | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ReopenIssue](/opengraph/extensions/githound/reference/edges/gh_reopenissue) | Role can reopen issues | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_DeleteIssue](/opengraph/extensions/githound/reference/edges/gh_deleteissue) | Role can delete issues | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ClosePullRequest](/opengraph/extensions/githound/reference/edges/gh_closepullrequest) | Role can close pull requests | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ReopenPullRequest](/opengraph/extensions/githound/reference/edges/gh_reopenpullrequest) | Role can reopen pull requests | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_AddAssignee](/opengraph/extensions/githound/reference/edges/gh_addassignee) | Role can add assignees to issues and pull requests | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_RemoveAssignee](/opengraph/extensions/githound/reference/edges/gh_removeassignee) | Role can remove assignees from issues and pull requests | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | 
[GH_RequestPrReview](/opengraph/extensions/githound/reference/edges/gh_requestprreview) | Role can request pull request reviews | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_MarkAsDuplicate](/opengraph/extensions/githound/reference/edges/gh_markasduplicate) | Role can mark issues or pull requests as duplicates | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_SetMilestone](/opengraph/extensions/githound/reference/edges/gh_setmilestone) | Role can set milestones on issues and pull requests | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_SetIssueType](/opengraph/extensions/githound/reference/edges/gh_setissuetype) | Role can set issue types | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_DeleteDiscussion](/opengraph/extensions/githound/reference/edges/gh_deletediscussion) | Role can delete discussions | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ToggleDiscussionAnswer](/opengraph/extensions/githound/reference/edges/gh_togglediscussionanswer) | Role can toggle the accepted answer on a discussion | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ToggleDiscussionCommentMinimize](/opengraph/extensions/githound/reference/edges/gh_togglediscussioncommentminimize) | Role can minimize or un-minimize discussion comments | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_CreateDiscussionCategory](/opengraph/extensions/githound/reference/edges/gh_creatediscussioncategory) | Role can create discussion categories | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_EditDiscussionCategory](/opengraph/extensions/githound/reference/edges/gh_editdiscussioncategory) | Role 
can edit discussion categories | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ConvertIssuesToDiscussions](/opengraph/extensions/githound/reference/edges/gh_convertissuestodiscussions) | Role can convert issues to discussions | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_CloseDiscussion](/opengraph/extensions/githound/reference/edges/gh_closediscussion) | Role can close discussions | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ReopenDiscussion](/opengraph/extensions/githound/reference/edges/gh_reopendiscussion) | Role can reopen discussions | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_EditCategoryOnDiscussion](/opengraph/extensions/githound/reference/edges/gh_editcategoryondiscussion) | Role can edit the category on a discussion | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_ManageDiscussionBadges](/opengraph/extensions/githound/reference/edges/gh_managediscussionbadges) | Role can manage discussion badges | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_EditDiscussionComment](/opengraph/extensions/githound/reference/edges/gh_editdiscussioncomment) | Role can edit discussion comments | -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_Repository | [GH_DeleteDiscussionComment](/opengraph/extensions/githound/reference/edges/gh_deletediscussioncomment) | Role can delete discussion comments | -| [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) | GH_Repository | [GH_CanAccess](/opengraph/extensions/githound/reference/edges/gh_canaccess) | PAT can access repository | -| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_Repository | 
[GH_Owns](/opengraph/extensions/githound/reference/edges/gh_owns) | Org owns repository | - -### Outbound Edges - -| Start | End | Kind | Description | -|-------|-----|------|-------------| -| GH_Repository | [GH_RepoSecret](/opengraph/extensions/githound/reference/nodes/gh_reposecret) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Repository contains secret | -| GH_Repository | [GH_RepoSecret](/opengraph/extensions/githound/reference/nodes/gh_reposecret) | [GH_HasSecret](/opengraph/extensions/githound/reference/edges/gh_hassecret) | Repository has access to secret | -| GH_Repository | [GH_RepoVariable](/opengraph/extensions/githound/reference/nodes/gh_repovariable) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Repository contains variable | -| GH_Repository | [GH_RepoVariable](/opengraph/extensions/githound/reference/nodes/gh_repovariable) | [GH_HasVariable](/opengraph/extensions/githound/reference/edges/gh_hasvariable) | Repository has access to variable | -| GH_Repository | [GH_OrgVariable](/opengraph/extensions/githound/reference/nodes/gh_orgvariable) | [GH_HasVariable](/opengraph/extensions/githound/reference/edges/gh_hasvariable) | Repository can access org variable | -| GH_Repository | [GH_SecretScanningAlert](/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert) | [GH_HasSecretScanningAlert](../../graph/edges/gh_hassecretscanningalert) | Repository has secret scanning alert | -| GH_Repository | [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Repository contains branch protection rule | -| GH_Repository | [GH_OrgSecret](/opengraph/extensions/githound/reference/nodes/gh_orgsecret) | [GH_HasSecret](/opengraph/extensions/githound/reference/edges/gh_hassecret) | Repository can access org secret | -| GH_Repository | 
[GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_HasBranch](/opengraph/extensions/githound/reference/edges/gh_hasbranch) | Repository has branch | -| GH_Repository | [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) | [GH_HasEnvironment](/opengraph/extensions/githound/reference/edges/gh_hasenvironment) | Repository deploys to environment (no custom branch policy) | -| GH_Repository | [GH_Workflow](/opengraph/extensions/githound/reference/nodes/gh_workflow) | [GH_HasWorkflow](/opengraph/extensions/githound/reference/edges/gh_hasworkflow) | Repository contains workflow | - -## Properties - -::: openfetch_github.models.repository.GHRepositoryProperties - options: - show_docstring_attributes: true - inherited_members: true - members_order: source diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_repovariable.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_repovariable.mdx deleted file mode 100644 index d08a846..0000000 --- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_repovariable.mdx +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -title: 'GH_RepoVariable' -description: 'A repository-level GitHub Actions variable accessible only to workflows in that repository. Unlike secrets, variable values are readable.' -icon: '/images/extensions/githound/reference/gh_repovariable.png' ---- - -Applies to BloodHound Enterprise and CE - -## Description - -Represents a repository-level GitHub Actions variable. These are variables defined directly on a specific repository and are only accessible to workflows running in that repository. Unlike secrets, variable values are readable via the API. - - -## Edges - - -The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions. - - -```mermaid -flowchart LR - - GH_RepoVariable["fa:fa-lock-open"]:::bhNode - GH_Repository["fa:fa-box-archive"]:::bhNode - GH_Repository -- GH_Contains --> GH_RepoVariable - GH_Repository -- GH_HasVariable --> GH_RepoVariable -``` - -### Inbound Edges - -| Start | End | Kind | Description | -|-------|-----|------|-------------| -| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_RepoVariable | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Repository contains variable | -| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_RepoVariable | [GH_HasVariable](/opengraph/extensions/githound/reference/edges/gh_hasvariable) | Repository has access to variable | - -### Outbound Edges - -No outgoing edges. - -## Properties - -::: openfetch_github.models.repository_variable.GHRepoVariableProperties - options: - show_docstring_attributes: true - inherited_members: true - members_order: source diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_samlidentityprovider.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_samlidentityprovider.mdx deleted file mode 100644 index b7a71f0..0000000 
--- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_samlidentityprovider.mdx +++ /dev/null 
@@ -1,48 +0,0 @@ ---- -title: 'GH_SamlIdentityProvider' -description: 'A SAML identity provider configured for the organization, enabling SSO' -icon: '/images/extensions/githound/reference/gh_samlidentityprovider.png' ---- - -Applies to BloodHound Enterprise and CE - -## Description - -Represents a SAML identity provider configured for the organization. This node captures the SAML SSO configuration details and serves as the parent container for external identity mappings. Through external identities, it enables linking GitHub users to their corporate identities in the identity provider. - - -## Edges - - -The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions. - - -```mermaid -flowchart LR - - GH_SamlIdentityProvider["fa:fa-id-badge"]:::bhNode - GH_ExternalIdentity["fa:fa-arrows-left-right"]:::bhNode - GH_Organization["fa:fa-building"]:::bhNode - GH_SamlIdentityProvider -- GH_HasExternalIdentity --> GH_ExternalIdentity - GH_Organization -- GH_HasSamlIdentityProvider --> GH_SamlIdentityProvider -``` - -### Inbound Edges - -| Start | End | Kind | Description | -|-------|-----|------|-------------| -| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_SamlIdentityProvider | [GH_HasSamlIdentityProvider](/opengraph/extensions/githound/reference/edges/gh_hassamlidentityprovider) | Org uses this SAML IdP | - -### Outbound Edges - -| Start | End | Kind | Description | -|-------|-----|------|-------------| -| GH_SamlIdentityProvider | [GH_ExternalIdentity](/opengraph/extensions/githound/reference/nodes/gh_externalidentity) | [GH_HasExternalIdentity](/opengraph/extensions/githound/reference/edges/gh_hasexternalidentity) | IdP has external identity | - -## Properties - -::: openfetch_github.models.saml_provider.GHSamlProviderProperties - options: - show_docstring_attributes: true - inherited_members: true - members_order: source 
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert.mdx deleted file mode 100644 index b6551e6..0000000 --- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert.mdx +++ /dev/null 
@@ -1,51 +0,0 @@ ---- -title: 'GH_SecretScanningAlert' -description: 'A GitHub Advanced Security alert indicating a secret was accidentally committed to a repository' -icon: '/images/extensions/githound/reference/gh_secretscanningalert.png' ---- - -Applies to BloodHound Enterprise and CE - -## Description - -Represents a GitHub secret scanning alert detected in a repository. Secret scanning alerts are raised when GitHub detects a known secret pattern (such as an API key, token, or credential) committed to a repository. The alert captures the secret type, validity status, and current resolution state. - - -## Edges - - -The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions. - - -```mermaid -flowchart LR - - GH_SecretScanningAlert["fa:fa-key"]:::bhNode - GH_User["fa:fa-user"]:::bhNode - GH_Organization["fa:fa-building"]:::bhNode - GH_Repository["fa:fa-box-archive"]:::bhNode - GH_SecretScanningAlert -- GH_ValidToken --> GH_User - GH_Organization -- GH_Contains --> GH_SecretScanningAlert - GH_Repository -- GH_HasSecretScanningAlert --> GH_SecretScanningAlert -``` - -### Inbound Edges - -| Start | End | Kind | Description | -|-------|-----|------|-------------| -| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_SecretScanningAlert | [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | Org contains secret scanning alert | -| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_SecretScanningAlert | [GH_HasSecretScanningAlert](../../graph/edges/gh_hassecretscanningalert) | Repository has secret scanning alert | - -### Outbound Edges - -| Start | End | Kind | Description | -|-------|-----|------|-------------| -| GH_SecretScanningAlert | [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | [GH_ValidToken](/opengraph/extensions/githound/reference/edges/gh_validtoken) | Alert secret 
is a valid PAT for this user | - -## Properties - -::: openfetch_github.models.secret_scanning_alert.GHSecretScanningAlertProperties - options: - show_docstring_attributes: true - inherited_members: true - members_order: source diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_team.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_team.mdx deleted file mode 100644 index 71a847e..0000000 --- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_team.mdx +++ /dev/null 
@@ -1,60 +0,0 @@ ---- -title: 'GH_Team' -description: 'A team within an organization, grouping users for shared access and collaboration' -icon: '/images/extensions/githound/reference/gh_team.png' ---- - -Applies to BloodHound Enterprise and CE - -## Description - -Represents a GitHub team within the organization. Teams can have parent-child relationships, contain members with different roles (Member, Maintainer), and be assigned to repository roles. - - -## Edges - - -The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions. - - -```mermaid -flowchart LR - - GH_Team["fa:fa-user-group"]:::bhNode - GH_OrgRole["fa:fa-user-tie"]:::bhNode - GH_RepoRole["fa:fa-user-tie"]:::bhNode - GH_Branch["fa:fa-code-branch"]:::bhNode - GH_TeamRole["fa:fa-user-tie"]:::bhNode - GH_Team -- GH_HasRole --> GH_OrgRole - GH_Team -- GH_MemberOf --> GH_Team - GH_Team -- GH_HasRole --> GH_RepoRole - GH_Team -- GH_CanWriteBranch --> GH_Branch - GH_Team -- GH_MemberOf --> GH_Team - GH_TeamRole -- GH_MemberOf --> GH_Team - GH_TeamRole -- GH_AddMember --> GH_Team -``` - -### Inbound Edges - -| Start | End | Kind | Description | -|-------|-----|------|-------------| -| GH_Team | GH_Team | [GH_MemberOf](/opengraph/extensions/githound/reference/edges/gh_memberof) | Team is a child of parent team | -| [GH_TeamRole](/opengraph/extensions/githound/reference/nodes/gh_teamrole) | GH_Team | [GH_MemberOf](/opengraph/extensions/githound/reference/edges/gh_memberof) | Team role belongs to team | -| [GH_TeamRole](/opengraph/extensions/githound/reference/nodes/gh_teamrole) | GH_Team | [GH_AddMember](/opengraph/extensions/githound/reference/edges/gh_addmember) | Maintainers role can add members to team | - -### Outbound Edges - -| Start | End | Kind | Description | -|-------|-----|------|-------------| -| GH_Team | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | 
[GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | Team has org role | -| GH_Team | GH_Team | [GH_MemberOf](/opengraph/extensions/githound/reference/edges/gh_memberof) | Team is a child of parent team | -| GH_Team | [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | Team has repo role | -| GH_Team | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) | Team can push commits to this branch via actor-level bypass allowances | - -## Properties - -::: openfetch_github.models.team.GHTeamProperties - options: - show_docstring_attributes: true - inherited_members: true - members_order: source diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_teamrole.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_teamrole.mdx deleted file mode 100644 index 1877154..0000000 --- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_teamrole.mdx +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -title: 'GH_TeamRole' -description: 'The role a user has within a team (e.g., maintainer, member)' -icon: '/images/extensions/githound/reference/gh_teamrole.png' ---- - -Applies to BloodHound Enterprise and CE - -## Description - -Represents a role within a GitHub team. Each team has two built-in roles: Member and Maintainer. Maintainers can add and remove team members. Team roles connect users to teams and transitively to any repository roles assigned to the team. - - -## Edges - - -The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions. - - -```mermaid -flowchart LR - - GH_TeamRole["fa:fa-user-tie"]:::bhNode - GH_Team["fa:fa-user-group"]:::bhNode - GH_User["fa:fa-user"]:::bhNode - GH_TeamRole -- GH_MemberOf --> GH_Team - GH_TeamRole -- GH_AddMember --> GH_Team - GH_User -- GH_HasRole --> GH_TeamRole -``` - -### Inbound Edges - -| Start | End | Kind | Description | -|-------|-----|------|-------------| -| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_TeamRole | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has team role | - -### Outbound Edges - -| Start | End | Kind | Description | -|-------|-----|------|-------------| -| GH_TeamRole | [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | [GH_MemberOf](/opengraph/extensions/githound/reference/edges/gh_memberof) | Team role belongs to team | -| GH_TeamRole | [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | [GH_AddMember](/opengraph/extensions/githound/reference/edges/gh_addmember) | Maintainers role can add members to team | - -## Properties - -::: openfetch_github.models.team_role.GHTeamRoleProperties - options: - show_docstring_attributes: true - inherited_members: true - members_order: source 
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_user.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_user.mdx deleted file mode 100644 index a8907c3..0000000 --- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_user.mdx +++ /dev/null 
@@ -1,75 +0,0 @@ ---- -title: 'GH_User' -description: 'An individual GitHub user account' -icon: '/images/extensions/githound/reference/gh_user.png' ---- - -Applies to BloodHound Enterprise and CE - -## Description - -Represents a GitHub user who is a member of the organization. Users are associated with organization roles (Owner or Member) and can be assigned to repository roles and team roles. - - -## Edges - - -The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions. - - -```mermaid -flowchart LR - - GH_User["fa:fa-user"]:::bhNode - GH_TeamRole["fa:fa-user-tie"]:::bhNode - GH_OrgRole["fa:fa-user-tie"]:::bhNode - GH_PersonalAccessToken["fa:fa-key"]:::bhNode - GH_RepoRole["fa:fa-user-tie"]:::bhNode - GH_Branch["fa:fa-code-branch"]:::bhNode - GH_PersonalAccessTokenRequest["fa:fa-key"]:::bhNode - GH_BranchProtectionRule["fa:fa-shield"]:::bhNode - GH_SecretScanningAlert["fa:fa-key"]:::bhNode - GH_ExternalIdentity["fa:fa-arrows-left-right"]:::bhNode - GH_User -- GH_HasRole --> GH_TeamRole - GH_User -- GH_HasRole --> GH_OrgRole - GH_User -- GH_HasPersonalAccessToken --> GH_PersonalAccessToken - GH_User -- GH_HasRole --> GH_OrgRole - GH_User -- GH_HasRole --> GH_RepoRole - GH_User -- GH_CanWriteBranch --> GH_Branch - GH_User -- GH_HasPersonalAccessTokenRequest --> GH_PersonalAccessTokenRequest - GH_User -- GH_RestrictionsCanPush --> GH_BranchProtectionRule - GH_User -- GH_BypassPullRequestAllowances --> GH_BranchProtectionRule - GH_SecretScanningAlert -- GH_ValidToken --> GH_User - GH_ExternalIdentity -- GH_MapsToUser --> GH_User - GH_ExternalIdentity -- GH_SyncedTo --> GH_User -``` - -### Inbound Edges - -| Start | End | Kind | Description | -|-------|-----|------|-------------| -| [GH_SecretScanningAlert](/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert) | GH_User | [GH_ValidToken](/opengraph/extensions/githound/reference/edges/gh_validtoken) | Alert secret is a 
valid PAT for this user | -| [GH_ExternalIdentity](/opengraph/extensions/githound/reference/nodes/gh_externalidentity) | GH_User | [GH_MapsToUser](/opengraph/extensions/githound/reference/edges/gh_mapstouser) | External identity maps to a user | -| [GH_ExternalIdentity](/opengraph/extensions/githound/reference/nodes/gh_externalidentity) | GH_User | [GH_SyncedTo](/opengraph/extensions/githound/reference/edges/gh_syncedto) | Foreign IdP user is synced to a GitHub user | - -### Outbound Edges - -| Start | End | Kind | Description | -|-------|-----|------|-------------| -| GH_User | [GH_TeamRole](/opengraph/extensions/githound/reference/nodes/gh_teamrole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has team role | -| GH_User | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has default org role (owners or members) | -| GH_User | [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) | [GH_HasPersonalAccessToken](/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstoken) | User owns PAT | -| GH_User | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has org role | -| GH_User | [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | User has repo role | -| GH_User | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) | User can push commits to this branch via actor-level bypass allowances | -| GH_User | [GH_PersonalAccessTokenRequest](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstokenrequest) | 
[GH_HasPersonalAccessTokenRequest](/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstokenrequest) | User submitted PAT request | -| GH_User | [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) | [GH_RestrictionsCanPush](/opengraph/extensions/githound/reference/edges/gh_restrictionscanpush) | Actor can push despite push restrictions | -| GH_User | [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) | [GH_BypassPullRequestAllowances](/opengraph/extensions/githound/reference/edges/gh_bypasspullrequestallowances) | Actor can bypass PR review requirements | - -## Properties - -::: openfetch_github.models.user.GHUserProperties - options: - show_docstring_attributes: true - inherited_members: true - members_order: source diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_workflow.mdx b/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_workflow.mdx deleted file mode 100644 index d4a495e..0000000 --- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_workflow.mdx +++ /dev/null 
@@ -1,44 +0,0 @@ ---- -title: 'GH_Workflow' -description: 'A GitHub Actions workflow defined in a repository' -icon: '/images/extensions/githound/reference/gh_workflow.png' ---- - -Applies to BloodHound Enterprise and CE - -## Description - -Represents a GitHub Actions workflow defined in a repository. Workflow nodes capture the workflow definition metadata including its file path, state, containing repository, and the full YAML contents of the workflow file. Only repositories with GitHub Actions enabled are queried for workflows. - - -## Edges - - -The tables below list edges defined by the GitHound extension only. Additional edges to or from this node may be created by other extensions. - - -```mermaid -flowchart LR - - GH_Workflow["fa:fa-cogs"]:::bhNode - GH_Repository["fa:fa-box-archive"]:::bhNode - GH_Repository -- GH_HasWorkflow --> GH_Workflow -``` - -### Inbound Edges - -| Start | End | Kind | Description | -|-------|-----|------|-------------| -| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_Workflow | [GH_HasWorkflow](/opengraph/extensions/githound/reference/edges/gh_hasworkflow) | Repository contains workflow | - -### Outbound Edges - -No outgoing edges. - -## Properties - -::: openfetch_github.models.workflow.GHWorkflowProperties - options: - show_docstring_attributes: true - inherited_members: true - members_order: source diff --git a/docs/official-docs/opengraph/extensions/githound/reference/schema.mdx b/docs/official-docs/opengraph/extensions/githound/reference/schema.mdx deleted file mode 100644 index b54bc40..0000000 --- a/docs/official-docs/opengraph/extensions/githound/reference/schema.mdx +++ /dev/null @@ -1,196 +0,0 @@ ---- -title: Schema -description: The OpenGraph extension schema for GitHound -icon: circle-nodes ---- - -Applies to BloodHound Enterprise and CE -## Metadata - -**Name:** GitHound
-**Display Name:** GitHub (GitHound)
-**Version:** v1.2.0
-**Namespace:** GH
-**Environment Kind:** GH_Organization
-**Source Kind:** GitHub - - -This file is automatically generated from the [schema.json](https://github.com/SpecterOps/openhound-github/blob/main/extension/schema.json) file -that is bundled with GitHub (GitHound). - - -## Nodes - -| Icon | Node Kind | Display Name | -|------|-----------|--------------| -| ![GH_App](/images/extensions/githound/reference/gh_app.png) | [GH_App](/opengraph/extensions/githound/reference/nodes/gh_app) | GitHub App | -| ![GH_AppInstallation](/images/extensions/githound/reference/gh_appinstallation.png) | [GH_AppInstallation](/opengraph/extensions/githound/reference/nodes/gh_appinstallation) | GitHub App Installation | -| ![GH_Branch](/images/extensions/githound/reference/gh_branch.png) | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | GitHub Branch | -| ![GH_BranchProtectionRule](/images/extensions/githound/reference/gh_branchprotectionrule.png) | [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) | GitHub Branch Protection Rule | -| ![GH_Enterprise](/images/extensions/githound/reference/gh_enterprise.png) | [GH_Enterprise](/opengraph/extensions/githound/reference/nodes/gh_enterprise) | GitHub Enterprise | -| ![GH_EnterpriseRole](/images/extensions/githound/reference/gh_enterpriserole.png) | [GH_EnterpriseRole](/opengraph/extensions/githound/reference/nodes/gh_enterpriserole) | GitHub Enterprise Role | -| ![GH_EnterpriseTeam](/images/extensions/githound/reference/gh_enterpriseteam.png) | [GH_EnterpriseTeam](/opengraph/extensions/githound/reference/nodes/gh_enterpriseteam) | GitHub Enterprise Team | -| ![GH_Environment](/images/extensions/githound/reference/gh_environment.png) | [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) | GitHub Environment | -| ![GH_EnvironmentSecret](/images/extensions/githound/reference/gh_environmentsecret.png) | [GH_EnvironmentSecret](/opengraph/extensions/githound/reference/nodes/gh_environmentsecret) | 
GitHub Environment Secret | -| ![GH_EnvironmentVariable](/images/extensions/githound/reference/gh_environmentvariable.png) | [GH_EnvironmentVariable](/opengraph/extensions/githound/reference/nodes/gh_environmentvariable) | GitHub Environment Variable | -| ![GH_ExternalIdentity](/images/extensions/githound/reference/gh_externalidentity.png) | [GH_ExternalIdentity](/opengraph/extensions/githound/reference/nodes/gh_externalidentity) | GitHub External Identity | -| ![GH_Organization](/images/extensions/githound/reference/gh_organization.png) | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GitHub Organization | -| ![GH_OrgRole](/images/extensions/githound/reference/gh_orgrole.png) | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | GitHub Org Role | -| ![GH_OrgSecret](/images/extensions/githound/reference/gh_orgsecret.png) | [GH_OrgSecret](/opengraph/extensions/githound/reference/nodes/gh_orgsecret) | GitHub Org Secret | -| ![GH_OrgVariable](/images/extensions/githound/reference/gh_orgvariable.png) | [GH_OrgVariable](/opengraph/extensions/githound/reference/nodes/gh_orgvariable) | GitHub Org Variable | -| ![GH_PersonalAccessToken](/images/extensions/githound/reference/gh_personalaccesstoken.png) | [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) | GitHub Personal Access Token | -| ![GH_PersonalAccessTokenRequest](/images/extensions/githound/reference/gh_personalaccesstokenrequest.png) | [GH_PersonalAccessTokenRequest](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstokenrequest) | GitHub Personal Access Token Request | -| ![GH_RepoRole](/images/extensions/githound/reference/gh_reporole.png) | [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GitHub Repo Role | -| ![GH_RepoSecret](/images/extensions/githound/reference/gh_reposecret.png) | [GH_RepoSecret](/opengraph/extensions/githound/reference/nodes/gh_reposecret) | 
GitHub Repo Secret | -| ![GH_Repository](/images/extensions/githound/reference/gh_repository.png) | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GitHub Repository | -| ![GH_RepoVariable](/images/extensions/githound/reference/gh_repovariable.png) | [GH_RepoVariable](/opengraph/extensions/githound/reference/nodes/gh_repovariable) | GitHub Repo Variable | -| ![GH_SamlIdentityProvider](/images/extensions/githound/reference/gh_samlidentityprovider.png) | [GH_SamlIdentityProvider](/opengraph/extensions/githound/reference/nodes/gh_samlidentityprovider) | GitHub SAML Identity Provider | -| ![GH_SecretScanningAlert](/images/extensions/githound/reference/gh_secretscanningalert.png) | [GH_SecretScanningAlert](/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert) | GitHub Secret Scanning Alert | -| ![GH_Team](/images/extensions/githound/reference/gh_team.png) | [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | GitHub Team | -| ![GH_TeamRole](/images/extensions/githound/reference/gh_teamrole.png) | [GH_TeamRole](/opengraph/extensions/githound/reference/nodes/gh_teamrole) | GitHub Team Role | -| ![GH_User](/images/extensions/githound/reference/gh_user.png) | [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GitHub User | -| ![GH_Workflow](/images/extensions/githound/reference/gh_workflow.png) | [GH_Workflow](/opengraph/extensions/githound/reference/nodes/gh_workflow) | GitHub Workflow | -| ![GH_WorkflowJob](/images/extensions/githound/reference/gh_workflowjob.png) | [GH_WorkflowJob](/opengraph/extensions/githound/reference/nodes/gh_workflowjob) | GitHub Workflow Job | -| ![GH_WorkflowStep](/images/extensions/githound/reference/gh_workflowstep.png) | [GH_WorkflowStep](/opengraph/extensions/githound/reference/nodes/gh_workflowstep) | GitHub Workflow Step | - -## Edges - -| Relationship Kind | Traversable | Description | -|-------------------|:-----------:|-------------| -| 
[GH_AddAssignee](/opengraph/extensions/githound/reference/edges/gh_addassignee) | ❌ | [Repository] Repo role can assign users to issues and pull requests | -| [GH_AddCollaborator](/opengraph/extensions/githound/reference/edges/gh_addcollaborator) | ❌ | [Organization] Org role can add outside collaborators | -| [GH_AddLabel](/opengraph/extensions/githound/reference/edges/gh_addlabel) | ❌ | [Repository] Repo role can add labels to issues and pull requests | -| [GH_AddMember](/opengraph/extensions/githound/reference/edges/gh_addmember) | ✅ | Team role can add members to the team (maintainer privilege) | -| [GH_AdminTo](/opengraph/extensions/githound/reference/edges/gh_adminto) | ❌ | [Repository] Repo role has admin access to the repository. | -| [GH_BypassBranchProtection](/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection) | ❌ | [Repository] Repo role can bypass merge-gate branch protections (PR reviews, lock branch). Suppressed by enforce_admins. | -| [GH_BypassPullRequestAllowances](/opengraph/extensions/githound/reference/edges/gh_bypasspullrequestallowances) | ❌ | User or team can bypass pull request requirements on a branch protection rule | -| [GH_CallsWorkflow](/opengraph/extensions/githound/reference/edges/gh_callsworkflow) | ✅ | [Workflow] Job calls a reusable workflow — GH_WorkflowJob → GH_Workflow | -| [GH_CanAccess](/opengraph/extensions/githound/reference/edges/gh_canaccess) | ❌ | Personal access token or app installation can access this repository or organization | -| [GH_CanAssumeIdentity](/opengraph/extensions/githound/reference/edges/gh_canassumeidentity) | ✅ | Repository can assume this cloud identity via OIDC federation (Azure workload identity or AWS IAM role) | -| [GH_CanCreateBranch](/opengraph/extensions/githound/reference/edges/gh_cancreatebranch) | ✅ | [Repository - Computed] Role can create new branches in this repository (unprotected branches that bypass the merge gate) | -| 
[GH_CanEditProtection](/opengraph/extensions/githound/reference/edges/gh_caneditprotection) | ✅ | [Repository - Computed] Repo role can modify or remove the branch protection rules governing this branch (computed from GH_EditRepoProtections + GH_ProtectedBy) | -| [GH_CanPwnRequest](/opengraph/extensions/githound/reference/edges/gh_canpwnrequest) | ✅ | [Computed] Repo role can exploit a pwn-requestable workflow to execute arbitrary code with the target's secrets and permissions — GH_RepoRole → GH_Repository / GH_Branch | -| [GH_CanReadSecretScanningAlert](/opengraph/extensions/githound/reference/edges/gh_canreadsecretscanningalert) | ✅ | [Computed] Role can read secret scanning alerts (computed from GH_ViewSecretScanningAlerts permission + GH_Contains) | -| [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) | ✅ | [Repository - Computed] Role can push to this branch after evaluating branch protection rules, push restrictions, and bypass allowances | -| [GH_CloseDiscussion](/opengraph/extensions/githound/reference/edges/gh_closediscussion) | ❌ | [Repository] Repo role can close discussions | -| [GH_CloseIssue](/opengraph/extensions/githound/reference/edges/gh_closeissue) | ❌ | [Repository] Repo role can close issues | -| [GH_ClosePullRequest](/opengraph/extensions/githound/reference/edges/gh_closepullrequest) | ❌ | [Repository] Repo role can close pull requests | -| [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) | ❌ | Container relationship for organizational hierarchy (enterprise contains orgs, org contains secrets/variables, repo contains secrets/variables, environment contains secrets/variables) | -| [GH_ConvertIssuesToDiscussions](/opengraph/extensions/githound/reference/edges/gh_convertissuestodiscussions) | ❌ | [Repository] Repo role can convert issues to discussions | -| [GH_CreateDiscussionCategory](/opengraph/extensions/githound/reference/edges/gh_creatediscussioncategory) | ❌ | [Repository] Repo 
role can create discussion categories | -| [GH_CreateEnterpriseOrganizations](/opengraph/extensions/githound/reference/edges/gh_createenterpriseorganizations) | ❌ | [Enterprise] Enterprise role can create new organizations within the enterprise | -| [GH_CreateRepository](/opengraph/extensions/githound/reference/edges/gh_createrepository) | ❌ | [Organization] Org role can create repositories in the organization | -| [GH_CreateSoloMergeQueueEntry](/opengraph/extensions/githound/reference/edges/gh_createsolomergequeueentry) | ❌ | Repo role can create solo merge queue entries | -| [GH_CreateTag](/opengraph/extensions/githound/reference/edges/gh_createtag) | ❌ | [Repository] Repo role can create tags and releases | -| [GH_CreateTeam](/opengraph/extensions/githound/reference/edges/gh_createteam) | ❌ | [Organization] Org role can create teams in the organization | -| [GH_DeleteAlertsCodeScanning](/opengraph/extensions/githound/reference/edges/gh_deletealertscodescanning) | ❌ | [Repository] Repo role can delete code scanning alerts | -| [GH_DeleteDiscussion](/opengraph/extensions/githound/reference/edges/gh_deletediscussion) | ❌ | [Repository] Repo role can delete discussions | -| [GH_DeleteDiscussionComment](/opengraph/extensions/githound/reference/edges/gh_deletediscussioncomment) | ❌ | [Repository] Repo role can delete discussion comments | -| [GH_DeleteIssue](/opengraph/extensions/githound/reference/edges/gh_deleteissue) | ❌ | [Repository] Repo role can delete issues | -| [GH_DeleteTag](/opengraph/extensions/githound/reference/edges/gh_deletetag) | ❌ | [Repository] Repo role can delete tags and releases | -| [GH_DependsOn](/opengraph/extensions/githound/reference/edges/gh_dependson) | ❌ | [Workflow] Job must run after another job (needs: dependency) — ordering only, not an access path | -| [GH_DeploysTo](/opengraph/extensions/githound/reference/edges/gh_deploysto) | ❌ | [Workflow] Job deploys to a GitHub Environment — GH_WorkflowJob → GH_Environment | -| 
[GH_EditCategoryOnDiscussion](/opengraph/extensions/githound/reference/edges/gh_editcategoryondiscussion) | ❌ | [Repository] Repo role can change the category of a discussion | -| [GH_EditDiscussionCategory](/opengraph/extensions/githound/reference/edges/gh_editdiscussioncategory) | ❌ | [Repository] Repo role can edit discussion categories | -| [GH_EditDiscussionComment](/opengraph/extensions/githound/reference/edges/gh_editdiscussioncomment) | ❌ | [Repository] Repo role can edit discussion comments | -| [GH_EditEnterpriseCustomPropertiesForOrganizations](/opengraph/extensions/githound/reference/edges/gh_editenterprisecustompropertiesfororganizations) | ❌ | [Enterprise] Enterprise role can edit custom properties for organizations | -| [GH_EditRepoAnnouncementBanners](/opengraph/extensions/githound/reference/edges/gh_editrepoannouncementbanners) | ❌ | [Repository] Repo role can edit repository announcement banners | -| [GH_EditRepoCustomPropertiesValues](/opengraph/extensions/githound/reference/edges/gh_editrepocustompropertiesvalues) | ❌ | [Repository] Repo role can edit custom property values on the repository | -| [GH_EditRepoMetadata](/opengraph/extensions/githound/reference/edges/gh_editrepometadata) | ❌ | [Repository] Repo role can edit repository metadata | -| [GH_EditRepoProtections](/opengraph/extensions/githound/reference/edges/gh_editrepoprotections) | ❌ | Repo role can edit branch protection rules | -| [GH_HasBaseRole](/opengraph/extensions/githound/reference/edges/gh_hasbaserole) | ✅ | Role inherits permissions from another role | -| [GH_HasBranch](/opengraph/extensions/githound/reference/edges/gh_hasbranch) | ❌ | Repository has this branch | -| [GH_HasEnvironment](/opengraph/extensions/githound/reference/edges/gh_hasenvironment) | ❌ | Repository or branch has/can deploy to this environment | -| [GH_HasExternalIdentity](/opengraph/extensions/githound/reference/edges/gh_hasexternalidentity) | ❌ | SAML identity provider has this external identity | -| 
[GH_HasJob](/opengraph/extensions/githound/reference/edges/gh_hasjob) | ✅ | [Workflow] Workflow contains this job — GH_Workflow → GH_WorkflowJob | -| [GH_HasMember](/opengraph/extensions/githound/reference/edges/gh_hasmember) | ❌ | Enterprise or organization has this user as a member | -| [GH_HasPersonalAccessToken](/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstoken) | ❌ | User owns this personal access token that has been granted access to the organization | -| [GH_HasPersonalAccessTokenRequest](/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstokenrequest) | ❌ | User has a pending personal access token request for the organization | -| [GH_HasRole](/opengraph/extensions/githound/reference/edges/gh_hasrole) | ✅ | User or team has a role assignment (org role, team role, or repo role) | -| [GH_HasSamlIdentityProvider](/opengraph/extensions/githound/reference/edges/gh_hassamlidentityprovider) | ❌ | Organization has this SAML identity provider configured | -| [GH_HasSecret](/opengraph/extensions/githound/reference/edges/gh_hassecret) | ✅ | Repository or environment has access to this secret | -| [GH_HasStep](/opengraph/extensions/githound/reference/edges/gh_hasstep) | ✅ | [Workflow] Job contains this step — GH_WorkflowJob → GH_WorkflowStep | -| [GH_HasVariable](/opengraph/extensions/githound/reference/edges/gh_hasvariable) | ✅ | Repository has access to this variable (org-level or repo-level) | -| [GH_HasWorkflow](/opengraph/extensions/githound/reference/edges/gh_hasworkflow) | ❌ | Repository has this workflow | -| [GH_InstalledAs](/opengraph/extensions/githound/reference/edges/gh_installedas) | ✅ | GitHub App is installed as this app installation on an organization | -| [GH_InviteMember](/opengraph/extensions/githound/reference/edges/gh_invitemember) | ❌ | [Organization] Org role can invite members to the organization | -| [GH_JumpMergeQueue](/opengraph/extensions/githound/reference/edges/gh_jumpmergequeue) | ❌ | Repo role can 
jump the merge queue | -| [GH_ManageDeployKeys](/opengraph/extensions/githound/reference/edges/gh_managedeploykeys) | ❌ | [Repository] Repo role can manage deploy keys | -| [GH_ManageDiscussionBadges](/opengraph/extensions/githound/reference/edges/gh_managediscussionbadges) | ❌ | [Repository] Repo role can manage discussion badges | -| [GH_ManageEnterpriseAdmins](/opengraph/extensions/githound/reference/edges/gh_manageenterpriseadmins) | ✅ | [Enterprise] Enterprise role can manage enterprise administrators | -| [GH_ManageEnterpriseIdentityProvider](/opengraph/extensions/githound/reference/edges/gh_manageenterpriseidentityprovider) | ❌ | [Enterprise] Enterprise role can manage the enterprise SAML identity provider configuration | -| [GH_ManageEnterpriseMembers](/opengraph/extensions/githound/reference/edges/gh_manageenterprisemembers) | ✅ | [Enterprise] Enterprise role can manage enterprise membership | -| [GH_ManageEnterpriseOrganizationAdmins](/opengraph/extensions/githound/reference/edges/gh_manageenterpriseorganizationadmins) | ✅ | [Enterprise] Enterprise role can manage organization administrators across the enterprise | -| [GH_ManageEnterpriseOrganizations](/opengraph/extensions/githound/reference/edges/gh_manageenterpriseorganizations) | ❌ | [Enterprise] Enterprise role can manage organizations within the enterprise | -| [GH_ManageEnterpriseReferrals](/opengraph/extensions/githound/reference/edges/gh_manageenterprisereferrals) | ❌ | [Enterprise] Enterprise role can manage enterprise referral settings | -| [GH_ManageEnterpriseTeams](/opengraph/extensions/githound/reference/edges/gh_manageenterpriseteams) | ❌ | [Enterprise] Enterprise role can manage enterprise teams | -| [GH_ManageOrganizationWebhooks](/opengraph/extensions/githound/reference/edges/gh_manageorganizationwebhooks) | ❌ | [Organization] Org role can manage organization webhooks | -| [GH_ManageRepoSecurityProducts](/opengraph/extensions/githound/reference/edges/gh_managereposecurityproducts) | ❌ | 
Repo role can manage repo-level security products | -| [GH_ManageSecurityProducts](/opengraph/extensions/githound/reference/edges/gh_managesecurityproducts) | ❌ | Repo role can manage security products | -| [GH_ManageSettingsMergeTypes](/opengraph/extensions/githound/reference/edges/gh_managesettingsmergetypes) | ❌ | [Repository] Repo role can manage allowed merge types | -| [GH_ManageSettingsPages](/opengraph/extensions/githound/reference/edges/gh_managesettingspages) | ❌ | [Repository] Repo role can manage GitHub Pages settings | -| [GH_ManageSettingsProjects](/opengraph/extensions/githound/reference/edges/gh_managesettingsprojects) | ❌ | [Repository] Repo role can manage project settings | -| [GH_ManageSettingsWiki](/opengraph/extensions/githound/reference/edges/gh_managesettingswiki) | ❌ | [Repository] Repo role can manage wiki settings | -| [GH_ManageTopics](/opengraph/extensions/githound/reference/edges/gh_managetopics) | ❌ | [Repository] Repo role can manage repository topics | -| [GH_ManageWebhooks](/opengraph/extensions/githound/reference/edges/gh_managewebhooks) | ❌ | [Repository] Repo role can manage repository webhooks | -| [GH_MapsToUser](/opengraph/extensions/githound/reference/edges/gh_mapstouser) | ❌ | External identity maps to a GitHub user or identity provider user | -| [GH_MarkAsDuplicate](/opengraph/extensions/githound/reference/edges/gh_markasduplicate) | ❌ | [Repository] Repo role can mark issues or pull requests as duplicates | -| [GH_MemberOf](/opengraph/extensions/githound/reference/edges/gh_memberof) | ✅ | Team role is a member of a team, or team is a nested member of a parent team | -| [GH_OrgBypassCodeScanningDismissalRequests](/opengraph/extensions/githound/reference/edges/gh_orgbypasscodescanningdismissalrequests) | ❌ | [Organization] Org role can bypass code scanning dismissal requests | -| [GH_OrgBypassSecretScanningClosureRequests](/opengraph/extensions/githound/reference/edges/gh_orgbypasssecretscanningclosurerequests) | ❌ | 
[Organization] Org role can bypass secret scanning closure requests |
-| [GH_OrgReviewAndManageSecretScanningBypassRequests](/opengraph/extensions/githound/reference/edges/gh_orgreviewandmanagesecretscanningbypassrequests) | ❌ | [Organization] Org role can review and manage secret scanning bypass requests |
-| [GH_OrgReviewAndManageSecretScanningClosureRequests](/opengraph/extensions/githound/reference/edges/gh_orgreviewandmanagesecretscanningclosurerequests) | ❌ | [Organization] Org role can review and manage secret scanning closure requests |
-| [GH_Owns](/opengraph/extensions/githound/reference/edges/gh_owns) | ✅ | Organization owns a repository |
-| [GH_ProtectedBy](/opengraph/extensions/githound/reference/edges/gh_protectedby) | ❌ | Branch protection rule protects this branch |
-| [GH_PushProtectedBranch](/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch) | ❌ | [Repository] Repo role can push to branches with push restrictions. Not affected by enforce_admins. |
-| [GH_ReadCodeScanning](/opengraph/extensions/githound/reference/edges/gh_readcodescanning) | ❌ | [Repository] Repo role can read code scanning results |
-| [GH_ReadEnterpriseAuditLog](/opengraph/extensions/githound/reference/edges/gh_readenterpriseauditlog) | ❌ | [Enterprise] Enterprise role can read the enterprise audit log |
-| [GH_ReadEnterpriseDomainVerification](/opengraph/extensions/githound/reference/edges/gh_readenterprisedomainverification) | ❌ | [Enterprise] Enterprise role can view the enterprise domain verification status |
-| [GH_ReadEnterpriseMembers](/opengraph/extensions/githound/reference/edges/gh_readenterprisemembers) | ❌ | [Enterprise] Enterprise role can view enterprise membership |
-| [GH_ReadEnterpriseOrganizationAdmin](/opengraph/extensions/githound/reference/edges/gh_readenterpriseorganizationadmin) | ❌ | [Enterprise] Enterprise role can view organization admin settings across the enterprise |
-| [GH_ReadEnterpriseOrgProjects](/opengraph/extensions/githound/reference/edges/gh_readenterpriseorgprojects) | ❌ | [Enterprise] Enterprise role can view organization projects across the enterprise |
-| [GH_ReadOrganizationActionsUsageMetrics](/opengraph/extensions/githound/reference/edges/gh_readorganizationactionsusagemetrics) | ❌ | [Organization] Org role can read Actions usage metrics |
-| [GH_ReadOrganizationCustomOrgRole](/opengraph/extensions/githound/reference/edges/gh_readorganizationcustomorgrole) | ❌ | [Organization] Org role can read custom org role definitions |
-| [GH_ReadOrganizationCustomRepoRole](/opengraph/extensions/githound/reference/edges/gh_readorganizationcustomreporole) | ❌ | [Organization] Org role can read custom repo role definitions |
-| [GH_ReadRepoContents](/opengraph/extensions/githound/reference/edges/gh_readrepocontents) | ❌ | [Repository] Repo role can read repository contents |
-| [GH_RemoveAssignee](/opengraph/extensions/githound/reference/edges/gh_removeassignee) | ❌ | [Repository] Repo role can remove assignees from issues and pull requests |
-| [GH_RemoveLabel](/opengraph/extensions/githound/reference/edges/gh_removelabel) | ❌ | [Repository] Repo role can remove labels from issues and pull requests |
-| [GH_ReopenDiscussion](/opengraph/extensions/githound/reference/edges/gh_reopendiscussion) | ❌ | [Repository] Repo role can reopen discussions |
-| [GH_ReopenIssue](/opengraph/extensions/githound/reference/edges/gh_reopenissue) | ❌ | [Repository] Repo role can reopen closed issues |
-| [GH_ReopenPullRequest](/opengraph/extensions/githound/reference/edges/gh_reopenpullrequest) | ❌ | [Repository] Repo role can reopen closed pull requests |
-| [GH_RequestPrReview](/opengraph/extensions/githound/reference/edges/gh_requestprreview) | ❌ | [Repository] Repo role can request pull request reviews |
-| [GH_ResolveDependabotAlerts](/opengraph/extensions/githound/reference/edges/gh_resolvedependabotalerts) | ❌ | [Repository] Repo role can resolve Dependabot alerts |
-| [GH_ResolveSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_resolvesecretscanningalerts) | ❌ | [Organization] Org role can resolve secret scanning alerts |
-| [GH_RestrictionsCanPush](/opengraph/extensions/githound/reference/edges/gh_restrictionscanpush) | ❌ | User or team is allowed to push to branches protected by this rule |
-| [GH_RunOrgMigration](/opengraph/extensions/githound/reference/edges/gh_runorgmigration) | ❌ | [Repository] Repo role can run organization migrations |
-| [GH_SetEnterpriseInteractionLimits](/opengraph/extensions/githound/reference/edges/gh_setenterpriseinteractionlimits) | ❌ | [Enterprise] Enterprise role can set interaction limits for the enterprise |
-| [GH_SetInteractionLimits](/opengraph/extensions/githound/reference/edges/gh_setinteractionlimits) | ❌ | [Repository] Repo role can set interaction limits on the repository |
-| [GH_SetIssueType](/opengraph/extensions/githound/reference/edges/gh_setissuetype) | ❌ | [Repository] Repo role can set issue types |
-| [GH_SetMilestone](/opengraph/extensions/githound/reference/edges/gh_setmilestone) | ❌ | [Repository] Repo role can set milestones on issues and pull requests |
-| [GH_SetSocialPreview](/opengraph/extensions/githound/reference/edges/gh_setsocialpreview) | ❌ | [Repository] Repo role can set the repository social preview image |
-| [GH_SyncedTo](/opengraph/extensions/githound/reference/edges/gh_syncedto) | ✅ | External identity (Azure, Okta, PingOne) is synced to this GitHub user via SSO/SCIM |
-| [GH_ToggleDiscussionAnswer](/opengraph/extensions/githound/reference/edges/gh_togglediscussionanswer) | ❌ | [Repository] Repo role can toggle discussion answers |
-| [GH_ToggleDiscussionCommentMinimize](/opengraph/extensions/githound/reference/edges/gh_togglediscussioncommentminimize) | ❌ | [Repository] Repo role can minimize discussion comments |
-| [GH_TransferRepository](/opengraph/extensions/githound/reference/edges/gh_transferrepository) | ❌ | [Organization] Org role can transfer repositories |
-| [GH_UsesSecret](/opengraph/extensions/githound/reference/edges/gh_usessecret) | ✅ | [Workflow] Step references a secret by name — GH_WorkflowStep → GH_Secret (name match) |
-| [GH_UsesVariable](/opengraph/extensions/githound/reference/edges/gh_usesvariable) | ❌ | [Workflow] Step references a variable by name — GH_WorkflowStep → GH_Variable (name match) |
-| [GH_ValidToken](/opengraph/extensions/githound/reference/edges/gh_validtoken) | ✅ | Secret scanning alert contains a valid, active token belonging to this user |
-| [GH_ViewDependabotAlerts](/opengraph/extensions/githound/reference/edges/gh_viewdependabotalerts) | ❌ | [Repository] Repo role can view Dependabot alerts |
-| [GH_ViewEnterpriseActionsUsageMetrics](/opengraph/extensions/githound/reference/edges/gh_viewenterpriseactionsusagemetrics) | ❌ | [Enterprise] Enterprise role can view GitHub Actions usage metrics for the enterprise |
-| [GH_ViewEnterpriseBilling](/opengraph/extensions/githound/reference/edges/gh_viewenterprisebilling) | ❌ | [Enterprise] Enterprise role can view enterprise billing information |
-| [GH_ViewEnterpriseSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_viewenterprisesecretscanningalerts) | ❌ | [Enterprise] Enterprise role can view secret scanning alerts across the enterprise |
-| [GH_ViewSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts) | ❌ | [Repository] Role can view secret scanning alerts |
-| [GH_WriteCodeScanning](/opengraph/extensions/githound/reference/edges/gh_writecodescanning) | ❌ | [Repository] Repo role can upload code scanning results |
-| [GH_WriteEnterpriseActionsPolicies](/opengraph/extensions/githound/reference/edges/gh_writeenterpriseactionspolicies) | ❌ | [Enterprise] Enterprise role can modify GitHub Actions policies for the enterprise |
-| [GH_WriteEnterpriseBilling](/opengraph/extensions/githound/reference/edges/gh_writeenterprisebilling) | ❌ | [Enterprise] Enterprise role can modify enterprise billing settings |
-| [GH_WriteEnterprisePersonalAccessTokenPolicies](/opengraph/extensions/githound/reference/edges/gh_writeenterprisepersonalaccesstokenpolicies) | ❌ | [Enterprise] Enterprise role can modify personal access token policies for the enterprise |
-| [GH_WriteEnterpriseSso](/opengraph/extensions/githound/reference/edges/gh_writeenterprisesso) | ❌ | [Enterprise] Enterprise role can modify enterprise SSO settings |
-| [GH_WriteEnterpriseTeamMembers](/opengraph/extensions/githound/reference/edges/gh_writeenterpriseteammembers) | ❌ | [Enterprise] Enterprise role can modify enterprise team membership |
-| [GH_WriteOrganizationActionsSecrets](/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionssecrets) | ❌ | [Organization] Org role can write Actions secrets |
-| [GH_WriteOrganizationActionsSettings](/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionssettings) | ❌ | [Organization] Org role can write Actions settings |
-| [GH_WriteOrganizationActionsVariables](/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionsvariables) | ❌ | [Organization] Org role can write Actions variables |
-| [GH_WriteOrganizationCustomOrgRole](/opengraph/extensions/githound/reference/edges/gh_writeorganizationcustomorgrole) | ✅ | [Organization] Org role can write custom org role definitions |
-| [GH_WriteOrganizationCustomRepoRole](/opengraph/extensions/githound/reference/edges/gh_writeorganizationcustomreporole) | ❌ | [Organization] Org role can write custom repo role definitions |
-| [GH_WriteOrganizationNetworkConfigurations](/opengraph/extensions/githound/reference/edges/gh_writeorganizationnetworkconfigurations) | ❌ | [Organization] Org role can write network configurations |
-| [GH_WriteRepoContents](/opengraph/extensions/githound/reference/edges/gh_writerepocontents) | ❌ | [Repository] Repo role can write repository contents |
-| [GH_WriteRepoPullRequests](/opengraph/extensions/githound/reference/edges/gh_writerepopullrequests) | ❌ | [Repository] Repo role can create and merge pull requests |
diff --git a/docs/official-docs/opengraph/extensions/github/docs.json b/docs/official-docs/opengraph/extensions/github/docs.json
new file mode 100644
index 0000000..9995659
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/docs.json
@@ -0,0 +1,158 @@
+{
+ "group": "GitHub",
+ "pages": [
+ "opengraph/extensions/github/privilege-zone-rules",
+ "opengraph/extensions/github/queries",
+ "opengraph/extensions/github/schema",
+ {
+ "group": "Nodes",
+ "pages": [
+ "opengraph/extensions/github/nodes/gh_app",
+ "opengraph/extensions/github/nodes/gh_appinstallation",
+ "opengraph/extensions/github/nodes/gh_branch",
+ "opengraph/extensions/github/nodes/gh_branchprotectionrule",
+ "opengraph/extensions/github/nodes/gh_environment",
+ "opengraph/extensions/github/nodes/gh_environmentsecret",
+ "opengraph/extensions/github/nodes/gh_environmentvariable",
+ "opengraph/extensions/github/nodes/gh_externalidentity",
+ "opengraph/extensions/github/nodes/gh_organization",
+ "opengraph/extensions/github/nodes/gh_orgrole",
+ "opengraph/extensions/github/nodes/gh_orgsecret",
+ "opengraph/extensions/github/nodes/gh_orgvariable",
+ "opengraph/extensions/github/nodes/gh_personalaccesstoken",
+ "opengraph/extensions/github/nodes/gh_personalaccesstokenrequest",
+ "opengraph/extensions/github/nodes/gh_reporole",
+ "opengraph/extensions/github/nodes/gh_reposecret",
+ "opengraph/extensions/github/nodes/gh_repository",
+ "opengraph/extensions/github/nodes/gh_repovariable",
+ "opengraph/extensions/github/nodes/gh_samlidentityprovider",
+ "opengraph/extensions/github/nodes/gh_secretscanningalert",
+ "opengraph/extensions/github/nodes/gh_team",
+ "opengraph/extensions/github/nodes/gh_teamrole",
+ "opengraph/extensions/github/nodes/gh_user",
+ "opengraph/extensions/github/nodes/gh_workflow",
+ "opengraph/extensions/github/nodes/gh_workflowjob",
+ "opengraph/extensions/github/nodes/gh_workflowstep"
+ ]
+ },
+ {
+ "group": "Edges",
+ "pages": [
+ "opengraph/extensions/github/edges/gh_addassignee",
+ "opengraph/extensions/github/edges/gh_addcollaborator",
+ "opengraph/extensions/github/edges/gh_addlabel",
+ "opengraph/extensions/github/edges/gh_addmember",
+ "opengraph/extensions/github/edges/gh_adminto",
+ "opengraph/extensions/github/edges/gh_bypassbranchprotection",
+ "opengraph/extensions/github/edges/gh_bypasspullrequestallowances",
+ "opengraph/extensions/github/edges/gh_callsworkflow",
+ "opengraph/extensions/github/edges/gh_canaccess",
+ "opengraph/extensions/github/edges/gh_canassumeidentity",
+ "opengraph/extensions/github/edges/gh_cancreatebranch",
+ "opengraph/extensions/github/edges/gh_caneditprotection",
+ "opengraph/extensions/github/edges/gh_canpwnrequest",
+ "opengraph/extensions/github/edges/gh_canreadsecretscanningalert",
+ "opengraph/extensions/github/edges/gh_canwritebranch",
+ "opengraph/extensions/github/edges/gh_closediscussion",
+ "opengraph/extensions/github/edges/gh_closeissue",
+ "opengraph/extensions/github/edges/gh_closepullrequest",
+ "opengraph/extensions/github/edges/gh_contains",
+ "opengraph/extensions/github/edges/gh_convertissuestodiscussions",
+ "opengraph/extensions/github/edges/gh_creatediscussioncategory",
+ "opengraph/extensions/github/edges/gh_createrepository",
+ "opengraph/extensions/github/edges/gh_createsolomergequeueentry",
+ "opengraph/extensions/github/edges/gh_createtag",
+ "opengraph/extensions/github/edges/gh_createteam",
+ "opengraph/extensions/github/edges/gh_deletealertscodescanning",
+ "opengraph/extensions/github/edges/gh_deletediscussion",
+ "opengraph/extensions/github/edges/gh_deletediscussioncomment",
+ "opengraph/extensions/github/edges/gh_deleteissue",
+ "opengraph/extensions/github/edges/gh_deletetag",
+ "opengraph/extensions/github/edges/gh_dependson",
+ "opengraph/extensions/github/edges/gh_deploysto",
+ "opengraph/extensions/github/edges/gh_editcategoryondiscussion",
+ "opengraph/extensions/github/edges/gh_editdiscussioncategory",
+ "opengraph/extensions/github/edges/gh_editdiscussioncomment",
+ "opengraph/extensions/github/edges/gh_editrepoannouncementbanners",
+ "opengraph/extensions/github/edges/gh_editrepocustompropertiesvalues",
+ "opengraph/extensions/github/edges/gh_editrepometadata",
+ "opengraph/extensions/github/edges/gh_editrepoprotections",
+ "opengraph/extensions/github/edges/gh_hasbaserole",
+ "opengraph/extensions/github/edges/gh_hasbranch",
+ "opengraph/extensions/github/edges/gh_hasenvironment",
+ "opengraph/extensions/github/edges/gh_hasexternalidentity",
+ "opengraph/extensions/github/edges/gh_hasjob",
+ "opengraph/extensions/github/edges/gh_hasmember",
+ "opengraph/extensions/github/edges/gh_haspersonalaccesstoken",
+ "opengraph/extensions/github/edges/gh_haspersonalaccesstokenrequest",
+ "opengraph/extensions/github/edges/gh_hasrole",
+ "opengraph/extensions/github/edges/gh_hassamlidentityprovider",
+ "opengraph/extensions/github/edges/gh_hassecret",
+ "opengraph/extensions/github/edges/gh_hasstep",
+ "opengraph/extensions/github/edges/gh_hasvariable",
+ "opengraph/extensions/github/edges/gh_hasworkflow",
+ "opengraph/extensions/github/edges/gh_installedas",
+ "opengraph/extensions/github/edges/gh_invitemember",
+ "opengraph/extensions/github/edges/gh_jumpmergequeue",
+ "opengraph/extensions/github/edges/gh_managedeploykeys",
+ "opengraph/extensions/github/edges/gh_managediscussionbadges",
+ "opengraph/extensions/github/edges/gh_manageorganizationwebhooks",
+ "opengraph/extensions/github/edges/gh_managereposecurityproducts",
+ "opengraph/extensions/github/edges/gh_managesecurityproducts",
+ "opengraph/extensions/github/edges/gh_managesettingsmergetypes",
+ "opengraph/extensions/github/edges/gh_managesettingspages",
+ "opengraph/extensions/github/edges/gh_managesettingsprojects",
+ "opengraph/extensions/github/edges/gh_managesettingswiki",
+ "opengraph/extensions/github/edges/gh_managetopics",
+ "opengraph/extensions/github/edges/gh_managewebhooks",
+ "opengraph/extensions/github/edges/gh_mapstouser",
+ "opengraph/extensions/github/edges/gh_markasduplicate",
+ "opengraph/extensions/github/edges/gh_memberof",
+ "opengraph/extensions/github/edges/gh_orgbypasscodescanningdismissalrequests",
+ "opengraph/extensions/github/edges/gh_orgbypasssecretscanningclosurerequests",
+ "opengraph/extensions/github/edges/gh_orgreviewandmanagesecretscanningbypassrequests",
+ "opengraph/extensions/github/edges/gh_orgreviewandmanagesecretscanningclosurerequests",
+ "opengraph/extensions/github/edges/gh_owns",
+ "opengraph/extensions/github/edges/gh_protectedby",
+ "opengraph/extensions/github/edges/gh_pushprotectedbranch",
+ "opengraph/extensions/github/edges/gh_readcodescanning",
+ "opengraph/extensions/github/edges/gh_readorganizationactionsusagemetrics",
+ "opengraph/extensions/github/edges/gh_readorganizationcustomorgrole",
+ "opengraph/extensions/github/edges/gh_readorganizationcustomreporole",
+ "opengraph/extensions/github/edges/gh_readrepocontents",
+ "opengraph/extensions/github/edges/gh_removeassignee",
+ "opengraph/extensions/github/edges/gh_removelabel",
+ "opengraph/extensions/github/edges/gh_reopendiscussion",
+ "opengraph/extensions/github/edges/gh_reopenissue",
+ "opengraph/extensions/github/edges/gh_reopenpullrequest",
+ "opengraph/extensions/github/edges/gh_requestprreview",
+ "opengraph/extensions/github/edges/gh_resolvedependabotalerts",
+ "opengraph/extensions/github/edges/gh_resolvesecretscanningalerts",
+ "opengraph/extensions/github/edges/gh_restrictionscanpush",
+ "opengraph/extensions/github/edges/gh_runorgmigration",
+ "opengraph/extensions/github/edges/gh_setinteractionlimits",
+ "opengraph/extensions/github/edges/gh_setissuetype",
+ "opengraph/extensions/github/edges/gh_setmilestone",
+ "opengraph/extensions/github/edges/gh_setsocialpreview",
+ "opengraph/extensions/github/edges/gh_syncedto",
+ "opengraph/extensions/github/edges/gh_togglediscussionanswer",
+ "opengraph/extensions/github/edges/gh_togglediscussioncommentminimize",
+ "opengraph/extensions/github/edges/gh_transferrepository",
+ "opengraph/extensions/github/edges/gh_usessecret",
+ "opengraph/extensions/github/edges/gh_usesvariable",
"opengraph/extensions/github/edges/gh_validtoken", + "opengraph/extensions/github/edges/gh_viewdependabotalerts", + "opengraph/extensions/github/edges/gh_viewsecretscanningalerts", + "opengraph/extensions/github/edges/gh_writecodescanning", + "opengraph/extensions/github/edges/gh_writeorganizationactionssecrets", + "opengraph/extensions/github/edges/gh_writeorganizationactionssettings", + "opengraph/extensions/github/edges/gh_writeorganizationactionsvariables", + "opengraph/extensions/github/edges/gh_writeorganizationcustomorgrole", + "opengraph/extensions/github/edges/gh_writeorganizationcustomreporole", + "opengraph/extensions/github/edges/gh_writeorganizationnetworkconfigurations", + "opengraph/extensions/github/edges/gh_writerepocontents", + "opengraph/extensions/github/edges/gh_writerepopullrequests" + ] + } + ] +} diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addassignee.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_addassignee.mdx similarity index 54% rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addassignee.mdx rename to docs/official-docs/opengraph/extensions/github/edges/gh_addassignee.mdx index 8476c01..62a718d 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addassignee.mdx +++ b/docs/official-docs/opengraph/extensions/github/edges/gh_addassignee.mdx @@ -7,18 +7,7 @@ description: '[Repository] Repo role can assign users to issues and pull request ## Edge Schema -Traversable: ❌ - -| Start | Kind | End | -|-------|-----------|-------| -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_AddAssignee | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | - -```mermaid -flowchart LR - GH_RepoRole["fa:fa-user-tie"]:::bhNode - GH_Repository["fa:fa-box-archive"]:::bhNode - GH_RepoRole -- GH_AddAssignee --> GH_Repository -``` +Traversable: false ## General Information 
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addcollaborator.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_addcollaborator.mdx similarity index 63% rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addcollaborator.mdx rename to docs/official-docs/opengraph/extensions/github/edges/gh_addcollaborator.mdx index 9bcb4d3..fdb6921 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addcollaborator.mdx +++ b/docs/official-docs/opengraph/extensions/github/edges/gh_addcollaborator.mdx @@ -7,18 +7,7 @@ description: '[Organization] Org role can add outside collaborators' ## Edge Schema -Traversable: ❌ - -| Start | Kind | End | -|-------|-----------|-------| -| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | GH_AddCollaborator | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | - -```mermaid -flowchart LR - GH_OrgRole["fa:fa-user-tie"]:::bhNode - GH_Organization["fa:fa-building"]:::bhNode - GH_OrgRole -- GH_AddCollaborator --> GH_Organization -``` +Traversable: false ## General Information diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addlabel.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_addlabel.mdx similarity index 54% rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addlabel.mdx rename to docs/official-docs/opengraph/extensions/github/edges/gh_addlabel.mdx index cface8f..30232c8 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addlabel.mdx +++ b/docs/official-docs/opengraph/extensions/github/edges/gh_addlabel.mdx 
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can add labels to issues and pull requests' ## Edge Schema -Traversable: ❌ - -| Start | Kind | End | -|-------|-----------|-------| -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_AddLabel | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | - -```mermaid -flowchart LR - GH_RepoRole["fa:fa-user-tie"]:::bhNode - GH_Repository["fa:fa-box-archive"]:::bhNode - GH_RepoRole -- GH_AddLabel --> GH_Repository -``` +Traversable: false ## General Information diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addmember.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_addmember.mdx similarity index 63% rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addmember.mdx rename to docs/official-docs/opengraph/extensions/github/edges/gh_addmember.mdx index 5a6d3bc..cfee1ab 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_addmember.mdx +++ b/docs/official-docs/opengraph/extensions/github/edges/gh_addmember.mdx @@ -7,18 +7,7 @@ description: 'Team role can add members to the team (maintainer privilege)' ## Edge Schema -Traversable: ✅ - -| Start | Kind | End | -|-------|-----------|-------| -| [GH_TeamRole](/opengraph/extensions/githound/reference/nodes/gh_teamrole) | GH_AddMember | [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | - -```mermaid -flowchart LR - GH_TeamRole["fa:fa-user-tie"]:::bhNode - GH_Team["fa:fa-user-group"]:::bhNode - GH_TeamRole -- GH_AddMember --> GH_Team -``` +Traversable: true ## General Information 
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_adminto.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_adminto.mdx similarity index 65% rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_adminto.mdx rename to docs/official-docs/opengraph/extensions/github/edges/gh_adminto.mdx index c17900d..8f4c837 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_adminto.mdx +++ b/docs/official-docs/opengraph/extensions/github/edges/gh_adminto.mdx @@ -7,18 +7,7 @@ description: '[Repository] Repo role has admin access to the repository.' ## Edge Schema -Traversable: ❌ - -| Start | Kind | End | -|-------|-----------|-------| -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_AdminTo | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | - -```mermaid -flowchart LR - GH_RepoRole["fa:fa-user-tie"]:::bhNode - GH_Repository["fa:fa-box-archive"]:::bhNode - GH_RepoRole -- GH_AdminTo --> GH_Repository -``` +Traversable: false ## General Information diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_bypassbranchprotection.mdx similarity index 66% rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection.mdx rename to docs/official-docs/opengraph/extensions/github/edges/gh_bypassbranchprotection.mdx index caab24a..c4d994a 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection.mdx +++ b/docs/official-docs/opengraph/extensions/github/edges/gh_bypassbranchprotection.mdx 
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can bypass merge-gate branch protections (P ## Edge Schema -Traversable: ❌ - -| Start | Kind | End | -|-------|-----------|-------| -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_BypassBranchProtection | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | - -```mermaid -flowchart LR - GH_RepoRole["fa:fa-user-tie"]:::bhNode - GH_Repository["fa:fa-box-archive"]:::bhNode - GH_RepoRole -- GH_BypassBranchProtection --> GH_Repository -``` +Traversable: false ## General Information diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_bypasspullrequestallowances.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_bypasspullrequestallowances.mdx similarity index 66% rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_bypasspullrequestallowances.mdx rename to docs/official-docs/opengraph/extensions/github/edges/gh_bypasspullrequestallowances.mdx index 5ef2d53..92db5c6 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_bypasspullrequestallowances.mdx +++ b/docs/official-docs/opengraph/extensions/github/edges/gh_bypasspullrequestallowances.mdx @@ -7,18 +7,7 @@ description: 'User or team can bypass pull request requirements on a branch prot ## Edge Schema -Traversable: ❌ - -| Start | Kind | End | -|-------|-----------|-------| -| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_BypassPullRequestAllowances | [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) | - -```mermaid -flowchart LR - GH_User["fa:fa-user"]:::bhNode - GH_BranchProtectionRule["fa:fa-shield"]:::bhNode - GH_User -- GH_BypassPullRequestAllowances --> GH_BranchProtectionRule -``` +Traversable: false ## General Information 
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_callsworkflow.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_callsworkflow.mdx
similarity index 96%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_callsworkflow.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_callsworkflow.mdx
index d9fe381..a911bdb 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_callsworkflow.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_callsworkflow.mdx
@@ -7,7 +7,7 @@ description: '[Workflow] Job calls a reusable workflow — GH_WorkflowJob → GH
 ## Edge Schema
-Traversable: ✅
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_canaccess.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_canaccess.mdx
new file mode 100644
index 0000000..def8251
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_canaccess.mdx
@@ -0,0 +1,14 @@
+---
+title: 'GH_CanAccess'
+description: 'Personal access token or app installation can access this repository or organization'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: false
+
+## General Information
+
+The non-traversable `GH_CanAccess` edge indicates that a personal access token or app installation has been granted access to specific repositories. It is created by `Git-HoundPersonalAccessToken` and `Git-HoundPersonalAccessTokenRequest` for PATs, and by `Git-HoundAppInstallation` for app installations. This edge represents the scope of access granted to a token or app rather than a direct attack path, providing visibility into which repositories are reachable through non-human credentials. It is non-traversable because token and app access does not transitively extend to other principals.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canassumeidentity.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_canassumeidentity.mdx
similarity index 97%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canassumeidentity.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_canassumeidentity.mdx
index 7f48142..f553072 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canassumeidentity.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_canassumeidentity.mdx
@@ -7,7 +7,7 @@ description: 'Repository can assume this cloud identity via OIDC federation (Azu
 ## Edge Schema
-Traversable: ✅
+Traversable: true
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_cancreatebranch.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_cancreatebranch.mdx
similarity index 73%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_cancreatebranch.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_cancreatebranch.mdx
index f06621c..5529cc8 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_cancreatebranch.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_cancreatebranch.mdx
@@ -7,22 +7,11 @@ description: '[Repository - Computed] Role can create new branches in this repos ## Edge Schema -Traversable: ✅ - -| Start | Kind | End | -|-------|-----------|-------| -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_CanCreateBranch | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | - -```mermaid -flowchart LR - GH_RepoRole["fa:fa-user-tie"]:::bhNode - GH_Repository["fa:fa-box-archive"]:::bhNode - GH_RepoRole -- GH_CanCreateBranch --> GH_Repository -``` +Traversable: true ## General Information -The traversable `GH_CanCreateBranch` edge is a computed edge indicating that a role or actor can create new branches in a repository. Created by `Compute-GitHoundBranchAccess` with no additional API calls, the computation evaluates whether a wildcard (`*`) BPR with push restrictions and `blocks_creations` exists. If no such BPR exists, any write-capable role can create branches. If one exists, admin or `push_protected_branch` permission is required, or the actor must be listed in pushAllowances. Per-actor edges from [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) or [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) are only emitted when BPR allowances grant branch creation access beyond what the role provides. Each edge includes a `reason` property and a `query_composition` Cypher query showing the underlying graph evidence. +The traversable `GH_CanCreateBranch` edge is a computed edge indicating that a role or actor can create new branches in a repository. Created by `Compute-GitHoundBranchAccess` with no additional API calls, the computation evaluates whether a wildcard (`*`) BPR with push restrictions and `blocks_creations` exists. If no such BPR exists, any write-capable role can create branches. If one exists, admin or `push_protected_branch` permission is required, or the actor must be listed in pushAllowances. 
Per-actor edges from [GH_User](/opengraph/extensions/github/nodes/gh_user) or [GH_Team](/opengraph/extensions/github/nodes/gh_team) are only emitted when BPR allowances grant branch creation access beyond what the role provides. Each edge includes a `reason` property and a `query_composition` Cypher query showing the underlying graph evidence. ## Scenarios @@ -50,7 +39,7 @@ graph LR ### `push_protected_branch` — Push-protected role bypasses wildcard BPR -A wildcard BPR blocks creations. The [GH_PushProtectedBranch](/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch) permission bypasses the push gate regardless of `enforce_admins`. +A wildcard BPR blocks creations. The [GH_PushProtectedBranch](/opengraph/extensions/github/edges/gh_pushprotectedbranch) permission bypasses the push gate regardless of `enforce_admins`. ```mermaid graph LR diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_caneditprotection.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_caneditprotection.mdx similarity index 53% rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_caneditprotection.mdx rename to docs/official-docs/opengraph/extensions/github/edges/gh_caneditprotection.mdx index bd76e6e..a09a8b5 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_caneditprotection.mdx +++ b/docs/official-docs/opengraph/extensions/github/edges/gh_caneditprotection.mdx 
@@ -7,28 +7,17 @@ description: '[Repository - Computed] Repo role can modify or remove the branch ## Edge Schema -Traversable: ✅ - -| Start | Kind | End | -|-------|-----------|-------| -| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_CanEditProtection | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | - -```mermaid -flowchart LR - GH_RepoRole["fa:fa-user-tie"]:::bhNode - GH_Branch["fa:fa-code-branch"]:::bhNode - GH_RepoRole -- GH_CanEditProtection --> GH_Branch -``` +Traversable: true ## General Information -The traversable `GH_CanEditProtection` edge is a computed edge indicating that a role can modify or remove the branch protection rules governing a specific branch. Created by `Compute-GitHoundBranchAccess` with no additional API calls, this edge is emitted when the role has [GH_EditRepoProtections](/opengraph/extensions/githound/reference/edges/gh_editrepoprotections) or [GH_AdminTo](/opengraph/extensions/githound/reference/edges/gh_adminto) permissions and the branch is covered by at least one branch protection rule. The edge targets the protected branch (not the BPR itself) because the security impact is evaluated per-branch — a role that can weaken or remove protections on a branch can subsequently push code to it, representing a privilege escalation path. +The traversable `GH_CanEditProtection` edge is a computed edge indicating that a role can modify or remove the branch protection rules governing a specific branch. Created by `Compute-GitHoundBranchAccess` with no additional API calls, this edge is emitted when the role has [GH_EditRepoProtections](/opengraph/extensions/github/edges/gh_editrepoprotections) or [GH_AdminTo](/opengraph/extensions/github/edges/gh_adminto) permissions and the branch is covered by at least one branch protection rule. 
The edge targets the protected branch (not the BPR itself) because the security impact is evaluated per-branch — a role that can weaken or remove protections on a branch can subsequently push code to it, representing a privilege escalation path. ## Scenarios ### `admin` — Admin can edit protections -The admin role has [GH_AdminTo](/opengraph/extensions/githound/reference/edges/gh_adminto) which implicitly grants the ability to modify or remove any branch protection rule. +The admin role has [GH_AdminTo](/opengraph/extensions/github/edges/gh_adminto) which implicitly grants the ability to modify or remove any branch protection rule. ```mermaid graph LR @@ -40,7 +29,7 @@ graph LR ### `edit_repo_protections` — Explicit edit permission -A custom or standard role with the [GH_EditRepoProtections](/opengraph/extensions/githound/reference/edges/gh_editrepoprotections) permission can modify or remove branch protection rules. +A custom or standard role with the [GH_EditRepoProtections](/opengraph/extensions/github/edges/gh_editrepoprotections) permission can modify or remove branch protection rules. ```mermaid graph LR diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canpwnrequest.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_canpwnrequest.mdx similarity index 81% rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canpwnrequest.mdx rename to docs/official-docs/opengraph/extensions/github/edges/gh_canpwnrequest.mdx index 99e6dda..228060e 100644 --- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canpwnrequest.mdx +++ b/docs/official-docs/opengraph/extensions/github/edges/gh_canpwnrequest.mdx @@ -7,7 +7,7 @@ description: '[Computed] Repo role can exploit a pwn-requestable workflow to exe ## Edge Schema -Traversable: ✅ +Traversable: true ## General Information 
@@ -25,9 +25,9 @@ A workflow is considered pwn-requestable (`is_pwn_requestable = true`) when **al
 ### Edge Drawing Conditions
-An edge is drawn from a [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) to the repository (and its branches) when:
+An edge is drawn from a [GH_RepoRole](/opengraph/extensions/github/nodes/gh_reporole) to the repository (and its branches) when:
-1. **Read access**: The role has a [GH_ReadRepoContents](/opengraph/extensions/githound/reference/edges/gh_readrepocontents) edge to the repository (read access is the minimum required to fork).
+1. **Read access**: The role has a [GH_ReadRepoContents](/opengraph/extensions/github/edges/gh_readrepocontents) edge to the repository (read access is the minimum required to fork).
 2. **Forkability**: The repository can be forked by the role holder:
 - **Public repos**: Always forkable by anyone on GitHub.
 - **Private/internal repos**: Requires both the organization setting `members_can_fork_private_repositories = true` AND the repository setting `allow_forking = true`.
@@ -45,12 +45,12 @@ An attacker who exploits a pwn request gains code execution in the workflow runn
 - **Repository secrets** scoped to the base branch
 - **Organization secrets** accessible by the repository
 - **GITHUB_TOKEN** with the workflow's declared permissions (often `write`)
-- **OIDC tokens** if `id-token: write` is set, enabling cloud identity assumption via [GH_CanAssumeIdentity](/opengraph/extensions/githound/reference/edges/gh_canassumeidentity)
+- **OIDC tokens** if `id-token: write` is set, enabling cloud identity assumption via [GH_CanAssumeIdentity](/opengraph/extensions/github/edges/gh_canassumeidentity)
 - **Environment secrets** if the workflow job targets a deployment environment
 ### Caveats
-- **OIDC traversal requires `id-token: write`**: The attack chain from `GH_CanPwnRequest` through [GH_CanAssumeIdentity](/opengraph/extensions/githound/reference/edges/gh_canassumeidentity) to a cloud role is only valid if the pwn-requestable workflow (or job) explicitly declares `id-token: write` in its `permissions:` block. The `id-token` permission defaults to `none` and is never implicitly granted — even when the workflow has no `permissions:` block at all. The `permissions` property on the [GH_WorkflowJob](/opengraph/extensions/githound/reference/nodes/gh_workflowjob) node can be inspected to verify this.
+- **OIDC traversal requires `id-token: write`**: The attack chain from `GH_CanPwnRequest` through [GH_CanAssumeIdentity](/opengraph/extensions/github/edges/gh_canassumeidentity) to a cloud role is only valid if the pwn-requestable workflow (or job) explicitly declares `id-token: write` in its `permissions:` block. The `id-token` permission defaults to `none` and is never implicitly granted — even when the workflow has no `permissions:` block at all. The `permissions` property on the [GH_WorkflowJob](/opengraph/extensions/github/nodes/gh_workflowjob) node can be inspected to verify this.
- **GITHUB_TOKEN permissions**: The `permissions:` block controls what the `GITHUB_TOKEN` can do (e.g., push commits, create releases), but has no effect on secret access, OIDC token requests (governed separately by `id-token`), or arbitrary code execution. A workflow with `contents: read` is still fully exploitable via pwn request for secret exfiltration and lateral movement — only write-back to the repository is limited.
 ```mermaid
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canreadsecretscanningalert.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_canreadsecretscanningalert.mdx
similarity index 59%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canreadsecretscanningalert.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_canreadsecretscanningalert.mdx
index 188d937..cf748b8 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canreadsecretscanningalert.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_canreadsecretscanningalert.mdx
@@ -7,11 +7,11 @@ description: '[Computed] Role can read secret scanning alerts (computed from GH_
 ## Edge Schema
-Traversable: ✅
+Traversable: true
 ## General Information
-The traversable `GH_CanReadSecretScanningAlert` edge is a computed edge indicating that a role can read a specific secret scanning alert, including the leaked secret value. Created by `Compute-GitHoundSecretScanningAccess` with no additional API calls, the computation cross-references [GH_ViewSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts) permission edges with [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) structural edges (org-level and repo-level) to determine which alerts each role can access. This edge is traversable because reading an alert reveals the leaked secret — if the secret is a valid GitHub Personal Access Token, the [GH_ValidToken](/opengraph/extensions/githound/reference/edges/gh_validtoken) edge enables identity compromise of the token's owner.
+The traversable `GH_CanReadSecretScanningAlert` edge is a computed edge indicating that a role can read a specific secret scanning alert, including the leaked secret value. Created by `Compute-GitHoundSecretScanningAccess` with no additional API calls, the computation cross-references [GH_ViewSecretScanningAlerts](/opengraph/extensions/github/edges/gh_viewsecretscanningalerts) permission edges with [GH_Contains](/opengraph/extensions/github/edges/gh_contains) structural edges (org-level and repo-level) to determine which alerts each role can access. This edge is traversable because reading an alert reveals the leaked secret — if the secret is a valid GitHub Personal Access Token, the [GH_ValidToken](/opengraph/extensions/github/edges/gh_validtoken) edge enables identity compromise of the token's owner.
Each edge includes a `reason` property (`org_role_permission` or `repo_role_permission`) and a `query_composition` Cypher query showing the underlying graph evidence.
@@ -19,7 +19,7 @@ Each edge includes a `reason` property (`org_role_permission` or `repo_role_perm
 ### `org_role_permission` — Org role views alerts via organization
-An org role with [GH_ViewSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts) to the organization can read all secret scanning alerts across the entire org. The computation follows [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) edges from the organization to each alert.
+An org role with [GH_ViewSecretScanningAlerts](/opengraph/extensions/github/edges/gh_viewsecretscanningalerts) to the organization can read all secret scanning alerts across the entire org. The computation follows [GH_Contains](/opengraph/extensions/github/edges/gh_contains) edges from the organization to each alert.
 ```mermaid
 graph LR
@@ -31,7 +31,7 @@ graph LR
 ### `repo_role_permission` — Repo role views alerts via repository
-A repo role with [GH_ViewSecretScanningAlerts](/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts) to the repository can read secret scanning alerts in that specific repo. The computation follows [GH_Contains](/opengraph/extensions/githound/reference/edges/gh_contains) edges from the repository to each alert.
+A repo role with [GH_ViewSecretScanningAlerts](/opengraph/extensions/github/edges/gh_viewsecretscanningalerts) to the repository can read secret scanning alerts in that specific repo. The computation follows [GH_Contains](/opengraph/extensions/github/edges/gh_contains) edges from the repository to each alert.
 ```mermaid
 graph LR
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canwritebranch.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_canwritebranch.mdx
similarity index 68%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canwritebranch.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_canwritebranch.mdx
index 6c0936c..e7ca58a 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_canwritebranch.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_canwritebranch.mdx
@@ -7,28 +7,11 @@ description: '[Repository - Computed] Role can push to this branch after evaluat
 ## Edge Schema
-Traversable: ✅
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_CanWriteBranch | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) |
-| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_CanWriteBranch | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) |
-| [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | GH_CanWriteBranch | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Branch["fa:fa-code-branch"]:::bhNode
- GH_User["fa:fa-user"]:::bhNode
- GH_Team["fa:fa-user-group"]:::bhNode
- GH_RepoRole -- GH_CanWriteBranch --> GH_Branch
- GH_User -- GH_CanWriteBranch --> GH_Branch
- GH_Team -- GH_CanWriteBranch --> GH_Branch
-```
+Traversable: true
 ## General Information
-The traversable `GH_CanWriteBranch` edge is a computed edge indicating that a role or actor can push to a specific branch. Created by `Compute-GitHoundBranchAccess` with no additional API calls, the computation evaluates both the merge gate (PR review requirements) and push gate (push restrictions) of any branch protection rule protecting the branch. Role-level edges are the common case; per-actor edges from [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) or [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) are only emitted when BPR allowances grant access beyond what the role provides. Each edge includes a `reason` property (`no_protection`, `admin`, `push_protected_branch`, `bypass_branch_protection`, `push_allowance`, `bypass_pr_allowance`) and a `query_composition` Cypher query showing the underlying graph evidence.
+The traversable `GH_CanWriteBranch` edge is a computed edge indicating that a role or actor can push to a specific branch. Created by `Compute-GitHoundBranchAccess` with no additional API calls, the computation evaluates both the merge gate (PR review requirements) and push gate (push restrictions) of any branch protection rule protecting the branch. Role-level edges are the common case; per-actor edges from [GH_User](/opengraph/extensions/github/nodes/gh_user) or [GH_Team](/opengraph/extensions/github/nodes/gh_team) are only emitted when BPR allowances grant access beyond what the role provides. Each edge includes a `reason` property (`no_protection`, `admin`, `push_protected_branch`, `bypass_branch_protection`, `push_allowance`, `bypass_pr_allowance`) and a `query_composition` Cypher query showing the underlying graph evidence.
 ## Scenarios
@@ -57,7 +40,7 @@ graph LR
 ### `push_protected_branch` — Push gate bypass
-Push gate blocked by `push_restrictions` (no merge gate block). The [GH_PushProtectedBranch](/opengraph/extensions/githound/reference/edges/gh_pushprotectedbranch) permission bypasses the push gate regardless of `enforce_admins`.
+Push gate blocked by `push_restrictions` (no merge gate block). The [GH_PushProtectedBranch](/opengraph/extensions/github/edges/gh_pushprotectedbranch) permission bypasses the push gate regardless of `enforce_admins`.
 ```mermaid
 graph LR
@@ -70,7 +53,7 @@ graph LR
 ### `bypass_branch_protection` — Merge gate bypass
-Merge gate blocked by PR reviews. The [GH_BypassBranchProtection](/opengraph/extensions/githound/reference/edges/gh_bypassbranchprotection) permission bypasses the merge gate. Requires `enforce_admins=false`; suppressed when `enforce_admins=true`.
+Merge gate blocked by PR reviews. The [GH_BypassBranchProtection](/opengraph/extensions/github/edges/gh_bypassbranchprotection) permission bypasses the merge gate. Requires `enforce_admins=false`; suppressed when `enforce_admins=true`.
 ```mermaid
 graph LR
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closediscussion.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_closediscussion.mdx
similarity index 53%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closediscussion.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_closediscussion.mdx
index 053da51..4d91443 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closediscussion.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_closediscussion.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can close discussions'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_CloseDiscussion | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_CloseDiscussion --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closeissue.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_closeissue.mdx
similarity index 51%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closeissue.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_closeissue.mdx
index 8ef66b9..f235d3e 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closeissue.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_closeissue.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can close issues'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_CloseIssue | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_CloseIssue --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closepullrequest.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_closepullrequest.mdx
similarity index 52%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closepullrequest.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_closepullrequest.mdx
index ac0f332..0587a6b 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_closepullrequest.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_closepullrequest.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can close pull requests'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ClosePullRequest | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_ClosePullRequest --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_contains.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_contains.mdx
new file mode 100644
index 0000000..b98099a
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_contains.mdx
@@ -0,0 +1,14 @@
+---
+title: 'GH_Contains'
+description: 'Container relationship for organizational hierarchy (org contains secrets/variables, repo contains secrets/variables, environment contains secrets/variables)'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: false
+
+## General Information
+
+The non-traversable `GH_Contains` edge represents structural containment within the GitHub resource hierarchy. The organization serves as the top-level container for users, teams, repositories, roles, secrets, app installations, and personal access tokens. Repositories contain their own repo-level secrets, and environments contain environment-scoped secrets. This edge is created by the collector to establish the organizational hierarchy of GitHub resources and is not traversable because containment alone does not imply privilege escalation.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_convertissuestodiscussions.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_convertissuestodiscussions.mdx
similarity index 56%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_convertissuestodiscussions.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_convertissuestodiscussions.mdx
index d7472de..e285d04 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_convertissuestodiscussions.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_convertissuestodiscussions.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can convert issues to discussions'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ConvertIssuesToDiscussions | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_ConvertIssuesToDiscussions --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_creatediscussioncategory.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_creatediscussioncategory.mdx
similarity index 53%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_creatediscussioncategory.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_creatediscussioncategory.mdx
index ed3bd41..94702da 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_creatediscussioncategory.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_creatediscussioncategory.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can create discussion categories'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_CreateDiscussionCategory | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_CreateDiscussionCategory --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createrepository.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_createrepository.mdx
similarity index 62%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createrepository.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_createrepository.mdx
index b9c7dbb..332b6f4 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createrepository.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_createrepository.mdx
@@ -7,18 +7,7 @@ description: '[Organization] Org role can create repositories in the organizatio
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | GH_CreateRepository | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) |
-
-```mermaid
-flowchart LR
- GH_OrgRole["fa:fa-user-tie"]:::bhNode
- GH_Organization["fa:fa-building"]:::bhNode
- GH_OrgRole -- GH_CreateRepository --> GH_Organization
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createsolomergequeueentry.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_createsolomergequeueentry.mdx
similarity index 64%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createsolomergequeueentry.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_createsolomergequeueentry.mdx
index 52ace86..fb42e3d 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createsolomergequeueentry.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_createsolomergequeueentry.mdx
@@ -7,18 +7,7 @@ description: 'Repo role can create solo merge queue entries'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_CreateSoloMergeQueueEntry | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_CreateSoloMergeQueueEntry --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createtag.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_createtag.mdx
similarity index 55%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createtag.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_createtag.mdx
index 1b20d73..092cf3a 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createtag.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_createtag.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can create tags and releases'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_CreateTag | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_CreateTag --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createteam.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_createteam.mdx
similarity index 63%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createteam.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_createteam.mdx
index 3fea71a..1f5b47b 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_createteam.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_createteam.mdx
@@ -7,18 +7,7 @@ description: '[Organization] Org role can create teams in the organization'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | GH_CreateTeam | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) |
-
-```mermaid
-flowchart LR
- GH_OrgRole["fa:fa-user-tie"]:::bhNode
- GH_Organization["fa:fa-building"]:::bhNode
- GH_OrgRole -- GH_CreateTeam --> GH_Organization
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletealertscodescanning.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_deletealertscodescanning.mdx
similarity index 62%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletealertscodescanning.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_deletealertscodescanning.mdx
index 1f3a6a1..daba56e 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletealertscodescanning.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_deletealertscodescanning.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can delete code scanning alerts'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_DeleteAlertsCodeScanning | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_DeleteAlertsCodeScanning --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletediscussion.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_deletediscussion.mdx
similarity index 52%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletediscussion.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_deletediscussion.mdx
index e6a8ab4..70340b2 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletediscussion.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_deletediscussion.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can delete discussions'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_DeleteDiscussion | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_DeleteDiscussion --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletediscussioncomment.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_deletediscussioncomment.mdx
similarity index 54%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletediscussioncomment.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_deletediscussioncomment.mdx
index 8adedba..b2fa4a1 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletediscussioncomment.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_deletediscussioncomment.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can delete discussion comments'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_DeleteDiscussionComment | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_DeleteDiscussionComment --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deleteissue.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_deleteissue.mdx
similarity index 57%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deleteissue.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_deleteissue.mdx
index b0821ad..743a0f9 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deleteissue.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_deleteissue.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can delete issues'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_DeleteIssue | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_DeleteIssue --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletetag.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_deletetag.mdx
similarity index 55%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletetag.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_deletetag.mdx
index a80e97c..0f1da9a 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deletetag.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_deletetag.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can delete tags and releases'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_DeleteTag | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_DeleteTag --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_dependson.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_dependson.mdx
similarity index 95%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_dependson.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_dependson.mdx
index 86475ed..8b107b9 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_dependson.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_dependson.mdx
@@ -7,7 +7,7 @@ description: '[Workflow] Job must run after another job (needs: dependency) —
 ## Edge Schema
-Traversable: ❌
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deploysto.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_deploysto.mdx
similarity index 95%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deploysto.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_deploysto.mdx
index 25af789..4394727 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_deploysto.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_deploysto.mdx
@@ -7,7 +7,7 @@ description: '[Workflow] Job deploys to a GitHub Environment — GH_WorkflowJob
 ## Edge Schema
-Traversable: ❌
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editcategoryondiscussion.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_editcategoryondiscussion.mdx
similarity index 55%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editcategoryondiscussion.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_editcategoryondiscussion.mdx
index 1907275..d318d83 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editcategoryondiscussion.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_editcategoryondiscussion.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can change the category of a discussion'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_EditCategoryOnDiscussion | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_EditCategoryOnDiscussion --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editdiscussioncategory.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_editdiscussioncategory.mdx
similarity index 54%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editdiscussioncategory.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_editdiscussioncategory.mdx
index 2770c81..ccc122b 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editdiscussioncategory.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_editdiscussioncategory.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can edit discussion categories'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_EditDiscussionCategory | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_EditDiscussionCategory --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editdiscussioncomment.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_editdiscussioncomment.mdx
similarity index 53%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editdiscussioncomment.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_editdiscussioncomment.mdx
index 835940f..5787387 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editdiscussioncomment.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_editdiscussioncomment.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can edit discussion comments'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_EditDiscussionComment | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_EditDiscussionComment --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepoannouncementbanners.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_editrepoannouncementbanners.mdx
similarity index 54%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepoannouncementbanners.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_editrepoannouncementbanners.mdx
index 1449762..d89f5c2 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepoannouncementbanners.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_editrepoannouncementbanners.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can edit repository announcement banners'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_EditRepoAnnouncementBanners | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_EditRepoAnnouncementBanners --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepocustompropertiesvalues.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_editrepocustompropertiesvalues.mdx
similarity index 65%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepocustompropertiesvalues.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_editrepocustompropertiesvalues.mdx
index 632afe2..aee5fa2 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepocustompropertiesvalues.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_editrepocustompropertiesvalues.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can edit custom property values on the repo
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_EditRepoCustomPropertiesValues | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_EditRepoCustomPropertiesValues --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepometadata.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_editrepometadata.mdx
similarity index 55%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepometadata.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_editrepometadata.mdx
index 4eebd69..9c3f765 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepometadata.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_editrepometadata.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can edit repository metadata'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_EditRepoMetadata | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_EditRepoMetadata --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepoprotections.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_editrepoprotections.mdx
similarity index 64%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepoprotections.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_editrepoprotections.mdx
index ae57c57..eddbb38 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_editrepoprotections.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_editrepoprotections.mdx
@@ -7,18 +7,7 @@ description: 'Repo role can edit branch protection rules'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_EditRepoProtections | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_EditRepoProtections --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasbaserole.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasbaserole.mdx
similarity index 56%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasbaserole.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_hasbaserole.mdx
index 161a21e..5809ad0 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasbaserole.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hasbaserole.mdx
@@ -7,20 +7,7 @@ description: 'Role inherits permissions from another role'
 ## Edge Schema
-Traversable: ✅
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | GH_HasBaseRole | [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_HasBaseRole | [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) |
-
-```mermaid
-flowchart LR
- GH_OrgRole["fa:fa-user-tie"]:::bhNode
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_OrgRole -- GH_HasBaseRole --> GH_OrgRole
- GH_RepoRole -- GH_HasBaseRole --> GH_RepoRole
-```
+Traversable: true
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasbranch.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasbranch.mdx
similarity index 52%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasbranch.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_hasbranch.mdx
index 8d83513..2541187 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasbranch.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hasbranch.mdx
@@ -7,19 +7,8 @@ description: 'Repository has this branch'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_HasBranch | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) |
-
-```mermaid
-flowchart LR
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_Branch["fa:fa-code-branch"]:::bhNode
- GH_Repository -- GH_HasBranch --> GH_Branch
-```
+Traversable: false
 ## General Information
-The non-traversable `GH_HasBranch` edge represents the relationship between a repository and its branches. Created by `Git-HoundBranch`, this edge links each collected branch to its parent repository. It is a structural edge that provides the foundation for understanding branch-level protections and access controls. While not traversable itself, it connects repositories to branches where traversable edges like [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) and [GH_CanEditProtection](/opengraph/extensions/githound/reference/edges/gh_caneditprotection) model the effective access.
+The non-traversable `GH_HasBranch` edge represents the relationship between a repository and its branches. Created by `Git-HoundBranch`, this edge links each collected branch to its parent repository. It is a structural edge that provides the foundation for understanding branch-level protections and access controls. While not traversable itself, it connects repositories to branches where traversable edges like [GH_CanWriteBranch](/opengraph/extensions/github/edges/gh_canwritebranch) and [GH_CanEditProtection](/opengraph/extensions/github/edges/gh_caneditprotection) model the effective access.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasenvironment.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasenvironment.mdx
similarity index 51%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasenvironment.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_hasenvironment.mdx
index e714ae5..bdb4006 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasenvironment.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hasenvironment.mdx
@@ -7,21 +7,7 @@ description: 'Repository or branch has/can deploy to this environment'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) | GH_HasEnvironment | [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) |
-| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_HasEnvironment | [GH_Environment](/opengraph/extensions/githound/reference/nodes/gh_environment) |
-
-```mermaid
-flowchart LR
- GH_Branch["fa:fa-code-branch"]:::bhNode
- GH_Environment["fa:fa-leaf"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_Branch -- GH_HasEnvironment --> GH_Environment
- GH_Repository -- GH_HasEnvironment --> GH_Environment
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasexternalidentity.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasexternalidentity.mdx
new file mode 100644
index 0000000..dbd198d
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hasexternalidentity.mdx
@@ -0,0 +1,14 @@
+---
+title: 'GH_HasExternalIdentity'
+description: 'SAML identity provider has this external identity'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: false
+
+## General Information
+
+The non-traversable `GH_HasExternalIdentity` edge represents the relationship between a SAML identity provider and the external identities (SSO users) it manages. Created by `Git-HoundGraphQlSamlProvider`, this edge links each external identity to the SAML provider that authenticated it. External identities are a key component in cross-platform attack path analysis because they bridge the gap between corporate identity providers and GitHub user accounts via the [GH_MapsToUser](/opengraph/extensions/github/edges/gh_mapstouser) edge. Enumerating external identities reveals which corporate users have linked GitHub accounts and enables mapping from IdP compromise to GitHub access.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasjob.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasjob.mdx
similarity index 95%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasjob.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_hasjob.mdx
index 1d51df4..59e5a23 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasjob.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hasjob.mdx
@@ -7,7 +7,7 @@ description: '[Workflow] Workflow contains this job — GH_Workflow → GH_Workf
 ## Edge Schema
-Traversable: ✅
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasmember.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasmember.mdx
new file mode 100644
index 0000000..bd68e98
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hasmember.mdx
@@ -0,0 +1,14 @@
+---
+title: 'GH_HasMember'
+description: 'Enterprise or organization has this user as a member'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: false
+
+## General Information
+
+The non-traversable `GH_HasMember` edge represents the relationship between a GitHub enterprise or organization and a user who is a member of that scope. This edge records membership as directory context rather than as an access path: being listed as a member does not by itself describe what the user can do, only that the user belongs to the enterprise or organization. Membership remains security-relevant because it defines the population from which roles, team assignments, and token approvals are drawn, and it helps analysts understand who is inside the trust boundary when reviewing GitHub exposure.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstoken.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_haspersonalaccesstoken.mdx
similarity index 66%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstoken.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_haspersonalaccesstoken.mdx
index 182891d..5605dce 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstoken.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_haspersonalaccesstoken.mdx
@@ -7,18 +7,7 @@ description: 'User owns this personal access token that has been granted access
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_HasPersonalAccessToken | [GH_PersonalAccessToken](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstoken) |
-
-```mermaid
-flowchart LR
- GH_User["fa:fa-user"]:::bhNode
- GH_PersonalAccessToken["fa:fa-key"]:::bhNode
- GH_User -- GH_HasPersonalAccessToken --> GH_PersonalAccessToken
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstokenrequest.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_haspersonalaccesstokenrequest.mdx
similarity index 64%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstokenrequest.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_haspersonalaccesstokenrequest.mdx
index d859cf0..8123bf7 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_haspersonalaccesstokenrequest.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_haspersonalaccesstokenrequest.mdx
@@ -7,18 +7,7 @@ description: 'User has a pending personal access token request for the organizat
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_HasPersonalAccessTokenRequest | [GH_PersonalAccessTokenRequest](/opengraph/extensions/githound/reference/nodes/gh_personalaccesstokenrequest) |
-
-```mermaid
-flowchart LR
- GH_User["fa:fa-user"]:::bhNode
- GH_PersonalAccessTokenRequest["fa:fa-key"]:::bhNode
- GH_User -- GH_HasPersonalAccessTokenRequest --> GH_PersonalAccessTokenRequest
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasrole.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasrole.mdx
new file mode 100644
index 0000000..afe2108
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hasrole.mdx
@@ -0,0 +1,14 @@
+---
+title: 'GH_HasRole'
+description: 'User or team has a role assignment (org role, team role, or repo role)'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+The traversable `GH_HasRole` edge represents the assignment of a user or team to a specific role within the organization, repository, or team. This is the primary edge for connecting identities to their permissions and serves as the foundation of all access paths in the GitHub permission model. It is created by `Git-HoundUser` (for org roles), `Git-HoundRepositoryRole` (for repo roles), and `Git-HoundTeam` (for team roles). Because role assignment is the starting point for determining what a principal can do, this edge is traversable and critical for attack path analysis.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hassamlidentityprovider.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hassamlidentityprovider.mdx
similarity index 64%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hassamlidentityprovider.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_hassamlidentityprovider.mdx
index dc24a85..69ca2c2 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hassamlidentityprovider.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hassamlidentityprovider.mdx
@@ -7,18 +7,7 @@ description: 'Organization has this SAML identity provider configured'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_HasSamlIdentityProvider | [GH_SamlIdentityProvider](/opengraph/extensions/githound/reference/nodes/gh_samlidentityprovider) |
-
-```mermaid
-flowchart LR
- GH_Organization["fa:fa-building"]:::bhNode
- GH_SamlIdentityProvider["fa:fa-id-badge"]:::bhNode
- GH_Organization -- GH_HasSamlIdentityProvider --> GH_SamlIdentityProvider
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hassecret.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hassecret.mdx
new file mode 100644
index 0000000..a9da313
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hassecret.mdx
@@ -0,0 +1,14 @@
+---
+title: 'GH_HasSecret'
+description: 'Repository or environment has access to this secret'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+The traversable `GH_HasSecret` edge represents the relationship between a repository or environment and the secrets accessible within that context. Created by `Git-HoundOrganizationSecret`, `Git-HoundSecret`, and `Git-HoundEnvironment`, this edge shows which secrets are available in which scopes. Repositories can have access to both organization-level secrets (scoped to selected repositories) and repository-level secrets, while environments contain their own environment-scoped secrets. This edge is traversable because any principal that can push code to a repository (via [GH_CanWriteBranch](/opengraph/extensions/github/edges/gh_canwritebranch) or [GH_CanCreateBranch](/opengraph/extensions/github/edges/gh_cancreatebranch)) can write a workflow that exfiltrates the secret values at runtime, making this a meaningful link in attack path analysis.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasstep.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasstep.mdx
similarity index 94%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasstep.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_hasstep.mdx
index b8b345f..13d133c 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasstep.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hasstep.mdx
@@ -7,7 +7,7 @@ description: '[Workflow] Job contains this step — GH_WorkflowJob → GH_Workfl
 ## Edge Schema
-Traversable: ✅
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasvariable.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasvariable.mdx
new file mode 100644
index 0000000..465e18f
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hasvariable.mdx
@@ -0,0 +1,14 @@
+---
+title: 'GH_HasVariable'
+description: 'Repository has access to this variable (org-level or repo-level)'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+The traversable `GH_HasVariable` edge represents the relationship between a repository and the variables accessible within that context. Created by `Git-HoundOrganizationSecret` and `Git-HoundVariable`, this edge shows which variables are available in which scopes. Repositories can have access to both organization-level variables (scoped by visibility to all, private, or selected repositories) and repository-level variables defined directly on the repo. This edge is traversable because any principal that can push code to a repository (via [GH_CanWriteBranch](/opengraph/extensions/github/edges/gh_canwritebranch) or [GH_CanCreateBranch](/opengraph/extensions/github/edges/gh_cancreatebranch)) can write a workflow that reads variable values at runtime, and variables may contain configuration data useful for lateral movement such as deployment URLs, service names, or environment identifiers.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasworkflow.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasworkflow.mdx
similarity index 62%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasworkflow.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_hasworkflow.mdx
index 190d75c..598856b 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_hasworkflow.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hasworkflow.mdx
@@ -7,18 +7,7 @@ description: 'Repository has this workflow'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) | GH_HasWorkflow | [GH_Workflow](/opengraph/extensions/githound/reference/nodes/gh_workflow) |
-
-```mermaid
-flowchart LR
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_Workflow["fa:fa-cogs"]:::bhNode
- GH_Repository -- GH_HasWorkflow --> GH_Workflow
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_installedas.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_installedas.mdx
similarity index 64%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_installedas.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_installedas.mdx
index d3a4d8d..68662ba 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_installedas.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_installedas.mdx
@@ -7,18 +7,7 @@ description: 'GitHub App is installed as this app installation on an organizatio
 ## Edge Schema
-Traversable: ✅
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_App](/opengraph/extensions/githound/reference/nodes/gh_app) | GH_InstalledAs | [GH_AppInstallation](/opengraph/extensions/githound/reference/nodes/gh_appinstallation) |
-
-```mermaid
-flowchart LR
- GH_App["fa:fa-cube"]:::bhNode
- GH_AppInstallation["fa:fa-plug"]:::bhNode
- GH_App -- GH_InstalledAs --> GH_AppInstallation
-```
+Traversable: true
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_invitemember.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_invitemember.mdx
similarity index 61%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_invitemember.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_invitemember.mdx
index 00ae932..4eaf531 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_invitemember.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_invitemember.mdx
@@ -7,18 +7,7 @@ description: '[Organization] Org role can invite members to the organization'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | GH_InviteMember | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) |
-
-```mermaid
-flowchart LR
- GH_OrgRole["fa:fa-user-tie"]:::bhNode
- GH_Organization["fa:fa-building"]:::bhNode
- GH_OrgRole -- GH_InviteMember --> GH_Organization
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_jumpmergequeue.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_jumpmergequeue.mdx
similarity index 64%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_jumpmergequeue.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_jumpmergequeue.mdx
index 1290707..f79cd78 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_jumpmergequeue.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_jumpmergequeue.mdx
@@ -7,18 +7,7 @@ description: 'Repo role can jump the merge queue'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_JumpMergeQueue | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_JumpMergeQueue --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managedeploykeys.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_managedeploykeys.mdx
similarity index 65%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managedeploykeys.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_managedeploykeys.mdx
index 07a9d2b..1d30d91 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managedeploykeys.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_managedeploykeys.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can manage deploy keys'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ManageDeployKeys | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_ManageDeployKeys --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managediscussionbadges.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_managediscussionbadges.mdx
similarity index 54%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managediscussionbadges.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_managediscussionbadges.mdx
index bf4351c..6c70a25 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managediscussionbadges.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_managediscussionbadges.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can manage discussion badges'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ManageDiscussionBadges | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_ManageDiscussionBadges --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_manageorganizationwebhooks.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_manageorganizationwebhooks.mdx
similarity index 96%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_manageorganizationwebhooks.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_manageorganizationwebhooks.mdx
index 075838a..2586f7c 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_manageorganizationwebhooks.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_manageorganizationwebhooks.mdx
@@ -7,7 +7,7 @@ description: '[Organization] Org role can manage organization webhooks'
 ## Edge Schema
-Traversable: ❌
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_managereposecurityproducts.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_managereposecurityproducts.mdx
new file mode 100644
index 0000000..1d5b6f2
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_managereposecurityproducts.mdx
@@ -0,0 +1,14 @@
+---
+title: 'GH_ManageRepoSecurityProducts'
+description: 'Repo role can manage repo-level security products'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: false
+
+## General Information
+
+The non-traversable `GH_ManageRepoSecurityProducts` edge represents a role's ability to manage repository-specific security product settings. This permission is available to Admin roles and custom roles that have been granted this specific permission. Unlike the broader [GH_ManageSecurityProducts](/opengraph/extensions/github/edges/gh_managesecurityproducts) permission, this edge is scoped to repository-level security configuration such as repository-specific scanning settings and alert management. Disabling repository-level security products can create blind spots in vulnerability detection for the specific repository.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesecurityproducts.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_managesecurityproducts.mdx
similarity index 64%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesecurityproducts.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_managesecurityproducts.mdx
index d0fddbf..202b70a 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesecurityproducts.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_managesecurityproducts.mdx
@@ -7,18 +7,7 @@ description: 'Repo role can manage security products'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ManageSecurityProducts | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_ManageSecurityProducts --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingsmergetypes.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingsmergetypes.mdx
similarity index 54%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingsmergetypes.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_managesettingsmergetypes.mdx
index 442970e..e5ca318 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingsmergetypes.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingsmergetypes.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can manage allowed merge types'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ManageSettingsMergeTypes | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_ManageSettingsMergeTypes --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingspages.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingspages.mdx
similarity index 55%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingspages.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_managesettingspages.mdx
index 6addbce..0cd06e7 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingspages.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingspages.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can manage GitHub Pages settings'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ManageSettingsPages | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_ManageSettingsPages --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingsprojects.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingsprojects.mdx
similarity index 53%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingsprojects.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_managesettingsprojects.mdx
index 1e9fa88..7e87738 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingsprojects.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingsprojects.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can manage project settings'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ManageSettingsProjects | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_ManageSettingsProjects --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingswiki.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingswiki.mdx
similarity index 52%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingswiki.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_managesettingswiki.mdx
index 02d3006..fdc557b 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managesettingswiki.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingswiki.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can manage wiki settings'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ManageSettingsWiki | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_ManageSettingsWiki --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managetopics.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_managetopics.mdx
similarity index 54%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managetopics.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_managetopics.mdx
index 4f70fd5..b890b3c 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managetopics.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_managetopics.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can manage repository topics'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ManageTopics | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_ManageTopics --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managewebhooks.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_managewebhooks.mdx
similarity index 64%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managewebhooks.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_managewebhooks.mdx
index a2aa4e6..949a64a 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_managewebhooks.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_managewebhooks.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can manage repository webhooks'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ManageWebhooks | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_ManageWebhooks --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_mapstouser.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_mapstouser.mdx
new file mode 100644
index 0000000..e75c985
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_mapstouser.mdx
@@ -0,0 +1,14 @@
+---
+title: 'GH_MapsToUser'
+description: 'External identity maps to a GitHub user or identity provider user'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: false
+
+## General Information
+
+The non-traversable `GH_MapsToUser` edge maps an external identity (provisioned via SAML or SCIM) to a GitHub user within the organization, or to an external IdP user (such as [AZUser](/resources/nodes/az-user), [Okta_User](/opengraph/extensions/okta/nodes/okta_user), or [PingOneUser](https://github.com/andyrobbins/PingOneHound?tab=readme-ov-file#schema)) in hybrid graph scenarios. It is created by `Git-HoundGraphQlSamlProvider` for SAML-linked identities and `Git-HoundScimUser` for SCIM-provisioned identities. This edge represents identity correlation rather than an attack path, connecting a user's external IdP account to their GitHub account for visibility into federated identity mappings.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_markasduplicate.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_markasduplicate.mdx
similarity index 54%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_markasduplicate.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_markasduplicate.mdx
index b761942..eb56270 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_markasduplicate.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_markasduplicate.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can mark issues or pull requests as duplica
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_MarkAsDuplicate | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_MarkAsDuplicate --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_memberof.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_memberof.mdx
similarity index 55%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_memberof.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_memberof.mdx
index ef7b854..36b406a 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_memberof.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_memberof.mdx
@@ -7,20 +7,7 @@ description: 'Team role is a member of a team, or team is a nested member of a p
 ## Edge Schema
-Traversable: ✅
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) | GH_MemberOf | [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) |
-| [GH_TeamRole](/opengraph/extensions/githound/reference/nodes/gh_teamrole) | GH_MemberOf | [GH_Team](/opengraph/extensions/githound/reference/nodes/gh_team) |
-
-```mermaid
-flowchart LR
- GH_Team["fa:fa-user-group"]:::bhNode
- GH_TeamRole["fa:fa-user-tie"]:::bhNode
- GH_Team -- GH_MemberOf --> GH_Team
- GH_TeamRole -- GH_MemberOf --> GH_Team
-```
+Traversable: true
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgbypasscodescanningdismissalrequests.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_orgbypasscodescanningdismissalrequests.mdx
similarity index 96%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgbypasscodescanningdismissalrequests.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_orgbypasscodescanningdismissalrequests.mdx
index 48dfb42..569dd0a 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgbypasscodescanningdismissalrequests.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_orgbypasscodescanningdismissalrequests.mdx
@@ -7,7 +7,7 @@ description: '[Organization] Org role can bypass code scanning dismissal request
 ## Edge Schema
-Traversable: ❌
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgbypasssecretscanningclosurerequests.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_orgbypasssecretscanningclosurerequests.mdx
similarity index 96%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgbypasssecretscanningclosurerequests.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_orgbypasssecretscanningclosurerequests.mdx
index 6821a60..47860e5 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgbypasssecretscanningclosurerequests.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_orgbypasssecretscanningclosurerequests.mdx
@@ -7,7 +7,7 @@ description: '[Organization] Org role can bypass secret scanning closure request
 ## Edge Schema
-Traversable: ❌
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgreviewandmanagesecretscanningbypassrequests.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_orgreviewandmanagesecretscanningbypassrequests.mdx
similarity index 96%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgreviewandmanagesecretscanningbypassrequests.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_orgreviewandmanagesecretscanningbypassrequests.mdx
index c2fc5c4..e725e3f 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgreviewandmanagesecretscanningbypassrequests.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_orgreviewandmanagesecretscanningbypassrequests.mdx
@@ -7,7 +7,7 @@ description: '[Organization] Org role can review and manage secret scanning bypa
 ## Edge Schema
-Traversable: ❌
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgreviewandmanagesecretscanningclosurerequests.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_orgreviewandmanagesecretscanningclosurerequests.mdx
similarity index 96%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgreviewandmanagesecretscanningclosurerequests.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_orgreviewandmanagesecretscanningclosurerequests.mdx
index 60a4b83..48f0351 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_orgreviewandmanagesecretscanningclosurerequests.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_orgreviewandmanagesecretscanningclosurerequests.mdx
@@ -7,7 +7,7 @@ description: '[Organization] Org role can review and manage secret scanning clos
 ## Edge Schema
-Traversable: ❌
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_owns.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_owns.mdx
similarity index 60%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_owns.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_owns.mdx
index 9a187d4..5ac3076 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_owns.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_owns.mdx
@@ -7,18 +7,7 @@ description: 'Organization owns a repository'
 ## Edge Schema
-Traversable: ✅
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) | GH_Owns | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_Organization["fa:fa-building"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_Organization -- GH_Owns --> GH_Repository
-```
+Traversable: true
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_protectedby.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_protectedby.mdx
similarity index 57%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_protectedby.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_protectedby.mdx
index 0a73487..5979f33 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_protectedby.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_protectedby.mdx
@@ -7,19 +7,8 @@ description: 'Branch protection rule protects this branch'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) | GH_ProtectedBy | [GH_Branch](/opengraph/extensions/githound/reference/nodes/gh_branch) |
-
-```mermaid
-flowchart LR
- GH_BranchProtectionRule["fa:fa-shield"]:::bhNode
- GH_Branch["fa:fa-code-branch"]:::bhNode
- GH_BranchProtectionRule -- GH_ProtectedBy --> GH_Branch
-```
+Traversable: false
 ## General Information
-The non-traversable `GH_ProtectedBy` edge represents that a branch protection rule applies to a specific branch. Created by `Git-HoundBranch` when branch protection rules are collected, this edge links protection rules to the branches they govern. Understanding which protections apply to a branch is critical for determining the effective access model — protections such as required reviews, status checks, and push restrictions directly impact who can modify a branch. This edge is consumed by the computed edge functions (`Compute-GitHoundBranchAccess`) to determine effective push access; the computed [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) and [GH_CanEditProtection](/opengraph/extensions/githound/reference/edges/gh_caneditprotection) edges carry traversability instead.
+The non-traversable `GH_ProtectedBy` edge represents that a branch protection rule applies to a specific branch. Created by `Git-HoundBranch` when branch protection rules are collected, this edge links protection rules to the branches they govern. Understanding which protections apply to a branch is critical for determining the effective access model — protections such as required reviews, status checks, and push restrictions directly impact who can modify a branch.
This edge is consumed by the computed edge functions (`Compute-GitHoundBranchAccess`) to determine effective push access; the computed [GH_CanWriteBranch](/opengraph/extensions/github/edges/gh_canwritebranch) and [GH_CanEditProtection](/opengraph/extensions/github/edges/gh_caneditprotection) edges carry traversability instead.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_pushprotectedbranch.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_pushprotectedbranch.mdx
new file mode 100644
index 0000000..8fbe95a
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_pushprotectedbranch.mdx
@@ -0,0 +1,14 @@
+---
+title: 'GH_PushProtectedBranch'
+description: '[Repository] Repo role can push to branches with push restrictions. Not affected by enforce_admins.'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: false
+
+## General Information
+
+The non-traversable `GH_PushProtectedBranch` edge represents a role's ability to push directly to branches that are protected by push restrictions. This permission is available to Admin and Maintain roles. This edge bypasses the push gate of branch protection, allowing direct commits to protected branches without going through the pull request workflow. Unlike merge gate bypasses (such as [GH_BypassBranchProtection](/opengraph/extensions/github/edges/gh_bypassbranchprotection)), this push gate bypass is NOT suppressed by the `enforce_admins` setting on the branch protection rule, making it a particularly potent permission.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readcodescanning.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_readcodescanning.mdx
similarity index 57%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readcodescanning.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_readcodescanning.mdx
index 3da4f51..b5bdbb4 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readcodescanning.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_readcodescanning.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can read code scanning results'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ReadCodeScanning | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_ReadCodeScanning --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationactionsusagemetrics.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationactionsusagemetrics.mdx
similarity index 96%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationactionsusagemetrics.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationactionsusagemetrics.mdx
index 3b458d6..832d3e0 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationactionsusagemetrics.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationactionsusagemetrics.mdx
@@ -7,7 +7,7 @@ description: '[Organization] Org role can read Actions usage metrics'
 ## Edge Schema
-Traversable: ❌
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationcustomorgrole.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationcustomorgrole.mdx
similarity index 96%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationcustomorgrole.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationcustomorgrole.mdx
index 9c2a8d5..aec96e1 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationcustomorgrole.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationcustomorgrole.mdx
@@ -7,7 +7,7 @@ description: '[Organization] Org role can read custom org role definitions'
 ## Edge Schema
-Traversable: ❌
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationcustomreporole.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationcustomreporole.mdx
similarity index 96%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationcustomreporole.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationcustomreporole.mdx
index 9f1621e..c50ec65 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readorganizationcustomreporole.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationcustomreporole.mdx
@@ -7,7 +7,7 @@ description: '[Organization] Org role can read custom repo role definitions'
 ## Edge Schema
-Traversable: ❌
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readrepocontents.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_readrepocontents.mdx
similarity index 55%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readrepocontents.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_readrepocontents.mdx
index 882cd91..4f1f5b2 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_readrepocontents.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_readrepocontents.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can read repository contents'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ReadRepoContents | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_ReadRepoContents --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_removeassignee.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_removeassignee.mdx
similarity index 55%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_removeassignee.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_removeassignee.mdx
index 5dc1f5b..0131f77 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_removeassignee.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_removeassignee.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can remove assignees from issues and pull r
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_RemoveAssignee | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_RemoveAssignee --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_removelabel.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_removelabel.mdx
similarity index 54%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_removelabel.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_removelabel.mdx
index aeb8d87..07f13a5 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_removelabel.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_removelabel.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can remove labels from issues and pull requ
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_RemoveLabel | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_RemoveLabel --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopendiscussion.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_reopendiscussion.mdx
similarity index 53%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopendiscussion.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_reopendiscussion.mdx
index 0ba49ce..a76d580 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopendiscussion.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_reopendiscussion.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can reopen discussions'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ReopenDiscussion | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_ReopenDiscussion --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopenissue.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_reopenissue.mdx
similarity index 52%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopenissue.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_reopenissue.mdx
index 7dd4d59..5068e94 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopenissue.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_reopenissue.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can reopen closed issues'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ReopenIssue | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_ReopenIssue --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopenpullrequest.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_reopenpullrequest.mdx
similarity index 53%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopenpullrequest.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_reopenpullrequest.mdx
index 2038977..abcc456 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_reopenpullrequest.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_reopenpullrequest.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can reopen closed pull requests'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ReopenPullRequest | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_ReopenPullRequest --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_requestprreview.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_requestprreview.mdx
similarity index 54%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_requestprreview.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_requestprreview.mdx
index a64b859..0a5962f 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_requestprreview.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_requestprreview.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can request pull request reviews'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_RequestPrReview | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_RequestPrReview --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_resolvedependabotalerts.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_resolvedependabotalerts.mdx
similarity index 57%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_resolvedependabotalerts.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_resolvedependabotalerts.mdx
index 365fd7c..e952a97 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_resolvedependabotalerts.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_resolvedependabotalerts.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can resolve Dependabot alerts'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ResolveDependabotAlerts | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_ResolveDependabotAlerts --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_resolvesecretscanningalerts.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_resolvesecretscanningalerts.mdx
new file mode 100644
index 0000000..8d07574
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_resolvesecretscanningalerts.mdx
@@ -0,0 +1,14 @@
+---
+title: 'GH_ResolveSecretScanningAlerts'
+description: '[Organization] Org role can resolve secret scanning alerts'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: false
+
+## General Information
+
+The non-traversable `GH_ResolveSecretScanningAlerts` edge represents that a role can resolve (close) secret scanning alerts at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. Resolving a secret scanning alert marks a leaked secret as addressed, which removes it from active monitoring dashboards. An attacker with this permission could suppress alerts about leaked credentials to prevent incident response teams from detecting and rotating compromised secrets.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_restrictionscanpush.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_restrictionscanpush.mdx
similarity index 52%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_restrictionscanpush.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_restrictionscanpush.mdx
index bc58f98..4be127b 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_restrictionscanpush.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_restrictionscanpush.mdx
@@ -7,19 +7,8 @@ description: 'User or team is allowed to push to branches protected by this rule
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) | GH_RestrictionsCanPush | [GH_BranchProtectionRule](/opengraph/extensions/githound/reference/nodes/gh_branchprotectionrule) |
-
-```mermaid
-flowchart LR
- GH_User["fa:fa-user"]:::bhNode
- GH_BranchProtectionRule["fa:fa-shield"]:::bhNode
- GH_User -- GH_RestrictionsCanPush --> GH_BranchProtectionRule
-```
+Traversable: false
 ## General Information
-The non-traversable `GH_RestrictionsCanPush` edge represents a per-actor allowance that grants push access through push restrictions on a branch protection rule. Created by `Git-HoundBranch` when collecting BPR push allowances, this edge identifies specific users or teams that are permitted to push to the protected branch even when push restrictions are active. This is security-relevant because push restrictions limit who can directly push to a branch, and actors with this allowance bypass that control. Unlike [GH_BypassPullRequestAllowances](/opengraph/extensions/githound/reference/edges/gh_bypasspullrequestallowances), this allowance is NOT suppressed by `enforce_admins` — listed actors retain push access regardless of admin enforcement settings.
+The non-traversable `GH_RestrictionsCanPush` edge represents a per-actor allowance that grants push access through push restrictions on a branch protection rule. Created by `Git-HoundBranch` when collecting BPR push allowances, this edge identifies specific users or teams that are permitted to push to the protected branch even when push restrictions are active. This is security-relevant because push restrictions limit who can directly push to a branch, and actors with this allowance bypass that control.
 Unlike [GH_BypassPullRequestAllowances](/opengraph/extensions/github/edges/gh_bypasspullrequestallowances), this allowance is NOT suppressed by `enforce_admins` — listed actors retain push access regardless of admin enforcement settings.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_runorgmigration.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_runorgmigration.mdx
similarity index 63%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_runorgmigration.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_runorgmigration.mdx
index 9ddbbdb..42db234 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_runorgmigration.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_runorgmigration.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can run organization migrations'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_RunOrgMigration | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_RunOrgMigration --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setinteractionlimits.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_setinteractionlimits.mdx
similarity index 56%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setinteractionlimits.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_setinteractionlimits.mdx
index 39ba15c..9ae2cd8 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setinteractionlimits.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_setinteractionlimits.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can set interaction limits on the repositor
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_SetInteractionLimits | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_SetInteractionLimits --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setissuetype.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_setissuetype.mdx
similarity index 52%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setissuetype.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_setissuetype.mdx
index 3d94781..f498bf7 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setissuetype.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_setissuetype.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can set issue types'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_SetIssueType | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_SetIssueType --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setmilestone.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_setmilestone.mdx
similarity index 54%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setmilestone.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_setmilestone.mdx
index 78f49c8..736b4f9 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setmilestone.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_setmilestone.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can set milestones on issues and pull reque
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_SetMilestone | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_SetMilestone --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setsocialpreview.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_setsocialpreview.mdx
similarity index 54%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setsocialpreview.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_setsocialpreview.mdx
index 914c3bc..996e336 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_setsocialpreview.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_setsocialpreview.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can set the repository social preview image
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_SetSocialPreview | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_SetSocialPreview --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_syncedto.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_syncedto.mdx
similarity index 67%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_syncedto.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_syncedto.mdx
index 3d094c4..2e661ee 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_syncedto.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_syncedto.mdx
@@ -7,18 +7,7 @@ description: 'External identity (Azure, Okta, PingOne) is synced to this GitHub
 ## Edge Schema
-Traversable: ✅
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_ExternalIdentity](/opengraph/extensions/githound/reference/nodes/gh_externalidentity) | GH_SyncedTo | [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) |
-
-```mermaid
-flowchart LR
- GH_ExternalIdentity["fa:fa-arrows-left-right"]:::bhNode
- GH_User["fa:fa-user"]:::bhNode
- GH_ExternalIdentity -- GH_SyncedTo --> GH_User
-```
+Traversable: true
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_togglediscussionanswer.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_togglediscussionanswer.mdx
similarity index 54%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_togglediscussionanswer.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_togglediscussionanswer.mdx
index 57d48a5..ed74acc 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_togglediscussionanswer.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_togglediscussionanswer.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can toggle discussion answers'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ToggleDiscussionAnswer | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_ToggleDiscussionAnswer --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_togglediscussioncommentminimize.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_togglediscussioncommentminimize.mdx
similarity index 55%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_togglediscussioncommentminimize.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_togglediscussioncommentminimize.mdx
index 4944ac0..fbd3611 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_togglediscussioncommentminimize.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_togglediscussioncommentminimize.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can minimize discussion comments'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ToggleDiscussionCommentMinimize | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_ToggleDiscussionCommentMinimize --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_transferrepository.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_transferrepository.mdx
similarity index 62%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_transferrepository.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_transferrepository.mdx
index 499cffd..af200a2 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_transferrepository.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_transferrepository.mdx
@@ -7,18 +7,7 @@ description: '[Organization] Org role can transfer repositories'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | GH_TransferRepository | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) |
-
-```mermaid
-flowchart LR
- GH_OrgRole["fa:fa-user-tie"]:::bhNode
- GH_Organization["fa:fa-building"]:::bhNode
- GH_OrgRole -- GH_TransferRepository --> GH_Organization
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_usessecret.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_usessecret.mdx
similarity index 85%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_usessecret.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_usessecret.mdx
index 8fd7739..6cf8a72 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_usessecret.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_usessecret.mdx
@@ -7,7 +7,7 @@ description: '[Workflow] Step references a secret by name — GH_WorkflowStep
 ## Edge Schema
-Traversable: ✅
+Traversable: false
 ## General Information
@@ -18,7 +18,7 @@ The traversable `GH_UsesSecret` edge links a workflow step to the secret it refe
 Edges use `match_by: property` with two matchers to disambiguate between secrets with the same name across repositories:
 - **GH_RepoSecret** is matched by `name` + `repository_id` (the GitHub node_id of the repository).
-- **GH_OrgSecret** is matched by `name` + `environmentid` (the node_id of the organization, which acts as the org-level secret scope).
+- **[GH_OrgSecret](/opengraph/extensions/github/nodes/gh_orgsecret)** is matched by `name` + `environmentid` (the node_id of the organization, which acts as the org-level secret scope).
 This means one `${{ secrets.MY_SECRET }}` expression in a workflow can produce up to two `GH_UsesSecret` edges — one to the repo-level secret and one to the org-level secret — reflecting that either could supply the value at runtime depending on scope precedence.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_usesvariable.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_usesvariable.mdx
similarity index 84%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_usesvariable.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_usesvariable.mdx
index 9221023..7e593b0 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_usesvariable.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_usesvariable.mdx
@@ -7,7 +7,7 @@ description: '[Workflow] Step references a variable by name — GH_WorkflowStep
 ## Edge Schema
-Traversable: ❌
+Traversable: false
 ## General Information
@@ -18,7 +18,7 @@ The non-traversable `GH_UsesVariable` edge links a workflow step to the variable
 Edges use `match_by: property` with two matchers to disambiguate between variables with the same name across repositories:
 - **GH_RepoVariable** is matched by `name` + `repository_id` (the GitHub node_id of the repository).
-- **[GH_OrgVariable](/opengraph/extensions/githound/reference/nodes/gh_orgvariable)** is matched by `name` + `environmentid` (the node_id of the organization, which acts as the org-level variable scope).
+- **GH_OrgVariable** is matched by `name` + `environmentid` (the node_id of the organization, which acts as the org-level variable scope).
 This means one `${{ vars.MY_VAR }}` expression can produce up to two `GH_UsesVariable` edges — one to the repo-level variable and one to the org-level variable.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_validtoken.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_validtoken.mdx
similarity index 65%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_validtoken.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_validtoken.mdx
index a5a9495..9fe912a 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_validtoken.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_validtoken.mdx
@@ -7,18 +7,7 @@ description: 'Secret scanning alert contains a valid, active token belonging to
 ## Edge Schema
-Traversable: ✅
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_SecretScanningAlert](/opengraph/extensions/githound/reference/nodes/gh_secretscanningalert) | GH_ValidToken | [GH_User](/opengraph/extensions/githound/reference/nodes/gh_user) |
-
-```mermaid
-flowchart LR
- GH_SecretScanningAlert["fa:fa-key"]:::bhNode
- GH_User["fa:fa-user"]:::bhNode
- GH_SecretScanningAlert -- GH_ValidToken --> GH_User
-```
+Traversable: true
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_viewdependabotalerts.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_viewdependabotalerts.mdx
similarity index 59%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_viewdependabotalerts.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_viewdependabotalerts.mdx
index a8aac7f..c9efae1 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_viewdependabotalerts.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_viewdependabotalerts.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can view Dependabot alerts'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ViewDependabotAlerts | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_ViewDependabotAlerts --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_viewsecretscanningalerts.mdx
similarity index 51%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_viewsecretscanningalerts.mdx
index 92ddb02..2574c93 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_viewsecretscanningalerts.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_viewsecretscanningalerts.mdx
@@ -7,22 +7,7 @@ description: '[Repository] Role can view secret scanning alerts'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_OrgRole](/opengraph/extensions/githound/reference/nodes/gh_orgrole) | GH_ViewSecretScanningAlerts | [GH_Organization](/opengraph/extensions/githound/reference/nodes/gh_organization) |
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_ViewSecretScanningAlerts | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_OrgRole["fa:fa-user-tie"]:::bhNode
- GH_Organization["fa:fa-building"]:::bhNode
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_OrgRole -- GH_ViewSecretScanningAlerts --> GH_Organization
- GH_RepoRole -- GH_ViewSecretScanningAlerts --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writecodescanning.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_writecodescanning.mdx
similarity index 57%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writecodescanning.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_writecodescanning.mdx
index adce611..6f5e362 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writecodescanning.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_writecodescanning.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can upload code scanning results'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_WriteCodeScanning | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_WriteCodeScanning --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionssecrets.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionssecrets.mdx
similarity index 96%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionssecrets.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionssecrets.mdx
index 0d5e0f2..b7d82da 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionssecrets.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionssecrets.mdx
@@ -7,7 +7,7 @@ description: '[Organization] Org role can write Actions secrets'
 ## Edge Schema
-Traversable: ❌
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionssettings.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionssettings.mdx
similarity index 96%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionssettings.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionssettings.mdx
index 77f6925..9ca3420 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionssettings.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionssettings.mdx
@@ -7,7 +7,7 @@ description: '[Organization] Org role can write Actions settings'
 ## Edge Schema
-Traversable: ❌
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionsvariables.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionsvariables.mdx
similarity index 96%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionsvariables.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionsvariables.mdx
index 67a1bf9..93a32e7 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationactionsvariables.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionsvariables.mdx
@@ -7,7 +7,7 @@ description: '[Organization] Org role can write Actions variables'
 ## Edge Schema
-Traversable: ❌
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationcustomorgrole.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationcustomorgrole.mdx
similarity index 96%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationcustomorgrole.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationcustomorgrole.mdx
index 264031f..71cc56a 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationcustomorgrole.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationcustomorgrole.mdx
@@ -7,7 +7,7 @@ description: '[Organization] Org role can write custom org role definitions'
 ## Edge Schema
-Traversable: ✅
+Traversable: true
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationcustomreporole.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationcustomreporole.mdx
similarity index 96%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationcustomreporole.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationcustomreporole.mdx
index 9fc952f..b2b55c5 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationcustomreporole.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationcustomreporole.mdx
@@ -7,7 +7,7 @@ description: '[Organization] Org role can write custom repo role definitions'
 ## Edge Schema
-Traversable: ❌
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationnetworkconfigurations.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationnetworkconfigurations.mdx
similarity index 96%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationnetworkconfigurations.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationnetworkconfigurations.mdx
index f23a96d..a0f2374 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writeorganizationnetworkconfigurations.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationnetworkconfigurations.mdx
@@ -7,7 +7,7 @@ description: '[Organization] Org role can write network configurations'
 ## Edge Schema
-Traversable: ❌
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writerepocontents.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_writerepocontents.mdx
similarity index 55%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writerepocontents.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_writerepocontents.mdx
index 4ec4fc3..f811d5e 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writerepocontents.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_writerepocontents.mdx
@@ -7,19 +7,8 @@ description: '[Repository] Repo role can write repository contents'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_WriteRepoContents | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_WriteRepoContents --> GH_Repository
-```
+Traversable: false
 ## General Information
-The non-traversable `GH_WriteRepoContents` edge represents a role's ability to push commits to the repository. This permission is available to Write, Maintain, and Admin roles. Pushing code can modify application behavior and introduce vulnerabilities, making this a security-significant edge. However, this edge represents only the raw permission; actual branch push capability is determined by the computed [GH_CanWriteBranch](/opengraph/extensions/githound/reference/edges/gh_canwritebranch) edge, which factors in branch protection rules and push restrictions.
+The non-traversable `GH_WriteRepoContents` edge represents a role's ability to push commits to the repository. This permission is available to Write, Maintain, and Admin roles. Pushing code can modify application behavior and introduce vulnerabilities, making this a security-significant edge. However, this edge represents only the raw permission; actual branch push capability is determined by the computed [GH_CanWriteBranch](/opengraph/extensions/github/edges/gh_canwritebranch) edge, which factors in branch protection rules and push restrictions.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writerepopullrequests.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_writerepopullrequests.mdx
similarity index 61%
rename from docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writerepopullrequests.mdx
rename to docs/official-docs/opengraph/extensions/github/edges/gh_writerepopullrequests.mdx
index 8728258..ab5cde7 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/edges/gh_writerepopullrequests.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_writerepopullrequests.mdx
@@ -7,18 +7,7 @@ description: '[Repository] Repo role can create and merge pull requests'
 ## Edge Schema
-Traversable: ❌
-
-| Start | Kind | End |
-|-------|-----------|-------|
-| [GH_RepoRole](/opengraph/extensions/githound/reference/nodes/gh_reporole) | GH_WriteRepoPullRequests | [GH_Repository](/opengraph/extensions/githound/reference/nodes/gh_repository) |
-
-```mermaid
-flowchart LR
- GH_RepoRole["fa:fa-user-tie"]:::bhNode
- GH_Repository["fa:fa-box-archive"]:::bhNode
- GH_RepoRole -- GH_WriteRepoPullRequests --> GH_Repository
-```
+Traversable: false
 ## General Information
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_app.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_app.mdx
new file mode 100644
index 0000000..784c6f4
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/nodes/gh_app.mdx
@@ -0,0 +1,13 @@
+---
+title: 'GH_App'
+description: 'A GitHub App definition representing the registered application. The app owner controls the private key used to generate installation tokens.'
+icon: '/images/extensions/github/gh_app.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents a GitHub App definition — the registered application entity. The app owner holds the private key that can generate installation access tokens for **every** [GH_AppInstallation](/opengraph/extensions/github/nodes/gh_appinstallation) of this app. If the private key is compromised, all installations across all organizations are affected.
+
+App definitions are retrieved via the public `GET /apps/{app_slug}` endpoint (no authentication required) after discovering unique app slugs from the organization's app installations.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_appinstallation.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_appinstallation.mdx
new file mode 100644
index 0000000..965a688
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/nodes/gh_appinstallation.mdx
@@ -0,0 +1,13 @@
+---
+title: 'GH_AppInstallation'
+description: 'A GitHub App installed on the organization with specific permissions and repository access'
+icon: '/images/extensions/github/gh_appinstallation.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents a GitHub App installed on an organization. App installations have specific permissions and can be scoped to all repositories or a selection of repositories. The permissions granted to the app are captured as a JSON string in the properties.
+
+Each installation is linked to its parent [GH_App](/opengraph/extensions/github/nodes/gh_app) via a [GH_InstalledAs](/opengraph/extensions/github/edges/gh_installedas) edge. For installations with `repository_selection` set to `all`, [GH_CanAccess](/opengraph/extensions/github/edges/gh_canaccess) edges are created to every repository in the organization. For installations with `repository_selection` set to `selected`, repository-level edges cannot be enumerated with a PAT (requires app installation token authentication).
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_branch.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_branch.mdx
new file mode 100644
index 0000000..6f31223
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/nodes/gh_branch.mdx
@@ -0,0 +1,11 @@
+---
+title: 'GH_Branch'
+description: 'A named reference in a repository representing a line of development'
+icon: '/images/extensions/github/gh_branch.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents a Git branch within a repository. Branch nodes capture basic branch information and whether the branch is protected. Protection rule details are stored in separate [GH_BranchProtectionRule](/opengraph/extensions/github/nodes/gh_branchprotectionrule) nodes, linked via [GH_ProtectedBy](/opengraph/extensions/github/edges/gh_protectedby) edges.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_branchprotectionrule.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_branchprotectionrule.mdx
new file mode 100644
index 0000000..9473522
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/nodes/gh_branchprotectionrule.mdx
@@ -0,0 +1,42 @@
+---
+title: 'GH_BranchProtectionRule'
+description: 'A branch protection rule that applies to one or more branches via pattern matching'
+icon: '/images/extensions/github/gh_branchprotectionrule.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents a branch protection rule configured on a GitHub repository. Protection rules define requirements that must be met before changes can be merged to matching branches, such as required reviews, status checks, and restrictions on who can push.
+
+A single protection rule can apply to multiple branches via pattern matching (e.g., `main`, `release/*`).
+
+## Security Considerations
+
+Branch protection rules are critical security controls. Key settings to review:
+
+- **enforce_admins**: Enforces merge-gate controls (PR reviews, lock branch) for admins and users with `bypass_branch_protection`. Does **not** enforce push-gate controls (`push_restrictions`) for admins or users with `push_protected_branch`.
+- **required_pull_request_reviews**: Blocks direct pushes to existing protected branches. Bypassed by [GH_BypassBranchProtection](/opengraph/extensions/github/edges/gh_bypassbranchprotection) and [GH_BypassPullRequestAllowances](/opengraph/extensions/github/edges/gh_bypasspullrequestallowances) (both suppressed by `enforce_admins`).
+- **push_restrictions**: Restricts who can push. Bypassed by [GH_PushProtectedBranch](/opengraph/extensions/github/edges/gh_pushprotectedbranch), [GH_AdminTo](/opengraph/extensions/github/edges/gh_adminto), and [GH_RestrictionsCanPush](/opengraph/extensions/github/edges/gh_restrictionscanpush) (none suppressed by `enforce_admins`).
+- **blocks_creations**: Restricts new branch creation when `push_restrictions` is also `true`. Same bypass vectors as `push_restrictions`. Silently reverts to `false` if `push_restrictions` is disabled.
+- **lock_branch**: Makes branch read-only.
Bypassed by [GH_BypassBranchProtection](/opengraph/extensions/github/edges/gh_bypassbranchprotection) (suppressed by `enforce_admins`).
+- **require_code_owner_reviews**: If `false`, changes to critical paths may not require owner approval.
+- **allows_force_pushes**: Controls whether history rewrites are allowed. Does **not** grant push access — it is not a bypass mechanism.
+- **allows_deletions**: If `true`, branches can be deleted (potentially losing code).
+
+### Secret Exfiltration Mitigation
+
+The only branch protection configuration that blocks the write-access → workflow → secrets exfiltration attack path is `push_restrictions` + `blocks_creations` on a `*` pattern rule. However, users with [GH_PushProtectedBranch](/opengraph/extensions/github/edges/gh_pushprotectedbranch), [GH_AdminTo](/opengraph/extensions/github/edges/gh_adminto), [GH_RestrictionsCanPush](/opengraph/extensions/github/edges/gh_restrictionscanpush), or [GH_EditRepoProtections](/opengraph/extensions/github/edges/gh_editrepoprotections) can bypass this control.
+
+For complete analysis, see [BloodHound Docs: GitHound - Mitigating Controls](/opengraph/extensions/github/mitigating-controls).
+
+### Identifying Bypass Actors
+
+Use these edges to identify users and teams with elevated branch permissions:
+
+- [GH_BypassPullRequestAllowances](/opengraph/extensions/github/edges/gh_bypasspullrequestallowances) — can bypass PR requirements on a specific rule (PR reviews only)
+- [GH_RestrictionsCanPush](/opengraph/extensions/github/edges/gh_restrictionscanpush) — can push despite push restrictions on a specific rule
+- [GH_BypassBranchProtection](/opengraph/extensions/github/edges/gh_bypassbranchprotection) — repo-wide bypass of merge-gate controls (PR reviews + lock branch)
+- [GH_PushProtectedBranch](/opengraph/extensions/github/edges/gh_pushprotectedbranch) — repo-wide bypass of push-gate controls (push restrictions + blocks creations)
+- [GH_EditRepoProtections](/opengraph/extensions/github/edges/gh_editrepoprotections) — can remove/modify protection rules entirely
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_environment.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_environment.mdx
new file mode 100644
index 0000000..b7d8131
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/nodes/gh_environment.mdx
@@ -0,0 +1,11 @@
+---
+title: 'GH_Environment'
+description: 'A GitHub Actions deployment environment with protection rules and deployment branch policies'
+icon: '/images/extensions/github/gh_environment.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents a GitHub Actions deployment environment configured on a repository. Environments can have protection rules including required reviewers, wait timers, and deployment branch policies. When custom branch policies are configured, the environment is connected to specific branches; otherwise, it is connected directly to the repository.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_environmentsecret.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_environmentsecret.mdx
new file mode 100644
index 0000000..08a6a93
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/nodes/gh_environmentsecret.mdx
@@ -0,0 +1,11 @@
+---
+title: 'GH_EnvironmentSecret'
+description: 'An environment-level GitHub Actions secret scoped to a specific deployment environment'
+icon: '/images/extensions/github/gh_environmentsecret.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents an environment-level GitHub Actions secret. These secrets are scoped to a specific deployment environment and are only available to workflow jobs that reference that environment.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_environmentvariable.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_environmentvariable.mdx
new file mode 100644
index 0000000..e090cfc
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/nodes/gh_environmentvariable.mdx
@@ -0,0 +1,11 @@
+---
+title: 'GH_EnvironmentVariable'
+description: 'An environment-level GitHub Actions variable scoped to a specific deployment environment. Unlike secrets, variable values are readable.'
+icon: '/images/extensions/github/gh_environmentvariable.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents an environment-level GitHub Actions variable. These variables are scoped to a specific deployment environment and are only available to workflow jobs that reference that environment. Unlike secrets, variable values are readable via the API.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_externalidentity.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_externalidentity.mdx
new file mode 100644
index 0000000..1409778
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/nodes/gh_externalidentity.mdx
@@ -0,0 +1,11 @@
+---
+title: 'GH_ExternalIdentity'
+description: 'An external identity from a SAML/SCIM provider linked to a GitHub user for SSO authentication'
+icon: '/images/extensions/github/gh_externalidentity.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents an external identity from a SAML or SCIM identity provider that is linked to a GitHub user. External identities map corporate user accounts (from providers like Okta, Azure AD, etc.) to GitHub user accounts, enabling single sign-on authentication. Each external identity can have both SAML and SCIM identity attributes.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_organization.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_organization.mdx
new file mode 100644
index 0000000..56b036b
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/nodes/gh_organization.mdx
@@ -0,0 +1,11 @@
+---
+title: 'GH_Organization'
+description: 'A GitHub Organization—top-level container for repositories, teams, and settings'
+icon: '/images/extensions/github/gh_organization.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents a GitHub organization. This is the root node of the graph and serves as the primary container for all other nodes. Organization-level settings such as default repository permissions, Actions configuration, and security features are captured as properties on this node.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_orgrole.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_orgrole.mdx
new file mode 100644
index 0000000..ccdbedf
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/nodes/gh_orgrole.mdx
@@ -0,0 +1,11 @@
+---
+title: 'GH_OrgRole'
+description: 'The role a user has at the organization level (e.g., admin, member)'
+icon: '/images/extensions/github/gh_orgrole.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents an organization-level role such as Owner, Member, or a custom organization role. Org roles define what permissions a user or team has at the organization level. The Owner and Member roles are default (built-in), while custom roles inherit from a base role and can have additional permissions.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_orgsecret.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_orgsecret.mdx
new file mode 100644
index 0000000..c979f58
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/nodes/gh_orgsecret.mdx
@@ -0,0 +1,11 @@
+---
+title: 'GH_OrgSecret'
+description: 'An organization-level GitHub Actions secret that can be scoped to all, private, or selected repositories'
+icon: '/images/extensions/github/gh_orgsecret.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents an organization-level GitHub Actions secret. Organization secrets can be scoped to all repositories, only private/internal repositories, or a specific set of selected repositories. The visibility property determines how [GH_HasSecret](/opengraph/extensions/github/edges/gh_hassecret) edges are resolved to repository nodes.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_orgvariable.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_orgvariable.mdx
new file mode 100644
index 0000000..73b1084
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/nodes/gh_orgvariable.mdx
@@ -0,0 +1,11 @@
+---
+title: 'GH_OrgVariable'
+description: 'An organization-level GitHub Actions variable that can be scoped to all, private, or selected repositories. Unlike secrets, variable values are readable.'
+icon: '/images/extensions/github/gh_orgvariable.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents an organization-level GitHub Actions variable. Organization variables can be scoped to all repositories, only private/internal repositories, or a specific set of selected repositories. The visibility property determines how [GH_HasVariable](/opengraph/extensions/github/edges/gh_hasvariable) edges are resolved to repository nodes. Unlike secrets, variable values are readable via the API.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_personalaccesstoken.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_personalaccesstoken.mdx
new file mode 100644
index 0000000..eba69b3
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/nodes/gh_personalaccesstoken.mdx
@@ -0,0 +1,11 @@
+---
+title: 'GH_PersonalAccessToken'
+description: 'A fine-grained personal access token granted access to organization resources'
+icon: '/images/extensions/github/gh_personalaccesstoken.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents a fine-grained personal access token that has been granted access to organization resources. PATs are linked to their owning user, the organization, and the repositories they can access. The permissions granted to the token are captured as a JSON string in the properties.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_personalaccesstokenrequest.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_personalaccesstokenrequest.mdx
new file mode 100644
index 0000000..a2a7615
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/nodes/gh_personalaccesstokenrequest.mdx
@@ -0,0 +1,11 @@
+---
+title: 'GH_PersonalAccessTokenRequest'
+description: 'A pending request from an organization member to access organization resources with a fine-grained personal access token'
+icon: '/images/extensions/github/gh_personalaccesstokenrequest.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents a pending request from an organization member to access organization resources with a fine-grained personal access token. PAT requests are linked to their owning user and the organization. The requested permissions are captured as a JSON string in the properties.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_reporole.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_reporole.mdx
new file mode 100644
index 0000000..99bbbf5
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/nodes/gh_reporole.mdx
@@ -0,0 +1,11 @@
+---
+title: 'GH_RepoRole'
+description: 'The permission granted to a user or team on a repository (e.g., admin, write, read)'
+icon: '/images/extensions/github/gh_reporole.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents a repository-level permission role. Each repository has five default roles (Read, Write, Admin, Triage, Maintain) plus any custom repository roles defined at the organization level. Repo roles define what actions a user or team can perform on a specific repository. Default roles form an inheritance hierarchy (Triage -> Read, Maintain -> Write, Admin includes all), and custom roles inherit from one of the base roles.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_reposecret.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_reposecret.mdx
new file mode 100644
index 0000000..270117d
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/nodes/gh_reposecret.mdx
@@ -0,0 +1,11 @@
+---
+title: 'GH_RepoSecret'
+description: 'A repository-level GitHub Actions secret accessible only to workflows in that repository'
+icon: '/images/extensions/github/gh_reposecret.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents a repository-level GitHub Actions secret. These are secrets defined directly on a specific repository and are only accessible to workflows running in that repository.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_repository.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_repository.mdx
new file mode 100644
index 0000000..333e14e
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/nodes/gh_repository.mdx
@@ -0,0 +1,11 @@
+---
+title: 'GH_Repository'
+description: 'A code repository in an organization, containing files, issues, and other resources'
+icon: '/images/extensions/github/gh_repository.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents a GitHub repository within the organization. Repository nodes capture metadata about the repo including visibility, Actions enablement status, and security configuration. Repository role nodes ([GH_RepoRole](/opengraph/extensions/github/nodes/gh_reporole)) are created alongside each repository to represent the permission levels available.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_repovariable.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_repovariable.mdx
new file mode 100644
index 0000000..5b14661
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/nodes/gh_repovariable.mdx
@@ -0,0 +1,11 @@
+---
+title: 'GH_RepoVariable'
+description: 'A repository-level GitHub Actions variable accessible only to workflows in that repository. Unlike secrets, variable values are readable.'
+icon: '/images/extensions/github/gh_repovariable.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents a repository-level GitHub Actions variable. These are variables defined directly on a specific repository and are only accessible to workflows running in that repository. Unlike secrets, variable values are readable via the API.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_samlidentityprovider.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_samlidentityprovider.mdx
new file mode 100644
index 0000000..8c0d8e2
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/nodes/gh_samlidentityprovider.mdx
@@ -0,0 +1,11 @@
+---
+title: 'GH_SamlIdentityProvider'
+description: 'A SAML identity provider configured for the organization, enabling SSO'
+icon: '/images/extensions/github/gh_samlidentityprovider.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents a SAML identity provider configured for the organization. This node captures the SAML SSO configuration details and serves as the parent container for external identity mappings. Through external identities, it enables linking GitHub users to their corporate identities in the identity provider.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_secretscanningalert.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_secretscanningalert.mdx
new file mode 100644
index 0000000..b3084ee
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/nodes/gh_secretscanningalert.mdx
@@ -0,0 +1,11 @@
+---
+title: 'GH_SecretScanningAlert'
+description: 'A GitHub Advanced Security alert indicating a secret was accidentally committed to a repository'
+icon: '/images/extensions/github/gh_secretscanningalert.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents a GitHub secret scanning alert detected in a repository. Secret scanning alerts are raised when GitHub detects a known secret pattern (such as an API key, token, or credential) committed to a repository. The alert captures the secret type, validity status, and current resolution state.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_team.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_team.mdx
new file mode 100644
index 0000000..161f27a
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/nodes/gh_team.mdx
@@ -0,0 +1,11 @@
+---
+title: 'GH_Team'
+description: 'A team within an organization, grouping users for shared access and collaboration'
+icon: '/images/extensions/github/gh_team.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents a GitHub team within the organization. Teams can have parent-child relationships, contain members with different roles (Member, Maintainer), and be assigned to repository roles.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_teamrole.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_teamrole.mdx
new file mode 100644
index 0000000..74e1fbd
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/nodes/gh_teamrole.mdx
@@ -0,0 +1,11 @@
+---
+title: 'GH_TeamRole'
+description: 'The role a user has within a team (e.g., maintainer, member)'
+icon: '/images/extensions/github/gh_teamrole.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents a role within a GitHub team. Each team has two built-in roles: Member and Maintainer. Maintainers can add and remove team members. Team roles connect users to teams and transitively to any repository roles assigned to the team.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_user.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_user.mdx
new file mode 100644
index 0000000..9281e63
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/nodes/gh_user.mdx
@@ -0,0 +1,11 @@
+---
+title: 'GH_User'
+description: 'An individual GitHub user account'
+icon: '/images/extensions/github/gh_user.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents a GitHub user who is a member of the organization. Users are associated with organization roles (Owner or Member) and can be assigned to repository roles and team roles.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_workflow.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_workflow.mdx
new file mode 100644
index 0000000..1a9b1cf
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/nodes/gh_workflow.mdx
@@ -0,0 +1,11 @@
+---
+title: 'GH_Workflow'
+description: 'A GitHub Actions workflow defined in a repository'
+icon: '/images/extensions/github/gh_workflow.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Description
+
+Represents a GitHub Actions workflow defined in a repository. Workflow nodes capture the workflow definition metadata including its file path, state, containing repository, and the full YAML contents of the workflow file. Only repositories with GitHub Actions enabled are queried for workflows.
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_workflowjob.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_workflowjob.mdx
similarity index 87%
rename from docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_workflowjob.mdx
rename to docs/official-docs/opengraph/extensions/github/nodes/gh_workflowjob.mdx
index c937064..d545bb1 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_workflowjob.mdx
+++ b/docs/official-docs/opengraph/extensions/github/nodes/gh_workflowjob.mdx
@@ -1,7 +1,7 @@
 ---
 title: 'GH_WorkflowJob'
 description: 'A job within a GitHub Actions workflow, with a runner, permissions, and an ordered list of steps'
-icon: '/images/extensions/githound/reference/gh_workflowjob.png'
+icon: '/images/extensions/github/gh_workflowjob.png'
 ---
 Applies to BloodHound Enterprise and CE
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_workflowstep.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_workflowstep.mdx
similarity index 87%
rename from docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_workflowstep.mdx
rename to docs/official-docs/opengraph/extensions/github/nodes/gh_workflowstep.mdx
index fe8c6df..a1da800 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/nodes/gh_workflowstep.mdx
+++ b/docs/official-docs/opengraph/extensions/github/nodes/gh_workflowstep.mdx
@@ -1,7 +1,7 @@
 ---
 title: 'GH_WorkflowStep'
 description: 'A single step within a GitHub Actions job — either a uses: action reference or a run: shell command'
-icon: '/images/extensions/githound/reference/gh_workflowstep.png'
+icon: '/images/extensions/github/gh_workflowstep.png'
 ---
 Applies to BloodHound Enterprise and CE
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/privilege-zone-rules.mdx b/docs/official-docs/opengraph/extensions/github/privilege-zone-rules.mdx
similarity index 92%
rename from docs/official-docs/opengraph/extensions/githound/reference/privilege-zone-rules.mdx
rename to docs/official-docs/opengraph/extensions/github/privilege-zone-rules.mdx
index b417572..7f0c33c 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/privilege-zone-rules.mdx
+++ b/docs/official-docs/opengraph/extensions/github/privilege-zone-rules.mdx
@@ -1,12 +1,14 @@
 ---
 title: Privilege Zone Rules
-description: "Default Privilege Zone rules for the GitHound extension"
+description: GitHub extension Privilege Zone rules
 icon: "gem"
 ---
 Applies to BloodHound Enterprise and CE
-The following Cypher rules define the default Privilege Zone for the GitHound extension.
-Each rule is defined in a JSON file located in the [PrivilegeZoneRules](https://github.com/SpecterOps/openhound-github/tree/main/extension/privilege_zone_rules) directory of the GitHound repository.
+The following Privilege Zone rules can be imported into BloodHound to group nodes for Cypher query analysis and BloodHound Enterprise finding generation.
+
+This file is automatically generated from the [JSON Privilege Zone rule files](https://github.com/SpecterOps/openhound-github/tree/main/extension/privilege_zone_rules).
+
 ## Tier Zero All-Repo Admin Role
diff --git a/docs/official-docs/opengraph/extensions/githound/reference/queries.mdx b/docs/official-docs/opengraph/extensions/github/queries.mdx
similarity index 96%
rename from docs/official-docs/opengraph/extensions/githound/reference/queries.mdx
rename to docs/official-docs/opengraph/extensions/github/queries.mdx
index 30b8b75..f9dadf5 100644
--- a/docs/official-docs/opengraph/extensions/githound/reference/queries.mdx
+++ b/docs/official-docs/opengraph/extensions/github/queries.mdx
@@ -1,15 +1,13 @@
 ---
 title: Cypher Queries
-description: Default Cypher queries for the GitHound extension
+description: GitHub extension Cypher queries
 icon: code
 ---
 Applies to BloodHound Enterprise and CE
 The following custom Cypher queries can be imported into BloodHound to enhance visibility.
-Each query is defined in a JSON file located in the [Saved Searches](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches) directory of the GitHound repository.
-This file is automatically generated from the [JSON query files](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches)
-that are bundled with the `GitHound` collector.
+This file is automatically generated from the [JSON query files](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches).
 ## Actions SHA Pinning Not Required
diff --git a/docs/official-docs/opengraph/extensions/github/schema.mdx b/docs/official-docs/opengraph/extensions/github/schema.mdx
new file mode 100644
index 0000000..3b28d00
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/github/schema.mdx
@@ -0,0 +1,169 @@
+---
+title: Schema
+description: GitHub extension definition schema
+icon: circle-nodes
+---
+
+Applies to BloodHound Enterprise and CE
+## Metadata
+
+**Name:** SOGitHub
+**Display Name:** GitHub Extension (by SpecterOps)
+**Version:** v1.2.1
+**Namespace:** GH
+**Environment Kind:** GH_Organization
+**Source Kind:** GitHub + + This file is automatically generated from the [extension schema definition file](https://github.com/SpecterOps/openhound-github/blob/main/extension/schema.json). + + ## Nodes
+
+| Icon | Node Kind | Display Name |
+|------|-----------|--------------|
+| ![GH_App](/images/extensions/github/gh_app.png) | [GH_App](/opengraph/extensions/github/nodes/gh_app) | GitHub App |
+| ![GH_AppInstallation](/images/extensions/github/gh_appinstallation.png) | [GH_AppInstallation](/opengraph/extensions/github/nodes/gh_appinstallation) | GitHub App Installation |
+| ![GH_Branch](/images/extensions/github/gh_branch.png) | [GH_Branch](/opengraph/extensions/github/nodes/gh_branch) | GitHub Branch |
+| ![GH_BranchProtectionRule](/images/extensions/github/gh_branchprotectionrule.png) | [GH_BranchProtectionRule](/opengraph/extensions/github/nodes/gh_branchprotectionrule) | GitHub Branch Protection Rule |
+| ![GH_Environment](/images/extensions/github/gh_environment.png) | [GH_Environment](/opengraph/extensions/github/nodes/gh_environment) | GitHub Environment |
+| ![GH_EnvironmentSecret](/images/extensions/github/gh_environmentsecret.png) | [GH_EnvironmentSecret](/opengraph/extensions/github/nodes/gh_environmentsecret) | GitHub Environment Secret |
+| ![GH_EnvironmentVariable](/images/extensions/github/gh_environmentvariable.png) | [GH_EnvironmentVariable](/opengraph/extensions/github/nodes/gh_environmentvariable) | GitHub Environment Variable |
+| ![GH_ExternalIdentity](/images/extensions/github/gh_externalidentity.png) | [GH_ExternalIdentity](/opengraph/extensions/github/nodes/gh_externalidentity) | GitHub External Identity |
+| ![GH_Organization](/images/extensions/github/gh_organization.png) | [GH_Organization](/opengraph/extensions/github/nodes/gh_organization) | GitHub Organization |
+| ![GH_OrgRole](/images/extensions/github/gh_orgrole.png) | [GH_OrgRole](/opengraph/extensions/github/nodes/gh_orgrole) | GitHub Org Role |
+| ![GH_OrgSecret](/images/extensions/github/gh_orgsecret.png) | [GH_OrgSecret](/opengraph/extensions/github/nodes/gh_orgsecret) | GitHub Org Secret |
+| ![GH_OrgVariable](/images/extensions/github/gh_orgvariable.png) | [GH_OrgVariable](/opengraph/extensions/github/nodes/gh_orgvariable) | GitHub Org Variable |
+| ![GH_PersonalAccessToken](/images/extensions/github/gh_personalaccesstoken.png) | [GH_PersonalAccessToken](/opengraph/extensions/github/nodes/gh_personalaccesstoken) | GitHub Personal Access Token |
+| ![GH_PersonalAccessTokenRequest](/images/extensions/github/gh_personalaccesstokenrequest.png) | [GH_PersonalAccessTokenRequest](/opengraph/extensions/github/nodes/gh_personalaccesstokenrequest) | GitHub Personal Access Token Request |
+| ![GH_RepoRole](/images/extensions/github/gh_reporole.png) | [GH_RepoRole](/opengraph/extensions/github/nodes/gh_reporole) | GitHub Repo Role |
+| ![GH_RepoSecret](/images/extensions/github/gh_reposecret.png) | [GH_RepoSecret](/opengraph/extensions/github/nodes/gh_reposecret) | GitHub Repo Secret |
+| ![GH_Repository](/images/extensions/github/gh_repository.png) | [GH_Repository](/opengraph/extensions/github/nodes/gh_repository) | GitHub Repository |
+| ![GH_RepoVariable](/images/extensions/github/gh_repovariable.png) | [GH_RepoVariable](/opengraph/extensions/github/nodes/gh_repovariable) | GitHub Repo Variable |
+| ![GH_SamlIdentityProvider](/images/extensions/github/gh_samlidentityprovider.png) | [GH_SamlIdentityProvider](/opengraph/extensions/github/nodes/gh_samlidentityprovider) | GitHub SAML Identity Provider |
+| ![GH_SecretScanningAlert](/images/extensions/github/gh_secretscanningalert.png) | [GH_SecretScanningAlert](/opengraph/extensions/github/nodes/gh_secretscanningalert) | GitHub Secret Scanning Alert |
+| ![GH_Team](/images/extensions/github/gh_team.png) | [GH_Team](/opengraph/extensions/github/nodes/gh_team) | GitHub Team |
+| ![GH_TeamRole](/images/extensions/github/gh_teamrole.png) | [GH_TeamRole](/opengraph/extensions/github/nodes/gh_teamrole) | GitHub Team Role |
+| ![GH_User](/images/extensions/github/gh_user.png) | [GH_User](/opengraph/extensions/github/nodes/gh_user) | GitHub User |
+| ![GH_Workflow](/images/extensions/github/gh_workflow.png) | [GH_Workflow](/opengraph/extensions/github/nodes/gh_workflow) | GitHub Workflow |
+| ![GH_WorkflowJob](/images/extensions/github/gh_workflowjob.png) | [GH_WorkflowJob](/opengraph/extensions/github/nodes/gh_workflowjob) | GitHub Workflow Job |
+| ![GH_WorkflowStep](/images/extensions/github/gh_workflowstep.png) | [GH_WorkflowStep](/opengraph/extensions/github/nodes/gh_workflowstep) | GitHub Workflow Step |
+
+## Edges
+
+| Relationship Kind | Traversable | Description |
+|-------------------|:-----------:|-------------|
+| [GH_AddAssignee](/opengraph/extensions/github/edges/gh_addassignee) | ❌ | [Repository] Repo role can assign users to issues and pull requests |
+| [GH_AddCollaborator](/opengraph/extensions/github/edges/gh_addcollaborator) | ❌ | [Organization] Org role can add outside collaborators |
+| [GH_AddLabel](/opengraph/extensions/github/edges/gh_addlabel) | ❌ | [Repository] Repo role can add labels to issues and pull requests |
+| [GH_AddMember](/opengraph/extensions/github/edges/gh_addmember) | ✅ | Team role can add members to the team (maintainer privilege) |
+| [GH_AdminTo](/opengraph/extensions/github/edges/gh_adminto) | ❌ | [Repository] Repo role has admin access to the repository. |
+| [GH_BypassBranchProtection](/opengraph/extensions/github/edges/gh_bypassbranchprotection) | ❌ | [Repository] Repo role can bypass merge-gate branch protections (PR reviews, lock branch). Suppressed by enforce_admins. |
+| [GH_BypassPullRequestAllowances](/opengraph/extensions/github/edges/gh_bypasspullrequestallowances) | ❌ | User or team can bypass pull request requirements on a branch protection rule |
+| [GH_CallsWorkflow](/opengraph/extensions/github/edges/gh_callsworkflow) | ❌ | [Workflow] Job calls a reusable workflow — GH_WorkflowJob → GH_Workflow |
+| [GH_CanAccess](/opengraph/extensions/github/edges/gh_canaccess) | ❌ | Personal access token or app installation can access this repository or organization |
+| [GH_CanAssumeIdentity](/opengraph/extensions/github/edges/gh_canassumeidentity) | ✅ | Repository can assume this cloud identity via OIDC federation (Azure workload identity or AWS IAM role) |
+| [GH_CanCreateBranch](/opengraph/extensions/github/edges/gh_cancreatebranch) | ✅ | [Repository - Computed] Role can create new branches in this repository (unprotected branches that bypass the merge gate) |
+| [GH_CanEditProtection](/opengraph/extensions/github/edges/gh_caneditprotection) | ✅ | [Repository - Computed] Repo role can modify or remove the branch protection rules governing this branch (computed from GH_EditRepoProtections + GH_ProtectedBy) |
+| [GH_CanPwnRequest](/opengraph/extensions/github/edges/gh_canpwnrequest) | ✅ | [Computed] Repo role can exploit a pwn-requestable workflow to execute arbitrary code with the target's secrets and permissions — GH_RepoRole → GH_Repository / GH_Branch |
+| [GH_CanReadSecretScanningAlert](/opengraph/extensions/github/edges/gh_canreadsecretscanningalert) | ✅ | [Computed] Role can read secret scanning alerts (computed from GH_ViewSecretScanningAlerts permission + GH_Contains) |
+| [GH_CanWriteBranch](/opengraph/extensions/github/edges/gh_canwritebranch) | ✅ | [Repository - Computed] Role can push to this branch after evaluating branch protection rules, push restrictions, and bypass allowances |
+| [GH_CloseDiscussion](/opengraph/extensions/github/edges/gh_closediscussion) | ❌ | [Repository] Repo role can close discussions |
+| [GH_CloseIssue](/opengraph/extensions/github/edges/gh_closeissue) | ❌ | [Repository] Repo role can close issues |
+| [GH_ClosePullRequest](/opengraph/extensions/github/edges/gh_closepullrequest) | ❌ | [Repository] Repo role can close pull requests |
+| [GH_Contains](/opengraph/extensions/github/edges/gh_contains) | ❌ | Container relationship for organizational hierarchy (org contains secrets/variables, repo contains secrets/variables, environment contains secrets/variables) |
+| [GH_ConvertIssuesToDiscussions](/opengraph/extensions/github/edges/gh_convertissuestodiscussions) | ❌ | [Repository] Repo role can convert issues to discussions |
+| [GH_CreateDiscussionCategory](/opengraph/extensions/github/edges/gh_creatediscussioncategory) | ❌ | [Repository] Repo role can create discussion categories |
+| [GH_CreateRepository](/opengraph/extensions/github/edges/gh_createrepository) | ❌ | [Organization] Org role can create repositories in the organization |
+| [GH_CreateSoloMergeQueueEntry](/opengraph/extensions/github/edges/gh_createsolomergequeueentry) | ❌ | Repo role can create solo merge queue entries |
+| [GH_CreateTag](/opengraph/extensions/github/edges/gh_createtag) | ❌ | [Repository] Repo role can create tags and releases |
+| [GH_CreateTeam](/opengraph/extensions/github/edges/gh_createteam) | ❌ | [Organization] Org role can create teams in the organization |
+| [GH_DeleteAlertsCodeScanning](/opengraph/extensions/github/edges/gh_deletealertscodescanning) | ❌ | [Repository] Repo role can delete code scanning alerts |
+| [GH_DeleteDiscussion](/opengraph/extensions/github/edges/gh_deletediscussion) | ❌ | [Repository] Repo role can delete discussions |
+| [GH_DeleteDiscussionComment](/opengraph/extensions/github/edges/gh_deletediscussioncomment) | ❌ | [Repository] Repo role can delete discussion comments |
+| [GH_DeleteIssue](/opengraph/extensions/github/edges/gh_deleteissue) | ❌ | [Repository] Repo role can delete issues |
+| [GH_DeleteTag](/opengraph/extensions/github/edges/gh_deletetag) | ❌ | [Repository] Repo role can delete tags and releases |
+| [GH_DependsOn](/opengraph/extensions/github/edges/gh_dependson) | ❌ | [Workflow] Job must run after another job (needs: dependency) — ordering only, not an access path |
+| [GH_DeploysTo](/opengraph/extensions/github/edges/gh_deploysto) | ❌ | [Workflow] Job deploys to a GitHub Environment — GH_WorkflowJob → GH_Environment |
+| [GH_EditCategoryOnDiscussion](/opengraph/extensions/github/edges/gh_editcategoryondiscussion) | ❌ | [Repository] Repo role can change the category of a discussion |
+| [GH_EditDiscussionCategory](/opengraph/extensions/github/edges/gh_editdiscussioncategory) | ❌ | [Repository] Repo role can edit discussion categories |
+| [GH_EditDiscussionComment](/opengraph/extensions/github/edges/gh_editdiscussioncomment) | ❌ | [Repository] Repo role can edit discussion comments |
+| [GH_EditRepoAnnouncementBanners](/opengraph/extensions/github/edges/gh_editrepoannouncementbanners) | ❌ | [Repository] Repo role can edit repository announcement banners |
+| [GH_EditRepoCustomPropertiesValues](/opengraph/extensions/github/edges/gh_editrepocustompropertiesvalues) | ❌ | [Repository] Repo role can edit custom property values on the repository |
+| [GH_EditRepoMetadata](/opengraph/extensions/github/edges/gh_editrepometadata) | ❌ | [Repository] Repo role can edit repository metadata |
+| [GH_EditRepoProtections](/opengraph/extensions/github/edges/gh_editrepoprotections) | ❌ | Repo role can edit branch protection rules |
+| [GH_HasBaseRole](/opengraph/extensions/github/edges/gh_hasbaserole) | ✅ | Role inherits permissions from another role |
+| [GH_HasBranch](/opengraph/extensions/github/edges/gh_hasbranch) | ❌ | Repository has this branch |
+| [GH_HasEnvironment](/opengraph/extensions/github/edges/gh_hasenvironment) | ❌ | Repository or branch has/can deploy to this environment |
+| [GH_HasExternalIdentity](/opengraph/extensions/github/edges/gh_hasexternalidentity) | ❌ | SAML identity provider has this external identity |
+| [GH_HasJob](/opengraph/extensions/github/edges/gh_hasjob) | ❌ | [Workflow] Workflow contains this job — GH_Workflow → GH_WorkflowJob |
+| [GH_HasMember](/opengraph/extensions/github/edges/gh_hasmember) | ❌ | Enterprise or organization has this user as a member |
+| [GH_HasPersonalAccessToken](/opengraph/extensions/github/edges/gh_haspersonalaccesstoken) | ❌ | User owns this personal access token that has been granted access to the organization |
+| [GH_HasPersonalAccessTokenRequest](/opengraph/extensions/github/edges/gh_haspersonalaccesstokenrequest) | ❌ | User has a pending personal access token request for the organization |
+| [GH_HasRole](/opengraph/extensions/github/edges/gh_hasrole) | ✅ | User or team has a role assignment (org role, team role, or repo role) |
+| [GH_HasSamlIdentityProvider](/opengraph/extensions/github/edges/gh_hassamlidentityprovider) | ❌ | Organization has this SAML identity provider configured |
+| [GH_HasSecret](/opengraph/extensions/github/edges/gh_hassecret) | ✅ | Repository or environment has access to this secret |
+| [GH_HasStep](/opengraph/extensions/github/edges/gh_hasstep) | ❌ | [Workflow] Job contains this step — GH_WorkflowJob → GH_WorkflowStep |
+| [GH_HasVariable](/opengraph/extensions/github/edges/gh_hasvariable) | ✅ | Repository has access to this variable (org-level or repo-level) |
+| [GH_HasWorkflow](/opengraph/extensions/github/edges/gh_hasworkflow) | ❌ | Repository has this workflow |
+| [GH_InstalledAs](/opengraph/extensions/github/edges/gh_installedas) | ✅ | GitHub App is installed as this app installation on an organization |
+| [GH_InviteMember](/opengraph/extensions/github/edges/gh_invitemember) | ❌ | [Organization] Org role can invite members to the organization |
+| [GH_JumpMergeQueue](/opengraph/extensions/github/edges/gh_jumpmergequeue) | ❌ | Repo role can jump the merge queue |
+| [GH_ManageDeployKeys](/opengraph/extensions/github/edges/gh_managedeploykeys) | ❌ | [Repository] Repo role can manage deploy keys |
+| [GH_ManageDiscussionBadges](/opengraph/extensions/github/edges/gh_managediscussionbadges) | ❌ | [Repository] Repo role can manage discussion badges |
+| [GH_ManageOrganizationWebhooks](/opengraph/extensions/github/edges/gh_manageorganizationwebhooks) | ❌ | [Organization] Org role can manage organization webhooks |
+| [GH_ManageRepoSecurityProducts](/opengraph/extensions/github/edges/gh_managereposecurityproducts) | ❌ | Repo role can manage repo-level security products |
+| [GH_ManageSecurityProducts](/opengraph/extensions/github/edges/gh_managesecurityproducts) | ❌ | Repo role can manage security products |
+| [GH_ManageSettingsMergeTypes](/opengraph/extensions/github/edges/gh_managesettingsmergetypes) | ❌ | [Repository] Repo role can manage allowed merge types |
+| [GH_ManageSettingsPages](/opengraph/extensions/github/edges/gh_managesettingspages) | ❌ | [Repository] Repo role can manage GitHub Pages settings |
+| [GH_ManageSettingsProjects](/opengraph/extensions/github/edges/gh_managesettingsprojects) | ❌ | [Repository] Repo role can manage project settings |
+| [GH_ManageSettingsWiki](/opengraph/extensions/github/edges/gh_managesettingswiki) | ❌ | [Repository] Repo role can manage wiki settings |
+| [GH_ManageTopics](/opengraph/extensions/github/edges/gh_managetopics) | ❌ | [Repository] Repo role can manage repository topics |
+| [GH_ManageWebhooks](/opengraph/extensions/github/edges/gh_managewebhooks) | ❌ | [Repository] Repo role can manage repository webhooks |
+| [GH_MapsToUser](/opengraph/extensions/github/edges/gh_mapstouser) | ❌ | External identity maps to a GitHub user or identity provider user |
+| [GH_MarkAsDuplicate](/opengraph/extensions/github/edges/gh_markasduplicate) | ❌ | [Repository] Repo role can mark issues or pull requests as duplicates |
+| [GH_MemberOf](/opengraph/extensions/github/edges/gh_memberof) | ✅ | Team role is a member of a team, or team is a nested member of a parent team |
+| [GH_OrgBypassCodeScanningDismissalRequests](/opengraph/extensions/github/edges/gh_orgbypasscodescanningdismissalrequests) | ❌ | [Organization] Org role can bypass code scanning dismissal requests |
+| [GH_OrgBypassSecretScanningClosureRequests](/opengraph/extensions/github/edges/gh_orgbypasssecretscanningclosurerequests) | ❌ | [Organization] Org role can bypass secret scanning closure requests |
+| [GH_OrgReviewAndManageSecretScanningBypassRequests](/opengraph/extensions/github/edges/gh_orgreviewandmanagesecretscanningbypassrequests) | ❌ | [Organization] Org role can review and manage secret scanning bypass requests |
+| [GH_OrgReviewAndManageSecretScanningClosureRequests](/opengraph/extensions/github/edges/gh_orgreviewandmanagesecretscanningclosurerequests) | ❌ | [Organization] Org role can review and manage secret scanning closure requests |
+| [GH_Owns](/opengraph/extensions/github/edges/gh_owns) | ✅ | Organization owns a repository |
+| [GH_ProtectedBy](/opengraph/extensions/github/edges/gh_protectedby) | ❌ | Branch protection rule protects this branch |
+| [GH_PushProtectedBranch](/opengraph/extensions/github/edges/gh_pushprotectedbranch) | ❌ | [Repository] Repo role can push to branches with push restrictions. Not affected by enforce_admins. |
+| [GH_ReadCodeScanning](/opengraph/extensions/github/edges/gh_readcodescanning) | ❌ | [Repository] Repo role can read code scanning results |
+| [GH_ReadOrganizationActionsUsageMetrics](/opengraph/extensions/github/edges/gh_readorganizationactionsusagemetrics) | ❌ | [Organization] Org role can read Actions usage metrics |
+| [GH_ReadOrganizationCustomOrgRole](/opengraph/extensions/github/edges/gh_readorganizationcustomorgrole) | ❌ | [Organization] Org role can read custom org role definitions |
+| [GH_ReadOrganizationCustomRepoRole](/opengraph/extensions/github/edges/gh_readorganizationcustomreporole) | ❌ | [Organization] Org role can read custom repo role definitions |
+| [GH_ReadRepoContents](/opengraph/extensions/github/edges/gh_readrepocontents) | ❌ | [Repository] Repo role can read repository contents |
+| [GH_RemoveAssignee](/opengraph/extensions/github/edges/gh_removeassignee) | ❌ | [Repository] Repo role can remove assignees from issues and pull requests |
+| [GH_RemoveLabel](/opengraph/extensions/github/edges/gh_removelabel) | ❌ | [Repository] Repo role can remove labels from issues and pull requests |
+| [GH_ReopenDiscussion](/opengraph/extensions/github/edges/gh_reopendiscussion) | ❌ | [Repository] Repo role can reopen discussions |
+| [GH_ReopenIssue](/opengraph/extensions/github/edges/gh_reopenissue) | ❌ | [Repository] Repo role can reopen closed issues |
+| [GH_ReopenPullRequest](/opengraph/extensions/github/edges/gh_reopenpullrequest) | ❌ | [Repository] Repo role can reopen closed pull requests |
+| [GH_RequestPrReview](/opengraph/extensions/github/edges/gh_requestprreview) | ❌ | [Repository] Repo role can request pull request reviews |
+| [GH_ResolveDependabotAlerts](/opengraph/extensions/github/edges/gh_resolvedependabotalerts) | ❌ | [Repository] Repo role can resolve Dependabot alerts |
+| [GH_ResolveSecretScanningAlerts](/opengraph/extensions/github/edges/gh_resolvesecretscanningalerts) | ❌ | [Organization] Org role can resolve secret scanning alerts |
+| [GH_RestrictionsCanPush](/opengraph/extensions/github/edges/gh_restrictionscanpush) | ❌ | User or team is allowed to push to branches protected by this rule |
+| [GH_RunOrgMigration](/opengraph/extensions/github/edges/gh_runorgmigration) | ❌ | [Repository] Repo role can run organization migrations |
+| [GH_SetInteractionLimits](/opengraph/extensions/github/edges/gh_setinteractionlimits) | ❌ | [Repository] Repo role can set interaction limits on the repository |
+| [GH_SetIssueType](/opengraph/extensions/github/edges/gh_setissuetype) | ❌ | [Repository] Repo role can set issue types |
+| [GH_SetMilestone](/opengraph/extensions/github/edges/gh_setmilestone) | ❌ | [Repository] Repo role can set milestones on issues and pull requests |
+| [GH_SetSocialPreview](/opengraph/extensions/github/edges/gh_setsocialpreview) | ❌ | [Repository] Repo role can set the repository social preview image |
+| [GH_SyncedTo](/opengraph/extensions/github/edges/gh_syncedto) | ✅ | External identity (Azure, Okta, PingOne) is synced to this GitHub user via SSO/SCIM |
+| [GH_ToggleDiscussionAnswer](/opengraph/extensions/github/edges/gh_togglediscussionanswer) | ❌ | [Repository] Repo role can toggle discussion answers |
+| [GH_ToggleDiscussionCommentMinimize](/opengraph/extensions/github/edges/gh_togglediscussioncommentminimize) | ❌ | [Repository] Repo role can minimize discussion comments |
+| [GH_TransferRepository](/opengraph/extensions/github/edges/gh_transferrepository) | ❌ | [Organization] Org role can transfer repositories |
+| [GH_UsesSecret](/opengraph/extensions/github/edges/gh_usessecret) | ❌ | [Workflow] Step references a secret by name — GH_WorkflowStep → GH_Secret (name match) |
+| [GH_UsesVariable](/opengraph/extensions/github/edges/gh_usesvariable) | ❌ | [Workflow] Step references a variable by name — GH_WorkflowStep → GH_Variable (name match) |
+| [GH_ValidToken](/opengraph/extensions/github/edges/gh_validtoken) | ✅ | Secret scanning alert contains a valid, active token belonging to this user |
+| [GH_ViewDependabotAlerts](/opengraph/extensions/github/edges/gh_viewdependabotalerts) | ❌ | [Repository] Repo role can view Dependabot alerts |
+| [GH_ViewSecretScanningAlerts](/opengraph/extensions/github/edges/gh_viewsecretscanningalerts) | ❌ | [Repository] Role can view secret scanning alerts |
+| [GH_WriteCodeScanning](/opengraph/extensions/github/edges/gh_writecodescanning) | ❌ | [Repository] Repo role can upload code scanning results |
+| [GH_WriteOrganizationActionsSecrets](/opengraph/extensions/github/edges/gh_writeorganizationactionssecrets) | ❌ | [Organization] Org role can write Actions secrets |
+| [GH_WriteOrganizationActionsSettings](/opengraph/extensions/github/edges/gh_writeorganizationactionssettings) | ❌ | [Organization] Org role can write Actions settings |
+| [GH_WriteOrganizationActionsVariables](/opengraph/extensions/github/edges/gh_writeorganizationactionsvariables) | ❌ | [Organization] Org role can write Actions variables |
+| [GH_WriteOrganizationCustomOrgRole](/opengraph/extensions/github/edges/gh_writeorganizationcustomorgrole) | ✅ | [Organization] Org role can write custom org role definitions |
+| [GH_WriteOrganizationCustomRepoRole](/opengraph/extensions/github/edges/gh_writeorganizationcustomreporole) | ❌ | [Organization] Org role can write custom repo role definitions |
+| [GH_WriteOrganizationNetworkConfigurations](/opengraph/extensions/github/edges/gh_writeorganizationnetworkconfigurations) | ❌ | [Organization] Org role can write network configurations |
+| [GH_WriteRepoContents](/opengraph/extensions/github/edges/gh_writerepocontents) | ❌ | [Repository] Repo role can write repository contents |
+| [GH_WriteRepoPullRequests](/opengraph/extensions/github/edges/gh_writerepopullrequests) | ❌ | [Repository] Repo role can create and merge pull requests |
diff --git a/docs/og-docs-automation b/docs/og-docs-automation
index 678d767..b8dd9d8 160000
--- a/docs/og-docs-automation
+++ b/docs/og-docs-automation
@@ -1 +1 @@
-Subproject commit 678d767e67b675a0bcb06a52856b903a2d9b32f9
+Subproject commit b8dd9d861231c4858b78b8df134d5a2cad7ba200
diff --git a/docs/og-docs.json b/docs/og-docs.json
index 0d8ea3c..59a9d65 100644
--- a/docs/og-docs.json
+++ b/docs/og-docs.json
@@ -1,11 +1,13 @@
 {
 "extensionSchemaPath": "extension/schema.json",
+ "extensionShortName": "GitHub",
 "gitHubBaseUrl": "https://github.com/SpecterOps/openhound-github",
 "stripTitlePrefix": "GitHub: ",
 "savedSearchesDir": "extension/saved_searches",
 "zoneRulesDir": "extension/privilege_zone_rules",
 "nodeDescriptionsDir": "descriptions/nodes",
 "edgeDescriptionsDir": "descriptions/edges",
+ "openHoundStructure": true,
 "imagesDir": "descriptions/images",
 "iconSize": 32,
 "iconScale": 0.55
From 4da62a72e4265a4a74a1e068740900a1511942b0 Mon Sep 17 00:00:00 2001
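Review bot: `"openHoundStructure": true` is a bare boolean switch with no explanation anywhere in og-docs.json, and JSON leaves no room for a comment, so a reader cannot tell what output layout it selects; its meaning presumably lives in the og-docs-automation submodule that this same commit bumps from 678d767 to b8dd9d8. The move of the generated pages from `extensions/githound/reference/` to `extensions/github/` elsewhere in this patch looks like the effect of the flag, but that is inferred rather than visible here. A one-line description of each key, including that `openHoundStructure` appears to need the bumped submodule commit, belongs in the repository's docs README so the flag and the submodule pin are updated together. Separately, `"extensionShortName": "GitHub"` and `"stripTitlePrefix": "GitHub: "` now encode the same name twice; if the generator can derive the prefix from the short name one of them could go, otherwise the README should say they must stay in sync.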
From: JonasBK Date: Tue, 14 Apr 2026 20:06:27 +0200 Subject: [PATCH 07/16] rm githound references --- descriptions/edges/GH_AddMember.md | 2 +- descriptions/edges/GH_BypassPullRequestAllowances.md | 2 +- descriptions/edges/GH_CallsWorkflow.md | 2 +- descriptions/edges/GH_CanAccess.md | 2 +- descriptions/edges/GH_CanAssumeIdentity.md | 2 +- descriptions/edges/GH_CanCreateBranch.md | 2 +- descriptions/edges/GH_CanEditProtection.md | 2 +- descriptions/edges/GH_CanPwnRequest.md | 2 +- descriptions/edges/GH_CanReadSecretScanningAlert.md | 2 +- descriptions/edges/GH_CanWriteBranch.md | 2 +- descriptions/edges/GH_DependsOn.md | 2 +- descriptions/edges/GH_DeploysTo.md | 2 +- descriptions/edges/GH_HasBaseRole.md | 2 +- descriptions/edges/GH_HasBranch.md | 2 +- descriptions/edges/GH_HasEnvironment.md | 2 +- descriptions/edges/GH_HasExternalIdentity.md | 2 +- descriptions/edges/GH_HasJob.md | 2 +- descriptions/edges/GH_HasPersonalAccessToken.md | 2 +- descriptions/edges/GH_HasPersonalAccessTokenRequest.md | 2 +- descriptions/edges/GH_HasRole.md | 2 +- descriptions/edges/GH_HasSamlIdentityProvider.md | 2 +- descriptions/edges/GH_HasSecret.md | 2 +- descriptions/edges/GH_HasStep.md | 2 +- descriptions/edges/GH_HasVariable.md | 2 +- descriptions/edges/GH_HasWorkflow.md | 2 +- descriptions/edges/GH_InstalledAs.md | 2 +- descriptions/edges/GH_MapsToUser.md | 2 +- descriptions/edges/GH_MemberOf.md | 2 +- descriptions/edges/GH_Owns.md | 2 +- descriptions/edges/GH_ProtectedBy.md | 2 +- descriptions/edges/GH_RestrictionsCanPush.md | 2 +- descriptions/edges/GH_SyncedTo.md | 2 +- descriptions/edges/GH_UsesSecret.md | 2 +- descriptions/edges/GH_UsesVariable.md | 2 +- descriptions/edges/GH_ValidToken.md | 2 +- descriptions/nodes/GH_BranchProtectionRule.md | 2 +- .../opengraph/extensions/github/edges/gh_addmember.mdx | 2 +- .../github/edges/gh_bypasspullrequestallowances.mdx | 2 +- .../opengraph/extensions/github/edges/gh_callsworkflow.mdx | 2 +- 
.../opengraph/extensions/github/edges/gh_canaccess.mdx | 2 +- .../extensions/github/edges/gh_canassumeidentity.mdx | 2 +- .../extensions/github/edges/gh_cancreatebranch.mdx | 2 +- .../extensions/github/edges/gh_caneditprotection.mdx | 2 +- .../opengraph/extensions/github/edges/gh_canpwnrequest.mdx | 2 +- .../github/edges/gh_canreadsecretscanningalert.mdx | 2 +- .../opengraph/extensions/github/edges/gh_canwritebranch.mdx | 2 +- .../opengraph/extensions/github/edges/gh_dependson.mdx | 2 +- .../opengraph/extensions/github/edges/gh_deploysto.mdx | 2 +- .../opengraph/extensions/github/edges/gh_hasbaserole.mdx | 2 +- .../opengraph/extensions/github/edges/gh_hasbranch.mdx | 2 +- .../opengraph/extensions/github/edges/gh_hasenvironment.mdx | 2 +- .../extensions/github/edges/gh_hasexternalidentity.mdx | 2 +- .../opengraph/extensions/github/edges/gh_hasjob.mdx | 2 +- .../extensions/github/edges/gh_haspersonalaccesstoken.mdx | 2 +- .../github/edges/gh_haspersonalaccesstokenrequest.mdx | 2 +- .../opengraph/extensions/github/edges/gh_hasrole.mdx | 2 +- .../extensions/github/edges/gh_hassamlidentityprovider.mdx | 2 +- .../opengraph/extensions/github/edges/gh_hassecret.mdx | 2 +- .../opengraph/extensions/github/edges/gh_hasstep.mdx | 2 +- .../opengraph/extensions/github/edges/gh_hasvariable.mdx | 2 +- .../opengraph/extensions/github/edges/gh_hasworkflow.mdx | 2 +- .../opengraph/extensions/github/edges/gh_installedas.mdx | 2 +- .../opengraph/extensions/github/edges/gh_mapstouser.mdx | 2 +- .../opengraph/extensions/github/edges/gh_memberof.mdx | 2 +- .../opengraph/extensions/github/edges/gh_owns.mdx | 2 +- .../opengraph/extensions/github/edges/gh_protectedby.mdx | 2 +- .../extensions/github/edges/gh_restrictionscanpush.mdx | 2 +- .../opengraph/extensions/github/edges/gh_syncedto.mdx | 2 +- .../opengraph/extensions/github/edges/gh_usessecret.mdx | 6 +++--- .../opengraph/extensions/github/edges/gh_usesvariable.mdx | 2 +- .../opengraph/extensions/github/edges/gh_validtoken.mdx | 2 +- 
.../extensions/github/nodes/gh_branchprotectionrule.mdx | 2 +- docs/official-docs/opengraph/extensions/github/queries.mdx | 2 +- extension/privilege_zone_rules/README.md | 2 +- extension/saved_searches/README.md | 2 +- .../repos-vulnerable-to-workflow-secret-exfil.json | 2 +- 76 files changed, 78 insertions(+), 78 deletions(-)
diff --git a/descriptions/edges/GH_AddMember.md b/descriptions/edges/GH_AddMember.md
index 4e865e8..f37350d 100644
--- a/descriptions/edges/GH_AddMember.md
+++ b/descriptions/edges/GH_AddMember.md
@@ -1,3 +1,3 @@
 ## General Information
-The traversable `GH_AddMember` edge indicates that a team role with the Maintainer permission level can add new members to the team. It is created by `Git-HoundTeam` when enumerating team membership roles. This edge is traversable because the ability to add members grants indirect access -- a maintainer can add any user to the team, and that user then inherits all of the team's repository permissions, effectively expanding the attack surface.
+The traversable `GH_AddMember` edge indicates that a team role with the Maintainer permission level can add new members to the team. This edge is traversable because the ability to add members grants indirect access -- a maintainer can add any user to the team, and that user then inherits all of the team's repository permissions, effectively expanding the attack surface.
diff --git a/descriptions/edges/GH_BypassPullRequestAllowances.md b/descriptions/edges/GH_BypassPullRequestAllowances.md
index a2e5a4d..d47e6b9 100644
--- a/descriptions/edges/GH_BypassPullRequestAllowances.md
+++ b/descriptions/edges/GH_BypassPullRequestAllowances.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_BypassPullRequestAllowances` edge represents a per-actor allowance that bypasses the pull request review requirement on a branch protection rule. Created by `Git-HoundBranch` when collecting BPR bypass allowances, this edge identifies specific users or teams that can merge code without going through the normal PR review process. This is a significant security concern because these actors can push or merge changes directly, circumventing code review controls that protect branch integrity. Note that this bypass is suppressed when `enforce_admins` is enabled on the branch protection rule, meaning even listed actors must follow the PR review requirement.
+The non-traversable `GH_BypassPullRequestAllowances` edge represents a per-actor allowance that bypasses the pull request review requirement on a branch protection rule. This edge identifies specific users or teams that can merge code without going through the normal PR review process. This is a significant security concern because these actors can push or merge changes directly, circumventing code review controls that protect branch integrity. Note that this bypass is suppressed when `enforce_admins` is enabled on the branch protection rule, meaning even listed actors must follow the PR review requirement.
diff --git a/descriptions/edges/GH_CallsWorkflow.md b/descriptions/edges/GH_CallsWorkflow.md
index 1c6f616..2aba42e 100644
--- a/descriptions/edges/GH_CallsWorkflow.md
+++ b/descriptions/edges/GH_CallsWorkflow.md
@@ -1,6 +1,6 @@
 ## General Information
-The traversable `GH_CallsWorkflow` edge links a workflow job to a reusable workflow it invokes via the `uses:` key at the job level. Created by `Parse-GitHoundWorkflow`, this edge captures the reusable workflow call graph, enabling analysts to trace inherited permissions and secret access through called workflows.
+The traversable `GH_CallsWorkflow` edge links a workflow job to a reusable workflow it invokes via the `uses:` key at the job level. This edge captures the reusable workflow call graph, enabling analysts to trace inherited permissions and secret access through called workflows.
 ### Local vs. remote reusable workflows
diff --git a/descriptions/edges/GH_CanAccess.md b/descriptions/edges/GH_CanAccess.md
index 6b21cfb..7c6d342 100644
--- a/descriptions/edges/GH_CanAccess.md
+++ b/descriptions/edges/GH_CanAccess.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_CanAccess` edge indicates that a personal access token or app installation has been granted access to specific repositories. It is created by `Git-HoundPersonalAccessToken` and `Git-HoundPersonalAccessTokenRequest` for PATs, and by `Git-HoundAppInstallation` for app installations. This edge represents the scope of access granted to a token or app rather than a direct attack path, providing visibility into which repositories are reachable through non-human credentials. It is non-traversable because token and app access does not transitively extend to other principals.
+The non-traversable `GH_CanAccess` edge indicates that a personal access token or app installation has been granted access to specific repositories. This edge represents the scope of access granted to a token or app rather than a direct attack path, providing visibility into which repositories are reachable through non-human credentials. It is non-traversable because token and app access does not transitively extend to other principals.
diff --git a/descriptions/edges/GH_CanAssumeIdentity.md b/descriptions/edges/GH_CanAssumeIdentity.md
index f6d330f..e865832 100644
--- a/descriptions/edges/GH_CanAssumeIdentity.md
+++ b/descriptions/edges/GH_CanAssumeIdentity.md
@@ -1,3 +1,3 @@
 ## General Information
-The traversable `GH_CanAssumeIdentity` edge is a hybrid edge connecting GitHub OIDC token sources to cloud identity targets configured for GitHub Actions federation. Created by the collector when matching GitHub OIDC subject claims to cloud workload identity federation configurations, this edge represents a verified path from GitHub Actions to cloud resource access. It is traversable because an attacker who can execute workflows in the source repository, branch, or environment can obtain an OIDC token that the cloud provider will accept, granting access to the associated cloud identity and its permissions. This edge is critical for identifying cross-cloud lateral movement paths from GitHub into Azure and AWS.
+The traversable `GH_CanAssumeIdentity` edge is a hybrid edge connecting GitHub OIDC token sources to cloud identity targets configured for GitHub Actions federation. This edge represents a verified path from GitHub Actions to cloud resource access. It is traversable because an attacker who can execute workflows in the source repository, branch, or environment can obtain an OIDC token that the cloud provider will accept, granting access to the associated cloud identity and its permissions. This edge is critical for identifying cross-cloud lateral movement paths from GitHub into Azure and AWS.
diff --git a/descriptions/edges/GH_CanCreateBranch.md b/descriptions/edges/GH_CanCreateBranch.md
index 02729b1..1e765ca 100644
--- a/descriptions/edges/GH_CanCreateBranch.md
+++ b/descriptions/edges/GH_CanCreateBranch.md
@@ -1,6 +1,6 @@
 ## General Information
-The traversable `GH_CanCreateBranch` edge is a computed edge indicating that a role or actor can create new branches in a repository. Created by `Compute-GitHoundBranchAccess` with no additional API calls, the computation evaluates whether a wildcard (`*`) BPR with push restrictions and `blocks_creations` exists. If no such BPR exists, any write-capable role can create branches. If one exists, admin or `push_protected_branch` permission is required, or the actor must be listed in pushAllowances. Per-actor edges from `GH_User` or `GH_Team` are only emitted when BPR allowances grant branch creation access beyond what the role provides. Each edge includes a `reason` property and a `query_composition` Cypher query showing the underlying graph evidence.
+The traversable `GH_CanCreateBranch` edge is a computed edge indicating that a role or actor can create new branches in a repository. The computation evaluates whether a wildcard (`*`) BPR with push restrictions and `blocks_creations` exists. If no such BPR exists, any write-capable role can create branches. If one exists, admin or `push_protected_branch` permission is required, or the actor must be listed in pushAllowances. Per-actor edges from `GH_User` or `GH_Team` are only emitted when BPR allowances grant branch creation access beyond what the role provides. Each edge includes a `reason` property and a `query_composition` Cypher query showing the underlying graph evidence.
 ## Scenarios
diff --git a/descriptions/edges/GH_CanEditProtection.md b/descriptions/edges/GH_CanEditProtection.md
index ac5be73..968fe0d 100644
--- a/descriptions/edges/GH_CanEditProtection.md
+++ b/descriptions/edges/GH_CanEditProtection.md
@@ -1,6 +1,6 @@
 ## General Information
-The traversable `GH_CanEditProtection` edge is a computed edge indicating that a role can modify or remove the branch protection rules governing a specific branch. Created by `Compute-GitHoundBranchAccess` with no additional API calls, this edge is emitted when the role has `GH_EditRepoProtections` or `GH_AdminTo` permissions and the branch is covered by at least one branch protection rule. The edge targets the protected branch (not the BPR itself) because the security impact is evaluated per-branch — a role that can weaken or remove protections on a branch can subsequently push code to it, representing a privilege escalation path.
+The traversable `GH_CanEditProtection` edge is a computed edge indicating that a role can modify or remove the branch protection rules governing a specific branch. This edge is emitted when the role has `GH_EditRepoProtections` or `GH_AdminTo` permissions and the branch is covered by at least one branch protection rule. The edge targets the protected branch (not the BPR itself) because the security impact is evaluated per-branch — a role that can weaken or remove protections on a branch can subsequently push code to it, representing a privilege escalation path.
 ## Scenarios
diff --git a/descriptions/edges/GH_CanPwnRequest.md b/descriptions/edges/GH_CanPwnRequest.md
index e02989a..3b06037 100644
--- a/descriptions/edges/GH_CanPwnRequest.md
+++ b/descriptions/edges/GH_CanPwnRequest.md
@@ -1,6 +1,6 @@
 ## General Information
-The traversable `GH_CanPwnRequest` edge indicates that a repository role can exploit a pwn-requestable workflow to execute arbitrary code with the base branch's secrets, GITHUB_TOKEN permissions, and OIDC identity. Created by `Get-PwnRequestEdges`, this is a computed edge that combines workflow analysis with repository access and fork policy evaluation.
+The traversable `GH_CanPwnRequest` edge indicates that a repository role can exploit a pwn-requestable workflow to execute arbitrary code with the base branch's secrets, GITHUB_TOKEN permissions, and OIDC identity. This is a computed edge that combines workflow analysis with repository access and fork policy evaluation.
 ### Pwn Request Conditions
diff --git a/descriptions/edges/GH_CanReadSecretScanningAlert.md b/descriptions/edges/GH_CanReadSecretScanningAlert.md
index 66d931a..15e576b 100644
--- a/descriptions/edges/GH_CanReadSecretScanningAlert.md
+++ b/descriptions/edges/GH_CanReadSecretScanningAlert.md
@@ -1,6 +1,6 @@
 ## General Information
-The traversable `GH_CanReadSecretScanningAlert` edge is a computed edge indicating that a role can read a specific secret scanning alert, including the leaked secret value. Created by `Compute-GitHoundSecretScanningAccess` with no additional API calls, the computation cross-references `GH_ViewSecretScanningAlerts` permission edges with `GH_Contains` structural edges (org-level and repo-level) to determine which alerts each role can access. This edge is traversable because reading an alert reveals the leaked secret — if the secret is a valid GitHub Personal Access Token, the `GH_ValidToken` edge enables identity compromise of the token's owner.
+The traversable `GH_CanReadSecretScanningAlert` edge is a computed edge indicating that a role can read a specific secret scanning alert, including the leaked secret value. The computation cross-references `GH_ViewSecretScanningAlerts` permission edges with `GH_Contains` structural edges (org-level and repo-level) to determine which alerts each role can access. This edge is traversable because reading an alert reveals the leaked secret — if the secret is a valid GitHub Personal Access Token, the `GH_ValidToken` edge enables identity compromise of the token's owner.
 Each edge includes a `reason` property (`org_role_permission` or `repo_role_permission`) and a `query_composition` Cypher query showing the underlying graph evidence.
diff --git a/descriptions/edges/GH_CanWriteBranch.md b/descriptions/edges/GH_CanWriteBranch.md
index e0b7847..0e8332e 100644
--- a/descriptions/edges/GH_CanWriteBranch.md
+++ b/descriptions/edges/GH_CanWriteBranch.md
@@ -1,6 +1,6 @@
 ## General Information
-The traversable `GH_CanWriteBranch` edge is a computed edge indicating that a role or actor can push to a specific branch. Created by `Compute-GitHoundBranchAccess` with no additional API calls, the computation evaluates both the merge gate (PR review requirements) and push gate (push restrictions) of any branch protection rule protecting the branch. Role-level edges are the common case; per-actor edges from `GH_User` or `GH_Team` are only emitted when BPR allowances grant access beyond what the role provides. Each edge includes a `reason` property (`no_protection`, `admin`, `push_protected_branch`, `bypass_branch_protection`, `push_allowance`, `bypass_pr_allowance`) and a `query_composition` Cypher query showing the underlying graph evidence.
+The traversable `GH_CanWriteBranch` edge is a computed edge indicating that a role or actor can push to a specific branch. The computation evaluates both the merge gate (PR review requirements) and push gate (push restrictions) of any branch protection rule protecting the branch. Role-level edges are the common case; per-actor edges from `GH_User` or `GH_Team` are only emitted when BPR allowances grant access beyond what the role provides. Each edge includes a `reason` property (`no_protection`, `admin`, `push_protected_branch`, `bypass_branch_protection`, `push_allowance`, `bypass_pr_allowance`) and a `query_composition` Cypher query showing the underlying graph evidence.
 ## Scenarios
diff --git a/descriptions/edges/GH_DependsOn.md b/descriptions/edges/GH_DependsOn.md
index a799856..28a64fb 100644
--- a/descriptions/edges/GH_DependsOn.md
+++ b/descriptions/edges/GH_DependsOn.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_DependsOn` edge represents a `needs:` dependency between two jobs in the same workflow. Created by `Parse-GitHoundWorkflow`, this edge captures execution order constraints — the source job will not start until the destination job completes successfully. This edge is non-traversable because it represents sequencing only, not an access or privilege path.
+The non-traversable `GH_DependsOn` edge represents a `needs:` dependency between two jobs in the same workflow. This edge captures execution order constraints — the source job will not start until the destination job completes successfully. This edge is non-traversable because it represents sequencing only, not an access or privilege path.
diff --git a/descriptions/edges/GH_DeploysTo.md b/descriptions/edges/GH_DeploysTo.md
index a72867a..0458bc7 100644
--- a/descriptions/edges/GH_DeploysTo.md
+++ b/descriptions/edges/GH_DeploysTo.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_DeploysTo` edge links a workflow job to the GitHub Environment it targets via the `environment:` key. Created by `Parse-GitHoundWorkflow`, this edge records which jobs deploy to which environments. Environments can gate deployments with protection rules (required reviewers, wait timers, deployment branch policies) and can expose environment-scoped secrets.
+The non-traversable `GH_DeploysTo` edge links a workflow job to the GitHub Environment it targets via the `environment:` key. This edge records which jobs deploy to which environments. Environments can gate deployments with protection rules (required reviewers, wait timers, deployment branch policies) and can expose environment-scoped secrets.
diff --git a/descriptions/edges/GH_HasBaseRole.md b/descriptions/edges/GH_HasBaseRole.md
index cf5d40a..cac239c 100644
--- a/descriptions/edges/GH_HasBaseRole.md
+++ b/descriptions/edges/GH_HasBaseRole.md
@@ -1,3 +1,3 @@
 ## General Information
-The traversable `GH_HasBaseRole` edge represents role inheritance within the GitHub permission hierarchy. Org roles inherit down to all-repo roles (e.g., Owners inherits to all_repo_admin), and custom roles inherit from their base roles (e.g., a custom_role inherits from write). It is created by `Git-HoundOrganization` (for org-to-repo role inheritance) and `Git-HoundRepository` (for repo-level role inheritance). This edge is traversable because it extends permissions through the role hierarchy, meaning a principal with a higher-level role implicitly holds all inherited lower-level roles.
+The traversable `GH_HasBaseRole` edge represents role inheritance within the GitHub permission hierarchy. Org roles inherit down to all-repo roles (e.g., Owners inherits to all_repo_admin), and custom roles inherit from their base roles (e.g., a custom_role inherits from write). This edge is traversable because it extends permissions through the role hierarchy, meaning a principal with a higher-level role implicitly holds all inherited lower-level roles.
diff --git a/descriptions/edges/GH_HasBranch.md b/descriptions/edges/GH_HasBranch.md
index 6cde74f..4030e1f 100644
--- a/descriptions/edges/GH_HasBranch.md
+++ b/descriptions/edges/GH_HasBranch.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_HasBranch` edge represents the relationship between a repository and its branches. Created by `Git-HoundBranch`, this edge links each collected branch to its parent repository. It is a structural edge that provides the foundation for understanding branch-level protections and access controls. While not traversable itself, it connects repositories to branches where traversable edges like `GH_CanWriteBranch` and `GH_CanEditProtection` model the effective access.
+The non-traversable `GH_HasBranch` edge represents the relationship between a repository and its branches. This edge links each collected branch to its parent repository. It is a structural edge that provides the foundation for understanding branch-level protections and access controls. While not traversable itself, it connects repositories to branches where traversable edges like `GH_CanWriteBranch` and `GH_CanEditProtection` model the effective access.
diff --git a/descriptions/edges/GH_HasEnvironment.md b/descriptions/edges/GH_HasEnvironment.md
index e2b6e9a..300eb5a 100644
--- a/descriptions/edges/GH_HasEnvironment.md
+++ b/descriptions/edges/GH_HasEnvironment.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_HasEnvironment` edge represents the relationship between a repository or branch and its deployment environments. Created by `Git-HoundEnvironment`, this edge links environments to the repositories that define them and to the branches that are allowed to deploy to them (via deployment branch policies). Environments are security-relevant because they can gate access to secrets and cloud credentials, and their deployment branch policies control which branches can trigger deployments.
+The non-traversable `GH_HasEnvironment` edge represents the relationship between a repository or branch and its deployment environments. This edge links environments to the repositories that define them and to the branches that are allowed to deploy to them (via deployment branch policies). Environments are security-relevant because they can gate access to secrets and cloud credentials, and their deployment branch policies control which branches can trigger deployments.
diff --git a/descriptions/edges/GH_HasExternalIdentity.md b/descriptions/edges/GH_HasExternalIdentity.md
index f7426f7..1bf91e7 100644
--- a/descriptions/edges/GH_HasExternalIdentity.md
+++ b/descriptions/edges/GH_HasExternalIdentity.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_HasExternalIdentity` edge represents the relationship between a SAML identity provider and the external identities (SSO users) it manages. Created by `Git-HoundGraphQlSamlProvider`, this edge links each external identity to the SAML provider that authenticated it. External identities are a key component in cross-platform attack path analysis because they bridge the gap between corporate identity providers and GitHub user accounts via the `GH_MapsToUser` edge. Enumerating external identities reveals which corporate users have linked GitHub accounts and enables mapping from IdP compromise to GitHub access.
+The non-traversable `GH_HasExternalIdentity` edge represents the relationship between a SAML identity provider and the external identities (SSO users) it manages. This edge links each external identity to the SAML provider that authenticated it. External identities are a key component in cross-platform attack path analysis because they bridge the gap between corporate identity providers and GitHub user accounts via the `GH_MapsToUser` edge. Enumerating external identities reveals which corporate users have linked GitHub accounts and enables mapping from IdP compromise to GitHub access.
diff --git a/descriptions/edges/GH_HasJob.md b/descriptions/edges/GH_HasJob.md
index 5c49fe9..3cae84f 100644
--- a/descriptions/edges/GH_HasJob.md
+++ b/descriptions/edges/GH_HasJob.md
@@ -1,3 +1,3 @@
 ## General Information
-The traversable `GH_HasJob` edge links a workflow to each of its jobs. Created by `Parse-GitHoundWorkflow`, this edge is the primary structural link for walking from a workflow definition into its execution units. Because jobs can declare environments and permissions, traversing this edge enables analysts to reason about what a workflow can do and where it can deploy.
+The traversable `GH_HasJob` edge links a workflow to each of its jobs. This edge is the primary structural link for walking from a workflow definition into its execution units. Because jobs can declare environments and permissions, traversing this edge enables analysts to reason about what a workflow can do and where it can deploy.
diff --git a/descriptions/edges/GH_HasPersonalAccessToken.md b/descriptions/edges/GH_HasPersonalAccessToken.md
index 7982d5f..785869c 100644
--- a/descriptions/edges/GH_HasPersonalAccessToken.md
+++ b/descriptions/edges/GH_HasPersonalAccessToken.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_HasPersonalAccessToken` edge represents the relationship between a user and their fine-grained personal access tokens that have been granted access to the organization. Created by `Git-HoundPersonalAccessToken`, this edge links each approved token back to the user who created it. Fine-grained personal access tokens are security-significant because they provide programmatic access to organization resources with specific scoped permissions. Tracking token ownership is essential for understanding which users have standing API access and for identifying tokens that may need revocation.
+The non-traversable `GH_HasPersonalAccessToken` edge represents the relationship between a user and their fine-grained personal access tokens that have been granted access to the organization. This edge links each approved token back to the user who created it. Fine-grained personal access tokens are security-significant because they provide programmatic access to organization resources with specific scoped permissions. Tracking token ownership is essential for understanding which users have standing API access and for identifying tokens that may need revocation.
diff --git a/descriptions/edges/GH_HasPersonalAccessTokenRequest.md b/descriptions/edges/GH_HasPersonalAccessTokenRequest.md
index 7ffaa0b..d0fac2f 100644
--- a/descriptions/edges/GH_HasPersonalAccessTokenRequest.md
+++ b/descriptions/edges/GH_HasPersonalAccessTokenRequest.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_HasPersonalAccessTokenRequest` edge represents the relationship between a user and their pending personal access token requests awaiting organizational approval. Created by `Git-HoundPersonalAccessTokenRequest`, this edge links each pending token request back to the user who submitted it. Pending token requests are security-relevant because they represent access that may soon be granted, and reviewing them helps administrators understand what permissions users are requesting before approval. Organizations that require approval for fine-grained PATs will have these requests queued until an administrator acts on them.
+The non-traversable `GH_HasPersonalAccessTokenRequest` edge represents the relationship between a user and their pending personal access token requests awaiting organizational approval. This edge links each pending token request back to the user who submitted it. Pending token requests are security-relevant because they represent access that may soon be granted, and reviewing them helps administrators understand what permissions users are requesting before approval. Organizations that require approval for fine-grained PATs will have these requests queued until an administrator acts on them.
diff --git a/descriptions/edges/GH_HasRole.md b/descriptions/edges/GH_HasRole.md
index cd6c268..cdfde84 100644
--- a/descriptions/edges/GH_HasRole.md
+++ b/descriptions/edges/GH_HasRole.md
@@ -1,3 +1,3 @@
 ## General Information
-The traversable `GH_HasRole` edge represents the assignment of a user or team to a specific role within the organization, repository, or team. This is the primary edge for connecting identities to their permissions and serves as the foundation of all access paths in the GitHub permission model. It is created by `Git-HoundUser` (for org roles), `Git-HoundRepositoryRole` (for repo roles), and `Git-HoundTeam` (for team roles). Because role assignment is the starting point for determining what a principal can do, this edge is traversable and critical for attack path analysis.
+The traversable `GH_HasRole` edge represents the assignment of a user or team to a specific role within the organization, repository, or team. This is the primary edge for connecting identities to their permissions and serves as the foundation of all access paths in the GitHub permission model. Because role assignment is the starting point for determining what a principal can do, this edge is traversable and critical for attack path analysis.
diff --git a/descriptions/edges/GH_HasSamlIdentityProvider.md b/descriptions/edges/GH_HasSamlIdentityProvider.md
index 95a544e..373cfaa 100644
--- a/descriptions/edges/GH_HasSamlIdentityProvider.md
+++ b/descriptions/edges/GH_HasSamlIdentityProvider.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_HasSamlIdentityProvider` edge represents the relationship between an organization and its SAML identity provider configuration. Created by `Git-HoundGraphQlSamlProvider`, this edge links an organization to the SAML SSO provider used for authentication and user provisioning. SAML identity providers are a critical security component because they establish the trust boundary between an external identity provider (such as Entra ID or Okta) and the GitHub organization. Understanding this relationship is essential for mapping cross-platform attack paths where compromise of the identity provider could lead to access within the GitHub organization.
+The non-traversable `GH_HasSamlIdentityProvider` edge represents the relationship between an organization and its SAML identity provider configuration. This edge links an organization to the SAML SSO provider used for authentication and user provisioning. SAML identity providers are a critical security component because they establish the trust boundary between an external identity provider (such as Entra ID or Okta) and the GitHub organization. Understanding this relationship is essential for mapping cross-platform attack paths where compromise of the identity provider could lead to access within the GitHub organization.
diff --git a/descriptions/edges/GH_HasSecret.md b/descriptions/edges/GH_HasSecret.md
index 5780d58..398e017 100644
--- a/descriptions/edges/GH_HasSecret.md
+++ b/descriptions/edges/GH_HasSecret.md
@@ -1,3 +1,3 @@
 ## General Information
-The traversable `GH_HasSecret` edge represents the relationship between a repository or environment and the secrets accessible within that context. Created by `Git-HoundOrganizationSecret`, `Git-HoundSecret`, and `Git-HoundEnvironment`, this edge shows which secrets are available in which scopes. Repositories can have access to both organization-level secrets (scoped to selected repositories) and repository-level secrets, while environments contain their own environment-scoped secrets. This edge is traversable because any principal that can push code to a repository (via `GH_CanWriteBranch` or `GH_CanCreateBranch`) can write a workflow that exfiltrates the secret values at runtime, making this a meaningful link in attack path analysis.
+The traversable `GH_HasSecret` edge represents the relationship between a repository or environment and the secrets accessible within that context. This edge shows which secrets are available in which scopes. Repositories can have access to both organization-level secrets (scoped to selected repositories) and repository-level secrets, while environments contain their own environment-scoped secrets. This edge is traversable because any principal that can push code to a repository (via `GH_CanWriteBranch` or `GH_CanCreateBranch`) can write a workflow that exfiltrates the secret values at runtime, making this a meaningful link in attack path analysis.
diff --git a/descriptions/edges/GH_HasStep.md b/descriptions/edges/GH_HasStep.md
index 27aab07..781b770 100644
--- a/descriptions/edges/GH_HasStep.md
+++ b/descriptions/edges/GH_HasStep.md
@@ -1,3 +1,3 @@
 ## General Information
-The traversable `GH_HasStep` edge links a job to each of its steps in execution order. Created by `Parse-GitHoundWorkflow`, this edge enables analysts to enumerate all actions and shell commands executed by a job, including which secrets and variables each step consumes.
+The traversable `GH_HasStep` edge links a job to each of its steps in execution order. This edge enables analysts to enumerate all actions and shell commands executed by a job, including which secrets and variables each step consumes.
diff --git a/descriptions/edges/GH_HasVariable.md b/descriptions/edges/GH_HasVariable.md
index 8a62f5d..80c8d90 100644
--- a/descriptions/edges/GH_HasVariable.md
+++ b/descriptions/edges/GH_HasVariable.md
@@ -1,3 +1,3 @@
 ## General Information
-The traversable `GH_HasVariable` edge represents the relationship between a repository and the variables accessible within that context. Created by `Git-HoundOrganizationSecret` and `Git-HoundVariable`, this edge shows which variables are available in which scopes. Repositories can have access to both organization-level variables (scoped by visibility to all, private, or selected repositories) and repository-level variables defined directly on the repo. This edge is traversable because any principal that can push code to a repository (via `GH_CanWriteBranch` or `GH_CanCreateBranch`) can write a workflow that reads variable values at runtime, and variables may contain configuration data useful for lateral movement such as deployment URLs, service names, or environment identifiers.
+The traversable `GH_HasVariable` edge represents the relationship between a repository and the variables accessible within that context. This edge shows which variables are available in which scopes. Repositories can have access to both organization-level variables (scoped by visibility to all, private, or selected repositories) and repository-level variables defined directly on the repo. This edge is traversable because any principal that can push code to a repository (via `GH_CanWriteBranch` or `GH_CanCreateBranch`) can write a workflow that reads variable values at runtime, and variables may contain configuration data useful for lateral movement such as deployment URLs, service names, or environment identifiers.
diff --git a/descriptions/edges/GH_HasWorkflow.md b/descriptions/edges/GH_HasWorkflow.md
index 80f80f1..7b144aa 100644
--- a/descriptions/edges/GH_HasWorkflow.md
+++ b/descriptions/edges/GH_HasWorkflow.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_HasWorkflow` edge represents the relationship between a repository and its GitHub Actions workflows. Created by `Git-HoundWorkflow`, this edge links each discovered workflow definition to its parent repository. Workflows are significant from a security perspective because they can execute arbitrary code with repository permissions, access secrets, and assume cloud identities. This structural edge enables analysts to enumerate which workflows exist in a given repository.
+The non-traversable `GH_HasWorkflow` edge represents the relationship between a repository and its GitHub Actions workflows. This edge links each discovered workflow definition to its parent repository. Workflows are significant from a security perspective because they can execute arbitrary code with repository permissions, access secrets, and assume cloud identities. This structural edge enables analysts to enumerate which workflows exist in a given repository.
diff --git a/descriptions/edges/GH_InstalledAs.md b/descriptions/edges/GH_InstalledAs.md
index ec16e5b..341f585 100644
--- a/descriptions/edges/GH_InstalledAs.md
+++ b/descriptions/edges/GH_InstalledAs.md
@@ -1,3 +1,3 @@
 ## General Information
-The traversable `GH_InstalledAs` edge links a GitHub App to its installation within the organization. It is created by `Git-HoundAppInstallation` during app installation enumeration. This edge is traversable because it connects the app definition to its active installation, which determines the specific set of repositories and permissions the app has been granted. Understanding the relationship between an app and its installation is essential for tracing how app-level permissions translate into repository access.
+The traversable `GH_InstalledAs` edge links a GitHub App to its installation within the organization. This edge is traversable because it connects the app definition to its active installation, which determines the specific set of repositories and permissions the app has been granted. Understanding the relationship between an app and its installation is essential for tracing how app-level permissions translate into repository access.
diff --git a/descriptions/edges/GH_MapsToUser.md b/descriptions/edges/GH_MapsToUser.md
index ad31310..238dfde 100644
--- a/descriptions/edges/GH_MapsToUser.md
+++ b/descriptions/edges/GH_MapsToUser.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_MapsToUser` edge maps an external identity (provisioned via SAML or SCIM) to a GitHub user within the organization, or to an external IdP user (such as [AZUser](https://bloodhound.specterops.io/resources/nodes/az-user), [Okta_User](https://bloodhound.specterops.io/opengraph/extensions/okta/nodes/okta_user), or [PingOneUser](https://github.com/andyrobbins/PingOneHound?tab=readme-ov-file#schema)) in hybrid graph scenarios. It is created by `Git-HoundGraphQlSamlProvider` for SAML-linked identities and `Git-HoundScimUser` for SCIM-provisioned identities. This edge represents identity correlation rather than an attack path, connecting a user's external IdP account to their GitHub account for visibility into federated identity mappings.
+The non-traversable `GH_MapsToUser` edge maps an external identity (provisioned via SAML or SCIM) to a GitHub user within the organization, or to an external IdP user (such as [AZUser](https://bloodhound.specterops.io/resources/nodes/az-user), [Okta_User](https://bloodhound.specterops.io/opengraph/extensions/okta/nodes/okta_user), or [PingOneUser](https://github.com/andyrobbins/PingOneHound?tab=readme-ov-file#schema)) in hybrid graph scenarios. This edge represents identity correlation rather than an attack path, connecting a user's external IdP account to their GitHub account for visibility into federated identity mappings.
diff --git a/descriptions/edges/GH_MemberOf.md b/descriptions/edges/GH_MemberOf.md
index 70fddb9..463ef2b 100644
--- a/descriptions/edges/GH_MemberOf.md
+++ b/descriptions/edges/GH_MemberOf.md
@@ -1,3 +1,3 @@
 ## General Information
-The traversable `GH_MemberOf` edge represents team membership, linking a team role to its parent team or a child team to a parent team in nested team hierarchies. It is created by `Git-HoundTeam` during team enumeration. This edge is traversable because team membership extends access transitively -- a user who holds a role in a child team inherits the repository permissions of all ancestor teams in the nesting hierarchy, making it a key component of attack path analysis.
+The traversable `GH_MemberOf` edge represents team membership, linking a team role to its parent team or a child team to a parent team in nested team hierarchies. This edge is traversable because team membership extends access transitively -- a user who holds a role in a child team inherits the repository permissions of all ancestor teams in the nesting hierarchy, making it a key component of attack path analysis.
diff --git a/descriptions/edges/GH_Owns.md b/descriptions/edges/GH_Owns.md
index 95a3ff5..55800fc 100644
--- a/descriptions/edges/GH_Owns.md
+++ b/descriptions/edges/GH_Owns.md
@@ -1,3 +1,3 @@
 ## General Information
-The traversable `GH_Owns` edge represents that an organization owns a repository. Created by `Git-HoundRepository`, this edge establishes the foundation of the access control model by linking repositories to their owning organization. It is traversable because repository ownership is a critical relationship for understanding how organizational permissions cascade down to repository-level access, making it essential for attack path analysis.
+The traversable `GH_Owns` edge represents that an organization owns a repository. This edge establishes the foundation of the access control model by linking repositories to their owning organization. It is traversable because repository ownership is a critical relationship for understanding how organizational permissions cascade down to repository-level access, making it essential for attack path analysis.
diff --git a/descriptions/edges/GH_ProtectedBy.md b/descriptions/edges/GH_ProtectedBy.md
index ba21050..85c7a60 100644
--- a/descriptions/edges/GH_ProtectedBy.md
+++ b/descriptions/edges/GH_ProtectedBy.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_ProtectedBy` edge represents that a branch protection rule applies to a specific branch. Created by `Git-HoundBranch` when branch protection rules are collected, this edge links protection rules to the branches they govern. Understanding which protections apply to a branch is critical for determining the effective access model — protections such as required reviews, status checks, and push restrictions directly impact who can modify a branch. This edge is consumed by the computed edge functions (`Compute-GitHoundBranchAccess`) to determine effective push access; the computed `GH_CanWriteBranch` and `GH_CanEditProtection` edges carry traversability instead.
+The non-traversable `GH_ProtectedBy` edge represents that a branch protection rule applies to a specific branch. This edge links protection rules to the branches they govern. Understanding which protections apply to a branch is critical for determining the effective access model — protections such as required reviews, status checks, and push restrictions directly impact who can modify a branch. This edge is consumed by the computed branch-access edges to determine effective push access; the computed `GH_CanWriteBranch` and `GH_CanEditProtection` edges carry traversability instead.
diff --git a/descriptions/edges/GH_RestrictionsCanPush.md b/descriptions/edges/GH_RestrictionsCanPush.md
index e2434a9..56d3325 100644
--- a/descriptions/edges/GH_RestrictionsCanPush.md
+++ b/descriptions/edges/GH_RestrictionsCanPush.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_RestrictionsCanPush` edge represents a per-actor allowance that grants push access through push restrictions on a branch protection rule. Created by `Git-HoundBranch` when collecting BPR push allowances, this edge identifies specific users or teams that are permitted to push to the protected branch even when push restrictions are active. This is security-relevant because push restrictions limit who can directly push to a branch, and actors with this allowance bypass that control. Unlike `GH_BypassPullRequestAllowances`, this allowance is NOT suppressed by `enforce_admins` — listed actors retain push access regardless of admin enforcement settings.
+The non-traversable `GH_RestrictionsCanPush` edge represents a per-actor allowance that grants push access through push restrictions on a branch protection rule. This edge identifies specific users or teams that are permitted to push to the protected branch even when push restrictions are active. This is security-relevant because push restrictions limit who can directly push to a branch, and actors with this allowance bypass that control. Unlike `GH_BypassPullRequestAllowances`, this allowance is NOT suppressed by `enforce_admins` — listed actors retain push access regardless of admin enforcement settings.
diff --git a/descriptions/edges/GH_SyncedTo.md b/descriptions/edges/GH_SyncedTo.md
index e1557d8..c759433 100644
--- a/descriptions/edges/GH_SyncedTo.md
+++ b/descriptions/edges/GH_SyncedTo.md
@@ -1,3 +1,3 @@
 ## General Information
-The traversable `GH_SyncedTo` edge is a hybrid edge that maps an external IdP user to a GitHub user based on SCIM provisioning. Created by `Git-HoundScimUser` when SCIM data links an external identity to a GitHub account, this edge represents a confirmed identity linkage between an external identity provider and GitHub. It is traversable because compromising the IdP account provides a verified path to the corresponding GitHub account, making it a critical edge for cross-system attack path analysis. This edge enables analysts to trace access from enterprise identity providers like Azure AD, Okta, or PingOne into the GitHub environment.
+The traversable `GH_SyncedTo` edge is a hybrid edge that maps an external IdP user to a GitHub user based on SCIM provisioning. This edge represents a confirmed identity linkage between an external identity provider and GitHub. It is traversable because compromising the IdP account provides a verified path to the corresponding GitHub account, making it a critical edge for cross-system attack path analysis. This edge enables analysts to trace access from enterprise identity providers like Azure AD, Okta, or PingOne into the GitHub environment.
diff --git a/descriptions/edges/GH_UsesSecret.md b/descriptions/edges/GH_UsesSecret.md
index 86eb72d..324bd50 100644
--- a/descriptions/edges/GH_UsesSecret.md
+++ b/descriptions/edges/GH_UsesSecret.md
@@ -1,6 +1,6 @@
 ## General Information
-The traversable `GH_UsesSecret` edge links a workflow step to the secret it references via a `${{ secrets.NAME }}` expression. Created by `Parse-GitHoundWorkflow`, this edge reveals which secrets a step can access at runtime, enabling analysts to trace the blast radius of a compromised workflow.
+The traversable `GH_UsesSecret` edge links a workflow step to the secret it references via a `${{ secrets.NAME }}` expression. This edge reveals which secrets a step can access at runtime, enabling analysts to trace the blast radius of a compromised workflow.
 ### Matching strategy
diff --git a/descriptions/edges/GH_UsesVariable.md b/descriptions/edges/GH_UsesVariable.md
index cbf58c3..2598b5d 100644
--- a/descriptions/edges/GH_UsesVariable.md
+++ b/descriptions/edges/GH_UsesVariable.md
@@ -1,6 +1,6 @@
 ## General Information
-The non-traversable `GH_UsesVariable` edge links a workflow step to the variable it references via a `${{ vars.NAME }}` expression. Created by `Parse-GitHoundWorkflow`, this edge maps variable consumption within workflows. Unlike secrets, variable values are readable via the API, making them lower sensitivity — but they can still influence workflow behavior (e.g., controlling target environments or feature flags).
+The non-traversable `GH_UsesVariable` edge links a workflow step to the variable it references via a `${{ vars.NAME }}` expression. This edge maps variable consumption within workflows. Unlike secrets, variable values are readable via the API, making them lower sensitivity — but they can still influence workflow behavior (e.g., controlling target environments or feature flags).
 ### Matching strategy
diff --git a/descriptions/edges/GH_ValidToken.md b/descriptions/edges/GH_ValidToken.md
index 16340bf..087aa8b 100644
--- a/descriptions/edges/GH_ValidToken.md
+++ b/descriptions/edges/GH_ValidToken.md
@@ -1,3 +1,3 @@
 ## General Information
-The traversable `GH_ValidToken` edge represents a secret scanning alert that contains a valid, active GitHub Personal Access Token belonging to a specific user. Created by `Git-HoundSecretScanningAlert`, this edge is only emitted when the alert's state is `open`, the secret type is `github_personal_access_token`, and the token is confirmed valid by calling the GitHub API. This edge is traversable because possessing the leaked token grants the ability to act as the token's owner, effectively compromising that user's identity and all permissions granted to the token.
+The traversable `GH_ValidToken` edge represents a secret scanning alert that contains a valid, active GitHub Personal Access Token belonging to a specific user. This edge is only emitted when the alert's state is `open`, the secret type is `github_personal_access_token`, and the token is confirmed valid by calling the GitHub API. This edge is traversable because possessing the leaked token grants the ability to act as the token's owner, effectively compromising that user's identity and all permissions granted to the token.
diff --git a/descriptions/nodes/GH_BranchProtectionRule.md b/descriptions/nodes/GH_BranchProtectionRule.md
index 7ebe199..63aa15d 100644
--- a/descriptions/nodes/GH_BranchProtectionRule.md
+++ b/descriptions/nodes/GH_BranchProtectionRule.md
@@ -21,7 +21,7 @@ Branch protection rules are critical security controls. Key settings to review:
 The only branch protection configuration that blocks the write-access → workflow → secrets exfiltration attack path is `push_restrictions` + `blocks_creations` on a `*` pattern rule. However, users with `GH_PushProtectedBranch`, `GH_AdminTo`, `GH_RestrictionsCanPush`, or `GH_EditRepoProtections` can bypass this control.
-For complete analysis, see [BloodHound Docs: GitHound - Mitigating Controls](https://bloodhound.specterops.io/opengraph/extensions/github/mitigating-controls).
+For complete analysis, see [BloodHound Docs: GitHub - Mitigating Controls](https://bloodhound.specterops.io/opengraph/extensions/github/mitigating-controls).
 ### Identifying Bypass Actors
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_addmember.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_addmember.mdx
index cfee1ab..de62490 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_addmember.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_addmember.mdx
@@ -11,4 +11,4 @@ Traversable: true
 ## General Information
-The traversable `GH_AddMember` edge indicates that a team role with the Maintainer permission level can add new members to the team. It is created by `Git-HoundTeam` when enumerating team membership roles. This edge is traversable because the ability to add members grants indirect access -- a maintainer can add any user to the team, and that user then inherits all of the team's repository permissions, effectively expanding the attack surface.
+The traversable `GH_AddMember` edge indicates that a team role with the Maintainer permission level can add new members to the team. This edge is traversable because the ability to add members grants indirect access -- a maintainer can add any user to the team, and that user then inherits all of the team's repository permissions, effectively expanding the attack surface.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_bypasspullrequestallowances.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_bypasspullrequestallowances.mdx
index 92db5c6..7c20759 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_bypasspullrequestallowances.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_bypasspullrequestallowances.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_BypassPullRequestAllowances` edge represents a per-actor allowance that bypasses the pull request review requirement on a branch protection rule. Created by `Git-HoundBranch` when collecting BPR bypass allowances, this edge identifies specific users or teams that can merge code without going through the normal PR review process. This is a significant security concern because these actors can push or merge changes directly, circumventing code review controls that protect branch integrity. Note that this bypass is suppressed when `enforce_admins` is enabled on the branch protection rule, meaning even listed actors must follow the PR review requirement.
+The non-traversable `GH_BypassPullRequestAllowances` edge represents a per-actor allowance that bypasses the pull request review requirement on a branch protection rule. This edge identifies specific users or teams that can merge code without going through the normal PR review process. This is a significant security concern because these actors can push or merge changes directly, circumventing code review controls that protect branch integrity. Note that this bypass is suppressed when `enforce_admins` is enabled on the branch protection rule, meaning even listed actors must follow the PR review requirement.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_callsworkflow.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_callsworkflow.mdx
index a911bdb..8607010 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_callsworkflow.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_callsworkflow.mdx
@@ -11,7 +11,7 @@ Traversable: false
 ## General Information
-The traversable `GH_CallsWorkflow` edge links a workflow job to a reusable workflow it invokes via the `uses:` key at the job level. Created by `Parse-GitHoundWorkflow`, this edge captures the reusable workflow call graph, enabling analysts to trace inherited permissions and secret access through called workflows.
+The traversable `GH_CallsWorkflow` edge links a workflow job to a reusable workflow it invokes via the `uses:` key at the job level. This edge captures the reusable workflow call graph, enabling analysts to trace inherited permissions and secret access through called workflows.
 ### Local vs. remote reusable workflows
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_canaccess.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_canaccess.mdx
index def8251..a12de6b 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_canaccess.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_canaccess.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_CanAccess` edge indicates that a personal access token or app installation has been granted access to specific repositories. It is created by `Git-HoundPersonalAccessToken` and `Git-HoundPersonalAccessTokenRequest` for PATs, and by `Git-HoundAppInstallation` for app installations. This edge represents the scope of access granted to a token or app rather than a direct attack path, providing visibility into which repositories are reachable through non-human credentials. It is non-traversable because token and app access does not transitively extend to other principals.
+The non-traversable `GH_CanAccess` edge indicates that a personal access token or app installation has been granted access to specific repositories. This edge represents the scope of access granted to a token or app rather than a direct attack path, providing visibility into which repositories are reachable through non-human credentials. It is non-traversable because token and app access does not transitively extend to other principals.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_canassumeidentity.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_canassumeidentity.mdx
index f553072..d4b4d07 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_canassumeidentity.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_canassumeidentity.mdx
@@ -11,4 +11,4 @@ Traversable: true
 ## General Information
-The traversable `GH_CanAssumeIdentity` edge is a hybrid edge connecting GitHub OIDC token sources to cloud identity targets configured for GitHub Actions federation. Created by the collector when matching GitHub OIDC subject claims to cloud workload identity federation configurations, this edge represents a verified path from GitHub Actions to cloud resource access. It is traversable because an attacker who can execute workflows in the source repository, branch, or environment can obtain an OIDC token that the cloud provider will accept, granting access to the associated cloud identity and its permissions. This edge is critical for identifying cross-cloud lateral movement paths from GitHub into Azure and AWS.
+The traversable `GH_CanAssumeIdentity` edge is a hybrid edge connecting GitHub OIDC token sources to cloud identity targets configured for GitHub Actions federation. This edge represents a verified path from GitHub Actions to cloud resource access. It is traversable because an attacker who can execute workflows in the source repository, branch, or environment can obtain an OIDC token that the cloud provider will accept, granting access to the associated cloud identity and its permissions. This edge is critical for identifying cross-cloud lateral movement paths from GitHub into Azure and AWS.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_cancreatebranch.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_cancreatebranch.mdx
index 5529cc8..8239c65 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_cancreatebranch.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_cancreatebranch.mdx
@@ -11,7 +11,7 @@ Traversable: true
 ## General Information
-The traversable `GH_CanCreateBranch` edge is a computed edge indicating that a role or actor can create new branches in a repository. Created by `Compute-GitHoundBranchAccess` with no additional API calls, the computation evaluates whether a wildcard (`*`) BPR with push restrictions and `blocks_creations` exists. If no such BPR exists, any write-capable role can create branches. If one exists, admin or `push_protected_branch` permission is required, or the actor must be listed in pushAllowances. Per-actor edges from [GH_User](/opengraph/extensions/github/nodes/gh_user) or [GH_Team](/opengraph/extensions/github/nodes/gh_team) are only emitted when BPR allowances grant branch creation access beyond what the role provides. Each edge includes a `reason` property and a `query_composition` Cypher query showing the underlying graph evidence.
+The traversable `GH_CanCreateBranch` edge is a computed edge indicating that a role or actor can create new branches in a repository. The computation evaluates whether a wildcard (`*`) BPR with push restrictions and `blocks_creations` exists. If no such BPR exists, any write-capable role can create branches. If one exists, admin or `push_protected_branch` permission is required, or the actor must be listed in pushAllowances. Per-actor edges from [GH_User](/opengraph/extensions/github/nodes/gh_user) or [GH_Team](/opengraph/extensions/github/nodes/gh_team) are only emitted when BPR allowances grant branch creation access beyond what the role provides. Each edge includes a `reason` property and a `query_composition` Cypher query showing the underlying graph evidence.
 ## Scenarios
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_caneditprotection.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_caneditprotection.mdx
index a09a8b5..0da7604 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_caneditprotection.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_caneditprotection.mdx
@@ -11,7 +11,7 @@ Traversable: true
 ## General Information
-The traversable `GH_CanEditProtection` edge is a computed edge indicating that a role can modify or remove the branch protection rules governing a specific branch. Created by `Compute-GitHoundBranchAccess` with no additional API calls, this edge is emitted when the role has [GH_EditRepoProtections](/opengraph/extensions/github/edges/gh_editrepoprotections) or [GH_AdminTo](/opengraph/extensions/github/edges/gh_adminto) permissions and the branch is covered by at least one branch protection rule. The edge targets the protected branch (not the BPR itself) because the security impact is evaluated per-branch — a role that can weaken or remove protections on a branch can subsequently push code to it, representing a privilege escalation path.
+The traversable `GH_CanEditProtection` edge is a computed edge indicating that a role can modify or remove the branch protection rules governing a specific branch. This edge is emitted when the role has [GH_EditRepoProtections](/opengraph/extensions/github/edges/gh_editrepoprotections) or [GH_AdminTo](/opengraph/extensions/github/edges/gh_adminto) permissions and the branch is covered by at least one branch protection rule. The edge targets the protected branch (not the BPR itself) because the security impact is evaluated per-branch — a role that can weaken or remove protections on a branch can subsequently push code to it, representing a privilege escalation path.
 ## Scenarios
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_canpwnrequest.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_canpwnrequest.mdx
index 228060e..a1bf94d 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_canpwnrequest.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_canpwnrequest.mdx
@@ -11,7 +11,7 @@ Traversable: true
 ## General Information
-The traversable `GH_CanPwnRequest` edge indicates that a repository role can exploit a pwn-requestable workflow to execute arbitrary code with the base branch's secrets, GITHUB_TOKEN permissions, and OIDC identity. Created by `Get-PwnRequestEdges`, this is a computed edge that combines workflow analysis with repository access and fork policy evaluation.
+The traversable `GH_CanPwnRequest` edge indicates that a repository role can exploit a pwn-requestable workflow to execute arbitrary code with the base branch's secrets, GITHUB_TOKEN permissions, and OIDC identity. This is a computed edge that combines workflow analysis with repository access and fork policy evaluation.
 ### Pwn Request Conditions
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_canreadsecretscanningalert.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_canreadsecretscanningalert.mdx
index cf748b8..83b8a5a 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_canreadsecretscanningalert.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_canreadsecretscanningalert.mdx
@@ -11,7 +11,7 @@ Traversable: true
 ## General Information
-The traversable `GH_CanReadSecretScanningAlert` edge is a computed edge indicating that a role can read a specific secret scanning alert, including the leaked secret value. Created by `Compute-GitHoundSecretScanningAccess` with no additional API calls, the computation cross-references [GH_ViewSecretScanningAlerts](/opengraph/extensions/github/edges/gh_viewsecretscanningalerts) permission edges with [GH_Contains](/opengraph/extensions/github/edges/gh_contains) structural edges (org-level and repo-level) to determine which alerts each role can access. This edge is traversable because reading an alert reveals the leaked secret — if the secret is a valid GitHub Personal Access Token, the [GH_ValidToken](/opengraph/extensions/github/edges/gh_validtoken) edge enables identity compromise of the token's owner.
+The traversable `GH_CanReadSecretScanningAlert` edge is a computed edge indicating that a role can read a specific secret scanning alert, including the leaked secret value. The computation cross-references [GH_ViewSecretScanningAlerts](/opengraph/extensions/github/edges/gh_viewsecretscanningalerts) permission edges with [GH_Contains](/opengraph/extensions/github/edges/gh_contains) structural edges (org-level and repo-level) to determine which alerts each role can access. This edge is traversable because reading an alert reveals the leaked secret — if the secret is a valid GitHub Personal Access Token, the [GH_ValidToken](/opengraph/extensions/github/edges/gh_validtoken) edge enables identity compromise of the token's owner.
 Each edge includes a `reason` property (`org_role_permission` or `repo_role_permission`) and a `query_composition` Cypher query showing the underlying graph evidence.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_canwritebranch.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_canwritebranch.mdx
index e7ca58a..5a63b0a 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_canwritebranch.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_canwritebranch.mdx
@@ -11,7 +11,7 @@ Traversable: true
 ## General Information
-The traversable `GH_CanWriteBranch` edge is a computed edge indicating that a role or actor can push to a specific branch. Created by `Compute-GitHoundBranchAccess` with no additional API calls, the computation evaluates both the merge gate (PR review requirements) and push gate (push restrictions) of any branch protection rule protecting the branch. Role-level edges are the common case; per-actor edges from [GH_User](/opengraph/extensions/github/nodes/gh_user) or [GH_Team](/opengraph/extensions/github/nodes/gh_team) are only emitted when BPR allowances grant access beyond what the role provides. Each edge includes a `reason` property (`no_protection`, `admin`, `push_protected_branch`, `bypass_branch_protection`, `push_allowance`, `bypass_pr_allowance`) and a `query_composition` Cypher query showing the underlying graph evidence.
+The traversable `GH_CanWriteBranch` edge is a computed edge indicating that a role or actor can push to a specific branch. The computation evaluates both the merge gate (PR review requirements) and push gate (push restrictions) of any branch protection rule protecting the branch. Role-level edges are the common case; per-actor edges from [GH_User](/opengraph/extensions/github/nodes/gh_user) or [GH_Team](/opengraph/extensions/github/nodes/gh_team) are only emitted when BPR allowances grant access beyond what the role provides. Each edge includes a `reason` property (`no_protection`, `admin`, `push_protected_branch`, `bypass_branch_protection`, `push_allowance`, `bypass_pr_allowance`) and a `query_composition` Cypher query showing the underlying graph evidence.
 ## Scenarios
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_dependson.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_dependson.mdx
index 8b107b9..a8f33e8 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_dependson.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_dependson.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_DependsOn` edge represents a `needs:` dependency between two jobs in the same workflow. Created by `Parse-GitHoundWorkflow`, this edge captures execution order constraints — the source job will not start until the destination job completes successfully. This edge is non-traversable because it represents sequencing only, not an access or privilege path.
+The non-traversable `GH_DependsOn` edge represents a `needs:` dependency between two jobs in the same workflow. This edge captures execution order constraints — the source job will not start until the destination job completes successfully. This edge is non-traversable because it represents sequencing only, not an access or privilege path.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_deploysto.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_deploysto.mdx
index 4394727..c0daf99 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_deploysto.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_deploysto.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_DeploysTo` edge links a workflow job to the GitHub Environment it targets via the `environment:` key. Created by `Parse-GitHoundWorkflow`, this edge records which jobs deploy to which environments. Environments can gate deployments with protection rules (required reviewers, wait timers, deployment branch policies) and can expose environment-scoped secrets.
+The non-traversable `GH_DeploysTo` edge links a workflow job to the GitHub Environment it targets via the `environment:` key. This edge records which jobs deploy to which environments. Environments can gate deployments with protection rules (required reviewers, wait timers, deployment branch policies) and can expose environment-scoped secrets.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasbaserole.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasbaserole.mdx
index 5809ad0..bafb99e 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hasbaserole.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hasbaserole.mdx
@@ -11,4 +11,4 @@ Traversable: true
 ## General Information
-The traversable `GH_HasBaseRole` edge represents role inheritance within the GitHub permission hierarchy. Org roles inherit down to all-repo roles (e.g., Owners inherits to all_repo_admin), and custom roles inherit from their base roles (e.g., a custom_role inherits from write). It is created by `Git-HoundOrganization` (for org-to-repo role inheritance) and `Git-HoundRepository` (for repo-level role inheritance). This edge is traversable because it extends permissions through the role hierarchy, meaning a principal with a higher-level role implicitly holds all inherited lower-level roles.
+The traversable `GH_HasBaseRole` edge represents role inheritance within the GitHub permission hierarchy. Org roles inherit down to all-repo roles (e.g., Owners inherits to all_repo_admin), and custom roles inherit from their base roles (e.g., a custom_role inherits from write). This edge is traversable because it extends permissions through the role hierarchy, meaning a principal with a higher-level role implicitly holds all inherited lower-level roles.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasbranch.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasbranch.mdx
index 2541187..d175105 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hasbranch.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hasbranch.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_HasBranch` edge represents the relationship between a repository and its branches. Created by `Git-HoundBranch`, this edge links each collected branch to its parent repository. It is a structural edge that provides the foundation for understanding branch-level protections and access controls. While not traversable itself, it connects repositories to branches where traversable edges like [GH_CanWriteBranch](/opengraph/extensions/github/edges/gh_canwritebranch) and [GH_CanEditProtection](/opengraph/extensions/github/edges/gh_caneditprotection) model the effective access.
+The non-traversable `GH_HasBranch` edge represents the relationship between a repository and its branches. This edge links each collected branch to its parent repository. It is a structural edge that provides the foundation for understanding branch-level protections and access controls. While not traversable itself, it connects repositories to branches where traversable edges like [GH_CanWriteBranch](/opengraph/extensions/github/edges/gh_canwritebranch) and [GH_CanEditProtection](/opengraph/extensions/github/edges/gh_caneditprotection) model the effective access.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasenvironment.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasenvironment.mdx
index bdb4006..025819f 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hasenvironment.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hasenvironment.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_HasEnvironment` edge represents the relationship between a repository or branch and its deployment environments. Created by `Git-HoundEnvironment`, this edge links environments to the repositories that define them and to the branches that are allowed to deploy to them (via deployment branch policies). Environments are security-relevant because they can gate access to secrets and cloud credentials, and their deployment branch policies control which branches can trigger deployments.
+The non-traversable `GH_HasEnvironment` edge represents the relationship between a repository or branch and its deployment environments. This edge links environments to the repositories that define them and to the branches that are allowed to deploy to them (via deployment branch policies). Environments are security-relevant because they can gate access to secrets and cloud credentials, and their deployment branch policies control which branches can trigger deployments.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasexternalidentity.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasexternalidentity.mdx
index dbd198d..4b02bec 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hasexternalidentity.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hasexternalidentity.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_HasExternalIdentity` edge represents the relationship between a SAML identity provider and the external identities (SSO users) it manages. Created by `Git-HoundGraphQlSamlProvider`, this edge links each external identity to the SAML provider that authenticated it. External identities are a key component in cross-platform attack path analysis because they bridge the gap between corporate identity providers and GitHub user accounts via the [GH_MapsToUser](/opengraph/extensions/github/edges/gh_mapstouser) edge. Enumerating external identities reveals which corporate users have linked GitHub accounts and enables mapping from IdP compromise to GitHub access.
+The non-traversable `GH_HasExternalIdentity` edge represents the relationship between a SAML identity provider and the external identities (SSO users) it manages. This edge links each external identity to the SAML provider that authenticated it. External identities are a key component in cross-platform attack path analysis because they bridge the gap between corporate identity providers and GitHub user accounts via the [GH_MapsToUser](/opengraph/extensions/github/edges/gh_mapstouser) edge. Enumerating external identities reveals which corporate users have linked GitHub accounts and enables mapping from IdP compromise to GitHub access.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasjob.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasjob.mdx
index 59e5a23..bff612f 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hasjob.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hasjob.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The traversable `GH_HasJob` edge links a workflow to each of its jobs. Created by `Parse-GitHoundWorkflow`, this edge is the primary structural link for walking from a workflow definition into its execution units. Because jobs can declare environments and permissions, traversing this edge enables analysts to reason about what a workflow can do and where it can deploy.
+The traversable `GH_HasJob` edge links a workflow to each of its jobs. This edge is the primary structural link for walking from a workflow definition into its execution units. Because jobs can declare environments and permissions, traversing this edge enables analysts to reason about what a workflow can do and where it can deploy.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_haspersonalaccesstoken.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_haspersonalaccesstoken.mdx
index 5605dce..8555287 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_haspersonalaccesstoken.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_haspersonalaccesstoken.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_HasPersonalAccessToken` edge represents the relationship between a user and their fine-grained personal access tokens that have been granted access to the organization. Created by `Git-HoundPersonalAccessToken`, this edge links each approved token back to the user who created it. Fine-grained personal access tokens are security-significant because they provide programmatic access to organization resources with specific scoped permissions. Tracking token ownership is essential for understanding which users have standing API access and for identifying tokens that may need revocation.
+The non-traversable `GH_HasPersonalAccessToken` edge represents the relationship between a user and their fine-grained personal access tokens that have been granted access to the organization. This edge links each approved token back to the user who created it. Fine-grained personal access tokens are security-significant because they provide programmatic access to organization resources with specific scoped permissions. Tracking token ownership is essential for understanding which users have standing API access and for identifying tokens that may need revocation.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_haspersonalaccesstokenrequest.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_haspersonalaccesstokenrequest.mdx
index 8123bf7..c710007 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_haspersonalaccesstokenrequest.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_haspersonalaccesstokenrequest.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_HasPersonalAccessTokenRequest` edge represents the relationship between a user and their pending personal access token requests awaiting organizational approval. Created by `Git-HoundPersonalAccessTokenRequest`, this edge links each pending token request back to the user who submitted it. Pending token requests are security-relevant because they represent access that may soon be granted, and reviewing them helps administrators understand what permissions users are requesting before approval. Organizations that require approval for fine-grained PATs will have these requests queued until an administrator acts on them.
+The non-traversable `GH_HasPersonalAccessTokenRequest` edge represents the relationship between a user and their pending personal access token requests awaiting organizational approval. This edge links each pending token request back to the user who submitted it. Pending token requests are security-relevant because they represent access that may soon be granted, and reviewing them helps administrators understand what permissions users are requesting before approval. Organizations that require approval for fine-grained PATs will have these requests queued until an administrator acts on them.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasrole.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasrole.mdx
index afe2108..ece8a88 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hasrole.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hasrole.mdx
@@ -11,4 +11,4 @@ Traversable: true
 ## General Information
-The traversable `GH_HasRole` edge represents the assignment of a user or team to a specific role within the organization, repository, or team. This is the primary edge for connecting identities to their permissions and serves as the foundation of all access paths in the GitHub permission model. It is created by `Git-HoundUser` (for org roles), `Git-HoundRepositoryRole` (for repo roles), and `Git-HoundTeam` (for team roles). Because role assignment is the starting point for determining what a principal can do, this edge is traversable and critical for attack path analysis.
+The traversable `GH_HasRole` edge represents the assignment of a user or team to a specific role within the organization, repository, or team. This is the primary edge for connecting identities to their permissions and serves as the foundation of all access paths in the GitHub permission model. Because role assignment is the starting point for determining what a principal can do, this edge is traversable and critical for attack path analysis.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hassamlidentityprovider.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hassamlidentityprovider.mdx
index 69ca2c2..51cef4b 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hassamlidentityprovider.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hassamlidentityprovider.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_HasSamlIdentityProvider` edge represents the relationship between an organization and its SAML identity provider configuration. Created by `Git-HoundGraphQlSamlProvider`, this edge links an organization to the SAML SSO provider used for authentication and user provisioning. SAML identity providers are a critical security component because they establish the trust boundary between an external identity provider (such as Entra ID or Okta) and the GitHub organization. Understanding this relationship is essential for mapping cross-platform attack paths where compromise of the identity provider could lead to access within the GitHub organization.
+The non-traversable `GH_HasSamlIdentityProvider` edge represents the relationship between an organization and its SAML identity provider configuration. This edge links an organization to the SAML SSO provider used for authentication and user provisioning. SAML identity providers are a critical security component because they establish the trust boundary between an external identity provider (such as Entra ID or Okta) and the GitHub organization. Understanding this relationship is essential for mapping cross-platform attack paths where compromise of the identity provider could lead to access within the GitHub organization.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hassecret.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hassecret.mdx
index a9da313..6935df2 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hassecret.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hassecret.mdx
@@ -11,4 +11,4 @@ Traversable: true
 ## General Information
-The traversable `GH_HasSecret` edge represents the relationship between a repository or environment and the secrets accessible within that context. Created by `Git-HoundOrganizationSecret`, `Git-HoundSecret`, and `Git-HoundEnvironment`, this edge shows which secrets are available in which scopes. Repositories can have access to both organization-level secrets (scoped to selected repositories) and repository-level secrets, while environments contain their own environment-scoped secrets. This edge is traversable because any principal that can push code to a repository (via [GH_CanWriteBranch](/opengraph/extensions/github/edges/gh_canwritebranch) or [GH_CanCreateBranch](/opengraph/extensions/github/edges/gh_cancreatebranch)) can write a workflow that exfiltrates the secret values at runtime, making this a meaningful link in attack path analysis.
+The traversable `GH_HasSecret` edge represents the relationship between a repository or environment and the secrets accessible within that context. This edge shows which secrets are available in which scopes. Repositories can have access to both organization-level secrets (scoped to selected repositories) and repository-level secrets, while environments contain their own environment-scoped secrets. This edge is traversable because any principal that can push code to a repository (via [GH_CanWriteBranch](/opengraph/extensions/github/edges/gh_canwritebranch) or [GH_CanCreateBranch](/opengraph/extensions/github/edges/gh_cancreatebranch)) can write a workflow that exfiltrates the secret values at runtime, making this a meaningful link in attack path analysis.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasstep.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasstep.mdx
index 13d133c..9a0515b 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hasstep.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hasstep.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The traversable `GH_HasStep` edge links a job to each of its steps in execution order. Created by `Parse-GitHoundWorkflow`, this edge enables analysts to enumerate all actions and shell commands executed by a job, including which secrets and variables each step consumes.
+The traversable `GH_HasStep` edge links a job to each of its steps in execution order. This edge enables analysts to enumerate all actions and shell commands executed by a job, including which secrets and variables each step consumes.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasvariable.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasvariable.mdx
index 465e18f..1e28b09 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hasvariable.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hasvariable.mdx
@@ -11,4 +11,4 @@ Traversable: true
 ## General Information
-The traversable `GH_HasVariable` edge represents the relationship between a repository and the variables accessible within that context. Created by `Git-HoundOrganizationSecret` and `Git-HoundVariable`, this edge shows which variables are available in which scopes. Repositories can have access to both organization-level variables (scoped by visibility to all, private, or selected repositories) and repository-level variables defined directly on the repo. This edge is traversable because any principal that can push code to a repository (via [GH_CanWriteBranch](/opengraph/extensions/github/edges/gh_canwritebranch) or [GH_CanCreateBranch](/opengraph/extensions/github/edges/gh_cancreatebranch)) can write a workflow that reads variable values at runtime, and variables may contain configuration data useful for lateral movement such as deployment URLs, service names, or environment identifiers.
+The traversable `GH_HasVariable` edge represents the relationship between a repository and the variables accessible within that context. This edge shows which variables are available in which scopes. Repositories can have access to both organization-level variables (scoped by visibility to all, private, or selected repositories) and repository-level variables defined directly on the repo. This edge is traversable because any principal that can push code to a repository (via [GH_CanWriteBranch](/opengraph/extensions/github/edges/gh_canwritebranch) or [GH_CanCreateBranch](/opengraph/extensions/github/edges/gh_cancreatebranch)) can write a workflow that reads variable values at runtime, and variables may contain configuration data useful for lateral movement such as deployment URLs, service names, or environment identifiers.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasworkflow.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasworkflow.mdx
index 598856b..44410e0 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hasworkflow.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hasworkflow.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_HasWorkflow` edge represents the relationship between a repository and its GitHub Actions workflows. Created by `Git-HoundWorkflow`, this edge links each discovered workflow definition to its parent repository. Workflows are significant from a security perspective because they can execute arbitrary code with repository permissions, access secrets, and assume cloud identities. This structural edge enables analysts to enumerate which workflows exist in a given repository.
+The non-traversable `GH_HasWorkflow` edge represents the relationship between a repository and its GitHub Actions workflows. This edge links each discovered workflow definition to its parent repository. Workflows are significant from a security perspective because they can execute arbitrary code with repository permissions, access secrets, and assume cloud identities. This structural edge enables analysts to enumerate which workflows exist in a given repository.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_installedas.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_installedas.mdx
index 68662ba..cc961f3 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_installedas.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_installedas.mdx
@@ -11,4 +11,4 @@ Traversable: true
 ## General Information
-The traversable `GH_InstalledAs` edge links a GitHub App to its installation within the organization. It is created by `Git-HoundAppInstallation` during app installation enumeration. This edge is traversable because it connects the app definition to its active installation, which determines the specific set of repositories and permissions the app has been granted. Understanding the relationship between an app and its installation is essential for tracing how app-level permissions translate into repository access.
+The traversable `GH_InstalledAs` edge links a GitHub App to its installation within the organization. This edge is traversable because it connects the app definition to its active installation, which determines the specific set of repositories and permissions the app has been granted. Understanding the relationship between an app and its installation is essential for tracing how app-level permissions translate into repository access.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_mapstouser.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_mapstouser.mdx
index e75c985..13701d5 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_mapstouser.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_mapstouser.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_MapsToUser` edge maps an external identity (provisioned via SAML or SCIM) to a GitHub user within the organization, or to an external IdP user (such as [AZUser](/resources/nodes/az-user), [Okta_User](/opengraph/extensions/okta/nodes/okta_user), or [PingOneUser](https://github.com/andyrobbins/PingOneHound?tab=readme-ov-file#schema)) in hybrid graph scenarios. It is created by `Git-HoundGraphQlSamlProvider` for SAML-linked identities and `Git-HoundScimUser` for SCIM-provisioned identities. This edge represents identity correlation rather than an attack path, connecting a user's external IdP account to their GitHub account for visibility into federated identity mappings.
+The non-traversable `GH_MapsToUser` edge maps an external identity (provisioned via SAML or SCIM) to a GitHub user within the organization, or to an external IdP user (such as [AZUser](/resources/nodes/az-user), [Okta_User](/opengraph/extensions/okta/nodes/okta_user), or [PingOneUser](https://github.com/andyrobbins/PingOneHound?tab=readme-ov-file#schema)) in hybrid graph scenarios. This edge represents identity correlation rather than an attack path, connecting a user's external IdP account to their GitHub account for visibility into federated identity mappings.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_memberof.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_memberof.mdx
index 36b406a..31f4efd 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_memberof.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_memberof.mdx
@@ -11,4 +11,4 @@ Traversable: true
 ## General Information
-The traversable `GH_MemberOf` edge represents team membership, linking a team role to its parent team or a child team to a parent team in nested team hierarchies. It is created by `Git-HoundTeam` during team enumeration. This edge is traversable because team membership extends access transitively -- a user who holds a role in a child team inherits the repository permissions of all ancestor teams in the nesting hierarchy, making it a key component of attack path analysis.
+The traversable `GH_MemberOf` edge represents team membership, linking a team role to its parent team or a child team to a parent team in nested team hierarchies. This edge is traversable because team membership extends access transitively -- a user who holds a role in a child team inherits the repository permissions of all ancestor teams in the nesting hierarchy, making it a key component of attack path analysis.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_owns.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_owns.mdx
index 5ac3076..56b1e45 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_owns.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_owns.mdx
@@ -11,4 +11,4 @@ Traversable: true
 ## General Information
-The traversable `GH_Owns` edge represents that an organization owns a repository. Created by `Git-HoundRepository`, this edge establishes the foundation of the access control model by linking repositories to their owning organization. It is traversable because repository ownership is a critical relationship for understanding how organizational permissions cascade down to repository-level access, making it essential for attack path analysis.
+The traversable `GH_Owns` edge represents that an organization owns a repository. This edge establishes the foundation of the access control model by linking repositories to their owning organization. It is traversable because repository ownership is a critical relationship for understanding how organizational permissions cascade down to repository-level access, making it essential for attack path analysis.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_protectedby.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_protectedby.mdx
index 5979f33..5b6e144 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_protectedby.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_protectedby.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_ProtectedBy` edge represents that a branch protection rule applies to a specific branch. Created by `Git-HoundBranch` when branch protection rules are collected, this edge links protection rules to the branches they govern. Understanding which protections apply to a branch is critical for determining the effective access model — protections such as required reviews, status checks, and push restrictions directly impact who can modify a branch. This edge is consumed by the computed edge functions (`Compute-GitHoundBranchAccess`) to determine effective push access; the computed [GH_CanWriteBranch](/opengraph/extensions/github/edges/gh_canwritebranch) and [GH_CanEditProtection](/opengraph/extensions/github/edges/gh_caneditprotection) edges carry traversability instead.
+The non-traversable `GH_ProtectedBy` edge represents that a branch protection rule applies to a specific branch. This edge links protection rules to the branches they govern. Understanding which protections apply to a branch is critical for determining the effective access model — protections such as required reviews, status checks, and push restrictions directly impact who can modify a branch. This edge is consumed by the computed branch-access edges to determine effective push access; the computed [GH_CanWriteBranch](/opengraph/extensions/github/edges/gh_canwritebranch) and [GH_CanEditProtection](/opengraph/extensions/github/edges/gh_caneditprotection) edges carry traversability instead.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_restrictionscanpush.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_restrictionscanpush.mdx
index 4be127b..25f3ac6 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_restrictionscanpush.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_restrictionscanpush.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_RestrictionsCanPush` edge represents a per-actor allowance that grants push access through push restrictions on a branch protection rule. Created by `Git-HoundBranch` when collecting BPR push allowances, this edge identifies specific users or teams that are permitted to push to the protected branch even when push restrictions are active. This is security-relevant because push restrictions limit who can directly push to a branch, and actors with this allowance bypass that control. Unlike [GH_BypassPullRequestAllowances](/opengraph/extensions/github/edges/gh_bypasspullrequestallowances), this allowance is NOT suppressed by `enforce_admins` — listed actors retain push access regardless of admin enforcement settings.
+The non-traversable `GH_RestrictionsCanPush` edge represents a per-actor allowance that grants push access through push restrictions on a branch protection rule. This edge identifies specific users or teams that are permitted to push to the protected branch even when push restrictions are active. This is security-relevant because push restrictions limit who can directly push to a branch, and actors with this allowance bypass that control. Unlike [GH_BypassPullRequestAllowances](/opengraph/extensions/github/edges/gh_bypasspullrequestallowances), this allowance is NOT suppressed by `enforce_admins` — listed actors retain push access regardless of admin enforcement settings.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_syncedto.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_syncedto.mdx
index 2e661ee..406999e 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_syncedto.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_syncedto.mdx
@@ -11,4 +11,4 @@ Traversable: true
 ## General Information
-The traversable `GH_SyncedTo` edge is a hybrid edge that maps an external IdP user to a GitHub user based on SCIM provisioning. Created by `Git-HoundScimUser` when SCIM data links an external identity to a GitHub account, this edge represents a confirmed identity linkage between an external identity provider and GitHub. It is traversable because compromising the IdP account provides a verified path to the corresponding GitHub account, making it a critical edge for cross-system attack path analysis. This edge enables analysts to trace access from enterprise identity providers like Azure AD, Okta, or PingOne into the GitHub environment.
+The traversable `GH_SyncedTo` edge is a hybrid edge that maps an external IdP user to a GitHub user based on SCIM provisioning. This edge represents a confirmed identity linkage between an external identity provider and GitHub. It is traversable because compromising the IdP account provides a verified path to the corresponding GitHub account, making it a critical edge for cross-system attack path analysis. This edge enables analysts to trace access from enterprise identity providers like Azure AD, Okta, or PingOne into the GitHub environment.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_usessecret.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_usessecret.mdx
index 6cf8a72..7881ff8 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_usessecret.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_usessecret.mdx
@@ -11,14 +11,14 @@ Traversable: false
 ## General Information
-The traversable `GH_UsesSecret` edge links a workflow step to the secret it references via a `${{ secrets.NAME }}` expression. Created by `Parse-GitHoundWorkflow`, this edge reveals which secrets a step can access at runtime, enabling analysts to trace the blast radius of a compromised workflow.
+The traversable `GH_UsesSecret` edge links a workflow step to the secret it references via a `${{ secrets.NAME }}` expression. This edge reveals which secrets a step can access at runtime, enabling analysts to trace the blast radius of a compromised workflow.
 ### Matching strategy
 Edges use `match_by: property` with two matchers to disambiguate between secrets with the same name across repositories:
-- **GH_RepoSecret** is matched by `name` + `repository_id` (the GitHub node_id of the repository).
-- **[GH_OrgSecret](/opengraph/extensions/github/nodes/gh_orgsecret)** is matched by `name` + `environmentid` (the node_id of the organization, which acts as the org-level secret scope).
+- **[GH_RepoSecret](/opengraph/extensions/github/nodes/gh_reposecret)** is matched by `name` + `repository_id` (the GitHub node_id of the repository).
+- **GH_OrgSecret** is matched by `name` + `environmentid` (the node_id of the organization, which acts as the org-level secret scope).
 This means one `${{ secrets.MY_SECRET }}` expression in a workflow can produce up to two `GH_UsesSecret` edges — one to the repo-level secret and one to the org-level secret — reflecting that either could supply the value at runtime depending on scope precedence.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_usesvariable.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_usesvariable.mdx
index 7e593b0..54585de 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_usesvariable.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_usesvariable.mdx
@@ -11,7 +11,7 @@ Traversable: false
 ## General Information
-The non-traversable `GH_UsesVariable` edge links a workflow step to the variable it references via a `${{ vars.NAME }}` expression. Created by `Parse-GitHoundWorkflow`, this edge maps variable consumption within workflows. Unlike secrets, variable values are readable via the API, making them lower sensitivity — but they can still influence workflow behavior (e.g., controlling target environments or feature flags).
+The non-traversable `GH_UsesVariable` edge links a workflow step to the variable it references via a `${{ vars.NAME }}` expression. This edge maps variable consumption within workflows. Unlike secrets, variable values are readable via the API, making them lower sensitivity — but they can still influence workflow behavior (e.g., controlling target environments or feature flags).
 ### Matching strategy
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_validtoken.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_validtoken.mdx
index 9fe912a..0b8f1b9 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_validtoken.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_validtoken.mdx
@@ -11,4 +11,4 @@ Traversable: true
 ## General Information
-The traversable `GH_ValidToken` edge represents a secret scanning alert that contains a valid, active GitHub Personal Access Token belonging to a specific user. Created by `Git-HoundSecretScanningAlert`, this edge is only emitted when the alert's state is `open`, the secret type is `github_personal_access_token`, and the token is confirmed valid by calling the GitHub API. This edge is traversable because possessing the leaked token grants the ability to act as the token's owner, effectively compromising that user's identity and all permissions granted to the token.
+The traversable `GH_ValidToken` edge represents a secret scanning alert that contains a valid, active GitHub Personal Access Token belonging to a specific user. This edge is only emitted when the alert's state is `open`, the secret type is `github_personal_access_token`, and the token is confirmed valid by calling the GitHub API. This edge is traversable because possessing the leaked token grants the ability to act as the token's owner, effectively compromising that user's identity and all permissions granted to the token.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_branchprotectionrule.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_branchprotectionrule.mdx
index 9473522..06955cc 100644
--- a/docs/official-docs/opengraph/extensions/github/nodes/gh_branchprotectionrule.mdx
+++ b/docs/official-docs/opengraph/extensions/github/nodes/gh_branchprotectionrule.mdx
@@ -29,7 +29,7 @@ Branch protection rules are critical security controls. Key settings to review: The only branch protection configuration that blocks the write-access → workflow → secrets exfiltration attack path is `push_restrictions` + `blocks_creations` on a `*` pattern rule. However, users with [GH_PushProtectedBranch](/opengraph/extensions/github/edges/gh_pushprotectedbranch), [GH_AdminTo](/opengraph/extensions/github/edges/gh_adminto), [GH_RestrictionsCanPush](/opengraph/extensions/github/edges/gh_restrictionscanpush), or [GH_EditRepoProtections](/opengraph/extensions/github/edges/gh_editrepoprotections) can bypass this control. -For complete analysis, see [BloodHound Docs: GitHound - Mitigating Controls](/opengraph/extensions/github/mitigating-controls). +For complete analysis, see [BloodHound Docs: GitHub - Mitigating Controls](/opengraph/extensions/github/mitigating-controls). ### Identifying Bypass Actors diff --git a/docs/official-docs/opengraph/extensions/github/queries.mdx b/docs/official-docs/opengraph/extensions/github/queries.mdx index f9dadf5..1816972 100644 --- a/docs/official-docs/opengraph/extensions/github/queries.mdx +++ b/docs/official-docs/opengraph/extensions/github/queries.mdx 
@@ -538,7 +538,7 @@ This query can be imported into BloodHound from the [repos-secret-scanning-disab ## Repos Vulnerable to Workflow Secret Exfiltration -Secrets reachable by users who can create new branches (computed by Compute-GitHoundBranchAccess). The GH_CanCreateBranch edge accounts for branch protection rules, push restrictions, blocks_creations settings, and all bypass mechanisms (admin, push_protected_branch, pushAllowances). Edges emit from RepoRole in the common case; per-actor edges from User/Team are only present when per-rule allowances grant additional access beyond the role. +Secrets reachable by users who can create new branches. The GH_CanCreateBranch edge accounts for branch protection rules, push restrictions, blocks_creations settings, and all bypass mechanisms (admin, push_protected_branch, pushAllowances). Edges emit from RepoRole in the common case; per-actor edges from User/Team are only present when per-rule allowances grant additional access beyond the role. ```cypher MATCH p1=(:GH_User)-[:GH_HasRole|GH_HasBaseRole|GH_MemberOf*1..]->(:GH_RepoRole)-[:GH_CanCreateBranch]->(repo:GH_Repository)-[:GH_HasSecret]->(s) diff --git a/extension/privilege_zone_rules/README.md b/extension/privilege_zone_rules/README.md index cbe753e..f5a3fe1 100644 --- a/extension/privilege_zone_rules/README.md +++ b/extension/privilege_zone_rules/README.md 
@@ -1,6 +1,6 @@ # Privilege Zone Classification Rules -This directory contains Tier Zero (T0) classification rules for GitHub organizations collected by GitHound. These rules identify assets whose compromise grants control over the entire organization or the ability to compromise everything else. +This directory contains Tier Zero (T0) classification rules for GitHub organizations. These rules identify assets whose compromise grants control over the entire organization or the ability to compromise everything else. For the full rationale and classification methodology, see [Documentation/TIER_ZERO.md](../Documentation/TIER_ZERO.md). diff --git a/extension/saved_searches/README.md b/extension/saved_searches/README.md index 9a4450d..f7416b6 100644 --- a/extension/saved_searches/README.md +++ b/extension/saved_searches/README.md @@ -1,4 +1,4 @@ -# GitHound Saved Queries +# Saved Queries Pre-built Cypher queries for identifying security-relevant configurations across your GitHub organization. Each query is stored as an individual JSON file with `name`, `query`, and `description` fields, designed to be imported into BloodHound's saved queries feature. diff --git a/extension/saved_searches/repos-vulnerable-to-workflow-secret-exfil.json b/extension/saved_searches/repos-vulnerable-to-workflow-secret-exfil.json index c98b364..55f0a4e 100644 --- a/extension/saved_searches/repos-vulnerable-to-workflow-secret-exfil.json +++ b/extension/saved_searches/repos-vulnerable-to-workflow-secret-exfil.json 
@@ -1,5 +1,5 @@
 {
 "name": "GitHub: Repos Vulnerable to Workflow Secret Exfiltration",
 "query": "MATCH p1=(:GH_User)-[:GH_HasRole|GH_HasBaseRole|GH_MemberOf*1..]->(:GH_RepoRole)-[:GH_CanCreateBranch]->(repo:GH_Repository)-[:GH_HasSecret]->(s)\nWHERE (s:GH_RepoSecret\nOR s:GH_OrgSecret)\nOPTIONAL MATCH p2=(repo)<-[:GH_CanCreateBranch]-(:GH_User)\nOPTIONAL MATCH p3=(repo)<-[:GH_CanCreateBranch]-(:GH_Team)<-[:GH_HasRole|GH_MemberOf|GH_AddMember*1..]-(:GH_User)\nRETURN p1, p2, p3\nLIMIT 1000",
- "description": "Secrets reachable by users who can create new branches (computed by Compute-GitHoundBranchAccess). The GH_CanCreateBranch edge accounts for branch protection rules, push restrictions, blocks_creations settings, and all bypass mechanisms (admin, push_protected_branch, pushAllowances). Edges emit from RepoRole in the common case; per-actor edges from User/Team are only present when per-rule allowances grant additional access beyond the role."
+ "description": "Secrets reachable by users who can create new branches. The GH_CanCreateBranch edge accounts for branch protection rules, push restrictions, blocks_creations settings, and all bypass mechanisms (admin, push_protected_branch, pushAllowances). Edges emit from RepoRole in the common case; per-actor edges from User/Team are only present when per-rule allowances grant additional access beyond the role."
 }
From 319ad4db4968428d488520c05a582bdd29b5e494 Mon Sep 17 00:00:00 2001
From: JonasBK
Date: Wed, 15 Apr 2026 09:26:09 +0200
Subject: [PATCH 08/16] fix missing word in query description
---
 docs/official-docs/opengraph/extensions/github/queries.mdx | 2 +-
 extension/saved_searches/org-owners.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/official-docs/opengraph/extensions/github/queries.mdx b/docs/official-docs/opengraph/extensions/github/queries.mdx
index 1816972..7a5319a 100644
--- a/docs/official-docs/opengraph/extensions/github/queries.mdx
+++ b/docs/official-docs/opengraph/extensions/github/queries.mdx @@ -403,7 +403,7 @@ This query can be imported into BloodHound from the [members-can-invite-outside- ## Organization Owners -Returns all users hold the organization owners role. +Returns all users who hold the organization owners role. ```cypher MATCH p=(:GH_User)-[:GH_HasRole]->(:GH_OrgRole {short_name:'owners'}) diff --git a/extension/saved_searches/org-owners.json b/extension/saved_searches/org-owners.json index 0559270..1ea106d 100644 --- a/extension/saved_searches/org-owners.json +++ b/extension/saved_searches/org-owners.json @@ -1,5 +1,5 @@ { "name": "GitHub: Organization Owners", "query": "MATCH p=(:GH_User)-[:GH_HasRole]->(:GH_OrgRole {short_name:'owners'})\nRETURN p\nLIMIT 1000", - "description": "Returns all users hold the organization owners role." + "description": "Returns all users who hold the organization owners role." } From 64a2db3e3e4e34779b167db8d9c24172543726c3 Mon Sep 17 00:00:00 2001 From: JonasBK Date: Wed, 15 Apr 2026 09:37:46 +0200 Subject: [PATCH 09/16] add zone to pz rules output file --- .../github/privilege-zone-rules.mdx | 22 +++++++++++++++++++ docs/og-docs-automation | 2 +- 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/docs/official-docs/opengraph/extensions/github/privilege-zone-rules.mdx b/docs/official-docs/opengraph/extensions/github/privilege-zone-rules.mdx index 7f0c33c..900b5a4 100644 --- a/docs/official-docs/opengraph/extensions/github/privilege-zone-rules.mdx +++ b/docs/official-docs/opengraph/extensions/github/privilege-zone-rules.mdx 
@@ -14,6 +14,8 @@ This file is automatically generated from the [JSON Privilege Zone rule files](h The synthetic all_repo_admin role grants admin access to every repository in the organization. This role is inherited by the owners role via GH_HasBaseRole and cascades admin permissions including branch protection editing, secret access, and deploy key management to all repositories. +Zone: Tier Zero + ```cypher MATCH (n:GH_OrgRole) WHERE n.name ENDS @@ -27,6 +29,8 @@ This rule is defined in the [t0-all-repo-admin-role.json](https://github.com/Spe GitHub App installations scoped to all repositories in the organization that have at least one write permission. A compromised app credential grants write access to every repository. Installations with only read permissions are excluded — they pose a data exfiltration risk but do not grant control over the organization. +Zone: Tier Zero + ```cypher MATCH (n:GH_AppInstallation {repository_selection:'all'}) WHERE n.permissions CONTAINS '"write"' @@ -39,6 +43,8 @@ This rule is defined in the [t0-app-installations-all-repos.json](https://github GitHub App definitions whose installations have write access to all repositories. The app owner controls the private key that can generate tokens for any installation. Compromise of the app's private key grants write access to every repository in organizations where it is installed. Apps whose installations have only read permissions are excluded. +Zone: Tier Zero + ```cypher MATCH (n:GH_App)-[:GH_InstalledAs]->(i:GH_AppInstallation {repository_selection:'all'}) WHERE i.permissions CONTAINS '"write"' 
@@ -51,6 +57,8 @@ This rule is defined in the [t0-apps-all-repos.json](https://github.com/SpecterO External identities from SAML/SCIM providers that map to GitHub users holding the owners role. Compromise of these external identities in the identity provider grants organizational owner access to GitHub via SSO. +Zone: Tier Zero + ```cypher MATCH (n:GH_ExternalIdentity)-[:GH_MapsToUser]->(:GH_User)-[:GH_HasRole]->(:GH_OrgRole {short_name:'owners'}) RETURN n @@ -62,6 +70,8 @@ This rule is defined in the [t0-external-identities-owners.json](https://github. GitHub organizations are the root trust boundary for all repositories, teams, users, and settings. Compromise of the organization grants full administrative control over all contained assets. +Zone: Tier Zero + ```cypher MATCH (n:GH_Organization) RETURN n @@ -73,6 +83,8 @@ This rule is defined in the [t0-organizations.json](https://github.com/SpecterOp Users who hold the organization owners role have full administrative control over the GitHub organization. Compromise of any owner account grants control over all repositories, secrets, SSO configuration, and cloud identities. +Zone: Tier Zero + ```cypher MATCH (n:GH_User)-[:GH_HasRole]->(:GH_OrgRole {short_name:'owners'}) RETURN n @@ -84,6 +96,8 @@ This rule is defined in the [t0-owner-users.json](https://github.com/SpecterOps/ The owners organization role grants full administrative control including all repository admin, member management, SSO configuration, app management, and billing. Owners inherit all_repo_admin, cascading admin access to every repository, secret, environment, and cloud identity in the organization. +Zone: Tier Zero + ```cypher MATCH (n:GH_OrgRole {short_name:'owners'}) RETURN n 
@@ -95,6 +109,8 @@ This rule is defined in the [t0-owners-role.json](https://github.com/SpecterOps/ Fine-grained personal access tokens scoped to all repositories in the organization that have at least one write permission. A single compromised token grants write access to every repository. PATs with only read permissions are excluded — they pose a data exfiltration risk but do not grant control over the organization. +Zone: Tier Zero + ```cypher MATCH (n:GH_PersonalAccessToken {repository_selection:'all'}) WHERE n.permissions CONTAINS '"write"' @@ -107,6 +123,8 @@ This rule is defined in the [t0-pats-all-repos.json](https://github.com/SpecterO Custom organization roles with write_organization_custom_org_role permission can modify organization role definitions, including setting the base_role to inherit all_repo_admin. Since this permission only exists on custom organization roles, the holder can escalate the role they already hold — a guaranteed self-escalation path to full organizational control. +Zone: Tier Zero + ```cypher MATCH (n:GH_OrgRole)-[:GH_WriteOrganizationCustomOrgRole]->(:GH_Organization) RETURN n @@ -118,6 +136,8 @@ This rule is defined in the [t0-privilege-escalation-roles.json](https://github. Users who hold custom organization roles with write_organization_custom_org_role permission. These users can modify organization role definitions — including the role they hold — to set the base_role to all_repo_admin, granting themselves admin access to every repository in the organization. +Zone: Tier Zero + ```cypher MATCH (n:GH_User)-[:GH_HasRole|GH_HasBaseRole*1..]->(:GH_OrgRole)-[:GH_WriteOrganizationCustomOrgRole]->(:GH_Organization) RETURN n 
@@ -129,6 +149,8 @@ This rule is defined in the [t0-privilege-escalation-users.json](https://github. SAML identity providers control authentication for all organization members via SSO. Compromise of the identity provider grants the ability to impersonate any user, including organization owners, by manipulating SAML assertions or resetting credentials. +Zone: Tier Zero + ```cypher MATCH (n:GH_SamlIdentityProvider) RETURN n diff --git a/docs/og-docs-automation b/docs/og-docs-automation index b8dd9d8..d2165a8 160000 --- a/docs/og-docs-automation +++ b/docs/og-docs-automation @@ -1 +1 @@ -Subproject commit b8dd9d861231c4858b78b8df134d5a2cad7ba200 +Subproject commit d2165a85734c92d0b7d8f61c2e0cf28437b653c9 From 8615bf81dfa659bbbd4f0228c1740e874a5ad3e2 Mon Sep 17 00:00:00 2001 From: JonasBK Date: Wed, 15 Apr 2026 09:39:56 +0200 Subject: [PATCH 10/16] fix GH_Uses* edge descriptions --- .../opengraph/extensions/github/edges/gh_usessecret.mdx | 4 ++-- .../opengraph/extensions/github/edges/gh_usesvariable.mdx | 6 +++--- docs/official-docs/opengraph/extensions/github/schema.mdx | 6 +++--- extension/schema.json | 8 ++++---- 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_usessecret.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_usessecret.mdx index 7881ff8..262d11d 100644 --- a/docs/official-docs/opengraph/extensions/github/edges/gh_usessecret.mdx +++ b/docs/official-docs/opengraph/extensions/github/edges/gh_usessecret.mdx @@ -1,6 +1,6 @@ --- title: 'GH_UsesSecret' -description: '[Workflow] Step references a secret by name — GH_WorkflowStep → GH_Secret (name match)' +description: '[Workflow] Step references a secret by name — GH_WorkflowStep → GH_RepoSecret / GH_OrgSecret (name match)' --- Applies to BloodHound Enterprise and CE 
@@ -18,7 +18,7 @@ The traversable `GH_UsesSecret` edge links a workflow step to the secret it refe Edges use `match_by: property` with two matchers to disambiguate between secrets with the same name across repositories: - **[GH_RepoSecret](/opengraph/extensions/github/nodes/gh_reposecret)** is matched by `name` + `repository_id` (the GitHub node_id of the repository). -- **GH_OrgSecret** is matched by `name` + `environmentid` (the node_id of the organization, which acts as the org-level secret scope). +- **[GH_OrgSecret](/opengraph/extensions/github/nodes/gh_orgsecret)** is matched by `name` + `environmentid` (the node_id of the organization, which acts as the org-level secret scope). This means one `${{ secrets.MY_SECRET }}` expression in a workflow can produce up to two `GH_UsesSecret` edges — one to the repo-level secret and one to the org-level secret — reflecting that either could supply the value at runtime depending on scope precedence. diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_usesvariable.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_usesvariable.mdx index 54585de..5fc3a65 100644 --- a/docs/official-docs/opengraph/extensions/github/edges/gh_usesvariable.mdx +++ b/docs/official-docs/opengraph/extensions/github/edges/gh_usesvariable.mdx @@ -1,6 +1,6 @@ --- title: 'GH_UsesVariable' -description: '[Workflow] Step references a variable by name — GH_WorkflowStep → GH_Variable (name match)' +description: '[Workflow] Step references a variable by name — GH_WorkflowStep → GH_RepoVariable / GH_OrgVariable (name match)' --- Applies to BloodHound Enterprise and CE 
@@ -17,8 +17,8 @@ The non-traversable `GH_UsesVariable` edge links a workflow step to the variable Edges use `match_by: property` with two matchers to disambiguate between variables with the same name across repositories: -- **GH_RepoVariable** is matched by `name` + `repository_id` (the GitHub node_id of the repository). -- **GH_OrgVariable** is matched by `name` + `environmentid` (the node_id of the organization, which acts as the org-level variable scope). +- **[GH_RepoVariable](/opengraph/extensions/github/nodes/gh_repovariable)** is matched by `name` + `repository_id` (the GitHub node_id of the repository). +- **[GH_OrgVariable](/opengraph/extensions/github/nodes/gh_orgvariable)** is matched by `name` + `environmentid` (the node_id of the organization, which acts as the org-level variable scope). This means one `${{ vars.MY_VAR }}` expression can produce up to two `GH_UsesVariable` edges — one to the repo-level variable and one to the org-level variable. diff --git a/docs/official-docs/opengraph/extensions/github/schema.mdx b/docs/official-docs/opengraph/extensions/github/schema.mdx index 3b28d00..b283a78 100644 --- a/docs/official-docs/opengraph/extensions/github/schema.mdx +++ b/docs/official-docs/opengraph/extensions/github/schema.mdx @@ -9,7 +9,7 @@ icon: circle-nodes **Name:** SOGitHub
**Display Name:** GitHub Extension (by SpecterOps)
-**Version:** v1.2.1
+**Version:** v1.2.2
**Namespace:** GH
**Environment Kind:** GH_Organization
**Source Kind:** GitHub @@ -153,8 +153,8 @@ This file is automatically generated from the [extension schema definition file] | [GH_ToggleDiscussionAnswer](/opengraph/extensions/github/edges/gh_togglediscussionanswer) | ❌ | [Repository] Repo role can toggle discussion answers | | [GH_ToggleDiscussionCommentMinimize](/opengraph/extensions/github/edges/gh_togglediscussioncommentminimize) | ❌ | [Repository] Repo role can minimize discussion comments | | [GH_TransferRepository](/opengraph/extensions/github/edges/gh_transferrepository) | ❌ | [Organization] Org role can transfer repositories | -| [GH_UsesSecret](/opengraph/extensions/github/edges/gh_usessecret) | ❌ | [Workflow] Step references a secret by name — GH_WorkflowStep → GH_Secret (name match) | -| [GH_UsesVariable](/opengraph/extensions/github/edges/gh_usesvariable) | ❌ | [Workflow] Step references a variable by name — GH_WorkflowStep → GH_Variable (name match) | +| [GH_UsesSecret](/opengraph/extensions/github/edges/gh_usessecret) | ❌ | [Workflow] Step references a secret by name — GH_WorkflowStep → GH_RepoSecret / GH_OrgSecret (name match) | +| [GH_UsesVariable](/opengraph/extensions/github/edges/gh_usesvariable) | ❌ | [Workflow] Step references a variable by name — GH_WorkflowStep → GH_RepoVariable / GH_OrgVariable (name match) | | [GH_ValidToken](/opengraph/extensions/github/edges/gh_validtoken) | ✅ | Secret scanning alert contains a valid, active token belonging to this user | | [GH_ViewDependabotAlerts](/opengraph/extensions/github/edges/gh_viewdependabotalerts) | ❌ | [Repository] Repo role can view Dependabot alerts | | [GH_ViewSecretScanningAlerts](/opengraph/extensions/github/edges/gh_viewsecretscanningalerts) | ❌ | [Repository] Role can view secret scanning alerts | diff --git a/extension/schema.json b/extension/schema.json index 0737048..b0d2b87 100644 --- a/extension/schema.json +++ b/extension/schema.json 
@@ -2,7 +2,7 @@
 "schema": {
 "name": "SOGitHub",
 "display_name": "GitHub Extension (by SpecterOps)",
- "version": "v1.2.1",
+ "version": "v1.2.2",
 "namespace": "GH"
 },
 "node_kinds": [
@@ -778,12 +778,12 @@
 },
 {
 "name": "GH_UsesSecret",
- "description": "[Workflow] Step references a secret by name — GH_WorkflowStep → GH_Secret (name match)",
+ "description": "[Workflow] Step references a secret by name — GH_WorkflowStep → GH_RepoSecret / GH_OrgSecret (name match)",
 "is_traversable": false
 },
 {
 "name": "GH_UsesVariable",
- "description": "[Workflow] Step references a variable by name — GH_WorkflowStep → GH_Variable (name match)",
+ "description": "[Workflow] Step references a variable by name — GH_WorkflowStep → GH_RepoVariable / GH_OrgVariable (name match)",
 "is_traversable": false
 }
 ],
@@ -801,4 +801,4 @@
 }
 ],
 "relationship_findings": []
-}
\ No newline at end of file
+}
From ce2d051367d184ecd72dbe537e581ff6a87db68e Mon Sep 17 00:00:00 2001
From: JonasBK
Date: Wed, 15 Apr 2026 13:06:33 +0200
Subject: [PATCH 11/16] schema description wording
---
 docs/official-docs/opengraph/extensions/github/schema.mdx | 4 ++--
 docs/og-docs-automation | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/docs/official-docs/opengraph/extensions/github/schema.mdx b/docs/official-docs/opengraph/extensions/github/schema.mdx
index b283a78..5aa91f8 100644
--- a/docs/official-docs/opengraph/extensions/github/schema.mdx
+++ b/docs/official-docs/opengraph/extensions/github/schema.mdx
@@ -1,6 +1,6 @@
 ---
 title: Schema
-description: GitHub extension definition schema
+description: GitHub extension schema definition
 icon: circle-nodes
 ---
 
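Review bot: `"is_traversable": false` for GH_UsesSecret is left unchanged in the second hunk, yet the edge's own page in the same commit (the gh_usessecret.mdx hunk above) still opens with "The traversable `GH_UsesSecret` edge", so the schema and the description disagree on traversability while the commit only reconciles the target-kind wording. The GH_UsesVariable entry and its page agree on "non-traversable", which suggests the secret page is the stale one, but that is an inference from this patch rather than something it states. If non-traversable edges are excluded from path finding, as the page's own wording for GH_ValidToken implies, this decides whether a workflow step that references a secret ever appears on a path to that secret, so `is_traversable` and the prose should be settled together rather than in a later commit. A short `"description"`-adjacent note in the schema is not possible in strict JSON, so the reconciliation belongs in the mdx text.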
@@ -166,4 +166,4 @@ This file is automatically generated from the [extension schema definition file] | [GH_WriteOrganizationCustomRepoRole](/opengraph/extensions/github/edges/gh_writeorganizationcustomreporole) | ❌ | [Organization] Org role can write custom repo role definitions | | [GH_WriteOrganizationNetworkConfigurations](/opengraph/extensions/github/edges/gh_writeorganizationnetworkconfigurations) | ❌ | [Organization] Org role can write network configurations | | [GH_WriteRepoContents](/opengraph/extensions/github/edges/gh_writerepocontents) | ❌ | [Repository] Repo role can write repository contents | -| [GH_WriteRepoPullRequests](/opengraph/extensions/github/edges/gh_writerepopullrequests) | ❌ | [Repository] Repo role can create and merge pull requests | +| [GH_WriteRepoPullRequests](/opengraph/extensions/github/edges/gh_writerepopullrequests) | ❌ | [Repository] Repo role can create and merge pull requests | diff --git a/docs/og-docs-automation b/docs/og-docs-automation index d2165a8..400bd30 160000 --- a/docs/og-docs-automation +++ b/docs/og-docs-automation @@ -1 +1 @@ -Subproject commit d2165a85734c92d0b7d8f61c2e0cf28437b653c9 +Subproject commit 400bd3010e6b106b77991ad6eb2eb586cb627862 From 7a3c0c36f6a2712f4b1b15933fedd5da9d1c51ba Mon Sep 17 00:00:00 2001 From: JonasBK Date: Wed, 15 Apr 2026 20:44:38 +0200 Subject: [PATCH 12/16] fix cypher query --- docs/official-docs/opengraph/extensions/github/queries.mdx | 1 + docs/official-docs/opengraph/extensions/github/schema.mdx | 2 +- .../unprotected-default-branch-with-workflow.json | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/official-docs/opengraph/extensions/github/queries.mdx b/docs/official-docs/opengraph/extensions/github/queries.mdx index 7a5319a..a9dc114 100644 --- a/docs/official-docs/opengraph/extensions/github/queries.mdx +++ b/docs/official-docs/opengraph/extensions/github/queries.mdx 
@@ -661,6 +661,7 @@ Returns all repositories that have GitHub Actions workflows and an unprotected d MATCH p=(repo:GH_Repository)-[:GH_HasWorkflow]->(:GH_Workflow) MATCH p1=(repo)-[:GH_HasBranch]->(branch:GH_Branch) WHERE repo.default_branch = branch.short_name +AND branch.protected = false RETURN p1 LIMIT 1000 ``` diff --git a/docs/official-docs/opengraph/extensions/github/schema.mdx b/docs/official-docs/opengraph/extensions/github/schema.mdx index 5aa91f8..8c13358 100644 --- a/docs/official-docs/opengraph/extensions/github/schema.mdx +++ b/docs/official-docs/opengraph/extensions/github/schema.mdx @@ -166,4 +166,4 @@ This file is automatically generated from the [extension schema definition file] | [GH_WriteOrganizationCustomRepoRole](/opengraph/extensions/github/edges/gh_writeorganizationcustomreporole) | ❌ | [Organization] Org role can write custom repo role definitions | | [GH_WriteOrganizationNetworkConfigurations](/opengraph/extensions/github/edges/gh_writeorganizationnetworkconfigurations) | ❌ | [Organization] Org role can write network configurations | | [GH_WriteRepoContents](/opengraph/extensions/github/edges/gh_writerepocontents) | ❌ | [Repository] Repo role can write repository contents | -| [GH_WriteRepoPullRequests](/opengraph/extensions/github/edges/gh_writerepopullrequests) | ❌ | [Repository] Repo role can create and merge pull requests | +| [GH_WriteRepoPullRequests](/opengraph/extensions/github/edges/gh_writerepopullrequests) | ❌ | [Repository] Repo role can create and merge pull requests | diff --git a/extension/saved_searches/unprotected-default-branch-with-workflow.json b/extension/saved_searches/unprotected-default-branch-with-workflow.json index 51af78b..70de2fb 100644 --- a/extension/saved_searches/unprotected-default-branch-with-workflow.json +++ b/extension/saved_searches/unprotected-default-branch-with-workflow.json 
@@ -1,5 +1,5 @@
 {
 "name": "GitHub: Repositories with Workflows and Unprotected Default Branch",
- "query": "MATCH p=(repo:GH_Repository)-[:GH_HasWorkflow]->(:GH_Workflow)\nMATCH p1=(repo)-[:GH_HasBranch]->(branch:GH_Branch)\nWHERE repo.default_branch = branch.short_name\nRETURN p1\nLIMIT 1000",
+ "query": "MATCH p=(repo:GH_Repository)-[:GH_HasWorkflow]->(:GH_Workflow)\nMATCH p1=(repo)-[:GH_HasBranch]->(branch:GH_Branch)\nWHERE repo.default_branch = branch.short_name\nAND branch.protected = false\nRETURN p1\nLIMIT 1000",
 "description": "Returns all repositories that have GitHub Actions workflows and an unprotected default branch. This means that users with GH_WriteRepoContents to the Repository can overwrite or change the workflow."
 }
From 3348bcc1510401da28c382107b8f9f414888f464 Mon Sep 17 00:00:00 2001
From: JonasBK
Date: Wed, 15 Apr 2026 20:53:16 +0200
Subject: [PATCH 13/16] rm privilege_zone_rules/README.md
---
 extension/privilege_zone_rules/README.md | 42 ------------------------
 1 file changed, 42 deletions(-)
 delete mode 100644 extension/privilege_zone_rules/README.md
diff --git a/extension/privilege_zone_rules/README.md b/extension/privilege_zone_rules/README.md
deleted file mode 100644
index f5a3fe1..0000000
--- a/extension/privilege_zone_rules/README.md
+++ /dev/null
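Review bot: The added predicate `AND branch.protected = false` silently drops any GH_Branch node whose `protected` property is absent or null, because in Cypher `null = false` evaluates to null and the WHERE clause then excludes the row; a default branch with no recorded protection state disappears from an "unprotected" finding instead of being surfaced. Whether collection can leave `protected` unset is not visible from this patch, but for a detection query the safer direction is to treat unknown as unprotected, e.g. `\nAND coalesce(branch.protected, false) = false\n`. The queries.mdx hunk from the same commit carries the identical change and should be kept in step with whatever is chosen here. It would also help readers if the `description` named the property the query relies on, for example appending "Branches are selected on `branch.protected = false`."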
@@ -1,42 +0,0 @@ -# Privilege Zone Classification Rules - -This directory contains Tier Zero (T0) classification rules for GitHub organizations. These rules identify assets whose compromise grants control over the entire organization or the ability to compromise everything else. - -For the full rationale and classification methodology, see [Documentation/TIER_ZERO.md](../Documentation/TIER_ZERO.md). - -## Rule Format - -Each rule is a JSON file with the following schema: - -| Field | Type | Description | -|-------|------|-------------| -| `name` | string | Display name prefixed with `GitHub: Tier Zero` | -| `description` | string | Explanation of why this asset is T0 | -| `cypher` | string | Cypher query that returns nodes to classify as T0 | -| `enabled` | boolean | Whether the rule is active | -| `allow_disable` | boolean | Whether the rule can be disabled by the user | - -All rules use `RETURN n` (returning individual nodes for classification) rather than `RETURN p` (returning paths for visualization). 
- -## Rules - -### Control Plane — Organizational Authority - -| Rule | File | Description | -|------|------|-------------| -| Tier Zero Organizations | [t0-organizations.json](t0-organizations.json) | The organization itself — root trust boundary | -| Tier Zero Owners Role | [t0-owners-role.json](t0-owners-role.json) | The owners org role — full administrative control | -| Tier Zero Owner Users | [t0-owner-users.json](t0-owner-users.json) | Users holding the owners role | -| Tier Zero SAML Identity Providers | [t0-saml-identity-providers.json](t0-saml-identity-providers.json) | SAML IdP — controls SSO authentication | -| Tier Zero External Identities (Owner-Mapped) | [t0-external-identities-owners.json](t0-external-identities-owners.json) | IdP identities mapped to org owners | -| Tier Zero Privilege Escalation Roles | [t0-privilege-escalation-roles.json](t0-privilege-escalation-roles.json) | Custom roles with `write_organization_custom_org_role` — guaranteed self-escalation to all_repo_admin | -| Tier Zero Privilege Escalation Users | [t0-privilege-escalation-users.json](t0-privilege-escalation-users.json) | Users holding privilege escalation roles | - -### Data Plane — Universal Repository Access - -| Rule | File | Description | -|------|------|-------------| -| Tier Zero All-Repo Admin Role | [t0-all-repo-admin-role.json](t0-all-repo-admin-role.json) | Synthetic role granting admin on every repository | -| Tier Zero App Installations (All Repositories) | [t0-app-installations-all-repos.json](t0-app-installations-all-repos.json) | App installations scoped to all repositories | -| Tier Zero Apps (All-Repository Installations) | [t0-apps-all-repos.json](t0-apps-all-repos.json) | App definitions with all-repository installations | -| Tier Zero PATs (All Repositories) | [t0-pats-all-repos.json](t0-pats-all-repos.json) | Personal access tokens scoped to all repositories | From 683de80121af4f2fec1276158c3f0ee6c8acc874 Mon Sep 17 00:00:00 2001 
From: JonasBK
Date: Fri, 17 Apr 2026 10:54:13 +0200
Subject: [PATCH 14/16] rm backticks around nodes and edges
---
descriptions/edges/GH_AddAssignee.md | 2 +-
descriptions/edges/GH_AddCollaborator.md | 2 +-
descriptions/edges/GH_AddLabel.md | 2 +-
descriptions/edges/GH_AddMember.md | 2 +-
descriptions/edges/GH_AdminTo.md | 2 +-
.../edges/GH_BypassBranchProtection.md | 2 +-
.../edges/GH_BypassPullRequestAllowances.md | 2 +-
descriptions/edges/GH_CallsWorkflow.md | 2 +-
descriptions/edges/GH_CanAccess.md | 2 +-
descriptions/edges/GH_CanAssumeIdentity.md | 2 +-
descriptions/edges/GH_CanCreateBranch.md | 6 +++---
descriptions/edges/GH_CanEditProtection.md | 6 +++---
descriptions/edges/GH_CanPwnRequest.md | 10 +++++-----
.../edges/GH_CanReadSecretScanningAlert.md | 6 +++---
descriptions/edges/GH_CanWriteBranch.md | 6 +++---
descriptions/edges/GH_CloseDiscussion.md | 2 +-
descriptions/edges/GH_CloseIssue.md | 2 +-
descriptions/edges/GH_ClosePullRequest.md | 2 +-
descriptions/edges/GH_Contains.md | 2 +-
.../edges/GH_ConvertIssuesToDiscussions.md | 2 +-
.../edges/GH_CreateDiscussionCategory.md | 2 +-
descriptions/edges/GH_CreateRepository.md | 2 +-
.../edges/GH_CreateSoloMergeQueueEntry.md | 2 +-
descriptions/edges/GH_CreateTag.md | 2 +-
descriptions/edges/GH_CreateTeam.md | 2 +-
.../edges/GH_DeleteAlertsCodeScanning.md | 2 +-
descriptions/edges/GH_DeleteDiscussion.md | 2 +-
.../edges/GH_DeleteDiscussionComment.md | 2 +-
descriptions/edges/GH_DeleteIssue.md | 2 +-
descriptions/edges/GH_DeleteTag.md | 2 +-
descriptions/edges/GH_DependsOn.md | 2 +-
descriptions/edges/GH_DeploysTo.md | 2 +-
.../edges/GH_EditCategoryOnDiscussion.md | 2 +-
.../edges/GH_EditDiscussionCategory.md | 2 +-
descriptions/edges/GH_EditDiscussionComment.md | 2 +-
.../edges/GH_EditRepoAnnouncementBanners.md | 2 +-
.../edges/GH_EditRepoCustomPropertiesValues.md | 2 +-
descriptions/edges/GH_EditRepoMetadata.md | 2 +-
descriptions/edges/GH_EditRepoProtections.md | 2 +-
descriptions/edges/GH_HasBaseRole.md | 2 +-
descriptions/edges/GH_HasBranch.md | 2 +-
descriptions/edges/GH_HasEnvironment.md | 2 +-
descriptions/edges/GH_HasExternalIdentity.md | 2 +-
descriptions/edges/GH_HasJob.md | 2 +-
descriptions/edges/GH_HasMember.md | 2 +-
.../edges/GH_HasPersonalAccessToken.md | 2 +-
.../edges/GH_HasPersonalAccessTokenRequest.md | 2 +-
descriptions/edges/GH_HasRole.md | 2 +-
.../edges/GH_HasSamlIdentityProvider.md | 2 +-
descriptions/edges/GH_HasSecret.md | 2 +-
descriptions/edges/GH_HasStep.md | 2 +-
descriptions/edges/GH_HasVariable.md | 2 +-
descriptions/edges/GH_HasWorkflow.md | 2 +-
descriptions/edges/GH_InstalledAs.md | 2 +-
descriptions/edges/GH_InviteMember.md | 2 +-
descriptions/edges/GH_JumpMergeQueue.md | 2 +-
descriptions/edges/GH_ManageDeployKeys.md | 2 +-
.../edges/GH_ManageDiscussionBadges.md | 2 +-
.../edges/GH_ManageOrganizationWebhooks.md | 2 +-
.../edges/GH_ManageRepoSecurityProducts.md | 2 +-
.../edges/GH_ManageSecurityProducts.md | 2 +-
.../edges/GH_ManageSettingsMergeTypes.md | 2 +-
descriptions/edges/GH_ManageSettingsPages.md | 2 +-
.../edges/GH_ManageSettingsProjects.md | 2 +-
descriptions/edges/GH_ManageSettingsWiki.md | 2 +-
descriptions/edges/GH_ManageTopics.md | 2 +-
descriptions/edges/GH_ManageWebhooks.md | 2 +-
descriptions/edges/GH_MapsToUser.md | 2 +-
descriptions/edges/GH_MarkAsDuplicate.md | 2 +-
descriptions/edges/GH_MemberOf.md | 2 +-
...H_OrgBypassCodeScanningDismissalRequests.md | 2 +-
...H_OrgBypassSecretScanningClosureRequests.md | 2 +-
...iewAndManageSecretScanningBypassRequests.md | 2 +-
...ewAndManageSecretScanningClosureRequests.md | 2 +-
descriptions/edges/GH_Owns.md | 2 +-
descriptions/edges/GH_ProtectedBy.md | 2 +-
descriptions/edges/GH_PushProtectedBranch.md | 2 +-
descriptions/edges/GH_ReadCodeScanning.md | 2 +-
.../GH_ReadOrganizationActionsUsageMetrics.md | 2 +-
.../edges/GH_ReadOrganizationCustomOrgRole.md | 2 +-
.../edges/GH_ReadOrganizationCustomRepoRole.md | 2 +-
descriptions/edges/GH_ReadRepoContents.md | 2 +-
descriptions/edges/GH_RemoveAssignee.md | 2 +-
descriptions/edges/GH_RemoveLabel.md | 2 +-
descriptions/edges/GH_ReopenDiscussion.md | 2 +-
descriptions/edges/GH_ReopenIssue.md | 2 +-
descriptions/edges/GH_ReopenPullRequest.md | 2 +-
descriptions/edges/GH_RequestPrReview.md | 2 +-
.../edges/GH_ResolveDependabotAlerts.md | 2 +-
.../edges/GH_ResolveSecretScanningAlerts.md | 2 +-
descriptions/edges/GH_RestrictionsCanPush.md | 2 +-
descriptions/edges/GH_RunOrgMigration.md | 2 +-
descriptions/edges/GH_SetInteractionLimits.md | 2 +-
descriptions/edges/GH_SetIssueType.md | 2 +-
descriptions/edges/GH_SetMilestone.md | 2 +-
descriptions/edges/GH_SetSocialPreview.md | 2 +-
descriptions/edges/GH_SyncedTo.md | 2 +-
.../edges/GH_ToggleDiscussionAnswer.md | 2 +-
.../GH_ToggleDiscussionCommentMinimize.md | 2 +-
descriptions/edges/GH_TransferRepository.md | 2 +-
descriptions/edges/GH_UsesSecret.md | 4 ++--
descriptions/edges/GH_UsesVariable.md | 4 ++--
descriptions/edges/GH_ValidToken.md | 2 +-
descriptions/edges/GH_ViewDependabotAlerts.md | 2 +-
.../edges/GH_ViewSecretScanningAlerts.md | 2 +-
descriptions/edges/GH_WriteCodeScanning.md | 2 +-
.../GH_WriteOrganizationActionsSecrets.md | 2 +-
.../GH_WriteOrganizationActionsSettings.md | 2 +-
.../GH_WriteOrganizationActionsVariables.md | 2 +-
.../edges/GH_WriteOrganizationCustomOrgRole.md | 2 +-
.../GH_WriteOrganizationCustomRepoRole.md | 2 +-
...H_WriteOrganizationNetworkConfigurations.md | 2 +-
descriptions/edges/GH_WriteRepoContents.md | 2 +-
descriptions/edges/GH_WriteRepoPullRequests.md | 2 +-
descriptions/nodes/GH_App.md | 2 +-
descriptions/nodes/GH_AppInstallation.md | 2 +-
descriptions/nodes/GH_Branch.md | 2 +-
descriptions/nodes/GH_BranchProtectionRule.md | 18 +++++++++---------
descriptions/nodes/GH_OrgSecret.md | 2 +-
descriptions/nodes/GH_OrgVariable.md | 2 +-
descriptions/nodes/GH_Repository.md | 2 +-
.../extensions/github/edges/gh_addassignee.mdx | 2 +-
.../github/edges/gh_addcollaborator.mdx | 2 +-
.../extensions/github/edges/gh_addlabel.mdx | 2 +-
.../extensions/github/edges/gh_addmember.mdx | 2 +-
.../extensions/github/edges/gh_adminto.mdx | 2 +-
.../github/edges/gh_bypassbranchprotection.mdx | 2 +-
.../edges/gh_bypasspullrequestallowances.mdx | 2 +-
.../github/edges/gh_callsworkflow.mdx | 2 +-
.../extensions/github/edges/gh_canaccess.mdx | 2 +-
.../github/edges/gh_canassumeidentity.mdx | 2 +-
.../github/edges/gh_cancreatebranch.mdx | 4 ++--
.../github/edges/gh_caneditprotection.mdx | 2 +-
.../github/edges/gh_canpwnrequest.mdx | 4 ++--
.../edges/gh_canreadsecretscanningalert.mdx | 2 +-
.../github/edges/gh_canwritebranch.mdx | 2 +-
.../github/edges/gh_closediscussion.mdx | 2 +-
.../extensions/github/edges/gh_closeissue.mdx | 2 +-
.../github/edges/gh_closepullrequest.mdx | 2 +-
.../extensions/github/edges/gh_contains.mdx | 2 +-
.../edges/gh_convertissuestodiscussions.mdx | 2 +-
.../edges/gh_creatediscussioncategory.mdx | 2 +-
.../github/edges/gh_createrepository.mdx | 2 +-
.../edges/gh_createsolomergequeueentry.mdx | 2 +-
.../extensions/github/edges/gh_createtag.mdx | 2 +-
.../extensions/github/edges/gh_createteam.mdx | 2 +-
.../edges/gh_deletealertscodescanning.mdx | 2 +-
.../github/edges/gh_deletediscussion.mdx | 2 +-
.../edges/gh_deletediscussioncomment.mdx | 2 +-
.../extensions/github/edges/gh_deleteissue.mdx | 2 +-
.../extensions/github/edges/gh_deletetag.mdx | 2 +-
.../extensions/github/edges/gh_dependson.mdx | 2 +-
.../extensions/github/edges/gh_deploysto.mdx | 2 +-
.../edges/gh_editcategoryondiscussion.mdx | 2 +-
.../github/edges/gh_editdiscussioncategory.mdx | 2 +-
.../github/edges/gh_editdiscussioncomment.mdx | 2 +-
.../edges/gh_editrepoannouncementbanners.mdx | 2 +-
.../gh_editrepocustompropertiesvalues.mdx | 2 +-
.../github/edges/gh_editrepometadata.mdx | 2 +-
.../github/edges/gh_editrepoprotections.mdx | 2 +-
.../extensions/github/edges/gh_hasbaserole.mdx | 2 +-
.../extensions/github/edges/gh_hasbranch.mdx | 2 +-
.../github/edges/gh_hasenvironment.mdx | 2 +-
.../github/edges/gh_hasexternalidentity.mdx | 2 +-
.../extensions/github/edges/gh_hasjob.mdx | 2 +-
.../extensions/github/edges/gh_hasmember.mdx | 2 +-
.../github/edges/gh_haspersonalaccesstoken.mdx | 2 +-
.../edges/gh_haspersonalaccesstokenrequest.mdx | 2 +-
.../extensions/github/edges/gh_hasrole.mdx | 2 +-
.../edges/gh_hassamlidentityprovider.mdx | 2 +-
.../extensions/github/edges/gh_hassecret.mdx | 2 +-
.../extensions/github/edges/gh_hasstep.mdx | 2 +-
.../extensions/github/edges/gh_hasvariable.mdx | 2 +-
.../extensions/github/edges/gh_hasworkflow.mdx | 2 +-
.../extensions/github/edges/gh_installedas.mdx | 2 +-
.../github/edges/gh_invitemember.mdx | 2 +-
.../github/edges/gh_jumpmergequeue.mdx | 2 +-
.../github/edges/gh_managedeploykeys.mdx | 2 +-
.../github/edges/gh_managediscussionbadges.mdx | 2 +-
.../edges/gh_manageorganizationwebhooks.mdx | 2 +-
.../edges/gh_managereposecurityproducts.mdx | 2 +-
.../github/edges/gh_managesecurityproducts.mdx | 2 +-
.../edges/gh_managesettingsmergetypes.mdx | 2 +-
.../github/edges/gh_managesettingspages.mdx | 2 +-
.../github/edges/gh_managesettingsprojects.mdx | 2 +-
.../github/edges/gh_managesettingswiki.mdx | 2 +-
.../github/edges/gh_managetopics.mdx | 2 +-
.../github/edges/gh_managewebhooks.mdx | 2 +-
.../extensions/github/edges/gh_mapstouser.mdx | 2 +-
.../github/edges/gh_markasduplicate.mdx | 2 +-
.../extensions/github/edges/gh_memberof.mdx | 2 +-
..._orgbypasscodescanningdismissalrequests.mdx | 2 +-
..._orgbypasssecretscanningclosurerequests.mdx | 2 +-
...ewandmanagesecretscanningbypassrequests.mdx | 2 +-
...wandmanagesecretscanningclosurerequests.mdx | 2 +-
.../extensions/github/edges/gh_owns.mdx | 2 +-
.../extensions/github/edges/gh_protectedby.mdx | 2 +-
.../github/edges/gh_pushprotectedbranch.mdx | 2 +-
.../github/edges/gh_readcodescanning.mdx | 2 +-
.../gh_readorganizationactionsusagemetrics.mdx | 2 +-
.../edges/gh_readorganizationcustomorgrole.mdx | 2 +-
.../gh_readorganizationcustomreporole.mdx | 2 +-
.../github/edges/gh_readrepocontents.mdx | 2 +-
.../github/edges/gh_removeassignee.mdx | 2 +-
.../extensions/github/edges/gh_removelabel.mdx | 2 +-
.../github/edges/gh_reopendiscussion.mdx | 2 +-
.../extensions/github/edges/gh_reopenissue.mdx | 2 +-
.../github/edges/gh_reopenpullrequest.mdx | 2 +-
.../github/edges/gh_requestprreview.mdx | 2 +-
.../edges/gh_resolvedependabotalerts.mdx | 2 +-
.../edges/gh_resolvesecretscanningalerts.mdx | 2 +-
.../github/edges/gh_restrictionscanpush.mdx | 2 +-
.../github/edges/gh_runorgmigration.mdx | 2 +-
.../github/edges/gh_setinteractionlimits.mdx | 2 +-
.../github/edges/gh_setissuetype.mdx | 2 +-
.../github/edges/gh_setmilestone.mdx | 2 +-
.../github/edges/gh_setsocialpreview.mdx | 2 +-
.../extensions/github/edges/gh_syncedto.mdx | 2 +-
.../github/edges/gh_togglediscussionanswer.mdx | 2 +-
.../gh_togglediscussioncommentminimize.mdx | 2 +-
.../github/edges/gh_transferrepository.mdx | 2 +-
.../extensions/github/edges/gh_usessecret.mdx | 4 ++--
.../github/edges/gh_usesvariable.mdx | 4 ++--
.../extensions/github/edges/gh_validtoken.mdx | 2 +-
.../github/edges/gh_viewdependabotalerts.mdx | 2 +-
.../edges/gh_viewsecretscanningalerts.mdx | 2 +-
.../github/edges/gh_writecodescanning.mdx | 2 +-
.../gh_writeorganizationactionssecrets.mdx | 2 +-
.../gh_writeorganizationactionssettings.mdx | 2 +-
.../gh_writeorganizationactionsvariables.mdx | 2 +-
.../gh_writeorganizationcustomorgrole.mdx | 2 +-
.../gh_writeorganizationcustomreporole.mdx | 2 +-
..._writeorganizationnetworkconfigurations.mdx | 2 +-
.../github/edges/gh_writerepocontents.mdx | 2 +-
.../github/edges/gh_writerepopullrequests.mdx | 2 +-
235 files changed, 261 insertions(+), 261 deletions(-)
diff --git a/descriptions/edges/GH_AddAssignee.md b/descriptions/edges/GH_AddAssignee.md
index c519fa1..34c648d 100644
--- a/descriptions/edges/GH_AddAssignee.md
+++ b/descriptions/edges/GH_AddAssignee.md
@@ -1,3 +1,3 @@ ## General Information -The non-traversable `GH_AddAssignee` edge represents a role's ability to assign users to issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. +The non-traversable GH_AddAssignee edge represents a role's ability to assign users to issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. diff --git a/descriptions/edges/GH_AddCollaborator.md b/descriptions/edges/GH_AddCollaborator.md index b023bb9..0b5e07f 100644 --- a/descriptions/edges/GH_AddCollaborator.md +++ b/descriptions/edges/GH_AddCollaborator.md @@ -1,3 +1,3 @@ ## General Information -The non-traversable `GH_AddCollaborator` edge represents that a role has the ability to add outside collaborators to organization repositories. This permission is typically restricted to Owners, as it grants repository access to external users who are not members of the organization. Outside collaborators bypass organizational membership controls, making this permission significant for security because it can be used to grant access to untrusted external identities without the visibility that full membership provides. +The non-traversable GH_AddCollaborator edge represents that a role has the ability to add outside collaborators to organization repositories. This permission is typically restricted to Owners, as it grants repository access to external users who are not members of the organization. Outside collaborators bypass organizational membership controls, making this permission significant for security because it can be used to grant access to untrusted external identities without the visibility that full membership provides. diff --git a/descriptions/edges/GH_AddLabel.md b/descriptions/edges/GH_AddLabel.md index 922eec0..a295b14 100644 
--- a/descriptions/edges/GH_AddLabel.md +++ b/descriptions/edges/GH_AddLabel.md @@ -1,3 +1,3 @@ ## General Information -The non-traversable `GH_AddLabel` edge represents a role's ability to add labels to issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. +The non-traversable GH_AddLabel edge represents a role's ability to add labels to issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. diff --git a/descriptions/edges/GH_AddMember.md b/descriptions/edges/GH_AddMember.md index f37350d..2401de1 100644 --- a/descriptions/edges/GH_AddMember.md +++ b/descriptions/edges/GH_AddMember.md @@ -1,3 +1,3 @@ ## General Information -The traversable `GH_AddMember` edge indicates that a team role with the Maintainer permission level can add new members to the team. This edge is traversable because the ability to add members grants indirect access -- a maintainer can add any user to the team, and that user then inherits all of the team's repository permissions, effectively expanding the attack surface. +The traversable GH_AddMember edge indicates that a team role with the Maintainer permission level can add new members to the team. This edge is traversable because the ability to add members grants indirect access -- a maintainer can add any user to the team, and that user then inherits all of the team's repository permissions, effectively expanding the attack surface. diff --git a/descriptions/edges/GH_AdminTo.md b/descriptions/edges/GH_AdminTo.md index a357f91..35e3373 100644 --- a/descriptions/edges/GH_AdminTo.md +++ b/descriptions/edges/GH_AdminTo.md 
@@ -1,3 +1,3 @@ ## General Information -The non-traversable `GH_AdminTo` edge represents a role's full administrative access to the repository. Admin is the highest built-in repository role and grants control over all repository settings, including dangerous operations like deleting the repository or modifying its visibility. Admin access bypasses most protections including branch protection rules, unless `enforce_admins` is explicitly enabled on the branch protection rule. This edge is a key permission in the computed branch access model and is a high-value target in attack path analysis. +The non-traversable GH_AdminTo edge represents a role's full administrative access to the repository. Admin is the highest built-in repository role and grants control over all repository settings, including dangerous operations like deleting the repository or modifying its visibility. Admin access bypasses most protections including branch protection rules, unless `enforce_admins` is explicitly enabled on the branch protection rule. This edge is a key permission in the computed branch access model and is a high-value target in attack path analysis. diff --git a/descriptions/edges/GH_BypassBranchProtection.md b/descriptions/edges/GH_BypassBranchProtection.md index 974bf25..1df3e65 100644 --- a/descriptions/edges/GH_BypassBranchProtection.md +++ b/descriptions/edges/GH_BypassBranchProtection.md 
@@ -1,3 +1,3 @@ ## General Information -The non-traversable `GH_BypassBranchProtection` edge represents a role's ability to bypass branch protection rules on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Bypassing branch protection allows merging pull requests without satisfying required review or status check requirements, effectively circumventing the merge gate. This bypass is suppressed when `enforce_admins` is enabled on the branch protection rule, which forces even admins to comply with the protection policy. +The non-traversable GH_BypassBranchProtection edge represents a role's ability to bypass branch protection rules on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Bypassing branch protection allows merging pull requests without satisfying required review or status check requirements, effectively circumventing the merge gate. This bypass is suppressed when `enforce_admins` is enabled on the branch protection rule, which forces even admins to comply with the protection policy. diff --git a/descriptions/edges/GH_BypassPullRequestAllowances.md b/descriptions/edges/GH_BypassPullRequestAllowances.md index d47e6b9..44a1635 100644 --- a/descriptions/edges/GH_BypassPullRequestAllowances.md +++ b/descriptions/edges/GH_BypassPullRequestAllowances.md 
@@ -1,3 +1,3 @@ ## General Information -The non-traversable `GH_BypassPullRequestAllowances` edge represents a per-actor allowance that bypasses the pull request review requirement on a branch protection rule. This edge identifies specific users or teams that can merge code without going through the normal PR review process. This is a significant security concern because these actors can push or merge changes directly, circumventing code review controls that protect branch integrity. Note that this bypass is suppressed when `enforce_admins` is enabled on the branch protection rule, meaning even listed actors must follow the PR review requirement. +The non-traversable GH_BypassPullRequestAllowances edge represents a per-actor allowance that bypasses the pull request review requirement on a branch protection rule. This edge identifies specific users or teams that can merge code without going through the normal PR review process. This is a significant security concern because these actors can push or merge changes directly, circumventing code review controls that protect branch integrity. Note that this bypass is suppressed when `enforce_admins` is enabled on the branch protection rule, meaning even listed actors must follow the PR review requirement. diff --git a/descriptions/edges/GH_CallsWorkflow.md b/descriptions/edges/GH_CallsWorkflow.md index 2aba42e..0861184 100644 --- a/descriptions/edges/GH_CallsWorkflow.md +++ b/descriptions/edges/GH_CallsWorkflow.md 
@@ -1,6 +1,6 @@ ## General Information -The traversable `GH_CallsWorkflow` edge links a workflow job to a reusable workflow it invokes via the `uses:` key at the job level. This edge captures the reusable workflow call graph, enabling analysts to trace inherited permissions and secret access through called workflows. +The traversable GH_CallsWorkflow edge links a workflow job to a reusable workflow it invokes via the `uses:` key at the job level. This edge captures the reusable workflow call graph, enabling analysts to trace inherited permissions and secret access through called workflows. ### Local vs. remote reusable workflows diff --git a/descriptions/edges/GH_CanAccess.md b/descriptions/edges/GH_CanAccess.md index 7c6d342..c6c016d 100644 --- a/descriptions/edges/GH_CanAccess.md +++ b/descriptions/edges/GH_CanAccess.md @@ -1,3 +1,3 @@ ## General Information -The non-traversable `GH_CanAccess` edge indicates that a personal access token or app installation has been granted access to specific repositories. This edge represents the scope of access granted to a token or app rather than a direct attack path, providing visibility into which repositories are reachable through non-human credentials. It is non-traversable because token and app access does not transitively extend to other principals. +The non-traversable GH_CanAccess edge indicates that a personal access token or app installation has been granted access to specific repositories. This edge represents the scope of access granted to a token or app rather than a direct attack path, providing visibility into which repositories are reachable through non-human credentials. It is non-traversable because token and app access does not transitively extend to other principals. diff --git a/descriptions/edges/GH_CanAssumeIdentity.md b/descriptions/edges/GH_CanAssumeIdentity.md index e865832..ea9e12a 100644 --- a/descriptions/edges/GH_CanAssumeIdentity.md +++ b/descriptions/edges/GH_CanAssumeIdentity.md 
@@ -1,3 +1,3 @@ ## General Information -The traversable `GH_CanAssumeIdentity` edge is a hybrid edge connecting GitHub OIDC token sources to cloud identity targets configured for GitHub Actions federation. This edge represents a verified path from GitHub Actions to cloud resource access. It is traversable because an attacker who can execute workflows in the source repository, branch, or environment can obtain an OIDC token that the cloud provider will accept, granting access to the associated cloud identity and its permissions. This edge is critical for identifying cross-cloud lateral movement paths from GitHub into Azure and AWS. +The traversable GH_CanAssumeIdentity edge is a hybrid edge connecting GitHub OIDC token sources to cloud identity targets configured for GitHub Actions federation. This edge represents a verified path from GitHub Actions to cloud resource access. It is traversable because an attacker who can execute workflows in the source repository, branch, or environment can obtain an OIDC token that the cloud provider will accept, granting access to the associated cloud identity and its permissions. This edge is critical for identifying cross-cloud lateral movement paths from GitHub into Azure and AWS. diff --git a/descriptions/edges/GH_CanCreateBranch.md b/descriptions/edges/GH_CanCreateBranch.md index 1e765ca..1a412e2 100644 --- a/descriptions/edges/GH_CanCreateBranch.md +++ b/descriptions/edges/GH_CanCreateBranch.md 
@@ -1,6 +1,6 @@ ## General Information -The traversable `GH_CanCreateBranch` edge is a computed edge indicating that a role or actor can create new branches in a repository. The computation evaluates whether a wildcard (`*`) BPR with push restrictions and `blocks_creations` exists. If no such BPR exists, any write-capable role can create branches. If one exists, admin or `push_protected_branch` permission is required, or the actor must be listed in pushAllowances. Per-actor edges from `GH_User` or `GH_Team` are only emitted when BPR allowances grant branch creation access beyond what the role provides. Each edge includes a `reason` property and a `query_composition` Cypher query showing the underlying graph evidence. +The traversable GH_CanCreateBranch edge is a computed edge indicating that a role or actor can create new branches in a repository. The computation evaluates whether a wildcard (`*`) BPR with push restrictions and `blocks_creations` exists. If no such BPR exists, any write-capable role can create branches. If one exists, admin or `push_protected_branch` permission is required, or the actor must be listed in pushAllowances. Per-actor edges from GH_User or GH_Team are only emitted when BPR allowances grant branch creation access beyond what the role provides. Each edge includes a `reason` property and a `query_composition` Cypher query showing the underlying graph evidence. ## Scenarios @@ -28,7 +28,7 @@ graph LR ### `push_protected_branch` — Push-protected role bypasses wildcard BPR -A wildcard BPR blocks creations. The `GH_PushProtectedBranch` permission bypasses the push gate regardless of `enforce_admins`. +A wildcard BPR blocks creations. The GH_PushProtectedBranch permission bypasses the push gate regardless of `enforce_admins`. ```mermaid graph LR 
@@ -41,7 +41,7 @@ graph LR ### `push_allowance` — Per-actor push restriction bypass -User or Team listed in the wildcard BPR's `pushAllowances` can create branches. This is a per-actor delta edge — only emitted when the actor's role doesn't already grant `GH_CanCreateBranch`. +User or Team listed in the wildcard BPR's `pushAllowances` can create branches. This is a per-actor delta edge — only emitted when the actor's role doesn't already grant GH_CanCreateBranch. ```mermaid graph LR diff --git a/descriptions/edges/GH_CanEditProtection.md b/descriptions/edges/GH_CanEditProtection.md index 968fe0d..455e7eb 100644 --- a/descriptions/edges/GH_CanEditProtection.md +++ b/descriptions/edges/GH_CanEditProtection.md 
@@ -1,12 +1,12 @@ ## General Information -The traversable `GH_CanEditProtection` edge is a computed edge indicating that a role can modify or remove the branch protection rules governing a specific branch. This edge is emitted when the role has `GH_EditRepoProtections` or `GH_AdminTo` permissions and the branch is covered by at least one branch protection rule. The edge targets the protected branch (not the BPR itself) because the security impact is evaluated per-branch — a role that can weaken or remove protections on a branch can subsequently push code to it, representing a privilege escalation path. +The traversable GH_CanEditProtection edge is a computed edge indicating that a role can modify or remove the branch protection rules governing a specific branch. This edge is emitted when the role has GH_EditRepoProtections or GH_AdminTo permissions and the branch is covered by at least one branch protection rule. The edge targets the protected branch (not the BPR itself) because the security impact is evaluated per-branch — a role that can weaken or remove protections on a branch can subsequently push code to it, representing a privilege escalation path. ## Scenarios ### `admin` — Admin can edit protections -The admin role has `GH_AdminTo` which implicitly grants the ability to modify or remove any branch protection rule. +The admin role has GH_AdminTo which implicitly grants the ability to modify or remove any branch protection rule. ```mermaid graph LR @@ -18,7 +18,7 @@ graph LR ### `edit_repo_protections` — Explicit edit permission -A custom or standard role with the `GH_EditRepoProtections` permission can modify or remove branch protection rules. +A custom or standard role with the GH_EditRepoProtections permission can modify or remove branch protection rules. ```mermaid graph LR diff --git a/descriptions/edges/GH_CanPwnRequest.md b/descriptions/edges/GH_CanPwnRequest.md index 3b06037..3c0e4d6 100644 --- a/descriptions/edges/GH_CanPwnRequest.md 
+++ b/descriptions/edges/GH_CanPwnRequest.md @@ -1,6 +1,6 @@ ## General Information -The traversable `GH_CanPwnRequest` edge indicates that a repository role can exploit a pwn-requestable workflow to execute arbitrary code with the base branch's secrets, GITHUB_TOKEN permissions, and OIDC identity. This is a computed edge that combines workflow analysis with repository access and fork policy evaluation. +The traversable GH_CanPwnRequest edge indicates that a repository role can exploit a pwn-requestable workflow to execute arbitrary code with the base branch's secrets, GITHUB_TOKEN permissions, and OIDC identity. This is a computed edge that combines workflow analysis with repository access and fork policy evaluation. ### Pwn Request Conditions @@ -14,9 +14,9 @@ A workflow is considered pwn-requestable (`is_pwn_requestable = true`) when **al ### Edge Drawing Conditions -An edge is drawn from a `GH_RepoRole` to the repository (and its branches) when: +An edge is drawn from a GH_RepoRole to the repository (and its branches) when: -1. **Read access**: The role has a `GH_ReadRepoContents` edge to the repository (read access is the minimum required to fork). +1. **Read access**: The role has a GH_ReadRepoContents edge to the repository (read access is the minimum required to fork). 2. **Forkability**: The repository can be forked by the role holder: - **Public repos**: Always forkable by anyone on GitHub. - **Private/internal repos**: Requires both the organization setting `members_can_fork_private_repositories = true` AND the repository setting `allow_forking = true`. 
@@ -34,12 +34,12 @@ An attacker who exploits a pwn request gains code execution in the workflow runn - **Repository secrets** scoped to the base branch - **Organization secrets** accessible by the repository - **GITHUB_TOKEN** with the workflow's declared permissions (often `write`) -- **OIDC tokens** if `id-token: write` is set, enabling cloud identity assumption via `GH_CanAssumeIdentity` +- **OIDC tokens** if `id-token: write` is set, enabling cloud identity assumption via GH_CanAssumeIdentity - **Environment secrets** if the workflow job targets a deployment environment ### Caveats -- **OIDC traversal requires `id-token: write`**: The attack chain from `GH_CanPwnRequest` through `GH_CanAssumeIdentity` to a cloud role is only valid if the pwn-requestable workflow (or job) explicitly declares `id-token: write` in its `permissions:` block. The `id-token` permission defaults to `none` and is never implicitly granted — even when the workflow has no `permissions:` block at all. The `permissions` property on the `GH_WorkflowJob` node can be inspected to verify this. +- **OIDC traversal requires `id-token: write`**: The attack chain from GH_CanPwnRequest through GH_CanAssumeIdentity to a cloud role is only valid if the pwn-requestable workflow (or job) explicitly declares `id-token: write` in its `permissions:` block. The `id-token` permission defaults to `none` and is never implicitly granted — even when the workflow has no `permissions:` block at all. The `permissions` property on the GH_WorkflowJob node can be inspected to verify this. - **GITHUB_TOKEN permissions**: The `permissions:` block controls what the `GITHUB_TOKEN` can do (e.g., push commits, create releases), but has no effect on secret access, OIDC token requests (governed separately by `id-token`), or arbitrary code execution. A workflow with `contents: read` is still fully exploitable via pwn request for secret exfiltration and lateral movement — only write-back to the repository is limited. ```mermaid 
diff --git a/descriptions/edges/GH_CanReadSecretScanningAlert.md b/descriptions/edges/GH_CanReadSecretScanningAlert.md index 15e576b..6c5f5fa 100644 --- a/descriptions/edges/GH_CanReadSecretScanningAlert.md +++ b/descriptions/edges/GH_CanReadSecretScanningAlert.md @@ -1,6 +1,6 @@ ## General Information -The traversable `GH_CanReadSecretScanningAlert` edge is a computed edge indicating that a role can read a specific secret scanning alert, including the leaked secret value. The computation cross-references `GH_ViewSecretScanningAlerts` permission edges with `GH_Contains` structural edges (org-level and repo-level) to determine which alerts each role can access. This edge is traversable because reading an alert reveals the leaked secret — if the secret is a valid GitHub Personal Access Token, the `GH_ValidToken` edge enables identity compromise of the token's owner. +The traversable GH_CanReadSecretScanningAlert edge is a computed edge indicating that a role can read a specific secret scanning alert, including the leaked secret value. The computation cross-references GH_ViewSecretScanningAlerts permission edges with GH_Contains structural edges (org-level and repo-level) to determine which alerts each role can access. This edge is traversable because reading an alert reveals the leaked secret — if the secret is a valid GitHub Personal Access Token, the GH_ValidToken edge enables identity compromise of the token's owner. Each edge includes a `reason` property (`org_role_permission` or `repo_role_permission`) and a `query_composition` Cypher query showing the underlying graph evidence. 
@@ -8,7 +8,7 @@ Each edge includes a `reason` property (`org_role_permission` or `repo_role_perm ### `org_role_permission` — Org role views alerts via organization -An org role with `GH_ViewSecretScanningAlerts` to the organization can read all secret scanning alerts across the entire org. The computation follows `GH_Contains` edges from the organization to each alert. +An org role with GH_ViewSecretScanningAlerts to the organization can read all secret scanning alerts across the entire org. The computation follows GH_Contains edges from the organization to each alert. ```mermaid graph LR @@ -20,7 +20,7 @@ graph LR ### `repo_role_permission` — Repo role views alerts via repository -A repo role with `GH_ViewSecretScanningAlerts` to the repository can read secret scanning alerts in that specific repo. The computation follows `GH_Contains` edges from the repository to each alert. +A repo role with GH_ViewSecretScanningAlerts to the repository can read secret scanning alerts in that specific repo. The computation follows GH_Contains edges from the repository to each alert. ```mermaid graph LR diff --git a/descriptions/edges/GH_CanWriteBranch.md b/descriptions/edges/GH_CanWriteBranch.md index 0e8332e..12b6b57 100644 --- a/descriptions/edges/GH_CanWriteBranch.md +++ b/descriptions/edges/GH_CanWriteBranch.md 
@@ -1,6 +1,6 @@ ## General Information -The traversable `GH_CanWriteBranch` edge is a computed edge indicating that a role or actor can push to a specific branch. The computation evaluates both the merge gate (PR review requirements) and push gate (push restrictions) of any branch protection rule protecting the branch. Role-level edges are the common case; per-actor edges from `GH_User` or `GH_Team` are only emitted when BPR allowances grant access beyond what the role provides. Each edge includes a `reason` property (`no_protection`, `admin`, `push_protected_branch`, `bypass_branch_protection`, `push_allowance`, `bypass_pr_allowance`) and a `query_composition` Cypher query showing the underlying graph evidence. +The traversable GH_CanWriteBranch edge is a computed edge indicating that a role or actor can push to a specific branch. The computation evaluates both the merge gate (PR review requirements) and push gate (push restrictions) of any branch protection rule protecting the branch. Role-level edges are the common case; per-actor edges from GH_User or GH_Team are only emitted when BPR allowances grant access beyond what the role provides. Each edge includes a `reason` property (`no_protection`, `admin`, `push_protected_branch`, `bypass_branch_protection`, `push_allowance`, `bypass_pr_allowance`) and a `query_composition` Cypher query showing the underlying graph evidence. ## Scenarios @@ -29,7 +29,7 @@ graph LR ### `push_protected_branch` — Push gate bypass -Push gate blocked by `push_restrictions` (no merge gate block). The `GH_PushProtectedBranch` permission bypasses the push gate regardless of `enforce_admins`. +Push gate blocked by `push_restrictions` (no merge gate block). The GH_PushProtectedBranch permission bypasses the push gate regardless of `enforce_admins`. ```mermaid graph LR 
@@ -42,7 +42,7 @@ graph LR
 ### `bypass_branch_protection` — Merge gate bypass
-Merge gate blocked by PR reviews. The `GH_BypassBranchProtection` permission bypasses the merge gate. Requires `enforce_admins=false`; suppressed when `enforce_admins=true`.
+Merge gate blocked by PR reviews. The GH_BypassBranchProtection permission bypasses the merge gate. Requires `enforce_admins=false`; suppressed when `enforce_admins=true`.
 ```mermaid
 graph LR
diff --git a/descriptions/edges/GH_CloseDiscussion.md b/descriptions/edges/GH_CloseDiscussion.md
index 2ca6011..b87271b 100644
--- a/descriptions/edges/GH_CloseDiscussion.md
+++ b/descriptions/edges/GH_CloseDiscussion.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_CloseDiscussion` edge represents a role's ability to close discussions, preventing further replies. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_CloseDiscussion edge represents a role's ability to close discussions, preventing further replies. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_CloseIssue.md b/descriptions/edges/GH_CloseIssue.md
index 9e1b638..d360a6e 100644
--- a/descriptions/edges/GH_CloseIssue.md
+++ b/descriptions/edges/GH_CloseIssue.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_CloseIssue` edge represents a role's ability to close issues. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_CloseIssue edge represents a role's ability to close issues. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_ClosePullRequest.md b/descriptions/edges/GH_ClosePullRequest.md
index bc6ec67..4ed4971 100644
--- a/descriptions/edges/GH_ClosePullRequest.md
+++ b/descriptions/edges/GH_ClosePullRequest.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_ClosePullRequest` edge represents a role's ability to close pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_ClosePullRequest edge represents a role's ability to close pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_Contains.md b/descriptions/edges/GH_Contains.md
index c445055..01de8b8 100644
--- a/descriptions/edges/GH_Contains.md
+++ b/descriptions/edges/GH_Contains.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_Contains` edge represents structural containment within the GitHub resource hierarchy. The organization serves as the top-level container for users, teams, repositories, roles, secrets, app installations, and personal access tokens. Repositories contain their own repo-level secrets, and environments contain environment-scoped secrets. This edge is created by the collector to establish the organizational hierarchy of GitHub resources and is not traversable because containment alone does not imply privilege escalation.
+The non-traversable GH_Contains edge represents structural containment within the GitHub resource hierarchy. The organization serves as the top-level container for users, teams, repositories, roles, secrets, app installations, and personal access tokens. Repositories contain their own repo-level secrets, and environments contain environment-scoped secrets. This edge is created by the collector to establish the organizational hierarchy of GitHub resources and is not traversable because containment alone does not imply privilege escalation.
diff --git a/descriptions/edges/GH_ConvertIssuesToDiscussions.md b/descriptions/edges/GH_ConvertIssuesToDiscussions.md
index 3f77b34..4cbd4a2 100644
--- a/descriptions/edges/GH_ConvertIssuesToDiscussions.md
+++ b/descriptions/edges/GH_ConvertIssuesToDiscussions.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_ConvertIssuesToDiscussions` edge represents a role's ability to convert issues to discussions, moving them from the issue tracker to the discussions forum. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_ConvertIssuesToDiscussions edge represents a role's ability to convert issues to discussions, moving them from the issue tracker to the discussions forum. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_CreateDiscussionCategory.md b/descriptions/edges/GH_CreateDiscussionCategory.md
index 72d7b6b..383d0a0 100644
--- a/descriptions/edges/GH_CreateDiscussionCategory.md
+++ b/descriptions/edges/GH_CreateDiscussionCategory.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_CreateDiscussionCategory` edge represents a role's ability to create new discussion categories. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_CreateDiscussionCategory edge represents a role's ability to create new discussion categories. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_CreateRepository.md b/descriptions/edges/GH_CreateRepository.md
index 09603f1..0481e4e 100644
--- a/descriptions/edges/GH_CreateRepository.md
+++ b/descriptions/edges/GH_CreateRepository.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_CreateRepository` edge represents that a role has the ability to create new repositories within the organization. This permission is available to Owners and custom organization roles that have been granted the repository creation permission. Creating repositories can introduce new attack surface to an organization, as each new repository is a potential vector for code execution through GitHub Actions workflows, secret exposure, and supply chain attacks.
+The non-traversable GH_CreateRepository edge represents that a role has the ability to create new repositories within the organization. This permission is available to Owners and custom organization roles that have been granted the repository creation permission. Creating repositories can introduce new attack surface to an organization, as each new repository is a potential vector for code execution through GitHub Actions workflows, secret exposure, and supply chain attacks.
diff --git a/descriptions/edges/GH_CreateSoloMergeQueueEntry.md b/descriptions/edges/GH_CreateSoloMergeQueueEntry.md
index ecfedd7..07dc0b9 100644
--- a/descriptions/edges/GH_CreateSoloMergeQueueEntry.md
+++ b/descriptions/edges/GH_CreateSoloMergeQueueEntry.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_CreateSoloMergeQueueEntry` edge represents a role's ability to create solo merge queue entries, effectively bypassing the merge queue by merging independently of other queued changes. This permission is available to Admin roles and custom roles that have been granted this specific permission. Solo merge queue entries skip the batching and ordering guarantees of the merge queue, allowing changes to land without waiting for or being tested alongside other pending merges. This can circumvent the integration testing benefits that merge queues provide.
+The non-traversable GH_CreateSoloMergeQueueEntry edge represents a role's ability to create solo merge queue entries, effectively bypassing the merge queue by merging independently of other queued changes. This permission is available to Admin roles and custom roles that have been granted this specific permission. Solo merge queue entries skip the batching and ordering guarantees of the merge queue, allowing changes to land without waiting for or being tested alongside other pending merges. This can circumvent the integration testing benefits that merge queues provide.
diff --git a/descriptions/edges/GH_CreateTag.md b/descriptions/edges/GH_CreateTag.md
index f1bdb02..14f3e65 100644
--- a/descriptions/edges/GH_CreateTag.md
+++ b/descriptions/edges/GH_CreateTag.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_CreateTag` edge represents a role's ability to create tags and releases. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission. Creating tags can trigger CI/CD workflows and publish release artifacts.
+The non-traversable GH_CreateTag edge represents a role's ability to create tags and releases. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission. Creating tags can trigger CI/CD workflows and publish release artifacts.
diff --git a/descriptions/edges/GH_CreateTeam.md b/descriptions/edges/GH_CreateTeam.md
index 45b6bc3..f310b8f 100644
--- a/descriptions/edges/GH_CreateTeam.md
+++ b/descriptions/edges/GH_CreateTeam.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_CreateTeam` edge represents that a role has the ability to create teams within the organization. Teams are the primary mechanism for granting groups of users access to repositories, so team creation is a stepping stone to broader access. This edge is created by the collector when enumerating organization role permissions, and its security significance lies in the fact that a newly created team can be granted repository access and then populated with controlled accounts.
+The non-traversable GH_CreateTeam edge represents that a role has the ability to create teams within the organization. Teams are the primary mechanism for granting groups of users access to repositories, so team creation is a stepping stone to broader access. This edge is created by the collector when enumerating organization role permissions, and its security significance lies in the fact that a newly created team can be granted repository access and then populated with controlled accounts.
diff --git a/descriptions/edges/GH_DeleteAlertsCodeScanning.md b/descriptions/edges/GH_DeleteAlertsCodeScanning.md
index 5c68ed6..3a917e8 100644
--- a/descriptions/edges/GH_DeleteAlertsCodeScanning.md
+++ b/descriptions/edges/GH_DeleteAlertsCodeScanning.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_DeleteAlertsCodeScanning` edge represents a role's ability to delete code scanning alerts from the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Deleting code scanning alerts can obscure security vulnerabilities that have been detected in the codebase, which is significant from an audit and compliance perspective. An attacker with this permission could suppress evidence of vulnerabilities they have introduced.
+The non-traversable GH_DeleteAlertsCodeScanning edge represents a role's ability to delete code scanning alerts from the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Deleting code scanning alerts can obscure security vulnerabilities that have been detected in the codebase, which is significant from an audit and compliance perspective. An attacker with this permission could suppress evidence of vulnerabilities they have introduced.
diff --git a/descriptions/edges/GH_DeleteDiscussion.md b/descriptions/edges/GH_DeleteDiscussion.md
index 071ebd1..0033b84 100644
--- a/descriptions/edges/GH_DeleteDiscussion.md
+++ b/descriptions/edges/GH_DeleteDiscussion.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_DeleteDiscussion` edge represents a role's ability to delete discussions. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_DeleteDiscussion edge represents a role's ability to delete discussions. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_DeleteDiscussionComment.md b/descriptions/edges/GH_DeleteDiscussionComment.md
index d251db4..bda23c6 100644
--- a/descriptions/edges/GH_DeleteDiscussionComment.md
+++ b/descriptions/edges/GH_DeleteDiscussionComment.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_DeleteDiscussionComment` edge represents a role's ability to delete discussion comments authored by any user. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_DeleteDiscussionComment edge represents a role's ability to delete discussion comments authored by any user. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_DeleteIssue.md b/descriptions/edges/GH_DeleteIssue.md
index 7e586d3..04ad299 100644
--- a/descriptions/edges/GH_DeleteIssue.md
+++ b/descriptions/edges/GH_DeleteIssue.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_DeleteIssue` edge represents a role's ability to delete issues permanently. Deleted issues cannot be recovered. This permission is available to Admin roles and custom roles that have been granted this specific permission. Deleting issues can destroy audit trails and remove evidence of security discussions or vulnerability reports.
+The non-traversable GH_DeleteIssue edge represents a role's ability to delete issues permanently. Deleted issues cannot be recovered. This permission is available to Admin roles and custom roles that have been granted this specific permission. Deleting issues can destroy audit trails and remove evidence of security discussions or vulnerability reports.
diff --git a/descriptions/edges/GH_DeleteTag.md b/descriptions/edges/GH_DeleteTag.md
index a4080ca..755e162 100644
--- a/descriptions/edges/GH_DeleteTag.md
+++ b/descriptions/edges/GH_DeleteTag.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_DeleteTag` edge represents a role's ability to delete tags and releases. This permission is available to Admin roles and custom roles that have been granted this specific permission. Deleting tags can break downstream dependency references and remove published artifacts.
+The non-traversable GH_DeleteTag edge represents a role's ability to delete tags and releases. This permission is available to Admin roles and custom roles that have been granted this specific permission. Deleting tags can break downstream dependency references and remove published artifacts.
diff --git a/descriptions/edges/GH_DependsOn.md b/descriptions/edges/GH_DependsOn.md
index 28a64fb..38455b5 100644
--- a/descriptions/edges/GH_DependsOn.md
+++ b/descriptions/edges/GH_DependsOn.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_DependsOn` edge represents a `needs:` dependency between two jobs in the same workflow. This edge captures execution order constraints — the source job will not start until the destination job completes successfully. This edge is non-traversable because it represents sequencing only, not an access or privilege path.
+The non-traversable GH_DependsOn edge represents a `needs:` dependency between two jobs in the same workflow. This edge captures execution order constraints — the source job will not start until the destination job completes successfully. This edge is non-traversable because it represents sequencing only, not an access or privilege path.
diff --git a/descriptions/edges/GH_DeploysTo.md b/descriptions/edges/GH_DeploysTo.md
index 0458bc7..4689fbe 100644
--- a/descriptions/edges/GH_DeploysTo.md
+++ b/descriptions/edges/GH_DeploysTo.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_DeploysTo` edge links a workflow job to the GitHub Environment it targets via the `environment:` key. This edge records which jobs deploy to which environments. Environments can gate deployments with protection rules (required reviewers, wait timers, deployment branch policies) and can expose environment-scoped secrets.
+The non-traversable GH_DeploysTo edge links a workflow job to the GitHub Environment it targets via the `environment:` key. This edge records which jobs deploy to which environments. Environments can gate deployments with protection rules (required reviewers, wait timers, deployment branch policies) and can expose environment-scoped secrets.
diff --git a/descriptions/edges/GH_EditCategoryOnDiscussion.md b/descriptions/edges/GH_EditCategoryOnDiscussion.md
index 447e91d..066529b 100644
--- a/descriptions/edges/GH_EditCategoryOnDiscussion.md
+++ b/descriptions/edges/GH_EditCategoryOnDiscussion.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_EditCategoryOnDiscussion` edge represents a role's ability to change the category of a discussion, moving it between categories. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_EditCategoryOnDiscussion edge represents a role's ability to change the category of a discussion, moving it between categories. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_EditDiscussionCategory.md b/descriptions/edges/GH_EditDiscussionCategory.md
index d961d79..592d27c 100644
--- a/descriptions/edges/GH_EditDiscussionCategory.md
+++ b/descriptions/edges/GH_EditDiscussionCategory.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_EditDiscussionCategory` edge represents a role's ability to edit discussion categories to reorganize discussion classification. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_EditDiscussionCategory edge represents a role's ability to edit discussion categories to reorganize discussion classification. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_EditDiscussionComment.md b/descriptions/edges/GH_EditDiscussionComment.md
index 5013e6d..2978aef 100644
--- a/descriptions/edges/GH_EditDiscussionComment.md
+++ b/descriptions/edges/GH_EditDiscussionComment.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_EditDiscussionComment` edge represents a role's ability to edit discussion comments authored by any user. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_EditDiscussionComment edge represents a role's ability to edit discussion comments authored by any user. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_EditRepoAnnouncementBanners.md b/descriptions/edges/GH_EditRepoAnnouncementBanners.md
index daf2830..75f1a61 100644
--- a/descriptions/edges/GH_EditRepoAnnouncementBanners.md
+++ b/descriptions/edges/GH_EditRepoAnnouncementBanners.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_EditRepoAnnouncementBanners` edge represents a role's ability to edit repository announcement banners displayed to visitors. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_EditRepoAnnouncementBanners edge represents a role's ability to edit repository announcement banners displayed to visitors. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_EditRepoCustomPropertiesValues.md b/descriptions/edges/GH_EditRepoCustomPropertiesValues.md
index 0f43ead..f00b434 100644
--- a/descriptions/edges/GH_EditRepoCustomPropertiesValues.md
+++ b/descriptions/edges/GH_EditRepoCustomPropertiesValues.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_EditRepoCustomPropertiesValues` edge represents a role's ability to edit custom property values on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Custom properties are organization-defined metadata fields on repositories that can be used for classification, compliance tagging, or policy enforcement via rulesets. Modifying custom property values could alter which organization-level rulesets apply to the repository, potentially bypassing security controls that are scoped by property-based targeting.
+The non-traversable GH_EditRepoCustomPropertiesValues edge represents a role's ability to edit custom property values on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Custom properties are organization-defined metadata fields on repositories that can be used for classification, compliance tagging, or policy enforcement via rulesets. Modifying custom property values could alter which organization-level rulesets apply to the repository, potentially bypassing security controls that are scoped by property-based targeting.
diff --git a/descriptions/edges/GH_EditRepoMetadata.md b/descriptions/edges/GH_EditRepoMetadata.md
index 7d73576..4c650c9 100644
--- a/descriptions/edges/GH_EditRepoMetadata.md
+++ b/descriptions/edges/GH_EditRepoMetadata.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_EditRepoMetadata` edge represents a role's ability to edit repository metadata including description, homepage URL, and visibility settings. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_EditRepoMetadata edge represents a role's ability to edit repository metadata including description, homepage URL, and visibility settings. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_EditRepoProtections.md b/descriptions/edges/GH_EditRepoProtections.md
index 49e5da2..de39956 100644
--- a/descriptions/edges/GH_EditRepoProtections.md
+++ b/descriptions/edges/GH_EditRepoProtections.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_EditRepoProtections` edge represents a role's ability to edit or remove branch protection rules on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Modifying a branch protection rule is an indirect bypass -- removing or weakening protections opens the branch to direct push or unreviewed merges, making this a high-severity permission from a security perspective. Attack paths that include this edge can escalate to full branch write access by first disabling protections.
+The non-traversable GH_EditRepoProtections edge represents a role's ability to edit or remove branch protection rules on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Modifying a branch protection rule is an indirect bypass -- removing or weakening protections opens the branch to direct push or unreviewed merges, making this a high-severity permission from a security perspective. Attack paths that include this edge can escalate to full branch write access by first disabling protections.
diff --git a/descriptions/edges/GH_HasBaseRole.md b/descriptions/edges/GH_HasBaseRole.md
index cac239c..2a79127 100644
--- a/descriptions/edges/GH_HasBaseRole.md
+++ b/descriptions/edges/GH_HasBaseRole.md
@@ -1,3 +1,3 @@
 ## General Information
-The traversable `GH_HasBaseRole` edge represents role inheritance within the GitHub permission hierarchy. Org roles inherit down to all-repo roles (e.g., Owners inherits to all_repo_admin), and custom roles inherit from their base roles (e.g., a custom_role inherits from write). This edge is traversable because it extends permissions through the role hierarchy, meaning a principal with a higher-level role implicitly holds all inherited lower-level roles.
+The traversable GH_HasBaseRole edge represents role inheritance within the GitHub permission hierarchy. Org roles inherit down to all-repo roles (e.g., Owners inherits to all_repo_admin), and custom roles inherit from their base roles (e.g., a custom_role inherits from write). This edge is traversable because it extends permissions through the role hierarchy, meaning a principal with a higher-level role implicitly holds all inherited lower-level roles.
diff --git a/descriptions/edges/GH_HasBranch.md b/descriptions/edges/GH_HasBranch.md
index 4030e1f..b65366a 100644
--- a/descriptions/edges/GH_HasBranch.md
+++ b/descriptions/edges/GH_HasBranch.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_HasBranch` edge represents the relationship between a repository and its branches. This edge links each collected branch to its parent repository. It is a structural edge that provides the foundation for understanding branch-level protections and access controls. While not traversable itself, it connects repositories to branches where traversable edges like `GH_CanWriteBranch` and `GH_CanEditProtection` model the effective access.
+The non-traversable GH_HasBranch edge represents the relationship between a repository and its branches. This edge links each collected branch to its parent repository. It is a structural edge that provides the foundation for understanding branch-level protections and access controls. While not traversable itself, it connects repositories to branches where traversable edges like GH_CanWriteBranch and GH_CanEditProtection model the effective access.
diff --git a/descriptions/edges/GH_HasEnvironment.md b/descriptions/edges/GH_HasEnvironment.md
index 300eb5a..2f46635 100644
--- a/descriptions/edges/GH_HasEnvironment.md
+++ b/descriptions/edges/GH_HasEnvironment.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_HasEnvironment` edge represents the relationship between a repository or branch and its deployment environments. This edge links environments to the repositories that define them and to the branches that are allowed to deploy to them (via deployment branch policies). Environments are security-relevant because they can gate access to secrets and cloud credentials, and their deployment branch policies control which branches can trigger deployments.
+The non-traversable GH_HasEnvironment edge represents the relationship between a repository or branch and its deployment environments. This edge links environments to the repositories that define them and to the branches that are allowed to deploy to them (via deployment branch policies). Environments are security-relevant because they can gate access to secrets and cloud credentials, and their deployment branch policies control which branches can trigger deployments.
diff --git a/descriptions/edges/GH_HasExternalIdentity.md b/descriptions/edges/GH_HasExternalIdentity.md
index 1bf91e7..4aea643 100644
--- a/descriptions/edges/GH_HasExternalIdentity.md
+++ b/descriptions/edges/GH_HasExternalIdentity.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_HasExternalIdentity` edge represents the relationship between a SAML identity provider and the external identities (SSO users) it manages. This edge links each external identity to the SAML provider that authenticated it. External identities are a key component in cross-platform attack path analysis because they bridge the gap between corporate identity providers and GitHub user accounts via the `GH_MapsToUser` edge. Enumerating external identities reveals which corporate users have linked GitHub accounts and enables mapping from IdP compromise to GitHub access.
+The non-traversable GH_HasExternalIdentity edge represents the relationship between a SAML identity provider and the external identities (SSO users) it manages. This edge links each external identity to the SAML provider that authenticated it. External identities are a key component in cross-platform attack path analysis because they bridge the gap between corporate identity providers and GitHub user accounts via the GH_MapsToUser edge. Enumerating external identities reveals which corporate users have linked GitHub accounts and enables mapping from IdP compromise to GitHub access.
diff --git a/descriptions/edges/GH_HasJob.md b/descriptions/edges/GH_HasJob.md
index 3cae84f..cbfcb0a 100644
--- a/descriptions/edges/GH_HasJob.md
+++ b/descriptions/edges/GH_HasJob.md
@@ -1,3 +1,3 @@
 ## General Information
-The traversable `GH_HasJob` edge links a workflow to each of its jobs. This edge is the primary structural link for walking from a workflow definition into its execution units. Because jobs can declare environments and permissions, traversing this edge enables analysts to reason about what a workflow can do and where it can deploy.
+The traversable GH_HasJob edge links a workflow to each of its jobs. This edge is the primary structural link for walking from a workflow definition into its execution units. Because jobs can declare environments and permissions, traversing this edge enables analysts to reason about what a workflow can do and where it can deploy.
diff --git a/descriptions/edges/GH_HasMember.md b/descriptions/edges/GH_HasMember.md
index 40e1260..660f1bd 100644
--- a/descriptions/edges/GH_HasMember.md
+++ b/descriptions/edges/GH_HasMember.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_HasMember` edge represents the relationship between a GitHub enterprise or organization and a user who is a member of that scope. This edge records membership as directory context rather than as an access path: being listed as a member does not by itself describe what the user can do, only that the user belongs to the enterprise or organization. Membership remains security-relevant because it defines the population from which roles, team assignments, and token approvals are drawn, and it helps analysts understand who is inside the trust boundary when reviewing GitHub exposure.
+The non-traversable GH_HasMember edge represents the relationship between a GitHub enterprise or organization and a user who is a member of that scope. This edge records membership as directory context rather than as an access path: being listed as a member does not by itself describe what the user can do, only that the user belongs to the enterprise or organization. Membership remains security-relevant because it defines the population from which roles, team assignments, and token approvals are drawn, and it helps analysts understand who is inside the trust boundary when reviewing GitHub exposure.
diff --git a/descriptions/edges/GH_HasPersonalAccessToken.md b/descriptions/edges/GH_HasPersonalAccessToken.md
index 785869c..9e340b5 100644
--- a/descriptions/edges/GH_HasPersonalAccessToken.md
+++ b/descriptions/edges/GH_HasPersonalAccessToken.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_HasPersonalAccessToken` edge represents the relationship between a user and their fine-grained personal access tokens that have been granted access to the organization. This edge links each approved token back to the user who created it. Fine-grained personal access tokens are security-significant because they provide programmatic access to organization resources with specific scoped permissions. Tracking token ownership is essential for understanding which users have standing API access and for identifying tokens that may need revocation.
+The non-traversable GH_HasPersonalAccessToken edge represents the relationship between a user and their fine-grained personal access tokens that have been granted access to the organization. This edge links each approved token back to the user who created it. Fine-grained personal access tokens are security-significant because they provide programmatic access to organization resources with specific scoped permissions. Tracking token ownership is essential for understanding which users have standing API access and for identifying tokens that may need revocation.
diff --git a/descriptions/edges/GH_HasPersonalAccessTokenRequest.md b/descriptions/edges/GH_HasPersonalAccessTokenRequest.md
index d0fac2f..ca85f2b 100644
--- a/descriptions/edges/GH_HasPersonalAccessTokenRequest.md
+++ b/descriptions/edges/GH_HasPersonalAccessTokenRequest.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_HasPersonalAccessTokenRequest` edge represents the relationship between a user and their pending personal access token requests awaiting organizational approval. This edge links each pending token request back to the user who submitted it. Pending token requests are security-relevant because they represent access that may soon be granted, and reviewing them helps administrators understand what permissions users are requesting before approval. Organizations that require approval for fine-grained PATs will have these requests queued until an administrator acts on them.
+The non-traversable GH_HasPersonalAccessTokenRequest edge represents the relationship between a user and their pending personal access token requests awaiting organizational approval. This edge links each pending token request back to the user who submitted it. Pending token requests are security-relevant because they represent access that may soon be granted, and reviewing them helps administrators understand what permissions users are requesting before approval. Organizations that require approval for fine-grained PATs will have these requests queued until an administrator acts on them.
diff --git a/descriptions/edges/GH_HasRole.md b/descriptions/edges/GH_HasRole.md
index cdfde84..38a030a 100644
--- a/descriptions/edges/GH_HasRole.md
+++ b/descriptions/edges/GH_HasRole.md
@@ -1,3 +1,3 @@
 ## General Information
-The traversable `GH_HasRole` edge represents the assignment of a user or team to a specific role within the organization, repository, or team. This is the primary edge for connecting identities to their permissions and serves as the foundation of all access paths in the GitHub permission model. Because role assignment is the starting point for determining what a principal can do, this edge is traversable and critical for attack path analysis.
+The traversable GH_HasRole edge represents the assignment of a user or team to a specific role within the organization, repository, or team. This is the primary edge for connecting identities to their permissions and serves as the foundation of all access paths in the GitHub permission model. Because role assignment is the starting point for determining what a principal can do, this edge is traversable and critical for attack path analysis.
diff --git a/descriptions/edges/GH_HasSamlIdentityProvider.md b/descriptions/edges/GH_HasSamlIdentityProvider.md
index 373cfaa..0ae7fd7 100644
--- a/descriptions/edges/GH_HasSamlIdentityProvider.md
+++ b/descriptions/edges/GH_HasSamlIdentityProvider.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_HasSamlIdentityProvider` edge represents the relationship between an organization and its SAML identity provider configuration. This edge links an organization to the SAML SSO provider used for authentication and user provisioning. SAML identity providers are a critical security component because they establish the trust boundary between an external identity provider (such as Entra ID or Okta) and the GitHub organization. Understanding this relationship is essential for mapping cross-platform attack paths where compromise of the identity provider could lead to access within the GitHub organization.
+The non-traversable GH_HasSamlIdentityProvider edge represents the relationship between an organization and its SAML identity provider configuration. This edge links an organization to the SAML SSO provider used for authentication and user provisioning. SAML identity providers are a critical security component because they establish the trust boundary between an external identity provider (such as Entra ID or Okta) and the GitHub organization. Understanding this relationship is essential for mapping cross-platform attack paths where compromise of the identity provider could lead to access within the GitHub organization.
diff --git a/descriptions/edges/GH_HasSecret.md b/descriptions/edges/GH_HasSecret.md
index 398e017..7bf1cac 100644
--- a/descriptions/edges/GH_HasSecret.md
+++ b/descriptions/edges/GH_HasSecret.md
@@ -1,3 +1,3 @@
 ## General Information
-The traversable `GH_HasSecret` edge represents the relationship between a repository or environment and the secrets accessible within that context. This edge shows which secrets are available in which scopes. Repositories can have access to both organization-level secrets (scoped to selected repositories) and repository-level secrets, while environments contain their own environment-scoped secrets. This edge is traversable because any principal that can push code to a repository (via `GH_CanWriteBranch` or `GH_CanCreateBranch`) can write a workflow that exfiltrates the secret values at runtime, making this a meaningful link in attack path analysis.
+The traversable GH_HasSecret edge represents the relationship between a repository or environment and the secrets accessible within that context. This edge shows which secrets are available in which scopes. Repositories can have access to both organization-level secrets (scoped to selected repositories) and repository-level secrets, while environments contain their own environment-scoped secrets. This edge is traversable because any principal that can push code to a repository (via GH_CanWriteBranch or GH_CanCreateBranch) can write a workflow that exfiltrates the secret values at runtime, making this a meaningful link in attack path analysis.
diff --git a/descriptions/edges/GH_HasStep.md b/descriptions/edges/GH_HasStep.md
index 781b770..1664dad 100644
--- a/descriptions/edges/GH_HasStep.md
+++ b/descriptions/edges/GH_HasStep.md
@@ -1,3 +1,3 @@
 ## General Information
-The traversable `GH_HasStep` edge links a job to each of its steps in execution order. This edge enables analysts to enumerate all actions and shell commands executed by a job, including which secrets and variables each step consumes.
+The traversable GH_HasStep edge links a job to each of its steps in execution order. This edge enables analysts to enumerate all actions and shell commands executed by a job, including which secrets and variables each step consumes.
diff --git a/descriptions/edges/GH_HasVariable.md b/descriptions/edges/GH_HasVariable.md
index 80c8d90..bf7061f 100644
--- a/descriptions/edges/GH_HasVariable.md
+++ b/descriptions/edges/GH_HasVariable.md
@@ -1,3 +1,3 @@
 ## General Information
-The traversable `GH_HasVariable` edge represents the relationship between a repository and the variables accessible within that context. This edge shows which variables are available in which scopes. Repositories can have access to both organization-level variables (scoped by visibility to all, private, or selected repositories) and repository-level variables defined directly on the repo. This edge is traversable because any principal that can push code to a repository (via `GH_CanWriteBranch` or `GH_CanCreateBranch`) can write a workflow that reads variable values at runtime, and variables may contain configuration data useful for lateral movement such as deployment URLs, service names, or environment identifiers.
+The traversable GH_HasVariable edge represents the relationship between a repository and the variables accessible within that context. This edge shows which variables are available in which scopes. Repositories can have access to both organization-level variables (scoped by visibility to all, private, or selected repositories) and repository-level variables defined directly on the repo. This edge is traversable because any principal that can push code to a repository (via GH_CanWriteBranch or GH_CanCreateBranch) can write a workflow that reads variable values at runtime, and variables may contain configuration data useful for lateral movement such as deployment URLs, service names, or environment identifiers.
diff --git a/descriptions/edges/GH_HasWorkflow.md b/descriptions/edges/GH_HasWorkflow.md
index 7b144aa..8ec759e 100644
--- a/descriptions/edges/GH_HasWorkflow.md
+++ b/descriptions/edges/GH_HasWorkflow.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_HasWorkflow` edge represents the relationship between a repository and its GitHub Actions workflows. This edge links each discovered workflow definition to its parent repository. Workflows are significant from a security perspective because they can execute arbitrary code with repository permissions, access secrets, and assume cloud identities. This structural edge enables analysts to enumerate which workflows exist in a given repository.
+The non-traversable GH_HasWorkflow edge represents the relationship between a repository and its GitHub Actions workflows. This edge links each discovered workflow definition to its parent repository. Workflows are significant from a security perspective because they can execute arbitrary code with repository permissions, access secrets, and assume cloud identities. This structural edge enables analysts to enumerate which workflows exist in a given repository.
diff --git a/descriptions/edges/GH_InstalledAs.md b/descriptions/edges/GH_InstalledAs.md
index 341f585..8c49d68 100644
--- a/descriptions/edges/GH_InstalledAs.md
+++ b/descriptions/edges/GH_InstalledAs.md
@@ -1,3 +1,3 @@
 ## General Information
-The traversable `GH_InstalledAs` edge links a GitHub App to its installation within the organization. This edge is traversable because it connects the app definition to its active installation, which determines the specific set of repositories and permissions the app has been granted. Understanding the relationship between an app and its installation is essential for tracing how app-level permissions translate into repository access.
+The traversable GH_InstalledAs edge links a GitHub App to its installation within the organization. This edge is traversable because it connects the app definition to its active installation, which determines the specific set of repositories and permissions the app has been granted. Understanding the relationship between an app and its installation is essential for tracing how app-level permissions translate into repository access.
diff --git a/descriptions/edges/GH_InviteMember.md b/descriptions/edges/GH_InviteMember.md
index 7e620b9..75bf35c 100644
--- a/descriptions/edges/GH_InviteMember.md
+++ b/descriptions/edges/GH_InviteMember.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_InviteMember` edge represents that a role has the ability to invite new members to the organization. This permission is typically restricted to Owners, as inviting members expands the organization's trust boundary by granting new users access to internal resources. An attacker with this permission could invite a controlled account to gain persistent access to the organization's repositories, teams, and secrets.
+The non-traversable GH_InviteMember edge represents that a role has the ability to invite new members to the organization. This permission is typically restricted to Owners, as inviting members expands the organization's trust boundary by granting new users access to internal resources. An attacker with this permission could invite a controlled account to gain persistent access to the organization's repositories, teams, and secrets.
diff --git a/descriptions/edges/GH_JumpMergeQueue.md b/descriptions/edges/GH_JumpMergeQueue.md
index 2fffb3b..f061ed6 100644
--- a/descriptions/edges/GH_JumpMergeQueue.md
+++ b/descriptions/edges/GH_JumpMergeQueue.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_JumpMergeQueue` edge represents a role's ability to jump ahead of other entries in the merge queue. This permission is available to Admin roles and custom roles that have been granted this specific permission. Merge queues enforce an ordered sequence of CI checks and merges; jumping the queue allows a principal to prioritize their changes ahead of others. While less severe than bypassing protections entirely, this permission can be used to accelerate the landing of malicious changes before other queued entries are reviewed or tested.
+The non-traversable GH_JumpMergeQueue edge represents a role's ability to jump ahead of other entries in the merge queue. This permission is available to Admin roles and custom roles that have been granted this specific permission. Merge queues enforce an ordered sequence of CI checks and merges; jumping the queue allows a principal to prioritize their changes ahead of others. While less severe than bypassing protections entirely, this permission can be used to accelerate the landing of malicious changes before other queued entries are reviewed or tested.
diff --git a/descriptions/edges/GH_ManageDeployKeys.md b/descriptions/edges/GH_ManageDeployKeys.md
index 7a7149c..5c8759e 100644
--- a/descriptions/edges/GH_ManageDeployKeys.md
+++ b/descriptions/edges/GH_ManageDeployKeys.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_ManageDeployKeys` edge represents a role's ability to create, modify, and delete deploy keys for the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Deploy keys provide SSH-based access to the repository, and a deploy key with write access can push commits directly without going through the GitHub web interface or API authentication. Managing deploy keys is security-significant because it enables the creation of persistent, credential-based access that operates outside the normal user authentication flow.
+The non-traversable GH_ManageDeployKeys edge represents a role's ability to create, modify, and delete deploy keys for the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Deploy keys provide SSH-based access to the repository, and a deploy key with write access can push commits directly without going through the GitHub web interface or API authentication. Managing deploy keys is security-significant because it enables the creation of persistent, credential-based access that operates outside the normal user authentication flow.
diff --git a/descriptions/edges/GH_ManageDiscussionBadges.md b/descriptions/edges/GH_ManageDiscussionBadges.md
index 9f91e71..796d7de 100644
--- a/descriptions/edges/GH_ManageDiscussionBadges.md
+++ b/descriptions/edges/GH_ManageDiscussionBadges.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_ManageDiscussionBadges` edge represents a role's ability to manage discussion badges used to highlight discussion participants. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_ManageDiscussionBadges edge represents a role's ability to manage discussion badges used to highlight discussion participants. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_ManageOrganizationWebhooks.md b/descriptions/edges/GH_ManageOrganizationWebhooks.md
index 969c63a..d3a282c 100644
--- a/descriptions/edges/GH_ManageOrganizationWebhooks.md
+++ b/descriptions/edges/GH_ManageOrganizationWebhooks.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_ManageOrganizationWebhooks` edge represents that a role has the ability to manage organization-level webhooks. This edge is dynamically generated from custom organization role permissions discovered by the collector. Webhooks can be configured to send event data to external endpoints, making this permission significant for security because an attacker could create or modify webhooks to exfiltrate repository data, commit contents, or issue details to an attacker-controlled server, or use them as a persistence mechanism.
+The non-traversable GH_ManageOrganizationWebhooks edge represents that a role has the ability to manage organization-level webhooks. This edge is dynamically generated from custom organization role permissions discovered by the collector. Webhooks can be configured to send event data to external endpoints, making this permission significant for security because an attacker could create or modify webhooks to exfiltrate repository data, commit contents, or issue details to an attacker-controlled server, or use them as a persistence mechanism.
diff --git a/descriptions/edges/GH_ManageRepoSecurityProducts.md b/descriptions/edges/GH_ManageRepoSecurityProducts.md
index e4a3e0d..43f8ae7 100644
--- a/descriptions/edges/GH_ManageRepoSecurityProducts.md
+++ b/descriptions/edges/GH_ManageRepoSecurityProducts.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_ManageRepoSecurityProducts` edge represents a role's ability to manage repository-specific security product settings. This permission is available to Admin roles and custom roles that have been granted this specific permission. Unlike the broader `GH_ManageSecurityProducts` permission, this edge is scoped to repository-level security configuration such as repository-specific scanning settings and alert management. Disabling repository-level security products can create blind spots in vulnerability detection for the specific repository.
+The non-traversable GH_ManageRepoSecurityProducts edge represents a role's ability to manage repository-specific security product settings. This permission is available to Admin roles and custom roles that have been granted this specific permission. Unlike the broader GH_ManageSecurityProducts permission, this edge is scoped to repository-level security configuration such as repository-specific scanning settings and alert management. Disabling repository-level security products can create blind spots in vulnerability detection for the specific repository.
diff --git a/descriptions/edges/GH_ManageSecurityProducts.md b/descriptions/edges/GH_ManageSecurityProducts.md
index 213fbc0..4d4d314 100644
--- a/descriptions/edges/GH_ManageSecurityProducts.md
+++ b/descriptions/edges/GH_ManageSecurityProducts.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_ManageSecurityProducts` edge represents a role's ability to manage security product settings on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Managing security products allows enabling or disabling features such as secret scanning, code scanning, and Dependabot alerts. An attacker with this permission could disable security features to prevent detection of vulnerabilities or leaked secrets, making this a high-severity permission for security posture management.
+The non-traversable GH_ManageSecurityProducts edge represents a role's ability to manage security product settings on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Managing security products allows enabling or disabling features such as secret scanning, code scanning, and Dependabot alerts. An attacker with this permission could disable security features to prevent detection of vulnerabilities or leaked secrets, making this a high-severity permission for security posture management.
diff --git a/descriptions/edges/GH_ManageSettingsMergeTypes.md b/descriptions/edges/GH_ManageSettingsMergeTypes.md
index cf64017..c01a792 100644
--- a/descriptions/edges/GH_ManageSettingsMergeTypes.md
+++ b/descriptions/edges/GH_ManageSettingsMergeTypes.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_ManageSettingsMergeTypes` edge represents a role's ability to configure allowed merge types (merge commit, squash, rebase) on the repository. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_ManageSettingsMergeTypes edge represents a role's ability to configure allowed merge types (merge commit, squash, rebase) on the repository. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_ManageSettingsPages.md b/descriptions/edges/GH_ManageSettingsPages.md
index e826cff..c669771 100644
--- a/descriptions/edges/GH_ManageSettingsPages.md
+++ b/descriptions/edges/GH_ManageSettingsPages.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_ManageSettingsPages` edge represents a role's ability to manage GitHub Pages settings including enabling, disabling, and configuring the source. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_ManageSettingsPages edge represents a role's ability to manage GitHub Pages settings including enabling, disabling, and configuring the source. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_ManageSettingsProjects.md b/descriptions/edges/GH_ManageSettingsProjects.md
index 18b9be4..0a06e55 100644
--- a/descriptions/edges/GH_ManageSettingsProjects.md
+++ b/descriptions/edges/GH_ManageSettingsProjects.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_ManageSettingsProjects` edge represents a role's ability to manage project board settings on the repository. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_ManageSettingsProjects edge represents a role's ability to manage project board settings on the repository. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_ManageSettingsWiki.md b/descriptions/edges/GH_ManageSettingsWiki.md
index 73a2e88..97756cb 100644
--- a/descriptions/edges/GH_ManageSettingsWiki.md
+++ b/descriptions/edges/GH_ManageSettingsWiki.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_ManageSettingsWiki` edge represents a role's ability to enable or disable the repository wiki. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_ManageSettingsWiki edge represents a role's ability to enable or disable the repository wiki. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_ManageTopics.md b/descriptions/edges/GH_ManageTopics.md
index 78c101b..191096a 100644
--- a/descriptions/edges/GH_ManageTopics.md
+++ b/descriptions/edges/GH_ManageTopics.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_ManageTopics` edge represents a role's ability to manage repository topics used for discovery and classification. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_ManageTopics edge represents a role's ability to manage repository topics used for discovery and classification. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_ManageWebhooks.md b/descriptions/edges/GH_ManageWebhooks.md
index 84bfa3a..e2d9e4c 100644
--- a/descriptions/edges/GH_ManageWebhooks.md
+++ b/descriptions/edges/GH_ManageWebhooks.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_ManageWebhooks` edge represents a role's ability to create, modify, and delete repository-level webhooks. This permission is available to Admin roles and custom roles that have been granted this specific permission. Webhooks can exfiltrate repository events and code changes to external endpoints, making this a security-sensitive permission. An attacker with this permission could configure a webhook to receive push event payloads containing commit diffs, effectively creating a covert channel for data exfiltration.
+The non-traversable GH_ManageWebhooks edge represents a role's ability to create, modify, and delete repository-level webhooks. This permission is available to Admin roles and custom roles that have been granted this specific permission. Webhooks can exfiltrate repository events and code changes to external endpoints, making this a security-sensitive permission. An attacker with this permission could configure a webhook to receive push event payloads containing commit diffs, effectively creating a covert channel for data exfiltration.
diff --git a/descriptions/edges/GH_MapsToUser.md b/descriptions/edges/GH_MapsToUser.md
index 238dfde..5e785eb 100644
--- a/descriptions/edges/GH_MapsToUser.md
+++ b/descriptions/edges/GH_MapsToUser.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_MapsToUser` edge maps an external identity (provisioned via SAML or SCIM) to a GitHub user within the organization, or to an external IdP user (such as [AZUser](https://bloodhound.specterops.io/resources/nodes/az-user), [Okta_User](https://bloodhound.specterops.io/opengraph/extensions/okta/nodes/okta_user), or [PingOneUser](https://github.com/andyrobbins/PingOneHound?tab=readme-ov-file#schema)) in hybrid graph scenarios. This edge represents identity correlation rather than an attack path, connecting a user's external IdP account to their GitHub account for visibility into federated identity mappings.
+The non-traversable GH_MapsToUser edge maps an external identity (provisioned via SAML or SCIM) to a GitHub user within the organization, or to an external IdP user (such as [AZUser](https://bloodhound.specterops.io/resources/nodes/az-user), [Okta_User](https://bloodhound.specterops.io/opengraph/extensions/okta/nodes/okta_user), or [PingOneUser](https://github.com/andyrobbins/PingOneHound?tab=readme-ov-file#schema)) in hybrid graph scenarios. This edge represents identity correlation rather than an attack path, connecting a user's external IdP account to their GitHub account for visibility into federated identity mappings.
diff --git a/descriptions/edges/GH_MarkAsDuplicate.md b/descriptions/edges/GH_MarkAsDuplicate.md
index 6ed4117..fc78807 100644
--- a/descriptions/edges/GH_MarkAsDuplicate.md
+++ b/descriptions/edges/GH_MarkAsDuplicate.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_MarkAsDuplicate` edge represents a role's ability to mark issues or pull requests as duplicates. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_MarkAsDuplicate edge represents a role's ability to mark issues or pull requests as duplicates. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_MemberOf.md b/descriptions/edges/GH_MemberOf.md
index 463ef2b..f6e3ca5 100644
--- a/descriptions/edges/GH_MemberOf.md
+++ b/descriptions/edges/GH_MemberOf.md
@@ -1,3 +1,3 @@
 ## General Information
-The traversable `GH_MemberOf` edge represents team membership, linking a team role to its parent team or a child team to a parent team in nested team hierarchies. This edge is traversable because team membership extends access transitively -- a user who holds a role in a child team inherits the repository permissions of all ancestor teams in the nesting hierarchy, making it a key component of attack path analysis.
+The traversable GH_MemberOf edge represents team membership, linking a team role to its parent team or a child team to a parent team in nested team hierarchies. This edge is traversable because team membership extends access transitively -- a user who holds a role in a child team inherits the repository permissions of all ancestor teams in the nesting hierarchy, making it a key component of attack path analysis.
diff --git a/descriptions/edges/GH_OrgBypassCodeScanningDismissalRequests.md b/descriptions/edges/GH_OrgBypassCodeScanningDismissalRequests.md
index ac43501..47a213d 100644
--- a/descriptions/edges/GH_OrgBypassCodeScanningDismissalRequests.md
+++ b/descriptions/edges/GH_OrgBypassCodeScanningDismissalRequests.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_OrgBypassCodeScanningDismissalRequests` edge represents that a role can bypass code scanning dismissal requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. This permission allows suppressing code scanning security findings without the standard review process, which is significant because an attacker could use it to hide vulnerabilities or malicious code patterns that would otherwise be flagged by automated scanning tools.
+The non-traversable GH_OrgBypassCodeScanningDismissalRequests edge represents that a role can bypass code scanning dismissal requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. This permission allows suppressing code scanning security findings without the standard review process, which is significant because an attacker could use it to hide vulnerabilities or malicious code patterns that would otherwise be flagged by automated scanning tools.
diff --git a/descriptions/edges/GH_OrgBypassSecretScanningClosureRequests.md b/descriptions/edges/GH_OrgBypassSecretScanningClosureRequests.md
index 62aec77..ae2dc37 100644
--- a/descriptions/edges/GH_OrgBypassSecretScanningClosureRequests.md
+++ b/descriptions/edges/GH_OrgBypassSecretScanningClosureRequests.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_OrgBypassSecretScanningClosureRequests` edge represents that a role can bypass secret scanning closure requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. This permission allows closing secret scanning alerts without going through the standard review and approval process, which is significant because an attacker could use it to suppress alerts about leaked credentials and prevent incident response teams from being notified.
+The non-traversable GH_OrgBypassSecretScanningClosureRequests edge represents that a role can bypass secret scanning closure requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. This permission allows closing secret scanning alerts without going through the standard review and approval process, which is significant because an attacker could use it to suppress alerts about leaked credentials and prevent incident response teams from being notified.
diff --git a/descriptions/edges/GH_OrgReviewAndManageSecretScanningBypassRequests.md b/descriptions/edges/GH_OrgReviewAndManageSecretScanningBypassRequests.md
index c41a80d..a2623dc 100644
--- a/descriptions/edges/GH_OrgReviewAndManageSecretScanningBypassRequests.md
+++ b/descriptions/edges/GH_OrgReviewAndManageSecretScanningBypassRequests.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_OrgReviewAndManageSecretScanningBypassRequests` edge represents that a role can review and manage secret scanning push protection bypass requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. Push protection prevents secrets from being committed to repositories, and bypass requests allow developers to override this protection for specific commits. An attacker with this permission could approve their own or an accomplice's bypass requests, allowing secrets to be committed to repositories without triggering push protection blocks.
+The non-traversable GH_OrgReviewAndManageSecretScanningBypassRequests edge represents that a role can review and manage secret scanning push protection bypass requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. Push protection prevents secrets from being committed to repositories, and bypass requests allow developers to override this protection for specific commits. An attacker with this permission could approve their own or an accomplice's bypass requests, allowing secrets to be committed to repositories without triggering push protection blocks.
diff --git a/descriptions/edges/GH_OrgReviewAndManageSecretScanningClosureRequests.md b/descriptions/edges/GH_OrgReviewAndManageSecretScanningClosureRequests.md
index 45c276f..db4466c 100644
--- a/descriptions/edges/GH_OrgReviewAndManageSecretScanningClosureRequests.md
+++ b/descriptions/edges/GH_OrgReviewAndManageSecretScanningClosureRequests.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_OrgReviewAndManageSecretScanningClosureRequests` edge represents that a role can review and manage secret scanning alert closure requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. Alert closure requests are part of the workflow for closing secret scanning alerts, and this permission controls who can approve or deny those requests. An attacker with this permission could approve closure requests to suppress alerts about actively leaked credentials, undermining the organization's secret scanning remediation process.
+The non-traversable GH_OrgReviewAndManageSecretScanningClosureRequests edge represents that a role can review and manage secret scanning alert closure requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. Alert closure requests are part of the workflow for closing secret scanning alerts, and this permission controls who can approve or deny those requests. An attacker with this permission could approve closure requests to suppress alerts about actively leaked credentials, undermining the organization's secret scanning remediation process.
diff --git a/descriptions/edges/GH_Owns.md b/descriptions/edges/GH_Owns.md
index 55800fc..bedd056 100644
--- a/descriptions/edges/GH_Owns.md
+++ b/descriptions/edges/GH_Owns.md
@@ -1,3 +1,3 @@
 ## General Information
-The traversable `GH_Owns` edge represents that an organization owns a repository. This edge establishes the foundation of the access control model by linking repositories to their owning organization. It is traversable because repository ownership is a critical relationship for understanding how organizational permissions cascade down to repository-level access, making it essential for attack path analysis.
+The traversable GH_Owns edge represents that an organization owns a repository. This edge establishes the foundation of the access control model by linking repositories to their owning organization. It is traversable because repository ownership is a critical relationship for understanding how organizational permissions cascade down to repository-level access, making it essential for attack path analysis.
diff --git a/descriptions/edges/GH_ProtectedBy.md b/descriptions/edges/GH_ProtectedBy.md
index 85c7a60..3c81dbd 100644
--- a/descriptions/edges/GH_ProtectedBy.md
+++ b/descriptions/edges/GH_ProtectedBy.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_ProtectedBy` edge represents that a branch protection rule applies to a specific branch. This edge links protection rules to the branches they govern. Understanding which protections apply to a branch is critical for determining the effective access model — protections such as required reviews, status checks, and push restrictions directly impact who can modify a branch. This edge is consumed by the computed branch-access edges to determine effective push access; the computed `GH_CanWriteBranch` and `GH_CanEditProtection` edges carry traversability instead.
+The non-traversable GH_ProtectedBy edge represents that a branch protection rule applies to a specific branch. This edge links protection rules to the branches they govern. Understanding which protections apply to a branch is critical for determining the effective access model — protections such as required reviews, status checks, and push restrictions directly impact who can modify a branch. This edge is consumed by the computed branch-access edges to determine effective push access; the computed GH_CanWriteBranch and GH_CanEditProtection edges carry traversability instead.
diff --git a/descriptions/edges/GH_PushProtectedBranch.md b/descriptions/edges/GH_PushProtectedBranch.md
index edee54d..26ba504 100644
--- a/descriptions/edges/GH_PushProtectedBranch.md
+++ b/descriptions/edges/GH_PushProtectedBranch.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_PushProtectedBranch` edge represents a role's ability to push directly to branches that are protected by push restrictions. This permission is available to Admin and Maintain roles. This edge bypasses the push gate of branch protection, allowing direct commits to protected branches without going through the pull request workflow. Unlike merge gate bypasses (such as `GH_BypassBranchProtection`), this push gate bypass is NOT suppressed by the `enforce_admins` setting on the branch protection rule, making it a particularly potent permission.
+The non-traversable GH_PushProtectedBranch edge represents a role's ability to push directly to branches that are protected by push restrictions. This permission is available to Admin and Maintain roles. This edge bypasses the push gate of branch protection, allowing direct commits to protected branches without going through the pull request workflow. Unlike merge gate bypasses (such as GH_BypassBranchProtection), this push gate bypass is NOT suppressed by the `enforce_admins` setting on the branch protection rule, making it a particularly potent permission.
diff --git a/descriptions/edges/GH_ReadCodeScanning.md b/descriptions/edges/GH_ReadCodeScanning.md
index 9931ba0..ab0ece3 100644
--- a/descriptions/edges/GH_ReadCodeScanning.md
+++ b/descriptions/edges/GH_ReadCodeScanning.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_ReadCodeScanning` edge represents a role's ability to read code scanning analysis results and alerts. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. Code scanning alerts may reveal exploitable vulnerabilities in the codebase.
+The non-traversable GH_ReadCodeScanning edge represents a role's ability to read code scanning analysis results and alerts. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. Code scanning alerts may reveal exploitable vulnerabilities in the codebase.
diff --git a/descriptions/edges/GH_ReadOrganizationActionsUsageMetrics.md b/descriptions/edges/GH_ReadOrganizationActionsUsageMetrics.md
index 85d25b0..53abbb1 100644
--- a/descriptions/edges/GH_ReadOrganizationActionsUsageMetrics.md
+++ b/descriptions/edges/GH_ReadOrganizationActionsUsageMetrics.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_ReadOrganizationActionsUsageMetrics` edge represents that a role can read GitHub Actions usage metrics for the organization. This edge is dynamically generated from custom organization role permissions discovered by the collector. Usage metrics provide visibility into workflow execution patterns, runner utilization, and billing data across the organization. While this is primarily an informational permission, it can reveal which repositories have active CI/CD pipelines and the scale of automation in use.
+The non-traversable GH_ReadOrganizationActionsUsageMetrics edge represents that a role can read GitHub Actions usage metrics for the organization. This edge is dynamically generated from custom organization role permissions discovered by the collector. Usage metrics provide visibility into workflow execution patterns, runner utilization, and billing data across the organization. While this is primarily an informational permission, it can reveal which repositories have active CI/CD pipelines and the scale of automation in use.
diff --git a/descriptions/edges/GH_ReadOrganizationCustomOrgRole.md b/descriptions/edges/GH_ReadOrganizationCustomOrgRole.md
index dc8a2c1..4d44593 100644
--- a/descriptions/edges/GH_ReadOrganizationCustomOrgRole.md
+++ b/descriptions/edges/GH_ReadOrganizationCustomOrgRole.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_ReadOrganizationCustomOrgRole` edge represents that a role can read custom organization role definitions. This edge is dynamically generated from custom organization role permissions discovered by the collector. Reading custom org role definitions allows a user to enumerate the permissions granted to each custom role, which provides reconnaissance value for understanding the organization's access control model and identifying roles with elevated privileges.
+The non-traversable GH_ReadOrganizationCustomOrgRole edge represents that a role can read custom organization role definitions. This edge is dynamically generated from custom organization role permissions discovered by the collector. Reading custom org role definitions allows a user to enumerate the permissions granted to each custom role, which provides reconnaissance value for understanding the organization's access control model and identifying roles with elevated privileges.
diff --git a/descriptions/edges/GH_ReadOrganizationCustomRepoRole.md b/descriptions/edges/GH_ReadOrganizationCustomRepoRole.md
index 630967f..347cbcd 100644
--- a/descriptions/edges/GH_ReadOrganizationCustomRepoRole.md
+++ b/descriptions/edges/GH_ReadOrganizationCustomRepoRole.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_ReadOrganizationCustomRepoRole` edge represents that a role can read custom repository role definitions. This edge is dynamically generated from custom organization role permissions discovered by the collector. Reading custom repo role definitions allows a user to enumerate the permissions granted to each custom repository role, which provides reconnaissance value for understanding repository-level access controls and identifying roles that grant elevated repository permissions.
+The non-traversable GH_ReadOrganizationCustomRepoRole edge represents that a role can read custom repository role definitions. This edge is dynamically generated from custom organization role permissions discovered by the collector. Reading custom repo role definitions allows a user to enumerate the permissions granted to each custom repository role, which provides reconnaissance value for understanding repository-level access controls and identifying roles that grant elevated repository permissions.
diff --git a/descriptions/edges/GH_ReadRepoContents.md b/descriptions/edges/GH_ReadRepoContents.md
index bab175e..ecc4dfd 100644
--- a/descriptions/edges/GH_ReadRepoContents.md
+++ b/descriptions/edges/GH_ReadRepoContents.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_ReadRepoContents` edge represents a role's ability to read repository contents including source code, issues, and pull requests. This is the base level of repository access, available to all roles at the Read permission level and above (Read, Triage, Write, Maintain, Admin).
+The non-traversable GH_ReadRepoContents edge represents a role's ability to read repository contents including source code, issues, and pull requests. This is the base level of repository access, available to all roles at the Read permission level and above (Read, Triage, Write, Maintain, Admin).
diff --git a/descriptions/edges/GH_RemoveAssignee.md b/descriptions/edges/GH_RemoveAssignee.md
index 10d53d6..4cdf99a 100644
--- a/descriptions/edges/GH_RemoveAssignee.md
+++ b/descriptions/edges/GH_RemoveAssignee.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_RemoveAssignee` edge represents a role's ability to remove assignees from issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_RemoveAssignee edge represents a role's ability to remove assignees from issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_RemoveLabel.md b/descriptions/edges/GH_RemoveLabel.md
index 1638801..b46799d 100644
--- a/descriptions/edges/GH_RemoveLabel.md
+++ b/descriptions/edges/GH_RemoveLabel.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_RemoveLabel` edge represents a role's ability to remove labels from issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_RemoveLabel edge represents a role's ability to remove labels from issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_ReopenDiscussion.md b/descriptions/edges/GH_ReopenDiscussion.md
index 0d254fc..8bef672 100644
--- a/descriptions/edges/GH_ReopenDiscussion.md
+++ b/descriptions/edges/GH_ReopenDiscussion.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_ReopenDiscussion` edge represents a role's ability to reopen closed discussions to allow further replies. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_ReopenDiscussion edge represents a role's ability to reopen closed discussions to allow further replies. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_ReopenIssue.md b/descriptions/edges/GH_ReopenIssue.md
index 7f96b3c..5ee1d12 100644
--- a/descriptions/edges/GH_ReopenIssue.md
+++ b/descriptions/edges/GH_ReopenIssue.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_ReopenIssue` edge represents a role's ability to reopen closed issues. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_ReopenIssue edge represents a role's ability to reopen closed issues. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_ReopenPullRequest.md b/descriptions/edges/GH_ReopenPullRequest.md
index 5dd7979..7d1a47f 100644
--- a/descriptions/edges/GH_ReopenPullRequest.md
+++ b/descriptions/edges/GH_ReopenPullRequest.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_ReopenPullRequest` edge represents a role's ability to reopen closed pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_ReopenPullRequest edge represents a role's ability to reopen closed pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_RequestPrReview.md b/descriptions/edges/GH_RequestPrReview.md
index 812a458..fed1b81 100644
--- a/descriptions/edges/GH_RequestPrReview.md
+++ b/descriptions/edges/GH_RequestPrReview.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_RequestPrReview` edge represents a role's ability to request pull request reviews from specific users or teams. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_RequestPrReview edge represents a role's ability to request pull request reviews from specific users or teams. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_ResolveDependabotAlerts.md b/descriptions/edges/GH_ResolveDependabotAlerts.md
index 2a23443..a7d56ee 100644
--- a/descriptions/edges/GH_ResolveDependabotAlerts.md
+++ b/descriptions/edges/GH_ResolveDependabotAlerts.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_ResolveDependabotAlerts` edge represents a role's ability to dismiss or resolve Dependabot alerts. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. An attacker could dismiss valid alerts to suppress vulnerability warnings and prevent remediation.
+The non-traversable GH_ResolveDependabotAlerts edge represents a role's ability to dismiss or resolve Dependabot alerts. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. An attacker could dismiss valid alerts to suppress vulnerability warnings and prevent remediation.
diff --git a/descriptions/edges/GH_ResolveSecretScanningAlerts.md b/descriptions/edges/GH_ResolveSecretScanningAlerts.md
index a95d1b7..1f651ef 100644
--- a/descriptions/edges/GH_ResolveSecretScanningAlerts.md
+++ b/descriptions/edges/GH_ResolveSecretScanningAlerts.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_ResolveSecretScanningAlerts` edge represents that a role can resolve (close) secret scanning alerts at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. Resolving a secret scanning alert marks a leaked secret as addressed, which removes it from active monitoring dashboards. An attacker with this permission could suppress alerts about leaked credentials to prevent incident response teams from detecting and rotating compromised secrets.
+The non-traversable GH_ResolveSecretScanningAlerts edge represents that a role can resolve (close) secret scanning alerts at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. Resolving a secret scanning alert marks a leaked secret as addressed, which removes it from active monitoring dashboards. An attacker with this permission could suppress alerts about leaked credentials to prevent incident response teams from detecting and rotating compromised secrets.
diff --git a/descriptions/edges/GH_RestrictionsCanPush.md b/descriptions/edges/GH_RestrictionsCanPush.md
index 56d3325..dbbea1b 100644
--- a/descriptions/edges/GH_RestrictionsCanPush.md
+++ b/descriptions/edges/GH_RestrictionsCanPush.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_RestrictionsCanPush` edge represents a per-actor allowance that grants push access through push restrictions on a branch protection rule. This edge identifies specific users or teams that are permitted to push to the protected branch even when push restrictions are active. This is security-relevant because push restrictions limit who can directly push to a branch, and actors with this allowance bypass that control. Unlike `GH_BypassPullRequestAllowances`, this allowance is NOT suppressed by `enforce_admins` — listed actors retain push access regardless of admin enforcement settings.
+The non-traversable GH_RestrictionsCanPush edge represents a per-actor allowance that grants push access through push restrictions on a branch protection rule. This edge identifies specific users or teams that are permitted to push to the protected branch even when push restrictions are active. This is security-relevant because push restrictions limit who can directly push to a branch, and actors with this allowance bypass that control. Unlike GH_BypassPullRequestAllowances, this allowance is NOT suppressed by `enforce_admins` — listed actors retain push access regardless of admin enforcement settings.
diff --git a/descriptions/edges/GH_RunOrgMigration.md b/descriptions/edges/GH_RunOrgMigration.md
index c8138cc..a9f9b0d 100644
--- a/descriptions/edges/GH_RunOrgMigration.md
+++ b/descriptions/edges/GH_RunOrgMigration.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_RunOrgMigration` edge represents a role's ability to run organization migrations on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Organization migrations export repository data including source code, issues, and pull requests, which can be used to transfer repository contents to another organization. This permission is security-relevant because it enables bulk data export from the repository.
+The non-traversable GH_RunOrgMigration edge represents a role's ability to run organization migrations on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Organization migrations export repository data including source code, issues, and pull requests, which can be used to transfer repository contents to another organization. This permission is security-relevant because it enables bulk data export from the repository.
diff --git a/descriptions/edges/GH_SetInteractionLimits.md b/descriptions/edges/GH_SetInteractionLimits.md
index 95a5ae2..608b27a 100644
--- a/descriptions/edges/GH_SetInteractionLimits.md
+++ b/descriptions/edges/GH_SetInteractionLimits.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_SetInteractionLimits` edge represents a role's ability to set temporary interaction limits to restrict who can comment, open issues, or create pull requests. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_SetInteractionLimits edge represents a role's ability to set temporary interaction limits to restrict who can comment, open issues, or create pull requests. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_SetIssueType.md b/descriptions/edges/GH_SetIssueType.md
index 0697166..7fb422c 100644
--- a/descriptions/edges/GH_SetIssueType.md
+++ b/descriptions/edges/GH_SetIssueType.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_SetIssueType` edge represents a role's ability to set issue types. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_SetIssueType edge represents a role's ability to set issue types. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_SetMilestone.md b/descriptions/edges/GH_SetMilestone.md
index 2a236fe..31dcd23 100644
--- a/descriptions/edges/GH_SetMilestone.md
+++ b/descriptions/edges/GH_SetMilestone.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_SetMilestone` edge represents a role's ability to set milestones on issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_SetMilestone edge represents a role's ability to set milestones on issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_SetSocialPreview.md b/descriptions/edges/GH_SetSocialPreview.md
index b1871f1..b8839a5 100644
--- a/descriptions/edges/GH_SetSocialPreview.md
+++ b/descriptions/edges/GH_SetSocialPreview.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_SetSocialPreview` edge represents a role's ability to set the repository social preview image shown in link previews. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_SetSocialPreview edge represents a role's ability to set the repository social preview image shown in link previews. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_SyncedTo.md b/descriptions/edges/GH_SyncedTo.md
index c759433..4698ce3 100644
--- a/descriptions/edges/GH_SyncedTo.md
+++ b/descriptions/edges/GH_SyncedTo.md
@@ -1,3 +1,3 @@
 ## General Information
-The traversable `GH_SyncedTo` edge is a hybrid edge that maps an external IdP user to a GitHub user based on SCIM provisioning. This edge represents a confirmed identity linkage between an external identity provider and GitHub. It is traversable because compromising the IdP account provides a verified path to the corresponding GitHub account, making it a critical edge for cross-system attack path analysis. This edge enables analysts to trace access from enterprise identity providers like Azure AD, Okta, or PingOne into the GitHub environment.
+The traversable GH_SyncedTo edge is a hybrid edge that maps an external IdP user to a GitHub user based on SCIM provisioning. This edge represents a confirmed identity linkage between an external identity provider and GitHub. It is traversable because compromising the IdP account provides a verified path to the corresponding GitHub account, making it a critical edge for cross-system attack path analysis. This edge enables analysts to trace access from enterprise identity providers like Azure AD, Okta, or PingOne into the GitHub environment.
diff --git a/descriptions/edges/GH_ToggleDiscussionAnswer.md b/descriptions/edges/GH_ToggleDiscussionAnswer.md
index fa32822..fd249a1 100644
--- a/descriptions/edges/GH_ToggleDiscussionAnswer.md
+++ b/descriptions/edges/GH_ToggleDiscussionAnswer.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_ToggleDiscussionAnswer` edge represents a role's ability to mark or unmark a discussion comment as the accepted answer. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_ToggleDiscussionAnswer edge represents a role's ability to mark or unmark a discussion comment as the accepted answer. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_ToggleDiscussionCommentMinimize.md b/descriptions/edges/GH_ToggleDiscussionCommentMinimize.md
index eb41ea8..1df14bb 100644
--- a/descriptions/edges/GH_ToggleDiscussionCommentMinimize.md
+++ b/descriptions/edges/GH_ToggleDiscussionCommentMinimize.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_ToggleDiscussionCommentMinimize` edge represents a role's ability to minimize or restore discussion comments, hiding them from default view. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_ToggleDiscussionCommentMinimize edge represents a role's ability to minimize or restore discussion comments, hiding them from default view. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/descriptions/edges/GH_TransferRepository.md b/descriptions/edges/GH_TransferRepository.md
index 042a381..89b1a1c 100644
--- a/descriptions/edges/GH_TransferRepository.md
+++ b/descriptions/edges/GH_TransferRepository.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_TransferRepository` edge represents that a role has the ability to transfer repositories to or from the organization. This permission is typically restricted to Owners, as transferring a repository can move it outside of the organization's security controls, branch protection rules, and audit logging. An attacker with this permission could transfer a repository to an organization they control, effectively exfiltrating the codebase and its associated secrets.
+The non-traversable GH_TransferRepository edge represents that a role has the ability to transfer repositories to or from the organization. This permission is typically restricted to Owners, as transferring a repository can move it outside of the organization's security controls, branch protection rules, and audit logging. An attacker with this permission could transfer a repository to an organization they control, effectively exfiltrating the codebase and its associated secrets.
diff --git a/descriptions/edges/GH_UsesSecret.md b/descriptions/edges/GH_UsesSecret.md
index 324bd50..2a8b875 100644
--- a/descriptions/edges/GH_UsesSecret.md
+++ b/descriptions/edges/GH_UsesSecret.md
@@ -1,6 +1,6 @@
 ## General Information
-The traversable `GH_UsesSecret` edge links a workflow step to the secret it references via a `${{ secrets.NAME }}` expression. This edge reveals which secrets a step can access at runtime, enabling analysts to trace the blast radius of a compromised workflow.
+The traversable GH_UsesSecret edge links a workflow step to the secret it references via a `${{ secrets.NAME }}` expression. This edge reveals which secrets a step can access at runtime, enabling analysts to trace the blast radius of a compromised workflow.
 ### Matching strategy
@@ -9,7 +9,7 @@ Edges use `match_by: property` with two matchers to disambiguate between secrets
 - **GH_RepoSecret** is matched by `name` + `repository_id` (the GitHub node_id of the repository).
 - **GH_OrgSecret** is matched by `name` + `environmentid` (the node_id of the organization, which acts as the org-level secret scope).
-This means one `${{ secrets.MY_SECRET }}` expression in a workflow can produce up to two `GH_UsesSecret` edges — one to the repo-level secret and one to the org-level secret — reflecting that either could supply the value at runtime depending on scope precedence.
+This means one `${{ secrets.MY_SECRET }}` expression in a workflow can produce up to two GH_UsesSecret edges — one to the repo-level secret and one to the org-level secret — reflecting that either could supply the value at runtime depending on scope precedence.
 ### Context property
diff --git a/descriptions/edges/GH_UsesVariable.md b/descriptions/edges/GH_UsesVariable.md
index 2598b5d..746553d 100644
--- a/descriptions/edges/GH_UsesVariable.md
+++ b/descriptions/edges/GH_UsesVariable.md
@@ -1,6 +1,6 @@
 ## General Information
-The non-traversable `GH_UsesVariable` edge links a workflow step to the variable it references via a `${{ vars.NAME }}` expression. This edge maps variable consumption within workflows. Unlike secrets, variable values are readable via the API, making them lower sensitivity — but they can still influence workflow behavior (e.g., controlling target environments or feature flags).
+The non-traversable GH_UsesVariable edge links a workflow step to the variable it references via a `${{ vars.NAME }}` expression. This edge maps variable consumption within workflows. Unlike secrets, variable values are readable via the API, making them lower sensitivity — but they can still influence workflow behavior (e.g., controlling target environments or feature flags).
 ### Matching strategy
@@ -9,7 +9,7 @@ Edges use `match_by: property` with two matchers to disambiguate between variabl
 - **GH_RepoVariable** is matched by `name` + `repository_id` (the GitHub node_id of the repository).
 - **GH_OrgVariable** is matched by `name` + `environmentid` (the node_id of the organization, which acts as the org-level variable scope).
-This means one `${{ vars.MY_VAR }}` expression can produce up to two `GH_UsesVariable` edges — one to the repo-level variable and one to the org-level variable.
+This means one `${{ vars.MY_VAR }}` expression can produce up to two GH_UsesVariable edges — one to the repo-level variable and one to the org-level variable.
 ### Context property
diff --git a/descriptions/edges/GH_ValidToken.md b/descriptions/edges/GH_ValidToken.md
index 087aa8b..9983c1f 100644
--- a/descriptions/edges/GH_ValidToken.md
+++ b/descriptions/edges/GH_ValidToken.md
@@ -1,3 +1,3 @@
 ## General Information
-The traversable `GH_ValidToken` edge represents a secret scanning alert that contains a valid, active GitHub Personal Access Token belonging to a specific user. This edge is only emitted when the alert's state is `open`, the secret type is `github_personal_access_token`, and the token is confirmed valid by calling the GitHub API. This edge is traversable because possessing the leaked token grants the ability to act as the token's owner, effectively compromising that user's identity and all permissions granted to the token.
+The traversable GH_ValidToken edge represents a secret scanning alert that contains a valid, active GitHub Personal Access Token belonging to a specific user. This edge is only emitted when the alert's state is `open`, the secret type is `github_personal_access_token`, and the token is confirmed valid by calling the GitHub API. This edge is traversable because possessing the leaked token grants the ability to act as the token's owner, effectively compromising that user's identity and all permissions granted to the token.
diff --git a/descriptions/edges/GH_ViewDependabotAlerts.md b/descriptions/edges/GH_ViewDependabotAlerts.md
index f7c3051..533c961 100644
--- a/descriptions/edges/GH_ViewDependabotAlerts.md
+++ b/descriptions/edges/GH_ViewDependabotAlerts.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_ViewDependabotAlerts` edge represents a role's ability to view Dependabot security alerts, which reveal known vulnerabilities in the repository's dependencies. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. This information could be used to identify and exploit unpatched vulnerabilities.
+The non-traversable GH_ViewDependabotAlerts edge represents a role's ability to view Dependabot security alerts, which reveal known vulnerabilities in the repository's dependencies. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. This information could be used to identify and exploit unpatched vulnerabilities.
diff --git a/descriptions/edges/GH_ViewSecretScanningAlerts.md b/descriptions/edges/GH_ViewSecretScanningAlerts.md
index d5f3e66..4949b72 100644
--- a/descriptions/edges/GH_ViewSecretScanningAlerts.md
+++ b/descriptions/edges/GH_ViewSecretScanningAlerts.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_ViewSecretScanningAlerts` edge represents that a role can view secret scanning alerts at the organization or repository level. This edge is dynamically generated from custom role permissions discovered by the collector. Secret scanning alerts may reveal details about leaked credentials, including partial or full secret values and the locations where they were detected. This makes the permission significant for security because an attacker with access to view these alerts could harvest exposed credentials for use in lateral movement or privilege escalation.
+The non-traversable GH_ViewSecretScanningAlerts edge represents that a role can view secret scanning alerts at the organization or repository level. This edge is dynamically generated from custom role permissions discovered by the collector. Secret scanning alerts may reveal details about leaked credentials, including partial or full secret values and the locations where they were detected. This makes the permission significant for security because an attacker with access to view these alerts could harvest exposed credentials for use in lateral movement or privilege escalation.
diff --git a/descriptions/edges/GH_WriteCodeScanning.md b/descriptions/edges/GH_WriteCodeScanning.md
index 691ffad..42fbcbf 100644
--- a/descriptions/edges/GH_WriteCodeScanning.md
+++ b/descriptions/edges/GH_WriteCodeScanning.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_WriteCodeScanning` edge represents a role's ability to upload code scanning analysis results. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. An attacker could upload falsified SARIF results to suppress real alerts or inject misleading findings.
+The non-traversable GH_WriteCodeScanning edge represents a role's ability to upload code scanning analysis results. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. An attacker could upload falsified SARIF results to suppress real alerts or inject misleading findings.
diff --git a/descriptions/edges/GH_WriteOrganizationActionsSecrets.md b/descriptions/edges/GH_WriteOrganizationActionsSecrets.md
index 45cd17f..e89dcc8 100644
--- a/descriptions/edges/GH_WriteOrganizationActionsSecrets.md
+++ b/descriptions/edges/GH_WriteOrganizationActionsSecrets.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_WriteOrganizationActionsSecrets` edge represents that a role can write organization-level GitHub Actions secrets. This edge is dynamically generated from custom organization role permissions discovered by the collector. Organization-level secrets are available to workflows across multiple repositories and often contain credentials for external systems such as cloud providers, package registries, and deployment targets. An attacker with this permission could overwrite existing secrets to inject malicious credentials or create new secrets to facilitate lateral movement.
+The non-traversable GH_WriteOrganizationActionsSecrets edge represents that a role can write organization-level GitHub Actions secrets. This edge is dynamically generated from custom organization role permissions discovered by the collector. Organization-level secrets are available to workflows across multiple repositories and often contain credentials for external systems such as cloud providers, package registries, and deployment targets. An attacker with this permission could overwrite existing secrets to inject malicious credentials or create new secrets to facilitate lateral movement.
diff --git a/descriptions/edges/GH_WriteOrganizationActionsSettings.md b/descriptions/edges/GH_WriteOrganizationActionsSettings.md
index 37e383b..1735a85 100644
--- a/descriptions/edges/GH_WriteOrganizationActionsSettings.md
+++ b/descriptions/edges/GH_WriteOrganizationActionsSettings.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_WriteOrganizationActionsSettings` edge represents that a role can modify organization-level GitHub Actions settings. This edge is dynamically generated from custom organization role permissions discovered by the collector. These settings control which actions are allowed to run within the organization and the default permissions granted to the `GITHUB_TOKEN` in workflows. An attacker with this permission could weaken restrictions to allow untrusted third-party actions or elevate default token permissions to enable write access across repositories.
+The non-traversable GH_WriteOrganizationActionsSettings edge represents that a role can modify organization-level GitHub Actions settings. This edge is dynamically generated from custom organization role permissions discovered by the collector. These settings control which actions are allowed to run within the organization and the default permissions granted to the `GITHUB_TOKEN` in workflows. An attacker with this permission could weaken restrictions to allow untrusted third-party actions or elevate default token permissions to enable write access across repositories.
diff --git a/descriptions/edges/GH_WriteOrganizationActionsVariables.md b/descriptions/edges/GH_WriteOrganizationActionsVariables.md
index 50261c7..bb88a27 100644
--- a/descriptions/edges/GH_WriteOrganizationActionsVariables.md
+++ b/descriptions/edges/GH_WriteOrganizationActionsVariables.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_WriteOrganizationActionsVariables` edge represents that a role can write organization-level GitHub Actions variables. This edge is dynamically generated from custom organization role permissions discovered by the collector. Organization-level variables are available to workflows across multiple repositories and often contain configuration values such as environment URLs, feature flags, and service endpoints. An attacker with this permission could overwrite existing variables to redirect workflows to malicious endpoints or alter application behavior.
+The non-traversable GH_WriteOrganizationActionsVariables edge represents that a role can write organization-level GitHub Actions variables. This edge is dynamically generated from custom organization role permissions discovered by the collector. Organization-level variables are available to workflows across multiple repositories and often contain configuration values such as environment URLs, feature flags, and service endpoints. An attacker with this permission could overwrite existing variables to redirect workflows to malicious endpoints or alter application behavior.
diff --git a/descriptions/edges/GH_WriteOrganizationCustomOrgRole.md b/descriptions/edges/GH_WriteOrganizationCustomOrgRole.md
index dee33b8..46c7887 100644
--- a/descriptions/edges/GH_WriteOrganizationCustomOrgRole.md
+++ b/descriptions/edges/GH_WriteOrganizationCustomOrgRole.md
@@ -1,3 +1,3 @@
 ## General Information
-The traversable `GH_WriteOrganizationCustomOrgRole` edge represents that a role can create or modify custom organization role definitions. This edge is dynamically generated from custom organization role permissions discovered by the collector. Modifying organization role definitions can escalate privileges because an attacker could add permissions to an existing custom role that is already assigned to their account, including setting the base_role to inherit all_repo_admin. Since this permission can only belong to custom organization roles, the user necessarily holds the role they can modify — guaranteeing a self-escalation path. This makes it a Tier Zero privilege escalation vector.
+The traversable GH_WriteOrganizationCustomOrgRole edge represents that a role can create or modify custom organization role definitions. This edge is dynamically generated from custom organization role permissions discovered by the collector. Modifying organization role definitions can escalate privileges because an attacker could add permissions to an existing custom role that is already assigned to their account, including setting the base_role to inherit all_repo_admin. Since this permission can only belong to custom organization roles, the user necessarily holds the role they can modify — guaranteeing a self-escalation path. This makes it a Tier Zero privilege escalation vector.
diff --git a/descriptions/edges/GH_WriteOrganizationCustomRepoRole.md b/descriptions/edges/GH_WriteOrganizationCustomRepoRole.md
index 7eb9080..b58a3ee 100644
--- a/descriptions/edges/GH_WriteOrganizationCustomRepoRole.md
+++ b/descriptions/edges/GH_WriteOrganizationCustomRepoRole.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_WriteOrganizationCustomRepoRole` edge represents that a role can create or modify custom repository role definitions. This edge is dynamically generated from custom organization role permissions discovered by the collector. Modifying repository role definitions can escalate privileges because an attacker could add permissions such as admin access, bypass branch protections, or secret management to a custom repo role that is already assigned to their account. This makes it a high-impact permission for gaining elevated access to repositories across the organization.
+The non-traversable GH_WriteOrganizationCustomRepoRole edge represents that a role can create or modify custom repository role definitions. This edge is dynamically generated from custom organization role permissions discovered by the collector. Modifying repository role definitions can escalate privileges because an attacker could add permissions such as admin access, bypass branch protections, or secret management to a custom repo role that is already assigned to their account. This makes it a high-impact permission for gaining elevated access to repositories across the organization.
diff --git a/descriptions/edges/GH_WriteOrganizationNetworkConfigurations.md b/descriptions/edges/GH_WriteOrganizationNetworkConfigurations.md
index 1515128..6e48d96 100644
--- a/descriptions/edges/GH_WriteOrganizationNetworkConfigurations.md
+++ b/descriptions/edges/GH_WriteOrganizationNetworkConfigurations.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_WriteOrganizationNetworkConfigurations` edge represents that a role can modify organization network configurations. This edge is dynamically generated from custom organization role permissions discovered by the collector. Network configurations control how GitHub-hosted runners connect to private resources such as internal APIs, databases, and cloud services. An attacker with this permission could modify network settings to route runner traffic through attacker-controlled infrastructure or grant runners access to previously isolated network segments.
+The non-traversable GH_WriteOrganizationNetworkConfigurations edge represents that a role can modify organization network configurations. This edge is dynamically generated from custom organization role permissions discovered by the collector. Network configurations control how GitHub-hosted runners connect to private resources such as internal APIs, databases, and cloud services. An attacker with this permission could modify network settings to route runner traffic through attacker-controlled infrastructure or grant runners access to previously isolated network segments.
diff --git a/descriptions/edges/GH_WriteRepoContents.md b/descriptions/edges/GH_WriteRepoContents.md
index d34094b..fb8838a 100644
--- a/descriptions/edges/GH_WriteRepoContents.md
+++ b/descriptions/edges/GH_WriteRepoContents.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_WriteRepoContents` edge represents a role's ability to push commits to the repository. This permission is available to Write, Maintain, and Admin roles. Pushing code can modify application behavior and introduce vulnerabilities, making this a security-significant edge. However, this edge represents only the raw permission; actual branch push capability is determined by the computed `GH_CanWriteBranch` edge, which factors in branch protection rules and push restrictions.
+The non-traversable GH_WriteRepoContents edge represents a role's ability to push commits to the repository. This permission is available to Write, Maintain, and Admin roles. Pushing code can modify application behavior and introduce vulnerabilities, making this a security-significant edge. However, this edge represents only the raw permission; actual branch push capability is determined by the computed GH_CanWriteBranch edge, which factors in branch protection rules and push restrictions.
diff --git a/descriptions/edges/GH_WriteRepoPullRequests.md b/descriptions/edges/GH_WriteRepoPullRequests.md
index 9197c69..01aa5bb 100644
--- a/descriptions/edges/GH_WriteRepoPullRequests.md
+++ b/descriptions/edges/GH_WriteRepoPullRequests.md
@@ -1,3 +1,3 @@
 ## General Information
-The non-traversable `GH_WriteRepoPullRequests` edge represents a role's ability to create and merge pull requests in the repository. This permission is available to Write, Maintain, and Admin roles. Pull request merge access is security-significant because merging code into protected branches is a common vector for introducing unauthorized changes; however, actual merge capability on protected branches is further governed by branch protection rules and required reviews.
+The non-traversable GH_WriteRepoPullRequests edge represents a role's ability to create and merge pull requests in the repository. This permission is available to Write, Maintain, and Admin roles. Pull request merge access is security-significant because merging code into protected branches is a common vector for introducing unauthorized changes; however, actual merge capability on protected branches is further governed by branch protection rules and required reviews.
diff --git a/descriptions/nodes/GH_App.md b/descriptions/nodes/GH_App.md
index 1446b48..5aabcbe 100644
--- a/descriptions/nodes/GH_App.md
+++ b/descriptions/nodes/GH_App.md
@@ -1,5 +1,5 @@
 ## Description
-Represents a GitHub App definition — the registered application entity. The app owner holds the private key that can generate installation access tokens for **every** `GH_AppInstallation` of this app. If the private key is compromised, all installations across all organizations are affected.
+Represents a GitHub App definition — the registered application entity. The app owner holds the private key that can generate installation access tokens for **every** GH_AppInstallation of this app. If the private key is compromised, all installations across all organizations are affected.
 App definitions are retrieved via the public `GET /apps/{app_slug}` endpoint (no authentication required) after discovering unique app slugs from the organization's app installations.
diff --git a/descriptions/nodes/GH_AppInstallation.md b/descriptions/nodes/GH_AppInstallation.md
index 54f8113..cc6bd09 100644
--- a/descriptions/nodes/GH_AppInstallation.md
+++ b/descriptions/nodes/GH_AppInstallation.md
@@ -2,4 +2,4 @@
 Represents a GitHub App installed on an organization. App installations have specific permissions and can be scoped to all repositories or a selection of repositories. The permissions granted to the app are captured as a JSON string in the properties.
-Each installation is linked to its parent `GH_App` via a `GH_InstalledAs` edge. For installations with `repository_selection` set to `all`, `GH_CanAccess` edges are created to every repository in the organization. For installations with `repository_selection` set to `selected`, repository-level edges cannot be enumerated with a PAT (requires app installation token authentication).
+Each installation is linked to its parent GH_App via a GH_InstalledAs edge. For installations with `repository_selection` set to `all`, GH_CanAccess edges are created to every repository in the organization. For installations with `repository_selection` set to `selected`, repository-level edges cannot be enumerated with a PAT (requires app installation token authentication).
diff --git a/descriptions/nodes/GH_Branch.md b/descriptions/nodes/GH_Branch.md
index 92ab09e..6826226 100644
--- a/descriptions/nodes/GH_Branch.md
+++ b/descriptions/nodes/GH_Branch.md
@@ -1,3 +1,3 @@
 ## Description
-Represents a Git branch within a repository. Branch nodes capture basic branch information and whether the branch is protected. Protection rule details are stored in separate `GH_BranchProtectionRule` nodes, linked via `GH_ProtectedBy` edges.
+Represents a Git branch within a repository. Branch nodes capture basic branch information and whether the branch is protected. Protection rule details are stored in separate GH_BranchProtectionRule nodes, linked via GH_ProtectedBy edges.
diff --git a/descriptions/nodes/GH_BranchProtectionRule.md b/descriptions/nodes/GH_BranchProtectionRule.md
index 63aa15d..c4bde91 100644
--- a/descriptions/nodes/GH_BranchProtectionRule.md
+++ b/descriptions/nodes/GH_BranchProtectionRule.md
@@ -9,17 +9,17 @@ A single protection rule can apply to multiple branches via pattern matching (e.
 Branch protection rules are critical security controls. Key settings to review:
 - **enforce_admins**: Enforces merge-gate controls (PR reviews, lock branch) for admins and users with `bypass_branch_protection`. Does **not** enforce push-gate controls (`push_restrictions`) for admins or users with `push_protected_branch`.
-- **required_pull_request_reviews**: Blocks direct pushes to existing protected branches. Bypassed by `GH_BypassBranchProtection` and `GH_BypassPullRequestAllowances` (both suppressed by `enforce_admins`).
-- **push_restrictions**: Restricts who can push. Bypassed by `GH_PushProtectedBranch`, `GH_AdminTo`, and `GH_RestrictionsCanPush` (none suppressed by `enforce_admins`).
+- **required_pull_request_reviews**: Blocks direct pushes to existing protected branches. Bypassed by GH_BypassBranchProtection and GH_BypassPullRequestAllowances (both suppressed by `enforce_admins`).
+- **push_restrictions**: Restricts who can push. Bypassed by GH_PushProtectedBranch, GH_AdminTo, and GH_RestrictionsCanPush (none suppressed by `enforce_admins`).
 - **blocks_creations**: Restricts new branch creation when `push_restrictions` is also `true`. Same bypass vectors as `push_restrictions`. Silently reverts to `false` if `push_restrictions` is disabled.
-- **lock_branch**: Makes branch read-only. Bypassed by `GH_BypassBranchProtection` (suppressed by `enforce_admins`).
+- **lock_branch**: Makes branch read-only. Bypassed by GH_BypassBranchProtection (suppressed by `enforce_admins`).
 - **require_code_owner_reviews**: If `false`, changes to critical paths may not require owner approval.
 - **allows_force_pushes**: Controls whether history rewrites are allowed. Does **not** grant push access — it is not a bypass mechanism.
 - **allows_deletions**: If `true`, branches can be deleted (potentially losing code).
### Secret Exfiltration Mitigation
-The only branch protection configuration that blocks the write-access → workflow → secrets exfiltration attack path is `push_restrictions` + `blocks_creations` on a `*` pattern rule. However, users with `GH_PushProtectedBranch`, `GH_AdminTo`, `GH_RestrictionsCanPush`, or `GH_EditRepoProtections` can bypass this control.
+The only branch protection configuration that blocks the write-access → workflow → secrets exfiltration attack path is `push_restrictions` + `blocks_creations` on a `*` pattern rule. However, users with GH_PushProtectedBranch, GH_AdminTo, GH_RestrictionsCanPush, or GH_EditRepoProtections can bypass this control.
 For complete analysis, see [BloodHound Docs: GitHub - Mitigating Controls](https://bloodhound.specterops.io/opengraph/extensions/github/mitigating-controls).
@@ -27,8 +27,8 @@ For complete analysis, see [BloodHound Docs: GitHub - Mitigating Controls](https
 Use these edges to identify users and teams with elevated branch permissions:
-- `GH_BypassPullRequestAllowances` — can bypass PR requirements on a specific rule (PR reviews only)
-- `GH_RestrictionsCanPush` — can push despite push restrictions on a specific rule
-- `GH_BypassBranchProtection` — repo-wide bypass of merge-gate controls (PR reviews + lock branch)
-- `GH_PushProtectedBranch` — repo-wide bypass of push-gate controls (push restrictions + blocks creations)
-- `GH_EditRepoProtections` — can remove/modify protection rules entirely
+- GH_BypassPullRequestAllowances — can bypass PR requirements on a specific rule (PR reviews only)
+- GH_RestrictionsCanPush — can push despite push restrictions on a specific rule
+- GH_BypassBranchProtection — repo-wide bypass of merge-gate controls (PR reviews + lock branch)
+- GH_PushProtectedBranch — repo-wide bypass of push-gate controls (push restrictions + blocks creations)
+- GH_EditRepoProtections — can remove/modify protection rules entirely
diff --git a/descriptions/nodes/GH_OrgSecret.md b/descriptions/nodes/GH_OrgSecret.md
index cf8213b..024cca1 100644
--- a/descriptions/nodes/GH_OrgSecret.md
+++ b/descriptions/nodes/GH_OrgSecret.md
@@ -1,3 +1,3 @@
 ## Description
-Represents an organization-level GitHub Actions secret. Organization secrets can be scoped to all repositories, only private/internal repositories, or a specific set of selected repositories. The visibility property determines how `GH_HasSecret` edges are resolved to repository nodes.
+Represents an organization-level GitHub Actions secret. Organization secrets can be scoped to all repositories, only private/internal repositories, or a specific set of selected repositories. The visibility property determines how GH_HasSecret edges are resolved to repository nodes.
diff --git a/descriptions/nodes/GH_OrgVariable.md b/descriptions/nodes/GH_OrgVariable.md
index a5b97a7..472e233 100644
--- a/descriptions/nodes/GH_OrgVariable.md
+++ b/descriptions/nodes/GH_OrgVariable.md
@@ -1,3 +1,3 @@
 ## Description
-Represents an organization-level GitHub Actions variable. Organization variables can be scoped to all repositories, only private/internal repositories, or a specific set of selected repositories. The visibility property determines how `GH_HasVariable` edges are resolved to repository nodes. Unlike secrets, variable values are readable via the API.
+Represents an organization-level GitHub Actions variable. Organization variables can be scoped to all repositories, only private/internal repositories, or a specific set of selected repositories. The visibility property determines how GH_HasVariable edges are resolved to repository nodes. Unlike secrets, variable values are readable via the API.
diff --git a/descriptions/nodes/GH_Repository.md b/descriptions/nodes/GH_Repository.md
index 0f9382b..82569a3 100644
--- a/descriptions/nodes/GH_Repository.md
+++ b/descriptions/nodes/GH_Repository.md
@@ -1,3 +1,3 @@
 ## Description
-Represents a GitHub repository within the organization. Repository nodes capture metadata about the repo including visibility, Actions enablement status, and security configuration. Repository role nodes (`GH_RepoRole`) are created alongside each repository to represent the permission levels available.
+Represents a GitHub repository within the organization. Repository nodes capture metadata about the repo including visibility, Actions enablement status, and security configuration. Repository role nodes (GH_RepoRole) are created alongside each repository to represent the permission levels available.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_addassignee.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_addassignee.mdx
index 62a718d..a9ee964 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_addassignee.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_addassignee.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_AddAssignee` edge represents a role's ability to assign users to issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_AddAssignee edge represents a role's ability to assign users to issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_addcollaborator.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_addcollaborator.mdx
index fdb6921..e431f27 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_addcollaborator.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_addcollaborator.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_AddCollaborator` edge represents that a role has the ability to add outside collaborators to organization repositories. This permission is typically restricted to Owners, as it grants repository access to external users who are not members of the organization. Outside collaborators bypass organizational membership controls, making this permission significant for security because it can be used to grant access to untrusted external identities without the visibility that full membership provides.
+The non-traversable GH_AddCollaborator edge represents that a role has the ability to add outside collaborators to organization repositories. This permission is typically restricted to Owners, as it grants repository access to external users who are not members of the organization. Outside collaborators bypass organizational membership controls, making this permission significant for security because it can be used to grant access to untrusted external identities without the visibility that full membership provides.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_addlabel.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_addlabel.mdx
index 30232c8..0791fc8 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_addlabel.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_addlabel.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_AddLabel` edge represents a role's ability to add labels to issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_AddLabel edge represents a role's ability to add labels to issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_addmember.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_addmember.mdx
index de62490..5806155 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_addmember.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_addmember.mdx
@@ -11,4 +11,4 @@ Traversable: true
 ## General Information
-The traversable `GH_AddMember` edge indicates that a team role with the Maintainer permission level can add new members to the team. This edge is traversable because the ability to add members grants indirect access -- a maintainer can add any user to the team, and that user then inherits all of the team's repository permissions, effectively expanding the attack surface.
+The traversable GH_AddMember edge indicates that a team role with the Maintainer permission level can add new members to the team. This edge is traversable because the ability to add members grants indirect access -- a maintainer can add any user to the team, and that user then inherits all of the team's repository permissions, effectively expanding the attack surface.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_adminto.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_adminto.mdx
index 8f4c837..780c8da 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_adminto.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_adminto.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_AdminTo` edge represents a role's full administrative access to the repository. Admin is the highest built-in repository role and grants control over all repository settings, including dangerous operations like deleting the repository or modifying its visibility. Admin access bypasses most protections including branch protection rules, unless `enforce_admins` is explicitly enabled on the branch protection rule. This edge is a key permission in the computed branch access model and is a high-value target in attack path analysis.
+The non-traversable GH_AdminTo edge represents a role's full administrative access to the repository. Admin is the highest built-in repository role and grants control over all repository settings, including dangerous operations like deleting the repository or modifying its visibility. Admin access bypasses most protections including branch protection rules, unless `enforce_admins` is explicitly enabled on the branch protection rule. This edge is a key permission in the computed branch access model and is a high-value target in attack path analysis.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_bypassbranchprotection.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_bypassbranchprotection.mdx
index c4d994a..77e1da3 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_bypassbranchprotection.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_bypassbranchprotection.mdx
@@ -11,4 +11,4 @@ Traversable: false
 
 ## General Information
 
-The non-traversable `GH_BypassBranchProtection` edge represents a role's ability to bypass branch protection rules on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Bypassing branch protection allows merging pull requests without satisfying required review or status check requirements, effectively circumventing the merge gate. This bypass is suppressed when `enforce_admins` is enabled on the branch protection rule, which forces even admins to comply with the protection policy.
+The non-traversable GH_BypassBranchProtection edge represents a role's ability to bypass branch protection rules on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Bypassing branch protection allows merging pull requests without satisfying required review or status check requirements, effectively circumventing the merge gate. This bypass is suppressed when `enforce_admins` is enabled on the branch protection rule, which forces even admins to comply with the protection policy.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_bypasspullrequestallowances.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_bypasspullrequestallowances.mdx
index 7c20759..bc3542b 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_bypasspullrequestallowances.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_bypasspullrequestallowances.mdx
@@ -11,4 +11,4 @@ Traversable: false
 
 ## General Information
 
-The non-traversable `GH_BypassPullRequestAllowances` edge represents a per-actor allowance that bypasses the pull request review requirement on a branch protection rule. This edge identifies specific users or teams that can merge code without going through the normal PR review process. This is a significant security concern because these actors can push or merge changes directly, circumventing code review controls that protect branch integrity. Note that this bypass is suppressed when `enforce_admins` is enabled on the branch protection rule, meaning even listed actors must follow the PR review requirement.
+The non-traversable GH_BypassPullRequestAllowances edge represents a per-actor allowance that bypasses the pull request review requirement on a branch protection rule. This edge identifies specific users or teams that can merge code without going through the normal PR review process. This is a significant security concern because these actors can push or merge changes directly, circumventing code review controls that protect branch integrity. Note that this bypass is suppressed when `enforce_admins` is enabled on the branch protection rule, meaning even listed actors must follow the PR review requirement.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_callsworkflow.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_callsworkflow.mdx
index 8607010..b948a8f 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_callsworkflow.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_callsworkflow.mdx
@@ -11,7 +11,7 @@ Traversable: false
 
 ## General Information
 
-The traversable `GH_CallsWorkflow` edge links a workflow job to a reusable workflow it invokes via the `uses:` key at the job level. This edge captures the reusable workflow call graph, enabling analysts to trace inherited permissions and secret access through called workflows.
+The traversable GH_CallsWorkflow edge links a workflow job to a reusable workflow it invokes via the `uses:` key at the job level. This edge captures the reusable workflow call graph, enabling analysts to trace inherited permissions and secret access through called workflows.
 
 ### Local vs. remote reusable workflows
 
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_canaccess.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_canaccess.mdx
index a12de6b..1ce45ba 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_canaccess.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_canaccess.mdx
@@ -11,4 +11,4 @@ Traversable: false
 
 ## General Information
 
-The non-traversable `GH_CanAccess` edge indicates that a personal access token or app installation has been granted access to specific repositories. This edge represents the scope of access granted to a token or app rather than a direct attack path, providing visibility into which repositories are reachable through non-human credentials. It is non-traversable because token and app access does not transitively extend to other principals.
+The non-traversable GH_CanAccess edge indicates that a personal access token or app installation has been granted access to specific repositories. This edge represents the scope of access granted to a token or app rather than a direct attack path, providing visibility into which repositories are reachable through non-human credentials. It is non-traversable because token and app access does not transitively extend to other principals.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_canassumeidentity.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_canassumeidentity.mdx
index d4b4d07..087aee8 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_canassumeidentity.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_canassumeidentity.mdx
@@ -11,4 +11,4 @@ Traversable: true
 
 ## General Information
 
-The traversable `GH_CanAssumeIdentity` edge is a hybrid edge connecting GitHub OIDC token sources to cloud identity targets configured for GitHub Actions federation. This edge represents a verified path from GitHub Actions to cloud resource access. It is traversable because an attacker who can execute workflows in the source repository, branch, or environment can obtain an OIDC token that the cloud provider will accept, granting access to the associated cloud identity and its permissions. This edge is critical for identifying cross-cloud lateral movement paths from GitHub into Azure and AWS.
+The traversable GH_CanAssumeIdentity edge is a hybrid edge connecting GitHub OIDC token sources to cloud identity targets configured for GitHub Actions federation. This edge represents a verified path from GitHub Actions to cloud resource access. It is traversable because an attacker who can execute workflows in the source repository, branch, or environment can obtain an OIDC token that the cloud provider will accept, granting access to the associated cloud identity and its permissions. This edge is critical for identifying cross-cloud lateral movement paths from GitHub into Azure and AWS.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_cancreatebranch.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_cancreatebranch.mdx
index 8239c65..0e637ee 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_cancreatebranch.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_cancreatebranch.mdx
@@ -11,7 +11,7 @@ Traversable: true
 
 ## General Information
 
-The traversable `GH_CanCreateBranch` edge is a computed edge indicating that a role or actor can create new branches in a repository. The computation evaluates whether a wildcard (`*`) BPR with push restrictions and `blocks_creations` exists. If no such BPR exists, any write-capable role can create branches. If one exists, admin or `push_protected_branch` permission is required, or the actor must be listed in pushAllowances. Per-actor edges from [GH_User](/opengraph/extensions/github/nodes/gh_user) or [GH_Team](/opengraph/extensions/github/nodes/gh_team) are only emitted when BPR allowances grant branch creation access beyond what the role provides. Each edge includes a `reason` property and a `query_composition` Cypher query showing the underlying graph evidence.
+The traversable GH_CanCreateBranch edge is a computed edge indicating that a role or actor can create new branches in a repository. The computation evaluates whether a wildcard (`*`) BPR with push restrictions and `blocks_creations` exists. If no such BPR exists, any write-capable role can create branches. If one exists, admin or `push_protected_branch` permission is required, or the actor must be listed in pushAllowances. Per-actor edges from [GH_User](/opengraph/extensions/github/nodes/gh_user) or [GH_Team](/opengraph/extensions/github/nodes/gh_team) are only emitted when BPR allowances grant branch creation access beyond what the role provides. Each edge includes a `reason` property and a `query_composition` Cypher query showing the underlying graph evidence.
 
 ## Scenarios
 
@@ -52,7 +52,7 @@ graph LR
 
 ### `push_allowance` — Per-actor push restriction bypass
 
-User or Team listed in the wildcard BPR's `pushAllowances` can create branches. This is a per-actor delta edge — only emitted when the actor's role doesn't already grant `GH_CanCreateBranch`.
+User or Team listed in the wildcard BPR's `pushAllowances` can create branches. This is a per-actor delta edge — only emitted when the actor's role doesn't already grant GH_CanCreateBranch.
 
 ```mermaid
 graph LR
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_caneditprotection.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_caneditprotection.mdx
index 0da7604..905b75a 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_caneditprotection.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_caneditprotection.mdx
@@ -11,7 +11,7 @@ Traversable: true
 
 ## General Information
 
-The traversable `GH_CanEditProtection` edge is a computed edge indicating that a role can modify or remove the branch protection rules governing a specific branch. This edge is emitted when the role has [GH_EditRepoProtections](/opengraph/extensions/github/edges/gh_editrepoprotections) or [GH_AdminTo](/opengraph/extensions/github/edges/gh_adminto) permissions and the branch is covered by at least one branch protection rule. The edge targets the protected branch (not the BPR itself) because the security impact is evaluated per-branch — a role that can weaken or remove protections on a branch can subsequently push code to it, representing a privilege escalation path.
+The traversable GH_CanEditProtection edge is a computed edge indicating that a role can modify or remove the branch protection rules governing a specific branch. This edge is emitted when the role has [GH_EditRepoProtections](/opengraph/extensions/github/edges/gh_editrepoprotections) or [GH_AdminTo](/opengraph/extensions/github/edges/gh_adminto) permissions and the branch is covered by at least one branch protection rule. The edge targets the protected branch (not the BPR itself) because the security impact is evaluated per-branch — a role that can weaken or remove protections on a branch can subsequently push code to it, representing a privilege escalation path.
 
 ## Scenarios
 
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_canpwnrequest.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_canpwnrequest.mdx
index a1bf94d..2f48230 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_canpwnrequest.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_canpwnrequest.mdx
@@ -11,7 +11,7 @@ Traversable: true
 
 ## General Information
 
-The traversable `GH_CanPwnRequest` edge indicates that a repository role can exploit a pwn-requestable workflow to execute arbitrary code with the base branch's secrets, GITHUB_TOKEN permissions, and OIDC identity. This is a computed edge that combines workflow analysis with repository access and fork policy evaluation.
+The traversable GH_CanPwnRequest edge indicates that a repository role can exploit a pwn-requestable workflow to execute arbitrary code with the base branch's secrets, GITHUB_TOKEN permissions, and OIDC identity. This is a computed edge that combines workflow analysis with repository access and fork policy evaluation.
 
 ### Pwn Request Conditions
 
@@ -50,7 +50,7 @@ An attacker who exploits a pwn request gains code execution in the workflow runn
 
 ### Caveats
 
-- **OIDC traversal requires `id-token: write`**: The attack chain from `GH_CanPwnRequest` through [GH_CanAssumeIdentity](/opengraph/extensions/github/edges/gh_canassumeidentity) to a cloud role is only valid if the pwn-requestable workflow (or job) explicitly declares `id-token: write` in its `permissions:` block. The `id-token` permission defaults to `none` and is never implicitly granted — even when the workflow has no `permissions:` block at all. The `permissions` property on the [GH_WorkflowJob](/opengraph/extensions/github/nodes/gh_workflowjob) node can be inspected to verify this.
+- **OIDC traversal requires `id-token: write`**: The attack chain from GH_CanPwnRequest through [GH_CanAssumeIdentity](/opengraph/extensions/github/edges/gh_canassumeidentity) to a cloud role is only valid if the pwn-requestable workflow (or job) explicitly declares `id-token: write` in its `permissions:` block. The `id-token` permission defaults to `none` and is never implicitly granted — even when the workflow has no `permissions:` block at all. The `permissions` property on the [GH_WorkflowJob](/opengraph/extensions/github/nodes/gh_workflowjob) node can be inspected to verify this.
 - **GITHUB_TOKEN permissions**: The `permissions:` block controls what the `GITHUB_TOKEN` can do (e.g., push commits, create releases), but has no effect on secret access, OIDC token requests (governed separately by `id-token`), or arbitrary code execution. A workflow with `contents: read` is still fully exploitable via pwn request for secret exfiltration and lateral movement — only write-back to the repository is limited.
 
 ```mermaid
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_canreadsecretscanningalert.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_canreadsecretscanningalert.mdx
index 83b8a5a..d92a2e9 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_canreadsecretscanningalert.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_canreadsecretscanningalert.mdx
@@ -11,7 +11,7 @@ Traversable: true
 
 ## General Information
 
-The traversable `GH_CanReadSecretScanningAlert` edge is a computed edge indicating that a role can read a specific secret scanning alert, including the leaked secret value. The computation cross-references [GH_ViewSecretScanningAlerts](/opengraph/extensions/github/edges/gh_viewsecretscanningalerts) permission edges with [GH_Contains](/opengraph/extensions/github/edges/gh_contains) structural edges (org-level and repo-level) to determine which alerts each role can access. This edge is traversable because reading an alert reveals the leaked secret — if the secret is a valid GitHub Personal Access Token, the [GH_ValidToken](/opengraph/extensions/github/edges/gh_validtoken) edge enables identity compromise of the token's owner.
+The traversable GH_CanReadSecretScanningAlert edge is a computed edge indicating that a role can read a specific secret scanning alert, including the leaked secret value. The computation cross-references [GH_ViewSecretScanningAlerts](/opengraph/extensions/github/edges/gh_viewsecretscanningalerts) permission edges with [GH_Contains](/opengraph/extensions/github/edges/gh_contains) structural edges (org-level and repo-level) to determine which alerts each role can access. This edge is traversable because reading an alert reveals the leaked secret — if the secret is a valid GitHub Personal Access Token, the [GH_ValidToken](/opengraph/extensions/github/edges/gh_validtoken) edge enables identity compromise of the token's owner.
 
 Each edge includes a `reason` property (`org_role_permission` or `repo_role_permission`) and a `query_composition` Cypher query showing the underlying graph evidence.
 
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_canwritebranch.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_canwritebranch.mdx
index 5a63b0a..a2bef69 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_canwritebranch.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_canwritebranch.mdx
@@ -11,7 +11,7 @@ Traversable: true
 
 ## General Information
 
-The traversable `GH_CanWriteBranch` edge is a computed edge indicating that a role or actor can push to a specific branch. The computation evaluates both the merge gate (PR review requirements) and push gate (push restrictions) of any branch protection rule protecting the branch. Role-level edges are the common case; per-actor edges from [GH_User](/opengraph/extensions/github/nodes/gh_user) or [GH_Team](/opengraph/extensions/github/nodes/gh_team) are only emitted when BPR allowances grant access beyond what the role provides. Each edge includes a `reason` property (`no_protection`, `admin`, `push_protected_branch`, `bypass_branch_protection`, `push_allowance`, `bypass_pr_allowance`) and a `query_composition` Cypher query showing the underlying graph evidence.
+The traversable GH_CanWriteBranch edge is a computed edge indicating that a role or actor can push to a specific branch. The computation evaluates both the merge gate (PR review requirements) and push gate (push restrictions) of any branch protection rule protecting the branch. Role-level edges are the common case; per-actor edges from [GH_User](/opengraph/extensions/github/nodes/gh_user) or [GH_Team](/opengraph/extensions/github/nodes/gh_team) are only emitted when BPR allowances grant access beyond what the role provides. Each edge includes a `reason` property (`no_protection`, `admin`, `push_protected_branch`, `bypass_branch_protection`, `push_allowance`, `bypass_pr_allowance`) and a `query_composition` Cypher query showing the underlying graph evidence.
 
 ## Scenarios
 
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_closediscussion.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_closediscussion.mdx
index 4d91443..2d19de3 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_closediscussion.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_closediscussion.mdx
@@ -11,4 +11,4 @@ Traversable: false
 
 ## General Information
 
-The non-traversable `GH_CloseDiscussion` edge represents a role's ability to close discussions, preventing further replies. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_CloseDiscussion edge represents a role's ability to close discussions, preventing further replies. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_closeissue.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_closeissue.mdx
index f235d3e..2d6f4d9 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_closeissue.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_closeissue.mdx
@@ -11,4 +11,4 @@ Traversable: false
 
 ## General Information
 
-The non-traversable `GH_CloseIssue` edge represents a role's ability to close issues. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_CloseIssue edge represents a role's ability to close issues. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_closepullrequest.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_closepullrequest.mdx
index 0587a6b..7a41bb1 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_closepullrequest.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_closepullrequest.mdx
@@ -11,4 +11,4 @@ Traversable: false
 
 ## General Information
 
-The non-traversable `GH_ClosePullRequest` edge represents a role's ability to close pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_ClosePullRequest edge represents a role's ability to close pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_contains.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_contains.mdx
index b98099a..8cbfdec 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_contains.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_contains.mdx
@@ -11,4 +11,4 @@ Traversable: false
 
 ## General Information
 
-The non-traversable `GH_Contains` edge represents structural containment within the GitHub resource hierarchy. The organization serves as the top-level container for users, teams, repositories, roles, secrets, app installations, and personal access tokens. Repositories contain their own repo-level secrets, and environments contain environment-scoped secrets. This edge is created by the collector to establish the organizational hierarchy of GitHub resources and is not traversable because containment alone does not imply privilege escalation.
+The non-traversable GH_Contains edge represents structural containment within the GitHub resource hierarchy. The organization serves as the top-level container for users, teams, repositories, roles, secrets, app installations, and personal access tokens. Repositories contain their own repo-level secrets, and environments contain environment-scoped secrets. This edge is created by the collector to establish the organizational hierarchy of GitHub resources and is not traversable because containment alone does not imply privilege escalation.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_convertissuestodiscussions.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_convertissuestodiscussions.mdx
index e285d04..492bbde 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_convertissuestodiscussions.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_convertissuestodiscussions.mdx
@@ -11,4 +11,4 @@ Traversable: false
 
 ## General Information
 
-The non-traversable `GH_ConvertIssuesToDiscussions` edge represents a role's ability to convert issues to discussions, moving them from the issue tracker to the discussions forum. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_ConvertIssuesToDiscussions edge represents a role's ability to convert issues to discussions, moving them from the issue tracker to the discussions forum. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_creatediscussioncategory.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_creatediscussioncategory.mdx
index 94702da..57d1f3d 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_creatediscussioncategory.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_creatediscussioncategory.mdx
@@ -11,4 +11,4 @@ Traversable: false
 
 ## General Information
 
-The non-traversable `GH_CreateDiscussionCategory` edge represents a role's ability to create new discussion categories. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_CreateDiscussionCategory edge represents a role's ability to create new discussion categories. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_createrepository.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_createrepository.mdx
index 332b6f4..334a8dc 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_createrepository.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_createrepository.mdx
@@ -11,4 +11,4 @@ Traversable: false
 
 ## General Information
 
-The non-traversable `GH_CreateRepository` edge represents that a role has the ability to create new repositories within the organization. This permission is available to Owners and custom organization roles that have been granted the repository creation permission. Creating repositories can introduce new attack surface to an organization, as each new repository is a potential vector for code execution through GitHub Actions workflows, secret exposure, and supply chain attacks.
+The non-traversable GH_CreateRepository edge represents that a role has the ability to create new repositories within the organization. This permission is available to Owners and custom organization roles that have been granted the repository creation permission. Creating repositories can introduce new attack surface to an organization, as each new repository is a potential vector for code execution through GitHub Actions workflows, secret exposure, and supply chain attacks.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_createsolomergequeueentry.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_createsolomergequeueentry.mdx
index fb42e3d..92c55e9 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_createsolomergequeueentry.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_createsolomergequeueentry.mdx
@@ -11,4 +11,4 @@ Traversable: false
 
 ## General Information
 
-The non-traversable `GH_CreateSoloMergeQueueEntry` edge represents a role's ability to create solo merge queue entries, effectively bypassing the merge queue by merging independently of other queued changes. This permission is available to Admin roles and custom roles that have been granted this specific permission. Solo merge queue entries skip the batching and ordering guarantees of the merge queue, allowing changes to land without waiting for or being tested alongside other pending merges. This can circumvent the integration testing benefits that merge queues provide.
+The non-traversable GH_CreateSoloMergeQueueEntry edge represents a role's ability to create solo merge queue entries, effectively bypassing the merge queue by merging independently of other queued changes. This permission is available to Admin roles and custom roles that have been granted this specific permission. Solo merge queue entries skip the batching and ordering guarantees of the merge queue, allowing changes to land without waiting for or being tested alongside other pending merges. This can circumvent the integration testing benefits that merge queues provide.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_createtag.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_createtag.mdx
index 092cf3a..dd5a241 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_createtag.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_createtag.mdx
@@ -11,4 +11,4 @@ Traversable: false
 
 ## General Information
 
-The non-traversable `GH_CreateTag` edge represents a role's ability to create tags and releases. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission. Creating tags can trigger CI/CD workflows and publish release artifacts.
+The non-traversable GH_CreateTag edge represents a role's ability to create tags and releases. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission. Creating tags can trigger CI/CD workflows and publish release artifacts.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_createteam.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_createteam.mdx
index 1f5b47b..2847d8f 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_createteam.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_createteam.mdx
@@ -11,4 +11,4 @@ Traversable: false
 
 ## General Information
 
-The non-traversable `GH_CreateTeam` edge represents that a role has the ability to create teams within the organization. Teams are the primary mechanism for granting groups of users access to repositories, so team creation is a stepping stone to broader access. This edge is created by the collector when enumerating organization role permissions, and its security significance lies in the fact that a newly created team can be granted repository access and then populated with controlled accounts.
+The non-traversable GH_CreateTeam edge represents that a role has the ability to create teams within the organization. Teams are the primary mechanism for granting groups of users access to repositories, so team creation is a stepping stone to broader access. This edge is created by the collector when enumerating organization role permissions, and its security significance lies in the fact that a newly created team can be granted repository access and then populated with controlled accounts.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_deletealertscodescanning.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_deletealertscodescanning.mdx
index daba56e..ec88a9b 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_deletealertscodescanning.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_deletealertscodescanning.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_DeleteAlertsCodeScanning` edge represents a role's ability to delete code scanning alerts from the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Deleting code scanning alerts can obscure security vulnerabilities that have been detected in the codebase, which is significant from an audit and compliance perspective. An attacker with this permission could suppress evidence of vulnerabilities they have introduced.
+The non-traversable GH_DeleteAlertsCodeScanning edge represents a role's ability to delete code scanning alerts from the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Deleting code scanning alerts can obscure security vulnerabilities that have been detected in the codebase, which is significant from an audit and compliance perspective. An attacker with this permission could suppress evidence of vulnerabilities they have introduced.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_deletediscussion.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_deletediscussion.mdx
index 70340b2..e04a805 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_deletediscussion.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_deletediscussion.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_DeleteDiscussion` edge represents a role's ability to delete discussions. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_DeleteDiscussion edge represents a role's ability to delete discussions. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_deletediscussioncomment.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_deletediscussioncomment.mdx
index b2fa4a1..1798ec3 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_deletediscussioncomment.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_deletediscussioncomment.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_DeleteDiscussionComment` edge represents a role's ability to delete discussion comments authored by any user. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_DeleteDiscussionComment edge represents a role's ability to delete discussion comments authored by any user. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_deleteissue.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_deleteissue.mdx
index 743a0f9..8a80df5 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_deleteissue.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_deleteissue.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_DeleteIssue` edge represents a role's ability to delete issues permanently. Deleted issues cannot be recovered. This permission is available to Admin roles and custom roles that have been granted this specific permission. Deleting issues can destroy audit trails and remove evidence of security discussions or vulnerability reports.
+The non-traversable GH_DeleteIssue edge represents a role's ability to delete issues permanently. Deleted issues cannot be recovered. This permission is available to Admin roles and custom roles that have been granted this specific permission. Deleting issues can destroy audit trails and remove evidence of security discussions or vulnerability reports.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_deletetag.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_deletetag.mdx
index 0f1da9a..d2f8ed5 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_deletetag.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_deletetag.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_DeleteTag` edge represents a role's ability to delete tags and releases. This permission is available to Admin roles and custom roles that have been granted this specific permission. Deleting tags can break downstream dependency references and remove published artifacts.
+The non-traversable GH_DeleteTag edge represents a role's ability to delete tags and releases. This permission is available to Admin roles and custom roles that have been granted this specific permission. Deleting tags can break downstream dependency references and remove published artifacts.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_dependson.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_dependson.mdx
index a8f33e8..1629da3 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_dependson.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_dependson.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_DependsOn` edge represents a `needs:` dependency between two jobs in the same workflow. This edge captures execution order constraints — the source job will not start until the destination job completes successfully. This edge is non-traversable because it represents sequencing only, not an access or privilege path.
+The non-traversable GH_DependsOn edge represents a `needs:` dependency between two jobs in the same workflow. This edge captures execution order constraints — the source job will not start until the destination job completes successfully. This edge is non-traversable because it represents sequencing only, not an access or privilege path.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_deploysto.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_deploysto.mdx
index c0daf99..9c66594 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_deploysto.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_deploysto.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_DeploysTo` edge links a workflow job to the GitHub Environment it targets via the `environment:` key. This edge records which jobs deploy to which environments. Environments can gate deployments with protection rules (required reviewers, wait timers, deployment branch policies) and can expose environment-scoped secrets.
+The non-traversable GH_DeploysTo edge links a workflow job to the GitHub Environment it targets via the `environment:` key. This edge records which jobs deploy to which environments. Environments can gate deployments with protection rules (required reviewers, wait timers, deployment branch policies) and can expose environment-scoped secrets.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_editcategoryondiscussion.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_editcategoryondiscussion.mdx
index d318d83..44a67e6 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_editcategoryondiscussion.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_editcategoryondiscussion.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_EditCategoryOnDiscussion` edge represents a role's ability to change the category of a discussion, moving it between categories. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_EditCategoryOnDiscussion edge represents a role's ability to change the category of a discussion, moving it between categories. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_editdiscussioncategory.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_editdiscussioncategory.mdx
index ccc122b..6d237a7 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_editdiscussioncategory.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_editdiscussioncategory.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_EditDiscussionCategory` edge represents a role's ability to edit discussion categories to reorganize discussion classification. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_EditDiscussionCategory edge represents a role's ability to edit discussion categories to reorganize discussion classification. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_editdiscussioncomment.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_editdiscussioncomment.mdx
index 5787387..50c2179 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_editdiscussioncomment.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_editdiscussioncomment.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_EditDiscussionComment` edge represents a role's ability to edit discussion comments authored by any user. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_EditDiscussionComment edge represents a role's ability to edit discussion comments authored by any user. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_editrepoannouncementbanners.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_editrepoannouncementbanners.mdx
index d89f5c2..2ddecd5 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_editrepoannouncementbanners.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_editrepoannouncementbanners.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_EditRepoAnnouncementBanners` edge represents a role's ability to edit repository announcement banners displayed to visitors. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_EditRepoAnnouncementBanners edge represents a role's ability to edit repository announcement banners displayed to visitors. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_editrepocustompropertiesvalues.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_editrepocustompropertiesvalues.mdx
index aee5fa2..08282ad 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_editrepocustompropertiesvalues.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_editrepocustompropertiesvalues.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_EditRepoCustomPropertiesValues` edge represents a role's ability to edit custom property values on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Custom properties are organization-defined metadata fields on repositories that can be used for classification, compliance tagging, or policy enforcement via rulesets. Modifying custom property values could alter which organization-level rulesets apply to the repository, potentially bypassing security controls that are scoped by property-based targeting.
+The non-traversable GH_EditRepoCustomPropertiesValues edge represents a role's ability to edit custom property values on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Custom properties are organization-defined metadata fields on repositories that can be used for classification, compliance tagging, or policy enforcement via rulesets. Modifying custom property values could alter which organization-level rulesets apply to the repository, potentially bypassing security controls that are scoped by property-based targeting.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_editrepometadata.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_editrepometadata.mdx
index 9c3f765..357d32f 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_editrepometadata.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_editrepometadata.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_EditRepoMetadata` edge represents a role's ability to edit repository metadata including description, homepage URL, and visibility settings. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_EditRepoMetadata edge represents a role's ability to edit repository metadata including description, homepage URL, and visibility settings. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_editrepoprotections.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_editrepoprotections.mdx
index eddbb38..abc1010 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_editrepoprotections.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_editrepoprotections.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_EditRepoProtections` edge represents a role's ability to edit or remove branch protection rules on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Modifying a branch protection rule is an indirect bypass -- removing or weakening protections opens the branch to direct push or unreviewed merges, making this a high-severity permission from a security perspective. Attack paths that include this edge can escalate to full branch write access by first disabling protections.
+The non-traversable GH_EditRepoProtections edge represents a role's ability to edit or remove branch protection rules on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Modifying a branch protection rule is an indirect bypass -- removing or weakening protections opens the branch to direct push or unreviewed merges, making this a high-severity permission from a security perspective. Attack paths that include this edge can escalate to full branch write access by first disabling protections.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasbaserole.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasbaserole.mdx
index bafb99e..811a22f 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hasbaserole.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hasbaserole.mdx
@@ -11,4 +11,4 @@ Traversable: true
 ## General Information
-The traversable `GH_HasBaseRole` edge represents role inheritance within the GitHub permission hierarchy. Org roles inherit down to all-repo roles (e.g., Owners inherits to all_repo_admin), and custom roles inherit from their base roles (e.g., a custom_role inherits from write). This edge is traversable because it extends permissions through the role hierarchy, meaning a principal with a higher-level role implicitly holds all inherited lower-level roles.
+The traversable GH_HasBaseRole edge represents role inheritance within the GitHub permission hierarchy. Org roles inherit down to all-repo roles (e.g., Owners inherits to all_repo_admin), and custom roles inherit from their base roles (e.g., a custom_role inherits from write). This edge is traversable because it extends permissions through the role hierarchy, meaning a principal with a higher-level role implicitly holds all inherited lower-level roles.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasbranch.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasbranch.mdx
index d175105..9c890e5 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hasbranch.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hasbranch.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_HasBranch` edge represents the relationship between a repository and its branches. This edge links each collected branch to its parent repository. It is a structural edge that provides the foundation for understanding branch-level protections and access controls. While not traversable itself, it connects repositories to branches where traversable edges like [GH_CanWriteBranch](/opengraph/extensions/github/edges/gh_canwritebranch) and [GH_CanEditProtection](/opengraph/extensions/github/edges/gh_caneditprotection) model the effective access.
+The non-traversable GH_HasBranch edge represents the relationship between a repository and its branches. This edge links each collected branch to its parent repository. It is a structural edge that provides the foundation for understanding branch-level protections and access controls. While not traversable itself, it connects repositories to branches where traversable edges like [GH_CanWriteBranch](/opengraph/extensions/github/edges/gh_canwritebranch) and [GH_CanEditProtection](/opengraph/extensions/github/edges/gh_caneditprotection) model the effective access.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasenvironment.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasenvironment.mdx
index 025819f..c10b153 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hasenvironment.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hasenvironment.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_HasEnvironment` edge represents the relationship between a repository or branch and its deployment environments. This edge links environments to the repositories that define them and to the branches that are allowed to deploy to them (via deployment branch policies). Environments are security-relevant because they can gate access to secrets and cloud credentials, and their deployment branch policies control which branches can trigger deployments.
+The non-traversable GH_HasEnvironment edge represents the relationship between a repository or branch and its deployment environments. This edge links environments to the repositories that define them and to the branches that are allowed to deploy to them (via deployment branch policies). Environments are security-relevant because they can gate access to secrets and cloud credentials, and their deployment branch policies control which branches can trigger deployments.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasexternalidentity.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasexternalidentity.mdx
index 4b02bec..f5ba480 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hasexternalidentity.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hasexternalidentity.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_HasExternalIdentity` edge represents the relationship between a SAML identity provider and the external identities (SSO users) it manages. This edge links each external identity to the SAML provider that authenticated it. External identities are a key component in cross-platform attack path analysis because they bridge the gap between corporate identity providers and GitHub user accounts via the [GH_MapsToUser](/opengraph/extensions/github/edges/gh_mapstouser) edge. Enumerating external identities reveals which corporate users have linked GitHub accounts and enables mapping from IdP compromise to GitHub access.
+The non-traversable GH_HasExternalIdentity edge represents the relationship between a SAML identity provider and the external identities (SSO users) it manages. This edge links each external identity to the SAML provider that authenticated it. External identities are a key component in cross-platform attack path analysis because they bridge the gap between corporate identity providers and GitHub user accounts via the [GH_MapsToUser](/opengraph/extensions/github/edges/gh_mapstouser) edge. Enumerating external identities reveals which corporate users have linked GitHub accounts and enables mapping from IdP compromise to GitHub access.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasjob.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasjob.mdx
index bff612f..9a6e786 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hasjob.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hasjob.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The traversable `GH_HasJob` edge links a workflow to each of its jobs. This edge is the primary structural link for walking from a workflow definition into its execution units. Because jobs can declare environments and permissions, traversing this edge enables analysts to reason about what a workflow can do and where it can deploy.
+The traversable GH_HasJob edge links a workflow to each of its jobs. This edge is the primary structural link for walking from a workflow definition into its execution units. Because jobs can declare environments and permissions, traversing this edge enables analysts to reason about what a workflow can do and where it can deploy.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasmember.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasmember.mdx
index bd68e98..40a274c 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hasmember.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hasmember.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_HasMember` edge represents the relationship between a GitHub enterprise or organization and a user who is a member of that scope. This edge records membership as directory context rather than as an access path: being listed as a member does not by itself describe what the user can do, only that the user belongs to the enterprise or organization. Membership remains security-relevant because it defines the population from which roles, team assignments, and token approvals are drawn, and it helps analysts understand who is inside the trust boundary when reviewing GitHub exposure.
+The non-traversable GH_HasMember edge represents the relationship between a GitHub enterprise or organization and a user who is a member of that scope. This edge records membership as directory context rather than as an access path: being listed as a member does not by itself describe what the user can do, only that the user belongs to the enterprise or organization. Membership remains security-relevant because it defines the population from which roles, team assignments, and token approvals are drawn, and it helps analysts understand who is inside the trust boundary when reviewing GitHub exposure.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_haspersonalaccesstoken.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_haspersonalaccesstoken.mdx
index 8555287..2328603 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_haspersonalaccesstoken.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_haspersonalaccesstoken.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_HasPersonalAccessToken` edge represents the relationship between a user and their fine-grained personal access tokens that have been granted access to the organization. This edge links each approved token back to the user who created it. Fine-grained personal access tokens are security-significant because they provide programmatic access to organization resources with specific scoped permissions. Tracking token ownership is essential for understanding which users have standing API access and for identifying tokens that may need revocation.
+The non-traversable GH_HasPersonalAccessToken edge represents the relationship between a user and their fine-grained personal access tokens that have been granted access to the organization. This edge links each approved token back to the user who created it. Fine-grained personal access tokens are security-significant because they provide programmatic access to organization resources with specific scoped permissions. Tracking token ownership is essential for understanding which users have standing API access and for identifying tokens that may need revocation.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_haspersonalaccesstokenrequest.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_haspersonalaccesstokenrequest.mdx
index c710007..5d712d0 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_haspersonalaccesstokenrequest.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_haspersonalaccesstokenrequest.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_HasPersonalAccessTokenRequest` edge represents the relationship between a user and their pending personal access token requests awaiting organizational approval. This edge links each pending token request back to the user who submitted it. Pending token requests are security-relevant because they represent access that may soon be granted, and reviewing them helps administrators understand what permissions users are requesting before approval. Organizations that require approval for fine-grained PATs will have these requests queued until an administrator acts on them.
+The non-traversable GH_HasPersonalAccessTokenRequest edge represents the relationship between a user and their pending personal access token requests awaiting organizational approval. This edge links each pending token request back to the user who submitted it. Pending token requests are security-relevant because they represent access that may soon be granted, and reviewing them helps administrators understand what permissions users are requesting before approval. Organizations that require approval for fine-grained PATs will have these requests queued until an administrator acts on them.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasrole.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasrole.mdx
index ece8a88..27f16bb 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hasrole.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hasrole.mdx
@@ -11,4 +11,4 @@ Traversable: true
 ## General Information
-The traversable `GH_HasRole` edge represents the assignment of a user or team to a specific role within the organization, repository, or team. This is the primary edge for connecting identities to their permissions and serves as the foundation of all access paths in the GitHub permission model. Because role assignment is the starting point for determining what a principal can do, this edge is traversable and critical for attack path analysis.
+The traversable GH_HasRole edge represents the assignment of a user or team to a specific role within the organization, repository, or team. This is the primary edge for connecting identities to their permissions and serves as the foundation of all access paths in the GitHub permission model. Because role assignment is the starting point for determining what a principal can do, this edge is traversable and critical for attack path analysis.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hassamlidentityprovider.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hassamlidentityprovider.mdx
index 51cef4b..5396d13 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hassamlidentityprovider.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hassamlidentityprovider.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_HasSamlIdentityProvider` edge represents the relationship between an organization and its SAML identity provider configuration. This edge links an organization to the SAML SSO provider used for authentication and user provisioning. SAML identity providers are a critical security component because they establish the trust boundary between an external identity provider (such as Entra ID or Okta) and the GitHub organization. Understanding this relationship is essential for mapping cross-platform attack paths where compromise of the identity provider could lead to access within the GitHub organization.
+The non-traversable GH_HasSamlIdentityProvider edge represents the relationship between an organization and its SAML identity provider configuration. This edge links an organization to the SAML SSO provider used for authentication and user provisioning. SAML identity providers are a critical security component because they establish the trust boundary between an external identity provider (such as Entra ID or Okta) and the GitHub organization. Understanding this relationship is essential for mapping cross-platform attack paths where compromise of the identity provider could lead to access within the GitHub organization.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hassecret.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hassecret.mdx
index 6935df2..36827fc 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hassecret.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hassecret.mdx
@@ -11,4 +11,4 @@ Traversable: true
 ## General Information
-The traversable `GH_HasSecret` edge represents the relationship between a repository or environment and the secrets accessible within that context. This edge shows which secrets are available in which scopes. Repositories can have access to both organization-level secrets (scoped to selected repositories) and repository-level secrets, while environments contain their own environment-scoped secrets. This edge is traversable because any principal that can push code to a repository (via [GH_CanWriteBranch](/opengraph/extensions/github/edges/gh_canwritebranch) or [GH_CanCreateBranch](/opengraph/extensions/github/edges/gh_cancreatebranch)) can write a workflow that exfiltrates the secret values at runtime, making this a meaningful link in attack path analysis.
+The traversable GH_HasSecret edge represents the relationship between a repository or environment and the secrets accessible within that context. This edge shows which secrets are available in which scopes. Repositories can have access to both organization-level secrets (scoped to selected repositories) and repository-level secrets, while environments contain their own environment-scoped secrets. This edge is traversable because any principal that can push code to a repository (via [GH_CanWriteBranch](/opengraph/extensions/github/edges/gh_canwritebranch) or [GH_CanCreateBranch](/opengraph/extensions/github/edges/gh_cancreatebranch)) can write a workflow that exfiltrates the secret values at runtime, making this a meaningful link in attack path analysis.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasstep.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasstep.mdx
index 9a0515b..a4feaa2 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hasstep.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hasstep.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The traversable `GH_HasStep` edge links a job to each of its steps in execution order. This edge enables analysts to enumerate all actions and shell commands executed by a job, including which secrets and variables each step consumes.
+The traversable GH_HasStep edge links a job to each of its steps in execution order. This edge enables analysts to enumerate all actions and shell commands executed by a job, including which secrets and variables each step consumes.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasvariable.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasvariable.mdx
index 1e28b09..f5ea58d 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hasvariable.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hasvariable.mdx
@@ -11,4 +11,4 @@ Traversable: true
 ## General Information
-The traversable `GH_HasVariable` edge represents the relationship between a repository and the variables accessible within that context. This edge shows which variables are available in which scopes. Repositories can have access to both organization-level variables (scoped by visibility to all, private, or selected repositories) and repository-level variables defined directly on the repo. This edge is traversable because any principal that can push code to a repository (via [GH_CanWriteBranch](/opengraph/extensions/github/edges/gh_canwritebranch) or [GH_CanCreateBranch](/opengraph/extensions/github/edges/gh_cancreatebranch)) can write a workflow that reads variable values at runtime, and variables may contain configuration data useful for lateral movement such as deployment URLs, service names, or environment identifiers.
+The traversable GH_HasVariable edge represents the relationship between a repository and the variables accessible within that context. This edge shows which variables are available in which scopes. Repositories can have access to both organization-level variables (scoped by visibility to all, private, or selected repositories) and repository-level variables defined directly on the repo. This edge is traversable because any principal that can push code to a repository (via [GH_CanWriteBranch](/opengraph/extensions/github/edges/gh_canwritebranch) or [GH_CanCreateBranch](/opengraph/extensions/github/edges/gh_cancreatebranch)) can write a workflow that reads variable values at runtime, and variables may contain configuration data useful for lateral movement such as deployment URLs, service names, or environment identifiers.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasworkflow.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasworkflow.mdx
index 44410e0..7468894 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hasworkflow.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_hasworkflow.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_HasWorkflow` edge represents the relationship between a repository and its GitHub Actions workflows. This edge links each discovered workflow definition to its parent repository. Workflows are significant from a security perspective because they can execute arbitrary code with repository permissions, access secrets, and assume cloud identities. This structural edge enables analysts to enumerate which workflows exist in a given repository.
+The non-traversable GH_HasWorkflow edge represents the relationship between a repository and its GitHub Actions workflows. This edge links each discovered workflow definition to its parent repository. Workflows are significant from a security perspective because they can execute arbitrary code with repository permissions, access secrets, and assume cloud identities. This structural edge enables analysts to enumerate which workflows exist in a given repository.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_installedas.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_installedas.mdx
index cc961f3..b104e88 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_installedas.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_installedas.mdx
@@ -11,4 +11,4 @@ Traversable: true
 ## General Information
-The traversable `GH_InstalledAs` edge links a GitHub App to its installation within the organization. This edge is traversable because it connects the app definition to its active installation, which determines the specific set of repositories and permissions the app has been granted. Understanding the relationship between an app and its installation is essential for tracing how app-level permissions translate into repository access.
+The traversable GH_InstalledAs edge links a GitHub App to its installation within the organization. This edge is traversable because it connects the app definition to its active installation, which determines the specific set of repositories and permissions the app has been granted. Understanding the relationship between an app and its installation is essential for tracing how app-level permissions translate into repository access.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_invitemember.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_invitemember.mdx
index 4eaf531..c840753 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_invitemember.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_invitemember.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_InviteMember` edge represents that a role has the ability to invite new members to the organization. This permission is typically restricted to Owners, as inviting members expands the organization's trust boundary by granting new users access to internal resources. An attacker with this permission could invite a controlled account to gain persistent access to the organization's repositories, teams, and secrets.
+The non-traversable GH_InviteMember edge represents that a role has the ability to invite new members to the organization. This permission is typically restricted to Owners, as inviting members expands the organization's trust boundary by granting new users access to internal resources. An attacker with this permission could invite a controlled account to gain persistent access to the organization's repositories, teams, and secrets.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_jumpmergequeue.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_jumpmergequeue.mdx
index f79cd78..b189aa5 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_jumpmergequeue.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_jumpmergequeue.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_JumpMergeQueue` edge represents a role's ability to jump ahead of other entries in the merge queue. This permission is available to Admin roles and custom roles that have been granted this specific permission. Merge queues enforce an ordered sequence of CI checks and merges; jumping the queue allows a principal to prioritize their changes ahead of others. While less severe than bypassing protections entirely, this permission can be used to accelerate the landing of malicious changes before other queued entries are reviewed or tested.
+The non-traversable GH_JumpMergeQueue edge represents a role's ability to jump ahead of other entries in the merge queue. This permission is available to Admin roles and custom roles that have been granted this specific permission. Merge queues enforce an ordered sequence of CI checks and merges; jumping the queue allows a principal to prioritize their changes ahead of others. While less severe than bypassing protections entirely, this permission can be used to accelerate the landing of malicious changes before other queued entries are reviewed or tested.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_managedeploykeys.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_managedeploykeys.mdx
index 1d30d91..846a35c 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_managedeploykeys.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_managedeploykeys.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_ManageDeployKeys` edge represents a role's ability to create, modify, and delete deploy keys for the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Deploy keys provide SSH-based access to the repository, and a deploy key with write access can push commits directly without going through the GitHub web interface or API authentication. Managing deploy keys is security-significant because it enables the creation of persistent, credential-based access that operates outside the normal user authentication flow.
+The non-traversable GH_ManageDeployKeys edge represents a role's ability to create, modify, and delete deploy keys for the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Deploy keys provide SSH-based access to the repository, and a deploy key with write access can push commits directly without going through the GitHub web interface or API authentication. Managing deploy keys is security-significant because it enables the creation of persistent, credential-based access that operates outside the normal user authentication flow.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_managediscussionbadges.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_managediscussionbadges.mdx
index 6c70a25..8040d90 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_managediscussionbadges.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_managediscussionbadges.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_ManageDiscussionBadges` edge represents a role's ability to manage discussion badges used to highlight discussion participants. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_ManageDiscussionBadges edge represents a role's ability to manage discussion badges used to highlight discussion participants. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_manageorganizationwebhooks.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_manageorganizationwebhooks.mdx
index 2586f7c..a7113db 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_manageorganizationwebhooks.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_manageorganizationwebhooks.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_ManageOrganizationWebhooks` edge represents that a role has the ability to manage organization-level webhooks. This edge is dynamically generated from custom organization role permissions discovered by the collector. Webhooks can be configured to send event data to external endpoints, making this permission significant for security because an attacker could create or modify webhooks to exfiltrate repository data, commit contents, or issue details to an attacker-controlled server, or use them as a persistence mechanism.
+The non-traversable GH_ManageOrganizationWebhooks edge represents that a role has the ability to manage organization-level webhooks. This edge is dynamically generated from custom organization role permissions discovered by the collector. Webhooks can be configured to send event data to external endpoints, making this permission significant for security because an attacker could create or modify webhooks to exfiltrate repository data, commit contents, or issue details to an attacker-controlled server, or use them as a persistence mechanism.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_managereposecurityproducts.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_managereposecurityproducts.mdx
index 1d5b6f2..648118c 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_managereposecurityproducts.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_managereposecurityproducts.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_ManageRepoSecurityProducts` edge represents a role's ability to manage repository-specific security product settings. This permission is available to Admin roles and custom roles that have been granted this specific permission. Unlike the broader [GH_ManageSecurityProducts](/opengraph/extensions/github/edges/gh_managesecurityproducts) permission, this edge is scoped to repository-level security configuration such as repository-specific scanning settings and alert management. Disabling repository-level security products can create blind spots in vulnerability detection for the specific repository.
+The non-traversable GH_ManageRepoSecurityProducts edge represents a role's ability to manage repository-specific security product settings. This permission is available to Admin roles and custom roles that have been granted this specific permission. Unlike the broader [GH_ManageSecurityProducts](/opengraph/extensions/github/edges/gh_managesecurityproducts) permission, this edge is scoped to repository-level security configuration such as repository-specific scanning settings and alert management. Disabling repository-level security products can create blind spots in vulnerability detection for the specific repository.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_managesecurityproducts.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_managesecurityproducts.mdx
index 202b70a..55b0a95 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_managesecurityproducts.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_managesecurityproducts.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_ManageSecurityProducts` edge represents a role's ability to manage security product settings on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Managing security products allows enabling or disabling features such as secret scanning, code scanning, and Dependabot alerts. An attacker with this permission could disable security features to prevent detection of vulnerabilities or leaked secrets, making this a high-severity permission for security posture management.
+The non-traversable GH_ManageSecurityProducts edge represents a role's ability to manage security product settings on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Managing security products allows enabling or disabling features such as secret scanning, code scanning, and Dependabot alerts. An attacker with this permission could disable security features to prevent detection of vulnerabilities or leaked secrets, making this a high-severity permission for security posture management.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingsmergetypes.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingsmergetypes.mdx
index e5ca318..98c7154 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingsmergetypes.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingsmergetypes.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_ManageSettingsMergeTypes` edge represents a role's ability to configure allowed merge types (merge commit, squash, rebase) on the repository. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_ManageSettingsMergeTypes edge represents a role's ability to configure allowed merge types (merge commit, squash, rebase) on the repository. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingspages.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingspages.mdx
index 0cd06e7..77a9255 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingspages.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingspages.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_ManageSettingsPages` edge represents a role's ability to manage GitHub Pages settings including enabling, disabling, and configuring the source. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_ManageSettingsPages edge represents a role's ability to manage GitHub Pages settings including enabling, disabling, and configuring the source. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingsprojects.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingsprojects.mdx
index 7e87738..086f2e0 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingsprojects.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingsprojects.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_ManageSettingsProjects` edge represents a role's ability to manage project board settings on the repository. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_ManageSettingsProjects edge represents a role's ability to manage project board settings on the repository. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingswiki.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingswiki.mdx
index fdc557b..5d30114 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingswiki.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingswiki.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_ManageSettingsWiki` edge represents a role's ability to enable or disable the repository wiki. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_ManageSettingsWiki edge represents a role's ability to enable or disable the repository wiki. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_managetopics.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_managetopics.mdx
index b890b3c..1e29a3e 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_managetopics.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_managetopics.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_ManageTopics` edge represents a role's ability to manage repository topics used for discovery and classification. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_ManageTopics edge represents a role's ability to manage repository topics used for discovery and classification. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_managewebhooks.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_managewebhooks.mdx
index 949a64a..70f7314 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_managewebhooks.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_managewebhooks.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_ManageWebhooks` edge represents a role's ability to create, modify, and delete repository-level webhooks. This permission is available to Admin roles and custom roles that have been granted this specific permission. Webhooks can exfiltrate repository events and code changes to external endpoints, making this a security-sensitive permission. An attacker with this permission could configure a webhook to receive push event payloads containing commit diffs, effectively creating a covert channel for data exfiltration.
+The non-traversable GH_ManageWebhooks edge represents a role's ability to create, modify, and delete repository-level webhooks. This permission is available to Admin roles and custom roles that have been granted this specific permission. Webhooks can exfiltrate repository events and code changes to external endpoints, making this a security-sensitive permission. An attacker with this permission could configure a webhook to receive push event payloads containing commit diffs, effectively creating a covert channel for data exfiltration.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_mapstouser.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_mapstouser.mdx
index 13701d5..f298fc5 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_mapstouser.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_mapstouser.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_MapsToUser` edge maps an external identity (provisioned via SAML or SCIM) to a GitHub user within the organization, or to an external IdP user (such as [AZUser](/resources/nodes/az-user), [Okta_User](/opengraph/extensions/okta/nodes/okta_user), or [PingOneUser](https://github.com/andyrobbins/PingOneHound?tab=readme-ov-file#schema)) in hybrid graph scenarios. This edge represents identity correlation rather than an attack path, connecting a user's external IdP account to their GitHub account for visibility into federated identity mappings.
+The non-traversable GH_MapsToUser edge maps an external identity (provisioned via SAML or SCIM) to a GitHub user within the organization, or to an external IdP user (such as [AZUser](/resources/nodes/az-user), [Okta_User](/opengraph/extensions/okta/nodes/okta_user), or [PingOneUser](https://github.com/andyrobbins/PingOneHound?tab=readme-ov-file#schema)) in hybrid graph scenarios. This edge represents identity correlation rather than an attack path, connecting a user's external IdP account to their GitHub account for visibility into federated identity mappings.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_markasduplicate.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_markasduplicate.mdx
index eb56270..2ca9e8c 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_markasduplicate.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_markasduplicate.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_MarkAsDuplicate` edge represents a role's ability to mark issues or pull requests as duplicates. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_MarkAsDuplicate edge represents a role's ability to mark issues or pull requests as duplicates. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_memberof.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_memberof.mdx
index 31f4efd..3251fee 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_memberof.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_memberof.mdx
@@ -11,4 +11,4 @@ Traversable: true
 ## General Information
-The traversable `GH_MemberOf` edge represents team membership, linking a team role to its parent team or a child team to a parent team in nested team hierarchies. This edge is traversable because team membership extends access transitively -- a user who holds a role in a child team inherits the repository permissions of all ancestor teams in the nesting hierarchy, making it a key component of attack path analysis.
+The traversable GH_MemberOf edge represents team membership, linking a team role to its parent team or a child team to a parent team in nested team hierarchies. This edge is traversable because team membership extends access transitively -- a user who holds a role in a child team inherits the repository permissions of all ancestor teams in the nesting hierarchy, making it a key component of attack path analysis.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_orgbypasscodescanningdismissalrequests.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_orgbypasscodescanningdismissalrequests.mdx
index 569dd0a..6bb0588 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_orgbypasscodescanningdismissalrequests.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_orgbypasscodescanningdismissalrequests.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_OrgBypassCodeScanningDismissalRequests` edge represents that a role can bypass code scanning dismissal requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. This permission allows suppressing code scanning security findings without the standard review process, which is significant because an attacker could use it to hide vulnerabilities or malicious code patterns that would otherwise be flagged by automated scanning tools.
+The non-traversable GH_OrgBypassCodeScanningDismissalRequests edge represents that a role can bypass code scanning dismissal requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. This permission allows suppressing code scanning security findings without the standard review process, which is significant because an attacker could use it to hide vulnerabilities or malicious code patterns that would otherwise be flagged by automated scanning tools.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_orgbypasssecretscanningclosurerequests.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_orgbypasssecretscanningclosurerequests.mdx
index 47860e5..49c8f66 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_orgbypasssecretscanningclosurerequests.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_orgbypasssecretscanningclosurerequests.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_OrgBypassSecretScanningClosureRequests` edge represents that a role can bypass secret scanning closure requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. This permission allows closing secret scanning alerts without going through the standard review and approval process, which is significant because an attacker could use it to suppress alerts about leaked credentials and prevent incident response teams from being notified.
+The non-traversable GH_OrgBypassSecretScanningClosureRequests edge represents that a role can bypass secret scanning closure requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. This permission allows closing secret scanning alerts without going through the standard review and approval process, which is significant because an attacker could use it to suppress alerts about leaked credentials and prevent incident response teams from being notified.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_orgreviewandmanagesecretscanningbypassrequests.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_orgreviewandmanagesecretscanningbypassrequests.mdx
index e725e3f..3c48b8f 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_orgreviewandmanagesecretscanningbypassrequests.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_orgreviewandmanagesecretscanningbypassrequests.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_OrgReviewAndManageSecretScanningBypassRequests` edge represents that a role can review and manage secret scanning push protection bypass requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. Push protection prevents secrets from being committed to repositories, and bypass requests allow developers to override this protection for specific commits. An attacker with this permission could approve their own or an accomplice's bypass requests, allowing secrets to be committed to repositories without triggering push protection blocks.
+The non-traversable GH_OrgReviewAndManageSecretScanningBypassRequests edge represents that a role can review and manage secret scanning push protection bypass requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. Push protection prevents secrets from being committed to repositories, and bypass requests allow developers to override this protection for specific commits. An attacker with this permission could approve their own or an accomplice's bypass requests, allowing secrets to be committed to repositories without triggering push protection blocks.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_orgreviewandmanagesecretscanningclosurerequests.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_orgreviewandmanagesecretscanningclosurerequests.mdx
index 48f0351..e1e046f 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_orgreviewandmanagesecretscanningclosurerequests.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_orgreviewandmanagesecretscanningclosurerequests.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_OrgReviewAndManageSecretScanningClosureRequests` edge represents that a role can review and manage secret scanning alert closure requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. Alert closure requests are part of the workflow for closing secret scanning alerts, and this permission controls who can approve or deny those requests. An attacker with this permission could approve closure requests to suppress alerts about actively leaked credentials, undermining the organization's secret scanning remediation process.
+The non-traversable GH_OrgReviewAndManageSecretScanningClosureRequests edge represents that a role can review and manage secret scanning alert closure requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. Alert closure requests are part of the workflow for closing secret scanning alerts, and this permission controls who can approve or deny those requests. An attacker with this permission could approve closure requests to suppress alerts about actively leaked credentials, undermining the organization's secret scanning remediation process.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_owns.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_owns.mdx
index 56b1e45..2ee5263 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_owns.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_owns.mdx
@@ -11,4 +11,4 @@ Traversable: true
 ## General Information
-The traversable `GH_Owns` edge represents that an organization owns a repository. This edge establishes the foundation of the access control model by linking repositories to their owning organization. It is traversable because repository ownership is a critical relationship for understanding how organizational permissions cascade down to repository-level access, making it essential for attack path analysis.
+The traversable GH_Owns edge represents that an organization owns a repository. This edge establishes the foundation of the access control model by linking repositories to their owning organization. It is traversable because repository ownership is a critical relationship for understanding how organizational permissions cascade down to repository-level access, making it essential for attack path analysis.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_protectedby.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_protectedby.mdx
index 5b6e144..c7e9f40 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_protectedby.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_protectedby.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_ProtectedBy` edge represents that a branch protection rule applies to a specific branch. This edge links protection rules to the branches they govern. Understanding which protections apply to a branch is critical for determining the effective access model — protections such as required reviews, status checks, and push restrictions directly impact who can modify a branch. This edge is consumed by the computed branch-access edges to determine effective push access; the computed [GH_CanWriteBranch](/opengraph/extensions/github/edges/gh_canwritebranch) and [GH_CanEditProtection](/opengraph/extensions/github/edges/gh_caneditprotection) edges carry traversability instead.
+The non-traversable GH_ProtectedBy edge represents that a branch protection rule applies to a specific branch. This edge links protection rules to the branches they govern. Understanding which protections apply to a branch is critical for determining the effective access model — protections such as required reviews, status checks, and push restrictions directly impact who can modify a branch. This edge is consumed by the computed branch-access edges to determine effective push access; the computed [GH_CanWriteBranch](/opengraph/extensions/github/edges/gh_canwritebranch) and [GH_CanEditProtection](/opengraph/extensions/github/edges/gh_caneditprotection) edges carry traversability instead.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_pushprotectedbranch.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_pushprotectedbranch.mdx
index 8fbe95a..f6a441e 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_pushprotectedbranch.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_pushprotectedbranch.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_PushProtectedBranch` edge represents a role's ability to push directly to branches that are protected by push restrictions. This permission is available to Admin and Maintain roles. This edge bypasses the push gate of branch protection, allowing direct commits to protected branches without going through the pull request workflow. Unlike merge gate bypasses (such as [GH_BypassBranchProtection](/opengraph/extensions/github/edges/gh_bypassbranchprotection)), this push gate bypass is NOT suppressed by the `enforce_admins` setting on the branch protection rule, making it a particularly potent permission.
+The non-traversable GH_PushProtectedBranch edge represents a role's ability to push directly to branches that are protected by push restrictions. This permission is available to Admin and Maintain roles. This edge bypasses the push gate of branch protection, allowing direct commits to protected branches without going through the pull request workflow. Unlike merge gate bypasses (such as [GH_BypassBranchProtection](/opengraph/extensions/github/edges/gh_bypassbranchprotection)), this push gate bypass is NOT suppressed by the `enforce_admins` setting on the branch protection rule, making it a particularly potent permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_readcodescanning.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_readcodescanning.mdx
index b5bdbb4..0fb366a 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_readcodescanning.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_readcodescanning.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_ReadCodeScanning` edge represents a role's ability to read code scanning analysis results and alerts. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. Code scanning alerts may reveal exploitable vulnerabilities in the codebase.
+The non-traversable GH_ReadCodeScanning edge represents a role's ability to read code scanning analysis results and alerts. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. Code scanning alerts may reveal exploitable vulnerabilities in the codebase.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationactionsusagemetrics.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationactionsusagemetrics.mdx
index 832d3e0..2c5d5a6 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationactionsusagemetrics.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationactionsusagemetrics.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_ReadOrganizationActionsUsageMetrics` edge represents that a role can read GitHub Actions usage metrics for the organization. This edge is dynamically generated from custom organization role permissions discovered by the collector. Usage metrics provide visibility into workflow execution patterns, runner utilization, and billing data across the organization. While this is primarily an informational permission, it can reveal which repositories have active CI/CD pipelines and the scale of automation in use.
+The non-traversable GH_ReadOrganizationActionsUsageMetrics edge represents that a role can read GitHub Actions usage metrics for the organization. This edge is dynamically generated from custom organization role permissions discovered by the collector. Usage metrics provide visibility into workflow execution patterns, runner utilization, and billing data across the organization. While this is primarily an informational permission, it can reveal which repositories have active CI/CD pipelines and the scale of automation in use.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationcustomorgrole.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationcustomorgrole.mdx
index aec96e1..3fd33b9 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationcustomorgrole.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationcustomorgrole.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_ReadOrganizationCustomOrgRole` edge represents that a role can read custom organization role definitions. This edge is dynamically generated from custom organization role permissions discovered by the collector. Reading custom org role definitions allows a user to enumerate the permissions granted to each custom role, which provides reconnaissance value for understanding the organization's access control model and identifying roles with elevated privileges.
+The non-traversable GH_ReadOrganizationCustomOrgRole edge represents that a role can read custom organization role definitions. This edge is dynamically generated from custom organization role permissions discovered by the collector. Reading custom org role definitions allows a user to enumerate the permissions granted to each custom role, which provides reconnaissance value for understanding the organization's access control model and identifying roles with elevated privileges.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationcustomreporole.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationcustomreporole.mdx
index c50ec65..afaceed 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationcustomreporole.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationcustomreporole.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_ReadOrganizationCustomRepoRole` edge represents that a role can read custom repository role definitions. This edge is dynamically generated from custom organization role permissions discovered by the collector. Reading custom repo role definitions allows a user to enumerate the permissions granted to each custom repository role, which provides reconnaissance value for understanding repository-level access controls and identifying roles that grant elevated repository permissions.
+The non-traversable GH_ReadOrganizationCustomRepoRole edge represents that a role can read custom repository role definitions. This edge is dynamically generated from custom organization role permissions discovered by the collector. Reading custom repo role definitions allows a user to enumerate the permissions granted to each custom repository role, which provides reconnaissance value for understanding repository-level access controls and identifying roles that grant elevated repository permissions.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_readrepocontents.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_readrepocontents.mdx
index 4f1f5b2..62b3f52 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_readrepocontents.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_readrepocontents.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_ReadRepoContents` edge represents a role's ability to read repository contents including source code, issues, and pull requests. This is the base level of repository access, available to all roles at the Read permission level and above (Read, Triage, Write, Maintain, Admin).
+The non-traversable GH_ReadRepoContents edge represents a role's ability to read repository contents including source code, issues, and pull requests. This is the base level of repository access, available to all roles at the Read permission level and above (Read, Triage, Write, Maintain, Admin).
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_removeassignee.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_removeassignee.mdx
index 0131f77..ea0dbec 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_removeassignee.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_removeassignee.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_RemoveAssignee` edge represents a role's ability to remove assignees from issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_RemoveAssignee edge represents a role's ability to remove assignees from issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_removelabel.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_removelabel.mdx
index 07f13a5..4991b25 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_removelabel.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_removelabel.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_RemoveLabel` edge represents a role's ability to remove labels from issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_RemoveLabel edge represents a role's ability to remove labels from issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_reopendiscussion.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_reopendiscussion.mdx
index a76d580..b4e706b 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_reopendiscussion.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_reopendiscussion.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_ReopenDiscussion` edge represents a role's ability to reopen closed discussions to allow further replies. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_ReopenDiscussion edge represents a role's ability to reopen closed discussions to allow further replies. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_reopenissue.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_reopenissue.mdx
index 5068e94..68d4963 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_reopenissue.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_reopenissue.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_ReopenIssue` edge represents a role's ability to reopen closed issues. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_ReopenIssue edge represents a role's ability to reopen closed issues. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_reopenpullrequest.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_reopenpullrequest.mdx
index abcc456..0862292 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_reopenpullrequest.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_reopenpullrequest.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_ReopenPullRequest` edge represents a role's ability to reopen closed pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_ReopenPullRequest edge represents a role's ability to reopen closed pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_requestprreview.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_requestprreview.mdx
index 0a5962f..77dfe7c 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_requestprreview.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_requestprreview.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_RequestPrReview` edge represents a role's ability to request pull request reviews from specific users or teams. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_RequestPrReview edge represents a role's ability to request pull request reviews from specific users or teams. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_resolvedependabotalerts.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_resolvedependabotalerts.mdx
index e952a97..ea008a8 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_resolvedependabotalerts.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_resolvedependabotalerts.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_ResolveDependabotAlerts` edge represents a role's ability to dismiss or resolve Dependabot alerts. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. An attacker could dismiss valid alerts to suppress vulnerability warnings and prevent remediation.
+The non-traversable GH_ResolveDependabotAlerts edge represents a role's ability to dismiss or resolve Dependabot alerts. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. An attacker could dismiss valid alerts to suppress vulnerability warnings and prevent remediation.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_resolvesecretscanningalerts.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_resolvesecretscanningalerts.mdx
index 8d07574..8acbc3f 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_resolvesecretscanningalerts.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_resolvesecretscanningalerts.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_ResolveSecretScanningAlerts` edge represents that a role can resolve (close) secret scanning alerts at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. Resolving a secret scanning alert marks a leaked secret as addressed, which removes it from active monitoring dashboards. An attacker with this permission could suppress alerts about leaked credentials to prevent incident response teams from detecting and rotating compromised secrets.
+The non-traversable GH_ResolveSecretScanningAlerts edge represents that a role can resolve (close) secret scanning alerts at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. Resolving a secret scanning alert marks a leaked secret as addressed, which removes it from active monitoring dashboards. An attacker with this permission could suppress alerts about leaked credentials to prevent incident response teams from detecting and rotating compromised secrets.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_restrictionscanpush.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_restrictionscanpush.mdx
index 25f3ac6..232acec 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_restrictionscanpush.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_restrictionscanpush.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_RestrictionsCanPush` edge represents a per-actor allowance that grants push access through push restrictions on a branch protection rule. This edge identifies specific users or teams that are permitted to push to the protected branch even when push restrictions are active. This is security-relevant because push restrictions limit who can directly push to a branch, and actors with this allowance bypass that control. Unlike [GH_BypassPullRequestAllowances](/opengraph/extensions/github/edges/gh_bypasspullrequestallowances), this allowance is NOT suppressed by `enforce_admins` — listed actors retain push access regardless of admin enforcement settings.
+The non-traversable GH_RestrictionsCanPush edge represents a per-actor allowance that grants push access through push restrictions on a branch protection rule. This edge identifies specific users or teams that are permitted to push to the protected branch even when push restrictions are active. This is security-relevant because push restrictions limit who can directly push to a branch, and actors with this allowance bypass that control. Unlike [GH_BypassPullRequestAllowances](/opengraph/extensions/github/edges/gh_bypasspullrequestallowances), this allowance is NOT suppressed by `enforce_admins` — listed actors retain push access regardless of admin enforcement settings.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_runorgmigration.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_runorgmigration.mdx
index 42db234..110e1d1 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_runorgmigration.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_runorgmigration.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_RunOrgMigration` edge represents a role's ability to run organization migrations on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Organization migrations export repository data including source code, issues, and pull requests, which can be used to transfer repository contents to another organization. This permission is security-relevant because it enables bulk data export from the repository.
+The non-traversable GH_RunOrgMigration edge represents a role's ability to run organization migrations on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Organization migrations export repository data including source code, issues, and pull requests, which can be used to transfer repository contents to another organization. This permission is security-relevant because it enables bulk data export from the repository.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_setinteractionlimits.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_setinteractionlimits.mdx
index 9ae2cd8..7e9c795 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_setinteractionlimits.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_setinteractionlimits.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_SetInteractionLimits` edge represents a role's ability to set temporary interaction limits to restrict who can comment, open issues, or create pull requests. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_SetInteractionLimits edge represents a role's ability to set temporary interaction limits to restrict who can comment, open issues, or create pull requests. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_setissuetype.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_setissuetype.mdx
index f498bf7..fde251d 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_setissuetype.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_setissuetype.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_SetIssueType` edge represents a role's ability to set issue types. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_SetIssueType edge represents a role's ability to set issue types. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_setmilestone.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_setmilestone.mdx
index 736b4f9..fa421bb 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_setmilestone.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_setmilestone.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_SetMilestone` edge represents a role's ability to set milestones on issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_SetMilestone edge represents a role's ability to set milestones on issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_setsocialpreview.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_setsocialpreview.mdx
index 996e336..54eb6b3 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_setsocialpreview.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_setsocialpreview.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_SetSocialPreview` edge represents a role's ability to set the repository social preview image shown in link previews. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_SetSocialPreview edge represents a role's ability to set the repository social preview image shown in link previews. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_syncedto.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_syncedto.mdx
index 406999e..b1d37ad 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_syncedto.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_syncedto.mdx
@@ -11,4 +11,4 @@ Traversable: true
 ## General Information
-The traversable `GH_SyncedTo` edge is a hybrid edge that maps an external IdP user to a GitHub user based on SCIM provisioning. This edge represents a confirmed identity linkage between an external identity provider and GitHub. It is traversable because compromising the IdP account provides a verified path to the corresponding GitHub account, making it a critical edge for cross-system attack path analysis. This edge enables analysts to trace access from enterprise identity providers like Azure AD, Okta, or PingOne into the GitHub environment.
+The traversable GH_SyncedTo edge is a hybrid edge that maps an external IdP user to a GitHub user based on SCIM provisioning. This edge represents a confirmed identity linkage between an external identity provider and GitHub. It is traversable because compromising the IdP account provides a verified path to the corresponding GitHub account, making it a critical edge for cross-system attack path analysis. This edge enables analysts to trace access from enterprise identity providers like Azure AD, Okta, or PingOne into the GitHub environment.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_togglediscussionanswer.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_togglediscussionanswer.mdx
index ed74acc..f6524cd 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_togglediscussionanswer.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_togglediscussionanswer.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_ToggleDiscussionAnswer` edge represents a role's ability to mark or unmark a discussion comment as the accepted answer. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_ToggleDiscussionAnswer edge represents a role's ability to mark or unmark a discussion comment as the accepted answer. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_togglediscussioncommentminimize.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_togglediscussioncommentminimize.mdx
index fbd3611..c98b9d0 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_togglediscussioncommentminimize.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_togglediscussioncommentminimize.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_ToggleDiscussionCommentMinimize` edge represents a role's ability to minimize or restore discussion comments, hiding them from default view. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
+The non-traversable GH_ToggleDiscussionCommentMinimize edge represents a role's ability to minimize or restore discussion comments, hiding them from default view. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_transferrepository.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_transferrepository.mdx
index af200a2..838f292 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_transferrepository.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_transferrepository.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_TransferRepository` edge represents that a role has the ability to transfer repositories to or from the organization. This permission is typically restricted to Owners, as transferring a repository can move it outside of the organization's security controls, branch protection rules, and audit logging. An attacker with this permission could transfer a repository to an organization they control, effectively exfiltrating the codebase and its associated secrets.
+The non-traversable GH_TransferRepository edge represents that a role has the ability to transfer repositories to or from the organization. This permission is typically restricted to Owners, as transferring a repository can move it outside of the organization's security controls, branch protection rules, and audit logging. An attacker with this permission could transfer a repository to an organization they control, effectively exfiltrating the codebase and its associated secrets.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_usessecret.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_usessecret.mdx
index 262d11d..e0c3522 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_usessecret.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_usessecret.mdx
@@ -11,7 +11,7 @@ Traversable: false
 ## General Information
-The traversable `GH_UsesSecret` edge links a workflow step to the secret it references via a `${{ secrets.NAME }}` expression. This edge reveals which secrets a step can access at runtime, enabling analysts to trace the blast radius of a compromised workflow.
+The traversable GH_UsesSecret edge links a workflow step to the secret it references via a `${{ secrets.NAME }}` expression. This edge reveals which secrets a step can access at runtime, enabling analysts to trace the blast radius of a compromised workflow.
 ### Matching strategy
@@ -20,7 +20,7 @@ Edges use `match_by: property` with two matchers to disambiguate between secrets
 - **[GH_RepoSecret](/opengraph/extensions/github/nodes/gh_reposecret)** is matched by `name` + `repository_id` (the GitHub node_id of the repository).
 - **[GH_OrgSecret](/opengraph/extensions/github/nodes/gh_orgsecret)** is matched by `name` + `environmentid` (the node_id of the organization, which acts as the org-level secret scope).
-This means one `${{ secrets.MY_SECRET }}` expression in a workflow can produce up to two `GH_UsesSecret` edges — one to the repo-level secret and one to the org-level secret — reflecting that either could supply the value at runtime depending on scope precedence.
+This means one `${{ secrets.MY_SECRET }}` expression in a workflow can produce up to two GH_UsesSecret edges — one to the repo-level secret and one to the org-level secret — reflecting that either could supply the value at runtime depending on scope precedence.
 ### Context property
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_usesvariable.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_usesvariable.mdx
index 5fc3a65..7259e17 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_usesvariable.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_usesvariable.mdx
@@ -11,7 +11,7 @@ Traversable: false
 ## General Information
-The non-traversable `GH_UsesVariable` edge links a workflow step to the variable it references via a `${{ vars.NAME }}` expression. This edge maps variable consumption within workflows. Unlike secrets, variable values are readable via the API, making them lower sensitivity — but they can still influence workflow behavior (e.g., controlling target environments or feature flags).
+The non-traversable GH_UsesVariable edge links a workflow step to the variable it references via a `${{ vars.NAME }}` expression. This edge maps variable consumption within workflows. Unlike secrets, variable values are readable via the API, making them lower sensitivity — but they can still influence workflow behavior (e.g., controlling target environments or feature flags).
 ### Matching strategy
@@ -20,7 +20,7 @@ Edges use `match_by: property` with two matchers to disambiguate between variabl
 - **[GH_RepoVariable](/opengraph/extensions/github/nodes/gh_repovariable)** is matched by `name` + `repository_id` (the GitHub node_id of the repository).
 - **[GH_OrgVariable](/opengraph/extensions/github/nodes/gh_orgvariable)** is matched by `name` + `environmentid` (the node_id of the organization, which acts as the org-level variable scope).
-This means one `${{ vars.MY_VAR }}` expression can produce up to two `GH_UsesVariable` edges — one to the repo-level variable and one to the org-level variable.
+This means one `${{ vars.MY_VAR }}` expression can produce up to two GH_UsesVariable edges — one to the repo-level variable and one to the org-level variable.
 ### Context property
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_validtoken.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_validtoken.mdx
index 0b8f1b9..7d17360 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_validtoken.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_validtoken.mdx
@@ -11,4 +11,4 @@ Traversable: true
 ## General Information
-The traversable `GH_ValidToken` edge represents a secret scanning alert that contains a valid, active GitHub Personal Access Token belonging to a specific user. This edge is only emitted when the alert's state is `open`, the secret type is `github_personal_access_token`, and the token is confirmed valid by calling the GitHub API. This edge is traversable because possessing the leaked token grants the ability to act as the token's owner, effectively compromising that user's identity and all permissions granted to the token.
+The traversable GH_ValidToken edge represents a secret scanning alert that contains a valid, active GitHub Personal Access Token belonging to a specific user. This edge is only emitted when the alert's state is `open`, the secret type is `github_personal_access_token`, and the token is confirmed valid by calling the GitHub API. This edge is traversable because possessing the leaked token grants the ability to act as the token's owner, effectively compromising that user's identity and all permissions granted to the token.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_viewdependabotalerts.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_viewdependabotalerts.mdx
index c9efae1..0c6b6c3 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_viewdependabotalerts.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_viewdependabotalerts.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_ViewDependabotAlerts` edge represents a role's ability to view Dependabot security alerts, which reveal known vulnerabilities in the repository's dependencies. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. This information could be used to identify and exploit unpatched vulnerabilities.
+The non-traversable GH_ViewDependabotAlerts edge represents a role's ability to view Dependabot security alerts, which reveal known vulnerabilities in the repository's dependencies. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. This information could be used to identify and exploit unpatched vulnerabilities.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_viewsecretscanningalerts.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_viewsecretscanningalerts.mdx
index 2574c93..978cdcb 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_viewsecretscanningalerts.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_viewsecretscanningalerts.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_ViewSecretScanningAlerts` edge represents that a role can view secret scanning alerts at the organization or repository level. This edge is dynamically generated from custom role permissions discovered by the collector. Secret scanning alerts may reveal details about leaked credentials, including partial or full secret values and the locations where they were detected. This makes the permission significant for security because an attacker with access to view these alerts could harvest exposed credentials for use in lateral movement or privilege escalation.
+The non-traversable GH_ViewSecretScanningAlerts edge represents that a role can view secret scanning alerts at the organization or repository level. This edge is dynamically generated from custom role permissions discovered by the collector. Secret scanning alerts may reveal details about leaked credentials, including partial or full secret values and the locations where they were detected. This makes the permission significant for security because an attacker with access to view these alerts could harvest exposed credentials for use in lateral movement or privilege escalation.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_writecodescanning.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_writecodescanning.mdx
index 6f5e362..fb66121 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_writecodescanning.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_writecodescanning.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_WriteCodeScanning` edge represents a role's ability to upload code scanning analysis results. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. An attacker could upload falsified SARIF results to suppress real alerts or inject misleading findings.
+The non-traversable GH_WriteCodeScanning edge represents a role's ability to upload code scanning analysis results. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. An attacker could upload falsified SARIF results to suppress real alerts or inject misleading findings.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionssecrets.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionssecrets.mdx
index b7d82da..b0d1364 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionssecrets.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionssecrets.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_WriteOrganizationActionsSecrets` edge represents that a role can write organization-level GitHub Actions secrets. This edge is dynamically generated from custom organization role permissions discovered by the collector. Organization-level secrets are available to workflows across multiple repositories and often contain credentials for external systems such as cloud providers, package registries, and deployment targets. An attacker with this permission could overwrite existing secrets to inject malicious credentials or create new secrets to facilitate lateral movement.
+The non-traversable GH_WriteOrganizationActionsSecrets edge represents that a role can write organization-level GitHub Actions secrets. This edge is dynamically generated from custom organization role permissions discovered by the collector. Organization-level secrets are available to workflows across multiple repositories and often contain credentials for external systems such as cloud providers, package registries, and deployment targets. An attacker with this permission could overwrite existing secrets to inject malicious credentials or create new secrets to facilitate lateral movement.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionssettings.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionssettings.mdx
index 9ca3420..3908ced 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionssettings.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionssettings.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_WriteOrganizationActionsSettings` edge represents that a role can modify organization-level GitHub Actions settings. This edge is dynamically generated from custom organization role permissions discovered by the collector. These settings control which actions are allowed to run within the organization and the default permissions granted to the `GITHUB_TOKEN` in workflows. An attacker with this permission could weaken restrictions to allow untrusted third-party actions or elevate default token permissions to enable write access across repositories.
+The non-traversable GH_WriteOrganizationActionsSettings edge represents that a role can modify organization-level GitHub Actions settings. This edge is dynamically generated from custom organization role permissions discovered by the collector. These settings control which actions are allowed to run within the organization and the default permissions granted to the `GITHUB_TOKEN` in workflows. An attacker with this permission could weaken restrictions to allow untrusted third-party actions or elevate default token permissions to enable write access across repositories.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionsvariables.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionsvariables.mdx
index 93a32e7..8c9ce9b 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionsvariables.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionsvariables.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_WriteOrganizationActionsVariables` edge represents that a role can write organization-level GitHub Actions variables. This edge is dynamically generated from custom organization role permissions discovered by the collector. Organization-level variables are available to workflows across multiple repositories and often contain configuration values such as environment URLs, feature flags, and service endpoints. An attacker with this permission could overwrite existing variables to redirect workflows to malicious endpoints or alter application behavior.
+The non-traversable GH_WriteOrganizationActionsVariables edge represents that a role can write organization-level GitHub Actions variables. This edge is dynamically generated from custom organization role permissions discovered by the collector. Organization-level variables are available to workflows across multiple repositories and often contain configuration values such as environment URLs, feature flags, and service endpoints. An attacker with this permission could overwrite existing variables to redirect workflows to malicious endpoints or alter application behavior.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationcustomorgrole.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationcustomorgrole.mdx
index 71cc56a..e001d84 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationcustomorgrole.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationcustomorgrole.mdx
@@ -11,4 +11,4 @@ Traversable: true
 ## General Information
-The traversable `GH_WriteOrganizationCustomOrgRole` edge represents that a role can create or modify custom organization role definitions. This edge is dynamically generated from custom organization role permissions discovered by the collector. Modifying organization role definitions can escalate privileges because an attacker could add permissions to an existing custom role that is already assigned to their account, including setting the base_role to inherit all_repo_admin. Since this permission can only belong to custom organization roles, the user necessarily holds the role they can modify — guaranteeing a self-escalation path. This makes it a Tier Zero privilege escalation vector.
+The traversable GH_WriteOrganizationCustomOrgRole edge represents that a role can create or modify custom organization role definitions. This edge is dynamically generated from custom organization role permissions discovered by the collector. Modifying organization role definitions can escalate privileges because an attacker could add permissions to an existing custom role that is already assigned to their account, including setting the base_role to inherit all_repo_admin. Since this permission can only belong to custom organization roles, the user necessarily holds the role they can modify — guaranteeing a self-escalation path. This makes it a Tier Zero privilege escalation vector.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationcustomreporole.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationcustomreporole.mdx
index b2b55c5..ad4acb4 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationcustomreporole.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationcustomreporole.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_WriteOrganizationCustomRepoRole` edge represents that a role can create or modify custom repository role definitions. This edge is dynamically generated from custom organization role permissions discovered by the collector. Modifying repository role definitions can escalate privileges because an attacker could add permissions such as admin access, bypass branch protections, or secret management to a custom repo role that is already assigned to their account. This makes it a high-impact permission for gaining elevated access to repositories across the organization.
+The non-traversable GH_WriteOrganizationCustomRepoRole edge represents that a role can create or modify custom repository role definitions. This edge is dynamically generated from custom organization role permissions discovered by the collector. Modifying repository role definitions can escalate privileges because an attacker could add permissions such as admin access, bypass branch protections, or secret management to a custom repo role that is already assigned to their account. This makes it a high-impact permission for gaining elevated access to repositories across the organization.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationnetworkconfigurations.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationnetworkconfigurations.mdx
index a0f2374..434d3d9 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationnetworkconfigurations.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationnetworkconfigurations.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_WriteOrganizationNetworkConfigurations` edge represents that a role can modify organization network configurations. This edge is dynamically generated from custom organization role permissions discovered by the collector. Network configurations control how GitHub-hosted runners connect to private resources such as internal APIs, databases, and cloud services. An attacker with this permission could modify network settings to route runner traffic through attacker-controlled infrastructure or grant runners access to previously isolated network segments.
+The non-traversable GH_WriteOrganizationNetworkConfigurations edge represents that a role can modify organization network configurations. This edge is dynamically generated from custom organization role permissions discovered by the collector. Network configurations control how GitHub-hosted runners connect to private resources such as internal APIs, databases, and cloud services. An attacker with this permission could modify network settings to route runner traffic through attacker-controlled infrastructure or grant runners access to previously isolated network segments.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_writerepocontents.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_writerepocontents.mdx
index f811d5e..7d8d28c 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_writerepocontents.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_writerepocontents.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_WriteRepoContents` edge represents a role's ability to push commits to the repository. This permission is available to Write, Maintain, and Admin roles. Pushing code can modify application behavior and introduce vulnerabilities, making this a security-significant edge. However, this edge represents only the raw permission; actual branch push capability is determined by the computed [GH_CanWriteBranch](/opengraph/extensions/github/edges/gh_canwritebranch) edge, which factors in branch protection rules and push restrictions.
+The non-traversable GH_WriteRepoContents edge represents a role's ability to push commits to the repository. This permission is available to Write, Maintain, and Admin roles. Pushing code can modify application behavior and introduce vulnerabilities, making this a security-significant edge. However, this edge represents only the raw permission; actual branch push capability is determined by the computed [GH_CanWriteBranch](/opengraph/extensions/github/edges/gh_canwritebranch) edge, which factors in branch protection rules and push restrictions.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_writerepopullrequests.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_writerepopullrequests.mdx
index ab5cde7..334297e 100644
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_writerepopullrequests.mdx
+++ b/docs/official-docs/opengraph/extensions/github/edges/gh_writerepopullrequests.mdx
@@ -11,4 +11,4 @@ Traversable: false
 ## General Information
-The non-traversable `GH_WriteRepoPullRequests` edge represents a role's ability to create and merge pull requests in the repository. This permission is available to Write, Maintain, and Admin roles. Pull request merge access is security-significant because merging code into protected branches is a common vector for introducing unauthorized changes; however, actual merge capability on protected branches is further governed by branch protection rules and required reviews.
+The non-traversable GH_WriteRepoPullRequests edge represents a role's ability to create and merge pull requests in the repository. This permission is available to Write, Maintain, and Admin roles. Pull request merge access is security-significant because merging code into protected branches is a common vector for introducing unauthorized changes; however, actual merge capability on protected branches is further governed by branch protection rules and required reviews.
From 622e550576b5bd8cce4e5482eaac5f5d604b80a1 Mon Sep 17 00:00:00 2001
From: JonasBK Date: Mon, 20 Apr 2026 12:03:43 +0200 Subject: [PATCH 15/16] git ignore official-docs dir --- .gitignore | 1 + .../images/extensions/github/gh_app.png | Bin 1136 -> 0 bytes .../extensions/github/gh_appinstallation.png | Bin 1028 -> 0 bytes .../images/extensions/github/gh_branch.png | Bin 1049 -> 0 bytes .../github/gh_branchprotectionrule.png | Bin 1071 -> 0 bytes .../extensions/github/gh_environment.png | Bin 1145 -> 0 bytes .../github/gh_environmentsecret.png | Bin 1027 -> 0 bytes .../github/gh_environmentvariable.png | Bin 1009 -> 0 bytes .../extensions/github/gh_externalidentity.png | Bin 1042 -> 0 bytes .../extensions/github/gh_organization.png | Bin 1137 -> 0 bytes .../images/extensions/github/gh_orgrole.png | Bin 1152 -> 0 bytes .../images/extensions/github/gh_orgsecret.png | Bin 1020 -> 0 bytes .../extensions/github/gh_orgvariable.png | Bin 1001 -> 0 bytes .../github/gh_personalaccesstoken.png | Bin 1154 -> 0 bytes .../github/gh_personalaccesstokenrequest.png | Bin 1089 -> 0 bytes .../images/extensions/github/gh_reporole.png | Bin 1021 -> 0 bytes .../extensions/github/gh_reposecret.png | Bin 1030 -> 0 bytes .../extensions/github/gh_repository.png | Bin 1022 -> 0 bytes .../extensions/github/gh_repovariable.png | Bin 1012 -> 0 bytes .../github/gh_samlidentityprovider.png | Bin 1095 -> 0 bytes .../github/gh_secretscanningalert.png | Bin 1105 -> 0 bytes .../images/extensions/github/gh_team.png | Bin 1122 -> 0 bytes .../images/extensions/github/gh_teamrole.png | Bin 1080 -> 0 bytes .../images/extensions/github/gh_user.png | Bin 1034 -> 0 bytes .../images/extensions/github/gh_workflow.png | Bin 1244 -> 0 bytes .../extensions/github/gh_workflowjob.png | Bin 1362 -> 0 bytes .../extensions/github/gh_workflowstep.png | Bin 1174 -> 0 bytes .../opengraph/extensions/github/docs.json | 158 ---- .../github/edges/gh_addassignee.mdx | 14 - .../github/edges/gh_addcollaborator.mdx | 14 - .../extensions/github/edges/gh_addlabel.mdx | 14 - 
.../extensions/github/edges/gh_addmember.mdx | 14 - .../extensions/github/edges/gh_adminto.mdx | 14 - .../edges/gh_bypassbranchprotection.mdx | 14 - .../edges/gh_bypasspullrequestallowances.mdx | 14 - .../github/edges/gh_callsworkflow.mdx | 21 - .../extensions/github/edges/gh_canaccess.mdx | 14 - .../github/edges/gh_canassumeidentity.mdx | 14 - .../github/edges/gh_cancreatebranch.mdx | 65 -- .../github/edges/gh_caneditprotection.mdx | 40 - .../github/edges/gh_canpwnrequest.mdx | 70 -- .../edges/gh_canreadsecretscanningalert.mdx | 42 -- .../github/edges/gh_canwritebranch.mdx | 93 --- .../github/edges/gh_closediscussion.mdx | 14 - .../extensions/github/edges/gh_closeissue.mdx | 14 - .../github/edges/gh_closepullrequest.mdx | 14 - .../extensions/github/edges/gh_contains.mdx | 14 - .../edges/gh_convertissuestodiscussions.mdx | 14 - .../edges/gh_creatediscussioncategory.mdx | 14 - .../github/edges/gh_createrepository.mdx | 14 - .../edges/gh_createsolomergequeueentry.mdx | 14 - .../extensions/github/edges/gh_createtag.mdx | 14 - .../extensions/github/edges/gh_createteam.mdx | 14 - .../edges/gh_deletealertscodescanning.mdx | 14 - .../github/edges/gh_deletediscussion.mdx | 14 - .../edges/gh_deletediscussioncomment.mdx | 14 - .../github/edges/gh_deleteissue.mdx | 14 - .../extensions/github/edges/gh_deletetag.mdx | 14 - .../extensions/github/edges/gh_dependson.mdx | 14 - .../extensions/github/edges/gh_deploysto.mdx | 14 - .../edges/gh_editcategoryondiscussion.mdx | 14 - .../edges/gh_editdiscussioncategory.mdx | 14 - .../github/edges/gh_editdiscussioncomment.mdx | 14 - .../edges/gh_editrepoannouncementbanners.mdx | 14 - .../gh_editrepocustompropertiesvalues.mdx | 14 - .../github/edges/gh_editrepometadata.mdx | 14 - .../github/edges/gh_editrepoprotections.mdx | 14 - .../github/edges/gh_hasbaserole.mdx | 14 - .../extensions/github/edges/gh_hasbranch.mdx | 14 - .../github/edges/gh_hasenvironment.mdx | 14 - .../github/edges/gh_hasexternalidentity.mdx | 14 - 
.../extensions/github/edges/gh_hasjob.mdx | 14 - .../extensions/github/edges/gh_hasmember.mdx | 14 - .../edges/gh_haspersonalaccesstoken.mdx | 14 - .../gh_haspersonalaccesstokenrequest.mdx | 14 - .../extensions/github/edges/gh_hasrole.mdx | 14 - .../edges/gh_hassamlidentityprovider.mdx | 14 - .../extensions/github/edges/gh_hassecret.mdx | 14 - .../extensions/github/edges/gh_hasstep.mdx | 14 - .../github/edges/gh_hasvariable.mdx | 14 - .../github/edges/gh_hasworkflow.mdx | 14 - .../github/edges/gh_installedas.mdx | 14 - .../github/edges/gh_invitemember.mdx | 14 - .../github/edges/gh_jumpmergequeue.mdx | 14 - .../github/edges/gh_managedeploykeys.mdx | 14 - .../edges/gh_managediscussionbadges.mdx | 14 - .../edges/gh_manageorganizationwebhooks.mdx | 14 - .../edges/gh_managereposecurityproducts.mdx | 14 - .../edges/gh_managesecurityproducts.mdx | 14 - .../edges/gh_managesettingsmergetypes.mdx | 14 - .../github/edges/gh_managesettingspages.mdx | 14 - .../edges/gh_managesettingsprojects.mdx | 14 - .../github/edges/gh_managesettingswiki.mdx | 14 - .../github/edges/gh_managetopics.mdx | 14 - .../github/edges/gh_managewebhooks.mdx | 14 - .../extensions/github/edges/gh_mapstouser.mdx | 14 - .../github/edges/gh_markasduplicate.mdx | 14 - .../extensions/github/edges/gh_memberof.mdx | 14 - ...orgbypasscodescanningdismissalrequests.mdx | 14 - ...orgbypasssecretscanningclosurerequests.mdx | 14 - ...wandmanagesecretscanningbypassrequests.mdx | 14 - ...andmanagesecretscanningclosurerequests.mdx | 14 - .../extensions/github/edges/gh_owns.mdx | 14 - .../github/edges/gh_protectedby.mdx | 14 - .../github/edges/gh_pushprotectedbranch.mdx | 14 - .../github/edges/gh_readcodescanning.mdx | 14 - ...gh_readorganizationactionsusagemetrics.mdx | 14 - .../gh_readorganizationcustomorgrole.mdx | 14 - .../gh_readorganizationcustomreporole.mdx | 14 - .../github/edges/gh_readrepocontents.mdx | 14 - .../github/edges/gh_removeassignee.mdx | 14 - .../github/edges/gh_removelabel.mdx | 14 - 
.../github/edges/gh_reopendiscussion.mdx | 14 - .../github/edges/gh_reopenissue.mdx | 14 - .../github/edges/gh_reopenpullrequest.mdx | 14 - .../github/edges/gh_requestprreview.mdx | 14 - .../edges/gh_resolvedependabotalerts.mdx | 14 - .../edges/gh_resolvesecretscanningalerts.mdx | 14 - .../github/edges/gh_restrictionscanpush.mdx | 14 - .../github/edges/gh_runorgmigration.mdx | 14 - .../github/edges/gh_setinteractionlimits.mdx | 14 - .../github/edges/gh_setissuetype.mdx | 14 - .../github/edges/gh_setmilestone.mdx | 14 - .../github/edges/gh_setsocialpreview.mdx | 14 - .../extensions/github/edges/gh_syncedto.mdx | 14 - .../edges/gh_togglediscussionanswer.mdx | 14 - .../gh_togglediscussioncommentminimize.mdx | 14 - .../github/edges/gh_transferrepository.mdx | 14 - .../extensions/github/edges/gh_usessecret.mdx | 30 - .../github/edges/gh_usesvariable.mdx | 30 - .../extensions/github/edges/gh_validtoken.mdx | 14 - .../github/edges/gh_viewdependabotalerts.mdx | 14 - .../edges/gh_viewsecretscanningalerts.mdx | 14 - .../github/edges/gh_writecodescanning.mdx | 14 - .../gh_writeorganizationactionssecrets.mdx | 14 - .../gh_writeorganizationactionssettings.mdx | 14 - .../gh_writeorganizationactionsvariables.mdx | 14 - .../gh_writeorganizationcustomorgrole.mdx | 14 - .../gh_writeorganizationcustomreporole.mdx | 14 - ...writeorganizationnetworkconfigurations.mdx | 14 - .../github/edges/gh_writerepocontents.mdx | 14 - .../github/edges/gh_writerepopullrequests.mdx | 14 - .../extensions/github/nodes/gh_app.mdx | 13 - .../github/nodes/gh_appinstallation.mdx | 13 - .../extensions/github/nodes/gh_branch.mdx | 11 - .../github/nodes/gh_branchprotectionrule.mdx | 42 -- .../github/nodes/gh_environment.mdx | 11 - .../github/nodes/gh_environmentsecret.mdx | 11 - .../github/nodes/gh_environmentvariable.mdx | 11 - .../github/nodes/gh_externalidentity.mdx | 11 - .../github/nodes/gh_organization.mdx | 11 - .../extensions/github/nodes/gh_orgrole.mdx | 11 - 
.../extensions/github/nodes/gh_orgsecret.mdx | 11 - .../github/nodes/gh_orgvariable.mdx | 11 - .../github/nodes/gh_personalaccesstoken.mdx | 11 - .../nodes/gh_personalaccesstokenrequest.mdx | 11 - .../extensions/github/nodes/gh_reporole.mdx | 11 - .../extensions/github/nodes/gh_reposecret.mdx | 11 - .../extensions/github/nodes/gh_repository.mdx | 11 - .../github/nodes/gh_repovariable.mdx | 11 - .../github/nodes/gh_samlidentityprovider.mdx | 11 - .../github/nodes/gh_secretscanningalert.mdx | 11 - .../extensions/github/nodes/gh_team.mdx | 11 - .../extensions/github/nodes/gh_teamrole.mdx | 11 - .../extensions/github/nodes/gh_user.mdx | 11 - .../extensions/github/nodes/gh_workflow.mdx | 11 - .../github/nodes/gh_workflowjob.mdx | 11 - .../github/nodes/gh_workflowstep.mdx | 11 - .../github/privilege-zone-rules.mdx | 160 ---- .../opengraph/extensions/github/queries.mdx | 695 ------------------ .../opengraph/extensions/github/schema.mdx | 169 ----- 171 files changed, 1 insertion(+), 3378 deletions(-) delete mode 100644 docs/official-docs/images/extensions/github/gh_app.png delete mode 100644 docs/official-docs/images/extensions/github/gh_appinstallation.png delete mode 100644 docs/official-docs/images/extensions/github/gh_branch.png delete mode 100644 docs/official-docs/images/extensions/github/gh_branchprotectionrule.png delete mode 100644 docs/official-docs/images/extensions/github/gh_environment.png delete mode 100644 docs/official-docs/images/extensions/github/gh_environmentsecret.png delete mode 100644 docs/official-docs/images/extensions/github/gh_environmentvariable.png delete mode 100644 docs/official-docs/images/extensions/github/gh_externalidentity.png delete mode 100644 docs/official-docs/images/extensions/github/gh_organization.png delete mode 100644 docs/official-docs/images/extensions/github/gh_orgrole.png delete mode 100644 docs/official-docs/images/extensions/github/gh_orgsecret.png delete mode 100644 
docs/official-docs/images/extensions/github/gh_orgvariable.png delete mode 100644 docs/official-docs/images/extensions/github/gh_personalaccesstoken.png delete mode 100644 docs/official-docs/images/extensions/github/gh_personalaccesstokenrequest.png delete mode 100644 docs/official-docs/images/extensions/github/gh_reporole.png delete mode 100644 docs/official-docs/images/extensions/github/gh_reposecret.png delete mode 100644 docs/official-docs/images/extensions/github/gh_repository.png delete mode 100644 docs/official-docs/images/extensions/github/gh_repovariable.png delete mode 100644 docs/official-docs/images/extensions/github/gh_samlidentityprovider.png delete mode 100644 docs/official-docs/images/extensions/github/gh_secretscanningalert.png delete mode 100644 docs/official-docs/images/extensions/github/gh_team.png delete mode 100644 docs/official-docs/images/extensions/github/gh_teamrole.png delete mode 100644 docs/official-docs/images/extensions/github/gh_user.png delete mode 100644 docs/official-docs/images/extensions/github/gh_workflow.png delete mode 100644 docs/official-docs/images/extensions/github/gh_workflowjob.png delete mode 100644 docs/official-docs/images/extensions/github/gh_workflowstep.png delete mode 100644 docs/official-docs/opengraph/extensions/github/docs.json delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_addassignee.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_addcollaborator.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_addlabel.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_addmember.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_adminto.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_bypassbranchprotection.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_bypasspullrequestallowances.mdx delete mode 100644 
docs/official-docs/opengraph/extensions/github/edges/gh_callsworkflow.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_canaccess.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_canassumeidentity.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_cancreatebranch.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_caneditprotection.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_canpwnrequest.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_canreadsecretscanningalert.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_canwritebranch.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_closediscussion.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_closeissue.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_closepullrequest.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_contains.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_convertissuestodiscussions.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_creatediscussioncategory.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_createrepository.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_createsolomergequeueentry.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_createtag.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_createteam.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_deletealertscodescanning.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_deletediscussion.mdx delete mode 100644 
docs/official-docs/opengraph/extensions/github/edges/gh_deletediscussioncomment.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_deleteissue.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_deletetag.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_dependson.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_deploysto.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_editcategoryondiscussion.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_editdiscussioncategory.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_editdiscussioncomment.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_editrepoannouncementbanners.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_editrepocustompropertiesvalues.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_editrepometadata.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_editrepoprotections.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_hasbaserole.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_hasbranch.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_hasenvironment.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_hasexternalidentity.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_hasjob.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_hasmember.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_haspersonalaccesstoken.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_haspersonalaccesstokenrequest.mdx delete mode 100644 
docs/official-docs/opengraph/extensions/github/edges/gh_hasrole.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_hassamlidentityprovider.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_hassecret.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_hasstep.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_hasvariable.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_hasworkflow.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_installedas.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_invitemember.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_jumpmergequeue.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_managedeploykeys.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_managediscussionbadges.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_manageorganizationwebhooks.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_managereposecurityproducts.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_managesecurityproducts.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_managesettingsmergetypes.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_managesettingspages.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_managesettingsprojects.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_managesettingswiki.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_managetopics.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_managewebhooks.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_mapstouser.mdx 
delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_markasduplicate.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_memberof.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_orgbypasscodescanningdismissalrequests.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_orgbypasssecretscanningclosurerequests.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_orgreviewandmanagesecretscanningbypassrequests.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_orgreviewandmanagesecretscanningclosurerequests.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_owns.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_protectedby.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_pushprotectedbranch.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_readcodescanning.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationactionsusagemetrics.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationcustomorgrole.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationcustomreporole.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_readrepocontents.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_removeassignee.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_removelabel.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_reopendiscussion.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_reopenissue.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_reopenpullrequest.mdx delete mode 100644 
docs/official-docs/opengraph/extensions/github/edges/gh_requestprreview.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_resolvedependabotalerts.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_resolvesecretscanningalerts.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_restrictionscanpush.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_runorgmigration.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_setinteractionlimits.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_setissuetype.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_setmilestone.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_setsocialpreview.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_syncedto.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_togglediscussionanswer.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_togglediscussioncommentminimize.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_transferrepository.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_usessecret.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_usesvariable.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_validtoken.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_viewdependabotalerts.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_viewsecretscanningalerts.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_writecodescanning.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionssecrets.mdx delete mode 100644 
docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionssettings.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionsvariables.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationcustomorgrole.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationcustomreporole.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationnetworkconfigurations.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_writerepocontents.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/edges/gh_writerepopullrequests.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_app.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_appinstallation.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_branch.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_branchprotectionrule.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_environment.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_environmentsecret.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_environmentvariable.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_externalidentity.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_organization.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_orgrole.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_orgsecret.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_orgvariable.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_personalaccesstoken.mdx delete mode 100644 
docs/official-docs/opengraph/extensions/github/nodes/gh_personalaccesstokenrequest.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_reporole.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_reposecret.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_repository.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_repovariable.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_samlidentityprovider.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_secretscanningalert.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_team.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_teamrole.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_user.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_workflow.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_workflowjob.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/nodes/gh_workflowstep.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/privilege-zone-rules.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/queries.mdx delete mode 100644 docs/official-docs/opengraph/extensions/github/schema.mdx
diff --git a/.gitignore b/.gitignore
index da31ce0..cac8bd5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,7 @@
 # Custom
 *.duckdb
 ui_catalog.db
+docs/official-docs/
 site/
 addons/
 collectors/
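Review bot: The new `docs/official-docs/` ignore entry carries no comment explaining why a directory that was tracked until this patch (the preamble lists every file under it as deleted) is now excluded, and the subject line does not mention the docs removal. If the directory is now produced by a docs build, a comment such as `# docs/official-docs/ is generated output; do not commit` above the entry would tell the next reader not to re-add those files; if the mass deletion was unintended, the ignore rule would hide it by keeping the directory out of `git status`. The rest of the hunk is unchanged context.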
diff --git a/docs/official-docs/images/extensions/github/gh_app.png b/docs/official-docs/images/extensions/github/gh_app.png deleted file mode 100644 index e3d3ba189337847f434919c62eb171a4357ad3ad..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1136 zcmV-$1dscPP)?1=kkT9NG;mG-+Dh z_7DTr_Mi}y96SXz>BU1+8>rBtP4pDkLL^0qrBFAAsFx*s*nlgcyJ*?<)LGZVBm~;S zyE7SgW4F7rrC9zN&tD4qP-NVMf4{GcL6_ySRMoF0JQXWf{&# zIv!(Xa)eCkfSmD*IWh$aNWh-9=3MHFiWpadMWLqV14xK0T1T?qX zy*{qbukv4FX>>p(aUvWR-I!^>)8gzRIJ;1EF*&u*<2yIG?d#ySuY=I!2y$w_=$zo} z0*!6$AVREdY}Eq}gzNcw`ANZ;E7=S?D?hWdvWSw+oanRGH_{y(raSm$!LX&{F@74l zq&Ck1iP~Ia4)C}G1H53EFa=4MDlwoHi?g2UUxN8?ilB64b~WR20B{~jesPM$f?oU>*vO!XGOCe!%nf5C9IZkD>XHAu-9ReZ4qs)&dG5GkKKbBQErvR76`-Gw#43 ztxgwz#UiH47+wEGOHxu>JN}6&{1Y?Snwkw`H|Azk0!zTdD$?;HI}aBPM69+3x<4PL zJ2+fbI+hW4gZ`J>Vcdbws5@gdEKqmGio@H3>%)&xj*m1~x&s4z`ppkq=(}V(PbI%R z7F3DPklTCtSF%mOZTI$YeLiHmP__8+nqMUxMPy*Zl}yfcWRj6BmPQ8+sk9m>*$hjg zgR1e2-Z(&Q{&?UC@I@wdV12n0<{j6&rkkl8q~kG`$ATR0#q`D#`Z2`{lTE-4LTdX) z#w#pL=7_FqVLajXatNp-#u4QiAhMV{FhGmbh1FKCofc7=WjWjvrCFX5&LHlbRTrxc z-~p8vrw=$~aheYa;YPJQm&k<(;bNJ$<@qLM{_(%dJfUob&Cmn@0000ZL1-IC6ox;m&;}Vv+k<=&j#X&ERty$I)xoAHu6nUAm4d`R80epDfE!YP9X=!&|>vgh?P?e2IbaXf-Q)15INLEm3^!1ppy#KDkwC`p*_sb zW-RYYE2%#$?9R--|DQK+=FJmcylt$pYcA@e3^H@|H$+a_gkVM_5}*SQ4bhN7%`&TmHM8%i|A>f>>fR zu%&a`PdJ5@?gsg(Bd2hOX804Nr=sn<>jMP~>_r;!t~viEg7B0t|BLL99HyTH5mRhnmy zf9Y$+k@y@pe>xja-zH||VU=_l0*J)tERD>kugKu(3I4z+3z-$mzF0CPUlT5jV6a>J zP;^H9!7*aVl&wvrJ!lH(XO{iK?J;+m&jpML0nX0({{xB#!mdsOCHjp4CvXABAhw4c zBJnxg9B% z%9+E*3i9sI2?|&B9pfeS=Jl(t+wJ4e=1l`{UcWlk=k|E{{K|FG-+kXzg^^uOu= zt6h&`E3}$AmC`;NnJ)oY&TSEj&Nxb9?MJZ-k(cv;Z7OZYu-9jL1B7RsW>AGAj}Zf4 zWTs+ayK5{A0&!_I?}=Fe83PSOX1sLpWS3ZSk$2xa*VSOFsq@j)MZ%wa>S*kp^kumN zRuT2XnJd{IFcpfG0000_i%O4Xs|3W2!2 z8{*AfvK2d|L!raDQ_>-g10BM3s1rKmmW#3+g$tYl9dvL|-H^kh9CvW1c6fTqlP&Ay zOf6)EEx;f#br#rfT7*N(B=SeJ03y5hue8c%RSwpz$B}o6KJ{U2&)CH> zhku^X?e}!xAHacY4;Tp7^J3$1Y|S12Ipx-a7}0O{o7lzWA@a`-Yq7r5${v<+FKW9T 
zk56{Lkj;6(&xMT!h}}N8;acty0ClU%qm@knnt%KFeHHW5 zM7uNpJhGd~Pg7f58?rOBIZAp#1}iIvi0wmbDq-qHUTi#$+WYo)qODzAX5Ze9+D>I} zWc*MjVCM+qwW${pjird|8Qd9Zr;eosFNMp91f=~q3*3&!ma_|p$yFx&= zI6rtKlaRKVA?6)3mu5IFN_t`F?7t0@z-!>HA6#bg!ng!Ua66uSy~rV|7<`ej{ucyc zJOP48fEzC&Vo(&n6QK&1pF`Aew7sVz$(8ucSM6^{+Gd3kqT4ybtaRp|;|G^R#xlm& zt?I}aKMwrhQZ3n>93n3t0I_g8hzZhjKvpOm2SD)7(s33frDIu;1c*smPhLHvVy;F7 ziJ{G584Cpc9{SWQ&6Uj?kq7-N%B_d;1Z)xRy}^>q0ZNu}kJHND*d%E%cR!bFe}Txr z0f>4a5*ZG3rQ3u4)vbxe%pXYdu1XH^nh>B5oB&_?!JGV(SI=1d=wtM$*&C6&9glMB zp^PJv+*fVVE+!680+GM#*2Y*DlPzagJ+3jgXAvMp)DYJ*KxDB>SU1k(r=rv1c09WM zzi~SrE%!JUIT0JKnM9ry2GC;s%V~>SUQP$0A>1gh=NjP>AzU1AeLZ)`IOG2SW0`}Z T$-*GB00000NkvXXu0mjfD**9^ 
diff --git a/docs/official-docs/images/extensions/github/gh_branchprotectionrule.png b/docs/official-docs/images/extensions/github/gh_branchprotectionrule.png deleted file mode 100644 index 9dbf139c19fd020a542eba9fc69d59fb915b73af..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1071 zcmV+~1kn45P)ZKWH0w6vsclq)CKp`=miK4%By!As#FwQ&Nm*(ywvVgrIS0D$O$y26m%vYT5!&1Xp>5m_$)^#tp)9HI{B>A zopf>^9NfS6-uL(3@4esm4bZ!YKpaQ{lH~%>ELQ>80CW$wT}1*O0RMWt9#{Z6%7Du^ z5m*4y=8O2WpJXgZbYd7O=tBzm08rE_daZ$?R>`lwU~Bi#Y9|9M;Sdog03z@RhyvW0 z8zYmNY&q;ETDeYUWryYU7v?JknC%3j6M$&bxfqd$$fu`?P7L?txLp*rO7d=ry~-P! z&S#ro907>HE+EFI{S@xZAin)pU(QX@UmuaYTVi8--vl9JiG&qEE9~)UKgGrOPUW~= z5}*HUf;f?mGnRk81dv1hR(8yV5nN%j!q;oRQ`Y}s>f)en|BU+2 zqgCo=nfigk07mZj0e0`dZwqDmn_pS_VXxzgx=H%F#8 z0Zuk7zN8iaDQGXF=){oiomc5(!%`(90x%9Z)^SAcuMNBDS|Sh?x*17?{e1)IMOOg! z09#`*C4FtYZvalZidr>qw*(9pgI4JbKnnSYhXbCS$HM`~v|1XO-U47jWs^+ml4k&J zIu>7=fWhG?Y*ri<65#;z9#S!XZJdNl)bhtfr6ABel{U8b9rpo1?)Fqq6%mn#$=#lE z{H~SjR?1csFwW&=fXvE{tMTIE6;}`ud6?qj6;~S;AIpI5={Rl~`Sv;4Hn0n+NirX~ z@0Cu+v6T^JfCVY!qm;Yam5Ld}^SPmzy401B=&z5MNk28yoNfBEQL-WsNrVGDy5}BB zuM++ACo}h37$>ma4!{JV0V9cUfbYME{x78T!+Q$FXRiPbFw)&3rR~J;4X_5Jv`YQL zkEOqeT^?c7f4(p0idtp%&Mzh>IKWuBX8p%)Few5NFwXA|ZUr1Y59LGP+d>BmAJ2qG}ET#}K3{oR3W3Ys^4u)-nhOK2x z+19Lmv1QRW>wM5XsOj4paqeLw86(2j1{qW%16N1fi#}-M9&U-HDrEY${2T0Td$>8* zn`;tp)Gu7P_ndRj_j`WlcYeR$Ifrpbz}r9ouxlQG9nF&feg|?5%v~3DAPW4~;1ksd ztci1V`Xpc+7#0m4ubZAeA5ND8tIdM7y%hjCouQB~A#ZJyh$nfnwXL0J0(d|Ti_{Vz z0gnJTz_tEf?v4gk!sC$L-Dh?>$}jUvqG=PjTunqZ0q!!n)ai0CH8+a$VuvAOJ>+zT z&-%ysYwv(E`Q@^hngS%?86bJQZX)xOn5C8zkqZ=ZMMC{!tgmhg5f{){LMuQuyT|J$ zwir1Tu^uPVmSVh7jy zd&TDjC_W$oe*^rw^+Q8P?a7}{k<%Ff)>k)?x3($diWTGZ{*>L_=Uvwa;`7BO;F1_< zguIX|aes7%L_BFos2prlM4g}uBfj~l%2upavb~P z{d*DBs2Bl38zxPO+@FU={38ji5Tf>Q#AEp=^oHpd7dIV|&w!-0dS+=4idPe`0!k>=`+-O#J$@xfnWbi;3z3Q#pvOmpH;67oYUY&e?!LBUTWLbc z%ijT?%uYv{`ug+3!Fva^*(?<+F-y(F7L|aswz{bvKda3`kKb2w)dC_tmpOByAhDxV zLj1h?t*Sl|Pg2O2`1sC^x|14(oX+sR_m=p)0PJWhq6uK!+TO}fsc%kQ6X;RM6}j%a 
zEw=d!H0fACLh*;LH+3HUI(ckuil%j`^$f_z6irryP51?U1L z3EjDOv!QC~t8h$v-Yd**M1T-6j8Z@XN)`(Y^x|}N&|-c;JuPxNL$UA=@>YgKd`TPY zL2VOqRDj8r(rBq~T z8a3)zmS#x12Crplm#7;-f=sQ1lnxacpe>3(DpJFM2YS>S*0xjzXF95{M#2XU=H~Agl$d{=!p)W zIRm&0+?E58WRS$AFrm1P9_~RO>;=FwZOX+8)~?O=a*l)D7wUgzfba3Jh?f8ZSOG=> zE>1*9-MruuHiP~2CF=`2WFGCyp+A8ujYKpOFzS#S1Mz+)?~D*i=q(Y~!!m6irZ;(! zFX511am08EFo3@SBa#gA@!byz^mU(#T%ug8@G!l}{??%sF@$0Xt&V&}l3$-qy*4>O zps$>8aUX$)fBZAWv z5JQ-r8}}~z`h4#573_QoJ>0|C%?ki*EbNG}!CtXALMj4)rGBuk5MD*u`uNxwi(78Afk=+>(F<=0<08-A5yl`OJ07R2- zp@)0iaXs8aD6ZG6@q)r}3otZb9K<2hEYIuxu0qC)-x>gYu$O^&zwC~8AfR zkFlQ#^Ouh*GOeofM}pXXR-#-yCeYXA`LE&0D8K!X0l3zMb6!gmHiDfm@nCw*-JNCH z{P^{H!?oMXIn2j-Zrr3XBn{V1*0eelT;?_YhphP+&?h(hM* z7(_v`1ho~Bfry8ZXfo*D@n?m_FMpT5e}cGy3-tn|h%9hEnhbLFjEd5q)0?tTd5*Yy z+@iFzZv8*NFTkgEzVzna<^hB68Jr6SPDL*3M@#JdIb!Eob&cP{WEB_zaet3}_U?%u zCL4=?srg=G_ErQ)5w{V~GoV`2g%Ub}bKUN(W|=nSqlz2lb(xe#RNSY2tj2)*ocwWm xpVxex*26%UQ9jQN92X%>T%h_qU!}zzzXG(ib32W2v)2Fs002ovPDHLkV1l28;nV;C 
diff --git a/docs/official-docs/images/extensions/github/gh_environmentvariable.png b/docs/official-docs/images/extensions/github/gh_environmentvariable.png deleted file mode 100644 index bee0e8450034ab7af47f11a39ff9b29a9d01412e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1009 zcmVY7I01KQ8I=7Xvz7$v;oX_M zS$D_XWSc(>%*Vt0|MNccywCsHLF3SXBrpu<(g9#fM;e#~@=d(k6FM*j{MY0$B?+vH z9Ujj#;1Y1wxsmAWVkjOarmO4?buDk&AxPQJp+!`5>ZRQV1-iw8;cb#35qp6`@m$ARH!MCIo92l()VowO1|@i4zV&QY@0!oa`446LU> zM=U+5@k34LJZqIX`QsC^mc8MAOb?P8KjdB;W`U9Oe>j)>0Mq%*>%idgWDj3`7HNtc zVB$`Oxy&n~5tX0Me9BNf%%cU1oMjX6`xxlm1;8Gyovc-M%5)cyRuK6(0dRVxw`p>~ zEjN+t-5g7N#MtNn01xK>*$^vnoB%WhI09mmX|&GkLG5g-c`l(daMGUi0H|CSCe+_m%5|^$x0``VFJOxbL$#{~l3oURXwd5HS@Vn^=DnJC-a{gtM>{ZX_Qkf4bUV+;I z1y}~&*+l+NNU2;<5H7~)Slfb*w!tQX&MNL;3Z@Nhhs|9jg6q}Po~TA|XF z<}$ChcK@vpqxFj|6dfB2IZ zxfOr~;1uu%YMW9M2qyY=GkI=*i%jWL<}$AU3W#*OrnK7ly#ek6-{h=v`=dpR{*N{G zXziOKH_QSje|mx;{`vyKdzf;J*I+UO41nn0qfHJbzoeGrdS9rJH#C^YBF-YlGeGq5 z;bafdh)TfU=2nX{nmu0@qgmCidIjM*H$ANCz-^izPH(ft;j|hWVi}$BT%(dA#1iLO fAJ1oK@QdF9`qxoc*w93B00000NkvXXu0mjf2%g}l 
diff --git a/docs/official-docs/images/extensions/github/gh_externalidentity.png b/docs/official-docs/images/extensions/github/gh_externalidentity.png deleted file mode 100644 index 0522f245b1b522c701133099811361bcd75ba6df..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1042 zcmV+t1nv8YP)KM)66XlaREs6k%DiLwcG7d5FDE-A!a2^6Kon~)0Iagb+9TQpKOdg`iO z%#8AEk3MWGIWRCEZ{9iYzK?ru2dzT|&HxD@C|v+M(zOEo29yuccS8h$Tfl#ZylzPX z>!PEq@Dm3 zcmRw6oF0#JZt{GMuo+CV$o;id9zD!BuO0(u-9)$v7_-UMzQ6z%FKGn&2U{ZE4?{1I zzL}y_Dq@qLwZ+sGpaRbTbvP78yPQN(x{gHdK!^(In<=)p@{Wj;NRfDBANd0yI2;O- zyz)6-ulHEw0A8<`Xe`dwW}Z^1=mRE!AAst90bc=$zQ6zHlxr~v~2phlWs8+=Z z;9p=Jz+-<80-pk0yrdmF>~2t$F0{)@=kc1&Srae|)@ncMf@=kV{y|QU$DPMnM}P`w z0OuypzcO+M5{Cw;9$*5jL#EYzejNDyz4QeJoW}_d*4fU;Xr$qf_g0o!T)5GcAhmFV zpI3ft*d`jQO+%s+doeVc`{lc7a@h<$Ekvkf7TMm+BSeL%Y0b5b#1-^70_t_{kSmIU zHj{L1BSV`>q9_WvY=-5#Y1cN2qBytRoxl*_I{)`pmdRzU^IQnQ{I_2=6(A#*&EQiM zE+nS*yq6*{<~i`!YepyV92hdq;(;h!NK8=`!k&UIKKl5xrsssA7g$`FLx>8|Sp2}~ zoi;W$JXkJDFQnkSm(e`P6m7(nEU1n$2Gn0!OlwCTY1bn)6hL0m z>mDp~kOsKFw))BiNE~UPyeAtzdYF;tr|mHGg6tD#;iVxdW7)HbKb}4z8jH8xkO)y> zabb?CwF9nW)en0d(PQAfst_j%&!5Q&qb>M;{%ijE`!9eEAc<|s+)U{X&>cDz=7X8` zn9@5-DYiEA057m|kE}AHb(5wY*^H1*$?|=)2?& z?xgF$yc>C|2m-e`d~tf4V-~0Tp<;#6DbH2xDZ&bInV04HIxUX)e*h9>0Czh)=>Px# M07*qoM6N<$f{%jPSpWb4 
diff --git a/docs/official-docs/images/extensions/github/gh_organization.png b/docs/official-docs/images/extensions/github/gh_organization.png deleted file mode 100644 index 402f415250f7a1439ef2d148f70f5b83496511bd..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1137 zcmV-%1djWOP)skFge~ zM8r&h03?7AK>N8cp%3~r!dfVZ604si*t)r*zFGzPj6@g-2r1-(E9jwTatL>qw=UvJ zEVWnE73na%oA+_$SKwqwweMza_D(& z>Fp!uycTk)4Bz*DshR;G-K-enAg^{kxj1*1IU0&u-Phk`6 zbdJ8HeOE#cfV;~}`?;`M9pk_S3vxarfY(>v+gEDyr>Dp!w`=~HClX*__98c){OG_p zU$lchT}lh0#JAzkRMTYzdR3*>>b!IGB<`Rb9e2=6=jh3r!T?J7;y&BqbKwelRI}HL zytm_vc9>4$i3I4r8pRiV4uI~7LAtL->k?puXJcXY@oY27ey#qU5wgi`=Fdz~5ases zzIzLYPcZe@!{)Rfc&Fp?YXWLbnEj=^77C(7L6i*r+(9qh6N6>jprUl5oL1n3EWkYf zjy8eVy)iBCFHS^>-5WFXwK?s0dIH)oj6hjb$a>(b5iHdX&Bo9S{05vTh>~d(3Zg{( znF-Ba9-Cu%Z0^XUxl~4dT(ctIVzdQT4URSePb7e&t-b|l23=|HY65cW88d$kk;x$j zW-k(%9BN2_jw@|NzQZBT-EC;n!(cP6T~uy214{rq$u!m00f2NTi^XC=x|22asfB_l z>91@{O+XR(WD1q?MSQQ8cSM`h&Vz*w{`u=~0PZhruo++B{=!Dt=eV7hzkY+3)?@4> z(>U6MeREV|`NJPo0XKk~|NC*Q?gMGy3P56Hrt0x~RFv|2Bt~Xb^NPYrlg?)q7%b(B zo`=8wp+7Jl3w{{*ibop{0oH)GkW+7XDNO@TPfvipZ(@(-Qkocvt7l0bIo;Z((^TPK z1bzZy1##E@U~!YDUU-_8)?-H^&!sZVpP3?;%BtkOD4|zTtua{wo(E`;g$ccX$j0Q; z1Y6~LUsK5IYE1MZE+e;RfO4mcg>eTx*pAz^YRRQClpYnyt!LSauju!BkQdzNM&$Lv z4_xQ)&FOU-Y)&g7Acs+H&jpkeA%}REa(li+oqzlvKJIPR{!(~U00000NkvXXu0mjf D3oRE8 
diff --git a/docs/official-docs/images/extensions/github/gh_orgrole.png b/docs/official-docs/images/extensions/github/gh_orgrole.png deleted file mode 100644 index 93a4fd8e43ff6f081721de7e1cf84a72524518e9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1152 zcmV-`1b_R9P)eB9LGOyixs+wlMv`)4q0(wL!rzB4D=wlds2kjg-U`{ zaDz${a_H`%(1XOaP+W@Oc2rYKgkOPg#A;dUlN`#mDx2GQc7(7I7mW z0b76qFfcw$GIQNh=!KeAA)C3&#>$!)Qh|6Q5{(EbrgEuAj`DH#6C%n*Uy2W-td^Kg zr1|Gr6;pZKB;!gz0-ger+~3RX+&n?)^s$r+)b%~46KRTt9YLZSnqFeTg`m z-)-<>cRvLD2jt%c3t~f$tZ-rmPxCC!$0dNsYB6A8(TZBMuykz)2wpyb3%6 zF4VM&?`#K9)2brL@WzEM-!23rAekrzFsc}8TGf~EdiDqFHx-*86`No?x9OPkLS476 zvThL&{%pp2w0nrTYq!|WZCZy>>F;GEHO6*sleufR80{Xif1%4>mM$%TQNyvF+j14C zX;sqkDQa2;05!h@I8L)QR?{lxT6c@CXRSgd7r@L)#lnuI;4re8B}bGi7JjF$@1quW zPzyWM^?iya0WczBHnZgNF%^5smJeX$XWv6z<~Qqg6*KHl0ZE!i9(% zUYAaBJGWpXv&Yn>tKw|THXD3E$eUEf}QYhcGD+gyy2=Fhk4vf~cYRAKkUwHHFw>;}THG-6$_d>a5 zU(>8H$pbRLVDeqYXFh1DFOU}-f;oZBOUEkSBgTK-n z?)|y%_r3S~{oe04#rQCQPl0)$6lnmBNLv9O0qsNlI}s&d8F+Qbwj2={i>ZV$1NZ^B zCOfi~JkztMQOz9bf=0Ta1K`zceAmOP+c?!a-Fn~V7lEINIgvO42JjG=0nn^6#zG|| z9ED!fp?!Z7x4I>}{sb-z6ERG{Oh9gAOoLP3%%YyjjYT{NuV&M_wZVSNB_O{Lh=~nqy_yk2)k3=rvJ07iD8|-biq=+(+lTZf8A4>A#ZR?H60Tf-Oc-tad$@g){ z@#qQs1bm$_4T?+g?sseWj`upz(nT`n@ays&kL@d~@;YuJj58EaLL5Es-no=` z=l^{5E4`*mx}ae!Q~+q--wgV6-e3MAcCA;l*}1wZKg&QvUcn*=YfmEId)A`YbO9(X zS!kAtW|DMP=lkF zbK(%;xC|HyFb5*YjPi5e^DklCyHANBODk)MxI%YC}Q?0+|c1iFZ52sp>9hcVyoK%1hgn;ql{Ba=SX){XF#7RH_ z{s!U0lY&Tbem*e)5f52WfOUYq&DKQh zpx1PwDcib&NDl6Sc-8)IL^$pd*Z>4ClUv=2T4;!*AQgvUYrL8r%@Y>^Qc@TqH<)|* zWCz_cnNm~XLef`Wmm?E{KF=1^P2017Q#6v*+^R z8-HBbzVe&A`=^K(xIHL9if8~Qv*+^Uzdxp=^v4aEsJuYDJ)sq*2Il_@{0@A%-*ivB z{9}jgho?xr^VX5by_(JL^)Ajz~B3heH;N& z#5F{D20+Hlp?_9JHFGG_YWS*oH5al~y7%JX%`-0^={baNX&sg%3`00006; z>p}WCzsR<1$6dZ4&`)~k`_+5D_j~UhpmAuxDWD&SNEg7mbln3Mfm{>c_C*Ak2L5aE znwA9C!~vgo8gLC577tS0ouqq1Bw{Mzt`5Ro9RTQtO}>D+m%lRxOj5%m zwFGFuBOnPd*msP}7v3)u)`MvknV4N;ZvMG=v<#f7CZd{vq)V>Fqbie^k|bimhKRk; 
z4V$6yB}{7zm;8(?rltT5cm`;x?oOshdkDVWwkL7{d$YvQ_!8OG4I$zVplj0N;Y2t{qd;Ew>M7E{?@_Due5-4Z-^fk|0ZA94gvoH8QAea z1jqF(Or2~x=BBm9z(^L;D(-rohy_`gI$2)phRxZFKa1sYU|n$+W8m!ey==IN*)>e7 zNIV+k?#&d_qdlmBHgv=0n;)L-5;WL%Of1L1@qh-r1X!B+xZzZj5lY_&VC}nfdDH%s zeZkQ965jn}T19$3dnlGi6yP*Chs<8cWyl#*D|^CS9mJ!mSe{mJ&UVthp_a(Kh(}e_ zKpXLBWk?76!s5375bk-Mh^ZBZGIS%)@U3NZ!>(x)O5Z0D3v&C5B#D^Hlkd}2?If;< zA_UZP|LE7cFZqs8n~B*qUmG=04o^@4-fcucGsqW8zVD?>ODcYb`vC>`3#d3m{!d7u zTv2ekn0*x>g(z1Rpd0yG_HP^#*Sdn!!|~wP7yBk)Zr&8P_Y~Z!lwIA}moS)CQEu5X z3Qk>~0etgU%H6u~vz0hzfLz1n*tE8|`juWc$JIa^lb4cJYeBVgEO$g>z_oDKVHT!N zwcLt%VQ-c=dvQ_phu2-cT^-Rfa4uii4*mYeOSxdY5u6|Xg+HGc09Js{fmh%hL;^XS z(rjl}Hy9YnVsHApyAjx%B?d;aV&mB^N4Y8WHh!;w2f(MMwbh>a?H@k+;0QZO-LMP7{`B(`@JkXmaGXeI2&jwyWqxygyyiTDLq6m5b)3h zrM~JO~vUh^~iRJk%)|=%q7hB9bjQcG-;^UE9O# zJDFW)bTs+Hz|K3*zW?Wap7;4`!aHQ38#n_bZ4ZEEd!~Rnz}UmyJ0c0(2magRbKj<* zE1GurCIdHs%VHs$3endUC8GpU5gI?HRY;u)H`J!0*9XRQvgp&fDHFCK_32^UxE16`_6LBL{t-|Lw zS9t!+qz3XQf_&zB z+dGp3$kAqIuD6j*h3YuOce@2{1D86K05jJPdnTXA7nxotu~yy!Afp8N_Ea1t;j5D~ zN>xr=eIeX2ig`IL1(KMi=jr$nPd?WRo1DG1f~r*|L&>G%=Xdu6{KpHeWK&`50J(I? zRaU@uk2D`<5BKHtLW%EsiU6=taa11|RNUa;I?<9G-dA`C|W z9_5R!SKv_5-6-rFU#u)QM5dyI0o{$(Z-ySS}sn*K2M2B67ngSN|5iU&O4yMxz2k2@Qzn z(jk8O{{1wi=WeZ#Us?xP!>m14Q`)%uIxqvA(+iuS$7-45ABH$6dk--?RINhq*s>_$ zYnUh3>@qtICbPgXFzffw9tV^0$yIy2*O}dm0z!$)nBy4$8707AcZ`e@Bp#Nms-|ic z)?U{}v$vD#82RjsIy zB9=0cj0_cpG?CIRVMv!sPL@s?j;&KeC1*m48nIla(37A;oy0NdVlbEtuixXfeP^FZ z`j<|+d)|-#^FGhL&qoizp#xWe95Ajt0K3X#0)GLeF7|GVaUc(zb@}8K1%1)eW=scu z0&Yq{+K4ba)rXOcFq#N4mIwi0*;NjlGc3D`S*Y;BK2i5s1McHv5kCcV;0Z7Zkj?b7 zlpAshJ7KSQ$^-L|%|bETQf$&90}72>F$f4<-i~j%wsr zMo1fx1`au{THqdVBb5x3U%3>R+$>ah^6ZGRQv<+AMwp+AGL~puUv_F-TYV+nv5xpT zT?NJwrswgkkw8A*D+<$EcGYuy<+~X3bI}HwWmmbj`dWTo26p9deGiz-X8QSNrg4!M z%FY?{KfmVXzbC$P3OmQdq8bxd&JUA_huABg%4>QFFg1if766uVLmkNhe);`?z2a$$ ze0HjzY-WI1-F;$StznMBu>j~AFbyKe1i9yB=Zww5yB7IqBE-gWoI8ud%ue;W^5(f? 
zi4dt|Sbk1xh}hn+s2!T3oQp%}%zZyl-nXsembtl1zxx`d9yGMg7x9*{M->8f9MlDtp8=;4>g_oVR>j;D@x)+agmeFxge8GYb`d z{OxVv`Ke??^|vQ9;2)r)-?}9iw?g+EQ-arX4N=9g-$sFM$+MXO9^d+;B^*mAx1x)fReP^8o*|u;+tO26&U2JfML5CmR(ir#5DkE?-HUmn0~r*L^d-(U!+GC4~*3- z;Mu7@KL0e#MNoEXT)+E9-hg$)zt>O^>4^VfLY8D76JM{slD>bA$iSs$1*8(YK>U9y zO5Y-Kk6V;BCx8m@2k`BFvDW`|=a?_9L`cMg<%wokc9rXQ-(cCNl6;za;FD^K<_*$WgM^+Wp$qv<)1v1%G);@`&1d{&{i(`%2>i&1C!zuG&Vu-t);>{bO%wZUh$0MzqTPn%V zTQT~<5EjJ}E9Lvaf|pByb1D>Fx@SN_Pex)cSJ%}e^pG+#l&kBJWGE>fA45bWtxq2# zF-vSb{)wh#0gyHfRw`>F@lV9Q1Vk2mmI3F5G~f%M4J13Z9VrVWI=0RG_CEkzOnx&G zZ_~8orxinVF?8&9B<8K!GXS&ImWAnA_UbRs%!NToSI09zu`1B&{KO;=R`2qv zzT*XBu8?P?vc{|W4i8rElAoB2B&!cQhUnqg+j$wt(6Mb6XNq)e8^9|PsUw7lCvxaM)o_J&P^u$dWnKNsG>Pn+^tgiERP#ea?fWq^`&rb(_ zs}!XeN$8TvUyjwC`cGldw@T*eNoYA%8M=CTb#x;#6FSfjK z&vCeZ<*JMguOacbWCwup{ZxTpf7=^LVHmDm{#Lf@7NP<>05N5a)1Tb=uf;zNAnhG&G%291-F!1=qpaLygBmJ7v2B z3VK~<4?7i8b~bL89z3+oWl&e4N8_a_Y?iT$LS*9Jbq)ij2PLn*#u*Z}!}C7ziSd0+ zY?m**kUW3h@ArLvf1cm(4D~|?J_l|ALFEBhSDqKZDlN&JMz!CWQFWOeMO zG{-}Pb5;Zd5l2to%z~@USH8N+K`u+X{}NrX`v7bvr|hu+;U9l>+*>d*td0-KzgK{D zX@WQiZ+9cNmKHh4WdZ0(%;AfU;){;blb8d9_ghPgj{7@8{rI9I@^2i359mM)sC<#* z7ufNAJ~Bv~5|VBH03F@osx?kfIAVaV0oOq!nUmtYZ0$JCwRk@~aScGbKY+&;3tVqS zYEo=rf;BOEy+$)3Pwh)6XQ@_ki>z>Hh+M=nT48yWHUMCdey4v{A`$ux5ui+N|wp$_>hdYnt}wx zwVVbb-hof)O+2rQtX}*+c2nAZ8F2&Wp}Ho_+Y_d>w8+}Tordzi6H1oJ+Qc16ZmQ$} zEl1Y>1Iz@(GfhMFfHfKS8la}k)gb|d)S&)N76$?#eM2#H3&SV z@#gd?@7SCkg^oBz*`DjzCPEx>p2PM$O`Tu-9}o9=+x5rtJOBUy07*qoM6N<$f)aw{ A9RL6T 
diff --git a/docs/official-docs/images/extensions/github/gh_repository.png b/docs/official-docs/images/extensions/github/gh_repository.png deleted file mode 100644 index 94aa31565571b9ec3b1e09f2201d35af7eee36e7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1022 zcmV-bvt>wwJ(Z?b6(BvZ-P(aV=Jba$C8Hle zfOjO{_wl`V@7~=ZJ``XdCOkm#`^zpAmCJ zJ2suBfpvN!rusl}k%&bCv`xK<-MiYOe$1u&^*tBsT?_x(i~Kf~QAuZWqF5CY z1ht*~K{*zAW>1@n>nz5O&Ds0TQX6{ZkkcQ(2Ph|))a$s#MkLba)_i>s<@hE@TxuvF zl~!X35F%~^NqjN^+y!FCKa>W zIZ@37!M=O~R69*$uFCD|!Ls`B`W4Gt$N*vqj)v#>o;%mjNC|ubxbe2*yt=f$MW9-7w>+HA sLLqRYIG!s^LPX$VmygGDlbC<}AGjBf2o93HVE_OC07*qoM6N<$f-7#LhYFkph5(;*0VJer7FYx}>iD)Te83d&Po3A4 zB(N$D*}PMM>%f?Jp!awg>^)9EYej2oL2Ew>fRW6Q&F^5C8KUu*teETacWwX?s?10= z0V=Qn1OY;NH{+L26$y8PnaUA<{ETS)rFgUioU0_Fl7L`=T=i=nA|rhSI$LWZE{BoK zFnV_pGrdKD{9HjyRRJpS3Q+YPFH={~;%;{AiCkdw%{HTV7KyK}2@zdLGoh4`F9`CP zYXkcx2XHq#n7KB9-s3Id5bqC5vA2LBzvkiL*hd^`I!q%m*sJmFPYJU5oetn{AO`PJ z;KQ1F<|i)JopUq2#mC_%n5kUJ^FU`S^Ai_~V*yRE_EQ`~iW^R&I~< z5zsuWMn0_=Cvo`{AwX+uu@x{GeQHZy6q?Ks{_dG=jLX?1Zruv-KCtin%gE-pZQn~} z9#rfC4+0ACJMf=P*+^qV5Y3grIr`cz7S`HO!8by1qQb-Zj i6mRgZJ&#f2AO8!&=uv|5m|8FZ0000{Qvof*_UV|lD1sNi20u~J=l0yY?eX>s_ zxu~Sa2I@mkz0^J@hxU+D$=9h4Jwzv4frhyDrAS~JRImS z^Vf9B1+H`9Z8C_o5U1l)!Jux}Vq;1{6Kf$THk1|9(abT}Ru2%d_b zGrlRnx4^QTaH*4wdHgtrRqW@77#JJ^K+kGaDrNMnMmiOzko(gpX9f74Q#^7S0R?yt z%m8?Nv-kt^HHGbPe3T~{kC90wLlT% zTl8A{-b*<^ueFbfsQ?Gs9;Kpw4wwfX1Ajxk2fhQoQkZ^Cz4!yy z>gFmZWj5As%k5Z21ZRza8{v9B{p{b-H)$_XB!=@V;bh)jPfc?BV_e+eZUM^i(1Yl=7%7M0Ldacb?OYsX9U>q>L{}Pw3 zEaGsgIGk#Yh*=msFk|Ux<^KQ+@CRTjg^bwQj-ux@^qj`dcC@3ldRCK{}5v zT;z2oiEk#W1YAH?<%4KqBfX&^D4!}RG_XJaySK{9(ouU9BMm!GeJJQ_;H=` z%1N1LPww(oWWXvS_UbAk1rZO^F4aqT=}S|Vn#KCsZMpX^5I1n4k$@zz4_t7mUV;lZ z|D&SxK8GSj|3ch7EsIhRg<=f2UMl9#y?K?wIWkVaeXuL#dRF7vle-jhnp8fAFtCQR z8k0?68bpp?3|#A|VEH}%)R^yeZZ|_fl2}HxXMhMs&(tgqr;5$iU(1$SYnIc<>?Y82 zno-UwqT=qlS#<*s>AX38$a^-YjZhG7lLi)I#e`oj6dh>VhFz zG!XEje<1&$&aSJ{E(oVL zeUFs(g@KuK@63DdIdi_oa1Rr>0IUHq%2fGwASt)u9T;aVpQK 
zlV7YW(^CNx_#H5fNSNg1RW#i@61l{Q?U3Evrc!t+l{k%J2~QjOJxQLrdg-Of0W{r9 z>gpwoNVtVVu8%8wKLOT!!5QB8a1D>9xgsd;XDK}Vg+CtsN->k=Me&eVr>8oUpH7^i z^xFY7=kGbd0d}D2f*8W|q(8di%I8kynC#~FRIO6i_4vwpUVl5?BCA>@9)I<%d^`>0 zr3F3%(!o@c*WOAEB(K>HdtZOYi$9Ng?m5amLDRiVhUXfx3BM1!d@RFs3fS@>{IL!Y zSy~)O4v_otK6d%ILq45|6Iw_%%%8h^AE(l~PvKYxOb@UOBFVUk^P25o?PojWx)C6G zd6l!PD@-Ti4SD-s-3;Ih&dA4Q4ui-AuYTk*yN~os?(2dECedEm#H9SBRaGmF$TispI z3r1wVL#9|D?de$UgW`UcgYCPn_xnS$s=vF!13Uo+`fXTp5f$%uT~m_Ro`&dRqE6+w zryGVP4=p5#zjt2sbqi|E|D-GxxKOo97|~9D4I)phu3$vN*rMdhqSF_O1@aoAhg<*a zAV>I}H(inIMu6Z#5+gd_Aaol=^1F3xY1FGyrSKHH-0B7^)0y!Ayk@|4+HQwZ3jlUJ zi00rHK;gk|-FpeCc=zzJU6Mk2w~zf&GCE(mnZ%g XvGR|!Z&}%)00000NkvXXu0mjfveFB* 
diff --git a/docs/official-docs/images/extensions/github/gh_team.png b/docs/official-docs/images/extensions/github/gh_team.png deleted file mode 100644 index cc8c3c439920802317b6ff99eefcd682400115d2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1122 zcmV-o1fBbdP)ZF=!iC7{`BB4JuTTuf+y|0zSK1+(qXl?jS08C>Uyp(qyP7 z-{7$nb?ad88N5d+83Q>jO$NKw;D9<=4qluk=cQVd_*`r_kfCSghTfD8@9uJv?o=uE z9}aZyy?g(^zVChC`@RWAhXfRXG9ZT@05kN|fkVI^WACAmfv3RxF`uU)fw7nvGA99B zK*b+WvPBB>WpXnLnY2tME%tAB3>?>{-7#piblR6E;e9mV5iu5t6CeQxfC8|xu#UQ< z1%&?xt81bkYcyIlf5-rqqeMgrP&{%eH=XB~Z*_7r%1FfhXm<=Y_sdxC&hW^WJu$HY zB;XW~lx&fm)jFx9^ikwK9M@)Zzl?El=!=*mWQnkV!0bx4NcDd6TEzXR?3H{GJ?=<^ z)@Xo|o6fVdTE9_pfSuJknOn0UTpS#1-vTni^gLO69qV)Bq8WUmWQ${qXm<=Yo-O*X zbAUPNy=Wj#dlb3j+HAhKhjHEv#xiM{>h}jDM+QJ{Mqy=P-H#3pP$v++{|Df?dK$Um zV`s{gZ`z{}Ue zl1=88964T?zdM@JK7_dBK)|rWB+~F~&sZus#e+o=P0H=kz&EMnRIKojTc#!uHy6#H z-VasnxHiT`lXk}-la?vWmwWuXYgE}as#x7Kax;0N1tnXIy+_)e;BcNyBC42J z0qu@K<@e>_#0O-5=^VYO^W!%USy@ood{M?YKMdAn(lR^W{SlkkJlF|OKv-4J!hZ7p z`NuDR#_F1=OIpvI)iq`+BG+ zfF_8nW_8V;g;AoS;Ah0#^q{%L1@-|}*9@0z%>?3Jt^w%B+DL@`@P&_3IfXcCfE~UK z*Bh-G50px2eE5w6$F-^KE&JqGVRC>^ z`quvoG=Meho%!jjzyIW`%-4MJS>~h2{UqjH%RadoUNfvQX##l=2T5Jp8nZFk4##_s z*+&uJi>M&lGr+IuRC3b_spM1;EuuBMqJ8PLX1!T;8>mK+j|v&k8NWHzxn^_P4+&vL ozde`mT!b*O&4>29$%y~>Kd3OqIL;xF)&Kwi07*qoM6N<$g6Cf#B>(^b 
diff --git a/docs/official-docs/images/extensions/github/gh_teamrole.png b/docs/official-docs/images/extensions/github/gh_teamrole.png deleted file mode 100644 index facdd141b455104f84d3b1b8991d761b205ae7b0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1080 zcmV-81jqY{P)`Me4F*RmR z0k(jwIS`K|NG+rZt1*IeA%b&a|5m#}f1uN9H#j;e(rRDG`xJoZI9SAqfC5y37{JQn zeKyw$mO?jlx*B`s0!Jq$bEpBNMv)jrAZ936!fKRXek>AJW1bWbqt$MZ+ey>ue#B6o zGRQa*P=Gd|#3KoIA5{qWm1`+C(I4pKcGA?FrzQy%$r3UF%k1$;f>%#!H&Q%|Og?Fn zu({(4Y0Xn09af|KzV(*dx2DH#*lIU8es{?G4`?HJ6+AQ8$etqBgqh)yE~DrX*uA+hp1xc zbTv=HM<+$=HLydHmub)w7EAF~%ba)|azX&ni5A z@sOnr)ze-EG#{ddvraJzovubEpR%k}Z`J_Y*KCaquN?)+QWYOYR;o8o9fkJF1zVJ> zH&5vgbn4Ah>3_|d?+zRT%&I5j)TilWsbRsefNQ~=8W{n zEAPdAXg>G2Q#Y{I{ATqEH;FH$q#ze2)tdYs5CO-8j z^anbbe9Bbbla+(LCIt8wcnf^r>1xw|pC9v8_-ogC&k3z|!%*Ikm22{vag9k0h=NG7 zn`>JWHYVHheYct23jvcv7SWyoBI~UzJ|L{d2>55Lye?X^p46JzZqhcQ=DfB)LqL(q yo6{mUY)*%vAk1jC=L&|45GK~SY|m?WJn{d_d$&hgkVjAe0000ZKWH0Q9LGPps6hr{KN}Ci3iymQba1OH#1Kk}L(U~CCKUM;1ipeG9o{|ZBW>cHrhNi-|)xbTM}`N)cEv=sR4PANhV61`xyuM#fL$kN|2rDUU6PS=5`7T)1ks)n1~oP*A`RiXFtu(J&8CwSm-R?GJo#lJhOAt?`!yd)SmE~5*O(1i zbc}S8^#IQdL+slc0B25hqZ;%>95@7Kt)??lwQ~zh7qgRz$nwf_zEu(B{6snB>K z#^QZZWuJ6dE!EZQrfajWCltu0(8=!@(J>91C+`xGUcmiCpnogqnXOl~_m&zpEDVpIhEDL4!#R z$bu}h8zT-Tn^nsj?|p8MLO_vNM~-KJOtse*QyA$a6Nz}YuA7ZEEvGk{4Mfr=vgbVW zu&M)PMjuYgyytK_2!V8?8qWpp6(L=0(;LrgMEuA90g5$yq&=1Bp#T5?07*qoM6N<$ Ef@_1~a{vGU 
diff --git a/docs/official-docs/images/extensions/github/gh_workflow.png b/docs/official-docs/images/extensions/github/gh_workflow.png deleted file mode 100644 index b318aad0136672d0f55954e3b0dfcc8b17c68d09..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1244 zcmV<21S9*2P)ZKTI2E7{-4lRH8(}SIMb5fVrrP3sO1AQcFgLC9uT|My)#F z2qSgkpE{HwaC9L<1B5lMu!nZQL);Cf7=_4F+e4L!H_kRog{$5n0jWB)!~Nkn+h9W; z=_G%5pTFn%-tT?i?|nTq4gm-Q5kPc20IK830K0(J#M)Ov1U7;HntV1L0_(za#Ww+1 z0%olj;b4Hs$N*BWAFx9F$0Iy|%}x^cy@L52^GUz_3Vi zZK^497nf)Y5RDMIgrQ)7naPI;-gcH(Gh}mbZ6^fSKPaP?D~Me_lza)X(}&=_-Z>o( z>}>(Mfx3BqefewT`7vfDAKLH2!2sTlb~ODI^{B#nVu${bC(Oz}0fyr$`BKgG3=7zi zCbia`<$`8L!9+Afa%~E=TtPcIL+bV0R!ODzC?5TVa!^9kPkEV`Au?L+TTXZ|iiqx7 zA?SwN%Y6(z}D%T2dI;xT{F(?0QkHf(L zv1o{7dXL>)!3^taa=5T2ptYC+t~|3^5IcQLIKt5#qPw{QkLMF;dUXPGaH)69A78%v z=U-yugAEI4Yx{u6=mWC30>z^W`pG#Sj}fY>asQ*_ONa$mKM2{o&g?>43J!#s+pu594Sm60P{9X zrT0+s#fAk)y?$P$7dXs4Bb#2ZcU|wMRPseg} zf^KryMd=;a{CB`M@RfR0Y1`TTgD(a?<&%$v8<8vdBE#cPt+=_}&uM=R2n8hd{0mJKK&e!LwY+P9jLFQT8E+x3Ght1e@l z`Hh=Z5lGT}bDHFq&8Zs#h8eB)T);dc3=?ZywC7nG-0}ZW%GQgfL9p`x0000Ze`r%z6vsc&VuZNYD6LVFU`+>G><_a!EGdXO5@Xo2@Me(Q8NRRWW}_MEP^JsW7$93 zA1^O`$;*qa?hEgaci(;IeDAsEe9yfamJdC!8*l+NvIk&R_V|El;L!?fmqiV54)}M4 z&p8=ERcOk5(*ym$VQIiIl{Kwaao` zj8r7Xm7W0}&;3cx`Q98ERRVh8cR+8nH?Z&Ar)VqJJ(Y6_+4KTedIp#e-jPUbMHUG; zfqdAF_6FJ~zI-Of#kkb=kwl_kJ66l)d;z$s>MXd&s1pF zu>N^-+4;3Cc7F3s^G{}R6OaX_U?~DMh@ofy3YDYLEQU?0Npn{1*MivFAzR^neeEOY64T!*dKh3(xp z3KBV!NaESqExoQ^1?&M)WQyzjYR^eRLt`s;E|Cunjd8W-WWl&#Hc(Y(kzV(#LezFF zEp~;GT>}R(*&A2vT!P8o$gY8dig8(0}8?RX<5m1xaOd^S3HsBoTqx*&jtJ{HA&?)9=1sztmgYFw1oFjb*W`m+q3!wBQ!joPbjO~fnYX>$vNsHJn91wldacDijowIASG02XpC(gPIl&u$_-}{Nv`*w;qJxB<(SMvgLsJ8Qe1*^!$qA9 zfZEn(jP?cq=7V>L`DgOqw1N&xi(R#Y$^_|_22m1sw_O^<)U2NI^01c@BFV9QJJc{Y zbDN3wV*t~u5p}>;RcB%I4y%IckM9jKAH2h+9WPSb+DyaSuc6zxfrt0z@jtEcsu{Tt;31c z?ZB9eRNNl~z|tye$o$N0qTWD39+>Qnv`q{a*gfxfUy|cDpDe{C!ftAA#MbM|i&xwq zBz)G#+{_YLwe2XDVyPQ?fCE;y1LsH|#gK?ZF9yiWm9A|Gg2{mGpjfh{@?i4AVJV@% 
z1G=BC9S@Bwh=_U6iM7M2`fsUrEI$z)2l@rGf&G)GpLi6D`-9x|ihKQ1uPdJyYRIM+ zxZpe_spE;9KgE%33fOLJZlwLvV6ly7f-LcFAy(d_VgeG0S)kI`+{nIfKly(SrSF_% zUQEz5;&$f`rK^kP{|#IN_CHP}*WRD{g-tKNps3^JA{B`-@z%%E%F~D|pOw!kcQKg) zwgXr@oHX@yuIyqmJWg~;4+_G*90C%F!-&^2KJ5;J#N>8PAf7p&`m$Pss1qx_oO*c1%V{z6h+&kj=X!Emgc#ySEM3p1SmuiV14bwl UMj$mb=>Px#07*qoM6N<$f)lxqU;qFB diff --git a/docs/official-docs/images/extensions/github/gh_workflowstep.png b/docs/official-docs/images/extensions/github/gh_workflowstep.png deleted file mode 100644 index 536e94bd2f487fb56bb183f8b24fdaed58beea28..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1174 zcmV;H1Zn$;P)Sw!n*9sO>;py2NszP;gLAn{+m*Dz00}{YRAYgd_YL;ge*aY+rY`2vFumJqi;j>^N z=qO!n)_gz~$e4;~JVD=Jicna=e?EY}TiDksDhGy+R#jPFE3jQHTkYHhW^nL`69FHv z0Vn{;p)_OT*(TtB$=+^_`PoU<9~4ZL3Jl0d$OtG6a9=PS;m%hJgnE=?0Us5uqB4=W z#GlWf(EuN4kZ~m71O5Pf(RhOC+zOsEzSjab#i;8{WG?aa$)-u-0v1nL2{hdvjVJi_ z`;8L;AC>E$511rc!eJ$l18xSx5$@+V9CyCATVq=*vt3as34_Gq34%Qe!BE68PmH?G z)#0caj!8svHVFg}uBY%r$uZ{3OF8m$Qy6vm5%-+&F*=@Q7l7Iu zmfb7Kp){9=ui4ofI=8PUS^4ohUcG!FH4gCVLr)bpcP}rV$+f`MXaLJ)GnTdONJmRDnhE8t!mbLN;eO+g}s@gnj!3wxc0{-)@ z9|35sH60K;w}JzBJU%iL_oSYX+i3pR>jK^dr139p6>Yj;SZM*bk_bw?D6?TX=8DU< z`ag>ccm_z5CDz+-)9q+w48xumhM}{g+1)L(p;emwsO&;aG3-6J69^q1mqVbs&dfKr zTSyp2LnldCnT>cYv|+tW6KX6Q!*prLCf4Z*Ur7*4LWHb=3tF0iHhDl;*+6l?>5% zLJH7M`UX;rT*=tCQpkj;#a9T_Ef44p3MwwI4{TDq6MNEHbg)enR00!LZVHAW4tJ%rM&q z5)f^<2t=G(=}F}3Cs8x@Wkd(oK@=iW^v1$|X{*SM(Lu-T?nI2b&W+JQ6MWwaew2WX z#1~_O)~eO9Xcd+8NX!hC4IJ8EOo~7R;N#S1j9&Y)ql-y?Zi9i@?Z+WtlE@&g zXMpHp$)Pl%9)-8u-sWl1Dk^^;?4wmw)*lp(dTkOhbG~*w1HdAkUrrY};pOzG_z-S1 oujf7*AwsxV=kR)7 - -## Edge Schema - -Traversable: false - -## General Information - -The non-traversable GH_AddAssignee edge represents a role's ability to assign users to issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. 
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_addcollaborator.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_addcollaborator.mdx
deleted file mode 100644
index e431f27..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_addcollaborator.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_AddCollaborator'
-description: '[Organization] Org role can add outside collaborators'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_AddCollaborator edge represents that a role has the ability to add outside collaborators to organization repositories. This permission is typically restricted to Owners, as it grants repository access to external users who are not members of the organization. Outside collaborators bypass organizational membership controls, making this permission significant for security because it can be used to grant access to untrusted external identities without the visibility that full membership provides.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_addlabel.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_addlabel.mdx
deleted file mode 100644
index 0791fc8..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_addlabel.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_AddLabel'
-description: '[Repository] Repo role can add labels to issues and pull requests'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_AddLabel edge represents a role's ability to add labels to issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_addmember.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_addmember.mdx
deleted file mode 100644
index 5806155..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_addmember.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_AddMember'
-description: 'Team role can add members to the team (maintainer privilege)'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: true
-
-## General Information
-
-The traversable GH_AddMember edge indicates that a team role with the Maintainer permission level can add new members to the team. This edge is traversable because the ability to add members grants indirect access -- a maintainer can add any user to the team, and that user then inherits all of the team's repository permissions, effectively expanding the attack surface.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_adminto.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_adminto.mdx
deleted file mode 100644
index 780c8da..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_adminto.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_AdminTo'
-description: '[Repository] Repo role has admin access to the repository.'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_AdminTo edge represents a role's full administrative access to the repository. Admin is the highest built-in repository role and grants control over all repository settings, including dangerous operations like deleting the repository or modifying its visibility. Admin access bypasses most protections including branch protection rules, unless `enforce_admins` is explicitly enabled on the branch protection rule. This edge is a key permission in the computed branch access model and is a high-value target in attack path analysis.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_bypassbranchprotection.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_bypassbranchprotection.mdx
deleted file mode 100644
index 77e1da3..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_bypassbranchprotection.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_BypassBranchProtection'
-description: '[Repository] Repo role can bypass merge-gate branch protections (PR reviews, lock branch). Suppressed by enforce_admins.'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_BypassBranchProtection edge represents a role's ability to bypass branch protection rules on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Bypassing branch protection allows merging pull requests without satisfying required review or status check requirements, effectively circumventing the merge gate. This bypass is suppressed when `enforce_admins` is enabled on the branch protection rule, which forces even admins to comply with the protection policy.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_bypasspullrequestallowances.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_bypasspullrequestallowances.mdx
deleted file mode 100644
index bc3542b..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_bypasspullrequestallowances.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_BypassPullRequestAllowances'
-description: 'User or team can bypass pull request requirements on a branch protection rule'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_BypassPullRequestAllowances edge represents a per-actor allowance that bypasses the pull request review requirement on a branch protection rule. This edge identifies specific users or teams that can merge code without going through the normal PR review process. This is a significant security concern because these actors can push or merge changes directly, circumventing code review controls that protect branch integrity. Note that this bypass is suppressed when `enforce_admins` is enabled on the branch protection rule, meaning even listed actors must follow the PR review requirement.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_callsworkflow.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_callsworkflow.mdx
deleted file mode 100644
index b948a8f..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_callsworkflow.mdx
+++ /dev/null
@@ -1,21 +0,0 @@
----
-title: 'GH_CallsWorkflow'
-description: '[Workflow] Job calls a reusable workflow — GH_WorkflowJob → GH_Workflow'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The traversable GH_CallsWorkflow edge links a workflow job to a reusable workflow it invokes via the `uses:` key at the job level. This edge captures the reusable workflow call graph, enabling analysts to trace inherited permissions and secret access through called workflows.
-
-### Local vs. remote reusable workflows
-
-- **Local** (`./. github/workflows/_ci.yml`): the destination is matched by `name` against workflows in the same repository.
-- **Remote** (`org/repo/.github/workflows/file.yml@ref`): the destination is matched by the full reference string. If the called workflow has not been collected, the edge destination will not resolve.
-
-The `reusable_ref` property on the edge always contains the raw `uses:` value from the workflow file.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_canaccess.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_canaccess.mdx
deleted file mode 100644
index 1ce45ba..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_canaccess.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_CanAccess'
-description: 'Personal access token or app installation can access this repository or organization'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_CanAccess edge indicates that a personal access token or app installation has been granted access to specific repositories. This edge represents the scope of access granted to a token or app rather than a direct attack path, providing visibility into which repositories are reachable through non-human credentials. It is non-traversable because token and app access does not transitively extend to other principals.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_canassumeidentity.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_canassumeidentity.mdx
deleted file mode 100644
index 087aee8..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_canassumeidentity.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_CanAssumeIdentity'
-description: 'Repository can assume this cloud identity via OIDC federation (Azure workload identity or AWS IAM role)'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: true
-
-## General Information
-
-The traversable GH_CanAssumeIdentity edge is a hybrid edge connecting GitHub OIDC token sources to cloud identity targets configured for GitHub Actions federation. This edge represents a verified path from GitHub Actions to cloud resource access. It is traversable because an attacker who can execute workflows in the source repository, branch, or environment can obtain an OIDC token that the cloud provider will accept, granting access to the associated cloud identity and its permissions. This edge is critical for identifying cross-cloud lateral movement paths from GitHub into Azure and AWS.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_cancreatebranch.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_cancreatebranch.mdx
deleted file mode 100644
index 0e637ee..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_cancreatebranch.mdx
+++ /dev/null
@@ -1,65 +0,0 @@ ---- -title: 'GH_CanCreateBranch' -description: '[Repository - Computed] Role can create new branches in this repository (unprotected branches that bypass the merge gate)' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: true - -## General Information - -The traversable GH_CanCreateBranch edge is a computed edge indicating that a role or actor can create new branches in a repository. The computation evaluates whether a wildcard (`*`) BPR with push restrictions and `blocks_creations` exists. If no such BPR exists, any write-capable role can create branches. If one exists, admin or `push_protected_branch` permission is required, or the actor must be listed in pushAllowances. Per-actor edges from [GH_User](/opengraph/extensions/github/nodes/gh_user) or [GH_Team](/opengraph/extensions/github/nodes/gh_team) are only emitted when BPR allowances grant branch creation access beyond what the role provides. Each edge includes a `reason` property and a `query_composition` Cypher query showing the underlying graph evidence. - -## Scenarios - -### `no_protection` — No wildcard BPR blocking creations - -No wildcard (`*`) BPR with `blocks_creations` exists. Any write-capable role can create new branches. - -```mermaid -graph LR - role("GH_RepoRole write") -->|GH_WriteRepoContents| repo("GH_Repository") - role ==>|GH_CanCreateBranch| repo -``` - -### `admin` — Admin bypasses wildcard BPR - -A wildcard BPR with `push_restrictions` and `blocks_creations` prevents branch creation. The admin role bypasses this restriction. - -```mermaid -graph LR - role("GH_RepoRole admin") -->|GH_AdminTo| repo("GH_Repository") - repo -->|GH_HasBranch| branch("GH_Branch main") - bpr("GH_BranchProtectionRule\npattern=*\npush_restrictions\nblocks_creations") -->|GH_ProtectedBy| branch - role ==>|GH_CanCreateBranch| repo -``` - -### `push_protected_branch` — Push-protected role bypasses wildcard BPR - -A wildcard BPR blocks creations. 
The [GH_PushProtectedBranch](/opengraph/extensions/github/edges/gh_pushprotectedbranch) permission bypasses the push gate regardless of `enforce_admins`. - -```mermaid -graph LR - role("GH_RepoRole maintain") -->|GH_WriteRepoContents| repo("GH_Repository") - role -->|GH_PushProtectedBranch| repo - repo -->|GH_HasBranch| branch("GH_Branch main") - bpr("GH_BranchProtectionRule\npattern=*\npush_restrictions\nblocks_creations") -->|GH_ProtectedBy| branch - role ==>|GH_CanCreateBranch| repo -``` - -### `push_allowance` — Per-actor push restriction bypass - -User or Team listed in the wildcard BPR's `pushAllowances` can create branches. This is a per-actor delta edge — only emitted when the actor's role doesn't already grant GH_CanCreateBranch. - -```mermaid -graph LR - user("GH_User alice") -->|GH_HasRole| role("GH_RepoRole write") - role -->|GH_WriteRepoContents| repo("GH_Repository") - repo -->|GH_HasBranch| branch("GH_Branch main") - bpr("GH_BranchProtectionRule\npattern=*\npush_restrictions\nblocks_creations") -->|GH_ProtectedBy| branch - user -->|GH_RestrictionsCanPush| bpr - user ==>|GH_CanCreateBranch| repo -``` diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_caneditprotection.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_caneditprotection.mdx deleted file mode 100644 index 905b75a..0000000 --- a/docs/official-docs/opengraph/extensions/github/edges/gh_caneditprotection.mdx +++ /dev/null 
@@ -1,40 +0,0 @@ ---- -title: 'GH_CanEditProtection' -description: '[Repository - Computed] Repo role can modify or remove the branch protection rules governing this branch (computed from GH_EditRepoProtections + GH_ProtectedBy)' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: true - -## General Information - -The traversable GH_CanEditProtection edge is a computed edge indicating that a role can modify or remove the branch protection rules governing a specific branch. This edge is emitted when the role has [GH_EditRepoProtections](/opengraph/extensions/github/edges/gh_editrepoprotections) or [GH_AdminTo](/opengraph/extensions/github/edges/gh_adminto) permissions and the branch is covered by at least one branch protection rule. The edge targets the protected branch (not the BPR itself) because the security impact is evaluated per-branch — a role that can weaken or remove protections on a branch can subsequently push code to it, representing a privilege escalation path. - -## Scenarios - -### `admin` — Admin can edit protections - -The admin role has [GH_AdminTo](/opengraph/extensions/github/edges/gh_adminto) which implicitly grants the ability to modify or remove any branch protection rule. - -```mermaid -graph LR - role("GH_RepoRole admin") -->|GH_AdminTo| repo("GH_Repository") - repo -->|GH_HasBranch| branch("GH_Branch main") - bpr("GH_BranchProtectionRule") -->|GH_ProtectedBy| branch - role ==>|GH_CanEditProtection| branch -``` - -### `edit_repo_protections` — Explicit edit permission - -A custom or standard role with the [GH_EditRepoProtections](/opengraph/extensions/github/edges/gh_editrepoprotections) permission can modify or remove branch protection rules. - -```mermaid -graph LR - role("GH_RepoRole custom") -->|GH_EditRepoProtections| repo("GH_Repository") - repo -->|GH_HasBranch| branch("GH_Branch main") - bpr("GH_BranchProtectionRule") -->|GH_ProtectedBy| branch - role ==>|GH_CanEditProtection| branch -``` 
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_canpwnrequest.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_canpwnrequest.mdx
deleted file mode 100644
index 2f48230..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_canpwnrequest.mdx
+++ /dev/null
@@ -1,70 +0,0 @@ ---- -title: 'GH_CanPwnRequest' -description: '[Computed] Repo role can exploit a pwn-requestable workflow to execute arbitrary code with the target''s secrets and permissions — GH_RepoRole → GH_Repository / GH_Branch' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: true - -## General Information - -The traversable GH_CanPwnRequest edge indicates that a repository role can exploit a pwn-requestable workflow to execute arbitrary code with the base branch's secrets, GITHUB_TOKEN permissions, and OIDC identity. This is a computed edge that combines workflow analysis with repository access and fork policy evaluation. - -### Pwn Request Conditions - -A workflow is considered pwn-requestable (`is_pwn_requestable = true`) when **all** of the following are true: - -1. **`pull_request_target` trigger**: The workflow is triggered by `pull_request_target`, which runs in the context of the base branch (not the fork) and has access to the base branch's secrets and permissions. -2. **Attacker-controlled checkout**: A step uses `actions/checkout` with a `ref` parameter pointing to the pull request head, meaning attacker-supplied code from the fork replaces the trusted repository contents. Detected ref patterns: - - `${{ github.event.pull_request.head.sha }}` - - `${{ github.event.pull_request.head.ref }}` - - `${{ github.head_ref }}` - -### Edge Drawing Conditions - -An edge is drawn from a [GH_RepoRole](/opengraph/extensions/github/nodes/gh_reporole) to the repository (and its branches) when: - -1. **Read access**: The role has a [GH_ReadRepoContents](/opengraph/extensions/github/edges/gh_readrepocontents) edge to the repository (read access is the minimum required to fork). -2. **Forkability**: The repository can be forked by the role holder: - - **Public repos**: Always forkable by anyone on GitHub. 
- - **Private/internal repos**: Requires both the organization setting `members_can_fork_private_repositories = true` AND the repository setting `allow_forking = true`. -3. **Pwn-requestable workflow**: The repository has at least one workflow with `is_pwn_requestable = true`. - -### Branch Targeting - -- If the `pull_request_target` trigger has a `branches:` filter (e.g., `branches: [main]`), edges are drawn only to matching branches and the repository. -- If unconstrained, edges are drawn to the repository and all of its branches. - -### Attack Impact - -An attacker who exploits a pwn request gains code execution in the workflow runner with access to: - -- **Repository secrets** scoped to the base branch -- **Organization secrets** accessible by the repository -- **GITHUB_TOKEN** with the workflow's declared permissions (often `write`) -- **OIDC tokens** if `id-token: write` is set, enabling cloud identity assumption via [GH_CanAssumeIdentity](/opengraph/extensions/github/edges/gh_canassumeidentity) -- **Environment secrets** if the workflow job targets a deployment environment - -### Caveats - -- **OIDC traversal requires `id-token: write`**: The attack chain from GH_CanPwnRequest through [GH_CanAssumeIdentity](/opengraph/extensions/github/edges/gh_canassumeidentity) to a cloud role is only valid if the pwn-requestable workflow (or job) explicitly declares `id-token: write` in its `permissions:` block. The `id-token` permission defaults to `none` and is never implicitly granted — even when the workflow has no `permissions:` block at all. The `permissions` property on the [GH_WorkflowJob](/opengraph/extensions/github/nodes/gh_workflowjob) node can be inspected to verify this. -- **GITHUB_TOKEN permissions**: The `permissions:` block controls what the `GITHUB_TOKEN` can do (e.g., push commits, create releases), but has no effect on secret access, OIDC token requests (governed separately by `id-token`), or arbitrary code execution. 
A workflow with `contents: read` is still fully exploitable via pwn request for secret exfiltration and lateral movement — only write-back to the repository is limited. - -```mermaid -graph LR - role("GH_RepoRole repo-read") - repo("GH_Repository private-app") - branch("GH_Branch main") - wf("GH_Workflow vulnerable-ci.yml") - secret("GH_RepoSecret DEPLOY_KEY") - cloud("AWSRole deploy-prod") - - role -- GH_CanPwnRequest --> repo - role -- GH_CanPwnRequest --> branch - repo -.- |GH_HasWorkflow| wf - repo -.- |GH_Contains| secret - branch -- GH_CanAssumeIdentity --> cloud -``` diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_canreadsecretscanningalert.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_canreadsecretscanningalert.mdx deleted file mode 100644 index d92a2e9..0000000 --- a/docs/official-docs/opengraph/extensions/github/edges/gh_canreadsecretscanningalert.mdx +++ /dev/null 
@@ -1,42 +0,0 @@ ---- -title: 'GH_CanReadSecretScanningAlert' -description: '[Computed] Role can read secret scanning alerts (computed from GH_ViewSecretScanningAlerts permission + GH_Contains)' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: true - -## General Information - -The traversable GH_CanReadSecretScanningAlert edge is a computed edge indicating that a role can read a specific secret scanning alert, including the leaked secret value. The computation cross-references [GH_ViewSecretScanningAlerts](/opengraph/extensions/github/edges/gh_viewsecretscanningalerts) permission edges with [GH_Contains](/opengraph/extensions/github/edges/gh_contains) structural edges (org-level and repo-level) to determine which alerts each role can access. This edge is traversable because reading an alert reveals the leaked secret — if the secret is a valid GitHub Personal Access Token, the [GH_ValidToken](/opengraph/extensions/github/edges/gh_validtoken) edge enables identity compromise of the token's owner. - -Each edge includes a `reason` property (`org_role_permission` or `repo_role_permission`) and a `query_composition` Cypher query showing the underlying graph evidence. - -## Scenarios - -### `org_role_permission` — Org role views alerts via organization - -An org role with [GH_ViewSecretScanningAlerts](/opengraph/extensions/github/edges/gh_viewsecretscanningalerts) to the organization can read all secret scanning alerts across the entire org. The computation follows [GH_Contains](/opengraph/extensions/github/edges/gh_contains) edges from the organization to each alert. 
- -```mermaid -graph LR - role("GH_OrgRole security_manager") -->|GH_ViewSecretScanningAlerts| org("GH_Organization") - org -->|GH_Contains| alert("GH_SecretScanningAlert #42") - role ==>|GH_CanReadSecretScanningAlert| alert - alert -.->|GH_ValidToken| user("GH_User jdoe") -``` - -### `repo_role_permission` — Repo role views alerts via repository - -A repo role with [GH_ViewSecretScanningAlerts](/opengraph/extensions/github/edges/gh_viewsecretscanningalerts) to the repository can read secret scanning alerts in that specific repo. The computation follows [GH_Contains](/opengraph/extensions/github/edges/gh_contains) edges from the repository to each alert. - -```mermaid -graph LR - role("GH_RepoRole admin") -->|GH_ViewSecretScanningAlerts| repo("GH_Repository") - repo -->|GH_Contains| alert("GH_SecretScanningAlert #17") - role ==>|GH_CanReadSecretScanningAlert| alert - alert -.->|GH_ValidToken| user("GH_User jdoe") -``` diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_canwritebranch.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_canwritebranch.mdx deleted file mode 100644 index a2bef69..0000000 --- a/docs/official-docs/opengraph/extensions/github/edges/gh_canwritebranch.mdx +++ /dev/null 
@@ -1,93 +0,0 @@
----
-title: 'GH_CanWriteBranch'
-description: '[Repository - Computed] Role can push to this branch after evaluating branch protection rules, push restrictions, and bypass allowances'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: true
-
-## General Information
-
-The traversable GH_CanWriteBranch edge is a computed edge indicating that a role or actor can push to a specific branch. The computation evaluates both the merge gate (PR review requirements) and push gate (push restrictions) of any branch protection rule protecting the branch. Role-level edges are the common case; per-actor edges from [GH_User](/opengraph/extensions/github/nodes/gh_user) or [GH_Team](/opengraph/extensions/github/nodes/gh_team) are only emitted when BPR allowances grant access beyond what the role provides. Each edge includes a `reason` property (`no_protection`, `admin`, `push_protected_branch`, `bypass_branch_protection`, `push_allowance`, `bypass_pr_allowance`) and a `query_composition` Cypher query showing the underlying graph evidence.
-
-## Scenarios
-
-### `no_protection` — Unprotected branch
-
-Branch has no BPR. Any write-capable role can push directly.
-
-```mermaid
-graph LR
- role("GH_RepoRole write") -->|GH_WriteRepoContents| repo("GH_Repository")
- repo -->|GH_HasBranch| branch("GH_Branch develop")
- role ==>|GH_CanWriteBranch| branch
-```
-
-### `admin` — Admin bypasses both gates
-
-BPR blocks both the merge gate (PR reviews) and push gate (push_restrictions). The admin role bypasses both gates. Requires `enforce_admins=false`; when `enforce_admins=true`, admin cannot bypass the merge gate.
-
-```mermaid
-graph LR
- role("GH_RepoRole admin") -->|GH_AdminTo| repo("GH_Repository")
- repo -->|GH_HasBranch| branch("GH_Branch main")
- bpr("GH_BranchProtectionRule\nrequired_pull_request_reviews\npush_restrictions\nenforce_admins=false") -->|GH_ProtectedBy| branch
- role ==>|GH_CanWriteBranch| branch
-```
-
-### `push_protected_branch` — Push gate bypass
-
-Push gate blocked by `push_restrictions` (no merge gate block). The [GH_PushProtectedBranch](/opengraph/extensions/github/edges/gh_pushprotectedbranch) permission bypasses the push gate regardless of `enforce_admins`.
-
-```mermaid
-graph LR
- role("GH_RepoRole maintain") -->|GH_WriteRepoContents| repo("GH_Repository")
- role -->|GH_PushProtectedBranch| repo
- repo -->|GH_HasBranch| branch("GH_Branch main")
- bpr("GH_BranchProtectionRule\npush_restrictions") -->|GH_ProtectedBy| branch
- role ==>|GH_CanWriteBranch| branch
-```
-
-### `bypass_branch_protection` — Merge gate bypass
-
-Merge gate blocked by PR reviews. The [GH_BypassBranchProtection](/opengraph/extensions/github/edges/gh_bypassbranchprotection) permission bypasses the merge gate. Requires `enforce_admins=false`; suppressed when `enforce_admins=true`.
-
-```mermaid
-graph LR
- role("GH_RepoRole custom") -->|GH_WriteRepoContents| repo("GH_Repository")
- role -->|GH_BypassBranchProtection| repo
- repo -->|GH_HasBranch| branch("GH_Branch main")
- bpr("GH_BranchProtectionRule\nrequired_pull_request_reviews\nenforce_admins=false") -->|GH_ProtectedBy| branch
- role ==>|GH_CanWriteBranch| branch
-```
-
-### `push_allowance` — Per-actor push restriction bypass
-
-User or Team listed in the BPR's `pushAllowances` bypasses the push gate. This is a per-actor delta edge — only emitted when the actor's role-level access doesn't already cover the branch.
-
-```mermaid
-graph LR
- user("GH_User alice") -->|GH_HasRole| role("GH_RepoRole write")
- role -->|GH_WriteRepoContents| repo("GH_Repository")
- repo -->|GH_HasBranch| branch("GH_Branch main")
- bpr("GH_BranchProtectionRule\npush_restrictions") -->|GH_ProtectedBy| branch
- user -->|GH_RestrictionsCanPush| bpr
- user ==>|GH_CanWriteBranch| branch
-```
-
-### `bypass_pr_allowance` — Per-actor PR review bypass
-
-User or Team listed in the BPR's `bypassPullRequestAllowances` bypasses the merge gate (PR reviews only, not `lock_branch`). Requires `enforce_admins=false`. This is a per-actor delta edge — only emitted when the actor's role-level access doesn't already cover the branch.
-
-```mermaid
-graph LR
- user("GH_User alice") -->|GH_HasRole| role("GH_RepoRole write")
- role -->|GH_WriteRepoContents| repo("GH_Repository")
- repo -->|GH_HasBranch| branch("GH_Branch main")
- bpr("GH_BranchProtectionRule\nrequired_pull_request_reviews\nenforce_admins=false") -->|GH_ProtectedBy| branch
- user -->|GH_BypassPullRequestAllowances| bpr
- user ==>|GH_CanWriteBranch| branch
-```
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_closediscussion.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_closediscussion.mdx
deleted file mode 100644
index 2d19de3..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_closediscussion.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_CloseDiscussion'
-description: '[Repository] Repo role can close discussions'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_CloseDiscussion edge represents a role's ability to close discussions, preventing further replies. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_closeissue.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_closeissue.mdx
deleted file mode 100644
index 2d6f4d9..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_closeissue.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_CloseIssue'
-description: '[Repository] Repo role can close issues'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_CloseIssue edge represents a role's ability to close issues. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_closepullrequest.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_closepullrequest.mdx
deleted file mode 100644
index 7a41bb1..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_closepullrequest.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_ClosePullRequest'
-description: '[Repository] Repo role can close pull requests'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_ClosePullRequest edge represents a role's ability to close pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_contains.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_contains.mdx
deleted file mode 100644
index 8cbfdec..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_contains.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_Contains'
-description: 'Container relationship for organizational hierarchy (org contains secrets/variables, repo contains secrets/variables, environment contains secrets/variables)'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_Contains edge represents structural containment within the GitHub resource hierarchy. The organization serves as the top-level container for users, teams, repositories, roles, secrets, app installations, and personal access tokens. Repositories contain their own repo-level secrets, and environments contain environment-scoped secrets. This edge is created by the collector to establish the organizational hierarchy of GitHub resources and is not traversable because containment alone does not imply privilege escalation.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_convertissuestodiscussions.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_convertissuestodiscussions.mdx
deleted file mode 100644
index 492bbde..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_convertissuestodiscussions.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_ConvertIssuesToDiscussions'
-description: '[Repository] Repo role can convert issues to discussions'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_ConvertIssuesToDiscussions edge represents a role's ability to convert issues to discussions, moving them from the issue tracker to the discussions forum. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_creatediscussioncategory.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_creatediscussioncategory.mdx
deleted file mode 100644
index 57d1f3d..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_creatediscussioncategory.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_CreateDiscussionCategory'
-description: '[Repository] Repo role can create discussion categories'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_CreateDiscussionCategory edge represents a role's ability to create new discussion categories. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_createrepository.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_createrepository.mdx
deleted file mode 100644
index 334a8dc..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_createrepository.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_CreateRepository'
-description: '[Organization] Org role can create repositories in the organization'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_CreateRepository edge represents that a role has the ability to create new repositories within the organization. This permission is available to Owners and custom organization roles that have been granted the repository creation permission. Creating repositories can introduce new attack surface to an organization, as each new repository is a potential vector for code execution through GitHub Actions workflows, secret exposure, and supply chain attacks.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_createsolomergequeueentry.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_createsolomergequeueentry.mdx
deleted file mode 100644
index 92c55e9..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_createsolomergequeueentry.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_CreateSoloMergeQueueEntry'
-description: 'Repo role can create solo merge queue entries'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_CreateSoloMergeQueueEntry edge represents a role's ability to create solo merge queue entries, effectively bypassing the merge queue by merging independently of other queued changes. This permission is available to Admin roles and custom roles that have been granted this specific permission. Solo merge queue entries skip the batching and ordering guarantees of the merge queue, allowing changes to land without waiting for or being tested alongside other pending merges. This can circumvent the integration testing benefits that merge queues provide.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_createtag.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_createtag.mdx
deleted file mode 100644
index dd5a241..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_createtag.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_CreateTag'
-description: '[Repository] Repo role can create tags and releases'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_CreateTag edge represents a role's ability to create tags and releases. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission. Creating tags can trigger CI/CD workflows and publish release artifacts.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_createteam.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_createteam.mdx
deleted file mode 100644
index 2847d8f..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_createteam.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_CreateTeam'
-description: '[Organization] Org role can create teams in the organization'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_CreateTeam edge represents that a role has the ability to create teams within the organization. Teams are the primary mechanism for granting groups of users access to repositories, so team creation is a stepping stone to broader access. This edge is created by the collector when enumerating organization role permissions, and its security significance lies in the fact that a newly created team can be granted repository access and then populated with controlled accounts.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_deletealertscodescanning.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_deletealertscodescanning.mdx
deleted file mode 100644
index ec88a9b..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_deletealertscodescanning.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_DeleteAlertsCodeScanning'
-description: '[Repository] Repo role can delete code scanning alerts'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_DeleteAlertsCodeScanning edge represents a role's ability to delete code scanning alerts from the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Deleting code scanning alerts can obscure security vulnerabilities that have been detected in the codebase, which is significant from an audit and compliance perspective. An attacker with this permission could suppress evidence of vulnerabilities they have introduced.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_deletediscussion.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_deletediscussion.mdx
deleted file mode 100644
index e04a805..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_deletediscussion.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_DeleteDiscussion'
-description: '[Repository] Repo role can delete discussions'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_DeleteDiscussion edge represents a role's ability to delete discussions. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_deletediscussioncomment.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_deletediscussioncomment.mdx
deleted file mode 100644
index 1798ec3..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_deletediscussioncomment.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_DeleteDiscussionComment'
-description: '[Repository] Repo role can delete discussion comments'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_DeleteDiscussionComment edge represents a role's ability to delete discussion comments authored by any user. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_deleteissue.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_deleteissue.mdx
deleted file mode 100644
index 8a80df5..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_deleteissue.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_DeleteIssue'
-description: '[Repository] Repo role can delete issues'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_DeleteIssue edge represents a role's ability to delete issues permanently. Deleted issues cannot be recovered. This permission is available to Admin roles and custom roles that have been granted this specific permission. Deleting issues can destroy audit trails and remove evidence of security discussions or vulnerability reports.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_deletetag.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_deletetag.mdx
deleted file mode 100644
index d2f8ed5..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_deletetag.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_DeleteTag'
-description: '[Repository] Repo role can delete tags and releases'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_DeleteTag edge represents a role's ability to delete tags and releases. This permission is available to Admin roles and custom roles that have been granted this specific permission. Deleting tags can break downstream dependency references and remove published artifacts.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_dependson.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_dependson.mdx
deleted file mode 100644
index 1629da3..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_dependson.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_DependsOn'
-description: '[Workflow] Job must run after another job (needs: dependency) — ordering only, not an access path'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_DependsOn edge represents a `needs:` dependency between two jobs in the same workflow. This edge captures execution order constraints — the source job will not start until the destination job completes successfully. This edge is non-traversable because it represents sequencing only, not an access or privilege path.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_deploysto.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_deploysto.mdx
deleted file mode 100644
index 9c66594..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_deploysto.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_DeploysTo'
-description: '[Workflow] Job deploys to a GitHub Environment — GH_WorkflowJob → GH_Environment'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_DeploysTo edge links a workflow job to the GitHub Environment it targets via the `environment:` key. This edge records which jobs deploy to which environments. Environments can gate deployments with protection rules (required reviewers, wait timers, deployment branch policies) and can expose environment-scoped secrets.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_editcategoryondiscussion.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_editcategoryondiscussion.mdx
deleted file mode 100644
index 44a67e6..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_editcategoryondiscussion.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_EditCategoryOnDiscussion'
-description: '[Repository] Repo role can change the category of a discussion'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_EditCategoryOnDiscussion edge represents a role's ability to change the category of a discussion, moving it between categories. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_editdiscussioncategory.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_editdiscussioncategory.mdx
deleted file mode 100644
index 6d237a7..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_editdiscussioncategory.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_EditDiscussionCategory'
-description: '[Repository] Repo role can edit discussion categories'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_EditDiscussionCategory edge represents a role's ability to edit discussion categories to reorganize discussion classification. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_editdiscussioncomment.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_editdiscussioncomment.mdx
deleted file mode 100644
index 50c2179..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_editdiscussioncomment.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_EditDiscussionComment'
-description: '[Repository] Repo role can edit discussion comments'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_EditDiscussionComment edge represents a role's ability to edit discussion comments authored by any user. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_editrepoannouncementbanners.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_editrepoannouncementbanners.mdx
deleted file mode 100644
index 2ddecd5..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_editrepoannouncementbanners.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_EditRepoAnnouncementBanners'
-description: '[Repository] Repo role can edit repository announcement banners'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_EditRepoAnnouncementBanners edge represents a role's ability to edit repository announcement banners displayed to visitors. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_editrepocustompropertiesvalues.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_editrepocustompropertiesvalues.mdx
deleted file mode 100644
index 08282ad..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_editrepocustompropertiesvalues.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_EditRepoCustomPropertiesValues'
-description: '[Repository] Repo role can edit custom property values on the repository'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_EditRepoCustomPropertiesValues edge represents a role's ability to edit custom property values on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Custom properties are organization-defined metadata fields on repositories that can be used for classification, compliance tagging, or policy enforcement via rulesets. Modifying custom property values could alter which organization-level rulesets apply to the repository, potentially bypassing security controls that are scoped by property-based targeting.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_editrepometadata.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_editrepometadata.mdx
deleted file mode 100644
index 357d32f..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_editrepometadata.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_EditRepoMetadata'
-description: '[Repository] Repo role can edit repository metadata'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_EditRepoMetadata edge represents a role's ability to edit repository metadata including description, homepage URL, and visibility settings. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_editrepoprotections.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_editrepoprotections.mdx
deleted file mode 100644
index abc1010..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_editrepoprotections.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_EditRepoProtections'
-description: 'Repo role can edit branch protection rules'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_EditRepoProtections edge represents a role's ability to edit or remove branch protection rules on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Modifying a branch protection rule is an indirect bypass -- removing or weakening protections opens the branch to direct push or unreviewed merges, making this a high-severity permission from a security perspective. Attack paths that include this edge can escalate to full branch write access by first disabling protections.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasbaserole.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasbaserole.mdx
deleted file mode 100644
index 811a22f..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hasbaserole.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_HasBaseRole'
-description: 'Role inherits permissions from another role'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: true
-
-## General Information
-
-The traversable GH_HasBaseRole edge represents role inheritance within the GitHub permission hierarchy. Org roles inherit down to all-repo roles (e.g., Owners inherits to all_repo_admin), and custom roles inherit from their base roles (e.g., a custom_role inherits from write). This edge is traversable because it extends permissions through the role hierarchy, meaning a principal with a higher-level role implicitly holds all inherited lower-level roles.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasbranch.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasbranch.mdx
deleted file mode 100644
index 9c890e5..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hasbranch.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_HasBranch'
-description: 'Repository has this branch'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_HasBranch edge represents the relationship between a repository and its branches. This edge links each collected branch to its parent repository. It is a structural edge that provides the foundation for understanding branch-level protections and access controls. While not traversable itself, it connects repositories to branches where traversable edges like [GH_CanWriteBranch](/opengraph/extensions/github/edges/gh_canwritebranch) and [GH_CanEditProtection](/opengraph/extensions/github/edges/gh_caneditprotection) model the effective access.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasenvironment.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasenvironment.mdx
deleted file mode 100644
index c10b153..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hasenvironment.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_HasEnvironment'
-description: 'Repository or branch has/can deploy to this environment'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_HasEnvironment edge represents the relationship between a repository or branch and its deployment environments. This edge links environments to the repositories that define them and to the branches that are allowed to deploy to them (via deployment branch policies). Environments are security-relevant because they can gate access to secrets and cloud credentials, and their deployment branch policies control which branches can trigger deployments.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasexternalidentity.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasexternalidentity.mdx
deleted file mode 100644
index f5ba480..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hasexternalidentity.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_HasExternalIdentity'
-description: 'SAML identity provider has this external identity'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_HasExternalIdentity edge represents the relationship between a SAML identity provider and the external identities (SSO users) it manages. This edge links each external identity to the SAML provider that authenticated it. External identities are a key component in cross-platform attack path analysis because they bridge the gap between corporate identity providers and GitHub user accounts via the [GH_MapsToUser](/opengraph/extensions/github/edges/gh_mapstouser) edge. Enumerating external identities reveals which corporate users have linked GitHub accounts and enables mapping from IdP compromise to GitHub access.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasjob.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasjob.mdx
deleted file mode 100644
index 9a6e786..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hasjob.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_HasJob'
-description: '[Workflow] Workflow contains this job — GH_Workflow → GH_WorkflowJob'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The traversable GH_HasJob edge links a workflow to each of its jobs. This edge is the primary structural link for walking from a workflow definition into its execution units. Because jobs can declare environments and permissions, traversing this edge enables analysts to reason about what a workflow can do and where it can deploy.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasmember.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasmember.mdx
deleted file mode 100644
index 40a274c..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hasmember.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_HasMember'
-description: 'Enterprise or organization has this user as a member'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_HasMember edge represents the relationship between a GitHub enterprise or organization and a user who is a member of that scope. This edge records membership as directory context rather than as an access path: being listed as a member does not by itself describe what the user can do, only that the user belongs to the enterprise or organization. Membership remains security-relevant because it defines the population from which roles, team assignments, and token approvals are drawn, and it helps analysts understand who is inside the trust boundary when reviewing GitHub exposure.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_haspersonalaccesstoken.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_haspersonalaccesstoken.mdx
deleted file mode 100644
index 2328603..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_haspersonalaccesstoken.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_HasPersonalAccessToken'
-description: 'User owns this personal access token that has been granted access to the organization'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_HasPersonalAccessToken edge represents the relationship between a user and their fine-grained personal access tokens that have been granted access to the organization. This edge links each approved token back to the user who created it. Fine-grained personal access tokens are security-significant because they provide programmatic access to organization resources with specific scoped permissions. Tracking token ownership is essential for understanding which users have standing API access and for identifying tokens that may need revocation.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_haspersonalaccesstokenrequest.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_haspersonalaccesstokenrequest.mdx
deleted file mode 100644
index 5d712d0..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_haspersonalaccesstokenrequest.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_HasPersonalAccessTokenRequest'
-description: 'User has a pending personal access token request for the organization'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_HasPersonalAccessTokenRequest edge represents the relationship between a user and their pending personal access token requests awaiting organizational approval. This edge links each pending token request back to the user who submitted it. Pending token requests are security-relevant because they represent access that may soon be granted, and reviewing them helps administrators understand what permissions users are requesting before approval. Organizations that require approval for fine-grained PATs will have these requests queued until an administrator acts on them.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasrole.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasrole.mdx
deleted file mode 100644
index 27f16bb..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hasrole.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_HasRole'
-description: 'User or team has a role assignment (org role, team role, or repo role)'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: true
-
-## General Information
-
-The traversable GH_HasRole edge represents the assignment of a user or team to a specific role within the organization, repository, or team. This is the primary edge for connecting identities to their permissions and serves as the foundation of all access paths in the GitHub permission model. Because role assignment is the starting point for determining what a principal can do, this edge is traversable and critical for attack path analysis.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hassamlidentityprovider.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hassamlidentityprovider.mdx
deleted file mode 100644
index 5396d13..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hassamlidentityprovider.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_HasSamlIdentityProvider'
-description: 'Organization has this SAML identity provider configured'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_HasSamlIdentityProvider edge represents the relationship between an organization and its SAML identity provider configuration. This edge links an organization to the SAML SSO provider used for authentication and user provisioning. SAML identity providers are a critical security component because they establish the trust boundary between an external identity provider (such as Entra ID or Okta) and the GitHub organization. Understanding this relationship is essential for mapping cross-platform attack paths where compromise of the identity provider could lead to access within the GitHub organization.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hassecret.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hassecret.mdx
deleted file mode 100644
index 36827fc..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hassecret.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_HasSecret'
-description: 'Repository or environment has access to this secret'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: true
-
-## General Information
-
-The traversable GH_HasSecret edge represents the relationship between a repository or environment and the secrets accessible within that context. This edge shows which secrets are available in which scopes. Repositories can have access to both organization-level secrets (scoped to selected repositories) and repository-level secrets, while environments contain their own environment-scoped secrets. This edge is traversable because any principal that can push code to a repository (via [GH_CanWriteBranch](/opengraph/extensions/github/edges/gh_canwritebranch) or [GH_CanCreateBranch](/opengraph/extensions/github/edges/gh_cancreatebranch)) can write a workflow that exfiltrates the secret values at runtime, making this a meaningful link in attack path analysis.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasstep.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasstep.mdx
deleted file mode 100644
index a4feaa2..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hasstep.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_HasStep'
-description: '[Workflow] Job contains this step — GH_WorkflowJob → GH_WorkflowStep'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The traversable GH_HasStep edge links a job to each of its steps in execution order. This edge enables analysts to enumerate all actions and shell commands executed by a job, including which secrets and variables each step consumes.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasvariable.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasvariable.mdx
deleted file mode 100644
index f5ea58d..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hasvariable.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_HasVariable'
-description: 'Repository has access to this variable (org-level or repo-level)'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: true
-
-## General Information
-
-The traversable GH_HasVariable edge represents the relationship between a repository and the variables accessible within that context. This edge shows which variables are available in which scopes. Repositories can have access to both organization-level variables (scoped by visibility to all, private, or selected repositories) and repository-level variables defined directly on the repo. This edge is traversable because any principal that can push code to a repository (via [GH_CanWriteBranch](/opengraph/extensions/github/edges/gh_canwritebranch) or [GH_CanCreateBranch](/opengraph/extensions/github/edges/gh_cancreatebranch)) can write a workflow that reads variable values at runtime, and variables may contain configuration data useful for lateral movement such as deployment URLs, service names, or environment identifiers.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_hasworkflow.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_hasworkflow.mdx
deleted file mode 100644
index 7468894..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_hasworkflow.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_HasWorkflow'
-description: 'Repository has this workflow'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_HasWorkflow edge represents the relationship between a repository and its GitHub Actions workflows. This edge links each discovered workflow definition to its parent repository. Workflows are significant from a security perspective because they can execute arbitrary code with repository permissions, access secrets, and assume cloud identities. This structural edge enables analysts to enumerate which workflows exist in a given repository.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_installedas.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_installedas.mdx
deleted file mode 100644
index b104e88..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_installedas.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_InstalledAs'
-description: 'GitHub App is installed as this app installation on an organization'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: true
-
-## General Information
-
-The traversable GH_InstalledAs edge links a GitHub App to its installation within the organization. This edge is traversable because it connects the app definition to its active installation, which determines the specific set of repositories and permissions the app has been granted. Understanding the relationship between an app and its installation is essential for tracing how app-level permissions translate into repository access.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_invitemember.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_invitemember.mdx
deleted file mode 100644
index c840753..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_invitemember.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_InviteMember'
-description: '[Organization] Org role can invite members to the organization'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_InviteMember edge represents that a role has the ability to invite new members to the organization. This permission is typically restricted to Owners, as inviting members expands the organization's trust boundary by granting new users access to internal resources. An attacker with this permission could invite a controlled account to gain persistent access to the organization's repositories, teams, and secrets.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_jumpmergequeue.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_jumpmergequeue.mdx
deleted file mode 100644
index b189aa5..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_jumpmergequeue.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_JumpMergeQueue'
-description: 'Repo role can jump the merge queue'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_JumpMergeQueue edge represents a role's ability to jump ahead of other entries in the merge queue. This permission is available to Admin roles and custom roles that have been granted this specific permission. Merge queues enforce an ordered sequence of CI checks and merges; jumping the queue allows a principal to prioritize their changes ahead of others. While less severe than bypassing protections entirely, this permission can be used to accelerate the landing of malicious changes before other queued entries are reviewed or tested.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_managedeploykeys.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_managedeploykeys.mdx
deleted file mode 100644
index 846a35c..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_managedeploykeys.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_ManageDeployKeys'
-description: '[Repository] Repo role can manage deploy keys'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_ManageDeployKeys edge represents a role's ability to create, modify, and delete deploy keys for the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Deploy keys provide SSH-based access to the repository, and a deploy key with write access can push commits directly without going through the GitHub web interface or API authentication. Managing deploy keys is security-significant because it enables the creation of persistent, credential-based access that operates outside the normal user authentication flow.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_managediscussionbadges.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_managediscussionbadges.mdx
deleted file mode 100644
index 8040d90..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_managediscussionbadges.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_ManageDiscussionBadges'
-description: '[Repository] Repo role can manage discussion badges'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_ManageDiscussionBadges edge represents a role's ability to manage discussion badges used to highlight discussion participants. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_manageorganizationwebhooks.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_manageorganizationwebhooks.mdx
deleted file mode 100644
index a7113db..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_manageorganizationwebhooks.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_ManageOrganizationWebhooks'
-description: '[Organization] Org role can manage organization webhooks'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_ManageOrganizationWebhooks edge represents that a role has the ability to manage organization-level webhooks. This edge is dynamically generated from custom organization role permissions discovered by the collector. Webhooks can be configured to send event data to external endpoints, making this permission significant for security because an attacker could create or modify webhooks to exfiltrate repository data, commit contents, or issue details to an attacker-controlled server, or use them as a persistence mechanism.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_managereposecurityproducts.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_managereposecurityproducts.mdx
deleted file mode 100644
index 648118c..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_managereposecurityproducts.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_ManageRepoSecurityProducts'
-description: 'Repo role can manage repo-level security products'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_ManageRepoSecurityProducts edge represents a role's ability to manage repository-specific security product settings. This permission is available to Admin roles and custom roles that have been granted this specific permission. Unlike the broader [GH_ManageSecurityProducts](/opengraph/extensions/github/edges/gh_managesecurityproducts) permission, this edge is scoped to repository-level security configuration such as repository-specific scanning settings and alert management. Disabling repository-level security products can create blind spots in vulnerability detection for the specific repository.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_managesecurityproducts.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_managesecurityproducts.mdx
deleted file mode 100644
index 55b0a95..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_managesecurityproducts.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_ManageSecurityProducts'
-description: 'Repo role can manage security products'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_ManageSecurityProducts edge represents a role's ability to manage security product settings on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Managing security products allows enabling or disabling features such as secret scanning, code scanning, and Dependabot alerts. An attacker with this permission could disable security features to prevent detection of vulnerabilities or leaked secrets, making this a high-severity permission for security posture management.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingsmergetypes.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingsmergetypes.mdx
deleted file mode 100644
index 98c7154..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingsmergetypes.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_ManageSettingsMergeTypes'
-description: '[Repository] Repo role can manage allowed merge types'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_ManageSettingsMergeTypes edge represents a role's ability to configure allowed merge types (merge commit, squash, rebase) on the repository. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingspages.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingspages.mdx
deleted file mode 100644
index 77a9255..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingspages.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_ManageSettingsPages'
-description: '[Repository] Repo role can manage GitHub Pages settings'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_ManageSettingsPages edge represents a role's ability to manage GitHub Pages settings including enabling, disabling, and configuring the source. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingsprojects.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingsprojects.mdx
deleted file mode 100644
index 086f2e0..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingsprojects.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_ManageSettingsProjects'
-description: '[Repository] Repo role can manage project settings'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_ManageSettingsProjects edge represents a role's ability to manage project board settings on the repository. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingswiki.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingswiki.mdx
deleted file mode 100644
index 5d30114..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_managesettingswiki.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_ManageSettingsWiki'
-description: '[Repository] Repo role can manage wiki settings'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_ManageSettingsWiki edge represents a role's ability to enable or disable the repository wiki. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_managetopics.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_managetopics.mdx
deleted file mode 100644
index 1e29a3e..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_managetopics.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_ManageTopics'
-description: '[Repository] Repo role can manage repository topics'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_ManageTopics edge represents a role's ability to manage repository topics used for discovery and classification. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_managewebhooks.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_managewebhooks.mdx
deleted file mode 100644
index 70f7314..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_managewebhooks.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_ManageWebhooks'
-description: '[Repository] Repo role can manage repository webhooks'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_ManageWebhooks edge represents a role's ability to create, modify, and delete repository-level webhooks. This permission is available to Admin roles and custom roles that have been granted this specific permission. Webhooks can exfiltrate repository events and code changes to external endpoints, making this a security-sensitive permission. An attacker with this permission could configure a webhook to receive push event payloads containing commit diffs, effectively creating a covert channel for data exfiltration.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_mapstouser.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_mapstouser.mdx
deleted file mode 100644
index f298fc5..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_mapstouser.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_MapsToUser'
-description: 'External identity maps to a GitHub user or identity provider user'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_MapsToUser edge maps an external identity (provisioned via SAML or SCIM) to a GitHub user within the organization, or to an external IdP user (such as [AZUser](/resources/nodes/az-user), [Okta_User](/opengraph/extensions/okta/nodes/okta_user), or [PingOneUser](https://github.com/andyrobbins/PingOneHound?tab=readme-ov-file#schema)) in hybrid graph scenarios. This edge represents identity correlation rather than an attack path, connecting a user's external IdP account to their GitHub account for visibility into federated identity mappings.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_markasduplicate.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_markasduplicate.mdx
deleted file mode 100644
index 2ca9e8c..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_markasduplicate.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_MarkAsDuplicate'
-description: '[Repository] Repo role can mark issues or pull requests as duplicates'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_MarkAsDuplicate edge represents a role's ability to mark issues or pull requests as duplicates. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_memberof.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_memberof.mdx
deleted file mode 100644
index 3251fee..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_memberof.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_MemberOf'
-description: 'Team role is a member of a team, or team is a nested member of a parent team'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: true
-
-## General Information
-
-The traversable GH_MemberOf edge represents team membership, linking a team role to its parent team or a child team to a parent team in nested team hierarchies. This edge is traversable because team membership extends access transitively -- a user who holds a role in a child team inherits the repository permissions of all ancestor teams in the nesting hierarchy, making it a key component of attack path analysis.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_orgbypasscodescanningdismissalrequests.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_orgbypasscodescanningdismissalrequests.mdx
deleted file mode 100644
index 6bb0588..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_orgbypasscodescanningdismissalrequests.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_OrgBypassCodeScanningDismissalRequests'
-description: '[Organization] Org role can bypass code scanning dismissal requests'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_OrgBypassCodeScanningDismissalRequests edge represents that a role can bypass code scanning dismissal requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. This permission allows suppressing code scanning security findings without the standard review process, which is significant because an attacker could use it to hide vulnerabilities or malicious code patterns that would otherwise be flagged by automated scanning tools.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_orgbypasssecretscanningclosurerequests.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_orgbypasssecretscanningclosurerequests.mdx
deleted file mode 100644
index 49c8f66..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_orgbypasssecretscanningclosurerequests.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_OrgBypassSecretScanningClosureRequests'
-description: '[Organization] Org role can bypass secret scanning closure requests'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_OrgBypassSecretScanningClosureRequests edge represents that a role can bypass secret scanning closure requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. This permission allows closing secret scanning alerts without going through the standard review and approval process, which is significant because an attacker could use it to suppress alerts about leaked credentials and prevent incident response teams from being notified.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_orgreviewandmanagesecretscanningbypassrequests.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_orgreviewandmanagesecretscanningbypassrequests.mdx
deleted file mode 100644
index 3c48b8f..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_orgreviewandmanagesecretscanningbypassrequests.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_OrgReviewAndManageSecretScanningBypassRequests'
-description: '[Organization] Org role can review and manage secret scanning bypass requests'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_OrgReviewAndManageSecretScanningBypassRequests edge represents that a role can review and manage secret scanning push protection bypass requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. Push protection prevents secrets from being committed to repositories, and bypass requests allow developers to override this protection for specific commits. An attacker with this permission could approve their own or an accomplice's bypass requests, allowing secrets to be committed to repositories without triggering push protection blocks.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_orgreviewandmanagesecretscanningclosurerequests.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_orgreviewandmanagesecretscanningclosurerequests.mdx
deleted file mode 100644
index e1e046f..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_orgreviewandmanagesecretscanningclosurerequests.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_OrgReviewAndManageSecretScanningClosureRequests'
-description: '[Organization] Org role can review and manage secret scanning closure requests'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_OrgReviewAndManageSecretScanningClosureRequests edge represents that a role can review and manage secret scanning alert closure requests at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. Alert closure requests are part of the workflow for closing secret scanning alerts, and this permission controls who can approve or deny those requests. An attacker with this permission could approve closure requests to suppress alerts about actively leaked credentials, undermining the organization's secret scanning remediation process.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_owns.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_owns.mdx
deleted file mode 100644
index 2ee5263..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_owns.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_Owns'
-description: 'Organization owns a repository'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: true
-
-## General Information
-
-The traversable GH_Owns edge represents that an organization owns a repository. This edge establishes the foundation of the access control model by linking repositories to their owning organization. It is traversable because repository ownership is a critical relationship for understanding how organizational permissions cascade down to repository-level access, making it essential for attack path analysis.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_protectedby.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_protectedby.mdx
deleted file mode 100644
index c7e9f40..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_protectedby.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_ProtectedBy'
-description: 'Branch protection rule protects this branch'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_ProtectedBy edge represents that a branch protection rule applies to a specific branch. This edge links protection rules to the branches they govern. Understanding which protections apply to a branch is critical for determining the effective access model — protections such as required reviews, status checks, and push restrictions directly impact who can modify a branch. This edge is consumed by the computed branch-access edges to determine effective push access; the computed [GH_CanWriteBranch](/opengraph/extensions/github/edges/gh_canwritebranch) and [GH_CanEditProtection](/opengraph/extensions/github/edges/gh_caneditprotection) edges carry traversability instead.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_pushprotectedbranch.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_pushprotectedbranch.mdx
deleted file mode 100644
index f6a441e..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_pushprotectedbranch.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_PushProtectedBranch'
-description: '[Repository] Repo role can push to branches with push restrictions. Not affected by enforce_admins.'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_PushProtectedBranch edge represents a role's ability to push directly to branches that are protected by push restrictions. This permission is available to Admin and Maintain roles. This edge bypasses the push gate of branch protection, allowing direct commits to protected branches without going through the pull request workflow. Unlike merge gate bypasses (such as [GH_BypassBranchProtection](/opengraph/extensions/github/edges/gh_bypassbranchprotection)), this push gate bypass is NOT suppressed by the `enforce_admins` setting on the branch protection rule, making it a particularly potent permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_readcodescanning.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_readcodescanning.mdx
deleted file mode 100644
index 0fb366a..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_readcodescanning.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_ReadCodeScanning'
-description: '[Repository] Repo role can read code scanning results'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_ReadCodeScanning edge represents a role's ability to read code scanning analysis results and alerts. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. Code scanning alerts may reveal exploitable vulnerabilities in the codebase.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationactionsusagemetrics.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationactionsusagemetrics.mdx
deleted file mode 100644
index 2c5d5a6..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationactionsusagemetrics.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_ReadOrganizationActionsUsageMetrics'
-description: '[Organization] Org role can read Actions usage metrics'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_ReadOrganizationActionsUsageMetrics edge represents that a role can read GitHub Actions usage metrics for the organization. This edge is dynamically generated from custom organization role permissions discovered by the collector. Usage metrics provide visibility into workflow execution patterns, runner utilization, and billing data across the organization. While this is primarily an informational permission, it can reveal which repositories have active CI/CD pipelines and the scale of automation in use.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationcustomorgrole.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationcustomorgrole.mdx
deleted file mode 100644
index 3fd33b9..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationcustomorgrole.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_ReadOrganizationCustomOrgRole'
-description: '[Organization] Org role can read custom org role definitions'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_ReadOrganizationCustomOrgRole edge represents that a role can read custom organization role definitions. This edge is dynamically generated from custom organization role permissions discovered by the collector. Reading custom org role definitions allows a user to enumerate the permissions granted to each custom role, which provides reconnaissance value for understanding the organization's access control model and identifying roles with elevated privileges.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationcustomreporole.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationcustomreporole.mdx
deleted file mode 100644
index afaceed..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_readorganizationcustomreporole.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_ReadOrganizationCustomRepoRole'
-description: '[Organization] Org role can read custom repo role definitions'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_ReadOrganizationCustomRepoRole edge represents that a role can read custom repository role definitions. This edge is dynamically generated from custom organization role permissions discovered by the collector. Reading custom repo role definitions allows a user to enumerate the permissions granted to each custom repository role, which provides reconnaissance value for understanding repository-level access controls and identifying roles that grant elevated repository permissions.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_readrepocontents.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_readrepocontents.mdx
deleted file mode 100644
index 62b3f52..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_readrepocontents.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_ReadRepoContents'
-description: '[Repository] Repo role can read repository contents'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_ReadRepoContents edge represents a role's ability to read repository contents including source code, issues, and pull requests. This is the base level of repository access, available to all roles at the Read permission level and above (Read, Triage, Write, Maintain, Admin).
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_removeassignee.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_removeassignee.mdx
deleted file mode 100644
index ea0dbec..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_removeassignee.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_RemoveAssignee'
-description: '[Repository] Repo role can remove assignees from issues and pull requests'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_RemoveAssignee edge represents a role's ability to remove assignees from issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_removelabel.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_removelabel.mdx
deleted file mode 100644
index 4991b25..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_removelabel.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_RemoveLabel'
-description: '[Repository] Repo role can remove labels from issues and pull requests'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_RemoveLabel edge represents a role's ability to remove labels from issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_reopendiscussion.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_reopendiscussion.mdx
deleted file mode 100644
index b4e706b..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_reopendiscussion.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_ReopenDiscussion'
-description: '[Repository] Repo role can reopen discussions'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_ReopenDiscussion edge represents a role's ability to reopen closed discussions to allow further replies. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_reopenissue.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_reopenissue.mdx
deleted file mode 100644
index 68d4963..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_reopenissue.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_ReopenIssue'
-description: '[Repository] Repo role can reopen closed issues'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_ReopenIssue edge represents a role's ability to reopen closed issues. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_reopenpullrequest.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_reopenpullrequest.mdx
deleted file mode 100644
index 0862292..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_reopenpullrequest.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_ReopenPullRequest'
-description: '[Repository] Repo role can reopen closed pull requests'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_ReopenPullRequest edge represents a role's ability to reopen closed pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_requestprreview.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_requestprreview.mdx
deleted file mode 100644
index 77dfe7c..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_requestprreview.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_RequestPrReview'
-description: '[Repository] Repo role can request pull request reviews'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_RequestPrReview edge represents a role's ability to request pull request reviews from specific users or teams. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_resolvedependabotalerts.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_resolvedependabotalerts.mdx
deleted file mode 100644
index ea008a8..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_resolvedependabotalerts.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_ResolveDependabotAlerts'
-description: '[Repository] Repo role can resolve Dependabot alerts'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_ResolveDependabotAlerts edge represents a role's ability to dismiss or resolve Dependabot alerts. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. An attacker could dismiss valid alerts to suppress vulnerability warnings and prevent remediation.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_resolvesecretscanningalerts.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_resolvesecretscanningalerts.mdx
deleted file mode 100644
index 8acbc3f..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_resolvesecretscanningalerts.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_ResolveSecretScanningAlerts'
-description: '[Organization] Org role can resolve secret scanning alerts'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_ResolveSecretScanningAlerts edge represents that a role can resolve (close) secret scanning alerts at the organization level. This edge is dynamically generated from custom organization role permissions discovered by the collector. Resolving a secret scanning alert marks a leaked secret as addressed, which removes it from active monitoring dashboards. An attacker with this permission could suppress alerts about leaked credentials to prevent incident response teams from detecting and rotating compromised secrets.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_restrictionscanpush.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_restrictionscanpush.mdx
deleted file mode 100644
index 232acec..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_restrictionscanpush.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_RestrictionsCanPush'
-description: 'User or team is allowed to push to branches protected by this rule'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_RestrictionsCanPush edge represents a per-actor allowance that grants push access through push restrictions on a branch protection rule. This edge identifies specific users or teams that are permitted to push to the protected branch even when push restrictions are active. This is security-relevant because push restrictions limit who can directly push to a branch, and actors with this allowance bypass that control. Unlike [GH_BypassPullRequestAllowances](/opengraph/extensions/github/edges/gh_bypasspullrequestallowances), this allowance is NOT suppressed by `enforce_admins` — listed actors retain push access regardless of admin enforcement settings.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_runorgmigration.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_runorgmigration.mdx
deleted file mode 100644
index 110e1d1..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_runorgmigration.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_RunOrgMigration'
-description: '[Repository] Repo role can run organization migrations'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_RunOrgMigration edge represents a role's ability to run organization migrations on the repository. This permission is available to Admin roles and custom roles that have been granted this specific permission. Organization migrations export repository data including source code, issues, and pull requests, which can be used to transfer repository contents to another organization. This permission is security-relevant because it enables bulk data export from the repository.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_setinteractionlimits.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_setinteractionlimits.mdx
deleted file mode 100644
index 7e9c795..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_setinteractionlimits.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_SetInteractionLimits'
-description: '[Repository] Repo role can set interaction limits on the repository'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_SetInteractionLimits edge represents a role's ability to set temporary interaction limits to restrict who can comment, open issues, or create pull requests. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_setissuetype.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_setissuetype.mdx
deleted file mode 100644
index fde251d..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_setissuetype.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_SetIssueType'
-description: '[Repository] Repo role can set issue types'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_SetIssueType edge represents a role's ability to set issue types. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_setmilestone.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_setmilestone.mdx
deleted file mode 100644
index fa421bb..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_setmilestone.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_SetMilestone'
-description: '[Repository] Repo role can set milestones on issues and pull requests'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_SetMilestone edge represents a role's ability to set milestones on issues and pull requests. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_setsocialpreview.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_setsocialpreview.mdx
deleted file mode 100644
index 54eb6b3..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_setsocialpreview.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_SetSocialPreview'
-description: '[Repository] Repo role can set the repository social preview image'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_SetSocialPreview edge represents a role's ability to set the repository social preview image shown in link previews. This permission is available to Maintain and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_syncedto.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_syncedto.mdx
deleted file mode 100644
index b1d37ad..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_syncedto.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_SyncedTo'
-description: 'External identity (Azure, Okta, PingOne) is synced to this GitHub user via SSO/SCIM'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: true
-
-## General Information
-
-The traversable GH_SyncedTo edge is a hybrid edge that maps an external IdP user to a GitHub user based on SCIM provisioning. This edge represents a confirmed identity linkage between an external identity provider and GitHub. It is traversable because compromising the IdP account provides a verified path to the corresponding GitHub account, making it a critical edge for cross-system attack path analysis. This edge enables analysts to trace access from enterprise identity providers like Azure AD, Okta, or PingOne into the GitHub environment.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_togglediscussionanswer.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_togglediscussionanswer.mdx
deleted file mode 100644
index f6524cd..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_togglediscussionanswer.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_ToggleDiscussionAnswer'
-description: '[Repository] Repo role can toggle discussion answers'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_ToggleDiscussionAnswer edge represents a role's ability to mark or unmark a discussion comment as the accepted answer. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_togglediscussioncommentminimize.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_togglediscussioncommentminimize.mdx
deleted file mode 100644
index c98b9d0..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_togglediscussioncommentminimize.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_ToggleDiscussionCommentMinimize'
-description: '[Repository] Repo role can minimize discussion comments'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_ToggleDiscussionCommentMinimize edge represents a role's ability to minimize or restore discussion comments, hiding them from default view. This permission is available to Triage, Write, Maintain, and Admin roles and custom roles that have been granted this specific permission.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_transferrepository.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_transferrepository.mdx
deleted file mode 100644
index 838f292..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_transferrepository.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_TransferRepository'
-description: '[Organization] Org role can transfer repositories'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_TransferRepository edge represents that a role has the ability to transfer repositories to or from the organization. This permission is typically restricted to Owners, as transferring a repository can move it outside of the organization's security controls, branch protection rules, and audit logging. An attacker with this permission could transfer a repository to an organization they control, effectively exfiltrating the codebase and its associated secrets.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_usessecret.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_usessecret.mdx
deleted file mode 100644
index e0c3522..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_usessecret.mdx
+++ /dev/null
@@ -1,30 +0,0 @@
----
-title: 'GH_UsesSecret'
-description: '[Workflow] Step references a secret by name — GH_WorkflowStep → GH_RepoSecret / GH_OrgSecret (name match)'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The traversable GH_UsesSecret edge links a workflow step to the secret it references via a `${{ secrets.NAME }}` expression. This edge reveals which secrets a step can access at runtime, enabling analysts to trace the blast radius of a compromised workflow.
-
-### Matching strategy
-
-Edges use `match_by: property` with two matchers to disambiguate between secrets with the same name across repositories:
-
-- **[GH_RepoSecret](/opengraph/extensions/github/nodes/gh_reposecret)** is matched by `name` + `repository_id` (the GitHub node_id of the repository).
-- **[GH_OrgSecret](/opengraph/extensions/github/nodes/gh_orgsecret)** is matched by `name` + `environmentid` (the node_id of the organization, which acts as the org-level secret scope).
-
-This means one `${{ secrets.MY_SECRET }}` expression in a workflow can produce up to two GH_UsesSecret edges — one to the repo-level secret and one to the org-level secret — reflecting that either could supply the value at runtime depending on scope precedence.
-
-### Context property
-
-The edge carries a `context` property indicating where the reference was found:
-- `with` — inside a `with:` input block of a `uses:` action step
-- `env` — inside the step's `env:` block
-- `run` — inline within a `run:` shell script
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_usesvariable.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_usesvariable.mdx
deleted file mode 100644
index 7259e17..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_usesvariable.mdx
+++ /dev/null
@@ -1,30 +0,0 @@
----
-title: 'GH_UsesVariable'
-description: '[Workflow] Step references a variable by name — GH_WorkflowStep → GH_RepoVariable / GH_OrgVariable (name match)'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_UsesVariable edge links a workflow step to the variable it references via a `${{ vars.NAME }}` expression. This edge maps variable consumption within workflows. Unlike secrets, variable values are readable via the API, making them lower sensitivity — but they can still influence workflow behavior (e.g., controlling target environments or feature flags).
-
-### Matching strategy
-
-Edges use `match_by: property` with two matchers to disambiguate between variables with the same name across repositories:
-
-- **[GH_RepoVariable](/opengraph/extensions/github/nodes/gh_repovariable)** is matched by `name` + `repository_id` (the GitHub node_id of the repository).
-- **[GH_OrgVariable](/opengraph/extensions/github/nodes/gh_orgvariable)** is matched by `name` + `environmentid` (the node_id of the organization, which acts as the org-level variable scope).
-
-This means one `${{ vars.MY_VAR }}` expression can produce up to two GH_UsesVariable edges — one to the repo-level variable and one to the org-level variable.
-
-### Context property
-
-The edge carries a `context` property indicating where the reference was found:
-- `with` — inside a `with:` input block of a `uses:` action step
-- `env` — inside the step's `env:` block
-- `run` — inline within a `run:` shell script
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_validtoken.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_validtoken.mdx
deleted file mode 100644
index 7d17360..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_validtoken.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_ValidToken'
-description: 'Secret scanning alert contains a valid, active token belonging to this user'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: true
-
-## General Information
-
-The traversable GH_ValidToken edge represents a secret scanning alert that contains a valid, active GitHub Personal Access Token belonging to a specific user. This edge is only emitted when the alert's state is `open`, the secret type is `github_personal_access_token`, and the token is confirmed valid by calling the GitHub API. This edge is traversable because possessing the leaked token grants the ability to act as the token's owner, effectively compromising that user's identity and all permissions granted to the token.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_viewdependabotalerts.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_viewdependabotalerts.mdx
deleted file mode 100644
index 0c6b6c3..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_viewdependabotalerts.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_ViewDependabotAlerts'
-description: '[Repository] Repo role can view Dependabot alerts'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_ViewDependabotAlerts edge represents a role's ability to view Dependabot security alerts, which reveal known vulnerabilities in the repository's dependencies. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. This information could be used to identify and exploit unpatched vulnerabilities.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_viewsecretscanningalerts.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_viewsecretscanningalerts.mdx
deleted file mode 100644
index 978cdcb..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_viewsecretscanningalerts.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_ViewSecretScanningAlerts'
-description: '[Repository] Role can view secret scanning alerts'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_ViewSecretScanningAlerts edge represents that a role can view secret scanning alerts at the organization or repository level. This edge is dynamically generated from custom role permissions discovered by the collector. Secret scanning alerts may reveal details about leaked credentials, including partial or full secret values and the locations where they were detected. This makes the permission significant for security because an attacker with access to view these alerts could harvest exposed credentials for use in lateral movement or privilege escalation.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_writecodescanning.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_writecodescanning.mdx
deleted file mode 100644
index fb66121..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_writecodescanning.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_WriteCodeScanning'
-description: '[Repository] Repo role can upload code scanning results'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_WriteCodeScanning edge represents a role's ability to upload code scanning analysis results. This permission is available to Write, Maintain, and Admin roles and custom roles that have been granted this specific permission. An attacker could upload falsified SARIF results to suppress real alerts or inject misleading findings.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionssecrets.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionssecrets.mdx
deleted file mode 100644
index b0d1364..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionssecrets.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_WriteOrganizationActionsSecrets'
-description: '[Organization] Org role can write Actions secrets'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_WriteOrganizationActionsSecrets edge represents that a role can write organization-level GitHub Actions secrets. This edge is dynamically generated from custom organization role permissions discovered by the collector. Organization-level secrets are available to workflows across multiple repositories and often contain credentials for external systems such as cloud providers, package registries, and deployment targets. An attacker with this permission could overwrite existing secrets to inject malicious credentials or create new secrets to facilitate lateral movement.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionssettings.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionssettings.mdx
deleted file mode 100644
index 3908ced..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionssettings.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_WriteOrganizationActionsSettings'
-description: '[Organization] Org role can write Actions settings'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_WriteOrganizationActionsSettings edge represents that a role can modify organization-level GitHub Actions settings. This edge is dynamically generated from custom organization role permissions discovered by the collector. These settings control which actions are allowed to run within the organization and the default permissions granted to the `GITHUB_TOKEN` in workflows. An attacker with this permission could weaken restrictions to allow untrusted third-party actions or elevate default token permissions to enable write access across repositories.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionsvariables.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionsvariables.mdx
deleted file mode 100644
index 8c9ce9b..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationactionsvariables.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_WriteOrganizationActionsVariables'
-description: '[Organization] Org role can write Actions variables'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_WriteOrganizationActionsVariables edge represents that a role can write organization-level GitHub Actions variables. This edge is dynamically generated from custom organization role permissions discovered by the collector. Organization-level variables are available to workflows across multiple repositories and often contain configuration values such as environment URLs, feature flags, and service endpoints. An attacker with this permission could overwrite existing variables to redirect workflows to malicious endpoints or alter application behavior.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationcustomorgrole.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationcustomorgrole.mdx
deleted file mode 100644
index e001d84..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationcustomorgrole.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_WriteOrganizationCustomOrgRole'
-description: '[Organization] Org role can write custom org role definitions'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: true
-
-## General Information
-
-The traversable GH_WriteOrganizationCustomOrgRole edge represents that a role can create or modify custom organization role definitions. This edge is dynamically generated from custom organization role permissions discovered by the collector. Modifying organization role definitions can escalate privileges because an attacker could add permissions to an existing custom role that is already assigned to their account, including setting the base_role to inherit all_repo_admin. Since this permission can only belong to custom organization roles, the user necessarily holds the role they can modify — guaranteeing a self-escalation path. This makes it a Tier Zero privilege escalation vector.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationcustomreporole.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationcustomreporole.mdx
deleted file mode 100644
index ad4acb4..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationcustomreporole.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_WriteOrganizationCustomRepoRole'
-description: '[Organization] Org role can write custom repo role definitions'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_WriteOrganizationCustomRepoRole edge represents that a role can create or modify custom repository role definitions. This edge is dynamically generated from custom organization role permissions discovered by the collector. Modifying repository role definitions can escalate privileges because an attacker could add permissions such as admin access, bypass branch protections, or secret management to a custom repo role that is already assigned to their account. This makes it a high-impact permission for gaining elevated access to repositories across the organization.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationnetworkconfigurations.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationnetworkconfigurations.mdx
deleted file mode 100644
index 434d3d9..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_writeorganizationnetworkconfigurations.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_WriteOrganizationNetworkConfigurations'
-description: '[Organization] Org role can write network configurations'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_WriteOrganizationNetworkConfigurations edge represents that a role can modify organization network configurations. This edge is dynamically generated from custom organization role permissions discovered by the collector. Network configurations control how GitHub-hosted runners connect to private resources such as internal APIs, databases, and cloud services. An attacker with this permission could modify network settings to route runner traffic through attacker-controlled infrastructure or grant runners access to previously isolated network segments.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_writerepocontents.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_writerepocontents.mdx
deleted file mode 100644
index 7d8d28c..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_writerepocontents.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_WriteRepoContents'
-description: '[Repository] Repo role can write repository contents'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_WriteRepoContents edge represents a role's ability to push commits to the repository. This permission is available to Write, Maintain, and Admin roles. Pushing code can modify application behavior and introduce vulnerabilities, making this a security-significant edge. However, this edge represents only the raw permission; actual branch push capability is determined by the computed [GH_CanWriteBranch](/opengraph/extensions/github/edges/gh_canwritebranch) edge, which factors in branch protection rules and push restrictions.
diff --git a/docs/official-docs/opengraph/extensions/github/edges/gh_writerepopullrequests.mdx b/docs/official-docs/opengraph/extensions/github/edges/gh_writerepopullrequests.mdx
deleted file mode 100644
index 334297e..0000000
--- a/docs/official-docs/opengraph/extensions/github/edges/gh_writerepopullrequests.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: 'GH_WriteRepoPullRequests'
-description: '[Repository] Repo role can create and merge pull requests'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable GH_WriteRepoPullRequests edge represents a role's ability to create and merge pull requests in the repository. This permission is available to Write, Maintain, and Admin roles. Pull request merge access is security-significant because merging code into protected branches is a common vector for introducing unauthorized changes; however, actual merge capability on protected branches is further governed by branch protection rules and required reviews.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_app.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_app.mdx
deleted file mode 100644
index 784c6f4..0000000
--- a/docs/official-docs/opengraph/extensions/github/nodes/gh_app.mdx
+++ /dev/null
@@ -1,13 +0,0 @@
----
-title: 'GH_App'
-description: 'A GitHub App definition representing the registered application. The app owner controls the private key used to generate installation tokens.'
-icon: '/images/extensions/github/gh_app.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents a GitHub App definition — the registered application entity. The app owner holds the private key that can generate installation access tokens for **every** [GH_AppInstallation](/opengraph/extensions/github/nodes/gh_appinstallation) of this app. If the private key is compromised, all installations across all organizations are affected.
-
-App definitions are retrieved via the public `GET /apps/{app_slug}` endpoint (no authentication required) after discovering unique app slugs from the organization's app installations.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_appinstallation.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_appinstallation.mdx
deleted file mode 100644
index 965a688..0000000
--- a/docs/official-docs/opengraph/extensions/github/nodes/gh_appinstallation.mdx
+++ /dev/null
@@ -1,13 +0,0 @@
----
-title: 'GH_AppInstallation'
-description: 'A GitHub App installed on the organization with specific permissions and repository access'
-icon: '/images/extensions/github/gh_appinstallation.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents a GitHub App installed on an organization. App installations have specific permissions and can be scoped to all repositories or a selection of repositories. The permissions granted to the app are captured as a JSON string in the properties.
-
-Each installation is linked to its parent [GH_App](/opengraph/extensions/github/nodes/gh_app) via a [GH_InstalledAs](/opengraph/extensions/github/edges/gh_installedas) edge. For installations with `repository_selection` set to `all`, [GH_CanAccess](/opengraph/extensions/github/edges/gh_canaccess) edges are created to every repository in the organization. For installations with `repository_selection` set to `selected`, repository-level edges cannot be enumerated with a PAT (requires app installation token authentication).
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_branch.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_branch.mdx
deleted file mode 100644
index 6f31223..0000000
--- a/docs/official-docs/opengraph/extensions/github/nodes/gh_branch.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-title: 'GH_Branch'
-description: 'A named reference in a repository representing a line of development'
-icon: '/images/extensions/github/gh_branch.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents a Git branch within a repository. Branch nodes capture basic branch information and whether the branch is protected. Protection rule details are stored in separate [GH_BranchProtectionRule](/opengraph/extensions/github/nodes/gh_branchprotectionrule) nodes, linked via [GH_ProtectedBy](/opengraph/extensions/github/edges/gh_protectedby) edges.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_branchprotectionrule.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_branchprotectionrule.mdx
deleted file mode 100644
index 06955cc..0000000
--- a/docs/official-docs/opengraph/extensions/github/nodes/gh_branchprotectionrule.mdx
+++ /dev/null
@@ -1,42 +0,0 @@
----
-title: 'GH_BranchProtectionRule'
-description: 'A branch protection rule that applies to one or more branches via pattern matching'
-icon: '/images/extensions/github/gh_branchprotectionrule.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents a branch protection rule configured on a GitHub repository. Protection rules define requirements that must be met before changes can be merged to matching branches, such as required reviews, status checks, and restrictions on who can push.
-
-A single protection rule can apply to multiple branches via pattern matching (e.g., `main`, `release/*`).
-
-## Security Considerations
-
-Branch protection rules are critical security controls. Key settings to review:
-
-- **enforce_admins**: Enforces merge-gate controls (PR reviews, lock branch) for admins and users with `bypass_branch_protection`. Does **not** enforce push-gate controls (`push_restrictions`) for admins or users with `push_protected_branch`.
-- **required_pull_request_reviews**: Blocks direct pushes to existing protected branches. Bypassed by [GH_BypassBranchProtection](/opengraph/extensions/github/edges/gh_bypassbranchprotection) and [GH_BypassPullRequestAllowances](/opengraph/extensions/github/edges/gh_bypasspullrequestallowances) (both suppressed by `enforce_admins`).
-- **push_restrictions**: Restricts who can push. Bypassed by [GH_PushProtectedBranch](/opengraph/extensions/github/edges/gh_pushprotectedbranch), [GH_AdminTo](/opengraph/extensions/github/edges/gh_adminto), and [GH_RestrictionsCanPush](/opengraph/extensions/github/edges/gh_restrictionscanpush) (none suppressed by `enforce_admins`).
-- **blocks_creations**: Restricts new branch creation when `push_restrictions` is also `true`. Same bypass vectors as `push_restrictions`. Silently reverts to `false` if `push_restrictions` is disabled.
-- **lock_branch**: Makes branch read-only.
Bypassed by [GH_BypassBranchProtection](/opengraph/extensions/github/edges/gh_bypassbranchprotection) (suppressed by `enforce_admins`).
-- **require_code_owner_reviews**: If `false`, changes to critical paths may not require owner approval.
-- **allows_force_pushes**: Controls whether history rewrites are allowed. Does **not** grant push access — it is not a bypass mechanism.
-- **allows_deletions**: If `true`, branches can be deleted (potentially losing code).
-
-### Secret Exfiltration Mitigation
-
-The only branch protection configuration that blocks the write-access → workflow → secrets exfiltration attack path is `push_restrictions` + `blocks_creations` on a `*` pattern rule. However, users with [GH_PushProtectedBranch](/opengraph/extensions/github/edges/gh_pushprotectedbranch), [GH_AdminTo](/opengraph/extensions/github/edges/gh_adminto), [GH_RestrictionsCanPush](/opengraph/extensions/github/edges/gh_restrictionscanpush), or [GH_EditRepoProtections](/opengraph/extensions/github/edges/gh_editrepoprotections) can bypass this control.
-
-For complete analysis, see [BloodHound Docs: GitHub - Mitigating Controls](/opengraph/extensions/github/mitigating-controls).
-
-### Identifying Bypass Actors
-
-Use these edges to identify users and teams with elevated branch permissions:
-
-- [GH_BypassPullRequestAllowances](/opengraph/extensions/github/edges/gh_bypasspullrequestallowances) — can bypass PR requirements on a specific rule (PR reviews only)
-- [GH_RestrictionsCanPush](/opengraph/extensions/github/edges/gh_restrictionscanpush) — can push despite push restrictions on a specific rule
-- [GH_BypassBranchProtection](/opengraph/extensions/github/edges/gh_bypassbranchprotection) — repo-wide bypass of merge-gate controls (PR reviews + lock branch)
-- [GH_PushProtectedBranch](/opengraph/extensions/github/edges/gh_pushprotectedbranch) — repo-wide bypass of push-gate controls (push restrictions + blocks creations)
-- [GH_EditRepoProtections](/opengraph/extensions/github/edges/gh_editrepoprotections) — can remove/modify protection rules entirely
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_environment.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_environment.mdx
deleted file mode 100644
index b7d8131..0000000
--- a/docs/official-docs/opengraph/extensions/github/nodes/gh_environment.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-title: 'GH_Environment'
-description: 'A GitHub Actions deployment environment with protection rules and deployment branch policies'
-icon: '/images/extensions/github/gh_environment.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents a GitHub Actions deployment environment configured on a repository. Environments can have protection rules including required reviewers, wait timers, and deployment branch policies. When custom branch policies are configured, the environment is connected to specific branches; otherwise, it is connected directly to the repository.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_environmentsecret.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_environmentsecret.mdx
deleted file mode 100644
index 08a6a93..0000000
--- a/docs/official-docs/opengraph/extensions/github/nodes/gh_environmentsecret.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-title: 'GH_EnvironmentSecret'
-description: 'An environment-level GitHub Actions secret scoped to a specific deployment environment'
-icon: '/images/extensions/github/gh_environmentsecret.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents an environment-level GitHub Actions secret. These secrets are scoped to a specific deployment environment and are only available to workflow jobs that reference that environment.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_environmentvariable.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_environmentvariable.mdx
deleted file mode 100644
index e090cfc..0000000
--- a/docs/official-docs/opengraph/extensions/github/nodes/gh_environmentvariable.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-title: 'GH_EnvironmentVariable'
-description: 'An environment-level GitHub Actions variable scoped to a specific deployment environment. Unlike secrets, variable values are readable.'
-icon: '/images/extensions/github/gh_environmentvariable.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents an environment-level GitHub Actions variable. These variables are scoped to a specific deployment environment and are only available to workflow jobs that reference that environment. Unlike secrets, variable values are readable via the API.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_externalidentity.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_externalidentity.mdx
deleted file mode 100644
index 1409778..0000000
--- a/docs/official-docs/opengraph/extensions/github/nodes/gh_externalidentity.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-title: 'GH_ExternalIdentity'
-description: 'An external identity from a SAML/SCIM provider linked to a GitHub user for SSO authentication'
-icon: '/images/extensions/github/gh_externalidentity.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents an external identity from a SAML or SCIM identity provider that is linked to a GitHub user. External identities map corporate user accounts (from providers like Okta, Azure AD, etc.) to GitHub user accounts, enabling single sign-on authentication. Each external identity can have both SAML and SCIM identity attributes.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_organization.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_organization.mdx
deleted file mode 100644
index 56b036b..0000000
--- a/docs/official-docs/opengraph/extensions/github/nodes/gh_organization.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-title: 'GH_Organization'
-description: 'A GitHub Organization—top-level container for repositories, teams, and settings'
-icon: '/images/extensions/github/gh_organization.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents a GitHub organization. This is the root node of the graph and serves as the primary container for all other nodes. Organization-level settings such as default repository permissions, Actions configuration, and security features are captured as properties on this node.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_orgrole.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_orgrole.mdx
deleted file mode 100644
index ccdbedf..0000000
--- a/docs/official-docs/opengraph/extensions/github/nodes/gh_orgrole.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-title: 'GH_OrgRole'
-description: 'The role a user has at the organization level (e.g., admin, member)'
-icon: '/images/extensions/github/gh_orgrole.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents an organization-level role such as Owner, Member, or a custom organization role. Org roles define what permissions a user or team has at the organization level. The Owner and Member roles are default (built-in), while custom roles inherit from a base role and can have additional permissions.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_orgsecret.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_orgsecret.mdx
deleted file mode 100644
index c979f58..0000000
--- a/docs/official-docs/opengraph/extensions/github/nodes/gh_orgsecret.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-title: 'GH_OrgSecret'
-description: 'An organization-level GitHub Actions secret that can be scoped to all, private, or selected repositories'
-icon: '/images/extensions/github/gh_orgsecret.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents an organization-level GitHub Actions secret. Organization secrets can be scoped to all repositories, only private/internal repositories, or a specific set of selected repositories. The visibility property determines how [GH_HasSecret](/opengraph/extensions/github/edges/gh_hassecret) edges are resolved to repository nodes.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_orgvariable.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_orgvariable.mdx
deleted file mode 100644
index 73b1084..0000000
--- a/docs/official-docs/opengraph/extensions/github/nodes/gh_orgvariable.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-title: 'GH_OrgVariable'
-description: 'An organization-level GitHub Actions variable that can be scoped to all, private, or selected repositories. Unlike secrets, variable values are readable.'
-icon: '/images/extensions/github/gh_orgvariable.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents an organization-level GitHub Actions variable. Organization variables can be scoped to all repositories, only private/internal repositories, or a specific set of selected repositories. The visibility property determines how [GH_HasVariable](/opengraph/extensions/github/edges/gh_hasvariable) edges are resolved to repository nodes. Unlike secrets, variable values are readable via the API.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_personalaccesstoken.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_personalaccesstoken.mdx
deleted file mode 100644
index eba69b3..0000000
--- a/docs/official-docs/opengraph/extensions/github/nodes/gh_personalaccesstoken.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-title: 'GH_PersonalAccessToken'
-description: 'A fine-grained personal access token granted access to organization resources'
-icon: '/images/extensions/github/gh_personalaccesstoken.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents a fine-grained personal access token that has been granted access to organization resources. PATs are linked to their owning user, the organization, and the repositories they can access. The permissions granted to the token are captured as a JSON string in the properties.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_personalaccesstokenrequest.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_personalaccesstokenrequest.mdx
deleted file mode 100644
index a2a7615..0000000
--- a/docs/official-docs/opengraph/extensions/github/nodes/gh_personalaccesstokenrequest.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-title: 'GH_PersonalAccessTokenRequest'
-description: 'A pending request from an organization member to access organization resources with a fine-grained personal access token'
-icon: '/images/extensions/github/gh_personalaccesstokenrequest.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents a pending request from an organization member to access organization resources with a fine-grained personal access token. PAT requests are linked to their owning user and the organization. The requested permissions are captured as a JSON string in the properties.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_reporole.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_reporole.mdx
deleted file mode 100644
index 99bbbf5..0000000
--- a/docs/official-docs/opengraph/extensions/github/nodes/gh_reporole.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-title: 'GH_RepoRole'
-description: 'The permission granted to a user or team on a repository (e.g., admin, write, read)'
-icon: '/images/extensions/github/gh_reporole.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents a repository-level permission role. Each repository has five default roles (Read, Write, Admin, Triage, Maintain) plus any custom repository roles defined at the organization level. Repo roles define what actions a user or team can perform on a specific repository. Default roles form an inheritance hierarchy (Triage -> Read, Maintain -> Write, Admin includes all), and custom roles inherit from one of the base roles.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_reposecret.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_reposecret.mdx
deleted file mode 100644
index 270117d..0000000
--- a/docs/official-docs/opengraph/extensions/github/nodes/gh_reposecret.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-title: 'GH_RepoSecret'
-description: 'A repository-level GitHub Actions secret accessible only to workflows in that repository'
-icon: '/images/extensions/github/gh_reposecret.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents a repository-level GitHub Actions secret. These are secrets defined directly on a specific repository and are only accessible to workflows running in that repository.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_repository.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_repository.mdx
deleted file mode 100644
index 333e14e..0000000
--- a/docs/official-docs/opengraph/extensions/github/nodes/gh_repository.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-title: 'GH_Repository'
-description: 'A code repository in an organization, containing files, issues, and other resources'
-icon: '/images/extensions/github/gh_repository.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents a GitHub repository within the organization. Repository nodes capture metadata about the repo including visibility, Actions enablement status, and security configuration. Repository role nodes ([GH_RepoRole](/opengraph/extensions/github/nodes/gh_reporole)) are created alongside each repository to represent the permission levels available.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_repovariable.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_repovariable.mdx
deleted file mode 100644
index 5b14661..0000000
--- a/docs/official-docs/opengraph/extensions/github/nodes/gh_repovariable.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-title: 'GH_RepoVariable'
-description: 'A repository-level GitHub Actions variable accessible only to workflows in that repository. Unlike secrets, variable values are readable.'
-icon: '/images/extensions/github/gh_repovariable.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents a repository-level GitHub Actions variable. These are variables defined directly on a specific repository and are only accessible to workflows running in that repository. Unlike secrets, variable values are readable via the API.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_samlidentityprovider.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_samlidentityprovider.mdx
deleted file mode 100644
index 8c0d8e2..0000000
--- a/docs/official-docs/opengraph/extensions/github/nodes/gh_samlidentityprovider.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-title: 'GH_SamlIdentityProvider'
-description: 'A SAML identity provider configured for the organization, enabling SSO'
-icon: '/images/extensions/github/gh_samlidentityprovider.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents a SAML identity provider configured for the organization. This node captures the SAML SSO configuration details and serves as the parent container for external identity mappings. Through external identities, it enables linking GitHub users to their corporate identities in the identity provider.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_secretscanningalert.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_secretscanningalert.mdx
deleted file mode 100644
index b3084ee..0000000
--- a/docs/official-docs/opengraph/extensions/github/nodes/gh_secretscanningalert.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-title: 'GH_SecretScanningAlert'
-description: 'A GitHub Advanced Security alert indicating a secret was accidentally committed to a repository'
-icon: '/images/extensions/github/gh_secretscanningalert.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents a GitHub secret scanning alert detected in a repository. Secret scanning alerts are raised when GitHub detects a known secret pattern (such as an API key, token, or credential) committed to a repository. The alert captures the secret type, validity status, and current resolution state.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_team.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_team.mdx
deleted file mode 100644
index 161f27a..0000000
--- a/docs/official-docs/opengraph/extensions/github/nodes/gh_team.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-title: 'GH_Team'
-description: 'A team within an organization, grouping users for shared access and collaboration'
-icon: '/images/extensions/github/gh_team.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents a GitHub team within the organization. Teams can have parent-child relationships, contain members with different roles (Member, Maintainer), and be assigned to repository roles.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_teamrole.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_teamrole.mdx
deleted file mode 100644
index 74e1fbd..0000000
--- a/docs/official-docs/opengraph/extensions/github/nodes/gh_teamrole.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-title: 'GH_TeamRole'
-description: 'The role a user has within a team (e.g., maintainer, member)'
-icon: '/images/extensions/github/gh_teamrole.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents a role within a GitHub team. Each team has two built-in roles: Member and Maintainer. Maintainers can add and remove team members. Team roles connect users to teams and transitively to any repository roles assigned to the team.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_user.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_user.mdx
deleted file mode 100644
index 9281e63..0000000
--- a/docs/official-docs/opengraph/extensions/github/nodes/gh_user.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-title: 'GH_User'
-description: 'An individual GitHub user account'
-icon: '/images/extensions/github/gh_user.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents a GitHub user who is a member of the organization. Users are associated with organization roles (Owner or Member) and can be assigned to repository roles and team roles.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_workflow.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_workflow.mdx
deleted file mode 100644
index 1a9b1cf..0000000
--- a/docs/official-docs/opengraph/extensions/github/nodes/gh_workflow.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-title: 'GH_Workflow'
-description: 'A GitHub Actions workflow defined in a repository'
-icon: '/images/extensions/github/gh_workflow.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents a GitHub Actions workflow defined in a repository. Workflow nodes capture the workflow definition metadata including its file path, state, containing repository, and the full YAML contents of the workflow file. Only repositories with GitHub Actions enabled are queried for workflows.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_workflowjob.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_workflowjob.mdx
deleted file mode 100644
index d545bb1..0000000
--- a/docs/official-docs/opengraph/extensions/github/nodes/gh_workflowjob.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-title: 'GH_WorkflowJob'
-description: 'A job within a GitHub Actions workflow, with a runner, permissions, and an ordered list of steps'
-icon: '/images/extensions/github/gh_workflowjob.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents a single job within a GitHub Actions workflow. Jobs are the top-level execution units of a workflow — they run on a runner, hold a set of steps, and can declare permissions, environments, and dependencies on other jobs.
diff --git a/docs/official-docs/opengraph/extensions/github/nodes/gh_workflowstep.mdx b/docs/official-docs/opengraph/extensions/github/nodes/gh_workflowstep.mdx
deleted file mode 100644
index a1da800..0000000
--- a/docs/official-docs/opengraph/extensions/github/nodes/gh_workflowstep.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-title: 'GH_WorkflowStep'
-description: 'A single step within a GitHub Actions job — either a uses: action reference or a run: shell command'
-icon: '/images/extensions/github/gh_workflowstep.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Description
-
-Represents a single step within a GitHub Actions job. A step is either a `uses:` action reference or a `run:` shell command. Steps are the leaf nodes of the workflow execution tree and are the primary location where secrets and variables are consumed.
diff --git a/docs/official-docs/opengraph/extensions/github/privilege-zone-rules.mdx b/docs/official-docs/opengraph/extensions/github/privilege-zone-rules.mdx
deleted file mode 100644
index 900b5a4..0000000
--- a/docs/official-docs/opengraph/extensions/github/privilege-zone-rules.mdx
+++ /dev/null
@@ -1,160 +0,0 @@
----
-title: Privilege Zone Rules
-description: GitHub extension Privilege Zone rules
-icon: "gem"
----
-
-Applies to BloodHound Enterprise and CE
-The following Privilege Zone rules can be imported into BloodHound to group nodes for Cypher query analysis and BloodHound Enterprise finding generation.
-
-This file is automatically generated from the [JSON Privilege Zone rule files](https://github.com/SpecterOps/openhound-github/tree/main/extension/privilege_zone_rules).
-
-
-## Tier Zero All-Repo Admin Role
-
-The synthetic all_repo_admin role grants admin access to every repository in the organization. This role is inherited by the owners role via GH_HasBaseRole and cascades admin permissions including branch protection editing, secret access, and deploy key management to all repositories.
-
-Zone: Tier Zero
-
-```cypher
-MATCH (n:GH_OrgRole)
-WHERE n.name ENDS
-WITH '/all_repo_admin'
-RETURN n
-```
-
-This rule is defined in the [t0-all-repo-admin-role.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/privilege_zone_rules/t0-all-repo-admin-role.json) file.
-
-## Tier Zero App Installations (All Repositories)
-
-GitHub App installations scoped to all repositories in the organization that have at least one write permission. A compromised app credential grants write access to every repository. Installations with only read permissions are excluded — they pose a data exfiltration risk but do not grant control over the organization.
-
-Zone: Tier Zero
-
-```cypher
-MATCH (n:GH_AppInstallation {repository_selection:'all'})
-WHERE n.permissions CONTAINS '"write"'
-RETURN n
-```
-
-This rule is defined in the [t0-app-installations-all-repos.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/privilege_zone_rules/t0-app-installations-all-repos.json) file.
-
-## Tier Zero Apps (All-Repository Installations)
-
-GitHub App definitions whose installations have write access to all repositories.
The app owner controls the private key that can generate tokens for any installation. Compromise of the app's private key grants write access to every repository in organizations where it is installed. Apps whose installations have only read permissions are excluded.
-
-Zone: Tier Zero
-
-```cypher
-MATCH (n:GH_App)-[:GH_InstalledAs]->(i:GH_AppInstallation {repository_selection:'all'})
-WHERE i.permissions CONTAINS '"write"'
-RETURN n
-```
-
-This rule is defined in the [t0-apps-all-repos.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/privilege_zone_rules/t0-apps-all-repos.json) file.
-
-## Tier Zero External Identities (Owner-Mapped)
-
-External identities from SAML/SCIM providers that map to GitHub users holding the owners role. Compromise of these external identities in the identity provider grants organizational owner access to GitHub via SSO.
-
-Zone: Tier Zero
-
-```cypher
-MATCH (n:GH_ExternalIdentity)-[:GH_MapsToUser]->(:GH_User)-[:GH_HasRole]->(:GH_OrgRole {short_name:'owners'})
-RETURN n
-```
-
-This rule is defined in the [t0-external-identities-owners.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/privilege_zone_rules/t0-external-identities-owners.json) file.
-
-## Tier Zero Organizations
-
-GitHub organizations are the root trust boundary for all repositories, teams, users, and settings. Compromise of the organization grants full administrative control over all contained assets.
-
-Zone: Tier Zero
-
-```cypher
-MATCH (n:GH_Organization)
-RETURN n
-```
-
-This rule is defined in the [t0-organizations.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/privilege_zone_rules/t0-organizations.json) file.
-
-## Tier Zero Owner Users
-
-Users who hold the organization owners role have full administrative control over the GitHub organization. Compromise of any owner account grants control over all repositories, secrets, SSO configuration, and cloud identities.
-
-Zone: Tier Zero
-
-```cypher
-MATCH (n:GH_User)-[:GH_HasRole]->(:GH_OrgRole {short_name:'owners'})
-RETURN n
-```
-
-This rule is defined in the [t0-owner-users.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/privilege_zone_rules/t0-owner-users.json) file.
-
-## Tier Zero Owners Role
-
-The owners organization role grants full administrative control including all repository admin, member management, SSO configuration, app management, and billing. Owners inherit all_repo_admin, cascading admin access to every repository, secret, environment, and cloud identity in the organization.
-
-Zone: Tier Zero
-
-```cypher
-MATCH (n:GH_OrgRole {short_name:'owners'})
-RETURN n
-```
-
-This rule is defined in the [t0-owners-role.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/privilege_zone_rules/t0-owners-role.json) file.
-
-## Tier Zero PATs (All Repositories)
-
-Fine-grained personal access tokens scoped to all repositories in the organization that have at least one write permission. A single compromised token grants write access to every repository. PATs with only read permissions are excluded — they pose a data exfiltration risk but do not grant control over the organization.
-
-Zone: Tier Zero
-
-```cypher
-MATCH (n:GH_PersonalAccessToken {repository_selection:'all'})
-WHERE n.permissions CONTAINS '"write"'
-RETURN n
-```
-
-This rule is defined in the [t0-pats-all-repos.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/privilege_zone_rules/t0-pats-all-repos.json) file.
-
-## Tier Zero Privilege Escalation Roles
-
-Custom organization roles with write_organization_custom_org_role permission can modify organization role definitions, including setting the base_role to inherit all_repo_admin. Since this permission only exists on custom organization roles, the holder can escalate the role they already hold — a guaranteed self-escalation path to full organizational control.
-
-Zone: Tier Zero
-
-```cypher
-MATCH (n:GH_OrgRole)-[:GH_WriteOrganizationCustomOrgRole]->(:GH_Organization)
-RETURN n
-```
-
-This rule is defined in the [t0-privilege-escalation-roles.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/privilege_zone_rules/t0-privilege-escalation-roles.json) file.
-
-## Tier Zero Privilege Escalation Users
-
-Users who hold custom organization roles with write_organization_custom_org_role permission. These users can modify organization role definitions — including the role they hold — to set the base_role to all_repo_admin, granting themselves admin access to every repository in the organization.
-
-Zone: Tier Zero
-
-```cypher
-MATCH (n:GH_User)-[:GH_HasRole|GH_HasBaseRole*1..]->(:GH_OrgRole)-[:GH_WriteOrganizationCustomOrgRole]->(:GH_Organization)
-RETURN n
-```
-
-This rule is defined in the [t0-privilege-escalation-users.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/privilege_zone_rules/t0-privilege-escalation-users.json) file.
-
-## Tier Zero SAML Identity Providers
-
-SAML identity providers control authentication for all organization members via SSO. Compromise of the identity provider grants the ability to impersonate any user, including organization owners, by manipulating SAML assertions or resetting credentials.
-
-Zone: Tier Zero
-
-```cypher
-MATCH (n:GH_SamlIdentityProvider)
-RETURN n
-```
-
-This rule is defined in the [t0-saml-identity-providers.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/privilege_zone_rules/t0-saml-identity-providers.json) file.
-
diff --git a/docs/official-docs/opengraph/extensions/github/queries.mdx b/docs/official-docs/opengraph/extensions/github/queries.mdx
deleted file mode 100644
index a9dc114..0000000
--- a/docs/official-docs/opengraph/extensions/github/queries.mdx
+++ /dev/null
@@ -1,695 +0,0 @@
----
-title: Cypher Queries
-description: GitHub extension Cypher queries
-icon: code
----
-
-Applies to BloodHound Enterprise and CE
-The following custom Cypher queries can be imported into BloodHound to enhance visibility.
-
-This file is automatically generated from the [JSON query files](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches).
-
-
-## Actions SHA Pinning Not Required
-
-Finds organizations that do not require SHA pinning for GitHub Actions. Without pinning, actions referenced by tag can be silently replaced with malicious versions.
-
-```cypher
-MATCH (org:GH_Organization {actions_sha_pinning_required: false})
-RETURN org
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [actions-sha-pinning-not-required.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/actions-sha-pinning-not-required.json) file.
-
-## Active Leaked Secrets
-
-Finds secret scanning alerts that are both unresolved and confirmed active. These are valid, usable credentials committed to source code and represent an immediate compromise risk.
-
-```cypher
-MATCH p=(:GH_Repository)-[:GH_Contains]->(alert:GH_SecretScanningAlert {state: 'open', validity: 'active'})
-RETURN p
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [active-leaked-secrets.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/active-leaked-secrets.json) file.
-
-## Advanced Security Disabled for New Repositories
-
-Finds organizations where GitHub Advanced Security is not automatically enabled for new repositories. New repositories will lack code scanning, secret scanning, and other GHAS features.
-
-```cypher
-MATCH (org:GH_Organization {advanced_security_enabled_for_new_repositories: false})
-RETURN org
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [advanced-security-disabled-new-repos.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/advanced-security-disabled-new-repos.json) file.
-
-## All GitHub Actions Allowed
-
-Finds organizations that allow all GitHub Actions to run, including third-party actions from the marketplace. This creates supply chain risk if a malicious or compromised action is used.
-
-```cypher
-MATCH (org:GH_Organization {actions_allowed_actions: 'all'})
-RETURN org
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [all-actions-allowed.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/all-actions-allowed.json) file.
-
-## App Installations with Access to All Repositories
-
-Finds GitHub App installations that have access to every repository in the organization. A compromised app credential would affect all repositories.
-
-```cypher
-MATCH (app:GH_AppInstallation {repository_selection: 'all'})
-RETURN app
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [app-installations-all-repos.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/app-installations-all-repos.json) file.
-
-## Branch Protection Rules - Admins Not Enforced
-
-Finds branch protection rules where administrators can bypass all protections. Admins can push directly, skip reviews, and override status checks on these branches.
-
-```cypher
-MATCH p=(:GH_BranchProtectionRule {enforce_admins: false})-[:GH_ProtectedBy]->(:GH_Branch)
-RETURN p
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [branch-protection-admins-not-enforced.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/branch-protection-admins-not-enforced.json) file.
-
-## Branch Protection Rules - Deletions Allowed
-
-Finds protected branches that can be deleted. Branch deletion can result in loss of code and removal of audit history.
-
-```cypher
-MATCH p=(:GH_BranchProtectionRule {allows_deletions: true})-[:GH_ProtectedBy]->(:GH_Branch)
-RETURN p
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [branch-protection-deletions-allowed.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/branch-protection-deletions-allowed.json) file.
-
-## Branch Protection Rules - Force Pushes Allowed
-
-Finds branches where force pushes are allowed. Force pushes can rewrite commit history, potentially hiding malicious changes or destroying audit trails.
-
-```cypher
-MATCH p=(:GH_BranchProtectionRule {allows_force_pushes: true})-[:GH_ProtectedBy]->(:GH_Branch)
-RETURN p
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [branch-protection-force-pushes.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/branch-protection-force-pushes.json) file.
-
-## Branch Protection Rules - No Code Owner Reviews
-
-Finds branches where code owner reviews are not required. Changes to security-critical paths can be merged without authorization from the designated code owners.
-
-```cypher
-MATCH p=(:GH_BranchProtectionRule {require_code_owner_reviews: false})-[:GH_ProtectedBy]->(:GH_Branch)
-RETURN p
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [branch-protection-no-code-owner-reviews.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/branch-protection-no-code-owner-reviews.json) file.
-
-## Branch Protection Rules - No Pull Request Reviews Required
-
-Finds branches where pull request reviews are not required. Code can be merged directly without peer review, increasing the risk of undetected vulnerabilities or malicious changes.
-
-```cypher
-MATCH p=(:GH_BranchProtectionRule {required_pull_request_reviews: false})-[:GH_ProtectedBy]->(:GH_Branch)
-RETURN p
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [branch-protection-no-pr-reviews.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/branch-protection-no-pr-reviews.json) file.
-
-## Branch Protection Rules - No Status Checks Required
-
-Finds branches where CI/CD status checks are not required before merging. Code with failing tests or security scans can be merged into protected branches.
-
-```cypher
-MATCH p=(:GH_BranchProtectionRule {requires_status_checks: false})-[:GH_ProtectedBy]->(:GH_Branch)
-RETURN p
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [branch-protection-no-status-checks.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/branch-protection-no-status-checks.json) file.
-
-## Branch Protection Rules - Self-Approval Allowed
-
-Finds branches where the author of the last push can approve their own pull request. This allows a single person to both write and approve code changes.
-
-```cypher
-MATCH p=(:GH_BranchProtectionRule {require_last_push_approval: false})-[:GH_ProtectedBy]->(:GH_Branch)
-RETURN p
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [branch-protection-self-approval.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/branch-protection-self-approval.json) file.
-
-## Branch Protection Rules - Stale Reviews Not Dismissed
-
-Finds branches where stale reviews are not dismissed when new commits are pushed. An attacker could get a review approved, then push additional malicious commits that inherit the stale approval.
-
-```cypher
-MATCH p=(:GH_BranchProtectionRule {dismisses_stale_reviews: false})-[:GH_ProtectedBy]->(:GH_Branch)
-RETURN p
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [branch-protection-stale-reviews.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/branch-protection-stale-reviews.json) file.
-
-## Users Who Can Bypass Pull Request Requirements
-
-Finds users and teams that can bypass pull request review requirements on protected branches. These actors can merge code without any reviews.
-
-```cypher
-MATCH p=(actor)-[:GH_BypassPullRequestAllowances]->(rule:GH_BranchProtectionRule)-[:GH_ProtectedBy]->(branch:GH_Branch)
-RETURN p
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [bypass-pr-requirements.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/bypass-pr-requirements.json) file.
-
-## Dangerous Branch Permissions
-
-Identifies users with dangerous branch permissions in a GitHub organization, including bypass allowances on protection rules.
-
-```cypher
-MATCH p=(:GH_User)-[:GH_HasRole|GH_HasBaseRole|GH_MemberOf*1..]->(:GH_RepoRole)-[:GH_PushProtectedBranch|GH_BypassBranchProtection]-(r:GH_Repository)
-MATCH p1=(:GH_User)-[:GH_BypassPullRequestAllowances|GH_RestrictionsCanPush]->(rule:GH_BranchProtectionRule)-[:GH_ProtectedBy]->(b:GH_Branch)
-RETURN p,p1
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [dangerous-branch-perms.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/dangerous-branch-perms.json) file.
-
-## Organizations with default repository permission
-
-Returns organizations that have a default repository permission other than 'none'.
-
-```cypher
-MATCH (o:GH_Organization)
-WHERE o.default_repository_permission <> 'none'
-RETURN o
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [default-repository-permissions.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/default-repository-permissions.json) file.
-
-## [Demo] SSO Round-Trip: Azure/Okta → GitHub → Cloud Identity
-
-The cloud-to-cloud pivot through GitHub: a compromised Azure or Okta identity syncs to a GitHub user via SSO. That GitHub user has write access to repositories configured with OIDC federation to Azure workload identities. The attacker pivots from one cloud identity through GitHub into a completely different Azure identity — crossing cloud boundaries twice in a single attack chain.
-
-```cypher
-MATCH p1=(extUser)-[:SyncedToGHUser]->(ghUser:GH_User)
-MATCH p2=(ghUser)-[:GH_HasRole|GH_HasBaseRole|GH_MemberOf*1..]->(:GH_RepoRole)-[:GH_WriteRepoContents]->(:GH_Repository)-[:GH_CanAssumeIdentity]->(cred:AZFederatedIdentityCredential)
-RETURN p1, p2
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [demo-sso-to-cloud-round-trip.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/demo-sso-to-cloud-round-trip.json) file.
-
-## Dependabot Alerts Disabled for New Repositories
-
-Finds organizations where Dependabot alerts are not enabled for new repositories. Vulnerable dependencies in new repositories will go undetected.
-
-```cypher
-MATCH (org:GH_Organization {dependabot_alerts_enabled_for_new_repositories: false})
-RETURN org
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [dependabot-alerts-disabled-new-repos.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/dependabot-alerts-disabled-new-repos.json) file.
-
-## Dependabot Security Updates Disabled for New Repositories
-
-Finds organizations where Dependabot security update PRs are not enabled for new repositories. Known vulnerable dependencies will not receive automated fix PRs.
-
-```cypher
-MATCH (org:GH_Organization {dependabot_security_updates_enabled_for_new_repositories: false})
-RETURN org
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [dependabot-updates-disabled-new-repos.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/dependabot-updates-disabled-new-repos.json) file.
-
-## Dependency Graph Disabled for New Repositories
-
-Finds organizations where the dependency graph is not enabled for new repositories. Without the dependency graph, transitive dependency vulnerabilities cannot be tracked.
-
-```cypher
-MATCH (org:GH_Organization {dependency_graph_enabled_for_new_repositories: false})
-RETURN org
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [dependency-graph-disabled-new-repos.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/dependency-graph-disabled-new-repos.json) file.
-
-## Environments Where Admins Can Bypass Protections
-
-Finds deployment environments where administrators can bypass protection rules such as required reviewers and wait timers. Admins can deploy to these environments without any approval.
-
-```cypher
-MATCH p=(:GH_Repository)-[:GH_HasEnvironment]->(env:GH_Environment {can_admins_bypass: true})
-RETURN p
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [environments-admin-bypass.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/environments-admin-bypass.json) file.
-
-## Expired Personal Access Tokens
-
-Finds expired personal access tokens that still exist. Expired tokens should be cleaned up to reduce credential inventory and audit noise.
-
-```cypher
-MATCH p=(:GH_User)-[:GH_HasPersonalAccessToken]->(token:GH_PersonalAccessToken {token_expired: true})
-RETURN p
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [expired-pats.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/expired-pats.json) file.
-
-## External Identities Without SCIM Provisioning
-
-Finds external identities that lack SCIM synchronization. Without SCIM, user deprovisioning in the identity provider will not automatically revoke GitHub access.
-
-```cypher
-MATCH (ei:GH_ExternalIdentity)
-WHERE ei.scim_identity_username = ''
-RETURN ei
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [external-identities-without-scim.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/external-identities-without-scim.json) file.
-
-## GitHub-to-Azure Identity Assumptions
-
-Finds GitHub entities (repositories, branches, environments) that can assume Azure identities via OIDC federation. Verify that each trust relationship is intentional and scoped appropriately.
-
-```cypher
-MATCH p=(src)-[:GH_CanAssumeIdentity]->(cred:AZFederatedIdentityCredential)
-RETURN p
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [github-to-azure-identity.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/github-to-azure-identity.json) file.
-
-## Global Repo Permissions
-
-Returns all users who hold a global repository permission role (i.e., roles that are not default).
-
-```cypher
-MATCH p=(:GH_User)-[:GH_HasBaseRole|GH_HasRole|GH_MemberOf*1..3]->(role:GH_OrgRole)
-WHERE role.short_name CONTAINS 'all_repo_'
-RETURN p
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [global-repo-perms.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/global-repo-perms.json) file.
-
-## External Identities
-
-Returns all external identities (e.g., Azure or Okta users) that are associated with GitHub users.
-
-```cypher
-MATCH p=(s)-[]->(d:GH_User)
-WHERE s:AZUser
-OR s:Okta_User
-RETURN p
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [hybrid-identities.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/hybrid-identities.json) file.
-
-## Members Can Change Repository Visibility
-
-Finds organizations where members can change repository visibility. This allows any member to make a private repository public, potentially exposing source code and secrets.
-
-```cypher
-MATCH (org:GH_Organization {members_can_change_repo_visibility: true})
-RETURN org
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [members-can-change-repo-visibility.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/members-can-change-repo-visibility.json) file.
-
-## Members Can Create GitHub Pages
-
-Finds organizations where members can create GitHub Pages sites. Pages can be used to host phishing content, data exfiltration endpoints, or other malicious resources.
-
-```cypher
-MATCH (org:GH_Organization {members_can_create_pages: true})
-RETURN org
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [members-can-create-pages.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/members-can-create-pages.json) file.
-
-## Members Can Create Public Repositories
-
-Finds organizations where members can create internet-facing public repositories. This increases the risk of accidental exposure of proprietary code or secrets.
-
-```cypher
-MATCH (org:GH_Organization {members_can_create_public_repositories: true})
-RETURN org
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [members-can-create-public-repos.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/members-can-create-public-repos.json) file.
-
-## Members Can Delete Repositories
-
-Finds organizations where members can delete repositories. This poses a risk of accidental or malicious destruction of code and audit history.
-
-```cypher
-MATCH (org:GH_Organization {members_can_delete_repositories: true})
-RETURN org
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [members-can-delete-repos.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/members-can-delete-repos.json) file.
-
-## Members Can Fork Private Repositories
-
-Finds organizations where members can fork private repositories to personal accounts. Forked copies leave organizational control and oversight.
-
-```cypher
-MATCH (org:GH_Organization {members_can_fork_private_repositories: true})
-RETURN org
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [members-can-fork-private-repos.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/members-can-fork-private-repos.json) file.
-
-## Members Can Invite Outside Collaborators
-
-Finds organizations where any member can invite external users. This can lead to unauthorized third-party access to repositories without centralized oversight.
-
-```cypher
-MATCH (org:GH_Organization {members_can_invite_outside_collaborators: true})
-RETURN org
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [members-can-invite-outside-collaborators.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/members-can-invite-outside-collaborators.json) file.
-
-## Organization Owners
-
-Returns all users who hold the organization owners role.
-
-```cypher
-MATCH p=(:GH_User)-[:GH_HasRole]->(:GH_OrgRole {short_name:'owners'})
-RETURN p
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [org-owners.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/org-owners.json) file.
-
-## Organizations without 2FA
-
-Returns organizations that do not require two-factor authentication.
-
-```cypher
-MATCH (o:GH_Organization)
-WHERE o.two_factor_requirement_enabled = false
-RETURN o
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [orgs-without-2fa.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/orgs-without-2fa.json) file.
-
-## PATs with Access to All Repositories
-
-Finds fine-grained personal access tokens scoped to all repositories. A single compromised token grants access to every repository in the organization.
-
-```cypher
-MATCH p=(:GH_User)-[:GH_HasPersonalAccessToken]->(token:GH_PersonalAccessToken {repository_selection: 'all'})
-RETURN p
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [pats-all-repo-access.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/pats-all-repo-access.json) file.
-
-## Pending PAT Requests
-
-Finds pending fine-grained personal access token requests awaiting approval. Review these to ensure requested permissions are appropriate before granting access.
-
-```cypher
-MATCH p=(:GH_User)-[:GH_HasPersonalAccessTokenRequest]->(req:GH_PersonalAccessTokenRequest)
-RETURN p
-LIMIT 1000
-```
-
-This query can be imported into BloodHound from the [pending-pat-requests.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/pending-pat-requests.json) file.
-
-## Private Repositories with Forking Allowed
-
-Finds private repositories that allow forking.
Forked copies of private repositories can leave organizational governance and visibility. - -```cypher -MATCH (repo:GH_Repository {visibility: 'private', allow_forking: true}) -RETURN repo -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [private-repos-forking-allowed.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/private-repos-forking-allowed.json) file. - -## Privileged Custom Org Roles - -Returns all custom organization roles that are privileged (i.e., have permissions that are not default) - -```cypher -MATCH p=(role:GH_OrgRole {type:'custom'})-[r]->(dest) -WHERE dest:GH_Organization -OR dest:GH_OrgRole -RETURN p -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [privileged-custom-org-roles.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/privileged-custom-org-roles.json) file. - -## Privileged Hybrid Identities - -Returns all hybrid identities (e.g., Azure or Okta users) that are associated with GitHub users who hold the organization owners role. - -```cypher -MATCH p=()-[:GH_SyncedTo]->(:GH_User)-[:GH_HasRole]->(:GH_OrgRole {short_name:'owners'}) -RETURN p -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [privileged-hybrid-identities.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/privileged-hybrid-identities.json) file. - -## Public Repositories - -Returns all public repositories. - -```cypher -MATCH (repo:GH_Repository {private: false}) -RETURN repo -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [public-repos.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/public-repos.json) file. - -## Secret Scanning Push Protection Disabled for New Repositories - -Finds organizations where push protection is not enabled for new repositories. 
Without push protection, secrets can be committed without being blocked before they reach the repository. - -```cypher -MATCH (org:GH_Organization {secret_scanning_push_protection_enabled_for_new_repositories: false}) -RETURN org -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [push-protection-disabled-new-repos.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/push-protection-disabled-new-repos.json) file. - -## Users Who Can Push to Protected Branches - -Finds users and teams that are allowed to push directly to protected branches when push restrictions are enabled. These actors bypass the normal pull request workflow. - -```cypher -MATCH p=(actor)-[:GH_RestrictionsCanPush]->(rule:GH_BranchProtectionRule)-[:GH_ProtectedBy]->(branch:GH_Branch) -RETURN p -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [push-to-protected-branches.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/push-to-protected-branches.json) file. - -## Repositories with Secret Scanning Disabled - -Finds repositories where secret scanning is disabled. Committed credentials in these repositories will not be detected by GitHub. - -```cypher -MATCH (repo:GH_Repository {secret_scanning: 'disabled'}) -RETURN repo -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [repos-secret-scanning-disabled.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/repos-secret-scanning-disabled.json) file. - -## Repos Vulnerable to Workflow Secret Exfiltration - -Secrets reachable by users who can create new branches. The GH_CanCreateBranch edge accounts for branch protection rules, push restrictions, blocks_creations settings, and all bypass mechanisms (admin, push_protected_branch, pushAllowances). 
Edges emit from RepoRole in the common case; per-actor edges from User/Team are only present when per-rule allowances grant additional access beyond the role. - -```cypher -MATCH p1=(:GH_User)-[:GH_HasRole|GH_HasBaseRole|GH_MemberOf*1..]->(:GH_RepoRole)-[:GH_CanCreateBranch]->(repo:GH_Repository)-[:GH_HasSecret]->(s) -WHERE (s:GH_RepoSecret -OR s:GH_OrgSecret) -OPTIONAL MATCH p2=(repo)<-[:GH_CanCreateBranch]-(:GH_User) -OPTIONAL MATCH p3=(repo)<-[:GH_CanCreateBranch]-(:GH_Team)<-[:GH_HasRole|GH_MemberOf|GH_AddMember*1..]-(:GH_User) -RETURN p1, p2, p3 -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [repos-vulnerable-to-workflow-secret-exfil.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/repos-vulnerable-to-workflow-secret-exfil.json) file. - -## Repository Workflows - -Returns all repository workflows - -```cypher -MATCH p=(:GH_Repository)-[:GH_HasWorkflow]->(:GH_Workflow) -RETURN p -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [repository-workflows.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/repository-workflows.json) file. - -## SAML Configuration Mapping - -Finds SAML Identity Providers, their external identities, and mapped users. - -```cypher -MATCH p=(OIP:GH_SamlIdentityProvider)-[:GH_HasExternalIdentity]->(EI:GH_ExternalIdentity) -MATCH p1=(OIP)<-[:GH_HasSamlIdentityProvider]-(:GH_Organization) -MATCH p2=(EI)-[:GH_MapsToUser]->() -RETURN p,p1,p2 -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [saml-configuration.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/saml-configuration.json) file. - -## Secret Scanning Alerts - -Returns all repositories that have secret scanning alerts. 
- -```cypher -MATCH p=(repo:GH_Repository)-[:GH_Contains]->(:GH_SecretScanningAlert {state:'open'}) -RETURN p -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [secret-scanning-alerts.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/secret-scanning-alerts.json) file. - -## Secret Scanning Disabled for New Repositories - -Finds organizations where secret scanning is not automatically enabled for new repositories. New repositories will not detect committed credentials until manually enabled. - -```cypher -MATCH (org:GH_Organization {secret_scanning_enabled_for_new_repositories: false}) -RETURN org -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [secret-scanning-disabled-new-repos.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/secret-scanning-disabled-new-repos.json) file. - -## Secrets Reachable by User - -Returns all repo and org secrets reachable by users through write access. Users with write access can create GitHub Actions workflows to access secrets. - -```cypher -MATCH p=(:GH_User)-[:GH_HasRole|GH_HasBaseRole|GH_MemberOf*1..]->(:GH_RepoRole)-[:GH_WriteRepoContents]->(:GH_Repository)-[:GH_HasSecret]->(s) -WHERE s:GH_RepoSecret -OR s:GH_OrgSecret -RETURN p -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [secrets-reachable-by-user.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/secrets-reachable-by-user.json) file. - -## Team Membership Admins - -Returns all users who hold the maintainer role over a team, this also represents team nesting. 
- -```cypher -MATCH p=(:GH_User)-[:GH_HasRole]->(:GH_TeamRole)-[:GH_AddMember]->(team:GH_Team) -MATCH p1=(team)<-[:GH_MemberOf]-(:GH_Team)<-[:GH_AddMember]-(:GH_TeamRole)<-[:GH_HasRole]-(:GH_User) -RETURN p,p1 -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [team-membership-admin.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/team-membership-admin.json) file. - -## Team Structure - -Returns the structure of teams within organizations, including team roles and their members. - -```cypher -MATCH p=(:GH_User)-[:GH_HasRole]->(:GH_TeamRole)-[:GH_MemberOf*1..]->(:GH_Team) -RETURN p -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [team-structure.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/team-structure.json) file. - -## Unprotected Branches - -Returns all unprotected branches in repositories. - -```cypher -MATCH p=(repo:GH_Repository)-[:GH_HasBranch]-(:GH_Branch {protected: false}) -RETURN p -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [unprotected-branches.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/unprotected-branches.json) file. - -## Repositories with Workflows and Unprotected Default Branch - -Returns all repositories that have GitHub Actions workflows and an unprotected default branch. This means that users with GH_WriteRepoContents to the Repository can overwrite or change the workflow. - -```cypher -MATCH p=(repo:GH_Repository)-[:GH_HasWorkflow]->(:GH_Workflow) -MATCH p1=(repo)-[:GH_HasBranch]->(branch:GH_Branch) -WHERE repo.default_branch = branch.short_name -AND branch.protected = false -RETURN p1 -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [unprotected-default-branch-with-workflow.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/unprotected-default-branch-with-workflow.json) file. 
- -## Unprotected Default Branches - -Returns all default branches in repositories that are not protected. - -```cypher -MATCH p=(repo:GH_Repository)-[:GH_HasBranch]-(branch:GH_Branch {protected: false}) -WHERE repo.default_branch = branch.short_name -RETURN p -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [unprotected-default-branches.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/unprotected-default-branches.json) file. - -## Web Commit Signoff Not Required - -Finds organizations that do not require sign-off for web-based commits. Without signoff, commit attribution cannot be verified. - -```cypher -MATCH (org:GH_Organization {web_commit_signoff_required: false}) -RETURN org -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [web-commit-signoff-not-required.json](https://github.com/SpecterOps/openhound-github/tree/main/extension/saved_searches/web-commit-signoff-not-required.json) file. - diff --git a/docs/official-docs/opengraph/extensions/github/schema.mdx b/docs/official-docs/opengraph/extensions/github/schema.mdx deleted file mode 100644 index 8c13358..0000000 --- a/docs/official-docs/opengraph/extensions/github/schema.mdx +++ /dev/null @@ -1,169 +0,0 @@ ---- -title: Schema -description: GitHub extension schema definition -icon: circle-nodes ---- - -Applies to BloodHound Enterprise and CE -## Metadata - -**Name:** SOGitHub
-**Display Name:** GitHub Extension (by SpecterOps)
-**Version:** v1.2.2
-**Namespace:** GH
-**Environment Kind:** GH_Organization
-**Source Kind:** GitHub - - -This file is automatically generated from the [extension schema definition file](https://github.com/SpecterOps/openhound-github/blob/main/extension/schema.json). - - -## Nodes - -| Icon | Node Kind | Display Name | -|------|-----------|--------------| -| ![GH_App](/images/extensions/github/gh_app.png) | [GH_App](/opengraph/extensions/github/nodes/gh_app) | GitHub App | -| ![GH_AppInstallation](/images/extensions/github/gh_appinstallation.png) | [GH_AppInstallation](/opengraph/extensions/github/nodes/gh_appinstallation) | GitHub App Installation | -| ![GH_Branch](/images/extensions/github/gh_branch.png) | [GH_Branch](/opengraph/extensions/github/nodes/gh_branch) | GitHub Branch | -| ![GH_BranchProtectionRule](/images/extensions/github/gh_branchprotectionrule.png) | [GH_BranchProtectionRule](/opengraph/extensions/github/nodes/gh_branchprotectionrule) | GitHub Branch Protection Rule | -| ![GH_Environment](/images/extensions/github/gh_environment.png) | [GH_Environment](/opengraph/extensions/github/nodes/gh_environment) | GitHub Environment | -| ![GH_EnvironmentSecret](/images/extensions/github/gh_environmentsecret.png) | [GH_EnvironmentSecret](/opengraph/extensions/github/nodes/gh_environmentsecret) | GitHub Environment Secret | -| ![GH_EnvironmentVariable](/images/extensions/github/gh_environmentvariable.png) | [GH_EnvironmentVariable](/opengraph/extensions/github/nodes/gh_environmentvariable) | GitHub Environment Variable | -| ![GH_ExternalIdentity](/images/extensions/github/gh_externalidentity.png) | [GH_ExternalIdentity](/opengraph/extensions/github/nodes/gh_externalidentity) | GitHub External Identity | -| ![GH_Organization](/images/extensions/github/gh_organization.png) | [GH_Organization](/opengraph/extensions/github/nodes/gh_organization) | GitHub Organization | -| ![GH_OrgRole](/images/extensions/github/gh_orgrole.png) | [GH_OrgRole](/opengraph/extensions/github/nodes/gh_orgrole) | GitHub Org Role | -| 
![GH_OrgSecret](/images/extensions/github/gh_orgsecret.png) | [GH_OrgSecret](/opengraph/extensions/github/nodes/gh_orgsecret) | GitHub Org Secret | -| ![GH_OrgVariable](/images/extensions/github/gh_orgvariable.png) | [GH_OrgVariable](/opengraph/extensions/github/nodes/gh_orgvariable) | GitHub Org Variable | -| ![GH_PersonalAccessToken](/images/extensions/github/gh_personalaccesstoken.png) | [GH_PersonalAccessToken](/opengraph/extensions/github/nodes/gh_personalaccesstoken) | GitHub Personal Access Token | -| ![GH_PersonalAccessTokenRequest](/images/extensions/github/gh_personalaccesstokenrequest.png) | [GH_PersonalAccessTokenRequest](/opengraph/extensions/github/nodes/gh_personalaccesstokenrequest) | GitHub Personal Access Token Request | -| ![GH_RepoRole](/images/extensions/github/gh_reporole.png) | [GH_RepoRole](/opengraph/extensions/github/nodes/gh_reporole) | GitHub Repo Role | -| ![GH_RepoSecret](/images/extensions/github/gh_reposecret.png) | [GH_RepoSecret](/opengraph/extensions/github/nodes/gh_reposecret) | GitHub Repo Secret | -| ![GH_Repository](/images/extensions/github/gh_repository.png) | [GH_Repository](/opengraph/extensions/github/nodes/gh_repository) | GitHub Repository | -| ![GH_RepoVariable](/images/extensions/github/gh_repovariable.png) | [GH_RepoVariable](/opengraph/extensions/github/nodes/gh_repovariable) | GitHub Repo Variable | -| ![GH_SamlIdentityProvider](/images/extensions/github/gh_samlidentityprovider.png) | [GH_SamlIdentityProvider](/opengraph/extensions/github/nodes/gh_samlidentityprovider) | GitHub SAML Identity Provider | -| ![GH_SecretScanningAlert](/images/extensions/github/gh_secretscanningalert.png) | [GH_SecretScanningAlert](/opengraph/extensions/github/nodes/gh_secretscanningalert) | GitHub Secret Scanning Alert | -| ![GH_Team](/images/extensions/github/gh_team.png) | [GH_Team](/opengraph/extensions/github/nodes/gh_team) | GitHub Team | -| ![GH_TeamRole](/images/extensions/github/gh_teamrole.png) | 
[GH_TeamRole](/opengraph/extensions/github/nodes/gh_teamrole) | GitHub Team Role | -| ![GH_User](/images/extensions/github/gh_user.png) | [GH_User](/opengraph/extensions/github/nodes/gh_user) | GitHub User | -| ![GH_Workflow](/images/extensions/github/gh_workflow.png) | [GH_Workflow](/opengraph/extensions/github/nodes/gh_workflow) | GitHub Workflow | -| ![GH_WorkflowJob](/images/extensions/github/gh_workflowjob.png) | [GH_WorkflowJob](/opengraph/extensions/github/nodes/gh_workflowjob) | GitHub Workflow Job | -| ![GH_WorkflowStep](/images/extensions/github/gh_workflowstep.png) | [GH_WorkflowStep](/opengraph/extensions/github/nodes/gh_workflowstep) | GitHub Workflow Step | - -## Edges - -| Relationship Kind | Traversable | Description | -|-------------------|:-----------:|-------------| -| [GH_AddAssignee](/opengraph/extensions/github/edges/gh_addassignee) | ❌ | [Repository] Repo role can assign users to issues and pull requests | -| [GH_AddCollaborator](/opengraph/extensions/github/edges/gh_addcollaborator) | ❌ | [Organization] Org role can add outside collaborators | -| [GH_AddLabel](/opengraph/extensions/github/edges/gh_addlabel) | ❌ | [Repository] Repo role can add labels to issues and pull requests | -| [GH_AddMember](/opengraph/extensions/github/edges/gh_addmember) | ✅ | Team role can add members to the team (maintainer privilege) | -| [GH_AdminTo](/opengraph/extensions/github/edges/gh_adminto) | ❌ | [Repository] Repo role has admin access to the repository. | -| [GH_BypassBranchProtection](/opengraph/extensions/github/edges/gh_bypassbranchprotection) | ❌ | [Repository] Repo role can bypass merge-gate branch protections (PR reviews, lock branch). Suppressed by enforce_admins. 
| -| [GH_BypassPullRequestAllowances](/opengraph/extensions/github/edges/gh_bypasspullrequestallowances) | ❌ | User or team can bypass pull request requirements on a branch protection rule | -| [GH_CallsWorkflow](/opengraph/extensions/github/edges/gh_callsworkflow) | ❌ | [Workflow] Job calls a reusable workflow — GH_WorkflowJob → GH_Workflow | -| [GH_CanAccess](/opengraph/extensions/github/edges/gh_canaccess) | ❌ | Personal access token or app installation can access this repository or organization | -| [GH_CanAssumeIdentity](/opengraph/extensions/github/edges/gh_canassumeidentity) | ✅ | Repository can assume this cloud identity via OIDC federation (Azure workload identity or AWS IAM role) | -| [GH_CanCreateBranch](/opengraph/extensions/github/edges/gh_cancreatebranch) | ✅ | [Repository - Computed] Role can create new branches in this repository (unprotected branches that bypass the merge gate) | -| [GH_CanEditProtection](/opengraph/extensions/github/edges/gh_caneditprotection) | ✅ | [Repository - Computed] Repo role can modify or remove the branch protection rules governing this branch (computed from GH_EditRepoProtections + GH_ProtectedBy) | -| [GH_CanPwnRequest](/opengraph/extensions/github/edges/gh_canpwnrequest) | ✅ | [Computed] Repo role can exploit a pwn-requestable workflow to execute arbitrary code with the target's secrets and permissions — GH_RepoRole → GH_Repository / GH_Branch | -| [GH_CanReadSecretScanningAlert](/opengraph/extensions/github/edges/gh_canreadsecretscanningalert) | ✅ | [Computed] Role can read secret scanning alerts (computed from GH_ViewSecretScanningAlerts permission + GH_Contains) | -| [GH_CanWriteBranch](/opengraph/extensions/github/edges/gh_canwritebranch) | ✅ | [Repository - Computed] Role can push to this branch after evaluating branch protection rules, push restrictions, and bypass allowances | -| [GH_CloseDiscussion](/opengraph/extensions/github/edges/gh_closediscussion) | ❌ | [Repository] Repo role can close discussions | -| 
[GH_CloseIssue](/opengraph/extensions/github/edges/gh_closeissue) | ❌ | [Repository] Repo role can close issues | -| [GH_ClosePullRequest](/opengraph/extensions/github/edges/gh_closepullrequest) | ❌ | [Repository] Repo role can close pull requests | -| [GH_Contains](/opengraph/extensions/github/edges/gh_contains) | ❌ | Container relationship for organizational hierarchy (org contains secrets/variables, repo contains secrets/variables, environment contains secrets/variables) | -| [GH_ConvertIssuesToDiscussions](/opengraph/extensions/github/edges/gh_convertissuestodiscussions) | ❌ | [Repository] Repo role can convert issues to discussions | -| [GH_CreateDiscussionCategory](/opengraph/extensions/github/edges/gh_creatediscussioncategory) | ❌ | [Repository] Repo role can create discussion categories | -| [GH_CreateRepository](/opengraph/extensions/github/edges/gh_createrepository) | ❌ | [Organization] Org role can create repositories in the organization | -| [GH_CreateSoloMergeQueueEntry](/opengraph/extensions/github/edges/gh_createsolomergequeueentry) | ❌ | Repo role can create solo merge queue entries | -| [GH_CreateTag](/opengraph/extensions/github/edges/gh_createtag) | ❌ | [Repository] Repo role can create tags and releases | -| [GH_CreateTeam](/opengraph/extensions/github/edges/gh_createteam) | ❌ | [Organization] Org role can create teams in the organization | -| [GH_DeleteAlertsCodeScanning](/opengraph/extensions/github/edges/gh_deletealertscodescanning) | ❌ | [Repository] Repo role can delete code scanning alerts | -| [GH_DeleteDiscussion](/opengraph/extensions/github/edges/gh_deletediscussion) | ❌ | [Repository] Repo role can delete discussions | -| [GH_DeleteDiscussionComment](/opengraph/extensions/github/edges/gh_deletediscussioncomment) | ❌ | [Repository] Repo role can delete discussion comments | -| [GH_DeleteIssue](/opengraph/extensions/github/edges/gh_deleteissue) | ❌ | [Repository] Repo role can delete issues | -| 
[GH_DeleteTag](/opengraph/extensions/github/edges/gh_deletetag) | ❌ | [Repository] Repo role can delete tags and releases | -| [GH_DependsOn](/opengraph/extensions/github/edges/gh_dependson) | ❌ | [Workflow] Job must run after another job (needs: dependency) — ordering only, not an access path | -| [GH_DeploysTo](/opengraph/extensions/github/edges/gh_deploysto) | ❌ | [Workflow] Job deploys to a GitHub Environment — GH_WorkflowJob → GH_Environment | -| [GH_EditCategoryOnDiscussion](/opengraph/extensions/github/edges/gh_editcategoryondiscussion) | ❌ | [Repository] Repo role can change the category of a discussion | -| [GH_EditDiscussionCategory](/opengraph/extensions/github/edges/gh_editdiscussioncategory) | ❌ | [Repository] Repo role can edit discussion categories | -| [GH_EditDiscussionComment](/opengraph/extensions/github/edges/gh_editdiscussioncomment) | ❌ | [Repository] Repo role can edit discussion comments | -| [GH_EditRepoAnnouncementBanners](/opengraph/extensions/github/edges/gh_editrepoannouncementbanners) | ❌ | [Repository] Repo role can edit repository announcement banners | -| [GH_EditRepoCustomPropertiesValues](/opengraph/extensions/github/edges/gh_editrepocustompropertiesvalues) | ❌ | [Repository] Repo role can edit custom property values on the repository | -| [GH_EditRepoMetadata](/opengraph/extensions/github/edges/gh_editrepometadata) | ❌ | [Repository] Repo role can edit repository metadata | -| [GH_EditRepoProtections](/opengraph/extensions/github/edges/gh_editrepoprotections) | ❌ | Repo role can edit branch protection rules | -| [GH_HasBaseRole](/opengraph/extensions/github/edges/gh_hasbaserole) | ✅ | Role inherits permissions from another role | -| [GH_HasBranch](/opengraph/extensions/github/edges/gh_hasbranch) | ❌ | Repository has this branch | -| [GH_HasEnvironment](/opengraph/extensions/github/edges/gh_hasenvironment) | ❌ | Repository or branch has/can deploy to this environment | -| 
[GH_HasExternalIdentity](/opengraph/extensions/github/edges/gh_hasexternalidentity) | ❌ | SAML identity provider has this external identity | -| [GH_HasJob](/opengraph/extensions/github/edges/gh_hasjob) | ❌ | [Workflow] Workflow contains this job — GH_Workflow → GH_WorkflowJob | -| [GH_HasMember](/opengraph/extensions/github/edges/gh_hasmember) | ❌ | Enterprise or organization has this user as a member | -| [GH_HasPersonalAccessToken](/opengraph/extensions/github/edges/gh_haspersonalaccesstoken) | ❌ | User owns this personal access token that has been granted access to the organization | -| [GH_HasPersonalAccessTokenRequest](/opengraph/extensions/github/edges/gh_haspersonalaccesstokenrequest) | ❌ | User has a pending personal access token request for the organization | -| [GH_HasRole](/opengraph/extensions/github/edges/gh_hasrole) | ✅ | User or team has a role assignment (org role, team role, or repo role) | -| [GH_HasSamlIdentityProvider](/opengraph/extensions/github/edges/gh_hassamlidentityprovider) | ❌ | Organization has this SAML identity provider configured | -| [GH_HasSecret](/opengraph/extensions/github/edges/gh_hassecret) | ✅ | Repository or environment has access to this secret | -| [GH_HasStep](/opengraph/extensions/github/edges/gh_hasstep) | ❌ | [Workflow] Job contains this step — GH_WorkflowJob → GH_WorkflowStep | -| [GH_HasVariable](/opengraph/extensions/github/edges/gh_hasvariable) | ✅ | Repository has access to this variable (org-level or repo-level) | -| [GH_HasWorkflow](/opengraph/extensions/github/edges/gh_hasworkflow) | ❌ | Repository has this workflow | -| [GH_InstalledAs](/opengraph/extensions/github/edges/gh_installedas) | ✅ | GitHub App is installed as this app installation on an organization | -| [GH_InviteMember](/opengraph/extensions/github/edges/gh_invitemember) | ❌ | [Organization] Org role can invite members to the organization | -| [GH_JumpMergeQueue](/opengraph/extensions/github/edges/gh_jumpmergequeue) | ❌ | Repo role can jump the 
merge queue | -| [GH_ManageDeployKeys](/opengraph/extensions/github/edges/gh_managedeploykeys) | ❌ | [Repository] Repo role can manage deploy keys | -| [GH_ManageDiscussionBadges](/opengraph/extensions/github/edges/gh_managediscussionbadges) | ❌ | [Repository] Repo role can manage discussion badges | -| [GH_ManageOrganizationWebhooks](/opengraph/extensions/github/edges/gh_manageorganizationwebhooks) | ❌ | [Organization] Org role can manage organization webhooks | -| [GH_ManageRepoSecurityProducts](/opengraph/extensions/github/edges/gh_managereposecurityproducts) | ❌ | Repo role can manage repo-level security products | -| [GH_ManageSecurityProducts](/opengraph/extensions/github/edges/gh_managesecurityproducts) | ❌ | Repo role can manage security products | -| [GH_ManageSettingsMergeTypes](/opengraph/extensions/github/edges/gh_managesettingsmergetypes) | ❌ | [Repository] Repo role can manage allowed merge types | -| [GH_ManageSettingsPages](/opengraph/extensions/github/edges/gh_managesettingspages) | ❌ | [Repository] Repo role can manage GitHub Pages settings | -| [GH_ManageSettingsProjects](/opengraph/extensions/github/edges/gh_managesettingsprojects) | ❌ | [Repository] Repo role can manage project settings | -| [GH_ManageSettingsWiki](/opengraph/extensions/github/edges/gh_managesettingswiki) | ❌ | [Repository] Repo role can manage wiki settings | -| [GH_ManageTopics](/opengraph/extensions/github/edges/gh_managetopics) | ❌ | [Repository] Repo role can manage repository topics | -| [GH_ManageWebhooks](/opengraph/extensions/github/edges/gh_managewebhooks) | ❌ | [Repository] Repo role can manage repository webhooks | -| [GH_MapsToUser](/opengraph/extensions/github/edges/gh_mapstouser) | ❌ | External identity maps to a GitHub user or identity provider user | -| [GH_MarkAsDuplicate](/opengraph/extensions/github/edges/gh_markasduplicate) | ❌ | [Repository] Repo role can mark issues or pull requests as duplicates | -| 
[GH_MemberOf](/opengraph/extensions/github/edges/gh_memberof) | ✅ | Team role is a member of a team, or team is a nested member of a parent team | -| [GH_OrgBypassCodeScanningDismissalRequests](/opengraph/extensions/github/edges/gh_orgbypasscodescanningdismissalrequests) | ❌ | [Organization] Org role can bypass code scanning dismissal requests | -| [GH_OrgBypassSecretScanningClosureRequests](/opengraph/extensions/github/edges/gh_orgbypasssecretscanningclosurerequests) | ❌ | [Organization] Org role can bypass secret scanning closure requests | -| [GH_OrgReviewAndManageSecretScanningBypassRequests](/opengraph/extensions/github/edges/gh_orgreviewandmanagesecretscanningbypassrequests) | ❌ | [Organization] Org role can review and manage secret scanning bypass requests | -| [GH_OrgReviewAndManageSecretScanningClosureRequests](/opengraph/extensions/github/edges/gh_orgreviewandmanagesecretscanningclosurerequests) | ❌ | [Organization] Org role can review and manage secret scanning closure requests | -| [GH_Owns](/opengraph/extensions/github/edges/gh_owns) | ✅ | Organization owns a repository | -| [GH_ProtectedBy](/opengraph/extensions/github/edges/gh_protectedby) | ❌ | Branch protection rule protects this branch | -| [GH_PushProtectedBranch](/opengraph/extensions/github/edges/gh_pushprotectedbranch) | ❌ | [Repository] Repo role can push to branches with push restrictions. Not affected by enforce_admins. 
| -| [GH_ReadCodeScanning](/opengraph/extensions/github/edges/gh_readcodescanning) | ❌ | [Repository] Repo role can read code scanning results | -| [GH_ReadOrganizationActionsUsageMetrics](/opengraph/extensions/github/edges/gh_readorganizationactionsusagemetrics) | ❌ | [Organization] Org role can read Actions usage metrics | -| [GH_ReadOrganizationCustomOrgRole](/opengraph/extensions/github/edges/gh_readorganizationcustomorgrole) | ❌ | [Organization] Org role can read custom org role definitions | -| [GH_ReadOrganizationCustomRepoRole](/opengraph/extensions/github/edges/gh_readorganizationcustomreporole) | ❌ | [Organization] Org role can read custom repo role definitions | -| [GH_ReadRepoContents](/opengraph/extensions/github/edges/gh_readrepocontents) | ❌ | [Repository] Repo role can read repository contents | -| [GH_RemoveAssignee](/opengraph/extensions/github/edges/gh_removeassignee) | ❌ | [Repository] Repo role can remove assignees from issues and pull requests | -| [GH_RemoveLabel](/opengraph/extensions/github/edges/gh_removelabel) | ❌ | [Repository] Repo role can remove labels from issues and pull requests | -| [GH_ReopenDiscussion](/opengraph/extensions/github/edges/gh_reopendiscussion) | ❌ | [Repository] Repo role can reopen discussions | -| [GH_ReopenIssue](/opengraph/extensions/github/edges/gh_reopenissue) | ❌ | [Repository] Repo role can reopen closed issues | -| [GH_ReopenPullRequest](/opengraph/extensions/github/edges/gh_reopenpullrequest) | ❌ | [Repository] Repo role can reopen closed pull requests | -| [GH_RequestPrReview](/opengraph/extensions/github/edges/gh_requestprreview) | ❌ | [Repository] Repo role can request pull request reviews | -| [GH_ResolveDependabotAlerts](/opengraph/extensions/github/edges/gh_resolvedependabotalerts) | ❌ | [Repository] Repo role can resolve Dependabot alerts | -| [GH_ResolveSecretScanningAlerts](/opengraph/extensions/github/edges/gh_resolvesecretscanningalerts) | ❌ | [Organization] Org role can resolve secret scanning 
alerts | -| [GH_RestrictionsCanPush](/opengraph/extensions/github/edges/gh_restrictionscanpush) | ❌ | User or team is allowed to push to branches protected by this rule | -| [GH_RunOrgMigration](/opengraph/extensions/github/edges/gh_runorgmigration) | ❌ | [Repository] Repo role can run organization migrations | -| [GH_SetInteractionLimits](/opengraph/extensions/github/edges/gh_setinteractionlimits) | ❌ | [Repository] Repo role can set interaction limits on the repository | -| [GH_SetIssueType](/opengraph/extensions/github/edges/gh_setissuetype) | ❌ | [Repository] Repo role can set issue types | -| [GH_SetMilestone](/opengraph/extensions/github/edges/gh_setmilestone) | ❌ | [Repository] Repo role can set milestones on issues and pull requests | -| [GH_SetSocialPreview](/opengraph/extensions/github/edges/gh_setsocialpreview) | ❌ | [Repository] Repo role can set the repository social preview image | -| [GH_SyncedTo](/opengraph/extensions/github/edges/gh_syncedto) | ✅ | External identity (Azure, Okta, PingOne) is synced to this GitHub user via SSO/SCIM | -| [GH_ToggleDiscussionAnswer](/opengraph/extensions/github/edges/gh_togglediscussionanswer) | ❌ | [Repository] Repo role can toggle discussion answers | -| [GH_ToggleDiscussionCommentMinimize](/opengraph/extensions/github/edges/gh_togglediscussioncommentminimize) | ❌ | [Repository] Repo role can minimize discussion comments | -| [GH_TransferRepository](/opengraph/extensions/github/edges/gh_transferrepository) | ❌ | [Organization] Org role can transfer repositories | -| [GH_UsesSecret](/opengraph/extensions/github/edges/gh_usessecret) | ❌ | [Workflow] Step references a secret by name — GH_WorkflowStep → GH_RepoSecret / GH_OrgSecret (name match) | -| [GH_UsesVariable](/opengraph/extensions/github/edges/gh_usesvariable) | ❌ | [Workflow] Step references a variable by name — GH_WorkflowStep → GH_RepoVariable / GH_OrgVariable (name match) | -| [GH_ValidToken](/opengraph/extensions/github/edges/gh_validtoken) | ✅ | Secret 
scanning alert contains a valid, active token belonging to this user | -| [GH_ViewDependabotAlerts](/opengraph/extensions/github/edges/gh_viewdependabotalerts) | ❌ | [Repository] Repo role can view Dependabot alerts | -| [GH_ViewSecretScanningAlerts](/opengraph/extensions/github/edges/gh_viewsecretscanningalerts) | ❌ | [Repository] Role can view secret scanning alerts | -| [GH_WriteCodeScanning](/opengraph/extensions/github/edges/gh_writecodescanning) | ❌ | [Repository] Repo role can upload code scanning results | -| [GH_WriteOrganizationActionsSecrets](/opengraph/extensions/github/edges/gh_writeorganizationactionssecrets) | ❌ | [Organization] Org role can write Actions secrets | -| [GH_WriteOrganizationActionsSettings](/opengraph/extensions/github/edges/gh_writeorganizationactionssettings) | ❌ | [Organization] Org role can write Actions settings | -| [GH_WriteOrganizationActionsVariables](/opengraph/extensions/github/edges/gh_writeorganizationactionsvariables) | ❌ | [Organization] Org role can write Actions variables | -| [GH_WriteOrganizationCustomOrgRole](/opengraph/extensions/github/edges/gh_writeorganizationcustomorgrole) | ✅ | [Organization] Org role can write custom org role definitions | -| [GH_WriteOrganizationCustomRepoRole](/opengraph/extensions/github/edges/gh_writeorganizationcustomreporole) | ❌ | [Organization] Org role can write custom repo role definitions | -| [GH_WriteOrganizationNetworkConfigurations](/opengraph/extensions/github/edges/gh_writeorganizationnetworkconfigurations) | ❌ | [Organization] Org role can write network configurations | -| [GH_WriteRepoContents](/opengraph/extensions/github/edges/gh_writerepocontents) | ❌ | [Repository] Repo role can write repository contents | -| [GH_WriteRepoPullRequests](/opengraph/extensions/github/edges/gh_writerepopullrequests) | ❌ | [Repository] Repo role can create and merge pull requests | From 71b06e88e9d9ccaab9a89c02771520c14037b0ea Mon Sep 17 00:00:00 2001 
From: JonasBK
Date: Mon, 20 Apr 2026 14:02:22 +0200
Subject: [PATCH 16/16] fix em dashes
---
 .../privilege_zone_rules/t0-app-installations-all-repos.json | 2 +-
 extension/privilege_zone_rules/t0-pats-all-repos.json | 2 +-
 .../privilege_zone_rules/t0-privilege-escalation-roles.json | 2 +-
 .../privilege_zone_rules/t0-privilege-escalation-users.json | 2 +-
 extension/saved_searches/demo-sso-to-cloud-round-trip.json | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/extension/privilege_zone_rules/t0-app-installations-all-repos.json b/extension/privilege_zone_rules/t0-app-installations-all-repos.json
index cf6850e..0ef7811 100644
--- a/extension/privilege_zone_rules/t0-app-installations-all-repos.json
+++ b/extension/privilege_zone_rules/t0-app-installations-all-repos.json
@@ -1,6 +1,6 @@
 {
   "name": "GitHub: Tier Zero App Installations (All Repositories)",
-  "description": "GitHub App installations scoped to all repositories in the organization that have at least one write permission. A compromised app credential grants write access to every repository. Installations with only read permissions are excluded \u2014 they pose a data exfiltration risk but do not grant control over the organization.",
+  "description": "GitHub App installations scoped to all repositories in the organization that have at least one write permission. A compromised app credential grants write access to every repository. Installations with only read permissions are excluded — they pose a data exfiltration risk but do not grant control over the organization.",
   "cypher": "MATCH (n:GH_AppInstallation {repository_selection:'all'})\nWHERE n.permissions CONTAINS '\"write\"'\nRETURN n",
   "enabled": true,
   "zone": "Tier Zero",
diff --git a/extension/privilege_zone_rules/t0-pats-all-repos.json b/extension/privilege_zone_rules/t0-pats-all-repos.json
index 211536f..7b3deca 100644
--- a/extension/privilege_zone_rules/t0-pats-all-repos.json
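Review bot: The `+` description line states the rule selects installations "that have at least one write permission", but the `cypher` context line implements that claim with a substring test, `n.permissions CONTAINS '\"write\"'`, against the serialized permissions value rather than a structured check. If the permissions blob can carry a level above write (for example an `admin` level on some permission) without any `write` entry, such an installation would fall outside the rule even though it exceeds the documented threshold, which is the opposite of what a Tier Zero rule should err toward. The same pattern and wording appear in the t0-pats-all-repos hunk. If the substring match is intentional, the description should say so, e.g. append `Membership is determined by a substring match on the serialized permissions value.`; otherwise the WHERE clause should be tightened to cover every permission level at or above write.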
+++ b/extension/privilege_zone_rules/t0-pats-all-repos.json
@@ -1,6 +1,6 @@
 {
   "name": "GitHub: Tier Zero PATs (All Repositories)",
-  "description": "Fine-grained personal access tokens scoped to all repositories in the organization that have at least one write permission. A single compromised token grants write access to every repository. PATs with only read permissions are excluded \u2014 they pose a data exfiltration risk but do not grant control over the organization.",
+  "description": "Fine-grained personal access tokens scoped to all repositories in the organization that have at least one write permission. A single compromised token grants write access to every repository. PATs with only read permissions are excluded — they pose a data exfiltration risk but do not grant control over the organization.",
   "cypher": "MATCH (n:GH_PersonalAccessToken {repository_selection:'all'})\nWHERE n.permissions CONTAINS '\"write\"'\nRETURN n",
   "enabled": true,
   "zone": "Tier Zero",
diff --git a/extension/privilege_zone_rules/t0-privilege-escalation-roles.json b/extension/privilege_zone_rules/t0-privilege-escalation-roles.json
index fab7a43..2ec1095 100644
--- a/extension/privilege_zone_rules/t0-privilege-escalation-roles.json
+++ b/extension/privilege_zone_rules/t0-privilege-escalation-roles.json
@@ -1,6 +1,6 @@
 {
   "name": "GitHub: Tier Zero Privilege Escalation Roles",
-  "description": "Custom organization roles with write_organization_custom_org_role permission can modify organization role definitions, including setting the base_role to inherit all_repo_admin. Since this permission only exists on custom organization roles, the holder can escalate the role they already hold \u2014 a guaranteed self-escalation path to full organizational control.",
+  "description": "Custom organization roles with write_organization_custom_org_role permission can modify organization role definitions, including setting the base_role to inherit all_repo_admin. Since this permission only exists on custom organization roles, the holder can escalate the role they already hold — a guaranteed self-escalation path to full organizational control.",
   "cypher": "MATCH (n:GH_OrgRole)-[:GH_WriteOrganizationCustomOrgRole]->(:GH_Organization)\nRETURN n",
   "enabled": true,
   "zone": "Tier Zero",
diff --git a/extension/privilege_zone_rules/t0-privilege-escalation-users.json b/extension/privilege_zone_rules/t0-privilege-escalation-users.json
index 330db20..a98cffe 100644
--- a/extension/privilege_zone_rules/t0-privilege-escalation-users.json
+++ b/extension/privilege_zone_rules/t0-privilege-escalation-users.json
@@ -1,6 +1,6 @@
 {
   "name": "GitHub: Tier Zero Privilege Escalation Users",
-  "description": "Users who hold custom organization roles with write_organization_custom_org_role permission. These users can modify organization role definitions \u2014 including the role they hold \u2014 to set the base_role to all_repo_admin, granting themselves admin access to every repository in the organization.",
+  "description": "Users who hold custom organization roles with write_organization_custom_org_role permission. These users can modify organization role definitions — including the role they hold — to set the base_role to all_repo_admin, granting themselves admin access to every repository in the organization.",
   "cypher": "MATCH (n:GH_User)-[:GH_HasRole|GH_HasBaseRole*1..]->(:GH_OrgRole)-[:GH_WriteOrganizationCustomOrgRole]->(:GH_Organization)\nRETURN n",
   "enabled": true,
   "zone": "Tier Zero",
diff --git a/extension/saved_searches/demo-sso-to-cloud-round-trip.json b/extension/saved_searches/demo-sso-to-cloud-round-trip.json
index 8c30327..85e43d8 100644
--- a/extension/saved_searches/demo-sso-to-cloud-round-trip.json
+++ b/extension/saved_searches/demo-sso-to-cloud-round-trip.json
@@ -1,5 +1,5 @@
 {
   "name": "[Demo] SSO Round-Trip: Azure/Okta \u2192 GitHub \u2192 Cloud Identity",
   "query": "MATCH p1=(extUser)-[:SyncedToGHUser]->(ghUser:GH_User)\nMATCH p2=(ghUser)-[:GH_HasRole|GH_HasBaseRole|GH_MemberOf*1..]->(:GH_RepoRole)-[:GH_WriteRepoContents]->(:GH_Repository)-[:GH_CanAssumeIdentity]->(cred:AZFederatedIdentityCredential)\nRETURN p1, p2\nLIMIT 1000",
-  "description": "The cloud-to-cloud pivot through GitHub: a compromised Azure or Okta identity syncs to a GitHub user via SSO. That GitHub user has write access to repositories configured with OIDC federation to Azure workload identities. The attacker pivots from one cloud identity through GitHub into a completely different Azure identity \u2014 crossing cloud boundaries twice in a single attack chain."
+  "description": "The cloud-to-cloud pivot through GitHub: a compromised Azure or Okta identity syncs to a GitHub user via SSO. That GitHub user has write access to repositories configured with OIDC federation to Azure workload identities. The attacker pivots from one cloud identity through GitHub into a completely different Azure identity — crossing cloud boundaries twice in a single attack chain."
 }
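Review bot: The `query` context line matches the first hop as `[:SyncedToGHUser]`, which is the only relationship type in the pattern without the `GH_` prefix used by every other edge here (`GH_HasRole`, `GH_WriteRepoContents`, `GH_CanAssumeIdentity`), and the edge table removed earlier in this patch series documented the sync edge as `GH_SyncedTo`; if the collector emits that name, `p1` matches nothing and the saved search silently returns an empty result rather than failing. Please confirm the relationship type against the current schema and, if it has been renamed, change the hop to the schema's name. As a smaller style point, the `+` line now uses a literal em dash while the `name` field two lines above keeps its arrows as `\u2192` escapes; both decode identically, but one convention per file is easier to grep and review.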