From 312c88161d7c70f4f8fc35a9201b1993aec39562 Mon Sep 17 00:00:00 2001
From: JonasBK
Date: Tue, 21 Apr 2026 10:41:20 +0200
Subject: [PATCH 1/3] update GH_CanEditProtection.md
---
 descriptions/edges/GH_CanEditProtection.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/descriptions/edges/GH_CanEditProtection.md b/descriptions/edges/GH_CanEditProtection.md
index 455e7eb..d36e4bf 100644
--- a/descriptions/edges/GH_CanEditProtection.md
+++ b/descriptions/edges/GH_CanEditProtection.md
@@ -1,6 +1,6 @@
 ## General Information
-The traversable GH_CanEditProtection edge is a computed edge indicating that a role can modify or remove the branch protection rules governing a specific branch. This edge is emitted when the role has GH_EditRepoProtections or GH_AdminTo permissions and the branch is covered by at least one branch protection rule. The edge targets the protected branch (not the BPR itself) because the security impact is evaluated per-branch — a role that can weaken or remove protections on a branch can subsequently push code to it, representing a privilege escalation path.
+The traversable GH_CanEditProtection edge is a computed edge indicating that a role can modify or remove branch protection rules in a repository. This edge is emitted when the role has GH_EditRepoProtections or GH_AdminTo permissions and the repository contains at least one protected branch. Repo-targeted edges model the repo-wide security impact for attack path traversal; branch-targeted edges are also emitted as supporting evidence for each protected branch governed by those rules.
 ## Scenarios
@@ -13,6 +13,7 @@ graph LR
 role("GH_RepoRole admin") -->|GH_AdminTo| repo("GH_Repository")
 repo -->|GH_HasBranch| branch("GH_Branch main")
 bpr("GH_BranchProtectionRule") -->|GH_ProtectedBy| branch
+ role ==>|GH_CanEditProtection| repo
 role ==>|GH_CanEditProtection| branch
 ```
@@ -25,5 +26,6 @@ graph LR
 role("GH_RepoRole custom") -->|GH_EditRepoProtections| repo("GH_Repository")
 repo -->|GH_HasBranch| branch("GH_Branch main")
 bpr("GH_BranchProtectionRule") -->|GH_ProtectedBy| branch
+ role ==>|GH_CanEditProtection| repo
 role ==>|GH_CanEditProtection| branch
 ```
From c4c05abde6690d75db9f8048a83a5d97bba3a91f Mon Sep 17 00:00:00 2001
From: JonasBK
Date: Tue, 21 Apr 2026 10:41:40 +0200
Subject: [PATCH 2/3] update t0-all-repo-admin-role.json
---
 extension/privilege_zone_rules/t0-all-repo-admin-role.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/extension/privilege_zone_rules/t0-all-repo-admin-role.json b/extension/privilege_zone_rules/t0-all-repo-admin-role.json
index eff2bed..4b61324 100644
--- a/extension/privilege_zone_rules/t0-all-repo-admin-role.json
+++ b/extension/privilege_zone_rules/t0-all-repo-admin-role.json
@@ -1,7 +1,7 @@
 {
 "name": "GitHub: Tier Zero All-Repo Admin Role",
 "description": "The synthetic all_repo_admin role grants admin access to every repository in the organization. This role is inherited by the owners role via GH_HasBaseRole and cascades admin permissions including branch protection editing, secret access, and deploy key management to all repositories.",
- "cypher": "MATCH (n:GH_OrgRole)\nWHERE n.name ENDS\nWITH '/all_repo_admin'\nRETURN n",
+ "cypher": "MATCH (n:GH_OrgRole)\nWHERE n.name CONTAINS 'ALL_REPO_ADMIN'\nRETURN n",
 "enabled": true,
 "zone": "Tier Zero",
 "allow_disable": true
From 600a1f2ffbd091da1557331154e6ce577dddcc6a Mon Sep 17 00:00:00 2001
From: JonasBK
Date: Tue, 21 Apr 2026 11:23:32 +0200
Subject: [PATCH 3/3] update edge description
---
 extension/schema.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/extension/schema.json b/extension/schema.json
index b0d2b87..026e5b3 100644
--- a/extension/schema.json
+++ b/extension/schema.json
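Review bot: The new `cypher` line selects the synthetic role by substring (`CONTAINS 'ALL_REPO_ADMIN'`), so any GH_OrgRole whose name merely contains that text — a custom org role that happens to include it, for instance — would be classified as Tier Zero, whereas the removed query anchored on the end of the name. If the collector-assigned name always ends in that token, `WHERE n.name ENDS WITH 'ALL_REPO_ADMIN'` keeps the fix while staying exact; a dedicated property stamped on the synthetic role would be more robust still, if one exists. The `description` on the line above still calls the role `all_repo_admin` while the query now looks for the uppercase `ALL_REPO_ADMIN` (CONTAINS is case-sensitive in Cypher); presumably the collector uppercases the node name, but the description should use the same spelling so a reader can tell which name the rule depends on.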
@@ -2,7 +2,7 @@
 "schema": {
 "name": "SOGitHub",
 "display_name": "GitHub Extension (by SpecterOps)",
- "version": "v1.2.2",
+ "version": "v1.2.3",
 "namespace": "GH"
 },
 "node_kinds": [
@@ -648,7 +648,7 @@
 },
 {
 "name": "GH_CanEditProtection",
- "description": "[Repository - Computed] Repo role can modify or remove the branch protection rules governing this branch (computed from GH_EditRepoProtections + GH_ProtectedBy)",
+ "description": "[Repository - Computed] Repo role can modify or remove branch protection rules for the repository/branch (computed from GH_EditRepoProtections + GH_ProtectedBy)",
 "is_traversable": true
 },
 {
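Review bot: The updated `description` for GH_CanEditProtection in the second hunk names only GH_EditRepoProtections as the source permission, while descriptions/edges/GH_CanEditProtection.md in the first patch of this series states the edge is emitted for GH_EditRepoProtections or GH_AdminTo. A reader working from the schema alone would therefore miss the admin-role path; suggest `"description": "[Repository - Computed] Repo role can modify or remove branch protection rules for the repository/branch (computed from GH_EditRepoProtections or GH_AdminTo, plus GH_ProtectedBy)"`. The `[Repository - Computed]` tag may also warrant a look now that the edge targets both repositories and branches, though the tag's exact convention is not visible here.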