Module graph

AuthorityGraph: Directed authority graph. Nodes are pipeline elements (steps, secrets, artifacts, identities, images). Edges model authority/data flow.
Edge: A directed edge in the authority graph.
Node: A node in the authority graph.
PipelineSource: Where the pipeline definition came from.

AuthorityCompleteness: How complete is this authority graph? Parsers set this based on whether they could fully resolve all authority relationships in the pipeline YAML.
EdgeKind: Edge semantics model authority/data flow — not syntactic YAML relations. Design test: “Can authority propagate along this edge?”
IdentityScope: How broad is an identity’s scope? Classifies the risk surface of tokens, service principals, and OIDC identities.
NodeKind: Semantic kind of a graph node.
TrustZone: Trust classification. Explicit on every node — not inferred from kind.

META_CLI_FLAG_EXPOSED: Marks a Secret node whose value is interpolated into a CLI flag argument (e.g. -var "key=$(SECRET)"). CLI flag values appear in pipeline log output even when ADO secret masking is active, because the command string is logged before masking runs and Terraform itself logs -var values.
META_CONTAINER: Marks an Image node as a job container (not a uses: action).
META_DIGEST
META_IDENTITY_SCOPE
META_INFERRED
META_OIDC: Marks an Identity node as OIDC-capable (permissions: id-token: write).
META_PERMISSIONS

is_docker_digest_pinned: Returns true if image is pinned to a Docker digest. Docker digest format: image@sha256:<64-hex-chars>.
is_sha_pinned: Returns true if ref_str is a SHA-pinned action reference. Checks: contains @, part after @ is >= 40 hex chars. Single source of truth — used by both parser and rules.

EdgeId: Unique identifier for an edge in the authority graph.
NodeId: Unique identifier for a node in the authority graph.