# GH_CanCreateBranch

> [Repository - Computed] Role can create new branches in this repository (unprotected branches that bypass the merge gate)

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

## Edge Schema

* Source: [GH\_RepoRole](/opengraph/extensions/github/nodes/gh_reporole), [GH\_User](/opengraph/extensions/github/nodes/gh_user), [GH\_Team](/opengraph/extensions/github/nodes/gh_team)
* Destination: [GH\_Repository](/opengraph/extensions/github/nodes/gh_repository)
* Traversable: ✅

## General Information

The traversable GH\_CanCreateBranch edge is a computed edge indicating that a role or actor can create new branches in a repository. The computation checks whether a wildcard (`*`) branch protection rule (BPR) with push restrictions and `blocks_creations` exists. If no such BPR exists, any write-capable role can create branches. If one exists, branch creation requires the admin or `push_protected_branch` permission, or the actor must be listed in the BPR's `pushAllowances`. Per-actor edges from [GH\_User](/opengraph/extensions/github/nodes/gh_user) or [GH\_Team](/opengraph/extensions/github/nodes/gh_team) are only emitted when BPR allowances grant branch creation access beyond what the role provides. Each edge includes a `reason` property and a `query_composition` Cypher query showing the underlying graph evidence.
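The decision logic described above can be sketched as a small audit helper. This is an added example, not the extension's own code: the `BPR` class, the function names, the use of edge kinds as permission strings, and the check order (admin before `push_protected_branch`) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Permission names reuse the edge kinds shown in the scenario diagrams (assumed modelling).
WRITE, ADMIN, PUSH_PROTECTED = "GH_WriteRepoContents", "GH_AdminTo", "GH_PushProtectedBranch"

@dataclass
class BPR:  # hypothetical stand-in for a GH_BranchProtectionRule node
    pattern: str
    push_restrictions: bool = False
    blocks_creations: bool = False
    push_allowances: set = field(default_factory=set)

def creation_gate(bprs):
    """Return the wildcard BPR that restricts pushes and blocks creations, if any."""
    return next((b for b in bprs
                 if b.pattern == "*" and b.push_restrictions and b.blocks_creations), None)

def role_reason(perms, bprs):
    """Reason a role gets GH_CanCreateBranch, or None when no edge applies."""
    if creation_gate(bprs) is None:
        # Assumption: an admin role counts as write-capable.
        return "no_protection" if perms & {WRITE, ADMIN} else None
    if ADMIN in perms:
        return "admin"
    if PUSH_PROTECTED in perms:
        return "push_protected_branch"
    return None

def actor_reason(actor, role_perms, bprs):
    """Per-actor delta edge: only when the allowance adds access the role lacks."""
    if role_reason(role_perms, bprs) is not None:
        return None  # the role edge already covers this actor
    gate = creation_gate(bprs)
    # The page does not say whether the actor must also hold a write-capable
    # role, so that is not checked here.
    if gate is not None and actor in gate.push_allowances:
        return "push_allowance"
    return None

# Constructed sample data mirroring the four scenarios on this page.
GATE = BPR("*", push_restrictions=True, blocks_creations=True, push_allowances={"alice"})
MAIN_ONLY = BPR("main", push_restrictions=True, blocks_creations=True)

if __name__ == "__main__":
    roles = [("write", {WRITE}), ("maintain", {WRITE, PUSH_PROTECTED}), ("admin", {ADMIN})]
    for name, perms in roles:
        print(name, role_reason(perms, [MAIN_ONLY]), role_reason(perms, [GATE]))
    print("alice", actor_reason("alice", {WRITE}, [GATE]))
    print("bob", actor_reason("bob", {WRITE}, [GATE]))
```

A rule scoped to `main` alone does not gate creation, so a plain write role still receives the edge with reason `no_protection`; only the wildcard rule narrows it to admin, push-protected, or allow-listed actors.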

## Scenarios

### `no_protection` — No wildcard BPR blocking creations

No wildcard (`*`) BPR with `blocks_creations` exists. Any write-capable role can create new branches.

```mermaid
graph LR
    role("GH_RepoRole write") -->|GH_WriteRepoContents| repo("GH_Repository")
    role ==>|GH_CanCreateBranch| repo
```

### `admin` — Admin bypasses wildcard BPR

A wildcard BPR with `push_restrictions` and `blocks_creations` prevents branch creation. The admin role bypasses this restriction.

```mermaid
graph LR
    role("GH_RepoRole admin") -->|GH_AdminTo| repo("GH_Repository")
    repo -->|GH_HasBranch| branch("GH_Branch main")
    bpr("GH_BranchProtectionRule\npattern=*\npush_restrictions\nblocks_creations") -->|GH_ProtectedBy| branch
    role ==>|GH_CanCreateBranch| repo
```

### `push_protected_branch` — Push-protected role bypasses wildcard BPR

A wildcard BPR blocks creations. The [GH\_PushProtectedBranch](/opengraph/extensions/github/edges/gh_pushprotectedbranch) permission bypasses the push gate regardless of `enforce_admins`.

```mermaid
graph LR
    role("GH_RepoRole maintain") -->|GH_WriteRepoContents| repo("GH_Repository")
    role -->|GH_PushProtectedBranch| repo
    repo -->|GH_HasBranch| branch("GH_Branch main")
    bpr("GH_BranchProtectionRule\npattern=*\npush_restrictions\nblocks_creations") -->|GH_ProtectedBy| branch
    role ==>|GH_CanCreateBranch| repo
```

### `push_allowance` — Per-actor push restriction bypass

A user or team listed in the wildcard BPR's `pushAllowances` can create branches. This is a per-actor delta edge: it is only emitted when the actor's role doesn't already grant [GH\_CanCreateBranch](/opengraph/extensions/github/edges/gh_cancreatebranch).

```mermaid
graph LR
    user("GH_User alice") -->|GH_HasRole| role("GH_RepoRole write")
    role -->|GH_WriteRepoContents| repo("GH_Repository")
    repo -->|GH_HasBranch| branch("GH_Branch main")
    bpr("GH_BranchProtectionRule\npattern=*\npush_restrictions\nblocks_creations") -->|GH_ProtectedBy| branch
    user -->|GH_RestrictionsCanPush| bpr
    user ==>|GH_CanCreateBranch| repo
```
