> ## Documentation Index
> Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt
> Use this file to discover all available pages before exploring further.

# GH_CanReadSecretScanningAlert

> [Computed] Role can read secret scanning alerts (computed from GH_ViewSecretScanningAlerts permission + GH_Contains)

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

## Edge Schema

* Source: [GH\_OrgRole](/opengraph/extensions/github/nodes/gh_orgrole), [GH\_RepoRole](/opengraph/extensions/github/nodes/gh_reporole)
* Destination: [GH\_SecretScanningAlert](/opengraph/extensions/github/nodes/gh_secretscanningalert)
* Traversable: ✅

## General Information

The traversable GH\_CanReadSecretScanningAlert edge is a computed edge indicating that a role can read a specific secret scanning alert, including the leaked secret value. The computation cross-references [GH\_ViewSecretScanningAlerts](/opengraph/extensions/github/edges/gh_viewsecretscanningalerts) permission edges with [GH\_Contains](/opengraph/extensions/github/edges/gh_contains) structural edges (org-level and repo-level) to determine which alerts each role can access. This edge is traversable because reading an alert reveals the leaked secret — if the secret is a valid GitHub Personal Access Token, the [GH\_ValidToken](/opengraph/extensions/github/edges/gh_validtoken) edge enables identity compromise of the token's owner.

Each edge includes a `reason` property (`org_role_permission` or `repo_role_permission`) and a `query_composition` Cypher query showing the underlying graph evidence.

## Scenarios

### `org_role_permission` — Org role views alerts via organization

An org role with [GH\_ViewSecretScanningAlerts](/opengraph/extensions/github/edges/gh_viewsecretscanningalerts) to the organization can read all secret scanning alerts across the entire org. The computation follows [GH\_Contains](/opengraph/extensions/github/edges/gh_contains) edges from the organization to each alert.

```mermaid theme={null}
graph LR
    role("GH_OrgRole security_manager") -->|GH_ViewSecretScanningAlerts| org("GH_Organization")
    org -->|GH_Contains| alert("GH_SecretScanningAlert #42")
    role ==>|GH_CanReadSecretScanningAlert| alert
    alert -.->|GH_ValidToken| user("GH_User jdoe")
```

### `repo_role_permission` — Repo role views alerts via repository

A repo role with [GH\_ViewSecretScanningAlerts](/opengraph/extensions/github/edges/gh_viewsecretscanningalerts) to the repository can read secret scanning alerts in that specific repo. The computation follows [GH\_Contains](/opengraph/extensions/github/edges/gh_contains) edges from the repository to each alert.

```mermaid theme={null}
graph LR
    role("GH_RepoRole admin") -->|GH_ViewSecretScanningAlerts| repo("GH_Repository")
    repo -->|GH_Contains| alert("GH_SecretScanningAlert #17")
    role ==>|GH_CanReadSecretScanningAlert| alert
    alert -.->|GH_ValidToken| user("GH_User jdoe")
```