Static visualizer, based on demo PR #299

See exactly how a risky diff becomes a GauntletCI finding

This before/after view uses the role-based authorization scenario from PR #299 to show the pieces reviewers need: original behavior, changed behavior, diff evidence, rule mapping, and the next action before merge.

Illustrative example

This is a static walkthrough, not a live analyzer. The scenario links to the public demo PR so you can inspect the full baseline and regressed files separately.

Open demo PR #299 Back to live demo

Reviewer summary

src/OrderService/Controllers/AdminPolicyController.Regressed.cs:20

block

GCI0012: Security Risk

Endpoint authorization changed from a framework policy attribute to inline branch logic.

Block findings

Protected file

Suggested fix

Before: framework-level policy

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[HttpPost("settings")]
[Authorize(Policy = "AdminOnly")]
public async Task<ActionResult> UpdateSystemSettings(
    SystemSettingsRequest request,
    CancellationToken ct)
{
    await _settingsService.UpdateSettingsAsync(request, ct);
    return Ok();
}

After: inline claim branch

using Microsoft.AspNetCore.Mvc;

[HttpPost("settings")]
public async Task<ActionResult> UpdateSystemSettings(
    SystemSettingsRequest request,
    CancellationToken ct)
{
    if (User?.HasClaim("role", "admin") ?? false)
    {
        await _settingsService.UpdateSettingsAsync(request, ct);
    }

    return Ok();
}

Diff evidence

The changed lines explain the risk

The visualizer keeps literal + and - markers so the signal is readable without relying only on red and green highlighting.

- using Microsoft.AspNetCore.Authorization;

using Microsoft.AspNetCore.Mvc;

[HttpPost("settings")]

- [Authorize(Policy = "AdminOnly")]

public async Task<ActionResult> UpdateSystemSettings(

SystemSettingsRequest request,

CancellationToken ct)

{

- await _settingsService.UpdateSettingsAsync(request, ct);

+ if (User?.HasClaim("role", "admin") ?? false)

+ {

+ await _settingsService.UpdateSettingsAsync(request, ct);

+ }

return Ok();

}

Example findings

BlockGCI0012: Security Risk

Authorization logic changed on a protected endpoint. The framework-level policy attribute was removed and replaced with inline claim logic that returns success even when the update does not run.

src/OrderService/Controllers/AdminPolicyController.Regressed.cs:20

BlockGCI0003: Behavioral Change Detection

Runtime behavior changed without a corresponding test update in the diff. The reviewer needs evidence that unauthorized settings updates are rejected rather than silently returning success.

Suggested next action

Restore the AdminOnly policy attribute or return Forbid() when the inline claim check fails.

Add tests that prove non-admin users cannot update system settings through the changed path and do not receive a success-shaped response.

If the bypass is intentional, document the business rule in the PR and update policy tests so the merge decision has durable evidence.

Connect the visualizer to the full workflow

Use this page to understand the finding, then inspect the real demo PR, rule docs, and GitHub output surfaces your team can wire into required checks.

Live demo PRs Checks and SARIF GCI0012 rule Rule library