Preview GauntletCI findings in GitHub Checks and SARIF
See how the same finding can appear in a pull request check run, a line-level annotation, and a SARIF-compatible code scanning view before wiring it into your own repository.
Capability note
These advanced outputs are available through direct CLI invocation today. The published composite GitHub Action currently exposes inline PR comments; use the workflows below when you need Checks API annotations or SARIF upload.
Pull request checks
EricCogen/GauntletCI-Demo #299
GauntletCI Risk Analysis
3 grouped findings (2 block, 1 warn)
GCI0012: Security Risk
Authorization logic changed on a protected endpoint.
src/Orders/OrderController.cs:87
GCI0039: External Service Safety
HTTP call added without cancellation flow in a request path.
src/Billing/PaymentClient.cs:42
GitHub Checks API preview
The CLI flag --github-checks creates a completed check run with grouped findings and up to 50 line annotations (the Checks API maximum per request). It requires the checks: write permission, a repository token (GITHUB_TOKEN), and the commit SHA the check run should attach to, which the workflows below take from the pull request head.
GauntletCI Risk Analysis
Conclusion: failure when Block findings exist; neutral for Warn-only findings.
annotation
GCI0012: Security Risk
Message, evidence, why it matters, and suggested action appear in the check run annotation details.
SARIF/code scanning preview
The CLI can write SARIF 2.1.0 with rule IDs, severity levels, messages, and file locations. Uploading that file with github/codeql-action/upload-sarif surfaces the results as code scanning alerts on the repository's Security tab (code scanning must be enabled for the repository), and any other SARIF-compatible tool can consume the same file.
Security Risk in OrderController.cs
Alert payload includes the rule ID, message, level, URI, and start line.
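The following script is an added example, not code from GauntletCI or from this page's workflows. It reads a SARIF 2.1.0 file in the shape described above (the same fields that appear in the SARIF shape section further down), maps each located result to a GitHub Checks API annotation, derives the check-run conclusion using the page's rule (failure when Block findings exist, neutral for Warn-only), and splits annotations into batches of 50 because that is the Checks API limit per create or update request. The sample SARIF is constructed for the example, and the mapping of SARIF levels to annotation levels (error to failure, warning to warning, note or none to notice) is an assumption of this example, not documented GauntletCI behaviour.

```python
"""Added example (not GauntletCI's own code): SARIF 2.1.0 -> GitHub Checks API
annotations plus a check-run conclusion, in pure standard-library Python."""
import json

# The Checks API accepts at most 50 annotations per check-run create/update request.
MAX_ANNOTATIONS_PER_REQUEST = 50

# Assumed mapping from SARIF result.level to Checks API annotation_level.
ANNOTATION_LEVELS = {"error": "failure", "warning": "warning", "note": "notice", "none": "notice"}

# Constructed sample in the shape this page describes; not real tool output.
SAMPLE_SARIF = json.dumps({
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "GauntletCI", "rules": [
            {"id": "GCI0012", "name": "SecurityRisk",
             "shortDescription": {"text": "Security Risk"}},
            {"id": "GCI0039", "name": "ExternalServiceSafety",
             "shortDescription": {"text": "External Service Safety"}},
        ]}},
        "results": [
            {"ruleId": "GCI0012", "level": "error",
             "message": {"text": "Authorization logic changed on a protected endpoint."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/Orders/OrderController.cs"},
                 "region": {"startLine": 87}}}]},
            {"ruleId": "GCI0039", "level": "warning",
             "message": {"text": "HTTP call added without cancellation flow in a request path."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/Billing/PaymentClient.cs"},
                 "region": {"startLine": 42, "endLine": 45}}}]},
        ],
    }],
})


def parse_sarif(text):
    """Return (rules_by_id, results) from a SARIF 2.1.0 document; reject other versions."""
    doc = json.loads(text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"expected SARIF 2.1.0, got {doc.get('version')!r}")
    rules, results = {}, []
    for run in doc.get("runs", []):
        for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
            rules[rule["id"]] = rule
        results.extend(run.get("results", []))
    return rules, results


def annotations_from_sarif(text):
    """Map every SARIF result with a file location to one Checks API annotation dict."""
    rules, results = parse_sarif(text)
    annotations = []
    for result in results:
        level = result.get("level", "warning")  # SARIF: a missing level means "warning"
        rule_id = result.get("ruleId", "finding")
        title = rules.get(rule_id, {}).get("shortDescription", {}).get("text", rule_id)
        for loc in result.get("locations", []):
            phys = loc.get("physicalLocation", {})
            uri = phys.get("artifactLocation", {}).get("uri")
            region = phys.get("region", {})
            start = region.get("startLine")
            if not uri or start is None:
                continue  # annotations need a path and a line; skip non-file results
            annotations.append({
                "path": uri,
                "start_line": start,
                "end_line": region.get("endLine", start),
                "annotation_level": ANNOTATION_LEVELS.get(level, "notice"),
                "title": f"{rule_id}: {title}",
                "message": result.get("message", {}).get("text", ""),
            })
    return annotations


def conclusion_for(text):
    """Page rule: failure when any Block (error) finding exists, neutral when only
    Warn (warning) findings exist, success when the run is clean."""
    _, results = parse_sarif(text)
    levels = {r.get("level", "warning") for r in results}
    if "error" in levels:
        return "failure"
    if "warning" in levels:
        return "neutral"
    return "success"


def batches(annotations, size=MAX_ANNOTATIONS_PER_REQUEST):
    """Split annotations into request-sized batches: send the first with the
    create call and the rest as PATCH updates to the same check run."""
    return [annotations[i:i + size] for i in range(0, len(annotations), size)]


if __name__ == "__main__":
    found = annotations_from_sarif(SAMPLE_SARIF)
    print(conclusion_for(SAMPLE_SARIF), len(found), [a["path"] for a in found])
```

Run it against a real gauntletci.sarif by replacing SAMPLE_SARIF with the file contents; the conclusion string is what a job would pass as the check run's conclusion, and each batch is one request body's output.annotations array.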
Copyable workflows
Use direct CLI steps for Checks and SARIF
The composite action is the shortest install path for inline review comments. For GitHub Checks API annotations or SARIF upload, call the CLI directly so the workflow can pass the required permissions, token, commit SHA, and output file. One caveat: on the pull_request event, runs triggered from forked repositories receive a read-only GITHUB_TOKEN regardless of the permissions block, so neither check-run creation nor SARIF upload will succeed for fork PRs with these workflows as written.
name: GauntletCI Checks
on:
  pull_request:
    branches: [main]
permissions:
  contents: read
  checks: write
jobs:
  gauntletci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: actions/setup-dotnet@v5
        with:
          dotnet-version: 8.0.x
      - name: Install GauntletCI
        run: dotnet tool install -g GauntletCI --version 2.1.1
      - name: Post GitHub Checks annotations
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITHUB_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
        run: |
          gauntletci analyze \
            --commit "$GITHUB_SHA" \
            --no-llm \
            --github-checks

name: GauntletCI SARIF
on:
  pull_request:
    branches: [main]
permissions:
  contents: read
  security-events: write
jobs:
  gauntletci-sarif:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: actions/setup-dotnet@v5
        with:
          dotnet-version: 8.0.x
      - name: Install GauntletCI
        run: dotnet tool install -g GauntletCI --version 2.1.1
      - name: Generate SARIF
        run: |
          gauntletci analyze \
            --commit "${{ github.event.pull_request.head.sha || github.sha }}" \
            --no-llm \
            --output gauntletci.sarif
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: gauntletci.sarif
          category: gauntletci

SARIF shape
The preview uses standard SARIF fields
This shortened example shows the structure GauntletCI emits: a tool driver with GCI rule metadata, plus result entries with rule IDs, severity levels, messages, and source locations.
{
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "version": "2.1.0",
  "runs": [{
    "tool": {
      "driver": {
        "name": "GauntletCI",
        "rules": [{
          "id": "GCI0012",
          "name": "SecurityRisk",
          "shortDescription": { "text": "Security Risk" },
          "helpUri": "https://gauntletci.com/docs/rules/GCI0012"
        }]
      }
    },
    "results": [{
      "ruleId": "GCI0012",
      "level": "error",
      "message": {
        "text": "Authorization logic changed on a protected endpoint. Action: keep authorization checks outside optional branches."
      },
      "locations": [{
        "physicalLocation": {
          "artifactLocation": { "uri": "src/Orders/OrderController.cs" },
          "region": { "startLine": 87 }
        }
      }]
    }]
  }]
}

Next steps
Start with the public demo PRs, then use the rule docs and configuration docs to decide which output surface fits your team's merge policy.
