How does GauntletCI compare to SonarQube?

SonarQube analyzes the entire codebase on a schedule and requires a server, account, and network access. GauntletCI analyzes only the lines that changed in the current diff, runs entirely on the developer's machine in under one second, requires no account or cloud connection, and installs as a pre-commit hook. SonarQube is a full codebase quality platform; GauntletCI is a focused change-risk detector that runs before a commit is ever created.

How does GauntletCI compare to Semgrep?

Semgrep is a pattern-matching engine that scans files or the full codebase. GauntletCI scopes every rule to the changed diff, meaning it only flags risks introduced by the current change, not pre-existing issues in unchanged files. GauntletCI also includes incident correlation, local LLM enrichment, and baseline delta mode, which Semgrep does not offer. GauntletCI's free tier includes all rules with no account required.

How does GauntletCI compare to Snyk?

Snyk is primarily a dependency and container vulnerability scanner that requires cloud connectivity and a Snyk account. GauntletCI detects behavioral, structural, and security risks in first-party code changes, not dependency vulnerabilities, and runs 100% locally with no data transmitted. GauntletCI is suitable for air-gapped environments and organizations with strict data residency requirements; Snyk is not.

How does GauntletCI compare to CodeQL / GitHub Advanced Security?

CodeQL performs deep semantic analysis of the full codebase and requires compilation and significant compute time, typically minutes per run. GauntletCI analyzes only the changed diff in under one second with no compilation step, making it suitable as a pre-commit hook in the developer's local workflow. CodeQL is better for periodic deep security audits; GauntletCI is better for fast, continuous feedback on every commit.

How does GauntletCI compare to Code Climate?

Code Climate is a SaaS platform that analyzes full repositories for maintainability and test coverage trends over time. It requires uploading code to a cloud service. GauntletCI is fully local, diff-scoped, and focused on change risk rather than codebase health metrics. GauntletCI does not require a cloud account, never transmits code, and produces results in under one second, making it a complement to, not a replacement for, Code Climate's longitudinal reporting.

Does GauntletCI work in air-gapped or offline environments?

Yes. GauntletCI runs entirely on the local machine. No diff, finding, file path, or telemetry is transmitted. The optional local LLM enrichment feature (--with-llm) uses a locally hosted Ollama model, with no network call. This makes GauntletCI suitable for classified, regulated, or air-gapped environments where cloud-based analysis tools are prohibited.

What is baseline delta mode and do other tools offer it?

Baseline delta mode (gauntletci baseline capture) snapshots all current findings and suppresses them from future runs. Only net-new findings (risks introduced after the baseline) are reported. This eliminates alert fatigue from pre-existing issues in legacy codebases. SonarQube offers a similar 'new code' concept but requires server setup. Semgrep, Snyk, CodeQL, and Code Climate do not offer equivalent pre-commit baseline suppression.

Real detections

What GauntletCI actually catches

Six annotated examples from real .NET codebases. These are the patterns that pass code review, pass tests, and fail in production. GauntletCI flags them before the commit is created.

GCI0003

Behavioral change: removed null guard

HighBehavioral Correctness

diff --git

public async Task<Order> CreateOrderAsync(CreateOrderRequest request)

{

- if (request is null) throw new ArgumentNullException(nameof(request));

var order = new Order(request.CustomerId, request.Items);

return await _repo.SaveAsync(order);

}

GCI0003: Guard clause removed at line 3 -- ArgumentNullException no longer thrown on null input. Callers relying on this contract will see NullReferenceException deeper in the call stack.

GCI0029

PII leak: customer email in structured log

HighSecurity

diff --git

var customer = await _customerService.GetAsync(customerId);

+ _logger.LogInformation("Processing order for {Email}", customer.Email);

await ProcessOrderAsync(customer, order);

GCI0029: PII field 'Email' logged at line 2. Structured log sinks (Application Insights, Datadog, Splunk) persist this value. Review data retention and access policies.

GCI0016

Concurrency: async void event handler

HighConcurrency

diff --git

-private async Task OnOrderReceived(object sender, OrderEventArgs e)

+private async void OnOrderReceived(object sender, OrderEventArgs e)

{

await ProcessOrderAsync(e.Order);

}

GCI0016: Method changed from async Task to async void at line 1. Exceptions thrown inside async void cannot be caught by the caller and will crash the process in .NET.

GCI0004

Breaking change: public method signature changed

HighAPI Contracts

diff --git

-public IEnumerable<Product> GetProducts(int categoryId)

+public IEnumerable<Product> GetProducts(int categoryId, bool includeArchived)

{

return _repo.Query(categoryId);

}

GCI0004: Required parameter 'includeArchived' added to public method at line 1. Callers in external assemblies compiled against the old signature will throw MissingMethodException at runtime.

GCI0012

Security: hardcoded connection string

HighSecurity

diff --git

private readonly string _connectionString;

- _connectionString = configuration.GetConnectionString("Default");

+ _connectionString = "Server=prod-db.internal;Database=orders;User Id=sa;Password=P@ssw0rd!";

GCI0010: Hardcoded connection string with embedded credentials at line 4. Credentials committed to version control are compromised. Use IConfiguration or a secrets manager.

GCI0007

Error handling: exception swallowed silently

MediumError Handling

diff --git

try

{

await SendNotificationAsync(order);

}

-catch (Exception ex)

- _logger.LogError(ex, "Notification failed for order {OrderId}", order.Id);

+catch { }

GCI0007: Exception handler removed or emptied at line 9. Errors in SendNotificationAsync will be silently swallowed. Failures will not surface in logs or monitoring.

These are not theoretical

Every pattern above is based on a real class of production incident common to .NET services. GauntletCI's detection rules were built by reverse-engineering incident post-mortems to find the structural signatures visible in the diff before the change was merged.

The analysis is deterministic. No training data. No probability threshold. The same diff produces the same findings every time.

Get started free View all detection rules

What GauntletCI actually catches

Behavioral change: removed null guard#

PII leak: customer email in structured log#

Concurrency: async void event handler#

Breaking change: public method signature changed#

Security: hardcoded connection string#

Error handling: exception swallowed silently#

These are not theoretical

Behavioral change: removed null guard

PII leak: customer email in structured log

Concurrency: async void event handler

Breaking change: public method signature changed

Security: hardcoded connection string

Error handling: exception swallowed silently