How does GauntletCI compare to SonarQube?

SonarQube analyzes the entire codebase on a schedule and requires a server, account, and network access. GauntletCI analyzes only the lines that changed in the current diff, runs entirely on the developer's machine in under one second, requires no account or cloud connection, and installs as a pre-commit hook. SonarQube is a full codebase quality platform; GauntletCI is a focused change-risk detector that runs before a commit is ever created.

How does GauntletCI compare to Semgrep?

Semgrep is a pattern-matching engine that scans files or the full codebase. GauntletCI scopes every rule to the changed diff, meaning it only flags risks introduced by the current change, not pre-existing issues in unchanged files. GauntletCI also includes incident correlation, local LLM enrichment, and baseline delta mode, which Semgrep does not offer. GauntletCI's free tier includes all rules with no account required.

How does GauntletCI compare to Snyk?

Snyk is primarily a dependency and container vulnerability scanner that requires cloud connectivity and a Snyk account. GauntletCI detects behavioral, structural, and security risks in first-party code changes, not dependency vulnerabilities, and runs 100% locally with no data transmitted. GauntletCI is suitable for air-gapped environments and organizations with strict data residency requirements; Snyk is not.

How does GauntletCI compare to CodeQL / GitHub Advanced Security?

CodeQL performs deep semantic analysis of the full codebase and requires compilation and significant compute time, typically minutes per run. GauntletCI analyzes only the changed diff in under one second with no compilation step, making it suitable as a pre-commit hook in the developer's local workflow. CodeQL is better for periodic deep security audits; GauntletCI is better for fast, continuous feedback on every commit.

How does GauntletCI compare to Code Climate?

Code Climate is a SaaS platform that analyzes full repositories for maintainability and test coverage trends over time. It requires uploading code to a cloud service. GauntletCI is fully local, diff-scoped, and focused on change risk rather than codebase health metrics. GauntletCI does not require a cloud account, never transmits code, and produces results in under one second, making it a complement to, not a replacement for, Code Climate's longitudinal reporting.

Does GauntletCI work in air-gapped or offline environments?

Yes. GauntletCI runs entirely on the local machine. No diff, finding, file path, or telemetry is transmitted. The optional local LLM enrichment feature (--with-llm) uses a locally hosted Ollama model, with no network call. This makes GauntletCI suitable for classified, regulated, or air-gapped environments where cloud-based analysis tools are prohibited.

What is baseline delta mode and do other tools offer it?

Baseline delta mode (gauntletci baseline capture) snapshots all current findings and suppresses them from future runs. Only net-new findings (risks introduced after the baseline) are reported. This eliminates alert fatigue from pre-existing issues in legacy codebases. SonarQube offers a similar 'new code' concept but requires server setup. Semgrep, Snyk, CodeQL, and Code Climate do not offer equivalent pre-commit baseline suppression.

How do I reduce noise from low-confidence warnings?

Use the --sensitivity flag to filter findings by confidence. The default (balanced) shows all Block findings plus Warn findings with Medium or High confidence. Use --sensitivity strict to show only Block findings with Medium+ confidence. Use --sensitivity permissive to see everything including low-confidence warnings.

How do I analyze staged changes with GauntletCI?

Run gauntletci analyze --staged to analyze your staged changes. The tool exits with code 1 if blocking findings are detected, which will block the commit if used as a pre-commit hook.

What output formats does GauntletCI support?

GauntletCI supports text (default, human-readable terminal output) and json (machine-readable) output formats, controlled with the --output flag. Use --output json to pipe findings to scripts, dashboards, or custom integrations.

What exit codes does GauntletCI return?

Exit code 0 means no findings were detected. Exit code 1 means findings were detected or input was invalid. Exit code 2 means an unhandled error occurred.

How do I emit inline GitHub Actions annotations?

Pass the --github-annotations flag to gauntletci analyze. This emits GitHub Actions workflow commands that create inline diff comments on the exact lines where findings occur.

How do I suppress the GauntletCI banner?

Pass --no-banner to any command, or set the GAUNTLETCI_NO_BANNER environment variable to any non-empty value. The banner is automatically suppressed when CI, GITHUB_ACTIONS, or TF_BUILD environment variables are set.

CLI Reference

Command Reference

All commands, flags, and exit codes for the gauntletci CLI tool.

Exit codes

Code	Meaning
0	Success; no findings detected
1	Findings detected, or invalid input
2	Unhandled error or exception

gauntletci analyze

Analyze a git diff for change-risk. Runs all enabled rules and reports findings. Exactly one diff source should be specified; if none is provided, diff content is read from stdin.

Flag	Type	Description
--diff <path>	file	Path to a .diff file
--commit <sha>	string	Commit SHA to analyze
--staged	bool	Analyze staged changes (git diff --cached)
--unstaged	bool	Analyze unstaged changes (git diff)
--all-changes	bool	Analyze all local changes: staged and unstaged
--repo <path>	directory	Repository root for config loading and git operations. Defaults to CWD.
--output <format>	string	Output format: text (default) or json
--sensitivity <level>	string	Confidence-based noise filter: strict (Block+High/Medium only), balanced (default: Block-all + Warn+High/Medium), permissive (all Block + all Warn)
--severity <level>	string	Minimum severity gate: info, warn (default), block. Applied before --sensitivity.
--verbose	bool	Show Info-severity findings. Equivalent to --severity info.
--with-llm	bool	Enable local LLM enrichment for High-confidence findings
--github-annotations	bool	Emit GitHub Actions workflow commands for inline PR annotations
--no-baseline	bool	Ignore the baseline file and show all findings
--show-context <n>	int	Include N surrounding diff lines around each finding
--no-banner	bool	Suppress the ASCII banner

Examples

# Analyze staged changes before a commit

$ gauntletci analyze --staged

# Analyze all local changes

$ gauntletci analyze --all-changes

# Analyze a specific commit

$ gauntletci analyze --commit abc1234

# Analyze from a saved diff file

$ gauntletci analyze --diff changes.diff

# Pipe from stdin

$ git diff HEAD | gauntletci analyze

# Output JSON for downstream tooling

$ gauntletci analyze --staged --output json

# Enable local LLM enrichment

$ gauntletci analyze --staged --with-llm

# Emit GitHub Actions inline annotations

$ gauntletci analyze --staged --github-annotations

# Strict CI gate: Block severity + High/Medium confidence only

$ gauntletci analyze --staged --sensitivity strict

# Show everything including low-confidence warnings

$ gauntletci analyze --staged --sensitivity permissive

gauntletci init

Install a pre-commit hook in the current repository. The hook runs gauntletci analyze --staged before every commit and blocks the commit if findings are detected.

$ gauntletci init

gauntletci baseline

Manage finding baselines. Capture a snapshot of current findings to suppress them from future runs; only net-new risks introduced after the baseline will be reported.

$ gauntletci baseline capture --staged

# Save current findings to .gauntletci-baseline.json

gauntletci doctor

Validate your installation and configuration. Checks that git, the .NET runtime, and optional dependencies like Ollama are correctly configured.

$ gauntletci doctor

Environment variables

Variable	Description
GITHUB_TOKEN	Personal access token for GitHub API. Required for corpus commands on private repos.
GAUNTLETCI_NO_BANNER	Set to any non-empty value to suppress the ASCII banner.
CI	Suppresses banner and telemetry prompt automatically.
GITHUB_ACTIONS	Suppresses banner and telemetry prompt (set automatically by GitHub Actions runners).
TF_BUILD	Suppresses banner and telemetry prompt (Azure Pipelines).

Next steps

Configuration

Customize rules and severity in .gauntletci.json

CI/CD Integrations

Use GauntletCI in GitHub Actions and Azure Pipelines

Local LLM Setup

Enable offline AI-powered finding explanations

Rule Library

Browse all 30 detection rules