How does GauntletCI compare to SonarQube?

SonarQube analyzes the entire codebase on a schedule and requires a server, account, and network access. GauntletCI analyzes only the lines that changed in the current diff, runs entirely on the developer's machine in under one second, requires no account or cloud connection, and installs as a pre-commit hook. SonarQube is a full codebase quality platform; GauntletCI is a focused change-risk detector that runs before a commit is ever created.

How does GauntletCI compare to Semgrep?

Semgrep is a pattern-matching engine that scans files or the full codebase. GauntletCI scopes every rule to the changed diff, meaning it only flags risks introduced by the current change, not pre-existing issues in unchanged files. GauntletCI also includes incident correlation, local LLM enrichment, and baseline delta mode, which Semgrep does not offer. GauntletCI's free tier includes all rules with no account required.

How does GauntletCI compare to Snyk?

Snyk is primarily a dependency and container vulnerability scanner that requires cloud connectivity and a Snyk account. GauntletCI detects behavioral, structural, and security risks in first-party code changes, not dependency vulnerabilities, and runs 100% locally with no data transmitted. GauntletCI is suitable for air-gapped environments and organizations with strict data residency requirements; Snyk is not.

How does GauntletCI compare to CodeQL / GitHub Advanced Security?

CodeQL performs deep semantic analysis of the full codebase and requires compilation and significant compute time, typically minutes per run. GauntletCI analyzes only the changed diff in under one second with no compilation step, making it suitable as a pre-commit hook in the developer's local workflow. CodeQL is better for periodic deep security audits; GauntletCI is better for fast, continuous feedback on every commit.

How does GauntletCI compare to Code Climate?

Code Climate is a SaaS platform that analyzes full repositories for maintainability and test coverage trends over time. It requires uploading code to a cloud service. GauntletCI is fully local, diff-scoped, and focused on change risk rather than codebase health metrics. GauntletCI does not require a cloud account, never transmits code, and produces results in under one second, making it a complement to, not a replacement for, Code Climate's longitudinal reporting.

Does GauntletCI work in air-gapped or offline environments?

Yes. GauntletCI runs entirely on the local machine. No diff, finding, file path, or telemetry is transmitted. The optional local LLM enrichment feature (--with-llm) uses a locally hosted Ollama model, with no network call. This makes GauntletCI suitable for classified, regulated, or air-gapped environments where cloud-based analysis tools are prohibited.

What is baseline delta mode and do other tools offer it?

Baseline delta mode (gauntletci baseline capture) snapshots all current findings and suppresses them from future runs. Only net-new findings (risks introduced after the baseline) are reported. This eliminates alert fatigue from pre-existing issues in legacy codebases. SonarQube offers a similar 'new code' concept but requires server setup. Semgrep, Snyk, CodeQL, and Code Climate do not offer equivalent pre-commit baseline suppression.

Is GauntletCI zero-config?

Yes. GauntletCI works out of the box with no configuration file required. All 30+ rules are enabled by default. Place a .gauntletci.json file at your repository root to customize behavior.

How do I disable a specific rule?

Set the rule to disabled in .gauntletci.json: { "rules": { "GCI0001": { "enabled": false } } }. Replace GCI0001 with the rule ID you want to disable.

How do I control which severity level fails the build?

Set exitOn in .gauntletci.json. "Block" (default) exits with code 1 only on blocking findings. "Warn" exits with code 1 on warnings too.

How do I suppress pre-existing findings in a legacy codebase?

Run gauntletci baseline capture --staged to snapshot current findings into .gauntletci-baseline.json. Future runs only report net-new risks introduced after the baseline. Commit the baseline file to share it with your team.

Can I change a rule severity without disabling it?

Yes. Set the severity field in .gauntletci.json per rule: { "rules": { "GCI0014": { "enabled": true, "severity": "Warn" } } }. Valid values are Block and Warn.

Configuration

Configuration Reference

GauntletCI is zero-config by default. Place a .gauntletci.json file at your repository root to customize behavior.

Minimal example

{
  "rules": {
    "GCI0001": { "enabled": false }
  },
  "exitOn": "Block"
}

Full example

{
  "rules": {
    "GCI0001": { "enabled": false },
    "GCI0014": { "enabled": true, "severity": "Warn" }
  },
  "exitOn": "Block",
  "llm": {
    "model": "phi4-mini:latest",
    "embeddingOllamaUrl": "http://localhost:11434"
  },
  "experimental": {
    "engineeringPolicy": {
      "enabled": true,
      "path": "docs/engineering-rules.md"
    }
  }
}

Options

rulesobject

Per-rule configuration. Keys are rule IDs (e.g. GCI0001). Each value supports enabled (boolean) and optionally severity (Block or Warn).

exitOnstring - default: "Block"

Controls which finding severity causes a non-zero exit code.Block exits 1 only on blocking findings;Warn exits 1 on warnings too.

llm.modelstring - default: "phi4-mini:latest"

The Ollama model used for both LLM enrichment (--with-llm) and expert-context embeddings. Defaults to phi4-mini:latest.

llm.embeddingOllamaUrlstring

Base URL of the Ollama server. Defaults to http://localhost:11434.

forbiddenImportsobject

Per-layer forbidden import rules for GCI0035. Key: source namespace fragment. Value: list of forbidden target namespace fragments.

"forbiddenImports": {
  "Api": ["Infrastructure", "Data"],
  "Domain": ["Infrastructure"]
}

experimental.engineeringPolicyobject

Enable engineering policy enforcement. Point path at a markdown file containing your team's rules. GauntletCI will evaluate diffs against them using the local LLM.

Suppressing findings with a baseline

To suppress pre-existing findings in a legacy codebase, capture a baseline. Future runs will only report net-new risks introduced after the snapshot.

$ gauntletci baseline capture --staged

This writes .gauntletci-baseline.json to your repo root. Commit it to share the baseline with your team.

Next steps

CLI Reference

All commands, flags, and exit codes

Rule Library

Browse all 30 detection rules by category

CI/CD Integrations

GitHub Actions, Azure Pipelines, and pre-commit hooks