How does GauntletCI compare to SonarQube?

SonarQube analyzes the entire codebase on a schedule and requires a server, account, and network access. GauntletCI analyzes only the lines that changed in the current diff, runs entirely on the developer's machine in under one second, requires no account or cloud connection, and installs as a pre-commit hook. SonarQube is a full codebase quality platform; GauntletCI is a focused change-risk detector that runs before a commit is ever created.

How does GauntletCI compare to Semgrep?

Semgrep is a pattern-matching engine that scans files or the full codebase. GauntletCI scopes every rule to the changed diff, meaning it only flags risks introduced by the current change, not pre-existing issues in unchanged files. GauntletCI also includes incident correlation, local LLM enrichment, and baseline delta mode, which Semgrep does not offer. GauntletCI's free tier includes all rules with no account required.

How does GauntletCI compare to Snyk?

Snyk is primarily a dependency and container vulnerability scanner that requires cloud connectivity and a Snyk account. GauntletCI detects behavioral, structural, and security risks in first-party code changes, not dependency vulnerabilities, and runs 100% locally with no data transmitted. GauntletCI is suitable for air-gapped environments and organizations with strict data residency requirements; Snyk is not.

How does GauntletCI compare to CodeQL / GitHub Advanced Security?

CodeQL performs deep semantic analysis of the full codebase and requires compilation and significant compute time, typically minutes per run. GauntletCI analyzes only the changed diff in under one second with no compilation step, making it suitable as a pre-commit hook in the developer's local workflow. CodeQL is better for periodic deep security audits; GauntletCI is better for fast, continuous feedback on every commit.

How does GauntletCI compare to Code Climate?

Code Climate is a SaaS platform that analyzes full repositories for maintainability and test coverage trends over time. It requires uploading code to a cloud service. GauntletCI is fully local, diff-scoped, and focused on change risk rather than codebase health metrics. GauntletCI does not require a cloud account, never transmits code, and produces results in under one second, making it a complement to, not a replacement for, Code Climate's longitudinal reporting.

Does GauntletCI work in air-gapped or offline environments?

Yes. GauntletCI runs entirely on the local machine. No diff, finding, file path, or telemetry is transmitted. The optional local LLM enrichment feature (--with-llm) uses a locally hosted Ollama model, with no network call. This makes GauntletCI suitable for classified, regulated, or air-gapped environments where cloud-based analysis tools are prohibited.

What is baseline delta mode and do other tools offer it?

Baseline delta mode (gauntletci baseline capture) snapshots all current findings and suppresses them from future runs. Only net-new findings (risks introduced after the baseline) are reported. This eliminates alert fatigue from pre-existing issues in legacy codebases. SonarQube offers a similar 'new code' concept but requires server setup. Semgrep, Snyk, CodeQL, and Code Climate do not offer equivalent pre-commit baseline suppression.

Do I need to register a custom rule anywhere?

No. RuleOrchestrator.CreateDefault() discovers all IRule implementations in the assembly via reflection. Drop the class in src/GauntletCI.Core/Rules/Implementations/ and it runs automatically.

What rule ID should I use for a custom rule?

Check docs/rules.md for the current registry. Pick the next unused GCI00XX ID. Never reuse a retired ID - existing IDs are never renumbered so that baseline fingerprints remain stable.

Can my rule access configuration?

Yes. Implement IConfigurableRule in addition to IRule (or extend RuleBase). The orchestrator calls Configure(GauntletConfig config) before evaluation. See GCI0035_ArchitectureLayerGuard.cs for a real example.

What is the engineering policy feature?

The experimental.engineeringPolicy config block lets teams define plain-English rules in a markdown file. GauntletCI evaluates diffs against them using a local LLM. No code required.

Custom Rules

Writing Custom Rules

GauntletCI is open source. All 35 built-in rules follow the same pattern. Adding a custom rule means implementing one interface, placing the file in one directory, and writing tests. No registration step is needed.

Two paths to custom detection

Code-based rule

Implement IRule in C#, place the file in src/GauntletCI.Core/Rules/Implementations/, run tests. Works for any pattern expressible against the diff or Roslyn AST. Best for precision and performance.

Engineering policy (no code)

Define team rules in a plain-text markdown file. GauntletCI evaluates diffs against them using a local LLM. Enable with experimental.engineeringPolicy in .gauntletci.json. See the configuration reference.

Step 1 - Choose an ID

Check docs/rules.md in the repository for the current ID registry. Pick the next unused GCI00XX slot. Never reuse a retired ID. Existing IDs are never renumbered - gaps in the sequence reflect rules that were retired or merged as the engine evolved.

Step 2 - Create the rule file

Create src/GauntletCI.Core/Rules/Implementations/GCI00XX_YourRuleName.cs. Extend RuleBase (which implements IRule) and override Id, Name, and EvaluateAsync.

// SPDX-License-Identifier: Elastic-2.0
using GauntletCI.Core.Analysis;
using GauntletCI.Core.Model;

namespace GauntletCI.Core.Rules.Implementations;

/// <summary>
/// GCI00XX - Your Rule Name
/// One-sentence description of what this rule detects.
/// </summary>
public class GCI00XX_YourRuleName : RuleBase
{
    public override string Id   => "GCI00XX";
    public override string Name => "Your Rule Name";

    public override Task<List<Finding>> EvaluateAsync(
        AnalysisContext context, CancellationToken ct = default)
    {
        var findings = new List<Finding>();

        foreach (var file in context.Diff.Files)
        {
            foreach (var line in file.AddedLines)
            {
                if (!line.Content.Contains("YOUR_PATTERN", StringComparison.Ordinal))
                    continue;

                findings.Add(CreateFinding(
                    file:            file,
                    line:            line,
                    summary:         "Short description of what was found.",
                    evidence:        line.Content.Trim(),
                    whyItMatters:    "Why this pattern is risky in production.",
                    suggestedAction: "Concrete step the developer can take to fix it.",
                    confidence:      Confidence.Medium));
            }
        }

        return Task.FromResult(findings);
    }
}

No registration needed. RuleOrchestrator.CreateDefault() discovers all IRule implementations in the assembly via reflection. Drop the file and it runs.

Step 3 - Key APIs

AnalysisContext

Passed to every rule. Contains the filtered diff and optional static analysis results.

Property	Type	Description
context.Diff	DiffContext	The full diff, pre-filtered to eligible C# files
context.Diff.Files	IList<DiffFile>	All changed files in the diff
context.EligibleFiles	IReadOnlyList<...>	File classification metadata (path, classification, source text)
context.StaticAnalysis	AnalyzerResult?	Roslyn diagnostics and symbol data (may be null)
context.Syntax	SyntaxContext?	Roslyn syntax trees per file for AST-level analysis
context.TargetFramework	string?	Target framework moniker detected from .csproj (e.g. net8.0)

DiffFile

Property	Description
file.NewPath	File path after the change
file.AddedLines	Lines added in this diff (the + lines)
file.RemovedLines	Lines removed in this diff (the - lines)
file.Hunks	All diff hunks; each hunk has .Lines with +/- and context lines

CreateFinding() overloads

// Diff-wide finding (no file/line attribution)
CreateFinding(summary, evidence, whyItMatters, suggestedAction, confidence);

// File-level finding
CreateFinding(file, summary, evidence, whyItMatters, suggestedAction, confidence);

// Line-level finding (most precise)
CreateFinding(file, summary, evidence, whyItMatters, suggestedAction, confidence, line);

Confidence	Meaning
High	Pattern is almost certainly a problem; reviewer should block
Medium	Likely a problem; reviewer should verify before merging
Low	Possible concern; reviewer should be aware

Step 4 - Configurable rules (optional)

If your rule needs access to .gauntletci.json values at evaluation time, implement IConfigurableRule. The orchestrator calls Configure() once after discovery.

public class GCI00XX_YourRuleName : RuleBase, IConfigurableRule
{
    private GauntletConfig _config = new();

    public void Configure(GauntletConfig config) => _config = config;

    public override Task<List<Finding>> EvaluateAsync(
        AnalysisContext context, CancellationToken ct = default)
    {
        // Access _config.Rules["GCI00XX"], _config.ForbiddenImports, etc.
    }
}

See GCI0035_ArchitectureLayerGuard.cs for a complete example using ForbiddenImports from config.

Step 5 - Write tests

Create src/GauntletCI.Tests/Rules/GCI00XXTests.cs. Cover at minimum: one true positive, one false positive, and one edge case (empty diff, test-file exclusion, etc.).

public class GCI00XXTests
{
    private static Task<List<Finding>> Run(string rawDiff)
    {
        var rule = new GCI00XX_YourRuleName();
        var diff = DiffParser.Parse(rawDiff);
        var context = new AnalysisContext { Diff = diff };
        return rule.EvaluateAsync(context);
    }

    [Fact]
    public async Task TruePositive_PatternPresent_ShouldFlag()
    {
        var findings = await Run("""
            diff --git a/src/MyFile.cs b/src/MyFile.cs
            index abc..def 100644
            --- a/src/MyFile.cs
            +++ b/src/MyFile.cs
            @@ -1,3 +1,4 @@
             namespace MyApp;
            +YOUR_PATTERN_HERE
            """);

        Assert.Single(findings);
        Assert.Equal("GCI00XX", findings[0].RuleId);
    }

    [Fact]
    public async Task FalsePositive_SafePattern_ShouldNotFlag()
    {
        var findings = await Run("""
            diff --git a/src/MyFile.cs b/src/MyFile.cs
            index abc..def 100644
            --- a/src/MyFile.cs
            +++ b/src/MyFile.cs
            @@ -1,3 +1,4 @@
             namespace MyApp;
            +SAFE_EQUIVALENT_HERE
            """);

        Assert.Empty(findings);
    }
}

Rule inclusion criteria

GauntletCI rules detect behavioral risk in diffs, not style. A rule is eligible for inclusion if it meets all of the following criteria from CHARTER.md:

+The pattern has caused production incidents in real systems
+It is detectable from the diff alone (no runtime information required)
+It produces a low false-positive rate on typical PRs
+The finding is actionable - a developer can fix it immediately

Rules that check formatting, naming conventions, or code style are not eligible.

Contributing your rule

Once your rule has tests and passes the inclusion criteria, open a pull request. See the CONTRIBUTING.md for the full workflow, commit conventions, and step-by-step rule writing guide.

Next steps

Rule Library

Browse all 30 built-in detection rules

Configuration

Engineering policy and .gauntletci.json options

CLI Reference

All commands, flags, and exit codes