How does GauntletCI compare to SonarQube?

SonarQube analyzes the entire codebase on a schedule and requires a server, account, and network access. GauntletCI analyzes only the lines that changed in the current diff, runs entirely on the developer's machine in under one second, requires no account or cloud connection, and installs as a pre-commit hook. SonarQube is a full codebase quality platform; GauntletCI is a focused change-risk detector that runs before a commit is ever created.

How does GauntletCI compare to Semgrep?

Semgrep is a pattern-matching engine that scans files or the full codebase. GauntletCI scopes every rule to the changed diff, meaning it only flags risks introduced by the current change, not pre-existing issues in unchanged files. GauntletCI also includes incident correlation, local LLM enrichment, and baseline delta mode, which Semgrep does not offer. GauntletCI's free tier includes all rules with no account required.

How does GauntletCI compare to Snyk?

Snyk is primarily a dependency and container vulnerability scanner that requires cloud connectivity and a Snyk account. GauntletCI detects behavioral, structural, and security risks in first-party code changes, not dependency vulnerabilities, and runs 100% locally with no data transmitted. GauntletCI is suitable for air-gapped environments and organizations with strict data residency requirements; Snyk is not.

How does GauntletCI compare to CodeQL / GitHub Advanced Security?

CodeQL performs deep semantic analysis of the full codebase and requires compilation and significant compute time, typically minutes per run. GauntletCI analyzes only the changed diff in under one second with no compilation step, making it suitable as a pre-commit hook in the developer's local workflow. CodeQL is better for periodic deep security audits; GauntletCI is better for fast, continuous feedback on every commit.

How does GauntletCI compare to Code Climate?

Code Climate is a SaaS platform that analyzes full repositories for maintainability and test coverage trends over time. It requires uploading code to a cloud service. GauntletCI is fully local, diff-scoped, and focused on change risk rather than codebase health metrics. GauntletCI does not require a cloud account, never transmits code, and produces results in under one second, making it a complement to, not a replacement for, Code Climate's longitudinal reporting.

Does GauntletCI work in air-gapped or offline environments?

Yes. GauntletCI runs entirely on the local machine. No diff, finding, file path, or telemetry is transmitted. The optional local LLM enrichment feature (--with-llm) uses a locally hosted Ollama model, with no network call. This makes GauntletCI suitable for classified, regulated, or air-gapped environments where cloud-based analysis tools are prohibited.

What is baseline delta mode and do other tools offer it?

Baseline delta mode (gauntletci baseline capture) snapshots all current findings and suppresses them from future runs. Only net-new findings (risks introduced after the baseline) are reported. This eliminates alert fatigue from pre-existing issues in legacy codebases. SonarQube offers a similar 'new code' concept but requires server setup. Semgrep, Snyk, CodeQL, and Code Climate do not offer equivalent pre-commit baseline suppression.

How do I integrate GauntletCI with GitLab CI?

Add a job with the mcr.microsoft.com/dotnet/sdk:8.0 image. Install the tool with dotnet tool install -g GauntletCI (then export PATH to include $HOME/.dotnet/tools), fetch the target branch, generate a diff with git diff origin/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME...HEAD > pr.diff, and run gauntletci analyze --diff pr.diff --no-banner.

How do I integrate GauntletCI with Bitbucket Pipelines?

Use the mcr.microsoft.com/dotnet/sdk:8.0 image. Install with dotnet tool install -g GauntletCI, fetch the destination branch, generate the diff with git diff origin/$BITBUCKET_PR_DESTINATION_BRANCH...HEAD > pr.diff, and run gauntletci analyze --diff pr.diff --no-banner.

How do I integrate GauntletCI with GitHub Actions?

Add a workflow that checks out the repo with fetch-depth: 0, installs the .NET 8 tool, then runs: git diff origin/${{ github.base_ref }}...HEAD > pr.diff and gauntletci analyze --diff pr.diff --github-annotations. The step exits with code 1 if blocking findings are detected, failing the check.

Does GauntletCI work with Azure Pipelines?

Yes. Add a pipeline step that installs GauntletCI with dotnet tool install -g GauntletCI, then runs git diff to generate a diff file and passes it to gauntletci analyze --diff pr.diff --no-banner.

Can GauntletCI run as a pre-commit hook instead of in CI?

Yes, and this is the fastest setup. Run gauntletci init in your repository to install a .git/hooks/pre-commit script. It runs gauntletci analyze --staged before every commit with no CI configuration required.

What does GauntletCI exit code 1 mean in a CI pipeline?

Exit code 1 means blocking findings were detected. This fails the CI check and blocks the PR merge. Developers must address the findings or update the baseline before the check passes.

Can I use GauntletCI with LLM enrichment in CI?

The built-in ONNX engine is not available in CI because loading a 2 GB model in an ephemeral runner is impractical. Configure a remote OpenAI-compatible endpoint via llm.ciEndpoint in .gauntletci.json to use LLM enrichment in CI.

CI/CD Integrations | GauntletCI Docs

CI/CD Integrations

GauntletCI runs anywhere that can execute a .NET tool. Install it with dotnet tool install -g GauntletCI on any runner that has .NET 8 available - GitHub Actions, GitLab CI, Azure Pipelines, Bitbucket Pipelines, or your local machine.

GitHub Actions

The simplest setup uses the published Marketplace action. Add this workflow to analyze every pull request:

name: GauntletCI Analysis

on:
  pull_request:
    branches: [main]

permissions:
  pull-requests: write   # required for inline-comments: 'true'

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: EricCogen/GauntletCI@v2.1.0
        with:
          sensitivity: 'balanced'
          inline-comments: 'true'
          fail-on-findings: 'true'

The action installs .NET, installs GauntletCI, runs analysis against the PR commit, and optionally posts findings as inline review comments. Set inline-comments: 'false' to write findings to the Actions log only.

Manual install (without the Marketplace action)

Use this approach if you need full control over the workflow steps or are pinning to a specific tool version.

name: GauntletCI Analysis

on:
  pull_request:
    branches: [main]

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '8.0.x'

      - name: Install GauntletCI
        run: dotnet tool install -g GauntletCI

      - name: Analyze PR diff
        run: |
          git diff origin/${{ github.base_ref }}...HEAD > pr.diff
          gauntletci analyze --diff pr.diff --github-annotations
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

The workflow exits with code 1 if blocking findings are detected, failing the check and blocking the merge until findings are addressed or accepted.

GitLab CI

Add this job to your .gitlab-ci.yml. The job runs only on merge request pipelines and uses the official Microsoft .NET SDK Docker image.

gauntletci-analysis:
  image: mcr.microsoft.com/dotnet/sdk:8.0
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  script:
    - export PATH="$PATH:$HOME/.dotnet/tools"
    - dotnet tool install -g GauntletCI
    - git fetch origin $CI_MERGE_REQUEST_TARGET_BRANCH_NAME
    - git diff origin/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME...HEAD > pr.diff
    - gauntletci analyze --diff pr.diff --no-banner --ascii
  allow_failure: false

GitLab CI exposes $CI_MERGE_REQUEST_TARGET_BRANCH_NAME automatically on merge request pipelines. The allow_failure: false line blocks the merge if findings are detected. Set it to true to make the job advisory only.

Azure Pipelines

trigger: none
pr:
  branches:
    include: [main]

pool:
  vmImage: ubuntu-latest

steps:
  - task: UseDotNet@2
    inputs:
      version: '8.0.x'

  - script: dotnet tool install -g GauntletCI
    displayName: Install GauntletCI

  - script: |
      git diff origin/$(System.PullRequest.TargetBranch)...HEAD > pr.diff
      gauntletci analyze --diff pr.diff --no-banner
    displayName: Analyze PR diff

Bitbucket Pipelines

Add this to your bitbucket-pipelines.yml. The job runs on all pull request branches using the Microsoft .NET SDK image.

image: mcr.microsoft.com/dotnet/sdk:8.0

pipelines:
  pull-requests:
    '**':
      - step:
          name: GauntletCI Analysis
          script:
            - export PATH="$PATH:$HOME/.dotnet/tools"
            - dotnet tool install -g GauntletCI
            - git fetch origin $BITBUCKET_PR_DESTINATION_BRANCH
            - git diff origin/$BITBUCKET_PR_DESTINATION_BRANCH...HEAD > pr.diff
            - gauntletci analyze --diff pr.diff --no-banner --ascii

Bitbucket exposes $BITBUCKET_PR_DESTINATION_BRANCH automatically on pull request pipelines. The step fails (blocking merge) if GauntletCI exits with code 1.

Pre-commit hook (local)

The fastest setup. Runs automatically before every commit; no CI required.

$ cd your-repo

$ gauntletci init

This installs a .git/hooks/pre-commit script that runs gauntletci analyze --staged on every commit attempt. The commit is blocked if exit code 1 is returned.

Exit code behavior

Exit code	Meaning	CI result
0	No findings	Pass
1	Findings detected	Fail / block merge
2	Unhandled error	Fail

Control which severity triggers a failure via exitOn in your .gauntletci.json.

JSON output for downstream tooling

Use --output json to consume findings in scripts, dashboards, or custom integrations.

With jq

$ gauntletci analyze --staged --output json | jq .findings

With PowerShell (no jq required)

PS> gauntletci analyze --staged --output json | ConvertFrom-Json | Select-Object -ExpandProperty findings

With Python (no jq required)

$ gauntletci analyze --staged --output json | python -c "import sys,json; data=json.load(sys.stdin); print(json.dumps(data['findings'], indent=2))"

Save to file

$ gauntletci analyze --staged --output json > report.json

Writing to a file works with any downstream tool: upload to S3, attach to a Slack notification, parse in a build script, or archive as a CI artifact.

LLM enrichment in CI/CD

The built-in ONNX engine (Option 1 in the Local LLM Setup docs) is not available in CI. Loading a 2 GB model in an ephemeral runner is impractical. To use --with-llm in CI, configure a remote OpenAI-compatible endpoint:

# In your CI environment secrets
GAUNTLETCI_LLM_API_KEY=sk-...

# In .gauntletci.json
{
  "llm": {
    "ciEndpoint": "https://api.openai.com/v1",
    "ciModel": "gpt-4o-mini"
  }
}

If --with-llm is passed in CI with no endpoint configured, GauntletCI prints a loud warning to stderr and skips enrichment. Detection findings are still reported normally.