GitHub Action
The GauntletCI GitHub Action analyzes every pull request against your repository rules and optionally posts findings as inline review comments - without any runner setup or credentials beyond the default GITHUB_TOKEN.
Quickstart
Add this workflow to .github/workflows/gauntletci.yml in your repository. No additional configuration is required.
```yaml
name: GauntletCI
on:
  pull_request:
    branches: [main]
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: EricCogen/GauntletCI@v2.8.1
```

This runs with all defaults: `sensitivity: balanced` filters noise while keeping Block and Warn findings visible, and `fail-on-findings: true` fails the check only when GauntletCI exits non-zero, which by default happens on Block-severity findings (set `exitOn: Warn` in `.gauntletci.json` to also fail on warnings). Inline comments are off unless enabled. To post findings as inline PR review comments, grant `pull-requests: write` and set `inline-comments: 'true'`.
Full example with inline comments
```yaml
name: GauntletCI
on:
  pull_request:
    branches: [main]
permissions:
  contents: read       # checkout still needs read access once a permissions block is declared
  pull-requests: write # required for inline-comments: 'true'
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: EricCogen/GauntletCI@v2.8.1
        id: gauntlet
        with:
          sensitivity: 'balanced'
          inline-comments: 'true'
          fail-on-findings: 'true'
      - name: Print findings count
        if: always()
        run: |
          echo "Findings count: ${{ steps.gauntlet.outputs.findings-count }}"
```

Declaring a `permissions` block sets every scope you do not list to `none`, so keep `contents: read` alongside `pull-requests: write` or `actions/checkout` loses access to the repository.

How inline comments look
When inline-comments: 'true' is set, GauntletCI posts each finding as a GitHub review comment on the exact diff line it originated from.
gauntletci-bot commented
[Block] GCI0001 - Behavior Change Without Test Coverage
Summary: SaveAsync was modified but no test file covering OrderService was updated.
Suggested action: Add or update a test that exercises the new behavior before merging.
Inputs
| Input | Default | Description |
|---|---|---|
| sensitivity | "balanced" | One of strict, balanced, or permissive. Controls which confidence levels trigger findings. |
| fail-on-findings | "true" | Pass through GauntletCI exit code. Block-severity findings fail by default; set exitOn to Warn in .gauntletci.json to also fail on warnings. |
| inline-comments | "false" | Post findings as inline PR review comments. Requires pull-requests: write. |
| no-llm | "true" | Disable LLM enrichment. Recommended for CI - keeps the step deterministic and fast. |
| ascii | "true" | Use ASCII-only output. Recommended for CI logs - avoids encoding issues. |
| commit | "" | Commit SHA to analyze. Defaults to the PR head commit (github.event.pull_request.head.sha). |
| dotnet-version | "8.0.x" | The .NET SDK version to install on the runner. |
| gauntletci-version | "2.8.1" | The GauntletCI NuGet tool version to install. |
Outputs
| Output | Description |
|---|---|
| findings-count | Number of findings detected. Reference as ${{ steps.<id>.outputs.findings-count }} in downstream steps. |
Permissions required
| Feature | Permission needed |
|---|---|
| Basic analysis (no comments) | None beyond the default GITHUB_TOKEN permissions |
| Inline PR review comments | pull-requests: write (must be set explicitly; not available on pull_request runs from forked repositories, where GITHUB_TOKEN is read-only) |
| Direct CLI GitHub Checks | checks: write plus GITHUB_TOKEN in the step environment |
| Direct CLI SARIF upload | security-events: write for github/codeql-action/upload-sarif |
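As an added example (not part of the GauntletCI documentation or the project's own workflow files), the following workflow combines the permissions above with the fork limitation: the `permissions` block grants only what the table lists (`contents: read` for checkout, `pull-requests: write` for comments), inline comments are requested only when the PR head lives in this repository, and the `findings-count` output is written to the job summary even when the check passes. The step id `gauntlet`, the step names and the summary wording are my choices; how the action behaves when comments are requested with a read-only token is not documented here, which is why the guard does not request them at all for fork PRs.

```yaml
name: GauntletCI
on:
  pull_request:
    branches: [main]

# Declaring any scope sets every unlisted scope to none, so contents: read
# must be spelled out or actions/checkout loses read access on private repos.
permissions:
  contents: read
  pull-requests: write

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: EricCogen/GauntletCI@v2.8.1
        id: gauntlet
        with:
          sensitivity: 'balanced'
          fail-on-findings: 'true'
          # pull_request runs triggered from a fork receive a read-only
          # GITHUB_TOKEN, so only request review comments for same-repo PRs.
          inline-comments: ${{ github.event.pull_request.head.repo.full_name == github.repository && 'true' || 'false' }}

      # Surface the count in the job summary even if the step above failed
      # the check (if: always() keeps this running after a non-zero exit).
      # The output is passed through an environment variable rather than
      # interpolated into the script, so it can never be executed as shell.
      - name: Summarize findings
        if: always()
        env:
          COUNT: ${{ steps.gauntlet.outputs.findings-count }}
        run: |
          {
            echo "## GauntletCI"
            echo "Findings: ${COUNT:-unknown}"
          } >> "$GITHUB_STEP_SUMMARY"
```

If the repository accepts pull requests from forks, this is the shape to start from: the same-repo expression keeps the comment path on the token that can actually use it, and the summary step still reports the count for fork PRs. For supply-chain hygiene, pin `EricCogen/GauntletCI` to the full commit SHA of the release you audited (with the tag in a trailing comment) rather than the mutable `v2.8.1` tag; the SHA is not reproduced here.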
GitHub Checks and SARIF preview
The composite action is the shortest path for inline PR review comments. If you want GitHub Checks API annotations or SARIF upload, use direct CLI workflow steps so you can pass the required token, commit SHA, and permissions explicitly.
Preview Checks and SARIF output →

Advisory-only mode
To run GauntletCI as an informational check that never blocks merges, set fail-on-findings: 'false'. Findings still appear in the job log and as inline comments (if enabled), but the check always passes.
```yaml
- uses: EricCogen/GauntletCI@v2.8.1
  with:
    fail-on-findings: 'false'
    inline-comments: 'true'
    sensitivity: 'permissive'
```