How does GauntletCI compare to SonarQube?

SonarQube analyzes the entire codebase on a schedule and requires a server, account, and network access. GauntletCI analyzes only the lines that changed in the current diff, runs entirely on the developer's machine in under one second, requires no account or cloud connection, and installs as a pre-commit hook. SonarQube is a full codebase quality platform; GauntletCI is a focused change-risk detector that runs before a commit is ever created.

How does GauntletCI compare to Semgrep?

Semgrep is a pattern-matching engine that scans files or the full codebase. GauntletCI scopes every rule to the changed diff, meaning it only flags risks introduced by the current change, not pre-existing issues in unchanged files. GauntletCI also includes incident correlation, local LLM enrichment, and baseline delta mode, which Semgrep does not offer. GauntletCI's free tier includes all rules with no account required.

How does GauntletCI compare to Snyk?

Snyk is primarily a dependency and container vulnerability scanner that requires cloud connectivity and a Snyk account. GauntletCI detects behavioral, structural, and security risks in first-party code changes, not dependency vulnerabilities, and runs 100% locally with no data transmitted. GauntletCI is suitable for air-gapped environments and organizations with strict data residency requirements; Snyk is not.

How does GauntletCI compare to CodeQL / GitHub Advanced Security?

CodeQL performs deep semantic analysis of the full codebase and requires compilation and significant compute time, typically minutes per run. GauntletCI analyzes only the changed diff in under one second with no compilation step, making it suitable as a pre-commit hook in the developer's local workflow. CodeQL is better for periodic deep security audits; GauntletCI is better for fast, continuous feedback on every commit.

How does GauntletCI compare to Code Climate?

Code Climate is a SaaS platform that analyzes full repositories for maintainability and test coverage trends over time. It requires uploading code to a cloud service. GauntletCI is fully local, diff-scoped, and focused on change risk rather than codebase health metrics. GauntletCI does not require a cloud account, never transmits code, and produces results in under one second, making it a complement to, not a replacement for, Code Climate's longitudinal reporting.

Does GauntletCI work in air-gapped or offline environments?

Yes. GauntletCI runs entirely on the local machine. No diff, finding, file path, or telemetry is transmitted. The optional local LLM enrichment feature (--with-llm) uses a locally hosted Ollama model, with no network call. This makes GauntletCI suitable for classified, regulated, or air-gapped environments where cloud-based analysis tools are prohibited.

What is baseline delta mode and do other tools offer it?

Baseline delta mode (gauntletci baseline capture) snapshots all current findings and suppresses them from future runs. Only net-new findings (risks introduced after the baseline) are reported. This eliminates alert fatigue from pre-existing issues in legacy codebases. SonarQube offers a similar 'new code' concept but requires server setup. Semgrep, Snyk, CodeQL, and Code Climate do not offer equivalent pre-commit baseline suppression.

What is the GauntletCI MCP server?

The MCP server exposes GauntletCI analysis as tools that any MCP-compatible AI assistant can call. When you ask your AI to check for risks in the current commit, it calls GauntletCI locally and returns the structured findings.

Does the MCP server send my code anywhere?

No. The MCP server calls the local GauntletCI CLI, which analyzes your diff entirely on your machine. Nothing is sent to any external service - not to the MCP server host, not to any GauntletCI cloud endpoint.

Which AI assistants support MCP?

Claude Desktop, GitHub Copilot (VS Code), Cursor, and any other assistant that implements the Model Context Protocol. The configuration format differs slightly per client - see the setup sections below.

What tools does the GauntletCI MCP server expose?

Three tools: analyze_commit returns findings as readable text, get_findings_json returns raw structured JSON for programmatic use, and get_sarif returns a SARIF 2.1.0 report compatible with GitHub Advanced Security and the VS Code SARIF viewer.

Extensions - MCP Server

MCP Server

The GauntletCI MCP server gives your AI coding assistant direct access to behavioral change risk analysis. Ask Claude, Copilot, or Cursor to check your current commit for risks - the assistant calls GauntletCI locally and explains the findings in context with your question.

How it works

The Model Context Protocol is an open standard that lets AI assistants call external tools. The GauntletCI MCP server is a local Node.js process that listens on stdin/stdout. When your assistant calls the analyze_commit tool, the server runs gauntletci analyze in the directory you specify and returns the findings as structured text.

AI Assistant

Claude / Copilot / Cursor

MCP (stdio)

gauntletci-mcp

Node.js (local)

CLI spawn

GauntletCI CLI

.NET tool (local)

All processing is local. No code or diff content leaves your machine.

Prerequisites

+Node.js 20 or later
+GauntletCI CLI: dotnet tool install -g GauntletCI
+An MCP-compatible AI assistant (Claude Desktop, Copilot, or Cursor)

Install the MCP server

$ npm install -g @ericcogen/gauntletci-mcp

Or clone and build from source for the latest changes:

$ git clone https://github.com/EricCogen/GauntletCI-MCP

$ cd GauntletCI-MCP && npm install && npm run build

Setup: Claude Desktop

Add the server to your Claude Desktop config file. On macOS the file is at ~/Library/Application Support/Claude/claude_desktop_config.json. On Windows it is at %APPDATA%\Claude\claude_desktop_config.json.

{
  "mcpServers": {
    "gauntletci": {
      "command": "node",
      "args": ["/path/to/gauntletci-mcp/dist/index.js"]
    }
  }
}

Replace /path/to/gauntletci-mcp/dist/index.js with the absolute path to the built server. Restart Claude Desktop after saving.

Setup: GitHub Copilot (VS Code)

Create or update .vscode/mcp.json in your workspace. This scopes the server to projects that use it.

{
  "servers": {
    "gauntletci": {
      "type": "stdio",
      "command": "node",
      "args": ["${workspaceFolder}/node_modules/.bin/gauntletci-mcp"]
    }
  }
}

Setup: Cursor

In Cursor, open Settings > MCP and add the server configuration, or add it directly to ~/.cursor/mcp.json:

{
  "mcpServers": {
    "gauntletci": {
      "command": "npx",
      "args": ["-y", "@ericcogen/gauntletci-mcp"]
    }
  }
}

Available tools

Tool	Description	Parameters
analyze_commit	Run GauntletCI on HEAD and return findings as readable structured text.	workingDirectory (required), sensitivity (optional)
get_findings_json	Run GauntletCI and return the raw JSON result for programmatic processing.	workingDirectory (required), sensitivity (optional)
get_sarif	Run GauntletCI and return a SARIF 2.1.0 report for ingestion into GHAS or the VS Code SARIF viewer.	workingDirectory (required)

The sensitivity parameter accepts strict, balanced (default), or permissive.

Example prompts

Once the MCP server is connected, you can ask your AI assistant directly about your commit. The assistant calls GauntletCI, parses the results, and responds in natural language.

You

Run GauntletCI on the repo at /Users/eric/projects/myapp and tell me what risks it found.

AI Assistant

I ran GauntletCI on the current HEAD commit. It found 3 issues: [Block] GCI0001 in OrderService.cs:44 - Behavior change without test coverage. SaveAsync was modified but no test file covering OrderService was updated. Add a test covering the new behavior before merging. [Block] GCI0003 in PaymentService.cs:112 - A new exception path was introduced but no call sites were updated to handle it. This may cause unhandled exceptions in production. [Warn] GCI0004 in Models/Order.cs:23 - Return type semantics changed from non-nullable to nullable. Callers may not be checking for null.

You

Can you explain why the GCI0003 finding is a problem?

AI Assistant

GCI0003 fires when a method now throws a new exception type that no existing call sites are prepared to catch. In this case, PaymentService.ProcessPayment now throws InvalidOperationException under a condition that didn't exist before. If callers swallow all exceptions or only catch specific types, this new exception will propagate up as an unhandled crash at runtime - even if all existing tests pass, because the tests exercise the happy path that doesn't trigger the new branch.

Suggested prompts

"Are there any block-level risks in my current commit?"

"Get the GauntletCI SARIF report for this repo and summarize the top issues."

"Run GauntletCI in strict mode and explain any findings related to async code."

"What does finding GCI0003 mean and how do I fix it?"