Local LLM Setup

GauntletCI can enrich high-confidence findings with plain-English explanations using a locally hosted model. No code is sent to any external service. The model runs entirely on your machine.

Optional feature

LLM enrichment is opt-in. The detection engine is fully deterministic and does not require a model to function; the LLM only adds plain-English explanations to findings.
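For example, the two commands below run the same deterministic analysis; only the second adds explanations, and it assumes a model from Option 1 or an Ollama endpoint is available:

# Deterministic analysis only (no model required)
$ gauntletci analyze --staged

# Same findings, plus plain-English explanations on high-confidence ones
$ gauntletci analyze --staged --with-llm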

Option 1: Built-in ONNX engine

No external runtime required. GauntletCI ships with a built-in ONNX inference engine powered by Microsoft.ML.OnnxRuntimeGenAI. You only need to download the model once.

Step 1: Download the model

# Downloads Phi-4 Mini INT4 (~2 GB) from HuggingFace

$ gauntletci model download

The model is cached to ~/.gauntletci/models/phi4-mini/ and only needs to be downloaded once. Subsequent runs load from the local cache.
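To confirm the download landed, list the cache directory (the exact file names depend on the model package, but the ONNX weights and the model's configuration files should be present):

$ ls ~/.gauntletci/models/phi4-mini/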

Step 2: Run analysis with enrichment

$ gauntletci analyze --staged --with-llm

High-confidence findings include a plain-English explanation of the risk and a suggested action. The ONNX engine runs fully in-process; no external runtime or service is required.

How the daemon works (and when it does not matter)

On a developer machine, GauntletCI keeps the model loaded in a background daemon between runs. This avoids a 2-3 second reload on each invocation when you run gauntletci analyze multiple times in a session.

The daemon is a local-dev optimization only. If it cannot be started, GauntletCI loads LocalLlmEngine directly in-process as a fallback. The daemon is never used in CI/CD; see the section below on CI/CD usage.

Hardware acceleration

On Windows the ONNX engine uses DirectML to run on the GPU automatically. On macOS and Linux it falls back to CPU. No driver or CUDA setup required.

Custom model path (optional)

Override the default model directory in .gauntletci.json:

{
  "llm": {
    "modelPath": "~/.gauntletci/models/phi4-mini"
  }
}
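The path can also be absolute, for example if the model sits on a shared or secondary disk. This variant assumes modelPath accepts absolute paths; the location is purely illustrative:

{
  "llm": {
    "modelPath": "/opt/gauntletci/models/phi4-mini"
  }
}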

Option 2: Ollama (if you already run Ollama)

If you already have an Ollama instance running locally or on your network, GauntletCI can use it instead of the built-in ONNX engine. This is useful for teams that share a single Ollama server or prefer to manage models via Ollama.

Step 1: Pull the model in Ollama

# Start Ollama if not already running

$ ollama serve

# Pull the default model

$ ollama pull phi4-mini:latest

Step 2: Configure the Ollama endpoint

Add an Ollama endpoint to .gauntletci.json. When this is set, GauntletCI uses Ollama instead of the local ONNX engine.

{
  "llm": {
    "model": "phi4-mini:latest"
  },
  "corpus": {
    "ollamaEndpoints": [
      { "url": "http://localhost:11434", "enabled": true }
    ]
  }
}

Any Ollama-hosted model can be used. phi4-mini:latest is the recommended default. For Ollama installation, see ollama.com/download.
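If your team shares one Ollama server, point the url above at that host instead of localhost. Either way, you can confirm the endpoint is reachable and the model has been pulled with Ollama's standard tag-listing API:

# Lists the models available on the configured Ollama endpoint
$ curl http://localhost:11434/api/tags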

Using --with-llm in CI/CD

ONNX is not available in CI/CD

Loading a 2 GB model in an ephemeral CI runner is impractical, so GauntletCI disables the built-in engine there: when CI environment variables are detected (CI, GITHUB_ACTIONS, TF_BUILD, etc.), the ONNX engine is bypassed entirely and only remote LLM endpoints are used.

To use --with-llm in a CI pipeline, configure a remote OpenAI-compatible endpoint and a license key in your repository config or as environment variables:

{
  "llm": {
    "ciEndpoint": "https://api.openai.com/v1",
    "ciModel": "gpt-4o-mini"
  }
}

Set the API key as a secret in your CI environment:

$ export GAUNTLETCI_LLM_API_KEY=sk-...
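As an illustration, a GitHub Actions step might wire this together as follows. The sketch assumes GauntletCI is already installed on the runner, that .gauntletci.json carries the ciEndpoint and ciModel settings above, and that the key is stored as a repository secret under the same name:

# Illustrative GitHub Actions step (not an official template)
- name: GauntletCI analysis with LLM enrichment
  env:
    GAUNTLETCI_LLM_API_KEY: ${{ secrets.GAUNTLETCI_LLM_API_KEY }}
  run: gauntletci analyze --with-llm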

Loud warning if misconfigured

If --with-llm is passed in CI but no endpoint or API key is configured, GauntletCI prints a structured warning to stderr and skips enrichment. It does not silently no-op. Analysis still completes and all deterministic findings are still reported.

Privacy

Neither option sends data outside your own infrastructure at analysis time. The ONNX engine runs entirely in-process, and the Ollama path talks only to the endpoint you configured. No diff content, file paths, or findings are transmitted to any external service. Both options are safe for air-gapped environments and codebases with strict data residency requirements.

Next steps