Rule Library

39 deterministic detection rules — and growing

Every rule targets a specific class of behavioral, security, or structural risk in your diff. Rules run locally; typical staged diffs complete in seconds. Core detection does not send code to external services unless you enable optional integrations.

GCI0001 · Behavior and Contracts · Severity: Warn

Diff Integrity

Detects unrelated changes, formatting churn, and mixed scope within a single diff.

GCI0003 · Behavior and Contracts · Severity: Block

Behavioral Change Detection

Detects removed logic (Warn), incompatible method signature changes (Block), backward-compatible extensions (Info), and cryptographic boundary changes (Block).

GCI0004 · Behavior and Contracts · Severity: Warn

Breaking Change Risk

Detects [Obsolete] attribute additions and removals on public APIs. Removing a deprecation guard is Block-severity; adding one is a Warn-level review signal.

GCI0006 · Behavior and Contracts · Severity: Warn

Edge Case Handling

Detects potential null dereferences and missing validation in added code.

GCI0007 · Observability and Error Handling · Severity: Block

Error Handling Integrity

Detects swallowed exceptions (empty catch blocks) and exception handling patterns that hide failures from callers and operators.

GCI0010 · Security · Severity: Block

Hardcoding and Configuration

Detects hardcoded IPs, URLs, connection strings, secrets, and environment names committed to source.

GCI0012 · Security · Severity: Block

Security Risk

Detects SQL injection patterns, weak crypto algorithms (MD5, SHA1, DES), dangerous APIs (Assembly.Load, Process.Start), and credential exposure.

GCI0015 · Data Integrity · Severity: Block

Data Integrity Risk

Detects unchecked casts, mass assignment without validation, and SQL ON CONFLICT IGNORE patterns that silently discard errors.

GCI0016 · Async and Concurrency · Severity: Block

Concurrency and State Risk

Detects async void methods, blocking async calls (.Result, .Wait(), .GetAwaiter().GetResult()), lock(this), and Thread.Sleep in production code. Uses ForPatternScan to ignore matches inside // comments and string literals.

GCI0019 · Code Quality and Test Gaps · Severity: Info

Confidence and Evidence

Flags binary files that cannot be text-scanned and warns when large diffs produce no other findings.

GCI0021 · Behavior and Contracts · Severity: Block

Data and Schema Compatibility

Detects removed serialization attributes and enum member removals that may break wire formats or persisted data.

GCI0022 · Data Integrity · Severity: Warn

Idempotency and Retry Safety

Detects HTTP POST endpoints without idempotency keys and raw INSERT statements without upsert guards, which are unsafe under retry logic.

GCI0024 · Async and Concurrency · Severity: Warn

Resource Lifecycle

Detects disposable resources allocated without a using statement or try/finally disposal, leading to connection and handle leaks.

GCI0029 · Security · Severity: Warn

PII Entity Logging Leak

Detects PII-sensitive terms (email, SSN, password, etc.) appearing inside log calls in added lines.

GCI0032 · Async and Concurrency · Severity: Warn

Uncaught Exception Path

Fires when throw new is added without a corresponding Assert.Throws or Should().Throw assertion in the test suite.

GCI0035 · Architecture and Design · Severity: Warn

Architecture Layer Guard

Checks added using directives against configured forbidden import pairs, enforcing architectural boundaries at commit time.

GCI0036 · Behavior and Contracts · Severity: Block

Pure Context Mutation

Detects assignment operators inside property getter blocks or methods decorated with [Pure], indicating unexpected side effects.

GCI0038 · Architecture and Design · Severity: Warn

Dependency Injection Safety

Detects DI anti-patterns: service locator usage, direct instantiation of injectable types, and captive dependency violations.

GCI0039 · Async and Concurrency · Severity: Block

External Service Safety

Detects unsafe HTTP client usage and external service call patterns that lack timeout, cancellation, or retry configuration.

GCI0041 · Code Quality and Test Gaps · Severity: Warn

Test Quality Gaps

Detects low-quality test patterns: silenced tests ([Ignore]/[Skip]), uninformative method names, and test methods missing any assertions.

GCI0042 · Code Quality and Test Gaps · Severity: Info

TODO and Stub Detection

Fires when added lines in non-test files contain TODO, FIXME, HACK markers, or throw new NotImplementedException, indicating unfinished work.

GCI0043 · Observability and Error Handling · Severity: Info

Nullability and Type Safety

Detects null-forgiving operator (!) overuse, pragma warning disables for nullable, and unchecked as-casts that bypass the type system.

GCI0044 · Code Quality and Test Gaps · Severity: Info

Performance Hotpath Risk

Detects Thread.Sleep, LINQ queries inside loops, and unbounded collection growth inside loops that degrade throughput in hot paths.

GCI0045 · Architecture and Design · Severity: Info

Complexity Control

Detects over-engineering: single-use interfaces, abstract classes without abstract members, and unnecessary indirection added in the diff.

GCI0046 · Architecture and Design · Severity: Info

Pattern Consistency Deviation

Detects mixed sync/async naming conventions and service locator anti-patterns introduced inconsistently within the same file.

GCI0047 · Behavior and Contracts · Severity: Info

Naming and Contract Alignment

Detects method renames where the new CRUD verb semantically contradicts the old verb, signaling an intent mismatch.

GCI0048 · Security · Severity: Warn

Insecure Random in Security Context

Detects System.Random instantiation within 5 lines of security-sensitive identifiers such as token, apikey, salt, or password. System.Random is not cryptographically secure.

GCI0049 · Data Integrity · Severity: Info

Float and Double Equality Comparison

Detects direct equality (== / !=) comparisons involving floating-point values, which produce unreliable results due to precision loss.

GCI0050 · Data Integrity · Severity: Warn

SQL Column Truncation Risk

Detects short nvarchar(N) or varchar(N) column definitions that may silently truncate data when real-world values exceed the column width.

GCI0052 · Architecture and Design · Severity: Block

Dependency Bot API Drift

Fires when a dependency bot PR (Dependabot, Renovate, Snyk) contains both a lockfile change and a public API method signature change in C# files.

GCI0053 · Security · Severity: Warn

Lockfile Changed Without Source Review

Fires when a diff contains only lockfile changes with no accompanying source-file edits, which can hide malicious dependency upgrades.

GCI0020 · Security · Severity: Block

Resource Exhaustion Pattern Detection

Detects patterns that lead to resource exhaustion vulnerabilities: timeout removal, iteration limit removal, resource limit increases, cleanup removal, and unbounded async operations.

GCI0051 · Data Integrity · Severity: Warn

Numeric Coercion Risks

Detects implicit numeric conversions that risk truncation, overflow, or loss of precision. Flags unchecked downcasts, float-to-int conversions, and assignments from large types to small types.

GCI0055 · Behavior and Contracts · Severity: Info

Method Signature Change Risk

Disabled by default (severity None). Regex-based signature detection superseded by GCI0003. Re-enable in .gauntletci.json if needed.

GCI0054 · Async and Concurrency · Severity: Info

Async Void Abuse

Disabled by default (severity None). Public async void detection superseded by GCI0016. Re-enable for the stricter public-only filter.

GCI0056 · Code Quality and Test Gaps · Severity: Info

Missing Test Framework

Detects production code changes when the repository has no evidence of a test framework in project files.

GCI0057 · Async and Concurrency · Severity: Warn

Synchronous File I/O

Detects synchronous File.ReadAllText/WriteAllText and similar calls. Blocking async patterns are covered by GCI0016.

GCI0058 · Behavior and Contracts · Severity: Block

Paired Implementation Consistency

Compares sibling class implementations for opposite boolean polarity on the same predicate.

GCI0059 · Behavior and Contracts · Severity: Block

Guard Deletion Remote Use

Detects removed null or validation guards where the guarded symbol is still used later in the same method.

Rules are implemented in GauntletCI.Core/Rules/Implementations/. All rules are enabled by default and can be individually disabled or reconfigured in .gauntletci.json. See the Configuration docs for details.