Rule Library
30 deterministic detection rules
Every rule targets a specific class of behavioral, security, or structural risk in your diff. Rules run locally in under one second. No rule sends code to any external service.
Behavior and Contracts
Logic changes, API contracts, and behavioral shifts that tests may not exercise
Diff Integrity
Detects unrelated changes, formatting churn, and mixed scope within a single diff.
Behavioral Change Detection
Detects removed logic lines and changed method signatures that alter runtime behavior without corresponding test updates.
Breaking Change Risk
Detects removed public APIs and changed public method signatures that may break callers.
Edge Case Handling
Detects potential null dereferences and missing validation in added code.
Data and Schema Compatibility
Detects removed serialization attributes and enum member removals that may break wire formats or persisted data.
Pure Context Mutation
Detects assignment operators inside property getter blocks or methods decorated with [Pure], indicating unexpected side effects.
Naming and Contract Alignment
Detects method renames where the new CRUD verb semantically contradicts the old verb, signaling an intent mismatch.
Security
Credential exposure, unsafe APIs, PII leaks, and supply chain risks
Hardcoding and Configuration
Detects hardcoded IPs, URLs, connection strings, secrets, and environment names committed to source.
Security Risk
Detects SQL injection patterns, weak crypto algorithms (MD5, SHA1, DES), dangerous APIs (Assembly.Load, Process.Start), and credential exposure.
PII Entity Logging Leak
Detects PII-sensitive terms (email, SSN, password, etc.) appearing inside log calls in added lines.
Insecure Random in Security Context
Detects System.Random instantiation within 5 lines of security-sensitive identifiers such as token, apikey, salt, or password. System.Random is not cryptographically secure.
Lockfile Changed Without Source Review
Fires when a diff contains only lockfile changes with no accompanying source-file edits, which can hide malicious dependency upgrades.
Data Integrity
Truncation risks, idempotency gaps, and unsafe data operations
Data Integrity Risk
Detects unchecked casts, mass assignment without validation, and SQL ON CONFLICT IGNORE patterns that silently discard errors.
Idempotency and Retry Safety
Detects HTTP POST endpoints without idempotency keys and raw INSERT statements without upsert guards, which are unsafe under retry logic.
Float and Double Equality Comparison
Detects direct equality (== / !=) comparisons involving floating-point values, which produce unreliable results due to precision loss.
SQL Column Truncation Risk
Detects short nvarchar(N) or varchar(N) column definitions that may silently truncate data when real-world values exceed the column width.
Async and Concurrency
Blocking calls, resource leaks, deadlock risks, and unsafe async patterns
Concurrency and State Risk
Detects async void methods, blocking async calls (.Result, .Wait()), static mutable state, and patterns that introduce deadlock risk.
Resource Lifecycle
Detects disposable resources allocated without a using statement or try/finally disposal, leading to connection and handle leaks.
Uncaught Exception Path
Fires when throw new is added without a corresponding Assert.Throws or Should().Throw assertion in the test suite.
External Service Safety
Detects unsafe HTTP client usage and external service call patterns that lack timeout, cancellation, or retry configuration.
Observability and Error Handling
Swallowed exceptions, silent failures, and nullable contract violations
Error Handling Integrity
Detects swallowed exceptions (empty catch blocks) and exception handling patterns that hide failures from callers and operators.
Nullability and Type Safety
Detects null-forgiving operator (!) overuse, pragma warning disables for nullable, and unchecked as-casts that bypass the type system.
Architecture and Design
DI anti-patterns, layer violations, complexity, and supply chain drift
Architecture Layer Guard
Checks added using directives against configured forbidden import pairs, enforcing architectural boundaries at commit time.
Dependency Injection Safety
Detects DI anti-patterns: service locator usage, direct instantiation of injectable types, and captive dependency violations.
Complexity Control
Detects over-engineering: single-use interfaces, abstract classes without abstract members, and unnecessary indirection added in the diff.
Pattern Consistency Deviation
Detects mixed sync/async naming conventions and service locator anti-patterns introduced inconsistently within the same file.
Dependency Bot API Drift
Fires when a dependency bot PR (Dependabot, Renovate, Snyk) contains both a lockfile change and a public API method signature change in C# files.
Code Quality and Test Gaps
TODO stubs, test assertion gaps, and performance regressions
Test Quality Gaps
Detects low-quality test patterns: silenced tests ([Ignore]/[Skip]), uninformative method names, and test methods missing any assertions.
TODO and Stub Detection
Fires when added lines in non-test files contain TODO, FIXME, HACK markers, or throw new NotImplementedException, indicating unfinished work.
Performance Hotpath Risk
Detects Thread.Sleep, LINQ queries inside loops, and unbounded collection growth inside loops that degrade throughput in hot paths.
Rules are implemented in GauntletCI.Core/Rules/Implementations/. All rules are enabled by default and can be individually disabled or reconfigured in .gauntletci.json. See the Configuration docs for details.