How does GauntletCI compare to SonarQube?

SonarQube analyzes the entire codebase on a schedule and requires a server, account, and network access. GauntletCI analyzes only the lines that changed in the current diff, runs entirely on the developer's machine in under one second, requires no account or cloud connection, and installs as a pre-commit hook. SonarQube is a full codebase quality platform; GauntletCI is a focused change-risk detector that runs before a commit is ever created.

How does GauntletCI compare to Semgrep?

Semgrep is a pattern-matching engine that scans files or the full codebase. GauntletCI scopes every rule to the changed diff, meaning it only flags risks introduced by the current change, not pre-existing issues in unchanged files. GauntletCI also includes incident correlation, local LLM enrichment, and baseline delta mode, which Semgrep does not offer. GauntletCI's free tier includes all rules with no account required.

How does GauntletCI compare to Snyk?

Snyk is primarily a dependency and container vulnerability scanner that requires cloud connectivity and a Snyk account. GauntletCI detects behavioral, structural, and security risks in first-party code changes, not dependency vulnerabilities, and runs 100% locally with no data transmitted. GauntletCI is suitable for air-gapped environments and organizations with strict data residency requirements; Snyk is not.

How does GauntletCI compare to CodeQL / GitHub Advanced Security?

CodeQL performs deep semantic analysis of the full codebase and requires compilation and significant compute time, typically minutes per run. GauntletCI analyzes only the changed diff in under one second with no compilation step, making it suitable as a pre-commit hook in the developer's local workflow. CodeQL is better for periodic deep security audits; GauntletCI is better for fast, continuous feedback on every commit.

How does GauntletCI compare to Code Climate?

Code Climate is a SaaS platform that analyzes full repositories for maintainability and test coverage trends over time. It requires uploading code to a cloud service. GauntletCI is fully local, diff-scoped, and focused on change risk rather than codebase health metrics. GauntletCI does not require a cloud account, never transmits code, and produces results in under one second, making it a complement to, not a replacement for, Code Climate's longitudinal reporting.

Does GauntletCI work in air-gapped or offline environments?

Yes. GauntletCI runs entirely on the local machine. No diff, finding, file path, or telemetry is transmitted. The optional local LLM enrichment feature (--with-llm) uses a locally hosted Ollama model, with no network call. This makes GauntletCI suitable for classified, regulated, or air-gapped environments where cloud-based analysis tools are prohibited.

What is baseline delta mode and do other tools offer it?

Baseline delta mode (gauntletci baseline capture) snapshots all current findings and suppresses them from future runs. Only net-new findings (risks introduced after the baseline) are reported. This eliminates alert fatigue from pre-existing issues in legacy codebases. SonarQube offers a similar 'new code' concept but requires server setup. Semgrep, Snyk, CodeQL, and Code Climate do not offer equivalent pre-commit baseline suppression.

What severity is GCI0003?

GCI0003 is a Block severity rule. Block rules cause GauntletCI to exit with code 1, stopping the commit or CI pipeline step.

How do I disable GCI0003?

Add the rule to .gauntletci.json: { "rules": { "GCI0003": { "enabled": false } } }. You can also override the severity to Block or Warn without disabling the rule. See the Configuration docs at https://gauntletci.com/docs/configuration for the full schema.

All rules

GCI0003BlockBehavior and Contracts

Behavioral Change Detection

Detects removed logic lines and changed method signatures that alter runtime behavior without corresponding test updates.

Why this rule exists

A line removed from production code is a behavior change. If no test changed in the same diff, either the removed line was untested (silent regression risk) or the test it broke was deleted to make CI green.

Code example

Triggers the rule

// Removes a guard clause without touching tests
- if (user is null) throw new ArgumentNullException(nameof(user));
  return user.Email;

Passes the rule

// Removes the guard AND adds a test asserting the new contract
- if (user is null) throw new ArgumentNullException(nameof(user));
  return user.Email;
+ // tests/UserTests.cs
+ [Fact] public void GetEmail_NullUser_Throws_NullReference() { ... }

Configuration

Disable or adjust the severity of this rule in .gauntletci.json:

{
  "rules": {
    "GCI0003": { "enabled": true, "severity": "Block" }
  }
}

See Configuration for the full schema.

Related rules

GCI0004Block

Breaking Change Risk

Detects removed public APIs and changed public method signatures that may break callers.

GCI0006Warn

Edge Case Handling

Detects potential null dereferences and missing validation in added code.

GCI0036Block

Pure Context Mutation

Detects assignment operators inside property getter blocks or methods decorated with [Pure], indicating unexpected side effects.

Discussed in

Why Tests Miss Bugs

Tests pass but bugs still reach production. The categories of risk that escape test suites and why a green build is not the same as safe code.

Why Code Review Misses Bugs

Code review catches style and obvious logic errors. It routinely misses behavioral drift, contract changes, and implicit assumptions.

A Formal Framework for Behavioral Change Risk

A structured taxonomy for behavioral, contract, concurrency, and side-effect risk in code diffs.

What Is Diff-Based Analysis?

Diff-based analysis evaluates only what changed in a commit. Why that scope is the right unit of risk for pre-commit checks.

Real-world evidence

dotnet/efcorePR#38024

Breaking API Removal in EF Core

Public API removed without Obsolete - breaks all EF Core provider authors.

AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnetPR#3410

Hardcoded Authority URL - Azure AD

Hardcoded authority URL in production identity model code.

Implemented in src/GauntletCI.Core/Rules/Implementations/GCI0003_*.cs.

About the author

Eric Cogen -- Founder, GauntletCI

Twenty years in .NET production. Most of those years, the bugs that hurt me were not the ones tests caught. They were the assumptions I did not know I was making: a removed guard clause, a renamed method that still did the old thing, a catch {} that turned a page into a silent dashboard lie. GauntletCI is the checklist I wish I had run before every commit. It runs the rules I learned the hard way, so you do not have to.

@EricCogen/GauntletCI on GitHub/More about Eric