GCI0010 · Block · Security

Hardcoding and Configuration

Detects hardcoded IPs, URLs, connection strings, secrets, and environment names committed to source.

Why this rule exists

Secrets in source code leak through forks, mirrors, search indexes, and logs. Hardcoded environment URLs cause prod traffic to hit staging the moment a config flag flips wrong.

Code example

Triggers the rule
+ var conn = "Server=10.0.0.5;Database=Prod;User Id=admin;Password=hunter2";
Passes the rule
+ var conn = _config.GetConnectionString("Orders")
+     ?? throw new InvalidOperationException("Orders connection string missing");
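The following is an added example, not GauntletCI's own implementation: a simplified Python sketch of the kind of check this rule describes, scanning only the added lines of a unified diff for string literals that look like IPs, URLs, credentials, or connection strings. The regex heuristics, the `scan_diff` function, and the sample diff (built around the two snippets above, with a hypothetical file path) are assumptions made for illustration.

```python
import re

# Heuristic patterns: assumptions for illustration, not GauntletCI's real rule set.
PATTERNS = {
    "ip-address": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "url": re.compile(r"\bhttps?://\S+", re.I),
    "credential": re.compile(r"\b(?:password|pwd|secret|api[_-]?key|token)\s*=\s*[^;\s]+", re.I),
    "connection-string": re.compile(r"\b(?:server|data source)\s*=[^;]+;\s*(?:database|initial catalog)\s*=", re.I),
}
# Contents of ordinary double-quoted literals (C# verbatim strings are not handled here).
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
HUNK_HEADER = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)")

def scan_diff(diff_text):
    """Return (file, new_line_number, kind) for each finding on added lines only."""
    findings, path, lineno = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):            # new-file header
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):            # hunk header resets the line counter
            m = HUNK_HEADER.match(raw)
            lineno = int(m.group(1)) - 1 if m else 0
        elif raw.startswith("+"):             # added line: the only kind inspected
            lineno += 1
            for literal in STRING_LITERAL.findall(raw[1:]):
                for kind, rx in PATTERNS.items():
                    if rx.search(literal):
                        findings.append((path, lineno, kind))
        elif raw.startswith(" "):             # context line advances the counter
            lineno += 1
    return findings

# Constructed sample diff; the file path is hypothetical.
SAMPLE_DIFF = """\
--- a/src/OrdersRepository.cs
+++ b/src/OrdersRepository.cs
@@ -12,3 +12,6 @@
     public OrdersRepository(IConfiguration config)
     {
+        var conn = "Server=10.0.0.5;Database=Prod;User Id=admin;Password=hunter2";
+        var ok = _config.GetConnectionString("Orders")
+            ?? throw new InvalidOperationException("Orders connection string missing");
     }
"""

if __name__ == "__main__":
    for finding in scan_diff(SAMPLE_DIFF):
        print(finding)
```

Because only string literals on added lines are inspected, the configuration lookup produces no findings while the literal connection string is reported three times, once per pattern it matches.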

Configuration

Disable or adjust the severity of this rule in .gauntletci.json:

{
  "rules": {
    "GCI0010": { "enabled": true, "severity": "Block" }
  }
}

See Configuration for the full schema.

Implemented in src/GauntletCI.Core/Rules/Implementations/GCI0010_*.cs.

About the author

Eric Cogen -- Founder, GauntletCI

Twenty years as a senior technical consultant building and modernizing enterprise platforms across .NET, AWS, serverless, microservices, and AI-driven systems.