Your tests passed. Your PR was approved. Your change still broke production.
Tests confirm existing behavior. Code review confirms intent. Neither validates what your change actually does.
GauntletCI detects Behavioral Change Risk in pull request diffs: logic shifts, missing validations, and hidden regressions that compile cleanly, pass every test, and survive code review — before the commit is created.
- The Missing Layer
- Quick Start
- What GauntletCI Detects
- How It Compares
- See It Live
- GitHub Actions
- Documentation
- Community
- License
## The Missing Layer

Modern pipelines answer different questions:
| Layer | Question answered |
|---|---|
| Static analysis | Is this code well-formed? |
| Security scanning | Does this code contain known vulnerabilities? |
| Tests | Does this code match expected behavior? |
| Code review | Does this change match intended behavior? |
| GauntletCI | Is the behavioral impact of this change verified? |
GauntletCI doesn't replace any of these. It closes the gap none of them cover.
## Quick Start

```bash
dotnet tool install -g GauntletCI

# Run against staged changes before committing
gauntletci analyze --staged
```

Five minutes from install to first finding. No configuration required.
→ Full install guide | CLI reference
## What GauntletCI Detects

35 deterministic rules across 8 production risk tiers:
| Tier | Category | Example |
|---|---|---|
| 1 | Structural & Scope Integrity | Visibility changes, signature drift |
| 2 | Behavioral & Correctness Risk | Control flow changes, removed guard clauses |
| 3 | Security & Compliance | Secrets in diffs, SQL injection exposure, PII logging |
| 4 | Resource & Concurrency | Async deadlocks, undisposed resources, shared state |
| 5 | Observability & Failure | Swallowed exceptions, removed logging from error paths |
| 6 | Evidence & Test Completeness | Behavior change with no corresponding test delta |
| 7 | Architecture & Structural Contracts | Interface violations, coupling changes |
| 8 | Dependency & Integration Safety | Version conflicts, breaking API surface changes |
Detection is fully deterministic. Same diff, same findings, every time. No LLM evaluates whether a rule fires.
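To make the diff-level, deterministic idea concrete, here is a small added checker that is not GauntletCI's rule engine and is not taken from the project: it approximates two of the tiers above over a constructed C# diff, flagging a removed guard clause (tier 2) and a production change with no accompanying test delta (tier 6). The diff content, file paths, regexes and rule names are all constructed for illustration.

```python
import re

# Constructed sample diff (not from the GauntletCI repo): a null guard is
# removed from a production method and no test file changes alongside it.
SAMPLE_DIFF = """\
diff --git a/src/Billing/InvoiceService.cs b/src/Billing/InvoiceService.cs
--- a/src/Billing/InvoiceService.cs
+++ b/src/Billing/InvoiceService.cs
@@ -10,7 +10,6 @@ public class InvoiceService
     public decimal Total(Invoice invoice)
     {
-        if (invoice == null) throw new ArgumentNullException(nameof(invoice));
         return invoice.Lines.Sum(l => l.Amount);
     }
"""

# A guard clause: an `if (...)` that immediately returns or throws.
GUARD_RE = re.compile(r"^\s*if\s*\(.*\)\s*(return|throw)\b")
# Heuristic for test files; a real tool would use project metadata instead.
TEST_PATH_RE = re.compile(r"(Tests?|Spec)[/\\.]", re.IGNORECASE)

def changed_files(diff):
    """Map each changed file path to its (removed_lines, added_lines)."""
    files, path = {}, None
    for line in diff.splitlines():
        if line.startswith("+++ b/"):
            path = line[6:]
            files[path] = ([], [])
        elif path and line.startswith("-") and not line.startswith("---"):
            files[path][0].append(line[1:])
        elif path and line.startswith("+") and not line.startswith("+++"):
            files[path][1].append(line[1:])
    return files

def analyze(diff):
    """Return findings as (rule, path, detail) tuples; same diff, same result."""
    files = changed_files(diff)
    findings = []
    for path, (removed, added) in files.items():
        added_set = {a.strip() for a in added}
        for old in removed:
            # Fires only when the guard is gone, not merely moved within the diff.
            if GUARD_RE.match(old) and old.strip() not in added_set:
                findings.append(("removed-guard-clause", path, old.strip()))
    prod = [p for p in files if not TEST_PATH_RE.search(p)]
    if prod and not any(TEST_PATH_RE.search(p) for p in files):
        for p in prod:
            findings.append(("behavior-change-without-test-delta", p, "no test file in diff"))
    return findings
```

Run `analyze(SAMPLE_DIFF)` to see both findings; append a hunk touching a `*Tests.cs` file and the test-delta finding goes away while the guard finding remains.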
## How It Compares

| Capability | GauntletCI | CodeRabbit | Copilot Code Review | SonarQube |
|---|---|---|---|---|
| Deterministic findings | ✅ | ❌ | ❌ | ✅ |
| Behavioral change detection | ✅ | Partial | Partial | ❌ |
| Test coverage gap detection | ✅ | ❌ | ❌ | ❌ |
| Runs pre-commit (local) | ✅ | ❌ | ❌ | ❌ |
| 100% local / no data egress | ✅ | ❌ | ❌ | ✅ |
| .NET-native | ✅ | ❌ | ❌ | ✅ |
| AI explanations available | ✅ opt-in | ✅ | ✅ | ❌ |
LLM explanations are available as an opt-in layer. The detection logic itself never involves one.
## See It Live

The GauntletCI-Demo repo contains 36 scenarios across 3 tiers — each compiling cleanly, passing all tests, and passing traditional SAST gates, while introducing behavioral risk only visible at the diff level.
## GitHub Actions

Start in advisory mode. Inline comments surface findings without blocking merges:

```yaml
name: GauntletCI
on:
  pull_request:
permissions:
  contents: read
  pull-requests: write
jobs:
  risk-analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: EricCogen/GauntletCI@main
        with:
          fail-on-findings: "false"
          inline-comments: "true"
```

Once signal quality is tuned for your codebase, set `fail-on-findings: "true"` to block risky merges.
## Documentation

| Document | Contents |
|---|---|
| Documentation Hub | Full documentation index |
| CLI Reference | Complete command-line usage |
| Architecture Guide | How detection works |
| Technical FAQ | Common questions |
| Troubleshooting | Common problems and solutions |
| Contributing | How to contribute |
| Security Policy | Vulnerability reporting |
## Community

Questions? Ideas? Found a false positive?
- GitHub Issues: Report bugs or request features
- GitHub Discussions: Ask questions and share ideas
- Twitter: @GauntletCI_BCRV
## License

Elastic License 2.0 — free for personal and internal use.