A live, runnable showcase of GauntletCI - a deterministic pre-commit risk detector for .NET - operating on real GitHub pull requests.
- Main repository: https://github.com/EricCogen/GauntletCI
- Website: https://gauntletci.com
This repo is not a working application. It is a controlled demonstration environment whose only purpose is to let you see GauntletCI's output on realistic code changes - without installing anything yourself.
It contains:
- A small but realistic .NET 8 sample app (`OrderService`, a payment processing service with a payment client and an order processor), so the diffs being analyzed look like code you'd actually write.
- A GitHub Actions workflow (`.github/workflows/gauntlet.yml`) that installs the published GauntletCI tool from NuGet on every PR and runs it against the PR diff, posting findings as inline annotations, PR review comments, and a Checks API verdict.
- A library of canonical demo scenarios under `scenarios/`. Each scenario is a deliberate code change (silent exception swallow, hardcoded secret, breaking API change, PII in logs, concurrency race, and a no-op control) that exercises a different GauntletCI rule.
- A `workflow_dispatch` action (`.github/workflows/reopen-scenarios.yml`) that rebuilds every scenario branch and reopens its PR on demand. This lets the demo regenerate itself against the latest published tool version without manual git work.
It is not:
- ❌ Not a production-quality reference architecture for `OrderService`.
- ❌ Not a place to file GauntletCI bugs or feature requests - please use the main repo's issues.
- ❌ Not a substitute for real-world testing on your own codebase. Run `gauntletci analyze` on your own diffs to see findings tuned to your code.
A note on fake secrets in this repo. Demo scenarios that need to embed a credential-shaped literal (e.g. `03-hardcoded-secret`) use the namespaced pattern `gci_demo_{hex}`. This format is intentionally chosen so it does not match any real provider's secret-scanning rules, while still being exactly the shape GauntletCI's `GCI0012` rule looks for. There are no real credentials anywhere in this repository.
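As an added illustration (not code from the GauntletCI-Demo repo or its `OrderService` sample), here is the shape of change a scenario like `03-hardcoded-secret` introduces, next to the corrected form. `PaymentClientBefore`, `PaymentClientAfter`, the `PAYMENT_API_KEY` variable name and the host are assumed names, and the literal is a constructed fake in the repo's `gci_demo_{hex}` convention.

```csharp
// Added example, not the demo repo's own OrderService code.
// PaymentClientBefore/After, PAYMENT_API_KEY and the host are assumed names;
// the literal below is a constructed fake in the repo's gci_demo_{hex} shape.
using System;
using System.Net.Http;
using System.Net.Http.Headers;

public sealed class PaymentClientBefore
{
    // The regression: a credential-shaped literal committed to source.
    // This is the shape the GCI0012 Security Risk rule looks for in the diff.
    private const string ApiKey = "gci_demo_3f9a1c7e2b8d4a6f9e0c1b2a3d4e5f60"; // constructed fake

    public HttpClient CreateClient()
    {
        var client = new HttpClient { BaseAddress = new Uri("https://payments.example.invalid/") };
        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", ApiKey);
        return client;
    }
}

public sealed class PaymentClientAfter
{
    private readonly string _apiKey;

    // The fix: the key is supplied by the composition root from configuration
    // or a secrets store, and a missing key fails fast at startup instead of
    // the service quietly running with whatever literal was left in the code.
    public PaymentClientAfter(string? apiKey)
    {
        if (string.IsNullOrWhiteSpace(apiKey))
        {
            throw new InvalidOperationException(
                "Payment API key is not configured (expected PAYMENT_API_KEY).");
        }
        _apiKey = apiKey;
    }

    // Environment-variable source used by this example; a real service would
    // typically bind this through its configuration provider.
    public static PaymentClientAfter FromEnvironment()
        => new(Environment.GetEnvironmentVariable("PAYMENT_API_KEY"));

    public HttpClient CreateClient()
    {
        var client = new HttpClient { BaseAddress = new Uri("https://payments.example.invalid/") };
        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", _apiKey);
        return client;
    }
}

public static class Program
{
    public static void Main()
    {
        // With the variable unset, the corrected client refuses to start;
        // the "before" version would have silently used the committed literal.
        try
        {
            PaymentClientAfter.FromEnvironment();
            Console.WriteLine("PAYMENT_API_KEY present; client configured from the environment.");
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine($"Startup check failed: {ex.Message}");
        }
    }
}
```

Build it as a console project on the .NET 8 SDK; run once with `PAYMENT_API_KEY` unset and once with it set to see both branches of the startup check.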
GauntletCI detects behavioral change risks within your git diff during pre-commit analysis. This is fundamentally different from whole-project snapshot SAST tools.
SAST Tools (CodeQL, Semgrep, SonarQube, etc.):
- Scan the entire codebase during CI (multi-minute process)
- Look for known vulnerability signatures and code quality patterns
- Excellent at finding hardcoded secrets, SQL injection patterns, standard anti-patterns like `.Result` deadlocks
- Run during compilation/packaging phase as CI gates
GauntletCI:
- Analyzes only the git diff during pre-commit (sub-second)
- Detects structural mutations, execution sequence changes, boundary drifts within the specific change delta
- Catches behavioral regressions that compile cleanly, pass all tests, but break production systems
- Runs before you commit, before code review, before CI
These 18 behavioral scenarios show what GauntletCI detects that whole-project snapshot tools cannot see:
| Category | Scenarios | What It Shows |
|---|---|---|
| Architectural Access Control | S19, S23, S24 | Removal/modification of access boundaries in the diff without corresponding validation changes |
| Execution Sequence Changes | S20, S28-S30 | State mutations or external calls reordered in ways that are syntactically clean but execution-order dependent |
| Async Propagation Drops | S21, S25-S27 | Loss of CancellationToken context, fire-and-forget task patterns, propagation failures across method boundaries in the diff |
| Public Contract Drift | S22, S31-S32 | Method signature, default parameter, or API contract changes that compile but break callers in the specific change |
| Performance & Resource | S33-S34 | Configuration changes, pooling disablement, cache lookup removal that are invisible to style checkers |
| Dependency Injection Scope | S35-S36 | Scope boundary mismatches in DI configuration within the specific change |
Each scenario:
- Compiles successfully and passes unit tests
- Would pass both SAST and linting gates
- Introduces behavioral risk that only diff-level analysis can catch before production
All tools run live via GitHub Actions:
- DEMO_FINDINGS.md - Detailed tool-by-tool comparison across all 18 scenarios
- Live PRs - Each scenario runs CodeQL, Semgrep, SonarQube, StyleCop, Snyk, and GauntletCI
- The Verdict - See the 18/18 vs 0/18 scorecard in action
- 36 Total Scenarios - Tier 1 (6), Tier 2 (12), Tier 3 (18)
Fastest way: Fork this repo, enable Actions, run workflow Reopen demo scenarios
All analysis tools run live on every PR via GitHub Actions in .github/workflows/:
- `codeql.yml` - runs CodeQL on every PR
- `semgrep.yml` - runs Semgrep on every PR
- `stylecop.yml` - runs StyleCop enforcement on every PR
- `snyk.yml` - runs Snyk on every PR
- `gauntletci.yml` - runs GauntletCI on every PR
You'll see the findings (or lack thereof) in real time. No downloads, no local setup required - just fork, enable workflows, and watch the PRs.
Why we recommend running it yourself. This repo's canonical PRs are intentionally read-only - we keep them as a stable, predictable showcase rather than letting visitors mutate them. To experiment freely (try your own diffs, edit scenarios, see what triggers what), clone or fork and run the demo on your own copy. The two paths below cover both styles.
This is the headline experience: you own the repo state, you control the runs, you can poke at anything without breaking the demo for the next visitor.
Prerequisites (both paths):
- .NET 8 SDK - install from https://dotnet.microsoft.com/download/dotnet/8.0 (the demo CI uses `8.0.x`)
- Git - any recent version
- A GitHub account - only required for the fork path
1. Fork `EricCogen/GauntletCI-Demo` to your account.
2. ⚠️ Enable Actions on your fork. GitHub disables workflows on new forks by default. In your fork, click the Actions tab. If you see the banner "Workflows aren't being run on this forked repository", click "I understand my workflows, go ahead and enable them". The reopen-scenarios workflow will not appear until you do this.
3. Go to Actions → Reopen demo scenarios → Run workflow.
4. Type `all` (or a single scenario folder name like `03-hardcoded-secret`) into the input and click Run workflow.
5. Expect ~2 minutes for the first run: the workflow rebuilds the `demo/*` branches and opens one PR per scenario. Each PR then triggers `gauntlet.yml`, which installs the published GauntletCI tool from NuGet (~30 s) and runs it on the diff (~5 s).
6. Open any of the new PRs in your fork to see the Files Changed annotations, Conversation review summary, and Checks verdict.
Note: `secrets.DEMO_PR_TOKEN` is optional. If your fork doesn't have it, the workflow falls back to the built-in `GITHUB_TOKEN` and PRs are authored by `github-actions[bot]` instead of a custom identity.
Did it work?
- ✅ Expected: a fresh batch of PRs titled `demo: <scenario-id>` appears in your fork's Pull requests tab, each with a green or red GauntletCI check (matching the verdict in `scenarios/<id>/README.md`).
- ❌ No PRs appeared - most often the Actions tab still has the disable banner. Re-check step 2.
- ❌ Workflow failed in `Install GauntletCI` step - usually a transient NuGet outage. Re-run from the Actions tab.
- ❌ Workflow failed in `Open PR` step with 403 - your fork has branch protection on `main` that blocks the bot. Either remove the rule or set `DEMO_PR_TOKEN` to a PAT that can bypass it.
This path is fastest if you already have the .NET 8 SDK on your machine.
bash / macOS / Linux:

```bash
git clone https://github.com/EricCogen/GauntletCI-Demo.git
cd GauntletCI-Demo
# Install the published tool
dotnet tool install -g GauntletCI
# Build the sample app
dotnet build
# Apply a scenario locally and analyze the staged diff
cp -r scenarios/02-silent-catch/files/. .
git add -A
gauntletci analyze --staged
```

PowerShell / Windows:

```powershell
git clone https://github.com/EricCogen/GauntletCI-Demo.git
Set-Location GauntletCI-Demo
# Install the published tool
dotnet tool install -g GauntletCI
# Build the sample app
dotnet build
# Apply a scenario locally and analyze the staged diff
Copy-Item -Recurse -Force scenarios/02-silent-catch/files/* .
git add -A
gauntletci analyze --staged
```

You'll get the same findings GauntletCI would produce in CI, in under a second, on your own machine.
Did it work?
- ✅ Expected: console output ending in `🛑 Block` with a `[GCI0007] Error Handling Integrity` finding pointing at the silent `catch { }` block that the scenario introduces.
- ❌ `gauntletci: command not found` - the dotnet global tools folder isn't on your `PATH`. Either restart your shell or add `$HOME/.dotnet/tools` (Unix) / `%USERPROFILE%\.dotnet\tools` (Windows) to `PATH`.
- ❌ `error: pathspec 'scenarios/02-silent-catch/files/.' did not match any file(s)` - you're not in the repo root. Run `cd GauntletCI-Demo` first.
- ❌ Tool installs but `analyze --staged` reports `0 findings` - the scenario files weren't actually staged. Check `git status` and re-run `git add -A`.
If you just want to see what the tool produces without setting anything up:
1. Open the Pull Requests tab.
2. Pick any open PR labelled `demo:*`.
3. Look at:
   - The Files Changed tab - GauntletCI's inline annotations appear alongside the diff lines that triggered them.
   - The Conversation tab - GauntletCI posts a PR review summarising the findings, severity, and rationale.
   - The Checks tab - a GauntletCI check run shows the overall pass/fail verdict.

The expected verdict for each scenario is documented in its `scenarios/<id>/README.md` so you can compare what you see against what the tool was meant to catch.
The canonical PRs in this repo auto-heal: `reopen-scenarios.yml` runs on a weekly schedule and on every push to `main`, so the showcase stays in sync with the latest published GauntletCI version. To force a rebuild manually, go to Actions → Reopen demo scenarios → Run workflow.
| # | Scenario | Expected verdict | Rule(s) demonstrated |
|---|---|---|---|
| 01 | safe-typo-fix | ✅ Clean | (none - low-noise control) |
| 02 | silent-catch | 🛑 Block | GCI0007 Error Handling Integrity |
| 03 | hardcoded-secret | 🛑 Block | GCI0012 Security Risk |
| 04 | breaking-api-change | 🛑 Block | GCI0004 Breaking Change Risk |
| 05 | pii-logging | | GCI0029 PII Logging Leak |
| 06 | concurrency-race | 🛑 Block | GCI0016 Concurrency & State Risk |
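The `02-silent-catch` scenario is the one the local walkthrough above applies, and the `[GCI0007] Error Handling Integrity` finding it expects points at an empty `catch`. The following is an added example, not the repo's own `OrderService` code, showing the shape of that regression beside a corrected version. `OrderProcessorBefore`, `OrderProcessorAfter`, `IPaymentClient`, `PaymentFailedException` and the always-failing test client are assumed names constructed for this illustration.

```csharp
// Added example, not the demo repo's own OrderService code. All type names
// here are stand-ins constructed for the illustration.
using System;
using System.Threading.Tasks;

public sealed class PaymentFailedException : Exception
{
    public PaymentFailedException(string message) : base(message) { }
}

public interface IPaymentClient
{
    Task ChargeAsync(string orderId, decimal amount);
}

public sealed class OrderProcessorBefore
{
    private readonly IPaymentClient _payments;
    public OrderProcessorBefore(IPaymentClient payments) => _payments = payments;

    // The regression: every failure is swallowed, so the caller marks the order
    // as paid even when the charge never happened. This empty catch block is
    // what the GCI0007 Error Handling Integrity rule reports in the diff.
    public async Task<bool> ProcessAsync(string orderId, decimal amount)
    {
        try
        {
            await _payments.ChargeAsync(orderId, amount);
        }
        catch { }
        return true;
    }
}

public sealed class OrderProcessorAfter
{
    private readonly IPaymentClient _payments;
    private readonly Action<string> _log;

    public OrderProcessorAfter(IPaymentClient payments, Action<string> log)
    {
        _payments = payments;
        _log = log;
    }

    // The fix: catch only the failure this method can reason about, record it,
    // and report the real outcome; anything unexpected still propagates.
    public async Task<bool> ProcessAsync(string orderId, decimal amount)
    {
        try
        {
            await _payments.ChargeAsync(orderId, amount);
            return true;
        }
        catch (PaymentFailedException ex)
        {
            _log($"order {orderId}: payment failed: {ex.Message}");
            return false;
        }
    }
}

// Constructed test double: a payment client whose charge always fails.
public sealed class AlwaysFailingPaymentClient : IPaymentClient
{
    public async Task ChargeAsync(string orderId, decimal amount)
    {
        await Task.Yield();
        throw new PaymentFailedException("card declined");
    }
}

public static class Program
{
    public static async Task Main()
    {
        var client = new AlwaysFailingPaymentClient();
        bool before = await new OrderProcessorBefore(client).ProcessAsync("order-1", 42.00m);
        bool after = await new OrderProcessorAfter(client, Console.WriteLine).ProcessAsync("order-1", 42.00m);
        // The "before" processor reports paid=True for a declined card;
        // the "after" processor logs the failure and reports paid=False.
        Console.WriteLine($"before: paid={before}   after: paid={after}");
    }
}
```

The point of the comparison is that both versions compile and a test that only checks for "no exception" passes on both; only the return value, and therefore the downstream order state, differs.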
A second wave of scenarios, each isolating a single GauntletCI rule on the same OrderService sample app. Verdict for every Tier 2 entry is ❌ Fails (the change exists to trip exactly one rule).
| # | Scenario | Rule demonstrated |
|---|---|---|
| 07 | magic-connection-string | GCI0010 Hardcoding and Configuration |
| 08 | undisposed-httpclient | GCI0024 Resource Lifecycle |
| 09 | insecure-random-token | GCI0048 Insecure Random in Security Context |
| 10 | sql-column-truncation | GCI0050 SQL Column Truncation Risk |
| 11 | float-money-equality | GCI0049 Float/Double Equality Comparison |
| 12 | missing-null-guard | GCI0006 Edge Case Handling |
| 13 | throw-bare-exception | GCI0032 Uncaught Exception Path |
| 14 | todo-in-payment-flow | GCI0042 TODO/Stub Detection |
| 15 | non-idempotent-retry | GCI0022 Idempotency & Retry Safety |
| 16 | tolist-in-loop | GCI0044 Performance Hotpath Risk |
| 17 | captive-dependency | GCI0038 Dependency Injection Safety |
| 18 | dependabot-api-drift | GCI0052 Dependency Bot API Drift |
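Scenario `09-insecure-random-token` targets a rule (GCI0048) about using a general-purpose PRNG where a security token is needed. As an added example that is not the repo's own code, the following shows why the distinction matters: `System.Random` output is a deterministic function of its seed, while `RandomNumberGenerator` draws from the platform CSPRNG. `TokenGenerator` and its method names are assumed for this illustration.

```csharp
// Added example, not the demo repo's own code. TokenGenerator is an assumed name.
using System;
using System.Security.Cryptography;

public static class TokenGenerator
{
    // The regression (scenario 09 shape): System.Random is a general-purpose PRNG.
    // Its output is fully determined by its seed, so anyone who learns or guesses
    // the seed can reproduce every "token" this method will ever hand out.
    // The seed is exposed as a parameter here only to make that visible.
    public static string InsecureToken(int seed, int byteCount = 32)
    {
        var buffer = new byte[byteCount];
        new Random(seed).NextBytes(buffer);
        return Convert.ToHexString(buffer);
    }

    // The fix: RandomNumberGenerator is backed by the OS cryptographic RNG, so
    // tokens stay unpredictable even to someone who has observed earlier ones.
    public static string SecureToken(int byteCount = 32)
        => Convert.ToHexString(RandomNumberGenerator.GetBytes(byteCount));

    // Constant-time comparison for when the token is later checked, so the
    // check itself does not leak how many leading bytes matched.
    public static bool TokensMatch(string presented, string expected)
    {
        byte[] a = Convert.FromHexString(presented);
        byte[] b = Convert.FromHexString(expected);
        return CryptographicOperations.FixedTimeEquals(a, b);
    }
}

public static class Program
{
    public static void Main()
    {
        // Same seed, same token: two instances (or two restarts) that happen to
        // seed identically issue identical "unique" tokens.
        string t1 = TokenGenerator.InsecureToken(seed: 1234);
        string t2 = TokenGenerator.InsecureToken(seed: 1234);
        Console.WriteLine($"Random(seed) tokens identical: {t1 == t2}");

        string s1 = TokenGenerator.SecureToken();
        string s2 = TokenGenerator.SecureToken();
        Console.WriteLine($"CSPRNG tokens identical: {s1 == s2}");
        Console.WriteLine($"Verify own token: {TokenGenerator.TokensMatch(s1, s1)}");
    }
}
```

`Convert.ToHexString`/`FromHexString` and `RandomNumberGenerator.GetBytes(int)` are available on .NET 5/6 and later, so they work on the .NET 8 SDK the demo targets.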
18 advanced behavioral regression scenarios designed to demonstrate GauntletCI's unique ability to detect changes that pass traditional analysis tools (SonarQube, CodeQL, Semgrep, StyleCop, Snyk). Each scenario shows a realistic production bug that compiles successfully but represents a critical regression.
Key finding: GauntletCI detects all 18 Tier 3 scenarios; competitors detect 0/18 on average. See DEMO_FINDINGS.md for the complete comparison.
Security & Access Control:

| # | Scenario | Production Impact |
|---|---|---|
| 19 | access-control-drop | Security attribute stripped during refactoring |
| 23 | role-based-bypass | Authorization check moved inside conditional branch |
| 24 | encryption-key-rotation-removal | Decryption logic simplified, breaking old encrypted data |

Concurrency & Async:

| # | Scenario | Production Impact |
|---|---|---|
| 21 | static-mutation-async | Unsynchronized static mutation in async context |
| 25 | async-without-await | Async method called without await, losing exceptions |
| 26 | lock-scope-reduction | Critical section narrowed, exposing race conditions |
| 27 | task-result-deadlock | Sync-over-async pattern causes hangs |

Data Integrity & Business Logic:

| # | Scenario | Production Impact |
|---|---|---|
| 20 | audit-log-inversion | Execution order mutation breaks compliance logging |
| 28 | transaction-rollback-repositioning | Rollback point moved, committing partial changes |
| 29 | idempotency-key-removed | Duplicate detection removed, enabling duplicate charges |
| 30 | cascade-delete-to-restrict | Delete behavior changed, orphaning related records |

API Contracts & Versioning:

| # | Scenario | Production Impact |
|---|---|---|
| 22 | breaking-api-contract | Public API parameter removed without version bump |
| 31 | exception-contract-violation | Documented exception no longer thrown, breaking consumers |
| 32 | implicit-type-coercion-change | Conversion logic simplified, changing edge case behavior |

Performance & Resource Management:

| # | Scenario | Production Impact |
|---|---|---|
| 33 | cache-lookup-removed | Cache bypass added, causing database load spike |
| 34 | connection-pooling-disabled | Connection pooling disabled, connection storm |

Dependency Injection & Scoping:

| # | Scenario | Production Impact |
|---|---|---|
| 35 | service-locator-anti-pattern | Dependency resolved from service locator, untestable |
| 36 | singleton-captures-scoped | Scoped dependency captured by singleton, data leakage |
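Scenario 25 (async-without-await) is a compact illustration of why these Tier 3 changes compile, pass tests and still regress production. The block below is an added example, not the repo's own code: `AuditLogger`, `OrderPlacerBefore` and `OrderPlacerAfter` are assumed names, and the audit sink is constructed to always fail so the lost exception is visible.

```csharp
// Added example, not the demo repo's own code. AuditLogger and OrderPlacer*
// are assumed names; the failing audit sink is constructed for the illustration.
using System;
using System.Threading.Tasks;

public sealed class AuditLogger
{
    // Stand-in for an audit sink that can fail (e.g. the store is unreachable).
    public async Task WriteAsync(string entry)
    {
        await Task.Yield();
        throw new InvalidOperationException($"audit store unavailable while writing '{entry}'");
    }
}

public sealed class OrderPlacerBefore
{
    private readonly AuditLogger _audit = new();

    public async Task<string> PlaceOrderAsync(string orderId)
    {
        // The regression (scenario 25 shape): the Task returned by WriteAsync is
        // never awaited, so its exception is dropped and the order reports
        // success without an audit record. The compiler only warns (CS4014),
        // so this builds cleanly unless warnings are treated as errors.
        _audit.WriteAsync($"placed {orderId}");
        await Task.Yield();
        return "ok";
    }
}

public sealed class OrderPlacerAfter
{
    private readonly AuditLogger _audit = new();

    public async Task<string> PlaceOrderAsync(string orderId)
    {
        // The fix: await the call so a failure propagates to the caller,
        // which can roll back or surface the error instead of reporting success.
        await _audit.WriteAsync($"placed {orderId}");
        return "ok";
    }
}

public static class Program
{
    public static async Task Main()
    {
        // "before" prints ok even though the audit write failed.
        Console.WriteLine("before: " + await new OrderPlacerBefore().PlaceOrderAsync("order-1"));

        // "after" surfaces the failure to the caller.
        try
        {
            Console.WriteLine("after: " + await new OrderPlacerAfter().PlaceOrderAsync("order-1"));
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine("after: failed as it should: " + ex.Message);
        }
    }
}
```

A unit test that asserts `PlaceOrderAsync` returns `"ok"` passes against the "before" version, which is exactly the property the Tier 3 scenarios are built around: the defect is in the execution sequence of the diff, not in anything a signature-based scan or a style rule inspects.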
Each scenario folder contains:
- `README.md` - what the change is and what verdict to expect
- `files/` - the overlay files that get copied onto `main` to construct the demo branch
The demo now includes automated CI/CD workflows that run 5 complementary analysis tools on every PR. This hybrid approach lets you see real findings from free tools and compare them against GauntletCI's behavior detection.
Tier 3 expansion: Now testing 18 behavioral regression scenarios against all 5 tools to maximize evidence of GauntletCI's competitive advantage.
| Tool | Type | Purpose | Free | Runs in CI |
|---|---|---|---|---|
| CodeQL | Data flow | Security taint tracking | ✅ | ✅ |
| Semgrep | Pattern-based | Custom rule matching | ✅ | ✅ |
| StyleCop | Enforcement | C# style rules | ✅ | ✅ |
| Snyk | Dependency | Vulnerability scanning | ✅ | ✅ |
| GauntletCI | Behavioral | Regression detection | ❌ | ✅ |
See DEMO_FINDINGS.md for the complete breakdown of what each tool finds (or misses) on the Tier 3 scenarios.
Quick summary: On behavioral regressions (Tier 3 scenarios - now 18 scenarios across 6 categories):
- GauntletCI: ✅ Detects behavioral changes in all scenarios
- CodeQL, Semgrep, SonarQube, Snyk, StyleCop: ❌ Miss behavioral regressions consistently
Coverage:
- Security & Access Control: 3 scenarios
- Concurrency & Async: 4 scenarios
- Data Integrity & Business Logic: 4 scenarios
- API Contracts & Versioning: 3 scenarios
- Performance & Resource Management: 2 scenarios
- Dependency Injection & Scoping: 2 scenarios
This demonstrates why teams use multiple tools in a unified CI/CD pipeline: each specializes in different risk categories, and GauntletCI fills the critical gap in behavioral regression detection.
The workflows in `.github/workflows/` run automatically on every PR:

```bash
# Create a test PR
git checkout -b test/try-scenarios main
cp -r scenarios/19-access-control-drop/files/. .
git add -A && git commit -m "test: behavioral regression scenario"
git push origin test/try-scenarios
```

Then open a PR to `main`. GitHub Actions will run all 5 tools and post findings in the Checks tab. Compare the results against DEMO_FINDINGS.md.
The CI workflow uses the same install path real users follow, so the demo also serves as a smoke test of the published tool:

```yaml
- run: dotnet tool install -g GauntletCI
- run: |
    gauntletci analyze \
      --commit ${{ github.event.pull_request.head.sha }} \
      --no-banner \
      --github-annotations \
      --github-pr-comments \
      --github-checks
```

No build-from-source, no pre-release feeds - just `dotnet tool install` from NuGet.
```
GauntletCI-Demo/
├── src/OrderService/                 # sample .NET 8 app
├── tests/OrderService.Tests/         # xUnit tests for the sample app
├── scenarios/                        # canonical demo scenarios (22 total)
│   ├── 01-safe-typo-fix/             # tier 1 - control + 5 headline rules
│   ├── 02-silent-catch/
│   ├── 03-hardcoded-secret/
│   ├── 04-breaking-api-change/
│   ├── 05-pii-logging/
│   ├── 06-concurrency-race/
│   ├── 07-magic-connection-string/   # tier 2 - one rule per scenario
│   ├── 08-undisposed-httpclient/
│   ├── 09-insecure-random-token/
│   ├── 10-sql-column-truncation/
│   ├── 11-float-money-equality/
│   ├── 12-missing-null-guard/
│   ├── 13-throw-bare-exception/
│   ├── 14-todo-in-payment-flow/
│   ├── 15-non-idempotent-retry/
│   ├── 16-tolist-in-loop/
│   ├── 17-captive-dependency/
│   ├── 18-dependabot-api-drift/
│   ├── 19-access-control-drop/       # tier 3 - behavioral regressions
│   ├── 20-audit-log-inversion/
│   ├── 21-static-mutation-async/
│   └── 22-breaking-api-contract/
├── .github/workflows/
│   ├── gauntlet.yml                  # PR check that runs GauntletCI
│   ├── reopen-scenarios.yml          # rebuilds scenario branches on demand
│   ├── codeql.yml                    # CodeQL security analysis
│   ├── semgrep.yml                   # Semgrep pattern scanning
│   ├── stylecop.yml                  # StyleCop enforcement
│   ├── snyk.yml                      # Snyk dependency scanning
│   └── gauntletci.yml                # GauntletCI behavioral analysis
├── scripts/reopen-scenarios.sh       # logic for the rebuild workflow
├── DEMO_FINDINGS.md                  # multi-tool findings comparison
├── COMPETITOR_COMPARISON.md          # detailed tool analysis
├── HYBRID_DEMO_IMPLEMENTATION.md     # CI/CD pipeline documentation
├── .gauntletci.json                  # GauntletCI rule configuration
├── .gauntletci-ignore                # path-scoped rule suppressions
└── OrderService.sln
```
- Website: https://gauntletci.com
- Source: https://github.com/EricCogen/GauntletCI
- Docs: https://gauntletci.com/docs
- Issues / questions: https://github.com/EricCogen/GauntletCI/issues
MIT - see LICENSE.