A live, runnable showcase of GauntletCI, a deterministic pre-commit risk detector for .NET, operating on real GitHub pull requests.

Main repository: https://github.com/EricCogen/GauntletCI. Website: https://gauntletci.com
This repo is not a working application. It is a controlled demonstration environment whose only purpose is to let you see GauntletCI's output on realistic code changes, without installing anything yourself.
It contains:
- A small but realistic .NET 8 sample app (`OrderService`, a payment processing service with a payment client and an order processor), so the diffs being analyzed look like code you'd actually write.
- A GitHub Actions workflow (`.github/workflows/gauntlet.yml`) that installs the published GauntletCI tool from NuGet on every PR and runs it against the PR diff, posting findings as inline annotations, PR review comments, and a Checks API verdict.
- A library of canonical demo scenarios under `scenarios/`. Each scenario is a deliberate code change (silent exception swallow, hardcoded secret, breaking API change, PII in logs, concurrency race, and a no-op control) that exercises a different GauntletCI rule.
- A `workflow_dispatch` action (`.github/workflows/reopen-scenarios.yml`) that rebuilds every scenario branch and reopens its PR on demand. This lets the demo regenerate itself against the latest published tool version without manual git work.
It is not:
- A production-quality reference architecture for `OrderService`.
- A place to file GauntletCI bugs or feature requests; please use the main repo's issues.
- A substitute for real-world testing on your own codebase. Run `gauntletci analyze` on your own diffs to see findings tuned to your code.
A note on fake secrets in this repo. Demo scenarios that need to embed a credential-shaped literal (e.g. `03-hardcoded-secret`) use the namespaced pattern `gci_demo_{hex}`. This format is intentionally chosen so it does not match any real provider's secret-scanning rules, while still being exactly the shape GauntletCI's `GCI0012` rule looks for. There are no real credentials anywhere in this repository.
Why we recommend running it yourself. This repo's canonical PRs are intentionally read-only: we keep them as a stable, predictable showcase rather than letting visitors mutate them. To experiment freely (try your own diffs, edit scenarios, see what triggers what), clone or fork and run the demo on your own copy. The two paths below cover both styles.
This is the headline experience: you own the repo state, you control the runs, you can poke at anything without breaking the demo for the next visitor.
Prerequisites (both paths):
- .NET 8 SDK: install from https://dotnet.microsoft.com/download/dotnet/8.0 (the demo CI uses `8.0.x`)
- Git: any recent version
- A GitHub account: only required for the fork path
1. Fork `EricCogen/GauntletCI-Demo` to your account.
2. Enable Actions on your fork. GitHub disables workflows on new forks by default. In your fork, click the Actions tab. If you see the banner "Workflows aren't being run on this forked repository", click "I understand my workflows, go ahead and enable them". The reopen-scenarios workflow will not appear until you do this.
3. Go to Actions → Reopen demo scenarios → Run workflow.
4. Type `all` (or a single scenario folder name like `03-hardcoded-secret`) into the input and click Run workflow.
5. Expect ~2 minutes for the first run: the workflow rebuilds the `demo/*` branches and opens one PR per scenario. Each PR then triggers `gauntlet.yml`, which installs the published GauntletCI tool from NuGet (~30 s) and runs it on the diff (~5 s).
6. Open any of the new PRs in your fork to see the Files Changed annotations, Conversation review summary, and Checks verdict.

Note: `secrets.DEMO_PR_TOKEN` is optional. If your fork doesn't have it, the workflow falls back to the built-in `GITHUB_TOKEN` and PRs are authored by `github-actions[bot]` instead of a custom identity.
Did it work?
- Expected: a fresh batch of PRs titled `demo: <scenario-id>` appears in your fork's Pull requests tab, each with a green or red GauntletCI check (matching the verdict in `scenarios/<id>/README.md`).
- No PRs appeared: most often the Actions tab still has the disable banner. Re-check step 2.
- Workflow failed in the `Install GauntletCI` step: usually a transient NuGet outage. Re-run from the Actions tab.
- Workflow failed in the `Open PR` step with 403: your fork has branch protection on `main` that blocks the bot. Either remove the rule or set `DEMO_PR_TOKEN` to a PAT that can bypass it.
The second path, cloning the repo and running the tool locally, is fastest if you already have the .NET 8 SDK on your machine.
bash / macOS / Linux:

```bash
git clone https://github.com/EricCogen/GauntletCI-Demo.git
cd GauntletCI-Demo
# Install the published tool
dotnet tool install -g GauntletCI
# Build the sample app
dotnet build
# Apply a scenario locally and analyze the staged diff
cp -r scenarios/02-silent-catch/files/. .
git add -A
gauntletci analyze --staged
```

PowerShell / Windows:

```powershell
git clone https://github.com/EricCogen/GauntletCI-Demo.git
Set-Location GauntletCI-Demo
# Install the published tool
dotnet tool install -g GauntletCI
# Build the sample app
dotnet build
# Apply a scenario locally and analyze the staged diff
Copy-Item -Recurse -Force scenarios/02-silent-catch/files/* .
git add -A
gauntletci analyze --staged
```

You'll get the same findings GauntletCI would produce in CI, in under a second, on your own machine.
Did it work?
- Expected: console output ending in a `Block` verdict, with a `[GCI0007] Error Handling Integrity` finding pointing at the silent `catch { }` block that the scenario introduces.
- `gauntletci: command not found`: the dotnet global tools folder isn't on your `PATH`. Either restart your shell or add `$HOME/.dotnet/tools` (Unix) / `%USERPROFILE%\.dotnet\tools` (Windows) to `PATH`.
- `error: pathspec 'scenarios/02-silent-catch/files/.' did not match any file(s)`: you're not in the repo root. Run `cd GauntletCI-Demo` first.
- Tool installs but `analyze --staged` reports `0 findings`: the scenario files weren't actually staged. Check `git status` and re-run `git add -A`.
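The local path above applies one scenario and leaves its overlay staged in your working tree. The script below is an added example, not part of the GauntletCI-Demo repo: it walks every folder under `scenarios/` that has a `files/` overlay, runs the same `gauntletci analyze --staged` step on each, and restores the committed state between runs so one scenario never bleeds into the next. It assumes a clean clone, that you run it from the repo root, and that `gauntletci` is on `PATH`; how the tool's exit status maps to a verdict is an assumption, so compare the printed status with each `scenarios/<id>/README.md`.

```shell
#!/bin/sh
# Added example, not part of the GauntletCI-Demo repo: apply every scenario
# overlay in turn, run the same local analysis the README shows, and put the
# working tree back so the next scenario starts from the committed state.
# Assumes: run from the repo root of a clean clone, `gauntletci` on PATH.
set -eu

# Print the ids of scenario folders under $1 that carry a files/ overlay.
list_scenarios() {
  root="$1"
  for d in "$root"/*/; do
    [ -d "${d}files" ] || continue         # skip folders without an overlay
    basename "$d"
  done
}

# Apply one overlay, stage it, analyze, then restore the committed state.
# The exit status of `gauntletci analyze` is reported, not interpreted:
# how it maps to a Block/Clean verdict is an assumption, so compare it
# against scenarios/<id>/README.md.
run_scenario() {
  root="$1"; id="$2"; status=0
  cp -r "$root/$id/files/." .
  git add -A
  gauntletci analyze --staged || status=$?
  git reset --hard -q HEAD                 # drop the staged overlay edits
  git clean -fdq                           # remove files the overlay added
  printf '%s exit=%s\n' "$id" "$status"
}

# Refuse to run unless the tree is clean: the restore step is destructive.
run_all_scenarios() {
  root="${1:-scenarios}"
  [ -d "$root" ] || { echo "no $root/ here: run from the repo root" >&2; return 1; }
  [ -z "$(git status --porcelain)" ] || { echo "working tree not clean" >&2; return 1; }
  for id in $(list_scenarios "$root"); do
    run_scenario "$root" "$id"
  done
}

# Usage: sh run-scenarios.sh scenarios
if [ "$#" -gt 0 ]; then run_all_scenarios "$1"; fi
```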
If you just want to see what the tool produces without setting anything up:
- Open the Pull Requests tab.
- Pick any open PR labelled `demo:*`.
- Look at:
  - The Files Changed tab: GauntletCI's inline annotations appear alongside the diff lines that triggered them.
  - The Conversation tab: GauntletCI posts a PR review summarising the findings, severity, and rationale.
  - The Checks tab: a GauntletCI check run shows the overall pass/fail verdict.

The expected verdict for each scenario is documented in its `scenarios/<id>/README.md` so you can compare what you see against what the tool was meant to catch.
The canonical PRs in this repo auto-heal: `reopen-scenarios.yml` runs on a weekly schedule and on every push to `main`, so the showcase stays in sync with the latest published GauntletCI version. To force a rebuild manually, go to Actions → Reopen demo scenarios → Run workflow.
| # | Scenario | Expected verdict | Rule(s) demonstrated |
|---|---|---|---|
| 01 | safe-typo-fix | Clean | (none: low-noise control) |
| 02 | silent-catch | Block | GCI0007 Error Handling Integrity |
| 03 | hardcoded-secret | Block | GCI0012 Security Risk |
| 04 | breaking-api-change | Block | GCI0004 Breaking Change Risk |
| 05 | pii-logging | | GCI0029 PII Logging Leak |
| 06 | concurrency-race | Block | GCI0016 Concurrency & State Risk |
A second wave of scenarios, each isolating a single GauntletCI rule on the same OrderService sample app. The verdict for every Tier 2 entry is Fails (the change exists to trip exactly one rule).
| # | Scenario | Rule demonstrated |
|---|---|---|
| 07 | magic-connection-string | GCI0010 Hardcoding and Configuration |
| 08 | undisposed-httpclient | GCI0024 Resource Lifecycle |
| 09 | insecure-random-token | GCI0048 Insecure Random in Security Context |
| 10 | sql-column-truncation | GCI0050 SQL Column Truncation Risk |
| 11 | float-money-equality | GCI0049 Float/Double Equality Comparison |
| 12 | missing-null-guard | GCI0006 Edge Case Handling |
| 13 | throw-bare-exception | GCI0032 Uncaught Exception Path |
| 14 | todo-in-payment-flow | GCI0042 TODO/Stub Detection |
| 15 | non-idempotent-retry | GCI0022 Idempotency & Retry Safety |
| 16 | tolist-in-loop | GCI0044 Performance Hotpath Risk |
| 17 | captive-dependency | GCI0038 Dependency Injection Safety |
| 18 | dependabot-api-drift | GCI0052 Dependency Bot API Drift |
Each scenario folder contains:
- `README.md`: what the change is and what verdict to expect
- `files/`: the overlay files that get copied onto `main` to construct the demo branch
The CI workflow uses the same install path real users follow, so the demo also serves as a smoke test of the published tool:

```yaml
- run: dotnet tool install -g GauntletCI
- run: |
    gauntletci analyze \
      --commit ${{ github.event.pull_request.head.sha }} \
      --no-banner \
      --github-annotations \
      --github-pr-comments \
      --github-checks
```

No build-from-source, no pre-release feeds: just `dotnet tool install` from NuGet.
```text
GauntletCI-Demo/
├── src/OrderService/              # sample .NET 8 app
├── tests/OrderService.Tests/      # xUnit tests for the sample app
├── scenarios/                     # canonical demo scenarios (18 total)
│   ├── 01-safe-typo-fix/          # tier 1: control + 5 headline rules
│   ├── 02-silent-catch/
│   ├── 03-hardcoded-secret/
│   ├── 04-breaking-api-change/
│   ├── 05-pii-logging/
│   ├── 06-concurrency-race/
│   ├── 07-magic-connection-string/ # tier 2: one rule per scenario
│   ├── 08-undisposed-httpclient/
│   ├── 09-insecure-random-token/
│   ├── 10-sql-column-truncation/
│   ├── 11-float-money-equality/
│   ├── 12-missing-null-guard/
│   ├── 13-throw-bare-exception/
│   ├── 14-todo-in-payment-flow/
│   ├── 15-non-idempotent-retry/
│   ├── 16-tolist-in-loop/
│   ├── 17-captive-dependency/
│   └── 18-dependabot-api-drift/
├── .github/workflows/
│   ├── gauntlet.yml               # PR check that runs GauntletCI
│   └── reopen-scenarios.yml       # rebuilds scenario branches on demand
├── scripts/reopen-scenarios.sh    # logic for the rebuild workflow
├── .gauntletci.json               # GauntletCI rule configuration
├── .gauntletci-ignore             # path-scoped rule suppressions
└── OrderService.sln
```
- Website: https://gauntletci.com
- Source: https://github.com/EricCogen/GauntletCI
- Docs: https://gauntletci.com/docs
- Issues / questions: https://github.com/EricCogen/GauntletCI/issues

MIT; see LICENSE.