SonarLint for Visual Studio CodeSonarLint is a free IDE extension that lets you fix coding issues before they exist! Like a spell checker, SonarLint highlights Bugs and Security Vulnerabilities as you write code, with clear remediation guidance so you can fix them before the code is even committed. SonarLint in VS Code supports analysis of C, C++, HTML, Java, JavaScript, PHP, Python and TypeScript, and you can install it directly from the VS Code Marketplace! How it worksSimply open any source file, start coding, and you will start seeing issues reported by SonarLint. Issues are highlighted in your code, and also listed in the 'Problems' panel. You can access the detailed rule description directly from your editor, using the provided contextual menu. Static Analysis RulesOut of the box, SonarLint automatically checks your code against the following rules:
The full list of available rules is visible in the SONARLINT RULES view in the SonarLint view container, where you can activate and deactivate rules to match your conventions. SonarLint will also show a code action on each issue to quickly deactivate the corresponding rule. RequirementsThe SonarLint language server needs a Java Runtime (JRE) 11+. On the following platforms, SonarLint comes with its own Java runtime:
On other platforms and if a Java runtime is already installed on your computer, SonarLint should automatically find and use it. Here is how SonarLint will search for an installed JRE (in priority order):
SonarLint then uses the first JRE found in these steps to check its version. If a suitable JRE cannot be found at those places, SonarLint will ask for your permission to download and manage its own version. JS/TS analysis specific requirementsTo analyze JavaScript and TypeScript code, SonarLint requires Node.js executable. The minimal supported version is
Analysis of TypeScript in Connected Mode with SonarQube requires the server to use version 8.1 or above. C and C++ analysis specific requirementsTo analyze C and C++ code, SonarLint requires compile commands json file:
Note: if you are using Microsoft compiler, the environment should be ready to build the code. For example, by launching VS Code from your Visual Studio Command Prompt Java analysis specific requirementsTo enable the support for Java analysis, you need the Language support for Java VSCode extension (version 0.56.0 or higher). You also need to be in standard mode. Apex analysis specific requirementsThe support for Apex analysis is only available together with SonarQube Enterprise Edition or SonarCloud (see Connected Mode below). You also need the Salesforce Extension Pack VSCode extension. PL/SQL analysis specific requirementsThe support for PL/SQL analysis is only available together with SonarQube Developer Edition or SonarCloud (see Connected Mode below). You also need the Oracle Developer Tools for VS Code extension. Jupyter notebooksSonarLint for VS Code v3.16+ supports analysis of Python code inside Jupyter notebooks. See the documentation page for details. Injection vulnerabilities specific requirementsSecurity vulnerabilities requiring taint engine analysis (taint vulnerabilities) are only available in Connected Mode because SonarLint pulls them from SonarQube or SonarCloud following a project analysis. To browse injection vulnerabilities in SonarLint for VSCode, establish Connected Mode with your SonarQube Developer Edition (and above) or SonarCloud instance. Once a Project Binding is configured, SonarLint will synchronize with the SonarQube or SonarCloud server to report the detected injection vulnerabilities. More information about security-related rules is available in the SonarQube or SonarCloud documentation. Security Hotspots in SonarLint In SonarLint for VS Code 3.14 and above, local detection of Security Hotspots is enabled if you are using Connected Mode with SonarQube 9.7 or above. From version 3.18+, Security Hotspots are also found when bound to a project in SonarCloud. Please see the documentation for more details. Secrets detectionSecrets are pieces of user-specific or system-level credentials that should be protected and accessible to legitimate users only. SonarLint detects exposed Secrets in your source code and language-agnostic config files. When running in Connected Mode, the SonarQube or SonarCloud Quality Profiles are applied to locally detected Secrets. Connected ModeYou can connect SonarLint to SonarQube 7.9+/SonarCloud by binding your VSCode workspace folder to your SonarQube/SonarCloud project(s), and benefit from the same rules and settings that are used to inspect your project on the server. SonarLint in VSCode then hides Won’t Fix and False Positive issues in any file from a bound folder. While in Connected Mode, SonarLint receives notifications from SonarQube/SonarCloud about your Quality Gate changes and new issues. Notifications can be enabled or disabled from the UI while creating or editing the connection settings. For editing notifications in previous versions, please see SonarLint Versions 3.5.4 and Lower. Note that Connected Mode notifications are not available in the SonarQube Community Editions 8.6 and earlier. When running in Connected Mode with SonarQube 8.6 and above, and browsing a security hotspot, a button will be available offering to open the hotspot in SonarLint (with SonarLint already running in VSCode). Limitation: this feature relies on local communication between your web browser and SonarLint, and consequently is not available in some remote environments such as GitPod, or GitHub CodeSpaces. Connected Mode will also unlock your analysis of these languages: When configuring Connected Mode, follow the Connection Setup instructions below. Connection SetupIn SonarLint v3.6 and above for VSCode, to set up SonarQube/SonarCloud connections, open a SONARLINT CONNECTED MODE view in VSCode. ![]() Select either Add SonarQube Connection or Add SonarCloud Connection, and complete the fields. ![]() For SonarQube connections, provide your SonarQube Server URL and User Token. For SonarCloud connections, provide your Organization Key and User Token. User Tokens should be generated on the SonarQube/SonarCloud side and pasted in the User Token field. User Token can be generated using these pages:
Connection Name is a friendly name for your connections. In the case of multiple connections, it also acts as a In SonarLint for VSCode v3.6 and above, notifications can be enabled or disabled here, or from the UI while creating or editing the connection setting. Action buttons in the UI used to edit/delete existing, or create additional connections will be revealed when hovering over each connection (see next image). Select Save Connection and verify that the new connection was set up successfully in the Connected Mode view. To set up a Connected Mode for SonarLint v3.5.4 and lower, please see the relevant wiki for Connection Setup. Project BindingSonarLint keeps server-side data in a local storage. If you change something on the server such as the Quality Profile, SonarLint will automatically attempt to synchronize with configured servers at startup & once every hour, and will do its best to synchronize with the most appropriate branch from the server. Additionally, you can trigger an update of the local storage using the "SonarLint: Update all project bindings to SonarQube/SonarCloud" command on the command palette (search for "sonarlint"). Project Binding SetupFrom v3.10, SonarLint for VSCode tries to automatically detect a remote SonarQube/SonarCloud project to bind with the locally opened workspace folder. If the locally opened folder contains a If no remote match is found, you will be prompted to configure binding manually. To manually configure a project binding, navigate to the SONARLINT CONNECTED MODE view in the VSCode Explorer and select Add Project Binding to add the desired connection. ![]() If your open workspace contains multiple folders, you will be prompted to choose a specific folder. ![]() After selecting the folder, choose the remote SonarQube/SonarCloud project you would like to bind. ![]() Select the desired project and enjoy Connected Mode! You can also edit/delete bindings from the SONARLINT CONNECTED MODE view. ![]() Action buttons in the UI used to edit/delete existing, or create additional bindings will be revealed when hovering over each connection. Connected Mode and Bindings in SonarLint Version 3.7 or earlierFor earlier versions, please see the relevant wiki to configure your Connection Setup. Other settingsIt is possible to specify extra analyzer properties that will be used for analysis. Example:
ContributionsHave a need in SonarLint that’s not being met? Or not being met well? Ever wish you could talk directly to the Product Manager? Well now’s your chance! Congratulations, you are SonarLint’s Product Manager for a day. If you would like to see a new feature, please create a new thread in the Community Forum here, under "Product Manager for a Day". Please read here about why we deprecated the "Suggest New Features" category on the Community Forum. The truth is that it's extremely difficult for someone outside SonarSource to comply with our roadmap and expectations. Therefore, we typically only accept minor cosmetic changes and typo fixes. With that in mind, if you would like to submit a code contribution, please create a pull request for this repository. Please explain your motives to contribute: what problem you are trying to fix, what improvement you are trying to make. Make sure that you follow our code style and all tests are passing. Have Questions or Feedback?For SonarLint support questions ("How do I?", "I got this error, why?", ...), please first read the FAQ and then head to the SonarSource forum. There are chances that a question similar to yours has already been answered. Be aware that this forum is a community, so the standard pleasantries ("Hi", "Thanks", ...) are expected. And if you don't get an answer to your thread, you should sit on your hands for at least three days before bumping it. Operators are not standing by. :-) Issue tracker (read-only): https://jira.sonarsource.com/browse/SLVSCODE LicenseCopyright 2017-2023 SonarSource. Licensed under the GNU Lesser General Public License, Version 3.0 Data and telemetryThis extension collects anonymous usage data and sends it to SonarSource to help improve SonarLint functionality. No source code nor IP address is collected, and SonarSource does not share the data with anyone else. Collection of telemetry is controlled via the setting: |