• Stars
    star
    498
  • Rank 88,494 (Top 2 %)
  • Language
    CSS
  • License
    GNU Lesser Genera...
  • Created over 7 years ago
  • Updated 11 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

SonarLint for Visual Studio Code

SonarLint for Visual Studio Code

SonarLint is a free IDE extension that empowers you to fix coding issues before they exist. More than a linter, SonarLint detects and highlights issues that can lead to bugs, vulnerabilities, and code smells as you create your code. It offers clear remediation guidance and educational help, so you can fix issues before the code is committed. SonarLint in VS Code supports analysis of JS/TS, Python, PHP, Java, C, C++, Go, and IaC code locally in your IDE. Use with SonarQube & SonarCloud for optimal team performance, and additional benefits.

Check the SonarLint for VS Code documentation for the most up-to-date requirements, installation instructions, and feature details.

How it works

Simply open any source file, start coding, and you will start seeing issues reported by SonarLint. Issues are highlighted in your code, and also listed in the 'Problems' panel.

sonarlint on-the-fly

You can access the detailed rule description directly from your editor, using the provided contextual menu.

rule description

Static Analysis Rules

Out of the box, SonarLint automatically checks your code against the following rules:

The full list of available rules is visible in the SONARLINT RULES view in the SonarLint view container, where you can activate and deactivate rules to match your conventions. SonarLint will also show a code action on each issue to quickly deactivate the corresponding rule.

Requirements

The SonarLint language server needs a Java Runtime (JRE) 11+.

On the following platforms, SonarLint comes with its own Java runtime:

  • Windows x86-64
  • Linux x86-64
  • macOS x86-64 (Intel Macs) and arm-64 (Apple Silicon Macs)

On other platforms and if a Java runtime is already installed on your computer, SonarLint should automatically find and use it. Here is how SonarLint will search for an installed JRE (in priority order):

  1. the sonarlint.ls.javaHome variable in VS Code settings if set. For instance:

    {
      "sonarlint.ls.javaHome": "C:\\Program Files\\Java\\jre-11.0.11"
    }
  2. embedded JRE for platform-specific installations

  3. the value of the JDK_HOME environment variable if set

  4. the value of the JAVA_HOME environment variable if set

  5. on Windows the registry is queried

  6. if a JRE is still not found then:

    1. the PATH is scanned for javac
    2. on macOS, the parent directory of javac is checked for a java_home binary. If that binary exists then it is executed and the result is used
    3. the grandparent directory of javac is used. This is similar to $(dirname $(dirname $(readlink $(which javac))))

SonarLint then uses the first JRE found in these steps to check its version.

If a suitable JRE cannot be found at those places, SonarLint will ask for your permission to download and manage its own version.

JS/TS analysis specific requirements

To analyze JavaScript and TypeScript code, SonarLint requires Node.js executable. The minimal supported version is 14.17.0 for standalone analysis or Connected Mode with SonarCloud. For Connected Mode with SonarQube, it depends on the version of the JS/TS analyzer on your SonarQube server. SonarLint will attempt to automatically locate node, or you can force the location using:

{
  "sonarlint.pathToNodeExecutable": "/home/yourname/.nvm/versions/node/v14.17.0/bin/node"
}

Analysis of TypeScript in Connected Mode with SonarQube requires the server to use version 8.1 or above.

C and C++ analysis specific requirements

To analyze C and C++ code, SonarLint requires compile commands json file:

{
  "sonarlint.pathToCompileCommands": "/home/yourname/repos/proj/compile_commands.json"
}

Note: if you are using Microsoft compiler, the environment should be ready to build the code. For example, by launching VS Code from your Visual Studio Command Prompt

Java analysis specific requirements

To enable the support for Java analysis, you need the Language support for Java VSCode extension (version 0.56.0 or higher). You also need to be in standard mode.

Apex analysis specific requirements

The support for Apex analysis is only available together with SonarQube Enterprise Edition or SonarCloud (see Connected Mode below). You also need the Salesforce Extension Pack VSCode extension.

PL/SQL analysis specific requirements

The support for PL/SQL analysis is only available together with SonarQube Developer Edition or SonarCloud (see Connected Mode below). You also need the Oracle Developer Tools for VS Code extension.

COBOL analysis specific requirements

The support for COBOL analysis is only available together with SonarQube Enterprise Edition or SonarCloud (see Connected Mode below). You also need an extension that declares the COBOL language; SonarLint has been tested with the IBM Z Open Editor and Micro Focus COBOL extensions.

Jupyter notebooks

SonarLint for VS Code v3.16+ supports analysis of Python code inside Jupyter notebooks. See the documentation page for details.

Injection vulnerabilities specific requirements

Security vulnerabilities requiring taint engine analysis (taint vulnerabilities) are only available in Connected Mode because SonarLint pulls them from SonarQube or SonarCloud following a project analysis.

To browse injection vulnerabilities in SonarLint for VSCode, establish Connected Mode with your SonarQube Developer Edition (and above) or SonarCloud instance. Once a Project Binding is configured, SonarLint will synchronize with the SonarQube or SonarCloud server to report the detected injection vulnerabilities.

More information about security-related rules is available in the SonarQube or SonarCloud documentation.

Security Hotspots in SonarLint

In SonarLint for VS Code 3.14 and above, local detection of Security Hotspots is enabled if you are using Connected Mode with SonarQube 9.7 or above. From version 3.18+, Security Hotspots are also found when bound to a project in SonarCloud.

Please see the documentation for more details.

Secrets detection

Secrets are pieces of user-specific or system-level credentials that should be protected and accessible to legitimate users only. SonarLint detects exposed Secrets in your source code and language-agnostic config files. When running in Connected Mode, the SonarQube or SonarCloud Quality Profiles are applied to locally detected Secrets.

Connected Mode

You can connect SonarLint to SonarQube 7.9+/SonarCloud by binding your VSCode workspace folder to your SonarQube/SonarCloud project(s), and benefit from the same rules and settings that are used to inspect your project on the server. SonarLint in VSCode then hides Won’t Fix and False Positive issues in any file from a bound folder.

While in Connected Mode, SonarLint receives notifications from SonarQube/SonarCloud about your Quality Gate changes and new issues. Notifications can be enabled or disabled from the UI while creating or editing the connection settings. For editing notifications in previous versions, please see SonarLint Versions 3.5.4 and Lower. Note that Connected Mode notifications are not available in the SonarQube Community Editions 8.6 and earlier.

When running in Connected Mode with SonarQube 8.6 and above, and browsing a security hotspot, a button will be available offering to open the hotspot in SonarLint (with SonarLint already running in VSCode). Limitation: this feature relies on local communication between your web browser and SonarLint, and consequently is not available in some remote environments such as GitPod, or GitHub CodeSpaces.

Connected Mode will also unlock your analysis of these languages:

When configuring Connected Mode, follow the Connection Setup instructions below.

Connection Setup

In v3.8 and above of SonarLint for VSCode, to set up SonarQube/SonarCloud connections, navigate to the SONARLINT > CONNECTED MODE view container in the VS Code Activity Bar.

Empty Connected Mode View

Select either Add SonarQube Connection or Add SonarCloud Connection, and complete the fields.

Create Connection View

For SonarQube connections, provide your SonarQube Server URL and User Token. For SonarCloud connections, provide your Organization Key and User Token. User Tokens should be generated on the SonarQube/SonarCloud side and pasted in the User Token field.

User Token can be generated using these pages:

  • SonarQube - https://<your-sonarqube-url>/account/security/
  • SonarCloud - https://sonarcloud.io/account/security/

Connection Name is a friendly name for your connections. In the case of multiple connections, it also acts as a connectionId.

In SonarLint for VSCode v3.6 and above, notifications can be enabled or disabled here, or from the UI while creating or editing the connection setting. Action buttons in the UI used to edit/delete existing, or create additional connections will be revealed when hovering over each connection (see next image).

Select Save Connection and verify that the new connection was set up successfully in the Connected Mode view.

To set up a Connected Mode for SonarLint v3.5.4 and lower, please see the relevant wiki for Connection Setup.

Project Binding

SonarLint keeps server-side data in a local storage. If you change something on the server such as the Quality Profile, SonarLint will automatically attempt to synchronize with configured servers at startup & once every hour, and will do its best to synchronize with the most appropriate branch from the server. Additionally, you can trigger an update of the local storage using the "SonarLint: Update all project bindings to SonarQube/SonarCloud" command on the command palette (search for "sonarlint").

Project Binding Setup

From v3.10, SonarLint for VSCode tries to automatically detect a remote SonarQube/SonarCloud project to bind with the locally opened workspace folder. If the locally opened folder contains a sonar-project.properties or a .sonarcloud.properties file, SonarLint will try to configure the binding with the remote project defined in that configuration file.

If no remote match is found, you will be prompted to configure binding manually.

To manually configure a project binding, open the CONNECTED MODE view and select Add Project Binding for the desired connection.

Add Project Binding

If your open workspace contains multiple folders, you will be prompted to choose a specific folder.

Select Folder

After selecting the folder, choose the remote SonarQube/SonarCloud project you would like to bind.

Select Project

Select the desired project and enjoy Connected Mode! You can also edit or delete bindings from the CONNECTED MODE view.

Edit Binding

Edit Binding

Action buttons in the UI used to edit/delete existing, or create additional bindings will be revealed when hovering over each connection.

Connected Mode and Bindings in SonarLint Version 3.7 or earlier

For earlier versions, please see the relevant wiki to configure your Connection Setup.

Other settings

It is possible to specify extra analyzer properties that will be used for analysis. Example:

// In project/.vscode/settings.json
{
  "sonarlint.analyzerProperties": {
    "sonar.javascript.node.maxspace": "4096"
  }
}

Contributions

Have a need in SonarLint that’s not being met? Or not being met well? Ever wish you could talk directly to the Product Manager? Well now’s your chance! Congratulations, you are SonarLint’s Product Manager for a day. If you would like to see a new feature, please create a new thread in the Community Forum here, under "Product Manager for a Day".

Please read here about why we deprecated the "Suggest New Features" category on the Community Forum. The truth is that it's extremely difficult for someone outside SonarSource to comply with our roadmap and expectations. Therefore, we typically only accept minor cosmetic changes and typo fixes.

With that in mind, if you would like to submit a code contribution, please create a pull request for this repository. Please explain your motives to contribute: what problem you are trying to fix, what improvement you are trying to make.

Make sure that you follow our code style and all tests are passing.

Have Questions or Feedback?

For SonarLint support questions ("How do I?", "I got this error, why?", ...), please first read the FAQ and then head to the SonarSource forum. There are chances that a question similar to yours has already been answered.

Be aware that this forum is a community, so the standard pleasantries ("Hi", "Thanks", ...) are expected. And if you don't get an answer to your thread, you should sit on your hands for at least three days before bumping it. Operators are not standing by. :-)

Issue tracker (read-only): https://jira.sonarsource.com/browse/SLVSCODE

License

Copyright 2017-2023 SonarSource.

Licensed under the GNU Lesser General Public License, Version 3.0

Data and telemetry

This extension collects anonymous usage data and sends it to SonarSource to help improve SonarLint functionality. No source code nor IP address is collected, and SonarSource does not share the data with anyone else. Collection of telemetry is controlled via the setting: sonarlint.disableTelemetry. Click here to see a sample of the data that are collected.

More Repositories

1

sonarqube

Continuous Inspection
Java
8,163
star
2

docker-sonarqube

🐳 SonarQube in Docker
Dockerfile
1,287
star
3

eslint-plugin-sonarjs

SonarJS rules for ESLint
TypeScript
1,148
star
4

sonar-java

☕ SonarSource Static Analyzer for Java Code Quality and Security
Java
1,042
star
5

SonarJS

SonarSource Static Analyzer for JavaScript and TypeScript
TypeScript
958
star
6

sonar-scanning-examples

Shows how to use the Scanners
COBOL
809
star
7

SonarTS

Static code analyzer for TypeScript
Shell
763
star
8

sonar-dotnet

Code analyzer for C# and VB.NET projects https://redirect.sonarsource.com/plugins/vbnet.html
C#
664
star
9

sonarcloud-github-action

Integrate SonarCloud code analysis to GitHub Actions
Shell
571
star
10

sonarlint-intellij

SonarLint for IntelliJ
Java
553
star
11

sonarlint-visualstudio

SonarLint extension for VisualStudio
C#
426
star
12

sonar-php

🐘 SonarPHP: PHP static analyzer for SonarQube & SonarLint
Java
360
star
13

sonar-scanner-msbuild

SonarScanner for .NET
C#
335
star
14

sonar-scanner-cli

Scanner CLI for SonarQube and SonarCloud
Java
331
star
15

sonarlint-eclipse

SonarLint for Eclipse
Java
256
star
16

helm-chart-sonarqube

Mustache
221
star
17

sonar-custom-rules-examples

Shows how to bootstrap a project to write custom rules for PHP, Python, Cobol, RPG
Java
217
star
18

sonar-python

🐍 SonarQube Python plugin
Java
214
star
19

sonarlint-core

Core library to run SonarLint analysis
Java
210
star
20

sonar-scanner-cli-docker

Docker image for SonarScanner CLI
Shell
182
star
21

sonar-scanner-jenkins

SonarQube Scanner for Jenkins
Java
173
star
22

sonarqube-scan-action

Shell
165
star
23

sonar-scanner-gradle

SonarQube Scanner for Gradle
Java
162
star
24

sonar-scanner-maven

SonarQube Scanner for Maven
Java
135
star
25

sonar-custom-plugin-example

Shows how to write a SonarQube plugin
JavaScript
121
star
26

sonar-go

SonarGo: Go Analyzer for SonarQube
Java
119
star
27

sonar-scanner-commons

Common Java library used by many SonarScanners
Java
107
star
28

sonar-kotlin

SonarSource Static Analyzer for Kotlin Code Quality and Security
Kotlin
93
star
29

sonar-scanner-vsts

SonarQube TFS/VSTS Marketplace Extension
TypeScript
91
star
30

slang

Java
86
star
31

sonarqube-roslyn-sdk

SDK for SonarQube Roslyn Analyzer Plugins
C#
77
star
32

sonarlint-cli

SonarLint for CLI
Java
76
star
33

sonar-github

SonarQube GitHub Plugin (deprecated)
Java
72
star
34

sslr

SonarSource Language Recognizer
Java
71
star
35

sonarlint-language-server

Language Server for SonarLint VSCode
Java
69
star
36

sonarqube-quality-gate-action

Shell
61
star
37

sonar-.net-documentation

Documentation targeting the .Net community explaining how to install and use SonarQube to analyse .Net projects
50
star
38

sonar-html

Static analyzer for HTML used in Sonar ecosystem
Java
47
star
39

mysql-migrator

Command line tool to migrate MySQL database of SonarQube 6.7-7.8 to non-MySQL
Java
38
star
40

sonar-training-examples

Java
38
star
41

sonar-loc-count

PowerShell
37
star
42

local-travis

🐳 Run travis builds on a developer workstation
Shell
37
star
43

sonar-jacoco

SonarQube JaCoCo Plugin
Java
36
star
44

sonar-developer-toolset

Developer Toolset for Sonar-* Projects
Shell
35
star
45

rspec

Rule Specification
TypeScript
34
star
46

argument-injection-vectors

A curated list of argument injection vectors
HTML
32
star
47

sonar-ldap

🏬 LDAP Plugin for SonarQube
Java
31
star
48

sonar-xml

Java
30
star
49

SonarTS-example

TypeScript
27
star
50

sq-com_example_standard-sqscanner-travis

Standard SQ-Scanner-based project analyzed on SonarCloud using Travis
PHP
26
star
51

sonar-update-center-properties

Shell
25
star
52

sonar-auth-bitbucket

Bitbucket Authentication for SonarQube
Java
24
star
53

sonar-css

SonarCSS: CSS Analyzer for SonarQube
Java
23
star
54

sonar-analyzer-commons

Logic useful for a language plugin
Java
22
star
55

ebcdic-to-ascii-converter

Java
21
star
56

sonarlint-atom

SonarLint for Atom.io
JavaScript
21
star
57

sonar-plugin-api

API to develop plugins for SonarQube, SonarCloud and SonarLint
Java
19
star
58

sonar-auth-github

GitHub Authentication for SonarQube
Java
18
star
59

sq-com_example_java-maven-travis

Java Maven-based project analyzed on SonarCloud using Travis
Java
17
star
60

sonar-iac

Static Code Analyser for Infrastructure-as-Code languages such as CloudFormation and Terraform as well as DevOps like Docker and Kubernetes
Java
17
star
61

sonar-classloader

Toolbox for Java classloaders
Java
15
star
62

sonar-scm-git

Java
14
star
63

sonar-scanner-ant

SonarQube Scanner for Ant
Java
14
star
64

eslint-config-sonarqube

ESLint configuration for SonarQube and its plugins.
JavaScript
13
star
65

sq-com_example_c-sqscanner-travis

C SQ-Scanner-based project analyzed on SonarCloud using Travis
C
12
star
66

sonar-flex

ActionScript
12
star
67

sonarqube-webclient-dotnet

C#
11
star
68

sonarcloud-github-action-samples

Sample projects for the configuration of SonarCloud on GitHub Actions
11
star
69

sonar-scm-svn

SonarQube Plugin for SVN
Java
9
star
70

sonarcloud_examples

Listing of example projects analyzed on SonarCloud
9
star
71

sonarcloud-circleci-orb

Support of SonarScanner CLI in CircleCI
9
star
72

orchestrator

Java library for running SonarQube in tests
Java
9
star
73

sonar-update-center

Java
7
star
74

sonar-dev-maven-plugin

DEPRECATED - Maven plugin to deploy a plugin to a local SonarQube installation
Java
7
star
75

sq-com_example_java-gradle-travis

Java Gradle-based project analyzed on SonarCloud using Travis
Java
7
star
76

parent-oss

Parent file of public Maven projects
Shell
7
star
77

sslr-squid-bridge

Java
7
star
78

sonarcloud_example_go-sqscanner-travis

Go project analyzed on SonarCloud using Travis
Go
7
star
79

sonarjs-cli

[ ⛔️DEPRECATED] CLI for SonarJS
Java
7
star
80

travis-utils

Toolset for SonarSource jobs on Travis
Shell
7
star
81

pycon-sonar-workshop

PyCon US Sonar Workshop
Python
6
star
82

git-files-blame

A git command implemented with JGit that blames multiple files simultaneously
Java
6
star
83

sonar-text

sonar-text
Java
6
star
84

sonar-ui-common

Common UI lib for SonarQube and SonarCloud
TypeScript
5
star
85

sonar-auth-saml

SAML 2.0 Authentication for SonarQube
Java
5
star
86

websites

Deprecated - customers page of old wordpress website
HTML
5
star
87

python-test-sources

Python
5
star
88

sonarcloud_example_cpp-cmake-linux-travis

C++
5
star
89

sync-jira-github-action

Change status of JIRA tickets when opening and merging pull requests
JavaScript
5
star
90

sonar-dummy-oss

Java
4
star
91

sonarlint-website

HTML
4
star
92

sonarcloud-github-c-cpp

Integrate SonarCloud code analysis to GitHub Actions when build wrapper or relative paths support is required. Use https://github.com/SonarSource/sonarcloud-github-action otherwise
Shell
4
star
93

php-test-sources

PHP
3
star
94

public-git-sync

Private to public Git repository synchronization
Shell
3
star
95

sonarlint-omnisharp

Java
3
star
96

chocolatey-packages

PowerShell
3
star
97

javascript-test-sources

Used for https://github.com/SonarSource/SonarJS ruling
JavaScript
3
star
98

jsts-test-sources

TypeScript
3
star
99

license-headers

Source file headers of SonarSource projects
Shell
3
star
100

echoes-react

A React implementation of Echoes, Sonar's design system.
TypeScript
3
star