Catching Issues in the IDE with SonarLint

SonarLint is your first line of defense in keeping your code clean. It catches issues immediately, before you even commit them, right in the IDE.

SonarLint is a free IDE extension that integrates with SonarCloud. Like a spell checker, SonarLint highlights issues as you type. When an issue is identified, SonarLint provides you with clear remediation guidance so you can fix it before the code is even committed. In many cases, it also provides a quick fix that can automatically fix the issue for you.

Supported IDEs

SonarLint is available for:

Installing SonarLint

To install SonarLint, click the download link above for your IDE and follow the instructions.

Next, set up the connection between SonarLint and your SonarCloud account:

Though SonarLint can run in standalone mode, we highly recommend that you configure the connection to SonarCloud. Connected mode provides a number of additional valuable features.

Using SonarLint

Simply open a file of a supported language and start coding, and you will start seeing issues highlighted in your code. For example, here is SonarLint in VSCode:

Supported languages vary by IDE; see the details linked above for your IDE.

Rules and issues

SonarLint identifies issues using an analysis process similar to that used by SonarCloud, using the same library of rules. Because SonarLint only looks at one file at a time, there are some complex issues that it cannot identify. Such issues have to wait until a later stage in the development cycle before SonarCloud can find them (that is, during pull request analysis or main branch analysis). But SonarLint can still find many issues even before you commit your code, fixing issues before they exist!

When it finds an issue, it highlights it in your code with a "squiggle" and lets you open a panel to view detailed information about the issue and how to fix it.

Quick fixes

For some languages, SonarLint also offers quick fixes right at the issue location (the squiggle) in your code, offering to fix it for you immediately. You just need to confirm and SonarLint will make the change for you. See the documentation for your specific IDE extension for details on which languages are supported.

Secrets detection

In addition to supporting many programming languages, SonarLint also analyzes the configuration files used by the major cloud computing providers (AWS, Google, IBM, Azure, and Alibaba). In these files, SonarLint can identify cases where a secret is hard-coded into the file and alert you to the error.

Share quality profiles

SonarLint will take into account the quality profiles from your SonarCloud project. This means your in-IDE issue detection will use the same set of rules as your regular SonarCloud analysis, ensuring that the standards established by your team are consistently enforced throughout the development cycle.

This feature requires connected mode.

Share project settings

SonarLint will take into account project settings from your SonarCloud project. For example, file exclusions and inclusions defining the scope of analysis in your SonarCloud project will be reflected in the in-IDE analysis provided by SonarLint.

This feature requires connected mode. Currently only available for VSCode, JetBrains (IntelliJ, etc.), and Eclipse. Coming soon for Visual Studio.

Issue status changes

Issue status changes (such as Won’t Fix or False Positive) made in SonarCloud are reflected in SonarLint.

This feature requires connected mode. Currently only available for VSCode, JetBrains (IntelliJ, etc.), and Eclipse. Coming soon for Visual Studio.

Security vulnerabilities

Regular vulnerabilities are detected and displayed directly by SonarLint in both connected and standalone mode. Security vulnerabilities requiring taint engine analysis (taint vulnerabilities) are only available in connected mode because SonarLint pulls them from SonarCloud following project analysis. Currently, taint vulnerabilities are only pulled from the project main branch. Expansion of this capability to non-main branches is coming soon.
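
To make the distinction concrete, the following added example (not from the SonarCloud documentation or SonarSource code) shows the kind of source-to-sink flow that makes up a taint vulnerability: a request value passes through a helper before it reaches a SQL query, next to a hardened version of the same query. All function names, the in-memory sqlite3 table and the sample request are constructed for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "dev"), ("carol", "dev")],
    )
    return db


# Source: in a real service this value would arrive in an HTTP request.
def read_name_param(request):
    return request["name"]


# Pass-through helper: the untrusted value crosses a function boundary here.
# In a real project this helper would often live in a different file, which
# is why following the flow needs more than a one-file-at-a-time analysis.
def build_filter(name):
    return "name = '" + name + "'"


# Sink (vulnerable): the filter is concatenated into the SQL text, so the
# request value is parsed as part of the statement.
def find_users_vulnerable(db, request):
    where = build_filter(read_name_param(request))
    return db.execute("SELECT name FROM users WHERE " + where).fetchall()


# Sink (hardened): the value is bound as a parameter and never parsed as SQL.
def find_users_safe(db, request):
    name = read_name_param(request)
    return db.execute(
        "SELECT name FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = {"name": "x' OR '1'='1"}  # constructed test input
    print("vulnerable:", find_users_vulnerable(db, crafted))
    print("hardened:  ", find_users_safe(db, crafted))
```

For an ordinary name both functions return the same row; only the constructed input separates them, because in the vulnerable version it changes the structure of the query rather than just the value being compared.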

Notifications

SonarLint will surface notifications of quality gate status changes and issue assignment from SonarCloud.

This feature requires connected mode.

Additional languages

SonarLint can analyze additional languages, beyond those supported in standalone mode. See the documentation for your specific IDE extension for details on which additional languages are supported.

This feature requires connected mode.

© 2008-2022, SonarCloud by SonarSource SA. All rights reserved.