zlicheng / sonarlint-vscode

SonarLint for Visual Studio Code

Home Page:https://www.sonarlint.org/vscode/

SonarLint is a free IDE extension that lets you fix coding issues before they exist! Like a spell checker, SonarLint highlights Bugs and Security Vulnerabilities as you write code, with clear remediation guidance so you can fix them before the code is even committed. SonarLint in VS Code supports analysis of C, C++, HTML, Java, JavaScript, PHP, Python and TypeScript, and you can install it directly from the VS Code Marketplace!

How it works

Simply open any source file, start coding, and you will start seeing issues reported by SonarLint. Issues are highlighted in your code, and also listed in the 'Problems' panel.

You can access the detailed rule description directly from your editor, using the provided contextual menu.

Static Analysis Rules

Out of the box, SonarLint automatically checks your code against the following rules:

The full list of available rules is visible in the "SonarLint Rules" view in the explorer, where you can activate and deactivate rules to match your conventions. SonarLint will also show a code action on each issue to quickly deactivate the corresponding rule.

Requirements

The SonarLint language server needs a Java Runtime (JRE) 11+.

On the following platforms, SonarLint comes with its own Java runtime:

  • Windows x86-64
  • Linux x86-64
  • macOS x86-64 (Intel Macs) and arm-64 (Apple Silicon Macs)

On other platforms and if a Java runtime is already installed on your computer, SonarLint should automatically find and use it. Here is how SonarLint will search for an installed JRE (in priority order):

  1. the sonarlint.ls.javaHome variable in VS Code settings if set. For instance:

    { "sonarlint.ls.javaHome": "C:\\Program Files\\Java\\jre-11.0.11" }

  2. the value of the JDK_HOME environment variable if set

  3. the value of the JAVA_HOME environment variable if set

  4. on Windows the registry is queried

  5. if a JRE is still not found then:

    1. the PATH is scanned for javac
    2. on macOS, the parent directory of javac is checked for a java_home binary. If that binary exists then it is executed and the result is used
    3. the grandparent directory of javac is used. This is similar to $(dirname $(dirname $(readlink $(which javac))))

SonarLint then uses the first JRE found in these steps to check its version.

If a suitable JRE cannot be found at those places, SonarLint will ask for your permission to download and manage its own version.
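
To see which Java installation this lookup order would select on a Linux or macOS machine, the steps above can be reproduced by hand. The script below is an added example, not code from the SonarLint project; the function names are hypothetical, the `sonarlint.ls.javaHome` value is passed in as an argument rather than read from settings, and the Windows registry step is not covered.

```shell
#!/usr/bin/env bash
# Added example: mirrors the documented lookup order on Linux/macOS.
# Not covered: step 4 (Windows registry query).

# $1 = value of sonarlint.ls.javaHome (assumption: passed by hand; settings.json
# is not parsed here). Prints "<source>:<java home>" for the first hit.
resolve_jre() {
    if [ -n "${1:-}" ]; then echo "setting:$1"; return 0; fi
    if [ -n "${JDK_HOME:-}" ]; then echo "JDK_HOME:$JDK_HOME"; return 0; fi
    if [ -n "${JAVA_HOME:-}" ]; then echo "JAVA_HOME:$JAVA_HOME"; return 0; fi
    javac_path=$(command -v javac 2>/dev/null) || return 1
    # Resolve symlinks so /usr/bin/javac points at the real installation.
    real=$(readlink -f "$javac_path" 2>/dev/null || echo "$javac_path")
    bindir=$(dirname "$real")
    if [ "$(uname)" = "Darwin" ] && [ -x "$bindir/java_home" ]; then
        echo "java_home:$("$bindir/java_home")"; return 0
    fi
    echo "PATH:$(dirname "$bindir")"
}

# Print the major version (8, 11, 17, ...) of the java binary under home $1.
jre_major() {
    ver=$("$1/bin/java" -version 2>&1 |
        sed -n 's/.* version "\([^"]*\)".*/\1/p' | head -n 1)
    case "$ver" in
        "") return 1 ;;
        1.*) ver=${ver#1.} ;;   # legacy scheme: 1.8.0_292 is Java 8
    esac
    echo "${ver%%[._-]*}"
}

# Report the winning JRE and whether it meets the JRE 11+ requirement.
report_jre() {
    hit=$(resolve_jre "${1:-}") || { echo "no JRE found"; return 1; }
    home=${hit#*:}
    major=$(jre_major "$home") || { echo "$hit has no usable bin/java"; return 1; }
    if [ "$major" -ge 11 ]; then echo "$hit (Java $major) ok"
    else echo "$hit (Java $major) too old, need 11+"; return 1; fi
}
```

Source the file and run `report_jre` (optionally with the value of `sonarlint.ls.javaHome` as its argument). Because the first hit wins, a stale `JDK_HOME` or `JAVA_HOME` takes precedence over a newer Java found on the `PATH`.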

JS/TS analysis specific requirements

To analyze JavaScript and TypeScript code, SonarLint requires a Node.js executable. The minimal supported version is 12.22.0 for standalone analysis or connected mode with SonarCloud. For connected mode with SonarQube, it depends on the version of the JS/TS analyzer on your SonarQube server. SonarLint will attempt to automatically locate node, or you can force the location using:

{
    "sonarlint.pathToNodeExecutable": "/home/yourname/.nvm/versions/node/v12.22.0/bin/node"
}

C and C++ analysis specific requirements

To analyze C and C++ code, SonarLint requires a compile commands JSON file:

{
    "sonarlint.pathToCompileCommands": "/home/yourname/repos/proj/compile_commands.json"
}

Note: if you are using the Microsoft compiler, the environment should be ready to build the code, for example by launching VS Code from your Visual Studio Command Prompt.

Java analysis specific requirements

To enable the support for Java analysis, you need the Language support for Java VSCode extension (version 0.56.0 or higher). You also need to be in standard mode.

Apex analysis specific requirements

The support for Apex analysis is only available together with SonarQube Enterprise Edition or SonarCloud (see connected mode below). You also need the Salesforce Extension Pack VSCode extension.

PL/SQL analysis specific requirements

The support for PL/SQL analysis is only available together with SonarQube Developer Edition or SonarCloud (see connected mode below). You also need the Oracle Developer Tools for VSCode extension.

Connected mode

You can connect SonarLint to SonarQube >= 7.9 or SonarCloud and bind your workspace folders to a SonarQube/SonarCloud project to benefit from the same rules and settings that are used to inspect your project on the server. SonarLint then hides in VSCode the issues that are marked as Won’t Fix or False Positive.

Connected mode will also unlock analysis of these languages:

Starting from v3.6 of SonarLint for VSCode, to set up SonarQube/SonarCloud connections, open up a SONARLINT CONNECTED MODE view in VSCode.

Click on the relevant button to start setting up SonarQube/SonarCloud connection and fill in the details.

For SonarQube connections, you need to provide your SonarQube Server URL and Token. Provide Organization Key and Token for SonarCloud connections. A User Token should be generated on the SonarQube/SonarCloud side and pasted in the User Token field.

User Token can be generated from:

  • SonarQube - https://<your-sonarqube-url>/sonarqube/account/security/ page
  • SonarCloud - https://sonarcloud.io/account/security/ page

Connection Name is a friendly name for your connections. In case of multiple connections, it also acts as a connectionId.

Click Save Connection and verify that the new connection was set up successfully in the Connected Mode view.

If needed, you can edit/delete existing, or create additional connections. Action buttons will be revealed when hovering over the relevant item.

For instructions on setting up a Connected Mode for SonarLint v3.5.4 and lower, see Wiki

Project Binding

Configuring a project binding at the workspace level mutes Won’t Fix and False Positive issues in any of the project's sub-folders added to the workspace. SonarLint will do its best to synchronize with the most appropriate branch from the server.

In connected mode with SonarCloud or any commercial edition of SonarQube, SonarLint receives notifications about Quality Gate changes and new issues. This feature can be toggled using the disableNotifications field in a server connection definition.

When using SonarQube >= 8.6 and browsing a security hotspot, there will be a button offering to open the hotspot in SonarLint if you already have SonarLint running in VSCode. Limitation: this feature relies on local communication between your web browser and SonarLint, and consequently is not available in CodeSpaces.

SonarLint keeps server side data in a local storage. If you change something on the server such as the quality profile, you can trigger an update of the local storage using the "SonarLint: Update all project bindings to SonarQube/SonarCloud" command on the command palette (search for "sonarlint"). SonarLint will also automatically attempt to synchronize with configured servers at startup and every hour.

Other settings

It is possible to specify extra analyzer properties that will be used for analysis. Example:

// In project/.vscode/settings.json
{
    "sonarlint.analyzerProperties": {
        "sonar.javascript.node.maxspace": "4096"
    }
}

Contributions

If you would like to see a new feature, please create a new thread in the forum "Suggest new features".

Please be aware that we are not actively looking for feature contributions. The truth is that it's extremely difficult for someone outside SonarSource to comply with our roadmap and expectations. Therefore, we typically only accept minor cosmetic changes and typo fixes.

With that in mind, if you would like to submit a code contribution, please create a pull request for this repository. Please explain your motives to contribute this change: what problem you are trying to fix, what improvement you are trying to make.

Make sure that you follow our code style and all tests are passing.

Have a Question or Feedback?

For SonarLint support questions ("How do I?", "I got this error, why?", ...), please first read the FAQ and then head to the SonarSource forum. There are chances that a question similar to yours has already been answered.

Be aware that this forum is a community, so the standard pleasantries ("Hi", "Thanks", ...) are expected. And if you don't get an answer to your thread, you should sit on your hands for at least three days before bumping it. Operators are not standing by. :-)

Issue tracker (readonly): https://jira.sonarsource.com/browse/SLVSCODE

License

Copyright 2017-2022 SonarSource.

Licensed under the GNU Lesser General Public License, Version 3.0

Data and telemetry

This extension collects anonymous usage data and sends it to SonarSource to help improve SonarLint functionality. No source code nor IP address is collected, and SonarSource does not share the data with anyone else. Collection of telemetry is controlled via the setting: sonarlint.disableTelemetry. Click here to see a sample of the data that are collected.
