
Catching issues with SonarQube for IDE

SonarQube for IDE is your first line of defense in keeping your code clean. Connected Mode binds your SonarQube Cloud project to a local project so that SonarQube for IDE can catch issues immediately, right in the IDE, before you even commit them.

SonarQube for IDE is a free IDE extension that integrates with SonarQube Cloud using Connected Mode. Like a spell checker, SonarQube for IDE highlights issues as you type. When an issue is identified, SonarQube for IDE provides you with clear remediation guidance so you can fix it before the code is even committed. In many cases, it also provides a quick fix that can automatically fix the issue for you.

Supported IDEs

SonarLint integrates with most JetBrains IDEs, including IntelliJ IDEA, CLion, GoLand, WebStorm, PHPStorm, PyCharm, Rider, Android Studio, and RubyMine.

SonarLint provides Visual Studio developers with a comprehensive in-IDE solution for improving the quality and security of the code they deliver.

SonarLint for VS Code will automatically identify and fix quality and security issues as you code with enhanced linting capabilities directly in your VS Code IDE.

SonarLint for Eclipse will automatically identify and fix quality and security issues as you code with enhanced linting capabilities right in your Eclipse IDE.

Supported languages vary by IDE; check the Rules page for your IDE to learn which languages are supported out of the box and which require the use of Connected Mode.

Though SonarQube for IDE can run local analyses in standalone mode, we highly recommend that you set up Connected Mode with SonarQube Cloud. Running SonarQube Cloud and SonarQube for IDE in Connected Mode provides a number of additional valuable features.

Connected Mode benefits

  • Analyze more languages and detect more issues by combining SonarQube for IDE supported rules with those rules supported by SonarQube Cloud.
  • Highlight advanced issues (in the IDE) like injection vulnerabilities, detected by SonarQube Cloud. 
  • Use the same quality profile locally as is defined on SonarQube Cloud.  
  • Apply settings, such as rule selection and file exclusion defined on SonarQube Cloud, to your local analysis. 
  • Define specific analyzer parameters on SonarQube Cloud, and have those parameters applied locally.
  • Automatically suppress issues that are marked as Accepted or False Positive on SonarQube Cloud so that locally reported issues match those found on the server.
  • Use the SonarQube for IDE Focus on New Code feature to concentrate issue detection on new code only.
  • Receive changes to your SonarQube Cloud quality gate status in your IDE when you enable Smart notifications.

Using the Open in IDE feature

If you’re using SonarQube for IntelliJ, Visual Studio, VS Code, or Eclipse, you can use the Open in IDE button to open most issues directly in the code editor, reducing the time it takes to find and fix them. Simply click the Open in IDE button in SonarQube Cloud to view the issue in your IDE; you’ll be prompted to set up Connected Mode if the project is not already bound.

Opening Security hotspots using the Open in IDE feature is available for all of the SonarQube IDEs. See Opening issues in your IDE for more details. 

Using SonarQube for IDE

Simply open a file in a supported language and start coding; issues will be highlighted in your code as you type. For example, here is SonarQube for VS Code:

Rules and issues

SonarQube for IDE identifies issues using an analysis process similar to that used by SonarQube Cloud, with the same library of rules. Because SonarQube for IDE analyzes one file at a time, there are some complex issues that it cannot identify. Such issues are found at a later stage in the development cycle, when SonarQube Cloud runs pull request analysis or main branch analysis. Still, SonarQube for IDE can find many issues before you commit your code, so they are fixed before they ever reach the repository.

When it finds an issue, it highlights it in your code with a "squiggle" and lets you open a panel to view detailed information about the issue and how to fix it.

Quick fixes

For some languages, SonarQube for IDE also offers quick fixes right at the issue location (the squiggle) in your code, offering to fix it for you immediately. You just need to confirm and SonarQube for IDE will make the change for you. See the documentation for your specific IDE extension for details on which languages are supported.

Secrets detection

In addition to supporting many programming languages, SonarQube for IDE also analyzes the configuration files used by major cloud computing providers such as AWS, Google, IBM, Azure, and Alibaba. In these files, SonarQube for IDE can identify cases where a secret is hard-coded into the file and alert you to the error.
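As an added illustration of the kind of hard-coded-secret check described above (example code written for this page, not SonarQube's rule set or implementation), here is a small heuristic scanner run over a constructed cloud-config snippet. The patterns and the placeholder filter are assumptions made for the example, and every sample value is made up.

```python
import re
from typing import List, Tuple

# Constructed sample config (all values are made up; the AKIA... value is not a real key).
SAMPLE_CONFIG = [
    "[default]",
    "aws_access_key_id = AKIAEXAMPLE0000000AB",
    "aws_secret_access_key = constructedSecretValueNotReal1234",
    "region = us-east-1",
    "db_password = ${DB_PASSWORD}",           # environment reference: not a finding
    'api_token: "tok-constructed-1234567890"',
    "# password = onlyInAComment",            # comments are ignored
    "smtp_password = <your-password-here>",   # template placeholder: skipped
]

# Heuristic rules (assumptions for this example, not SonarQube's own rules).
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # public shape of an AWS access key ID
SECRET_ASSIGN = re.compile(
    r"""\b(?P<name>[a-z0-9_.-]*(?:password|passwd|secret|token|api[_-]?key)[a-z0-9_.-]*)"""
    r"""["']?\s*[:=]\s*["']?(?P<value>[^"'\s]+)""",
    re.IGNORECASE,
)
# Values that are references or placeholders rather than literal secrets.
PLACEHOLDER = re.compile(
    r"^(\$\{[^}]+\}|\$[A-Z_][A-Z0-9_]*|\{\{.*\}\}|<[^>]+>|\*+|x+|changeme|todo)$",
    re.IGNORECASE,
)


def find_hardcoded_secrets(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, rule_id, setting_name) for each likely hard-coded secret.

    Lines whose value is an environment or template reference are deliberately
    skipped: that is the false-positive case practitioners most want avoided.
    """
    findings: List[Tuple[int, str, str]] = []
    for no, line in enumerate(lines, start=1):
        stripped = line.split("#", 1)[0].strip()  # drop whole-line and trailing comments
        if not stripped:
            continue
        if AWS_KEY_ID.search(stripped):
            name = re.split(r"[:=]", stripped, maxsplit=1)[0].strip()
            findings.append((no, "aws-access-key-id", name))
            continue
        m = SECRET_ASSIGN.search(stripped)
        if m and not PLACEHOLDER.match(m.group("value")):
            findings.append((no, "hardcoded-credential", m.group("name")))
    return findings


if __name__ == "__main__":
    for line_no, rule, name in find_hardcoded_secrets(SAMPLE_CONFIG):
        print(f"line {line_no}: {rule} in setting '{name}'")
```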

Share quality profiles

This feature requires Connected Mode. SonarQube for IDE will take into account the quality profiles from your SonarQube Cloud project. This means that your in-IDE issue detection uses the same set of rules as your SonarQube Cloud analysis, ensuring that the standards defined by your team are consistently enforced throughout the development cycle.

Share project settings

This feature requires Connected Mode. SonarQube for IDE will take into account project settings from your SonarQube Cloud project. For example, file exclusions and inclusions defining the scope of analysis in your SonarQube Cloud project will be reflected in the in-IDE analysis provided by SonarQube for IDE.

Issue status changes

This feature requires Connected Mode. Issue status changes (such as Accepted or False Positive) made in SonarQube Cloud are reflected in SonarQube for IDE.

Security vulnerabilities

Issues are tied to Clean Code attributes and software qualities impacted. See the page about Clean Code for more details.

Regular vulnerabilities are detected and displayed directly by SonarQube for IDE in both Connected Mode and standalone mode. Injection vulnerabilities, however, are a type of security-related rule that can only be raised by SonarQube Cloud: they require taint analysis, so they are available only in Connected Mode, where SonarQube for IDE pulls them from SonarQube Cloud after a project analysis.

Currently, injection vulnerabilities are only pulled from the project's main branch as analyzed by SonarQube Cloud. Expansion of this capability to non-main branches is coming soon.
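To make the taint-analysis point concrete, here is an added example (written for this page, not SonarQube's code) in which the untrusted source and the SQL sink sit in different layers, which a one-file-at-a-time analysis cannot connect. The `handler.py`/`repository.py` split is hypothetical, and the table contents and the crafted input are constructed.

```python
import sqlite3
from typing import Dict, List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


# --- repository layer (imagine this in repository.py) -----------------------
def find_user_unsafe(conn: sqlite3.Connection, name: str) -> List[Tuple[str]]:
    # SINK: the value is spliced into the SQL text. Looking at this file alone,
    # an analyzer sees string formatting but cannot know whether `name` is
    # attacker-controlled; that fact lives in the caller's file.
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str]]:
    # Parameter binding keeps the value as data, whatever characters it holds.
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


# --- controller layer (imagine this in handler.py) --------------------------
def handle_lookup(conn: sqlite3.Connection, params: Dict[str, str],
                  safe: bool = True) -> List[Tuple[str]]:
    # SOURCE: untrusted request input. The source-to-sink path crosses the
    # module boundary, so only a whole-project taint analysis can connect it.
    name = params.get("name", "")
    return (find_user_safe if safe else find_user_unsafe)(conn, name)


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing a quote and an OR clause
    print("safe  :", handle_lookup(db, {"name": crafted}, safe=True))   # []
    print("unsafe:", handle_lookup(db, {"name": crafted}, safe=False))  # [('alice',), ('bob',)]
```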

Smart notifications

Smart notifications allow developers using Connected Mode in SonarQube for IDE to receive in-IDE notifications from SonarQube Cloud. Events are pushed from SonarQube Cloud to SonarQube for IDE when:

  • the quality gate status (Failed / Passed) of a project or solution open in the IDE changes. 
  • a SonarQube Cloud analysis raises new issues introduced by the developer in a project or solution open in the IDE.

Activate and deactivate notifications

Smart notifications are activated or deactivated individually by each developer, directly in SonarQube for IDE. There's a box to check when setting up Connected Mode to decide whether you want to receive Smart notifications from SonarQube Cloud in your IDE.

For all the details about managing notifications, check the SonarQube for IDE documentation that matches your IDE:

Additional languages

SonarQube for IDE can analyze additional languages, beyond those supported in standalone mode. See the documentation for your specific IDE extension for details on which additional languages are supported out-of-the-box, and which require the use of Connected Mode.

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License