Catching Issues in the IDE with SonarLint
SonarLint is your first line of defense in keeping your code clean. It catches issues immediately, before you even commit them, right in the IDE.
SonarLint is a free IDE extension that integrates with SonarCloud. Like a spell checker, SonarLint highlights issues as you type. When an issue is identified, SonarLint provides you with clear remediation guidance so you can fix it before the code is even committed. In many cases, it also provides a quick fix that can automatically fix the issue for you.
SonarLint is available for these IDEs:
- JetBrains IDEs: Feature overview for IntelliJ IDEA, CLion, PyCharm, and others, Documentation, Download
- Visual Studio: Feature overview, Documentation, Download for VS-2022, VS-2019, and VS-2017
- VS Code: Feature overview, Documentation, Download
- Eclipse: Feature overview, Documentation, Download
To install SonarLint, select the download link above for your IDE and follow the instructions on the respective Getting started > Installation page. All IDEs offer a direct download & install via the IDE's marketplace page.
Next, set up the connection between SonarLint and your SonarCloud account using Connected Mode:
Though SonarLint can run local analyses in standalone mode, we highly recommend that you configure the connection to SonarCloud. Running SonarCloud and SonarLint in Connected Mode provides a number of additional valuable features.
Simply open a file of a supported language and start coding, and you will start seeing issues highlighted in your code. For example, here is SonarLint in VSCode:
Supported languages vary by IDE. See the Rules page for each of the IDEs to learn which languages are supported out-of-the-box and which require the use of Connected Mode:
- Supported rules for IntelliJ
- Supported rules for Visual Studio
- Supported rules for VS Code
- Supported rules for Eclipse
SonarLint identifies issues using an analysis process similar to that used by SonarCloud, using the same library of rules. Because SonarLint only looks at one file at a time, there are some complex issues that it cannot identify. Such issues have to wait until a later stage in the development cycle before SonarCloud can find them (that is, during pull request analysis or main branch analysis). But, SonarLint can still find many issues even before you commit your code, fixing issues before they exist!
When it finds an issue, it highlights it in your code with a "squiggle" and lets you open a panel to view detailed information about the issue and how to fix it.
For some languages, SonarLint also offers quick fixes right at the issue location (the squiggle) in your code, offering to fix it for you immediately. You just need to confirm and SonarLint will make the change for you. See the documentation for your specific IDE extension for details on which languages are supported.
In addition to supporting many programming languages, SonarLint also analyzes the configuration files used by the major cloud computing providers such as AWS, Google, IBM, Azure, and Alibaba. In these files, SonarLint can identify cases where a secret is being hard-coded into the file and alert you to the error.
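As an added illustration (not from the SonarCloud documentation), here is a constructed AWS CloudFormation template showing the pattern this detection targets: a database password written directly into the file, next to the corrected form that resolves it from AWS Secrets Manager at deploy time. The secret name `prod/app/db` is an assumed placeholder.

```yaml
# Constructed example: a CloudFormation template that provisions an RDS instance.
# The commented-out line is the hard-coded secret SonarLint flags when the file
# is opened in the IDE; the active line is the corrected form, which uses a
# CloudFormation dynamic reference so the plaintext value never lands in source.
AWSTemplateFormatVersion: "2010-09-09"
Description: Example RDS instance with its master password kept out of the template

Resources:
  AppDatabase:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: mysql
      DBInstanceClass: db.t3.micro
      AllocatedStorage: "20"
      MasterUsername: admin
      # Hard-coded secret (flagged):
      # MasterUserPassword: "S3cr3tP@ssw0rd!"
      # Corrected: resolve the password from Secrets Manager at deploy time.
      # "prod/app/db" is an assumed secret name; "password" is a JSON key in it.
      MasterUserPassword: "{{resolve:secretsmanager:prod/app/db:SecretString:password}}"
```

The same template stored in a repository with the plaintext line active would also be caught by SonarCloud during pull request analysis, but the point of SonarLint is that the squiggle appears before the commit is ever made.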
SonarLint will take into account the quality profiles from your SonarCloud project. This means your in-IDE issue detection will use the same set of rules as your regular SonarCloud analysis, ensuring that the standards established by your team are consistently enforced throughout the development cycle.
This feature requires Connected Mode. Please see the Connected Mode links above.
SonarLint will take into account project settings from your SonarCloud project. For example, file exclusions and inclusions defining the scope of analysis in your SonarCloud project will be reflected in the in-IDE analysis provided by SonarLint.
This feature requires Connected Mode. Currently only available for VSCode, JetBrains (IntelliJ, etc.), and Eclipse. Coming soon for Visual Studio.
Issue status changes (such as Won’t Fix or False Positive) made in SonarCloud are reflected in SonarLint.
This feature requires Connected Mode. Currently only available for IntelliJ, VSCode, and Eclipse. Coming soon for Visual Studio.
Issue types (bug, vulnerability, and code smell) are deprecated. Issues are now tied to Clean Code attributes and software qualities impacted. See Clean Code for more details.
Regular vulnerabilities are detected and displayed directly by SonarLint in both Connected Mode and standalone mode. Taint vulnerabilities are a type of security-related rule that can only be raised by SonarCloud, because the taint engine follows data across files, which SonarLint's single-file analysis cannot do. Security vulnerabilities requiring taint engine analysis (taint vulnerabilities) are therefore only available in Connected Mode, where SonarLint pulls them from SonarCloud following project analysis.
Currently, taint vulnerabilities are only pulled from the project main branch. Expansion of this capability to non-main branches is coming soon.
SonarLint will surface notifications of quality gate status changes and issue assignment from SonarCloud.
SonarLint can analyze additional languages, beyond those supported in standalone mode. See the documentation for your specific IDE extension for details on which additional languages are supported out-of-the-box, and which require the use of Connected Mode.