
Catching Issues in the IDE with SonarLint

SonarLint is your first line of defense in keeping your code clean. Connected Mode binds your SonarCloud project to a local project so that SonarLint can catch issues immediately, right in the IDE, before you even commit them.

SonarLint is a free IDE extension that integrates with SonarCloud using Connected Mode. Like a spell checker, SonarLint highlights issues as you type. When an issue is identified, SonarLint provides you with clear remediation guidance so you can fix it before the code is even committed. In many cases, it also provides a quick fix that can automatically fix the issue for you.

Supported IDEs

SonarLint integrates with most JetBrains IDEs, including IntelliJ IDEA, CLion, GoLand, WebStorm, PHPStorm, PyCharm, Rider, Android Studio, and RubyMine.

SonarLint provides Visual Studio developers with a comprehensive in-IDE solution for improving the quality and security of the code they deliver.

SonarLint for VS Code will automatically identify and fix quality and security issues as you code with enhanced linting capabilities directly in your VS Code IDE.

SonarLint for Eclipse will automatically identify and fix quality and security issues as you code with enhanced linting capabilities right in your Eclipse IDE.

Supported languages vary by IDE. Check the Rules page for your IDE to learn which languages are supported out-of-the-box and which require the use of Connected Mode.

Though SonarLint can run local analyses in standalone mode, we highly recommend that you set up Connected Mode with SonarCloud. Running SonarCloud and SonarLint in Connected Mode provides a number of additional valuable features.

Connected Mode benefits

  • Analyze more languages and detect more issues by combining SonarLint’s supported rules with those rules supported by SonarCloud.
  • Highlight advanced issues (in the IDE) like taint vulnerabilities, detected by SonarCloud.
  • Use the same quality profile locally as is defined on SonarCloud.
  • Apply settings, such as rule selection and file exclusion defined on SonarCloud, to your local analysis.
  • Define specific analyzer parameters on SonarCloud, and have those parameters applied locally.
  • Automatically suppress issues that are marked as Accepted or False Positive on SonarCloud so that locally reported issues match those found on the server.
  • Use the SonarLint focus on new code feature to concentrate detection of issues only in new code.
  • Changes in your SonarCloud quality gate will arrive in your IDE when you accept Smart notifications.

Using the Open in IDE feature

If you’re using SonarLint for IntelliJ, Visual Studio, VS Code, or Eclipse, you can use the Open in IDE button to open most issues in the code editor, reducing the time it takes to find and fix the issue. Simply click the Open in IDE button from SonarQube to view the issue in your IDE; you’ll be prompted to set up Connected Mode if the project is not already bound.

Opening Security hotspots using the Open in IDE feature is available for all of the SonarLint IDEs. See Opening issues in your IDE for more details. 

Using SonarLint

Simply open a file of a supported language and start coding, and you will start seeing issues highlighted in your code.

Rules and issues

SonarLint identifies issues using an analysis process similar to that used by SonarCloud, using the same library of rules. Because SonarLint only looks at one file at a time, there are some complex issues that it cannot identify. Such issues have to wait until a later stage in the development cycle before SonarCloud can find them (that is, during pull request analysis or main branch analysis). But SonarLint can still find many issues even before you commit your code, fixing issues before they exist!

When it finds an issue, it highlights it in your code with a "squiggle" and lets you open a panel to view detailed information about the issue and how to fix it.

Quick fixes

For some languages, SonarLint also offers quick fixes right at the issue location (the squiggle) in your code, offering to fix it for you immediately. You just need to confirm and SonarLint will make the change for you. See the documentation for your specific IDE extension for details on which languages are supported.

Secrets detection

In addition to supporting many programming languages, SonarLint also analyzes the configuration files used by major cloud computing providers such as AWS, Google, IBM, Azure, and Alibaba. In these files, SonarLint can identify cases where a secret is being hard coded into the file and alert you to the error.

Share quality profiles

This feature requires Connected Mode. SonarLint will take into account the quality profiles from your SonarCloud project. This means that your in-IDE issue detection uses the same set of rules as your SonarCloud analysis, ensuring that the standards defined by your team are consistently enforced throughout the development cycle.

Share project settings

This feature requires Connected Mode. SonarLint will take into account project settings from your SonarCloud project. For example, file exclusions and inclusions defining the scope of analysis in your SonarCloud project will be reflected in the in-IDE analysis provided by SonarLint.

Issue status changes

This feature requires Connected Mode. Issue status changes (such as Accepted or False Positive) made in SonarCloud are reflected in SonarLint.

Security vulnerabilities

Issues are tied to Clean Code attributes and software qualities impacted. See the page about Clean Code for more details.

Regular vulnerabilities are detected and displayed directly by SonarLint in both Connected Mode and standalone mode. Taint vulnerabilities, however, are a type of security-related rule that can only be raised by SonarCloud. Security vulnerabilities requiring taint engine analysis (taint vulnerabilities) are only available in Connected Mode because SonarLint pulls them from SonarCloud following project analysis.

Currently, taint vulnerabilities are only pulled from the project's main branch as analyzed by SonarCloud. Expansion of this capability to non-main branches is coming soon.
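
The following is an added illustration, not Sonar's code and not part of the original page, of why a taint flow can be invisible when files are examined one at a time: the untrusted source and the SQL sink sit in what would be two separate files. The file names, function names, and sample data are hypothetical and constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db


# --- would live in handlers.py (hypothetical): the SOURCE ---
def handle_lookup(db, request_params, finder):
    # Untrusted, user-controlled data enters the program here.
    name = request_params.get("name", "")
    return finder(db, name)


# --- would live in repo.py (hypothetical): the SINK ---
def find_user_vulnerable(db, name):
    # Viewed alone, this file gives no hint that `name` is untrusted;
    # the flow only becomes visible when the caller is followed too.
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in db.execute(query))


def find_user_hardened(db, name):
    # Parameter binding keeps the value out of the SQL text entirely.
    rows = db.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


# Constructed input that changes the meaning of the concatenated query.
CRAFTED = {"name": "x' OR '1'='1"}


def demo():
    db = make_db()
    return {
        "vulnerable": handle_lookup(db, CRAFTED, find_user_vulnerable),
        "hardened": handle_lookup(db, CRAFTED, find_user_hardened),
        "normal": handle_lookup(db, {"name": "bob"}, find_user_hardened),
    }


if __name__ == "__main__":
    print(demo())
```

With the concatenated query the crafted value matches every row, while the bound-parameter version treats it as a literal name and matches none.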

Smart notifications

Smart notifications allow developers using Connected Mode in SonarLint to receive in-IDE notifications from SonarCloud. Events are pushed from SonarCloud to SonarLint when:

  • the quality gate status (Failed / Passed) of a project or solution open in the IDE changes. 
  • a SonarCloud analysis raises new issues introduced by the developer in a project or solution open in the IDE.

Activate and deactivate notifications

The activation or deactivation of SonarLint smart notifications must be done individually, by each developer directly in SonarLint, on the IDE side. There's a box to check when setting up Connected Mode to decide whether or not you want to receive Smart Notifications from SonarCloud in your IDE.

For all the details about managing notifications, check the SonarLint documentation that matches your IDE.

Additional languages

SonarLint can analyze additional languages, beyond those supported in standalone mode. See the documentation for your specific IDE extension for details on which additional languages are supported out-of-the-box, and which require the use of Connected Mode.


© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD, and CLEAN AS YOU CODE are trademarks of SonarSource SA.
