VS Code | Getting started | Requirements

Was this page helpful?

On this page

Install Free


Each IDE extension of SonarLint has its own requirements to work properly with the most recent releases.


SonarLint needs a Java Runtime (JRE) 17+.

On the following platforms, SonarLint comes with its own Java runtime:

  • Windows x86-64
  • Linux x86-64
  • macOS x86-64 (Intel Macs) and arm-64 (Apple Silicon Macs)

On other platforms and if a Java runtime is already installed on your computer, SonarLint should automatically find and use it. Here is how SonarLint will search for an installed JRE (in priority order):

  1. the sonarlint.ls.javaHome variable in VS Code settings if set. For instance: { "sonarlint.ls.javaHome": "C:\Program Files\Java\jdk-17" }
  2. embedded JRE for platform-specific installations
  3. the value of the JDK_HOME environment variable if set
  4. the value of the JAVA_HOME environment variable if set
  5. on Windows the registry is queried
  6. if a JRE is still not found then:
    1. the PATH is scanned for javac
    2. on macOS, the parent directory of javac is checked for a java_home binary. If that binary exists then it is executed and the result is used
    3. the grandparent directory of javac is used. This is similar to $(dirname $(dirname $(readlink $(which javac))))

SonarLint then uses the first JRE found in these steps to check its version.

If a suitable JRE cannot be found at those places, SonarLint will ask for your permission to download and manage its own version.

Language-specific requirements

JS/TS/CSS analysis

To analyze JavaScript, TypeScript, or CSS code, SonarLint requires Node.js executable. The minimal supported version is 18.18 for standalone analysis or in Connected Mode with SonarCloud. For Connected Mode with SonarQube, it depends on the version of the JS/TS analyzer on your SonarQube server. SonarLint will attempt to automatically locate node, or you can force the location using:

        "sonarlint.pathToNodeExecutable": "/home/yourname/.nvm/versions/node/v18.18/bin/node"

Analysis of TypeScript in Connected Mode with SonarQube requires the server to use version 8.1 or above.

C and C++ analysis-specific requirements

To analyze C and C++ code, SonarLint requires that you define a path to your compile commands json file:

        "sonarlint.pathToCompileCommands": "/home/yourname/repos/proj/compile_commands.json"

Search for Path To Compile Commands in the VS Code Settings (or go to VS Code > Settings > Settings > Extensions > SonarLint > User and scroll to the entry); then enter the full path to your active compilation database:

SonarLint needs to know where your C and C++ code is being compiled to in order to complete the analysis.

Note: if you are using Microsoft Visual C++ compiler, the environment should be ready to build the code. For example, by launching VS Code from your Visual Studio Command Prompt. 

More information about supported environments and troubleshooting C & C++ analysis can be found on the Running an analysis page.

COBOL analysis

COBOL analysis is a feature available in SonarLint for VS Code v3.19+ when running in Connected Mode with SonarQube Enterprise edition+ or SonarCloud. In addition, the VS Code Language Mode must be set to COBOL independent of your file type. If your extension doesn’t set the language automatically, please see the VS Code documentation to learn how to manually change the language for the selected file.

By default, SonarLint takes the analysis configuration from the SonarQube or SonarCloud server therefore it is required that your project has already been analyzed by SonarQube or SonarCloud. The following COBOL analyzer properties are synced by default unless previously overridden locally. Note that all properties found on the server will be synced locally, not just this selection:

  • sonar.cobol.dialect
  • sonar.cobol.file.suffixes
  • sonar.cobol.sourceFormat
  • sonar.cobol.copy.suffixes
  • sonar.cobol.copy.directories

In case copybooks are in different location locally, the analyzer property sonar.cobol.copy.directories should be defined in the /project/.vscode/settings.json file.

If working with COBOL files via Zowe explorer, it is recommended to update your Zowe workspace settings in VS Code by modifying the temporary file location; temporary files should be saved to your project folder which is bound to SonarQube or SonarCloud. With the correct configuration, the analysis will be executed normally and you should see detected problems.

C# analysis

C# analysis is available in SonarLint for VS Code v4.0+. More information will be found in the C# configuration collapsible below:

C# configuration

When available, SonarLint will reuse your existing C# extension settings in the workspace. Namely, these parameters:

  • omnisharp.useModernNet
  • omnisharp.enableMsBuildLoadProjectsOnDemand
  • omnisharp.projectLoadTimeout
  • dotnet.defaultSolution

SonarLint for VS Code targets the modern .NET versions which can be adjusted in your workspace settings: VS Code > Settings > Settings > User > C#.

The default values as laid out in the Advanced configuration section below can be modified if they do not match your configuration.

C# Advanced configuration

To edit these properties, go to C# Extension settings and modify the respective values.  


  • Default value: true
  • Description: Use the modern Net 6 build of OmniSharp. If you are working with a Mono solution on Linux/Unix, or with an old NET Framework solution on Windows (< 4), set it to false.


  • Default value: false
  • Description: By default the all projects of the solution will be loaded. This ensure maximum rules accuracy. For very big solutions that take too long to load, change this to true.


  • Default value: automatically detected
  • Description: The path of the solution that will be used for analysis.


  • Default value: 60
  • Description: Maximum waiting time (in seconds) for OmniSharp to load all projects (not relevant if sonar.cs.internal.loadProjectsOnDemand is set to true).

Infrastructure as Code

SonarLint for VS Code 3.17+ supports analysis of Infrastructure as Code (IaC) to help you secure your deployments. See the Sonar Rules pages as linked below for complete details:

Java analysis

To enable the support for Java analysis, you need the Language support for Java VSCode extension (version 0.56.0 or higher). You also need to be in standard mode.

Apex analysis

The support for Apex analysis is only available together with SonarQube Enterprise Edition or SonarCloud when running in Connected Mode. You will also need the Salesforce Extension Pack VS Code extension.

PL/SQL analysis

The support for PL/SQL analysis is only available together with Commercial Editions of SonarQube or with SonarCloud when running in Connected Mode. You also need the Oracle Developer Tools for VSCode VS Code extension.


Jupyter Notebooks in VS Code

SonarLint for VS Code v3.16+ supports analysis of Python code inside Jupyter notebooks. When opening an .ipynb file, SonarLint analyzes the Python code and Python cells inside your Jupyter Notebooks.

There is nothing special to do to run a SonarLint analysis; simply open a Jupyter Notebook file. As with any Jupyter Notebook, you must set up your VS Code environment to run a project. The usual Quick Fix and issue investigation options you are accustomed to are available.

Managing rules

IPython Notebooks is a new rules category in the SonarLint explorer. Go to SONARLINT RULES > IPython Notebooks in the SonarLint view container to enable/disable rules, just as you would any rule for other languages.

The following rules have been disabled by default for Jupyter documents because they tend to be noisy in the notebook environment:

Connected Mode

Connected Mode will be ignored when working with Jupyter Notebooks. You will only have local analysis; this is because analysis of Jupyter Notebooks is not yet supported by SonarQube or SonarCloud.

Magic commands

All Magic commands are ignored by SonarLint (for example, %matplotlib inline and %%timeit). When a line magic command is found, that line will be ignored. Similarly, when a cell magic command is found, the entire cell will be ignored. The next image below shows a normal Jupyter cell; the second image illustrates the same cell with a cell magic command. Note how SonarLint ignores issues in the cell with the magic command.

SonarLint without a cell magic command. 
SonarLint with a cell magic command. 


T-SQL analysis is available running with Connected Mode with Commercial Editions of SonarQube, or with SonarCloud. 

Some configuration may be required on the server side; please see the SonarQube and SonarCloud documentation pages about T-SQL analysis for complete details.

Injection vulnerabilities

Security vulnerabilities requiring taint engine analysis (taint vulnerabilities) are only available in Connected Mode because SonarLint pulls them from SonarQube or SonarCloud following a project analysis.

To browse injection vulnerabilities in SonarLint for VSCode, establish Connected Mode with your SonarQube Developer Edition (and above) or SonarCloud instance. Once a Project Binding is configured, SonarLint will synchronize with the SonarQube or SonarCloud server to report the detected injection vulnerabilities.

More information about security-related rules is available in the SonarQube or SonarCloud documentation.

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License