The Sonar Rules catalog is the entry point where you can discover all the existing rules. While running an analysis, SonarLint raises an issue every time a piece of code breaks a coding rule.
Issues in your code are linked to Clean Code code attributes. When an issue is detected, it signifies that this part of your code is not consistent, intentional, adaptable, or responsible enough and that it impacts one or multiple software qualities.
For more information about Clean Code attributes and software qualities, check out the Clean Code page.
Issue types (bug, vulnerability, and code smell) are deprecated. Issues are now tied to Clean Code attributes and software qualities impacted. See the Clean Code page details.
Out of the box, SonarLint for VS Code automatically checks your code in the following languages and formats:
- Azure Resource Manager rules
- C rules
- C++ rules
- Cloud formation
- C# rules
- CSS rules
- Go rules
- HTML rules
- Java rules
- Python and IPython notebook rules
- PHP rules
- Secrets rules
- TypeScript rules
Using Connected Mode with SonarQube or SonarCloud will also unlock analysis for these languages:
- Apex rules
- COBOL rules. See also the COBOL Analysis specific requirements section below for extra details.
- PL/SQL rules
- T-SQL rules
The full list of available rules can be found in the VS Code UI. Go to the SONARLINT RULES view of the SonarLint view container; here you can activate and deactivate rules to match your conventions. SonarLint will also offer a code action on each issue to quickly deactivate the corresponding rule.
Connected Mode syncs your SonarQube or SonarCloud Quality Profile with the local analysis to suppress issues reported in the IDE; as a general rule, the server settings will override any settings defined in the IDE. Look at the Connected Mode documentation for more information.
For more details about languages and new features under consideration for VS Code, check out the SonarLint roadmap where we list our coming soon and newly released features.
Sonar Rules can individually be turned on or off while running SonarLint in standalone mode. Simply go to SonarLint > RULES view in the VS Code Activity Bar and deactivate or activate rules at will. Each rule is clearly marked as on or off, and it's possible to filter the visible list by an Active, All, and Inactive status.
When your project is bound to SonarQube or SonarCloud using Connected Mode, the rule set is managed on the server side as defined by the quality profile.
Simply right-click an issue in the PROBLEMS Panel, and choose SonarLint: Open description of rule `...` to open the SonarLint Rule Description webview. Here you will find a brief explanation of the rule, along with a noncompliant and compliant code example.
For some SonarLint Rule Descriptions, you are able to visualize a diff view for the noncompliant and compliant code sample which should help you fix your issue.
Connected Mode syncs your SonarQube or SonarCloud Quality Profile with the local analysis to suppress issues reported in the IDE. See the Connected Mode documentation for more information.
14.17.0 for standalone analysis or in Connected Mode with SonarCloud. For Connected Mode with SonarQube, it depends on the version of the JS/TS analyzer on your SonarQube server. SonarLint will attempt to automatically locate node, or you can force the location using:
Analysis of TypeScript in Connected Mode with SonarQube requires the server to use version 8.1 or above.
To analyze C and C++ code, SonarLint requires that you define a path to your compile commands json file:
Search for Path To Compile Commands in the VS Code Settings (or go to VS Code > Settings > Settings > Extensions > SonarLint > User and scroll to the entry); then enter the full path to your active compilation database:
Note: if you are using Microsoft Visual C++ compiler, the environment should be ready to build the code. For example, by launching VS Code from your Visual Studio Command Prompt.
More information about supported environments and troubleshooting C & C++ analysis can be found on the Running an analysis page.
COBOL analysis is a feature available in SonarLint for VS Code v3.19+ when running in Connected Mode with SonarQube Enterprise edition+ or SonarCloud. In addition, the VS Code Language Mode must be set to COBOL independent of your file type. If your extension doesn’t set the language automatically, please see the VS Code documentation to learn how to manually change the language for the selected file.
By default, SonarLint takes the analysis configuration from the SonarQube or SonarCloud server therefore it is required that your project has already been analyzed by SonarQube or SonarCloud. The following COBOL analyzer properties are synced by default unless previously overridden locally. Note that all properties found on the server will be synced locally, not just this selection:
In case copybooks are in different location locally, the analyzer property
sonar.cobol.copy.directories should be defined in the
If working with COBOL files via Zowe explorer, it is recommended to update your Zowe workspace settings in VS Code by modifying the temporary file location; temporary files should be saved to your project folder which is bound to SonarQube or SonarCloud. With the correct configuration, the analysis will be executed normally and you should see detected problems.
C# analysis is available in SonarLint for VS Code v4.0+. More information will be found in the C# configuration collapsible below:
When available, SonarLint will reuse your existing C# extension settings in the workspace. Namely, these parameters:
SonarLint for VS Code targets the modern .NET versions which can be adjusted in your workspace settings: VS Code > Settings > Settings > User > C#.
The default values as laid out in the Advanced configuration section below can be modified if they do not match your configuration.
To edit these properties, go to C# Extension settings and modify the respective values.
- Default value:
- Description: Use the modern Net 6 build of OmniSharp. If you are working with a Mono solution on Linux/Unix, or with an old NET Framework solution on Windows (< 4), set it to false.
- Default value:
- Description: By default the all projects of the solution will be loaded. This ensure maximum rules accuracy. For very big solutions that take too long to load, change this to true.
- Default value: automatically detected
- Description: The path of the solution that will be used for analysis.
- Default value:
- Description: Maximum waiting time (in seconds) for OmniSharp to load all projects (not relevant if
sonar.cs.internal.loadProjectsOnDemandis set to
SonarLint for VS Code 3.17+ supports analysis of Infrastructure as Code (IaC) to help you secure your deployments. See the Sonar Rules pages as linked below for complete details:
The support for Apex analysis is only available together with SonarQube Enterprise Edition or SonarCloud when running in Connected Mode. You will also need the Salesforce Extension Pack VS Code extension.
The support for PL/SQL analysis is only available together with SonarQube Developer Edition or SonarCloud when running in Connected Mode. You also need the Oracle Developer Tools for VSCode VS Code extension.
Jupyter Notebooks in VS Code
SonarLint for VS Code v3.16+ supports analysis of Python code inside Jupyter notebooks. When opening an
.ipynb file, SonarLint analyzes the Python code and Python cells inside your Jupyter Notebooks.
There is nothing special to do to run a SonarLint analysis; simply open a Jupyter Notebook file. As with any Jupyter Notebook, you must set up your VS Code environment to run a project. The usual Quick Fix and issue investigation options you are accustomed to are available.
IPython Notebooks is a new rules category in the SonarLint explorer. Go to SONARLINT RULES > IPython Notebooks in the SonarLint view container to enable/disable rules, just as you would any rule for other languages.
The following rules have been disabled by default for Jupyter documents because they tend to be noisy in the notebook environment:
Connected Mode will be ignored when working with Jupyter Notebooks. You will only have local analysis; this is because analysis of Jupyter Notebooks is not yet supported by SonarQube or SonarCloud.
All Magic commands are ignored by SonarLint (for example,
%matplotlib inline and
%%timeit). When a line magic command is found, that line will be ignored. Similarly, when a cell magic command is found, the entire cell will be ignored. The next image below shows a normal Jupyter cell; the second image illustrates the same cell with a cell magic command. Note how SonarLint ignores issues in the cell with the magic command.
T-SQL analysis is available running with Connected Mode with Commercial Editions of SonarQube, or with SonarCloud.
Security vulnerabilities requiring taint engine analysis (taint vulnerabilities) are only available in Connected Mode because SonarLint pulls them from SonarQube or SonarCloud following a project analysis.
To browse injection vulnerabilities in SonarLint for VSCode, configure Connected Mode with your SonarQube Developer Edition (and above) or SonarCloud instance. Once a Project Binding is configured, SonarLint will synchronize with the SonarQube or SonarCloud server to report the detected injection vulnerabilities.
In SonarLint for VS Code 3.14 and above, local detection of Security Hotspots is enabled if you are using Connected Mode with SonarQube 9.7+.
Please see the SonarLint documentation on Security hotspots for more details.
Secrets are pieces of user-specific or system-level credentials that should be protected and accessible to legitimate users only. SonarLint detects exposed Secrets in your source code and language-agnostic config files. When running in Connected Mode, the SonarQube or SonarCloud Quality Profiles are applied to locally detected Secrets.
© 2015-2023, SonarSource S.A, Switzerland. Except where otherwise noted, content in this space is licensed under the GNU Lesser General Public License, Version 3.0. SONARLINT is a trademark of SonarSource SA. All other trademarks and copyrights are the property of their respective owners. See SonarSource.com for everything you need to know about the Sonar Solution.