Install Free
IntelliJ | Using SonarQube for IDE | Rules and languages

Rules and languages

On this page

The Sonar Rules catalog is the entry point where you can discover all the existing rules. While running an analysis, SonarQube for IDE raises an issue every time a piece of code breaks a coding rule. 

Issues in your code are linked to Clean Code code attributes. When an issue is detected, it signifies that this part of your code is not consistent, intentional, adaptable, or responsible enough and that it impacts one or multiple software qualities. 

For more information about Clean Code attributes and software qualities, check out the Clean Code introduction page.

Overview

SonarQube for the JetBrains family IDEs currently supports the following programming languages:

 Supported out of the box
Connected Mode required

Language                      IntelliJ IDEA & Android Studio CLion Rider (DataGrip, Php Storm, PyCharm, RubyMine, and WebStorm) 
C#


C/C++


CSS
Go (Go extension)

(GoLand)
HTML
Java


JavaScript
Kotlin

PHP

PL/SQL
(Database Tools extension)

(Database Tools extension)


(Database Tools extension)
Python

Ruby

Scala

Secrets
Swift

TypeScript
XML

In addition, SonarQube for IntelliJ supports the IaC domains for:

Language                        IntelliJ IDEA & Android Studio CLion Rider (DataGrip, Php Storm, PyCharm, RubyMine, and WebStorm) 
Cloud formation

Docker

Kubernetes

Terraform

Supported language versions

Supported language versions

SonarQube for intelliJ provides analysis for several languages. Support for your language may vary depending on the SonarQube for IntelliJ version you're running. 

The table below lists the supported language and language versions. For each language version, the level of support is defined as follows: 

  • Fully supported: Analysis will complete. All the language features are understood and examined.
  • Not supported: Analysis might break, there is no guarantee it will complete.
  • Supported: Everything between fully supported and not supported.

For language-specific properties, refer to the relevant language page in SonarQube Server and SonarQube Cloud directly, as the same Sonar language analyzers are used by SonarQube for IntelliJ.

r Supported out of the box: SonarQube for intelliJ automatically checks your code in these languages and formats.
a Connected Mode required: Running in Connected Mode with SonarQube Server or SonarQube Cloud unlocks analysis for these languages and formats.

Language
Supported version
Cr

C89, C99, C11, C17: Fully supported

C23: Supported

GNU extensions: Supported

C#rC#1 to C#12: Fully supported
C++r

C++20, C++23: Supported

C++03,  C++11, C++14, C++17: Fully supported 

GNU extensions: Supported

CloudFormationr2010-09-09: Supported
CSSr-
Dockerr-
Gor-
HTMLr-
JavarJava LTS versions 8 to 21, and all intermediate versions: Fully supported
JavascriptrECMAScript 2022 and all previous versions: Supported.
Kotlinr1.3 to 2.0: Supported
Kubernetesr-
PHPr5.x, 7.x, and 8.4: Fully supported
PL/SQLa-
Pythonr

2.7: supported

3.0 to 3.12: Fully supported

Rubyr3.0 to 3.2: Supported
Scalaa-
Secretsr-
Swifta

5.9: supported

3.x, 4.x, 5.7, and 5.8: Fully supported

Terraformr-
TypeScriptrTypeScript 5.6 and all previous versions: Supported
XMLr-

For more details about languages and new features under consideration for the JetBrains family IDEs, you can refer to the SonarQube for IDE roadmap where we list all of our coming soon and newly released features.

Rule selection

The full list of available rules is found by navigating to the IntelliJ Settings... > Tools > SonarQube for IDE> Rules tab. There, Sonar Rules can individually be turned on or off while running SonarQube for IDE in standalone mode; simply select or deselect the appropriate checkbox. 

When your project is bound to SonarQube Server or SonarQube Cloud using Connected Mode, the rule set is managed on the server side as defined by the quality profile. 

Sonar Rule Descriptions

Simply select an issue in the SonarQube for IDE view or choose SonarQube for IDE: Show rule description from the tooltip to open the Rule tab. Here, you will find a brief explanation of the rule as well as Noncompliant and Compliant code samples.

The SonarLint rule description will give you compliant rule sample, show here in green, when available.

SonarQube for IntelliJ supports syntax highlighting. In addition, users are able to visualize a diff view for the non & compliant code samples which should help you fix your issue. Note that diff highlighting is only available for rules descriptions migrated to the new format, and we're progressively migrating all existing rules to the new format.

An issue’s Clean Code attribute, software qualities, and severity are presented to you when opening the SonarQube for IDE > Rule tab. Below the rule title, you will find the Clean Code issue badges that highlight an Issue’s Clean Code classification. 

Clean Code attributes and software qualities as they appear in the SonarLint Rule view tab.

Check the Clean Code definition page for details about Clean Code attributes, and the Clean Code benefits page to better understand software qualities for more details about how they help classify your issue. 

Be sure to check out the Investigating issues page for more details about how issues appear in your IDE. 

Applying rules while in Connected Mode

Connected Mode syncs your SonarQube Server or SonarQube Cloud Quality Profile with the local analysis to suppress issues reported in the IDE. Therefore, when running in Connected Mode, SonarQube for intelliJ will ignore rule settings that are defined locally. See the Connected Mode page for more information about running Connected Mode.

C# analysis

The SonarSource C# analyzer is written as a Roslyn analyzer and requires the use of the JetBrains Rider IDE.  Please see the Supported features in Rider article for more information.

Go

SonarQube for IntelliJ will check your code against Go rules using either GoLand or the Go plugin extension for IntelliJ.

JS/TS/CSS analysis

The analysis of JavaScript, TypeScript, and CSS code requires Node.js >= 16; Node.js >= 18 is recommended.

PL/SQL analysis

The support for PL/SQL analysis is only available together with Commercial Editions of SonarQube Server or with SonarQube Cloud when running in Connected Mode. In addition, the Database Tools extension is required to complete the local analysis in IntelliJ IDEA, CLion, or WebStorm.

Other rule types

DBD rules

Dataflow bugs are what Sonar calls a series of advanced Python and Java bugs using symbolic execution. This type of issue can cause runtime errors and crashes in Python and Java. If you want to learn more, check out our blog post for a good explanation with an example.

Dataflow Bug Detection (DBD) rules for Python and Java are supported in Commercial Editions of SonarQube Server. At this time, SonarQube for IntelliJ supports DBD detection for Python and Java when running in Connected Mode with SonarQube Server Active versions.

Injection vulnerabilities

Security vulnerabilities requiring taint engine analysis (injection vulnerabilities) are only available in Connected Mode because SonarQube for IDE pulls them from SonarQube Server or SonarQube Cloud following a project analysis.

To browse injection vulnerabilities in SonarQube for VSCode, configure Connected Mode with your SonarQube Developer Edition (and above) or SonarCloud instance. Once a Project Binding is configured, SonarQube for IDE will synchronize with the SonarQube Server instance or SonarQube Cloud server to report the detected injection vulnerabilities.

More information about security-related rules is available in the SonarQube Server or SonarQube Cloud documentation.

Security hotspots

In SonarQube for IntelliJ, local detection of Security Hotspots is enabled if you are using Connected Mode with SonarQube Server or SonarQube Cloud.

Please see the SonarQube Server documentation on Security hotspots for more details.

Secrets detection

Secrets are pieces of user-specific or system-level credentials that should be protected and accessible to legitimate users only. SonarQube for IDE detects exposed Secrets in your source code and language-agnostic config files. When running in Connected Mode, the SonarQube Server or SonarQube Cloud Quality Profiles are applied to locally detected Secrets.


Was this page helpful?

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License