SonarLint Connected Mode
SonarLint is your first line of defense in keeping your code clean. Connected Mode binds your SonarQube project to a local project so that SonarLint can catch issues immediately, right in the IDE, before you even commit them.
SonarLint is a free IDE extension that integrates with SonarQube using Connected Mode. Like a spell checker, SonarLint highlights issues as you type. When an issue is identified, SonarLint provides you with clear remediation guidance so you can fix it before the code is even committed. In many cases, it also provides a quick fix that can automatically fix the issue for you.
SonarLint integrates with most JetBrains IDEs including IntelliJ IDEA, CLion, GoLand, WebStorm, PHPStorm, PyCharm, Rider, Android Studio & RubyMine.
SonarLint provides Visual Studio developers with a comprehensive in-IDE solution for improving the quality and security of the code they deliver.
SonarLint for VS Code will automatically identify and fix quality and security issues as you code with enhanced linting capabilities directly in your VS Code IDE.
When using SonarLint, the Sonar Quality Profile is used by default and users can customize their ruleset. If you're using a different quality profile in SonarQube, new issues might be raised in SonarQube even though your commit looked clean in SonarLint. With Connected Mode, the same quality profile is applied in both your IDE and in SonarQube, and you're notified in your IDE when your local instance isn't meeting the project's quality gate standards.
When using SonarLint alone, taint analysis issues found by commercial editions of SonarQube aren't raised in SonarLint for performance reasons (we don't want to slow down your editing). In Connected Mode, you'll see the taint analysis issues SonarQube raised in your project. You'll get all of the context in your IDE that you need to triage and fix security problems thereby making sure the code you commit is safe.
If you’re using SonarLint for IntelliJ, VS Code, or Eclipse, it’s possible to use the Open in IDE button to open most all issues in the code editor, speeding up the time it takes to find and fix the issue. Simply click the Open in IDE button from SonarQube to view it in your IDE; you’ll be prompted to set up Connected Mode if the project is not already bound.
SonarLint enables users to establish a connection to the latest SonarQube version and to the latest LTS version. When a new LTS version is released (approximately every 18 months), we still enable connecting SonarLint to the previous LTS version for a certain period of time (currently 12 months after the latest LTS release) to allow enough time for organizations to upgrade their SonarQube version.
For more information about long-term support of SonarQube, check out our page describing "what is an LTS". And, to review IDE-specific requirements, please check the respective pages of the documentation as listed in the next paragraph.
⚠️ The 8.9LTS reached its support expiration date (in November ’23).
See the following links for instructions on setting up Connected Mode for each supported IDE:
SonarQube administrators can get an overview of SonarLint usage among users by going to Administration > Security > Users.
The Last SonarLint connection column indicates the last time the user used SonarLint in connected mode.
You can filter users based on their activity. The available options are:
- All users
- Active users with SonarLint: Users that used SonarLint in connected mode at least once in the past 30 days.
- Active users without SonarLint: Users that connected to SonarQube at least once in the past 30 days.
- Inactive users: Users that did not connect to SonarQube or use SonarLint in connected mode in the past 30 days.
Connected Mode allows SonarQube to send smart alerts to individuals or teams when new issues are discovered. With everyone in the loop, issues can be addressed promptly, improving the overall software quality and delivery. You'll receive smart notifications in your IDE when:
- the quality gate status of a project open in your IDE changes
- a SonarQube analysis raises new issues that you've introduced in a project open in your IDE
You can activate or deactivate smart notifications in SonarLint on the IDE side on a server-by-server basis.
Seeing an issue directly in the IDE can help you better understand its context. This is the purpose of the Open in IDE button that you'll see as an authenticated user.
This feature is available if you're using a compatible version and flavor of SonarLint. The project must be open in the appropriate IDE and bound to the server through SonarLint's Connected Mode. To set up SonarLint in Connected Mode, please check the SonarLint documentation for your IDE:
Keep in mind that the revision or branch analyzed by SonarQube may not be the same as what you have opened in the IDE. In this case, SonarLint will do its best to locate the issue in your local code.
Unexpected analysis results
Observing different analysis results between SonarQube/SonarCloud and SonarLint can have different causes.
Due to extensive resource requirements, taint vulnerability and some advanced bug detection rules are ignored by SonarLint. Please check the analyzer (PMD, Checkstyle, ESLint, PyLint, …). SonarLint will only run rules from SonarSource analyzers including custom rules extending SonarSource analyzers. Third-party analyzers usually have their own IDE integration, so we have no plan to run them in SonarLint.
Test files can be defined on the server or in the IDE and when running in Connected Mode, these test sources will be used by SonarLint. Each SonarLint flavor has its own way of detecting which file is considered a test file; in SonarLint for IntelliJ, you must define your test files as a Test Sources Root. To define test files on the server, please see the Analysis scope page to set the scope of your analysis.
Due to extensive resource requirements, taint vulnerabilities and some advanced bug detection rules are ignored by SonarLint. Please check the SonarLint roadmap for a list of features and enhancements on the horizon.
Some rules are able to report issues at the project level. Such issues, are not displayed in SonarLint, only in SonarQube.
In IntelliJ, there is no incremental compilation of the .class files found in the compiler output folder; these are only produced or refreshed when the project is built. The workaround is to simply build your project with the green hammer (when using IntelliJ) in the top-right toolbar. The project should be built on a regular basis to keep the compiled files up-to-date and overcome this known limitation.