Scan my project

Scanning your project in SonarQube for Visual Studio is a simple, easy process.

SonarQube for IDE, a core component of the SonarQube solution, is a developer’s first line of defense to find and fix coding issues in real-time. The results of a SonarQube for IDE scan provide rich contextual guidance to help you improve your skills while enhancing productivity to help you resolve issues in code.

SonarQube for IDE scans your project to provide instant feedback against hundreds of language-specific rules. When running in connected mode with SonarQube Server or SonarQube Cloud, you can benefit from additional rules that identify security vulnerabilities and security hotspots as well as take advantage of team features that help your organization achieve high-quality code.

Every organization has custom policies and procedures; the SonarQube for IDE analyzer offers a level of customization to help you achieve those practices.

First steps

By default, SonarQube for Visual Studio will automatically analyze your open files. In addition, scanning your full project or your entire solution is possible for C# and VB; see the C# and VB collapsible below for more details.

For languages other than C# and VB, SonarQube for Visual Studio will only analyze current files when a file is opened or saved. It is not possible to manually trigger an analysis.

Check the Running an analysis page for more information about triggering and refining the analysis process.

Language-specific information

C# and VB

Scanning C# and VB.NET

SonarQube for Visual Studio uses Visual Studio’s background analysis mechanism to scan your C# and VB code while you’re working on source files in the editor.

By default, Visual Studio is configured to only run Roslyn analyzers on files that are currently open. You can customize the scope of analysis to include the current document, all opened documents, or the entire solution; it’s also possible to configure the Roslyn analysis to run in a separate process in the same options window. Note that running analyses on the entire solution is more processor-intensive.

C and C++ analysis

Supported project types

See the Analyzing CMake projects Requirements page for more information about supported project types.

vcxproj projects: SonarQube for Visual Studio can analyze .vcxproj projects that use the standard Visual Studio compilation tools. Projects that use Makefile are not supported. Projects that use third-party tools (such as Unity projects) are not supported.

CMake projects: CMake projects are supported in SonarLint v4.38 and later. Starting with v4.38, SonarQube for Visual Studio can analyze a subset of CMake project types that meet all of the following requirements:

  • Visual Studio 2017 Update 3 or later is used

  • Visual Studio is configured to use the Ninja generator (the default), and

  • the CMakeLists.txt file contains the following command: set(CMAKE_EXPORT_COMPILE_COMMANDS ON).

Triggering analysis

C or C++ analyses are triggered when a file is opened or saved. Any existing issues for the document will immediately be removed from the Error List. New issues will be added to the Error List incrementally as they are detected.

The status bar will be updated to show the file is being analyzed:

SonarQube for Visual Studio is analyzing your project and will report CFamily issues as it discovers them.

and again when the analysis has finished:

SonarQube for Visual Studio has finished the analysis. The state of the analysis is reported in the Visual Studio Status Bar

Additional detailed information will be shown in the SonarQube for Visual Studio pane of the Output window.

Note: SonarQube for Visual Studio only displays status information in the status bar, as shown in the above screen shots. Some versions of Visual Studio provide other C++ analysis rules from Microsoft that display progress information in the background tasks pop-up window. These messages do not relate to SonarQube for Visual Studio analysis. See here or more information on the Microsoft C++ rules.

C/C++ analysis performance

Sonar has 450+ rules for C++ and 280+ rules for C. Most run very quickly and will return issues in under a second. However, some of the more advanced rules that involve semantic analysis can take more than ten seconds to run.

The analysis is performed in the background in a separate process. It should not have a noticeable impact on the user experience in Visual Studio. If the analysis is taking too long for a particular file, the analysis process will be terminated. If an analysis is being re-triggered (e.g. via a re-save of the file), the previous analysis will be cancelled and a new analysis will start.

Prior to v4.22, issues were only displayed in the Error List after all rules had finished processing. As of v4.23, issues are displayed in the Error List as soon as they are available; this means that most issues will appear within a few seconds. However, the status bar may still continue to display the analyzing xxx.cpp message for some time until all of the rules have finished processing.

Analysis timeout

By default, an analysis that has not been completed within one minute will be stopped and a message logged in the Output Window. We expect such timeouts to be very rare and probably indicates that there is a problem with one of our analysis rules. If you do encounter timeouts when analyzing files, please open an issue in the SonarQube for IDE section of the Community Forum and tag it with cfamily.

Specify additional analyzer properties

It is possible to specify extra analyzer properties and solution exclusions that will be used in advanced use cases during the analysis of your solutions. Both settings are accessible via the SonarQube for Visual Studio UI as described below.

settings.json file format and location

The properties and solution exclusions are saved in a settings.json file stored in your user’s roaming profile %AppData%\Roaming\SonarLint for Visual Studio\SolutionSettings\<YOUR_SOLUTION>.

See this example as a format sample of your settings.json file. It changes the parameters on analyzing C# code and excludes, and at the end, excludes any C# files matching the *Class? wildcard.

{
  "sonarlint.analyzerProperties": {
    "sonar.cs.analyzeGeneratedCode": "false"
  },
  "sonarlint.analysisExcludesStandalone": "*Class?.cs"
}

Add analysis properties for your solution

It is possible to specify extra analyzer properties that will be used for analysis in advanced use cases. Navigate to Extensions > SonarQube > Solution Settings > Analysis Properties and select Add.

Defining solution exclusions

Navigate to Extensions > SonarQube > Solution Settings > File Exclusions and select Add to configure the file names and/or wild card patterns you want to exclude from the analysis. Any acceptable wildcard pattern can be used. Note that the values you define here will override the global values defined in your File exclusions. Remember that when running SonarQube for Visual Studio in Connected mode, all locally defined exclusion values will be ignored.

Please see the File exclusions page for more detail about using global exclusions and to learn which Wildcard patterns are accepted.

PreviousFixing issuesNextNew code

Last updated

Was this helpful?