-
Notifications
You must be signed in to change notification settings - Fork 82
Languages and rules
Out of the box, SonarLint automatically checks your code against the following rules:
- C rules
- C++ rules
- Cloud formation
- CSS rules
- Docker
- Go rules
- HTML rules
- Java rules
- JavaScript rules
- Kubernetes
- Python and IPython notebook rules
- PHP rules
- Secrets rules
- Terraform
- TypeScript rules
In addition, SonarLint for VS Code supports the following analysis when running in Connected Mode.
- Apex rules See below for more details.
- PL/SQL rules See below for more details.
- Secrets detection See below for more details.
The full list of available rules is visible in the SONARLINT RULES view of the SonarLint view container, where you can activate and deactivate rules to match your conventions. SonarLint will also show a code action on each issue to quickly deactivate the corresponding rule.
The SonarLint language server requires a Java Runtime (JRE) 11+.
On the following platforms, SonarLint comes with its own Java runtime:
- Windows x86-64
- Linux x86-64
- macOS x86-64 (Intel Macs) and arm-64 (Apple Silicon Macs)
On other platforms and if a Java runtime is already installed on your computer, SonarLint should automatically find and use it. Here is how SonarLint will search for an installed JRE (in priority order):
-
the
sonarlint.ls.javaHome
variable in VS Code settings if set. For instance:{ "sonarlint.ls.javaHome": "C:\Program Files\Java\jre-11.0.11" }
-
embedded JRE for platform-specific installations
-
the value of the
JDK_HOME
environment variable if set -
the value of the
JAVA_HOME
environment variable if set -
on Windows the registry is queried
-
if a JRE is still not found then:
- the
PATH
is scanned forjavac
- on macOS, the parent directory of
javac
is checked for ajava_home
binary. If that binary exists then it is executed and the result is used - the grandparent directory of
javac
is used. This is similar to$(dirname $(dirname $(readlink $(which javac))))
- the
SonarLint then uses the first JRE found in these steps to check its version.
If a suitable JRE cannot be found at those places, SonarLint will ask for your permission to download and manage its own version.
The support for Apex analysis is only available together with SonarQube Enterprise Edition or SonarCloud when running in Connected Mode. You will also need the Salesforce Extension Pack VS Code extension.
To analyze C and C++ code, SonarLint requires that you define a path to your compile commands.
Search for Path To Compile Commands in the VS Code Settings (or go to VS Code Settings > Extensions > SonarLint > User and scroll to the entry); then enter the full path to your active compilation database:
Note: if you are using Microsoft Visual C++ compiler, the environment should be ready to build the code. For example, by launching VS Code from your Visual Studio Command Prompt.
More information about supported environments and troubleshooting tips can be found on the C and CPP analysis page.
SonarLint for VS Code 3.17+ supports analysis of Infrastructure as Code (IaC) to help you secure your deployments. See the Sonar Rules pages as linked below for complete details:
To enable the support for Java analysis, you need the Language support for Java VSCode extension (version 0.56.0 or higher). You also need to be in standard mode.
To analyze JavaScript and TypeScript code, SonarLint requires Node.js executable. The minimal supported version is 14.17.0
for standalone analysis or in Connected Mode with SonarCloud. For Connected Mode with SonarQube, it depends on the version of the JS/TS analyzer on your SonarQube server. SonarLint will attempt to automatically locate node, or you can force the location using:
{
"sonarlint.pathToNodeExecutable": "/home/yourname/.nvm/versions/node/v14.17.0/bin/node"
}
Analysis of TypeScript in Connected Mode with SonarQube requires the server to use version 8.1 or above.
SonarLint for VS Code v3.16+ supports analysis of Python code inside Jupyter notebooks. See the documentation page for details.
The support for PL/SQL analysis is only available together with SonarQube Developer Edition or SonarCloud when running in Connected Mode. You also need the Oracle Developer Tools for VSCode VS Code extension.
Security vulnerabilities requiring taint engine analysis (taint vulnerabilities) are only available in Connected Mode because SonarLint pulls them from SonarQube or SonarCloud following a project analysis.
To browse injection vulnerabilities in SonarLint for VSCode, establish Connected Mode with your SonarQube Developer Edition (and above) or SonarCloud instance. Once a Project Binding is configured, SonarLint will synchronize with the SonarQube or SonarCloud server to report the detected injection vulnerabilities.
More information about security-related rules are available in the SonarQube or SonarCloud documentation.
In SonarLint for VS Code 3.14 and above, local detection of Security Hotspots is enabled if you are using Connected Mode with SonarQube 9.7 or above.
Please see the documentation for more details.
Secrets are pieces of user-specific or system-level credentials that should be protected and accessible to legitimate users only. SonarLint detects exposed Secrets in your source code and language agnostic config files. When running in Connected Mode, the SonarQube or SonarCloud Quality Profiles are applied to locally detected Secrets.
Simply right-click an issue in the PROBLEMS Panel, and choose SonarLint: Open description of rule ...
to open the SonarLint Rule Description Webview. Here you will find a brief explanation of the rule, along with a noncompliant and compliant code example.
For some SonarLint Rule Descriptions, you are able to visualize a diff view for the noncompliant and compliant code sample which should help you fix your issue.