Rules and languages
The Sonar Rules catalog is the entry point where you can discover all the existing rules. While running an analysis, SonarLint raises an issue every time a piece of code breaks a coding rule.
Issues in your code are linked to Clean Code code attributes. When an issue is detected, it signifies that this part of your code is not consistent, intentional, adaptable, or responsible enough and that it impacts one or multiple software qualities.
For more information about Clean Code attributes and software qualities, check out the Clean Code introduction page.
Issue types (bug, vulnerability, and code smell) are deprecated. Issues are now tied to Clean Code attributes and software qualities. See the Clean Code page for details.
Overview
SonarLint for the JetBrains family IDEs currently supports the following programming languages:
Supported out of the box
Connected Mode required
| Language | IntelliJ IDEA & Android Studio | CLion | Rider | (DataGrip, Php Storm, PyCharm, RubyMine, and WebStorm) |
|---|---|---|---|---|
| C# | | |||
| C/C++ | | |||
| CSS | | | | |
| Go | (Go extension) | (GoLand) | ||
| HTML | | | | |
| Java | | |||
| JavaScript | | | | |
| Kotlin | | | ||
| PHP | | | ||
| PL/SQL | (Database Tools extension) | (Database Tools extension) | (Database Tools extension) | |
| Python | | | ||
| Ruby | | | ||
| Scala | | | ||
| Secrets | | | | |
| Swift | | | ||
| TypeScript | | | | |
| XML | | |
In addition, SonarLint for IntelliJ supports the IaC domains for:
| Language | IntelliJ IDEA & Android Studio | CLion | Rider | (DataGrip, Php Storm, PyCharm, RubyMine, and WebStorm) |
|---|---|---|---|---|
| Cloud formation | | | ||
| Docker | | | ||
| Kubernetes | | | ||
| Terraform | | |
Supported language versions
Supported language versions
SonarLint provides analysis for several languages. Support for your language may vary depending on the SonarLint version you're running.
The table below lists the supported language and language versions. For each language version, the level of support is defined as follows:
- Fully supported: Analysis will complete. All the language features are understood and examined.
- Not supported: Analysis might break, there is no guarantee it will complete.
- Supported: Everything between fully supported and not supported.
For language-specific properties, refer to the relevant language page in SonarQube and SonarCloud directly, as the same Sonar language analyzers are used by SonarLint.
Supported out of the box: SonarLint automatically checks your code in these languages and formats.
Connected Mode required: Running in Connected Mode with SonarQube or SonarCloud unlocks analysis for these languages and formats.
| Language | Supported version | |
|---|---|---|
| C | | C89, C99, C11, C17: Fully supported C23: Supported GNU extensions: Supported |
| C# | | C#1 to C#12: Fully supported |
| C++ | | C++20, C++23: Supported C++03, C++11, C++14, C++17: Fully supported GNU extensions: Supported |
| CloudFormation | | 2010-09-09: Supported |
| CSS | | - |
| Docker | | - |
| Go | | - |
| HTML | | - |
| Java | | Java LTS versions 8 to 21, and all intermediate versions: Fully supported |
| Javascript | | ECMAScript 2022 and all previous versions: Supported. |
| Kotlin | | 1.3 to 1.9: Supported |
| Kubernetes | | - |
| PHP | | 5.x, 7.x, and 8.3: Fully supported |
| PL/SQL | | - |
| Python | | 2.7: supported 3.0 to 3.12: Fully supported |
| Ruby | | 3.0 to 3.2: Supported |
| Scala | | - |
| Secrets | | - |
| Swift | | 5.9: supported 3.x, 4.x, 5.7, and 5.8: Fully supported |
| Terraform | | - |
| TypeScript | | TypeScript 5.3 and all previous versions: Supported |
| XML | | - |
For more details about languages and new features under consideration for the JetBrains family IDEs, you can refer to the SonarLint roadmap where we list all of our coming soon and newly released features.
Rule selection
The full list of available rules is found by navigating to the IntelliJ Settings... > Tools > SonarLint > Rules tab. There, Sonar Rules can individually be turned on or off while running SonarLint in standalone mode; simply select or deselect the appropriate checkbox.
When your project is bound to SonarQube or SonarCloud using Connected Mode, the rule set is managed on the server side as defined by the quality profile.
When a project is bound to a SonarQube server or SonarCloud, the configuration in this UI location is ignored. In this case, rules configuration from the server applies. See the SonarQube and SonarCloud documentation about quality profiles for more information.
Sonar Rule Descriptions
Simply select an issue in the SonarLint view or choose SonarLint: Show rule description from the tooltip to open the Rule tab. Here, you will find a brief explanation of the rule as well as Noncompliant and Compliant code samples.
SonarLint for IntelliJ supports syntax highlighting. In addition, users are able to visualize a diff view for the non & compliant code samples which should help you fix your issue. Note that diff highlighting is only available for rules descriptions migrated to the new format, and we're progressively migrating all existing rules to the new format.
An issue’s Clean Code attribute, software qualities, and severity are presented to you when opening the SonarLint > Rule tab. Below the rule title, you will find the Clean Code issue badges that highlight an Issue’s Clean Code classification.
Check the Clean Code definition page for details about Clean Code attributes, and the Clean Code benefits page to better understand software qualities for more details about how they help classify your issue.
Be sure to check out the Investigating issues page for more details about how issues appear in your IDE.
Applying rules while in Connected Mode
Connected Mode syncs your SonarQube or SonarCloud Quality Profile with the local analysis to suppress issues reported in the IDE. Therefore, when running in Connected Mode, SonarLint will ignore rule settings that are defined locally. See the Connected Mode page for more information about running Connected Mode.
C# analysis
The SonarSource C# analyzer is written as a Roslyn analyzer and requires the use of the JetBrains Rider IDE. Please see the Supported features in Rider article for more information.
Go
SonarLint for IntelliJ will check your code against Go rules using either GoLand or the Go plugin extension for IntelliJ.
JS/TS/CSS analysis
The analysis of JavaScript, TypeScript, and CSS code requires Node.js >= 16; Node.js >= 18 is recommended.
PL/SQL analysis
The support for PL/SQL analysis is only available together with Commercial Editions of SonarQube or with SonarCloud when running in Connected Mode. In addition, the Database Tools extension is required to complete the local analysis in IntelliJ IDEA, CLion, or WebStorm.
Other rule types
DBD rules
Dataflow bugs (DBD) are what Sonar calls a series of advanced Python and Java bugs using symbolic execution. This type of issue can cause runtime errors and crashes in Python and Java. If you want to learn more, check out our blog post for a good explanation with an example.
DBD rules for Python and Java are supported in Commercial Editions of SonarQube. At this time, SonarLint for IntelliJ supports DBD detection for Python and Java when running in Connected Mode with SonarQube Active versions.
Injection vulnerabilities
Security vulnerabilities requiring taint engine analysis (taint vulnerabilities) are only available in Connected Mode because SonarLint pulls them from SonarQube or SonarCloud following a project analysis.
To browse injection vulnerabilities in SonarLint for VSCode, configure Connected Mode with your SonarQube Developer Edition (and above) or SonarCloud instance. Once a Project Binding is configured, SonarLint will synchronize with the SonarQube or SonarCloud server to report the detected injection vulnerabilities.
More information about security-related rules is available in the SonarQube or SonarCloud documentation.
Security hotspots
In SonarLint for IntelliJ, local detection of Security Hotspots is enabled if you are using Connected Mode with SonarQube or SonarCloud.
Please see the SonarLint documentation on Security hotspots for more details.
Secrets detection
Secrets are pieces of user-specific or system-level credentials that should be protected and accessible to legitimate users only. SonarLint detects exposed Secrets in your source code and language-agnostic config files. When running in Connected Mode, the SonarQube or SonarCloud Quality Profiles are applied to locally detected Secrets.
Was this page helpful?
© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD, and CLEAN AS YOU CODE are trademarks of SonarSource SA.
