How to Configure SonarLint in Visual Studio Code

June 22, 2022

Every day, countless lines of code are written, deployed, and committed to the production environment by millions of software developers worldwide. Besides the bug fixes and updates, maintaining security vulnerabilities in source code is one of the biggest challenges that software developers encounter. A vulnerability in source code will eventually become a vulnerability in any application using that code. To solve this challenge regularly and effectively manage the DevSecOps process, software companies should make use of several proven methods used throughout the industry. One of these methods is Static Application Security Testing (SAST). This testing methodology helps the companies analyze source code to find security vulnerabilities before an attacker finds them. Today we will talk about SonarLint in detail, which will help your SAST processes. Let’s start together!

What is SonarLint and How Does it Work?

SonarLint is a free IDE extension that locates security vulnerabilities while you’re coding in your IDE. This includes Visual Studio, JetBrains, Eclipse, and Visual Studio Code. SonarLint also supports several popular programming languages including Java, JavaScript, TypeScript, Python, C++, C, C#, PHP, Ruby, and Kotlin. SonarLint is similar to the code spellchecker, as they both automatically locate problems in real-time.

SonarLint Logo and Banner

SonarLint also provides detailed documentation that allows you to easily understand any vulnerabilities in detail. It also provides an example of the code, as well as methods to resolve the issue. With this feature, while developers are writing code, they’re also learning to write clean and secure code.

Besides writing clean code, SonarLint also helps prevent credential leaks such as API keys, DB passwords, AWS Access Keys, etc. 

Image shows SonarLint Credential Leak Detection

What is the difference between SonarLint and SonarQube?

First of all, SonarLint is focused on you, whereas SonarQube is focused on your team. Additionally, SonarLint acts as an extension for your IDE. It helps you to increase your code quality while fixing any security vulnerabilities and bugs before they can be exploited or cause damage. On the other hand, SonarQube is a server that you must manage yourself. You’ll need to configure all of the required steps before scanning your project code. It’s a bit more complicated than SonarLint. In SonarQube, there are several features including GitHub actions, Quality Gates, Webhooks, etc. Both SonarLint and SonarQube use the same static source code analyzers, so combining and using them together would be very helpful for you and your team.

Configure SonarLint in Visual Studio Code


  • SonarLint needs Java Runtime (JRE) 8 or 11.
  1. You first need to install Language Support for Java(TM) by Red Hat extension to VSCode. To do this, you can search for it from the extension tab and install it.

Image shows Language Support for Java(TM) by Red Hat extension

  1. Next you need to download the SonarLint extension to Visual Studio Code.

Image shows SonarLint extension to VSCode.

  1. If you get an error that looks like the picture below, please select “Let SonarLint download the JRE”.

Image shows Java Runtime Error.

  1. We can now test SonarLint locally. A Python file is created for test purposes. SonarLint automatically scans the entirety of the code and detects any issues.

Image shows example vulnerable python script

Image shows SonarLint detects the issue.

  1. You can see the rule details below.

Image shows SonarLint rule details.

  1. You can read all the details relating to the rule for every programming language that SonarLint supports here.

Optional but Useful: Binding to SonarQube Server

Connecting to your SonarQube server from Visual Studio Code allows us to use the same code analyzers, rules, and configurations that are already defined in the server. To do this, please follow the steps below:

  1. From the settings, search SonarLint. Select “edit settings.json” in Connected Mode: Project.

Image shows SonarLint Connected Mode settings.

{“connectionId”: “”,“projectKey”: “” // Replace with project key your SonarQube server

* You can find your connectionID (serverID) from Administration 🡪 System on SonarQube.

Image shows SonarQube Connection ID part.

* You can find your project key in your project information.

Image shows finding SonarQube project key.

  1. From the settings, search SonarLint. Select “edit settings.json” in Connected Mode: Connections: Sonarqube.
[{“connectionId”: “”, // id of your sonarqube server
“serverUrl”: “”, // url of your sonarqube server
“token”: “” // token to authenticate with sonarqube}],

* You can find your token from My Account 🡪 Security. Enter a name for the token and then generate the token.

  1. Open the command palette with CTRL + Shift + P. Then enter SonarLint: Update all bindings to SonarQube/SonarCloud and select. You should see a message that looks like this:

Image shows SonarLint bindings successfully updated.

Why does PurpleBox recommend SonarLint?

  • Easy to set up: With just a few clicks, you can install and enable your SonarLint extension.
  • Free to use: There are no subscription fees required for use.
  • Supports lots of programming languages: In complex applications, several programming languages are used together. SonarLint supports most of them, meaning you will likely never need to install another extension to scan your code.

Scan before committing: Using SonarLint, you can prevent the all too familiar “fixing vulnerability - commit - fixing vulnerability” loop.


In this blog, we’ve discussed what SonarLint is and why it’s important. We also compared SonarQube and SonarLint, detailing their unique features and how they can be used in combination. Finally, we shared a SonarLint configuration guide for your Visual Studio Code. We hope you enjoyed our blog and hope you take advantage of this incredibly valuable tool! 

Check out our DevOps services to start your digital transformation today!