Every day, millions of software developers worldwide write, commit, and deploy countless lines of code to production. Beyond bug fixes and updates, managing security vulnerabilities in source code is one of the biggest challenges developers face. A vulnerability in source code eventually becomes a vulnerability in every application that uses that code. To address this challenge consistently and manage the DevSecOps process effectively, software companies should make use of several proven methods used throughout the industry. One of these methods is Static Application Security Testing (SAST). This testing methodology helps companies analyze source code to find security vulnerabilities before an attacker finds them. Today we will talk about SonarLint in detail, a tool that can support your SAST process. Let’s start together!
What is SonarLint and How Does it Work?
SonarLint is a free IDE extension that locates security vulnerabilities while you’re coding in your IDE. Supported IDEs include Visual Studio, the JetBrains IDEs, Eclipse, and Visual Studio Code. SonarLint also supports several popular programming languages, including Java, JavaScript, TypeScript, Python, C++, C, C#, PHP, Ruby, and Kotlin. SonarLint is similar to a spellchecker for code: both automatically flag problems in real time as you type.
SonarLint also provides detailed documentation that allows you to easily understand any vulnerabilities in detail. It also provides an example of the code, as well as methods to resolve the issue. With this feature, while developers are writing code, they’re also learning to write clean and secure code.
Besides writing clean code, SonarLint also helps prevent credential leaks such as API keys, DB passwords, AWS Access Keys, etc.
What is the difference between SonarLint and SonarQube?
First of all, SonarLint is focused on you, whereas SonarQube is focused on your team. Additionally, SonarLint acts as an extension for your IDE. It helps you increase your code quality while fixing security vulnerabilities and bugs before they can be exploited or cause damage. On the other hand, SonarQube is a server that you must manage yourself. You’ll need to complete all of the required configuration steps before scanning your project code, so it is a bit more involved than SonarLint. SonarQube also offers features such as GitHub Actions integration, Quality Gates, and webhooks. Both SonarLint and SonarQube use the same static source code analyzers, so combining them and using them together would be very helpful for you and your team.
Configure SonarLint in Visual Studio Code
Prerequisites:
- SonarLint needs a Java Runtime Environment (JRE) 8 or 11.
- You first need to install the Language Support for Java(TM) by Red Hat extension in VS Code. To do this, search for it in the Extensions tab and install it.
- Next, install the SonarLint extension in Visual Studio Code.
- If you get an error that looks like the picture below, please select “Let SonarLint download the JRE”.
- We can now test SonarLint locally. For this test, we created a Python file. SonarLint automatically scans the entire file and reports any issues it detects.
- You can see the rule details below.
- You can read all the details relating to the rule for every programming language that SonarLint supports here.
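To show what a static check of the kind described above actually does, here is an added example (not SonarLint’s own code or rules): a small AST-based scanner that finds hard-coded credentials such as DB passwords and AWS access key IDs in a Python file, run over a constructed “before” and “after” snippet. The variable-name list and the sample values are assumptions made for this example.

```python
"""Constructed example (not SonarLint's code): an AST-based check for
hard-coded credentials in Python source, the kind of finding a SAST tool
reports before the code is committed."""
import ast
import re

# Assumed list of variable names that usually hold secrets.
SECRET_NAMES = re.compile(r"(password|passwd|secret|api_key|token|access_key)", re.I)
# AWS access key IDs start with "AKIA" followed by 16 upper-case alphanumerics.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def find_hardcoded_credentials(source: str):
    """Return (line, variable name, reason) for each suspicious assignment."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Handle `name = "literal"` and `name: str = "literal"` assignments.
        if isinstance(node, ast.Assign):
            targets, value = node.targets, node.value
        elif isinstance(node, ast.AnnAssign) and node.value is not None:
            targets, value = [node.target], node.value
        else:
            continue
        # Only a non-empty string literal can be a leaked secret.
        if not (isinstance(value, ast.Constant) and isinstance(value.value, str)):
            continue
        if not value.value:
            continue
        for target in targets:
            if not isinstance(target, ast.Name):
                continue
            if AWS_KEY_ID.search(value.value):
                findings.append((node.lineno, target.id, "AWS access key ID literal"))
            elif SECRET_NAMES.search(target.id):
                findings.append((node.lineno, target.id, "secret assigned from string literal"))
    return findings


# Constructed samples: the flagged "before" and the hardened "after",
# which reads secrets from the environment instead of the source file.
VULNERABLE = '''
import os
db_password = "hunter2"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
name = "alice"
'''
HARDENED = '''
import os
db_password = os.environ["DB_PASSWORD"]
AWS_KEY = os.environ.get("AWS_ACCESS_KEY_ID", "")
'''

if __name__ == "__main__":
    for line, name, reason in find_hardcoded_credentials(VULNERABLE):
        print(f"line {line}: {name}: {reason}")
```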
Optional but Useful: Binding to SonarQube Server
Connecting to your SonarQube server from Visual Studio Code lets you use the same code analyzers, rules, and configuration that are already defined on the server, so local findings match what the team sees. To do this, please follow the steps below:
- From the settings, search SonarLint. Select “edit settings.json” in Connected Mode: Project.
```jsonc
"sonarlint.connectedMode.project": {
    "connectionId": "",   // id of the SonarQube connection defined below
    "projectKey": ""      // replace with the project key from your SonarQube server
}
```
* You can find your connectionId (server ID) under Administration 🡪 System in SonarQube.
* You can find your project key in your project’s information page.
- From the settings, search SonarLint. Select “edit settings.json” in Connected Mode: Connections: Sonarqube.
```jsonc
"sonarlint.connectedMode.connections.sonarqube": [
    {
        "connectionId": "",   // id of your SonarQube server
        "serverUrl": "",      // URL of your SonarQube server
        "token": ""           // token used to authenticate with SonarQube
    }
]
```
* You can generate your token under My Account 🡪 Security. Enter a name for the token and then generate it. Treat this token like a password: keep it out of version control, since settings.json is often committed with the project.
- Open the command palette with Ctrl + Shift + P, enter SonarLint: Update all bindings to SonarQube/SonarCloud, and select it. You should see a message that looks like this:
Why does PurpleBox recommend SonarLint?
- Easy to set up: With just a few clicks, you can install and enable your SonarLint extension.
- Free to use: There are no subscription fees required for use.
- Supports many programming languages: Complex applications often combine several programming languages. SonarLint supports most of them, so you will likely never need to install another extension to scan your code.
- Scan before committing: Using SonarLint, you can prevent the all too familiar “fixing vulnerability – commit – fixing vulnerability” loop.
Conclusion
In this blog, we’ve discussed what SonarLint is and why it’s important. We also compared SonarQube and SonarLint, detailing their unique features and how they can be used in combination. Finally, we shared a SonarLint configuration guide for your Visual Studio Code. We hope you enjoyed our blog and hope you take advantage of this incredibly valuable tool!
Check out our DevSecOps services to start your digital transformation today!