Today we will talk about SonarLint in detail, how to configure SonarLint in Visual Studio Code, and how it will help your SAST processes. Let’s start together!
Every day, millions of software developers worldwide write, commit, and deploy countless lines of code to production. Besides bug fixes and updates, managing security vulnerabilities in source code is one of the biggest challenges software developers face. A vulnerability in source code eventually becomes a vulnerability in every application that uses that code.
To address this challenge consistently and manage the DevSecOps process effectively, software companies should make use of several proven methods used throughout the industry.
One of these methods is Static Application Security Testing (SAST). This testing methodology helps companies analyze source code to find security vulnerabilities before an attacker finds them.
What is SonarLint and How Does it Work?
SonarLint is a free IDE extension that locates security vulnerabilities while you are coding. It is available for Visual Studio, JetBrains IDEs, Eclipse, and Visual Studio Code. SonarLint also supports several popular programming languages, including:
- Java,
- JavaScript,
- TypeScript,
- Python,
- C, C++, C#,
- PHP,
- Ruby, and
- Kotlin.
SonarLint works much like a spellchecker for code: both automatically flag problems in real time as you type.
SonarLint also provides detailed documentation for each rule, so you can easily understand any vulnerability it reports. Each rule comes with code examples and with methods to resolve the issue. With this feature, developers learn to write clean and secure code while they are writing it.
Besides writing clean code, SonarLint also helps prevent credential leaks such as API keys, DB passwords, AWS Access Keys, etc.
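As an added illustration (this is not SonarLint's own code, nor code from the original post), the following Python script shows the "before" and "after" of a credential leak and runs a minimal check of the kind that secret-detection rules perform over it. The regex patterns, the two sample source texts, and every key and password value in them are constructed for this example and do not correspond to real credentials or to SonarLint's actual rule set.

```python
import re

# Constructed patterns for a few common credential shapes. Real analyzers
# such as SonarLint ship many more rules and better heuristics; these are
# enough to show how a hardcoded secret is recognised line by line.
SECRET_PATTERNS = {
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hardcoded password": re.compile(
        r"""(?i)(password|passwd|pwd)\s*=\s*["'][^"']{4,}["']"""),
    "generic API key": re.compile(
        r"""(?i)(api[_-]?key|secret)\s*=\s*["'][A-Za-z0-9_\-]{16,}["']"""),
}


def scan_source(source: str) -> list:
    """Return one (line_number, rule_name, line_text) tuple per suspicious line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # comment lines are skipped in this simplified check
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, rule, stripped))
    return findings


# "Before": credentials embedded in source. All values are constructed.
VULNERABLE = '''\
import boto3
AWS_ACCESS_KEY_ID = "AKIAEXAMPLE0000000AB"
DB_PASSWORD = "hunter2-prod"
API_KEY = "sk_live_0123456789abcdef0123"
client = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID)
'''

# "After": the same program reading secrets from the environment, which is
# what a developer would do after acting on the finding.
HARDENED = '''\
import os
import boto3
# Credentials come from the environment (or a secrets manager), not source.
AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
DB_PASSWORD = os.environ["DB_PASSWORD"]
API_KEY = os.environ["API_KEY"]
client = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID)
'''


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        results = scan_source(src)
        print(f"{name}: {len(results)} finding(s)")
        for lineno, rule, text in results:
            print(f"  line {lineno}: {rule}: {text}")
```

Running the script reports three findings for the vulnerable sample (lines 2, 3 and 4) and none for the hardened one. The point of the hardened version is not the environment variable itself but that the secret no longer lives in a file that gets committed; any secret store that keeps it out of the repository achieves the same result.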
What is the difference between SonarLint and SonarQube?
SonarLint is focused on you, whereas SonarQube is focused on your team.
Additionally, SonarLint acts as an extension for your IDE. It helps you to increase your code quality while fixing any security vulnerabilities and bugs before they can be exploited or cause damage. On the other hand, SonarQube is a server that you must manage yourself. You’ll need to configure all of the required steps before scanning your project code. It’s a bit more complicated than SonarLint.
SonarQube comes with several features including GitHub Actions integration, Quality Gates, Webhooks, etc. Both SonarLint and SonarQube use the same static source code analyzers, so combining them would be very helpful for you and your team.
Configure SonarLint in Visual Studio Code
Prerequisites:
SonarLint needs a Java Runtime Environment (JRE) 8 or 11.
- You first need to install the Language Support for Java(TM) by Red Hat extension in VSCode. To do this, search for it in the Extensions tab and install it.
- Next, you need to download the SonarLint extension to Visual Studio Code.
- If you get an error that looks like the picture below, please select “Let SonarLint download the JRE”.
- We can now test SonarLint locally. We created a Python file for test purposes. SonarLint automatically scans the entire file and flags any issues it detects.
- You can see the rule details below.
- You can read all the details relating to the rule for every programming language that SonarLint supports here.
Optional but Useful: Binding to SonarQube Server
Connecting to your SonarQube server from Visual Studio Code lets you use the same code analyzers, rules, and configurations that are already defined on the server. To do this, follow the steps below:
- From the settings, search for SonarLint. Select “edit settings.json” under Connected Mode: Project and add the following entry:
"sonarlint.connectedMode.project": {
    "connectionId": "", // the connectionId of the server connection defined in the next step
    "projectKey": "" // replace with the project key from your SonarQube server
},
* You can find your connectionID (serverID) from Administration 🡪 System on SonarQube.
* You can find your project key in your project information.
- From the settings, search for SonarLint. Select “edit settings.json” under Connected Mode: Connections: Sonarqube and add the following entry:
"sonarlint.connectedMode.connections.sonarqube": [
    {
        "connectionId": "", // id of your SonarQube server
        "serverUrl": "", // URL of your SonarQube server
        "token": "" // token to authenticate with SonarQube
    }
],
* You can find your token under My Account 🡪 Security. Enter a name for the token and then generate it.
- Open the command palette with CTRL + Shift + P. Then type SonarLint: Update all bindings to SonarQube/SonarCloud and select it. You should see a message that looks like this:
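The two settings entries above must agree with each other, and a binding that is wrong in one of them tends to fail quietly. The following Python checker, added for this post and not part of SonarLint or VS Code, parses a settings.json fragment (stripping the // comments that settings.json allows) and reports the inconsistencies that commonly break a binding: a project connectionId with no matching connection, an empty projectKey or token, and a serverUrl without an http(s) scheme. Both sample settings texts, the server name, the ids and the token placeholder are constructed.

```python
import json
from urllib.parse import urlparse


def strip_line_comments(text: str) -> str:
    """Drop // comments (allowed in settings.json) so json.loads can parse it.

    A tiny scanner that tracks whether it is inside a double-quoted string,
    so the // inside "https://..." is left alone. Trailing commas are not
    handled; the samples below have none.
    """
    out, in_string, i = [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == '"' and (i == 0 or text[i - 1] != "\\"):
            in_string = not in_string
        if not in_string and text.startswith("//", i):
            end = text.find("\n", i)
            i = len(text) if end == -1 else end
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def load_settings(text: str) -> dict:
    return json.loads(strip_line_comments(text))


def check_binding(settings: dict) -> list:
    """Return a list of problems; an empty list means the binding looks consistent."""
    problems = []
    project = settings.get("sonarlint.connectedMode.project", {})
    connections = settings.get("sonarlint.connectedMode.connections.sonarqube", [])
    known_ids = {c.get("connectionId") for c in connections}

    if not project.get("projectKey"):
        problems.append("projectKey is empty")
    if project.get("connectionId") not in known_ids:
        problems.append(
            f"project connectionId {project.get('connectionId')!r} "
            "has no matching entry in connections.sonarqube")
    for conn in connections:
        cid = conn.get("connectionId") or "<missing connectionId>"
        url = urlparse(conn.get("serverUrl", ""))
        if url.scheme not in ("http", "https") or not url.netloc:
            problems.append(f"connection {cid}: serverUrl is not a valid http(s) URL")
        if not conn.get("token"):
            problems.append(f"connection {cid}: token is empty")
    return problems


# Constructed sample: a consistent binding. Server name, ids and the token
# placeholder are made up for this example.
GOOD_SETTINGS = '''{
    "sonarlint.connectedMode.project": {
        "connectionId": "my-sonarqube", // must match an entry below
        "projectKey": "my-org_my-project"
    },
    "sonarlint.connectedMode.connections.sonarqube": [{
        "connectionId": "my-sonarqube",
        "serverUrl": "https://sonarqube.example.internal", // the // in the URL is not a comment
        "token": "<paste-your-token-here>"
    }]
}'''

# Constructed sample with the mistakes the checker is meant to catch.
BAD_SETTINGS = '''{
    "sonarlint.connectedMode.project": {
        "connectionId": "sonar-prod",
        "projectKey": ""
    },
    "sonarlint.connectedMode.connections.sonarqube": [{
        "connectionId": "my-sonarqube",
        "serverUrl": "sonarqube.example.internal",
        "token": ""
    }]
}'''


if __name__ == "__main__":
    for label, text in (("good", GOOD_SETTINGS), ("bad", BAD_SETTINGS)):
        print(label, check_binding(load_settings(text)) or "OK")
```

The checker reads only the file you hand it; it never contacts the server. One practical note that follows from the credential-leak rules discussed earlier: settings.json is plain text, so keep the connection entry with the token in your User settings rather than in a workspace .vscode/settings.json that is committed with the project.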
Why does PurpleBox recommend SonarLint?
- Easy to set up: With just a few clicks, you can install and enable your SonarLint extension.
- Free to use: There are no subscription fees required for use.
- Supports lots of programming languages: In complex applications, several programming languages are used together. SonarLint supports most of them, meaning you will likely never need to install another extension to scan your code.
- Scan before committing: Using SonarLint, you can avoid the all-too-familiar “fix vulnerability – commit – fix vulnerability” loop.
Conclusion
Configuring SonarLint in Visual Studio Code is a simple and effective way to improve the quality of your code. The benefits of using SonarLint include:
- catching potential errors and bugs in your code,
- improving code consistency,
- and ultimately producing higher-quality software.
By following the steps outlined in this guide, you should now have a working setup of SonarLint in Visual Studio Code. Remember to regularly run SonarLint on your code and address any issues it identifies to ensure your code is the best it can be.
Check out our DevSecOps services to start your digital transformation today! If you need more information, please do not hesitate to contact us.