SonarLint - Fix Issues Before They Exist

SonarLint is an IDE extension that helps you detect and fix quality issues as you write code. Like a spell checker, SonarLint squiggles flaws so that they can be fixed before committing code.

Why it matters

Code Quality is an integral part of any software pipeline nowadays. It's about preventing bugs from impacting end users, preventing security vulnerabilities from making it to the open world, and also easing the maintainability of your code. Static Code Analysis plays an essential role here.

Static code analysis typically happens as part of a Continuous Integration (CI) pipeline. All standard CI engines (e.g. Jenkins, Travis CI, Azure DevOps etc.) allow for many different build/test/analysis tools to be part of the pipeline. But that means the code must be committed into the repository and submitted to the CI server before it can be analysed.

At SonarSource, we've been writing code analyzers for more than a decade. And along the journey of offering CI-friendly tools (SonarQube and SonarCloud, enabling Continuous Code Quality across more than 25 languages), we rapidly wondered: what if we could provide code quality feedback to developers earlier in the process? We envisioned a spell-checker type tool that would instantaneously report quality issues when you write code! That's how SonarLint was born.

SonarLint to the rescue

SonarLint is an IDE extension that helps you detect and fix quality issues as you write code. It is open source, totally free and supports multiple IDE flavors. For Eclipse, you can get it directly from the Eclipse Marketplace, and it will then detect new bugs and quality issues as you code (in Java, JavaScript, PHP and Python).

Getting started with SonarLint in Eclipse is very simple: you install it from the Eclipse Marketplace, keep on coding, and SonarLint will let you know whenever it sees a bug/vulnerability in the file being edited.

SonarLint provides a fully integrated experience. When an issue is found, it is reported and explained in-line:

A dedicated view also gives you the big picture on all issues in the file::

And in case you wish to understand more about the rule being violated, detailed documentation is available right in Eclipse. In fact, let's take a closer look at how SonarLint can really serve as a great learning tool to discover coding best practices.

Learn from your mistakes

Over ten years of building code analyzers, we've developed a solid quality model split between 3 domains:

  • Reliability: avoiding bugs and undefined behavior
  • Security: avoid vulnerabilities, breaches and attacks
  • Maintainability: Ease code updates and increase developer velocity

When SonarLint reports an issue, it will always tell you if it's a bug (reliability), a vulnerability (security) or a code smell (maintainability). This allows you to rapidly understand the risks involved, and provides a true learning opportunity with the rule description:

The content there is a constant opportunity to learn more about common coding pitfalls along with tricky issues that you've possibly never considered. Each rule comes with its own detailed description, examples and even references. You'll often have fun digging into the specifics of an issue.

To top it all off, SonarLint provides Issues Locations when needed: guiding you through the different steps and different data manipulation, that lead to a bug.

Such in-code insights, together with rich rule descriptions, let you gain a profound understanding of how your code might behave, while continuously improving your coding skills.

The start of a journey

There's much more to say about SonarLint, and this post is just a starting point. It's the start of a Continuous Code Quality journey, where you'll discover how static code analysis can be simple and yet powerful in its positive impact and learning opportunity.

Throughout that journey you'll also discover that SonarLint offers additional features to always stay in control (e.g. configuring active rules, excluding files), and also to share the good vibes with your team (Connecting with SonarQube or SonarCloud, to share a common team definition of code quality and expand it to more coding languages and setups).

We're confident you'll fully enjoy the ride, and by all means give us feedback! Our products are open, our static analysis rules are open, and our community is open:

About the Author

Nicolas Bontoux

Nicolas Bontoux