SonarLint

Analyzes code as the user types by parsing source files into abstract syntax trees and matching against a curated ruleset of 400+ quality rules covering bugs, code smells, and maintainability issues. Issues are highlighted directly in the editor gutter and Problems panel with line-level precision, triggering on file save and keystroke events without requiring manual invocation or build steps.

Performs static security analysis using dataflow tracing to identify vulnerabilities including SQL injection, cross-site scripting (XSS), insecure deserialization, and hardcoded secrets. In Connected Mode (linked to SonarQube Server/Cloud), analysis depth increases with access to project-wide context and additional security rules, enabling detection of 'deeply hidden' vulnerabilities that require cross-file taint tracking.

Generates fix suggestions for detected issues using an AI model (provider and version unknown) that understands the code context and applies transformations to resolve bugs, security issues, and code smells. Fixes are presented as inline QuickFix actions in the editor; users can accept or reject each suggestion. The same AI system provides detailed explanations of issues, functioning as a 'personal coding tutor' by contextualizing rules and patterns.

Enables optional connection to SonarQube Cloud or a self-hosted SonarQube Server instance to synchronize language-specific rulesets, quality profiles, and project settings across team members. When connected, the extension downloads the configured ruleset for each language and applies it locally, ensuring consistent analysis results across all developers' IDEs. Connected Mode also unlocks additional language support (COBOL, Apex, PL/SQL, T-SQL, Ansible) and deeper security analysis.

Explicitly supports analysis of code written by AI code generators (e.g., GitHub Copilot, ChatGPT) by applying the same quality and security rules to AI-generated code as human-written code. The extension detects issues in AI-generated snippets without special handling, treating them as regular source code, and provides fixes and explanations for any detected problems.

Provides detailed contextual information about each detected issue by displaying rule descriptions, code examples, and remediation guidance directly in the editor via hover tooltips and the Problems panel. The explanations are designed to educate developers about code quality patterns and best practices, functioning as inline documentation that contextualizes why a rule exists and how to fix violations.

Supports analysis of 13+ languages in standalone mode (C, C++, Java, Go, JavaScript, TypeScript, Python, C#, HTML, CSS, PHP, Kubernetes, Docker, PL/SQL) with language-specific rulesets and AST parsers. Each language has a curated set of rules optimized for its syntax and common pitfalls. Connected Mode adds support for COBOL, Apex, T-SQL, and Ansible, bringing total supported languages to 17+. Language detection is automatic based on file extension.

Aggregates all detected issues from real-time analysis into VS Code's native Problems panel, displaying issues with severity levels (error, warning, info), rule IDs, and file locations. Issues can be filtered by severity, language, or rule type. The Problems panel provides a centralized view of all quality and security issues across the open workspace, enabling developers to prioritize fixes by severity.

Offers a free standalone tier with real-time analysis, issue detection, and fix suggestions for 13+ languages. Premium features (deeper security analysis, additional languages, AI CodeFix) are available through optional connection to SonarQube Cloud (free tier available) or a paid SonarQube Server instance. The extension itself is free; monetization occurs through SonarQube Cloud subscriptions for teams requiring advanced features.