SonarQube for IDE

Analyzes code as it is written or opened in the editor, using static analysis rules to identify quality and security issues. Issues are highlighted directly in the editor at the line level and also aggregated in VS Code's Problems panel. The analysis runs automatically on file open and during editing without requiring manual trigger, providing immediate feedback on code quality violations across 10+ supported languages.

Provides inline quick-fix actions (accessible via VS Code's lightbulb UI) that automatically resolve detected issues by modifying code. QuickFix actions are context-aware and rule-specific, applying targeted transformations to fix issues like unused imports, style violations, or security anti-patterns. Users can apply fixes individually or batch-apply across a file.

Identifies code quality and security issues before code is committed to version control, enabling developers to fix issues locally before pushing. The extension analyzes code in real-time as it is written, providing feedback before the commit stage. Integration with SCM (git, etc.) is implicit — the extension can detect issues before SCM push, but no direct SCM API access or git-specific features are documented.

Offers a free tier with core static analysis capabilities (real-time issue detection, QuickFix, basic rules) and optional premium features via SonarQube Cloud or Server subscription. The free tier includes standalone analysis for 7 primary languages and basic security rules. Premium features (Connected Mode, extended language support, advanced security analysis, AI CodeFix) require a SonarQube Cloud or Server account. SonarQube Cloud offers a free tier for public projects.

Generates automated fixes for detected issues using an AI model, providing intelligent remediation beyond rule-based QuickFix. The AI CodeFix feature is mentioned as a capability but implementation details are unknown — it is unclear whether fixes are generated locally or via cloud API, which model is used, or how the feature handles complex refactoring scenarios. Users can apply AI-generated fixes inline similar to QuickFix actions.

Provides detailed explanations of detected issues directly in the editor, framed as a 'personal coding tutor.' When users hover over or select an issue, the extension displays rule description, severity, and contextual guidance explaining why the issue matters and how to avoid it. This capability is designed to help developers understand coding best practices, not just fix issues mechanically.

Classifies detected issues into distinct categories (security vulnerabilities, code quality problems, maintainability issues) and assigns severity levels (blocker, critical, major, minor, info). This categorization enables developers to prioritize fixes and understand the impact of each issue. Severity is determined by rule configuration and can be customized via SonarQube Server/Cloud connection.

Detects hardcoded secrets, API keys, passwords, and other sensitive credentials in source code. The capability is mentioned in documentation but implementation details are unknown — scope, detection patterns, and false-positive rates are not documented. Detected secrets are flagged as security issues in the editor.

Enables optional connection to SonarQube Server (self-hosted) or SonarQube Cloud (managed) to synchronize project-specific rulesets, quality gates, and configuration across a team. When Connected Mode is enabled, the extension downloads and applies the team's shared ruleset instead of using default rules, ensuring consistent analysis across all developers. Configuration is managed centrally in SonarQube, eliminating the need for per-developer configuration files.

Unlocks analysis for additional languages (COBOL, Apex, T-SQL, Ansible) and enables 'deeply hidden security issues' detection that is not available in standalone mode. The extension claims that Connected Mode provides deeper security analysis, implying that standalone mode has reduced security detection depth. Implementation details of the advanced security analysis are unknown.

Explicitly supports analysis of code generated by AI models (e.g., GitHub Copilot, ChatGPT) to detect quality and security issues in AI-generated code. The extension can identify issues in AI-generated code that developers may not catch manually, helping teams maintain code quality standards even when using AI coding assistants. Implementation details of AI-generated code detection are unknown.

Provides language-specific static analysis engines for 10+ programming languages and infrastructure-as-code formats (JavaScript/TypeScript, Python, Java, C#, C/C++, Go, PHP, HTML, CSS, Kubernetes, Docker, PL/SQL). Each language has its own rule engine optimized for language-specific patterns and idioms. Analysis is performed locally in standalone mode, with optional server-side analysis in Connected Mode for extended language support.