Real-time verification for better, more secure code

SonarQube for IDE is a free developer companion that brings real-time static analysis, quick-fix guidance, and security issue detection directly into your coding editor. It surfaces issues as you code, explains why they matter, and suggests clear next steps, so you can improve quality at the source without breaking your flow. This helps teams reduce rework, prevent defects early, and keep quality consistent across contributors.

Beyond inline issue highlighting, SonarQube for IDE supports a focus on new code, encouraging new code quality practices that prevent the introduction of fresh issues. By catching bugs, vulnerabilities, and code smells during editing, it shortens feedback loops and complements your SonarQube or SonarQube Cloud project gates to keep overall health trending up.

SonarQube for IDE (formerly known as SonarLint) is broadly supported across the most popular development environments. SonarQube for IDE supports Visual Studio, VS Code, Eclipse, and the JetBrains family (including IntelliJ, PyCharm, and WebStorm). It also extends to AI-native editors built on the VS Code architecture, such as Cursor, Windsurf, and Trae. It provides real-time analysis for over 20 languages including Java, JavaScript, TypeScript, Python, C#, C++, PHP, and Go, with additional support for languages like COBOL, Apex, and PL/SQL when used in Connected Mode.

Support spans the major desktop IDEs used in professional development, enabling consistent patterns for issue highlighting, rule explanations, and quick-fix suggestions. This consistency helps organizations roll out quality at the source across diverse teams and tech stacks with minimal friction.

You can use Connected Mode to integrate SonarQube for IDE with SonarQube Server or SonarQube Cloud to align local analysis with the rules, quality profiles, and policies used on your central projects. This ensures the same standards and baselines apply in the IDE and in CI, reducing surprises when code is reviewed or merged.

Once connected, issues detected locally reflect the same rule configuration as your server-side analysis. This supports a focus on new code workflows: developers see exactly what will matter at merge, fix issues early, and reliably pass quality gates governed by your project configuration.

SonarQube for IDE covers a broad set of languages, including popular backend, frontend, and infrastructure languages, and it continues to evolve with ecosystem needs. It has support for over 20 languages including Java, JavaScript, TypeScript, Python, C#, C++, PHP, and Go, with additional support for languages like COBOL, Apex, and PL/SQL when used in Connected Mode. Coverage includes rules for reliability, security, maintainability, and test-related guidance to help you deliver quality code continuously.

Framework-specific checks help flag pitfalls common to certain stacks, while general best-practice rules apply across languages. This combination provides actionable findings for both seasoned engineers and newcomers, enabling quality at the source in mixed repositories and monorepos.

To enable focus on new code, you can toggle the setting directly within your IDE. This feature filters the issue list to show only the problems introduced in your current development cycle (the "New Code Period"). You can also set up your project’s new code definition in SonarQube Server or SonarQube Cloud, then connect your IDE so the same definition and rules apply locally. With this, SonarQube for IDE highlights issues in changed files, promoting new code quality habits that steadily raise standards without massive refactors.

This approach encourages teams to improve quality incrementally, preventing new problems from entering the codebase while allowing planned remediation of older parts. The result is a practical path to quality at the source that aligns developer workflows with team quality gates and organizational expectations.

The issues you see in SonarQube for IDE are driven by the rules active in your project’s quality profile on SonarQube Server or SonarQube Cloud if you are in Connected Mode. When your organization updates rules, your IDE analysis reflects those changes, ensuring your local findings match CI and code review expectations.

You can tailor profiles to your tech stack and risk tolerance, enabling or disabling rules as needed. This centralized governance helps teams standardize on quality code practices while giving developers precise, up-to-date feedback inside their editor.

Yes—SonarQube for IDE flags vulnerabilities, security hotspots, and patterns that can lead to injection, insecure configurations, and other risks. Findings include contextual explanations and remediation guidance to help you fix problems early, reducing the chance of security debt accumulating.

While some security issues require full-project or build-context analysis, early indications in the IDE steer you toward safer patterns as you write code. Some advanced security findings (e.g., dependency‑aware Advanced SAST or SCA) are evaluated on the server side depending on your edition/features, complementing IDE feedback. Combined with server-side analysis, this layered approach supports a focus on new code and strengthens your overall security posture.

Yes, SonarQube for IDE includes robust Secrets Detection as a core security feature. It acts like a real-time spellchecker for sensitive data, catching credentials the moment they are typed or pasted into your editor. It flags potential secrets (like API keys, database passwords, or private keys) before you commit them to your repository, preventing the need for costly "secret rotation”.

SonarQube for IDE provides instant feedback before you commit, aligning with the rules and gates that your CI will enforce. Fixing issues locally reduces PR churn, speeds reviews, and increases the likelihood that your branch will pass project quality gates on the first try.

When combined with branch and pull request analysis in SonarQube Server or SonarQube Cloud, teams get a cohesive experience: developers prevent issues in the IDE, and CI validates changes against the same standards. This end-to-end loop operationalizes quality at the source throughout the lifecycle.

You can use SonarQube for IDE independently without SonarQube Community Build, Server, or Cloud for local feedback, but connecting it to SonarQube Community Build, Server or Cloud unlocks additional features and provides more value. Many organizations start with the Community Build of SonarQube and then adopt additional capabilities as governance needs expand.

A server connection ensures your IDE reflects the exact rule set and quality profiles used centrally, which is important for teams that rely on consistent quality gates. This helps developers maintain new code quality and avoid mismatches between local development and CI results.

Install SonarQube for IDE in your editor, then open your repository and run a local analysis to see initial findings. If your team uses SonarQube Server or SonarQube Cloud, configure the connection so your local checks match the project’s rules and quality profiles.

Next, confirm your project’s new code definition and quality gate standards on the server so your IDE focuses on the most relevant changes. Encourage the team to fix issues as they code, leveraging quick fixes and explanations to build consistent quality code habits that scale across contributors.