Analyzing only the new code with SonarLint

Hi Community,

We are running the Developer Edition of SonarQube with pull request decoration on Azure DevOps.
Each new PR gets analyzed and comments appear on the PR directly. The only problem with that is it’s overwhelming our CI pipeline, as each PR would require at least 2 builds.
Is there a way to run an analysis locally using SonarLint and only show problems with the new code, as the PR analysis would do?

Thanks in advance!

Hi @iaboud, welcome to the SonarSource Community!

In its current feature set, SonarLint will always show you all the issues that exist in a file that you’ve opened. This is quite deliberate; you might want to resolve issues beyond merely the code that you’ve most recently modified or added while you’re in there.

You should also keep in mind that SonarLint, while powerful, cannot yet find everything that might concern your PR’s code quality and security: specifically security vulnerabilities may not be detected except via a SonarQube analysis. The security engine does not currently run within SonarLint, although each IDE supports a mechanism for viewing the vulnerabilities previously discovered by SonarQube. So it’s still strongly recommended to analyze the PR with SonarQube.

Thanks for the reply @Jeff_Zapotoczny.
We are not looking to replace the analysis done by SonarQube; as you’ve explained, it comes with much more than what SonarLint can do. We are only trying to be more productive and reduce the iteration cycle.
What we need is a way to have a first idea of the errors on the new code before queuing a job on the CI pipeline.

Hello @iaboud,
What IDE are you using? In IntelliJ and Eclipse, for example, SonarLint enables you to run the analysis (if you use the IDE to commit) only on the set of modified files. Of course this is far from being optimal, as such an analysis would detect ALL issues (not only newly introduced ones) within the set of modified files - moreover, the results are limited to the kind of issues that SonarLint can detect. Still, you can use this functionality to have a “second line of defense” and review issues that SonarLint detected while you were coding but you did not fix at that time.
We already received a few requests to implement this feature in IDEs where it is currently unsupported, and to improve it by focusing on newly added code only, see here for example. Do you feel such an improvement will help you as well? To be transparent, this is not in our short-term roadmap, and at the same time we value the feedback of our users and we are always open to revisiting our roadmap if we realize many users have similar needs that are not yet fulfilled by SonarLint.

Thanks for the reply @Marco_Comi,
we are using Visual Studio.

+1 for implementing the feature in IDEs where it is currently unsupported, and to improve it by focusing on newly added code only