Can I run sonarlint check from command line (without sonarqube)

Is there a way to run sonarlint in command line and check if any rule has breached ?

The context it that I want the same checks to be run in my IDE, by local dev before pushing and on the CI.

I also don’t want every dev to install a SonarQube locally.

Hi @fabich and welcome to the SonarSource community!
Let me ask you a few questions to understand your context and needs a little more in details:

  • which IDE are you (or the developers in your organization) using?
  • do you have one SonarQube instance in your team/company, integrated with your CI flows?
  • you said you want the same checks locally in the IDE: what is your goal exactly? do you expect SonarLint to provide you with a full list of issues affecting your project (same issues that SonarQube would find later on?), or do you expect to have a list of new issues only (those you are introducing with this commit/push for example) so that you can review and fix them before pushing the new code?

  • which IDE are you (or the developers in your organization) using?
    We are using VS Code, Eclipse and IntelliJ.

  • do you have one SonarQube instance in your team/company, integrated with your CI flows?
    No we don’t have a SonarQube instance.

  • what is your goal exactly?
    I want to force the project to 0 issues so nobody adds new issues.
    We already have several CLI tools we use on the CI that any user can also run locally.
    I’d like to do the same with SonarLint checks.

Thanks @fabich for the clarifications.

The quick answer: it is not possible to run SonarLint checks from the command line, and still, with SonarQube or SonarCloud, there is a way to reach your goal “nobody adds new issues” without requiring “forcing the project to 0 issues”.

The long answer: SonarLint’s goal is to catch issues directly in the IDE as developers code; the idea is to detect issues as soon as possible (i.e. in the very moment you write a line of code). We do not see SonarLint as a tool to review the whole list of issues in your project, nor to “force the project to 0 total issues”. This is why we do not propose a CLI for SonarLint to scan the whole project and report issues.
You say “I want to force the project to 0 issues so nobody adds new issues”: actually, we have tools that allow you to avoid adding new issues, without the precondition of reaching 0 total issues in your project; moreover, your project may have many existing issues, and this should not prevent you from starting to enforce better code quality and security policies. To this extent, we promote the Clean As You Code approach to achieve Code Quality and Security by focusing on issues in the New Code Period while avoiding removing all existing issues. I invite you to read the blog post and our documentation for a full explanation of our rationale and methodology.
Following this methodology, here is why we propose to associate SonarLint with a SonarQube or SonarCloud instance:

  • SonarLint focuses on catching issues as you code, just like a spell checker, directly in your IDE
  • SonarQube or SonarCloud analyze your whole project (every time you push new code, for example), and run quality gate checks to enforce your policy about Code Quality and Security: for example, block code changes adding new issues that slipped through SonarLint detection or were not fixed in the IDE. Of course, if you wish you can also review the full issue list for your project there (including old issues on old code).
    Please also note that some complex issues (for example security vulnerability issues involving taint analysis) are only detectable in SonarQube/SonarCloud and not in SonarLint.

How would a dev check if he is adding new errors if he does not have access to the CI SonarQube?

From SonarLint itself (not via CLI), at least in Eclipse and IntelliJ it is possible to list and review issues in modified files when you commit. For example in IntelliJ IDEA, if SonarLint detects some issues in the files I am about to commit, I will get such a popup:

and then I can review those issues.
To be noted though, this feature will detect ALL issues in the changeset files, not only newly added issues, at least for now.

Ok, I think it’s a bit weird to have a full IDE integration but no simple CLI to do the checks.

We already have ten tools (checkers, linters, formatters…) running from the command line. For example, for Java Checkstyle we can see the issues in any IDE (with the corresponding extension), but we also have the possibility to run mvn checkstyle:check to see if the code is clean, which is also the command run on CI before merging a PR.

All these tools also have configuration (the list of rules we want to enforce, the current number of violations, the exact tool version…) that is merged into the project. The Maven plugin (or equivalent for other languages) is all the user really needs, and it is easily installed with the package manager.

As far as I understand Sonar, it is not possible to run this kind of workflow :confused:

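The workflow described in the post above (a linter run from the command line, both locally and on CI, with the currently tolerated number of violations committed into the repository so that nobody can add new ones) can be implemented as a small "ratchet" script. The following is an added example, not code from the thread or from SonarSource; it assumes the linter emits a Checkstyle-format XML report (the format produced by `mvn checkstyle:check` and by many other linters) and that a baseline file named `lint-baseline.json` (a hypothetical name) is committed next to the code. The sample report embedded in the script is constructed for illustration.

```python
"""Ratchet check: fail when a lint report contains more violations than the
baseline committed in the repository.

Added example (not from the original thread). Assumptions:
  - the report is Checkstyle-format XML (<checkstyle><file><error/>...);
  - the baseline is a JSON file such as {"max_violations": 12}, committed
    alongside the code under the hypothetical name lint-baseline.json.
"""
import json
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample report in Checkstyle XML format (not real project output).
SAMPLE_REPORT = """<checkstyle version="8.0">
  <file name="src/main/java/com/example/Foo.java">
    <error line="3" column="1" severity="error" message="Missing a Javadoc comment."/>
    <error line="10" column="5" severity="warning" message="Line is longer than 100 characters."/>
  </file>
  <file name="src/main/java/com/example/Bar.java">
    <error line="7" column="9" severity="error" message="Unused import."/>
  </file>
</checkstyle>
"""

# Severity ordering used to ignore entries below a chosen threshold.
SEVERITY_ORDER = {"info": 0, "warning": 1, "error": 2}


def count_violations(report_xml: str, min_severity: str = "warning") -> dict:
    """Parse a Checkstyle-format report and return {file_name: count},
    counting only <error> elements whose severity is >= min_severity."""
    threshold = SEVERITY_ORDER[min_severity]
    root = ET.fromstring(report_xml)
    counts = {}
    for file_el in root.findall("file"):
        n = sum(
            1
            for e in file_el.findall("error")
            if SEVERITY_ORDER.get(e.get("severity", "error"), 2) >= threshold
        )
        if n:
            counts[file_el.get("name")] = n
    return counts


def check_against_baseline(report_xml: str, baseline: dict,
                           min_severity: str = "warning") -> tuple:
    """Return (ok, total, max_allowed): ok is False when the report contains
    more violations than the committed baseline allows."""
    total = sum(count_violations(report_xml, min_severity).values())
    max_allowed = int(baseline.get("max_violations", 0))
    return (total <= max_allowed, total, max_allowed)


def load_baseline(path: Path) -> dict:
    """Read the committed baseline; with no baseline file, allow 0 violations
    so a fresh project starts strict rather than silently permissive."""
    if not path.exists():
        return {"max_violations": 0}
    return json.loads(path.read_text())


if __name__ == "__main__":
    # Usage: python ratchet.py [report.xml]; with no argument the sample is used.
    report = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_REPORT
    ok, total, allowed = check_against_baseline(
        report, load_baseline(Path("lint-baseline.json")))
    print(f"{total} violation(s), baseline allows {allowed}: {'OK' if ok else 'FAIL'}")
    sys.exit(0 if ok else 1)
```

The exit status makes the same script usable as a pre-push hook and as a CI step; when a developer fixes violations, the baseline number is lowered in the same change so the total can only go down.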

It is very weird. The architecture is flawed at best, at least for the UI projects where Sonar uses open-source linters, enforces its own rules on a server instead of exposing the same functionality on the command line. I have been trying to use ESLint plugin:sonar/recommend but the rules are not synchronized with your server (they don’t tell you if it is running Sonar Way or Sonar Way Recommended).

Hello @bhantol, welcome to the community and thank you for your feedback.

I understand how the architecture might appear as “flawed” to someone new to the ecosystem and used to UNIX-style, CLI-first tools.

The analyzers available in SonarQube, SonarCloud and SonarLint started their lives as plugins for SonarQube (née Sonar), when it was marketed as an open platform for code quality.

Their tight integration within the 4 supported IDE families through SonarLint allows for a user experience that goes beyond what most linters offer, with detailed rule descriptions, explanation of complex issues through multiple locations, and synchronization with the server quality profile and settings in connected mode.

Said otherwise, the analyzers were never meant to be run as standalone products, but rather to power a larger ecosystem.

With SonarLint in the IDE to catch issues while you code, and branch analysis / PR decoration in SonarCloud or SonarQube, it seems that your project’s quality and security should be pretty well covered.

This is the developer experience currently offered by our ecosystem. It can be really powerful if you embrace it, and I understand that it can appear as frustrating if you don’t want to.