Constant popup in Visual Code about Sonarsource certificate

Please provide

  • Operating system: Windows 11 24H2 26100.6584
  • SonarQube for VS Code plugin version: 4.31.0
  • Programming language you’re coding in: any (powershell, c#, etc)
  • Is connected mode used:
    • SonarQube Cloud, SonarQube Server, or SonarQube Community Build? (if one of the latter two, which version?): just installed without connecting to sonar cloud or sonar server.

And a thorough description of the problem / question:

SonarQube for VS Code used along with ZScaler Client Connector 4.6.0.200 causes daily popup warnings in Visual Code.

[Window Title]
Visual Studio Code

[Content]

SonarQube for VS Code found untrusted server's certificate

Issued to:

OU=Zscaler Inc.,O=Zscaler Inc.,CN=telemetry.sonarsource.com

Issued by:

CN=Zscaler Intermediate Root CA (zscaler.net) (t)\ ,OU=Zscaler Inc.,O=Zscaler Inc.,ST=California,C=US

VALIDITY PERIOD

Valid from: Mon Sep 29 07:25:49 BST 2025

Valid to: Sat Oct 11 06:11:56 BST 2025

FINGERPRINTS

SHA-256:

F0 F3 93 C8 BE 6B 8F 23 59 B9 05 68 E9 24 9F D9
F1 64 C0 E2 98 41 7A 62 E4 38 41 6C 1C F4 8B 94

SHA-1:

B6 68 26 61 B3 81 2E 1F 0A 21 B3 C5 38 D0 4D BA 6C 93 F6 18

If you trust the certificate, by default it will be saved in truststore 'undefined'

Default password: sonarlint

For actual values of truststore path and password, check the 'sonarlint.ls.vmargs' setting.

Consider removing connection if you don't trust the certificate

[Don’t trust] [Trust] [Cancel]

1 Like

click Trust every day: again and again and again :laughing:

1 Like

Is that what’s happening? Sorry; it wasn’t clear to me if so!

No worries, I just clicked Trust yesterday and today. I think I will need to uninstall this extension from Visual Code since it seems to trigger certificate popups daily. The assessment from our security engineer was:

The recurring certificate popup in Visual Studio Code is caused by Zscaler SSL inspection, which replaces certificates during HTTPS traffic inspection. Although trusting the certificate may temporarily suppress the warning, Zscaler issues certificates with short lifespans as shown in the log (valid from Sep 22 to Oct 4) so the popup reappears frequently.

Oooh, hope you don’t uninstall just because of that!

I think you can stop getting this error by disabling telemetry altogether.

"sonarlint.disableTelemetry": true

A more robust solution would be to add Zscaler’s root certificate to the language server’s JVM trust store; this way all the temporary certificates would be trusted.

If I’m not mistaken, the popup should mention the file that the JVM uses as its trust store.

[edit]

More info in the docs: Advanced configuration | Sonar Documentation

4 Likes
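
The trust-store approach suggested in the reply above, as an added PowerShell example (not from the thread, SonarSource or Zscaler): it takes the Zscaler root CA that Windows already trusts, checks its SHA-256 fingerprint against a value obtained out of band, and only then imports it with keytool, so that the short-lived per-site certificates chain to a trusted root. Assumptions: the root is installed in Cert:\LocalMachine\Root, keytool is on PATH, and the expected fingerprint, trust store path and alias are placeholders to fill in.

```powershell
# Added example: placeholders and assumptions are marked; not SonarSource or Zscaler code.
$ExpectedSha256 = '<SHA-256 of the Zscaler root CA, from your security team>'  # placeholder
$TrustStore     = '<trust store path from your sonarlint.ls.vmargs setting>'   # placeholder
$StorePass      = 'sonarlint'   # default quoted in the popup; use your real value
$Keytool        = 'keytool'     # assumption: a JDK/JRE keytool is on PATH

# Normalise the expected fingerprint ("F0 F3 ..." or "F0:F3:..." -> "F0F3...").
$expected = ($ExpectedSha256 -replace '[\s:]', '').ToUpper()

# Root CAs are self-signed: Subject equals Issuer. The interception leaf and the
# intermediate named in the popup are deliberately not matched here.
$roots = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -match 'Zscaler' -and $_.Subject -eq $_.Issuer }
if (-not $roots) { throw 'No self-signed Zscaler certificate in LocalMachine\Root.' }

$sha256   = [System.Security.Cryptography.SHA256]::Create()
$imported = 0
foreach ($cert in $roots) {
    # Fingerprint = SHA-256 over the DER encoding, the same kind of value the popup shows.
    $actual = [BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
    if ($actual -ne $expected) {
        Write-Warning "Skipping '$($cert.Subject)': SHA-256 $actual is not the expected root."
        continue
    }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Matching root expired on $($cert.NotAfter)." }

    # keytool reads DER directly, so write the raw bytes to a temporary file.
    $der   = Join-Path $env:TEMP "zscaler-root-$($cert.Thumbprint).cer"
    $alias = "zscaler-root-$($cert.Thumbprint.ToLower())"   # hypothetical alias
    [System.IO.File]::WriteAllBytes($der, $cert.RawData)
    try {
        & $Keytool -importcert -noprompt -alias $alias -file $der `
            -keystore $TrustStore -storepass $StorePass
        if ($LASTEXITCODE -ne 0) { throw "keytool -importcert exited with $LASTEXITCODE." }
        # List the entry back so the stored fingerprint can be checked by eye.
        & $Keytool -list -alias $alias -keystore $TrustStore -storepass $StorePass
        $imported++
    } finally {
        Remove-Item $der -ErrorAction SilentlyContinue
    }
}
if ($imported -eq 0) { throw 'Nothing imported: no root matched the expected fingerprint.' }
```

Importing the root rather than clicking Trust on each leaf means only certificates that chain to the verified Zscaler CA are accepted, and the fingerprint check keeps an unexpected certificate with a similar name out of the store.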