SonarLint to check JS on VSCode not reporting vulnerabilities

Must-share information (formatted with Markdown):

  • SonarLint for VSCode 1.21.0
  • checking JS source for security issues
  • I have the following code with a hardcoded password. SonarLint does not report this!

    ```js
    var mysql = require('mysql');

    // Connection options must be passed as a single object literal
    var connection = mysql.createConnection({
      user: "admin",
      database: "project",
      password: "mypassword", // sensitive
      multipleStatements: true
    });
    ```


Any suggestions?

Hi @khopdee, welcome to the SonarSource Community!

This situation is covered by one of our Security Hotspot rules for JavaScript, and Security Hotspots are not currently raised directly by SonarLint in standalone mode. If you also have a SonarQube instance and analyze the project containing this code, the hotspot would be raised there and the “Open in IDE” feature available since the last few SonarQube releases would allow you to review it within VS Code.

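Since standalone SonarLint does not raise this hotspot, a small local check can catch the same pattern before commit. The following is an added example, not part of the thread and not SonarSource's rule implementation; the function name `findHardcodedCredentials`, the list of credential-like key names, and the `DB_PASSWORD` environment variable are assumptions made for illustration.

```javascript
// Heuristic: a credential-like key assigned a non-empty string literal.
const CREDENTIAL_NAME = /^(password|passwd|pwd|secret|token|api[_-]?key)$/i;
// Matches  key: "literal"  or  key = 'literal'  (the key may itself be quoted).
const ASSIGNMENT = /["']?([A-Za-z_$][\w$-]*)["']?\s*[:=]\s*(["'`])((?:\\.|(?!\2).)*)\2/g;

function findHardcodedCredentials(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((line, index) => {
    if (/^\s*(\/\/|\*|\/\*)/.test(line)) return; // skip whole-line comments
    for (const [, name, quote, value] of line.matchAll(ASSIGNMENT)) {
      if (!CREDENTIAL_NAME.test(name)) continue;
      if (value.length === 0) continue; // empty placeholder, nothing leaked
      if (quote === "`" && value.includes("${")) continue; // built at runtime
      findings.push({ line: index + 1, name }); // never echo the secret itself
    }
  });
  return findings;
}

// Constructed sample 1: the snippet from the question, with valid syntax.
const PAGE_SNIPPET = [
  "var mysql = require('mysql');",
  "",
  "var connection = mysql.createConnection({",
  '  user: "admin",',
  '  database: "project",',
  '  password: "mypassword", // sensitive',
  "  multipleStatements: true",
  "});",
].join("\n");

// Constructed sample 2: same call, password taken from the environment
// (DB_PASSWORD is an assumed variable name).
const ENV_VARIANT = PAGE_SNIPPET.replace(
  'password: "mypassword", // sensitive',
  "password: process.env.DB_PASSWORD,"
);

console.log(findHardcodedCredentials(PAGE_SNIPPET)); // one finding, line 6
console.log(findHardcodedCredentials(ENV_VARIANT));  // no findings
```

This is a line-based regex heuristic, so it misses secrets split across lines or passed positionally; it complements the SonarQube hotspot review rather than replacing it.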
