I would like to use SonarLint mainly for Bugs and Security Vulnerabilities.
Before using SonarLint, I would like to understand whether SonarLint can detect all types of vulnerabilities such as passwords, keys/tokens, credit card numbers, vulnerable dependencies, secrets, etc. in the code when using the IDE.
I am not sure, as I found this post stating that SonarLint cannot detect high-level security risks in the IDE; they can only be detected in SonarQube or SonarCloud.
Hello, welcome to the community! And thank you for your question.
For the time being, there are 2 main types of vulnerabilities detected by SonarLint:
“Standard” vulnerabilities: those detect code constructs which are known to be vulnerable and require immediate attention; they should be detected out of the box by SonarLint (availability for a given language depends on the IDE).
“Taint” vulnerabilities: those are detected through a taint analysis algorithm that finds application paths where user-controlled data reaches sensitive code; these are available in connected mode with SonarCloud or one of the commercial editions of SonarQube.
A third category, “Secrets” is just around the corner (should be available in the next few months).
So in comparison to GitHub’s security features, at the moment SonarLint is not 100% there yet. However, detection of secrets in the IDE is shifted left compared to the analysis GitHub does on your already pushed code. So in my opinion, both tools have complementary value.
Which IDE(s) and language(s) are you interested in?
As a side note, let’s make something very clear: there is no SLA on this community forum (operators are not standing by), especially during weekends. As a rule of thumb, please make sure that you wait ~1 week before bumping a topic if you don’t get any answer.
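To make the “taint” category concrete, here is an added example that is not part of the thread and not Sonar's own engine: a toy, intra-procedural taint tracker written over Python's standard `ast` module, run on a constructed Flask-style snippet. The source, sink and sanitizer names (`request.args.get`, `cursor.execute`, `os.system`, `int`, `shlex.quote`) and the sample code are assumptions chosen for the illustration; a real engine such as SonarQube's uses far larger catalogues and follows data across branches, loops and function calls.

```python
"""Toy intra-procedural taint analysis over Python source (added illustration).

Walks each function body in source order with the standard `ast` module:
  - a variable assigned from a SOURCE call (or a tainted expression) becomes tainted;
  - a variable assigned from a SANITIZER call (or a clean expression) becomes clean again;
  - a SINK call whose sensitive argument position receives tainted data is reported.
Source/sink/sanitizer names are assumptions for the sample, not Sonar's catalogue.
"""
import ast

SOURCES = {"request.args.get", "request.form.get"}
# sink name -> argument positions that must not receive user-controlled data
# (the parameter tuple of cursor.execute is deliberately NOT a sink: that is the fix)
SINKS = {"cursor.execute": {0}, "os.system": {0}, "subprocess.call": {0}}
SANITIZERS = {"int", "shlex.quote"}


def dotted_name(node):
    """'request.args.get' for Name/Attribute chains, None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def is_tainted(expr, tainted):
    """Does user-controlled data flow into this expression?"""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Call):
        name = dotted_name(expr.func)
        if name in SANITIZERS:
            return False  # sanitizer output is trusted
        if name in SOURCES:
            return True   # fresh user input
        # any other call is assumed to pass taint through from its arguments
        return any(is_tainted(a, tainted) for a in expr.args) or any(
            is_tainted(k.value, tainted) for k in expr.keywords)
    # concatenation, f-strings, .format(), tuples, ...: taint flows up from children
    return any(is_tainted(child, tainted)
               for child in ast.iter_child_nodes(expr) if isinstance(child, ast.expr))


class TaintVisitor(ast.NodeVisitor):
    def __init__(self):
        self.function = None
        self.tainted = set()
        self.findings = []  # (function name, line, sink)

    def visit_FunctionDef(self, node):
        self.function, self.tainted = node.name, set()  # intra-procedural: fresh state
        self.generic_visit(node)

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                if is_tainted(node.value, self.tainted):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)  # clean reassignment kills taint
        self.generic_visit(node)  # the right-hand side may itself call a sink

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in SINKS and any(i < len(node.args) and is_tainted(node.args[i], self.tainted)
                                 for i in SINKS[name]):
            self.findings.append((self.function, node.lineno, name))
        self.generic_visit(node)


def find_taint_flows(source_code):
    """Return [(function, line, sink), ...] for every sink reached by tainted data."""
    visitor = TaintVisitor()
    visitor.visit(ast.parse(source_code))
    return visitor.findings


# Constructed sample: two injection paths, one parameterised fix, one sanitised path.
SAMPLE = '''\
from flask import request
import os

def lookup(cursor):
    name = request.args.get("name")
    query = "SELECT * FROM accounts WHERE name = '" + name + "'"
    return cursor.execute(query)

def lookup_fixed(cursor):
    name = request.args.get("name")
    return cursor.execute("SELECT * FROM accounts WHERE name = %s", (name,))

def ping():
    host = request.args.get("host")
    target = host
    return os.system(f"ping -c 1 {target}")

def paginate(cursor):
    page = int(request.args.get("page"))
    return cursor.execute("SELECT * FROM accounts LIMIT 10 OFFSET " + str(page * 10))
'''

if __name__ == "__main__":
    for function, line, sink in find_taint_flows(SAMPLE):
        print(f"{function}:{line}: user-controlled data reaches {sink}")
```

On the sample this reports `lookup` (string concatenation into `cursor.execute`) and `ping` (f-string into `os.system`), and stays quiet on `lookup_fixed` (the tainted value goes into the parameter tuple, not the query text) and `paginate` (`int()` acts as a sanitiser). It only follows straight-line assignments inside one function; that gap, not the idea, is what separates a toy like this from a commercial taint engine.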
This will help us analyse whether SonarLint would fit our requirements. We do use SonarQube Enterprise in our organisation.
The question was to identify which tool would be better at analysing the security vulnerabilities mentioned in my first post, in comparison with GitHub Advanced Security.
My other question would be: if SonarLint is not yet mature, can SonarQube scan and detect vulnerabilities similar to GitHub Advanced Security?
SonarQube Enterprise Edition will flag vulnerabilities of the first 2 types I mentioned earlier (standard + taint), not secrets.
On top of those, it will raise Security Hotspots in places where a human intervention is needed to decide whether a given code construct is safe or a real vulnerability.
I see that GitHub Advanced Security also does dependency analysis, which is completely out of the scope of SonarQube.
Again, I believe that GitHub Advanced Security can be used to complement SonarQube’s static application security testing capabilities: there does not seem to be much overlap in what these tools bring.
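As an added illustration of what a Security Hotspot is (not from the thread, and not Sonar's own code), the following standard-library Python shows one construct, a fast unsalted hash, that a scanner can flag but cannot classify on its own: used as a content checksum it is harmless, used to store a password it is a real vulnerability, and the hardened form replaces it with a salted, slow key derivation. The iteration count is an assumption for the example.

```python
"""Added illustration of a Security Hotspot: the same construct (a fast, unsalted hash)
is harmless as a content checksum and a real vulnerability as a password store.
A scanner can only flag the construct; a human decides which case applies."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumption for the example; set per your policy/hardware


def content_fingerprint(data: bytes) -> str:
    """Hotspot reviewed as SAFE: MD5 as a cache key / dedup checksum, not for security.
    usedforsecurity=False (Python 3.9+) records that review decision in the code."""
    return hashlib.md5(data, usedforsecurity=False).hexdigest()


def store_password_insecure(password: str) -> str:
    """Hotspot reviewed as VULNERABLE: unsalted fast hash for credentials.
    Equal passwords give equal digests, and offline cracking is cheap."""
    return hashlib.md5(password.encode()).hexdigest()


def store_password(password: str, salt: bytes = b"") -> tuple:
    """Hardened form: random per-user salt plus a deliberately slow KDF.
    Returns (salt, digest); both are stored, neither is secret."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    print("fingerprint:", content_fingerprint(b"report.pdf contents"))
    salt, digest = store_password("correct horse battery staple")
    print("verify ok:", verify_password("correct horse battery staple", salt, digest))
    print("verify wrong:", verify_password("wrong", salt, digest))
```

The point for triage: the two MD5 calls look identical to a pattern rule, which is why a tool raises them for review instead of asserting a vulnerability; the reviewer marks the first as safe (ideally leaving the `usedforsecurity=False` marker behind) and fixes the second.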