SonarQube displays suggestions for file outside the workspace when using GitHub Copilot code review

• Operating system: Windows 11
• SonarQube for VS Code plugin version: 4.43.0 (latest)
• Programming language: Python
• Is connected mode used: No.

Steps to reproduce:

1. Open a clean installation or new profile of VS Code.
2. Download the following extensions: Python (it will also download Pylance), GitHub Copilot Chat, and SonarQube for IDE.

image375×637 38.9 KB

3. Create a test project with a Python file.
4. Check that SonarQube works correctly. It should only show suggestions for the test file.
5. Clear the SonarQube output (logs)
6. Right click some code and choose “Generate Code > Review”. This will trigger the ”Chat: Review” action.
7. Notice how SonarQube suddenly starts analyzing an internal file of the Pylance extension that is not part of this workspace.

Screenshot 2026-02-19 160806973×312 33 KB

Screenshot 2026-02-19 1608341002×317 22.6 KB

I am also including the extension output that was printed upon running the Copilot review:

2026-02-19 16:07:05.277 [info] [Info - 16:07:05.272] [sonarlint : sonarlint-analysis-scheduler] Starting analysis with configuration: [
  baseDir: c:\Users\REDACTED\.vscode\extensions\ms-python.vscode-pylance-2026.1.1\dist\typeshed-fallback\stdlib
  extraProperties: {sonar.cfamily.compile-commands=, sonar.js.internal.bundlePath=c:\Users\REDACTED\.vscode\extensions\sonarsource.sonarlint-vscode-4.43.0-win32-x64\eslint-bridge}
  activeRules: [15 kubernetes, 300 python, 493 cpp, 28 css, 232 c, 22 go, 296 ipython, 30 secrets, 361 javascript, 14 docker, 565 java, 56 Web, 15 xml, 297 csharpsquid, 167 php, 7 terraform, 378 typescript, 18 azureresourcemanager, 7 cloudformation]
  inputFiles: [
    file:///c:/Users/REDACTED/.vscode/extensions/ms-python.vscode-pylance-2026.1.1/dist/typeshed-fallback/stdlib/builtins.pyi (UTF-8) [py]
  ]
]

2026-02-19 16:07:05.584 [info] [Info - 16:07:05.583] [sonarlint : sonarlint-analysis-scheduler] Index files
2026-02-19 16:07:05.587 [info] [Info - 16:07:05.584] [sonarlint : Report about progress of file indexation] 1 file indexed
2026-02-19 16:07:05.891 [info] [Info - 16:07:05.890] [org.reflections.Reflections : sonarlint-analysis-scheduler] Reflections took 38 ms to scan 1 urls, producing 24 keys and 257 values
2026-02-19 16:07:05.942 [info] [Warn - 16:07:05.941] [sonarlint : sonarlint-analysis-scheduler] No workDir in SonarLint
2026-02-19 16:07:05.945 [info] [Info - 16:07:05.944] [org.sonar.plugins.python.Scanner : sonarlint-analysis-scheduler] Starting rules execution
2026-02-19 16:07:05.946 [info] [Info - 16:07:05.945] [org.sonar.plugins.python.MultiFileProgressReport : rules execution] 1 source file to be analyzed
2026-02-19 16:07:07.995 [info] [Info - 16:07:07.993] [org.sonar.plugins.python.MultiFileProgressReport : rules execution] 1/1 source file has been analyzed
2026-02-19 16:07:07.995 [info] [Info - 16:07:07.994] [org.sonar.plugins.python.MultiFileProgressReport : sonarlint-analysis-scheduler] Finished step rules execution in 2049ms
2026-02-19 16:07:07.996 [info] [Info - 16:07:07.994] [org.sonar.plugins.python.PythonScanner : sonarlint-analysis-scheduler] The Python analyzer was able to leverage cached data from previous analyses for 0 out of 1 files. These files were not parsed.
2026-02-19 16:07:07.997 [info] [Info - 16:07:07.994] [org.sonar.iac.common.extension.IacSensor : sonarlint-analysis-scheduler] There are no files to be analyzed for the Java language
2026-02-19 16:07:07.997 [info] [Info - 16:07:07.995] [org.sonar.iac.common.extension.IacSensor : sonarlint-analysis-scheduler] There are no files to be analyzed for the Docker language
2026-02-19 16:07:07.997 [info] [Info - 16:07:07.995] [org.sonar.plugins.javascript.analysis.CssRuleSensor : sonarlint-analysis-scheduler] No CSS, PHP, HTML or VueJS files are found in the project. CSS analysis is skipped.
2026-02-19 16:07:07.999 [info] [Info - 16:07:07.997] [org.sonar.plugins.common.TextAndSecretsSensor : sonarlint-analysis-scheduler] Available processors: 16
2026-02-19 16:07:07.999 [info] [Info - 16:07:07.998] [org.sonar.plugins.common.TextAndSecretsSensor : sonarlint-analysis-scheduler] Using 16 threads for analysis.
2026-02-19 16:07:08.003 [info] [Info - 16:07:08.000] [org.sonar.plugins.common.TextAndSecretsSensor : sonarlint-analysis-scheduler] Start fetching files for the text and secrets analysis
2026-02-19 16:07:08.003 [info] [Info - 16:07:08.000] [org.sonar.plugins.common.TextAndSecretsSensor : sonarlint-analysis-scheduler] Retrieving all except binary files
2026-02-19 16:07:08.004 [info] [Info - 16:07:08.000] [org.sonar.plugins.common.analyzer.Analyzer : sonarlint-analysis-scheduler] Starting the text and secrets analysis
2026-02-19 16:07:08.004 [info] [Info - 16:07:08.000] [org.sonar.plugins.common.MultiFileProgressReport : Progress of the text and secrets analysis] 1 source file to be analyzed for the text and secrets analysis
2026-02-19 16:07:08.015 [info] [Info - 16:07:08.014] [org.sonar.plugins.common.MultiFileProgressReport : Progress of the text and secrets analysis] 1/1 source file has been analyzed for the text and secrets analysis
2026-02-19 16:07:08.017 [info] [Info - 16:07:08.016] [sonarlint : sonarlint-analysis-scheduler] Analysis detected 69 issues and 0 Security Hotspots in 2743ms

After a few minutes, the suggestions for the incorrect file disappear. But the same issue can be retriggered by starting another Copilot review.

Hey @hb20007, I apologize for the late reply!

This is a very valid concern, and I created this bug ticket, for reference.

We have had a similar issue in the past, and the solution is not straight forward, as we sometimes want to analyze files that are not in the scope of the workspace. We will try to reconsider this approach.

Thank you!