Code Quality and Security for C# and VB.NET
Static analysis of C# and VB.NET languages in SonarQube, SonarCloud and SonarLint code quality and security products. These analyzers allow you to produce safe, reliable and maintainable code by helping you find and correct bugs, vulnerabilities and code smells in your codebase.
- 380+ C# rules and 130+ VB.NET rules
- Metrics (complexity, duplications, number of lines etc.)
- Import of unit test results from VSTest, NUnit and xUnit
- Import of test coverage reports from Visual Studio Code Coverage, dotCover, OpenCover, Coverlet and NCover 3.
- Support for custom rules
Integration with SonarQube and SonarCloud
Do you have a question or feedback?
- Contact us on our Community Forum to provide feedback, ask for help, request new rules or features.
- Create a GitHub Issue if you've found a bug, False-Positive or False-Negative.
- Building, testing and debugging the Java plugin
- Building, testing and debugging the .NET analyzer
- Using the rspec.ps1 script
How to contribute
There are many ways you can contribute to the
When contributing, please respect our Code of Conduct.
Join the discussions
One of the easiest ways to contribute is to share your feedback with us (see give feedback) and also answer questions from our community forum. You can also monitor the activity on this repository (opened issues, opened PRs) to get more acquainted with what we do.
Pull Request (PR)
Before submitting the PR, make sure all tests are passing (all checks must be green).
- We suggest you do not pick issues with the
Area: CFGlabel (they are difficult, can have many side effects and are less likely to be accepted).
- We suggest you do not implement new rules unless they are already specified for C# and/or VB.NET on our rules repository.
Note: Our CI does not get automatically triggered on the PRs from external contributors. A member of our team will review the code and trigger the CI on demand by adding a comment on the PR (see Azure Pipelines Comment triggers docs):
/azp run Sonar.Net.External- unit and integration tests for the analyzer (optional; can be done before the review)
/azp run Sonar.Net- full pipeline, including plugin tests and promotion (must be done before merging)
If you would like to work on this project full-time, we are hiring!
To request new rules, Contact us on our Community Forum.
If you have an idea for a rule but you are not sure that everyone needs it, you can implement your own Roslyn analyzer.
- You can start with this tutorial from Microsoft to write an analyzer.
- All Roslyn-based issues are picked up by the Scanner for MSBuild and pushed to SonarQube / SonarCloud as external issues.
- Also check out SonarQube Roslyn SDK to embed your Roslyn analyzer in a SonarQube plugin, if you want to manage your rules from SonarQube.
Copyright 2014-2020 SonarSource.
Licensed under the GNU Lesser General Public License, Version 3.0