PS Product SecurityKnowledge Base

๐Ÿง  Catch It Before Commit: IDE Security Linters and Pre-Commit SAST

Intro: The cheapest security bug is the one a developer never commits. That is the whole point of IDE-side security linting: keep developers inside the editor, show them a precise issue, and let them fix it while the code is still warm in their head.

What this page includes

  • a practical comparison of five strong options for IDE-side security feedback
  • installation and launch patterns
  • pre-commit wiring so the editor signal actually turns into a source-control control
  • where each tool tends to fit well or fit badly

Working assumptions

  • the best developer tool is the one people actually keep enabled
  • local signal must be fast, credible, and explainable
  • CI is still the source of record; the IDE is where you shorten the feedback loop

What "linter" means in this context

Some of these tools are literal IDE linters. Some are full SAST clients with IDE integrations. In practice, the distinction matters less than the developer experience:

  • issue shows up before commit;
  • the tool points to the exact file and line;
  • the remediation guidance is usable;
  • the signal aligns reasonably well with what CI will report later.

That is the bar.

Top 5 tools worth knowing

Tool Best fit Why teams like it Watch-outs
SonarQube for IDE Broad language coverage, mixed quality + security programs Strong IDE experience, connected mode, fast local feedback Best value comes when it is connected to SonarQube or SonarQube Cloud
Semgrep Security-first teams that want portable rules and pre-commit hooks Great rule ecosystem, easy CI parity, works well with pre-commit Rule quality varies, so curation matters
Snyk IDE / Snyk Code Teams already on Snyk for SCA/container/code One vendor surface for code and dependency findings Best experience often assumes a paid platform relationship
Checkmarx One IDE plugin Enterprises using Checkmarx as the primary AppSec platform Pulls SAST, SCA, IaC, and secret detection into the IDE Can feel heavy if the broader platform is not already in place
Bearer CLI API-heavy and privacy-aware teams, especially modern web stacks Good code/data-flow signal, light CLI ergonomics, good for editor tasks and hooks More natural as CLI + tasks + hooks than as a "traditional IDE linter"

How I would choose in the real world

  • If the company already runs SonarQube, start with SonarQube for IDE.
  • If the team wants security-first rules and pre-commit control, start with Semgrep.
  • If the team already lives in Snyk, use the Snyk IDE extension and keep the workflow unified.
  • If the organization is standardized on Checkmarx One, use the IDE plugin so local work matches enterprise triage.
  • If the team is small, API-heavy, and wants something scriptable, Bearer CLI is often a clean fit.

1) SonarQube for IDE

What it is good at

SonarQube for IDE acts like a continuous code review companion in the editor. The big win is not just static findings. The big win is connected mode, where local feedback aligns more closely with the server-side project configuration.

Installation pattern

  • install SonarQube for IDE from the IDE marketplace;
  • open the extension panel;
  • connect it to SonarQube Server, SonarQube Community Build, or SonarQube Cloud;
  • bind the local repository to the correct project.

VS Code mental model

  • install the extension;
  • open the command palette;
  • sign in or bind the project;
  • let local analysis run while editing.

What I like

The feedback is usually understandable by developers without a security background. That matters.

2) Semgrep

What it is good at

Semgrep is one of the best tools for consistent local + CI behavior. It is especially good when you want the exact same rules in:

  • the IDE;
  • a local CLI run;
  • pre-commit;
  • CI.

Installation

python3 -m pip install --user semgrep
semgrep --version

Quick local run

semgrep scan --config p/security-audit .

Pre-commit example

repos:
  - repo: https://github.com/semgrep/pre-commit
    rev: v1.91.0
    hooks:
      - id: semgrep
        args:
          - --config
          - p/security-audit

Why it works well

It is very easy to explain to a team:

  • run locally;
  • see the same class of findings in CI;
  • tune rules once;
  • keep moving.

3) Snyk IDE / Snyk Code

Installation

  • install the Snyk IDE extension from the marketplace for VS Code, JetBrains, Eclipse, or Visual Studio;
  • authenticate the IDE plugin;
  • choose the organization/project context if needed.

Useful local CLI pairing

snyk auth
snyk code test

Where it shines

If the team already uses Snyk for OSS dependencies and containers, keeping code findings in the same ecosystem lowers friction.

4) Checkmarx One IDE plugin

Installation

  • install the Checkmarx One extension/plugin for the IDE in use;
  • authenticate with Checkmarx One;
  • run an on-demand scan or import platform results;
  • filter by SAST, SCA, IaC, or secrets as needed.

Where it fits

Large organizations that already treat Checkmarx One as the system of record usually get the most value here.

5) Bearer CLI

Installation

curl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.sh | sh
bearer version

Local run

bearer scan .

Why I still include it

Even though it is more CLI-first than marketplace-first, it is a practical fit for VS Code tasks, Git hooks, and developer shell workflows. For some teams that is more maintainable than another heavy plugin.

A simple comparison

Dimension SonarQube for IDE Semgrep Snyk IDE Checkmarx One IDE Bearer CLI
Local speed High High Medium Medium High
Best with platform backend Yes Optional Yes Yes Optional
Pre-commit story Indirect Strong Moderate Moderate Strong
Rule portability Medium High Medium Medium Medium
Good for security champions High High High Medium High
Good for enterprise standardization High High High High Medium

The workflow I recommend

  1. IDE extension for fast feedback
  2. Local CLI for reproducibility
  3. pre-commit hook for stopping obvious mistakes
  4. CI scan as the source of truth
  5. platform ingestion for triage and tracking

That layered model is what keeps one missed local warning from becoming a production finding.

VS Code example: practical setup

SonarQube for IDE

{
  "sonarlint.connectedMode.project": {
    "connectionId": "prod-security",
    "projectKey": "payments-service"
  }
}

Semgrep task

{
  "version": "2.0.0",
  "tasks": [
    {
      "label": "semgrep-security-audit",
      "type": "shell",
      "command": "semgrep scan --config p/security-audit .",
      "problemMatcher": []
    }
  ]
}

Example: pre-commit stack that actually works

repos:
  - repo: https://github.com/semgrep/pre-commit
    rev: v1.91.0
    hooks:
      - id: semgrep
        args: ["--config", "p/security-audit"]

  - repo: local
    hooks:
      - id: bearer-scan
        name: bearer-scan
        entry: bearer scan .
        language: system
        pass_filenames: false

Why this stack is sane

  • Semgrep covers a broad set of code-level security patterns;
  • Bearer adds a second code/data-flow lens for teams that care about API and data misuse;
  • both can run before commit without requiring a heavyweight central platform round trip.

A development-environment baseline worth copying into real programs

A useful planning lens from the public DevSecOps Playbook is that the developer environment itself should have a minimum security baseline, not just the CI system.

A practical baseline looks like this:

  1. secure code training so developers understand why the tool is shouting at them;
  2. version control and .gitignore hygiene so local junk and debug material do not get committed;
  3. pre-commit hook scans for cheap high-signal checks;
  4. verified author identity through commit signing or equivalent trusted identity controls;
  5. IDE plugins for line-of-code feedback;
  6. local SCA / SAST / secret scanning for reproducible CLI checks;
  7. an application baseline recipe that tells a new service what โ€œsecure by defaultโ€ means in that organization.

The key lesson is not โ€œrun every scanner locally.โ€ The key lesson is to keep the cheapest and most explainable checks close to the developer and leave heavier, noisier, or environment-dependent checks for CI.

What belongs local first

  • secrets detection;
  • dependency delta checks;
  • fast rule-based code checks;
  • framework misuse patterns with clear remediations.

What usually belongs in CI or later lanes

  • heavyweight whole-repo analysis;
  • DAST;
  • complex image and environment checks;
  • controls that depend on staged infrastructure or protected credentials.

Common rollout mistakes

  1. Enabling everything at once
  2. No local suppression guidance
  3. Tool mismatch with the language stack
  4. No CI parity
  5. No quick-start docs for developers
  6. Using block-on-anything as the default
  7. No feedback loop from false positives

The gate logic that usually works

A good pre-commit or IDE policy is:

  • educate first for medium-confidence rules;
  • block locally only for obvious high-value findings;
  • enforce in CI where the project-level policy is authoritative.

That is how you keep developers engaged instead of trained to ignore the tool.