Skip to main content

Sonatype for VS Code

Sonatype for VS Code extension allows you to surface and remediate issues in your workspace dependencies, a true Shift Left in application security for development teams.

Supported Languages and Ecosystems

  • Java (Maven and Gradle)

  • JavaScript (npm and Yarn)

  • Go (Go modules)

  • Python (Poetry, Pip)

  • Rust (Cargo)

  • PHP (Composer)

  • C (Conan (1.x only))

Installing Sonatype for VS Code

Sonatype for VS Code can be installed from within VS Code using the Extensions Manager or via the Microsoft Marketplace.

Configuring Sonatype for VS Code

At a minimum, the extension requires the IQ Server URL and the credentials to be set.

You can set up the URL and username by opening the extension settings in VS Code: Settings > Extensions > Sonatype for VS Code

The password can be entered in two ways:

  • Open the command palette by pressing Command + Shift + P on Mac or Control + Shift + P on Windows, and then enter the Sonatype: Set IQ Server Password command after the > prefix. If you want to clear the stored password, you can use the Sonatype: Clear IQ Server Password command.

  • You can also use the SONATYPE_IQ_PASSWORD environmental variable. This method requires the "Use Environment Variable for Password" checkbox to be selected in the extension settings. You might need to restart VS Code for the changes to be recognized.

VS Code UI screenshot

In the extension settings, enter the Default Application ID before running the component analysis. This is required to use the appropriately scoped policy set for your application.

You can configure additional settings such as:

  • Including or excluding development dependencies from the overall analysis.

  • Parallelization - higher values mean the component analysis will be faster, but it requires more resources from VS Code; lower values mean the component analysis will be slower, but it will have less impact on VS Code's performance.

  • Starting the Analysis on VS Code Startup for the opened workspace.

Overriding the Configuration At Project Level

You can override the properties by including a Sonatype configuration file in the project's root folder with one of the following filenames:

  • .sonatype-config

  • .sonatype-config.yml

  • .sonatype-config.yaml

In this file, you can choose at per project (workspace folder) level which Lifecycle application is used for analysis; whether to include or exclude development dependencies; and you can also enforce the ecosystem for the current project (you may want to do this to exclude analysis of a certain ecosystem in a given folder or to specify only certain ecosystems to be analyzed).

Syntax with examples is as follows:

  applicationId: application-id-in-lifecycle
  includeDev: false
  type: ['maven', 'npm']

Possible values for the type field above are: 'maven', 'gradle', 'npm', 'yarn', 'go', 'pip', 'poetry', 'cargo', 'composer', and 'conan'.

For Maven, the settings.xml to be used can also be overridden. The path to the settings.xml can be specified as follows:

    settingsXmlPath: '/.m2/alternative-settings.xml'

Using Sonatype for VS Code

Running the Analysis

Component analysis provides detailed information on the components of the projects opened in the workspace of the VS Code.

If “Start Component Analysis On Load” is selected in the extension settings, analysis will run once the workspace has loaded in VS Code.

If it’s not selected, you can start the analysis by clicking the Run Component Analysis button in the Sonatype panel. This action will trigger the analysis against the default application configured in the settings.

VS Code UI screenshot

Language and Ecosystem Identification



pom.xml must exist in the project's root folder and an installation of mvn must be present.


One of settings.gradle, build.gradle or build.gradle.kts must exist in the project's root folder and an installation of gradle must be present.



package.json and package-lock.json must exist in the project's root folder and an installation of npm must be present.


package.json and yarn.lock must exist in the project's root folder and an installation of yarn must be present.


go.mod and go.sum must exist in the project's root folder and an installation of go must be present.


  • pyproject.toml and poetry.lock must exist in the project's root folder.

  • requirements.txt must exist in the project's root folder and an installation of pip, pip2 or pip3 must be present.


  • cargo.toml and cargo.lock must exist in the project's root folder.


  • composer.lock must exist in the project's root folder.


  • conan.lock must exist in the project's root folder.

Inspecting the Results

Once the analysis is complete, dependencies for each project opened in the workspace will appear in the Component Tree tab under the Sonatype panel.

VS Code UI screenshot

You can select a component to see its details in a new tab. The Component Versions view will list all versions of this component together with their highest policy violation scores, and the recommended version for the given project.

Component Filters

Both the Component Tree view and the Version History view can be filtered by Threat Levels using the filter icon on the menu bar of each view.

VS Code UI screenshot

Re-Running the Analysis

After required actions are taken, you can run the analysis again by clicking on the ⟳ icon on the menu bar of Component Tree view.

Known Limitations

The extension has support for resolving transitive dependencies and including/excluding development dependencies, with the following exceptions:

  • A dependency tree cannot be built for Pip; all dependencies are shown in a flat list.

  • Dependency scope information is not supported for Pip and Go