Microsoft's new open source tool can scan your website for security and performance headaches

Microsoft's Sonar checks accessibility, interoperability, performance, Progressive Web Apps, and security.
Written by Liam Tung, Contributing Writer

Microsoft's Edge browser team has released an open source 'linting' tool and a site scanner to help web developers secure their sites and keep up with evolving web standards.

According to Microsoft, Sonar improves on available static site scanners by executing website code, while integrating with other scanning services such as Qualys' SSL certificate configuration testing service SSL Server Test, aXe for testing a site's accessibility support, the Google-founded AMP Project, and snyk.io, which is Sonar's scanner for vulnerable JavaScript libraries.

Sonar currently supports five rule categories, checking a site for accessibility, interoperability across browsers, performance (fast page load times), Progressive Web Apps, and security.

Microsoft earlier this year donated the Sonar project to the JS Foundation to "remove any possible doubt that this project has the community's best interest in mind".


Sonar's "Nellie the narwhal" logo


The project builds on earlier scanning tools Microsoft released to fix site coding problems caused by the need to support various versions of Internet Explorer.

Sonar was originally a command-line tool but it now has a 'Nellie the narwhal'-branded online site scanner hosted on Azure, which allows developers to take a quick site health check.

According to Snyk, by default Sonar checks for the presence of JavaScript libraries with known vulnerabilities. Sonar identifies the libraries and versions a site uses, checks them against Snyk's list of client-side JavaScript vulnerabilities, and produces a report with links to the corresponding issues on Snyk, which include information on how to remedy each vulnerability. Snyk notes that developers will still need to check server-side code for similar bugs.
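The library check described above, as an added example that is not Sonar's or Snyk's code: it derives library names and versions from script URLs, compares them against an advisory list, and emits a report with advisory links. The advisory entries, their URLs and the sample page are constructed placeholders, not real Snyk records.

```javascript
// Added example, not Sonar's or Snyk's code. Advisory entries and URLs are
// constructed placeholders; each says "versions below fixedIn are affected".
const ADVISORIES = [
  { library: "jquery", fixedIn: "3.0.0", url: "https://example.invalid/advisory/jquery-placeholder" },
  { library: "angular", fixedIn: "1.6.0", url: "https://example.invalid/advisory/angular-placeholder" },
];

// Constructed sample page: two outdated libraries, one current, one unknown script.
const SAMPLE_HTML = `
<script src="https://code.jquery.com/jquery-1.12.4.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.5.8/angular.min.js"></script>
<script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
<script src="/static/app.js"></script>`;

// Numeric dotted-version comparison: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Step 1: find <script src> tags and derive {library, version} from two common
// CDN filename shapes: ".../name-1.2.3(.min).js" and ".../name(.js)/1.2.3/...".
function identifyLibraries(html) {
  const found = [];
  const srcRe = /<script[^>]*\ssrc=["']([^"']+)["']/gi;
  for (let m; (m = srcRe.exec(html)) !== null; ) {
    const src = m[1];
    const hit = src.match(/\/([a-z][a-z0-9-]*?)-(\d+\.\d+(?:\.\d+)?)(?:\.min)?\.js$/i)
      || src.match(/\/([a-z][a-z0-9-]*?)(?:\.js)?\/(\d+\.\d+(?:\.\d+)?)\//i);
    if (hit) found.push({ library: hit[1].toLowerCase(), version: hit[2], src });
  }
  return found;
}

// Step 2: match each library against the advisory list and build the report,
// one finding per vulnerable library with a link to the advisory.
function scanForVulnerableLibraries(html) {
  return identifyLibraries(html).flatMap((lib) =>
    ADVISORIES
      .filter((a) => a.library === lib.library && compareVersions(lib.version, a.fixedIn) < 0)
      .map((a) => ({ library: lib.library, version: lib.version, src: lib.src, fixedIn: a.fixedIn, url: a.url })));
}

console.log(JSON.stringify(scanForVulnerableLibraries(SAMPLE_HTML), null, 2));
```

Scripts served without a recognisable version in the URL (like `/static/app.js` above) are not reported, which is the same blind spot the article notes for server-side code: the check only covers what it can identify.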

Following a study last year that found 37 percent of 133,000 websites had at least one JavaScript library with a known vulnerability, Snyk ran its own scan of the top 5,000 URLs and found that 76.6 percent were running at least one JavaScript library with a known vulnerability.

Cloudinary is supporting Sonar's performance check with its website speed assessment tool, which shows how changes to image size, format and other factors can reduce file size without compromising the user experience.

Other features coming to Sonar in the future include a plug-in for Visual Studio Code, the ability to customize rule configuration in the scanner, and more rules to assess performance, accessibility, security, and Progressive Web Apps.
