Skip to content
PMD

PMD

Category: SAST
License: Free/OSS
Visit PMD GitHub (5300โ˜…)
Suphi Cankurt
Suphi Cankurt
+8 Years in AppSec
Updated May 19, 2026
5 min read
Key Takeaways
  • Free, BSD-licensed SAST tool with 5,300+ GitHub stars and 312 contributors, supporting 400+ built-in rules across 16 languages โ€” Java alone has 294 rules.
  • Includes CPD (Copy/Paste Detector) for duplicate code detection across 33+ languages using Karp-Rabin string matching.
  • Powers Salesforce Code Analyzer as the core engine for Apex development, making it the de facto standard for Salesforce security analysis.
  • Supports custom rules via XPath expressions or Java classes, with Maven, Gradle, and Ant integration plus SARIF output for GitHub Code Scanning.
Latest Updates
  • PMD 7.24.0 added two new rules โ€” Apex AvoidInterfaceAsMapKey (catches duplicated map entries from interface keys that have abstract implementers defining equals/hashCode) and Java OverridingThreadRun. source
  • PMD 7.23.0 fixed InsecureCryptoIv false negatives when IVs come from array initializers, plus a core report HTML link regression. source
  • PMD 7.22.0 shipped a minor release with bundled security fixes. source

PMD is an open-source SAST tool that scans source code for common programming flaws, including potential bugs, dead code, and security vulnerabilities.

With over 5,300 GitHub stars and 312 contributors, it’s one of the most mature code analysis projects in the Java ecosystem.

Originally built for Java, PMD now supports 16 languages for rule-based analysis and ships with CPD (Copy/Paste Detector) for finding duplicated code across 33+ languages.

400+ Built-in Rules
Java has 294 rules alone, with Apex at 69, PL/SQL at 22, and JavaScript at 18. Rules cover code style, design, error-prone patterns, performance, and security.
CPD (Copy/Paste Detector)
Finds duplicated code across 33+ languages using the Karp-Rabin string matching algorithm. Supports configurable token thresholds and can ignore comments, literals, and identifiers.
Custom XPath & Java Rules
Write rules as XPath expressions against the AST for quick checks, or implement Java classes for complex analysis logic. Organizations can encode their specific standards into automated checks.
PMD CPD command-line output showing two duplicate code blocks detected across Java service files
PMD CPD finds duplicated blocks by token count โ€” here catching a 23-line validation method copied between UserService and AdminService.

What is PMD?

PMD analyzes source code without executing it, applying configurable rules to identify problematic patterns.

According to NIST’s Software Assurance guidelines, static analysis tools that detect coding standard violations contribute to reducing security vulnerabilities in production code.

PMD earned its reputation in the Java community for catching issues that compilers miss but that lead to bugs, maintainability problems, or security vulnerabilities in production.

The name PMD does not officially stand for anything, though the community has proposed various backronyms including “Programming Mistake Detector.” The latest version is 7.21.0, released January 30, 2026.

PMD is used by Salesforce Code Analyzer as a core analysis engine for Apex development, making it the de facto standard for Salesforce security and code quality analysis.

Salesforce also ships a custom variant called pmd-appexchange for AppExchange security review.

Language support

PMD supports 16 languages for rule-based analysis, with the bulk of rules targeting Java:

LanguageRule CountNotes
Java~294Across 8 categories (best practices, code style, design, documentation, error prone, multithreading, performance, security)
Salesforce Apex697 categories
PL/SQL225 categories
JavaScript184 categories (ECMAScript)
Swift42 categories
Kotlin22 categories
XML22 categories
Scala0Language supported but no built-in rules yet

Additional languages with rules: Visualforce, HTML, JSP, XSL, Modelica, Maven POM, Velocity Template Language (VTL), and WSDL.

CPD supports 33+ languages for duplicate detection, including C/C++, C#, Go, Python, Ruby, Rust, PHP, Dart, Fortran, Lua, and more.

PMD Rule Designer showing XPath attributes panel, Java source editor, and Abstract Syntax Tree for writing custom rules
The PMD Rule Designer lets you navigate the AST interactively โ€” write an XPath expression on the left and immediately see which nodes it matches in your source code.

What are PMD’s key features?

Incremental analysis

For large codebases, PMD supports incremental analysis that caches results from previous runs (available since v5.6.0).

On subsequent runs, it uses file checksums to detect changes and only re-processes modified files. Activate it with the --cache CLI argument.

PMD incremental analysis output showing 312 of 318 files served from cache, with 3 violations found in 6 changed files in 1.2 seconds
With incremental analysis, PMD re-analyzes only modified files โ€” here cutting a 47-second full scan down to 1.2 seconds for a 318-file project.

Output formats

PMD supports 15 output formats including SARIF (since v6.31.0), JSON, HTML, XML, CSV, and CodeClimate. SARIF output integrates with GitHub Code Scanning and other SARIF-compatible dashboards.

Salesforce integration
PMD powers the Salesforce Code Analyzer for Apex and Visualforce analysis. If you’re building Salesforce applications, PMD rules are already integrated into the Salesforce development workflow.

PMD rulesets and CPD

PMD groups its 400+ rules into seven ruleset categories, and each rule belongs to exactly one. Knowing the categories is the difference between running PMD as a quality gate and running it as configuration noise.

  • bestpractices โ€” idiomatic Java patterns that Effective Java and the Java Language Specification recommend.
  • codestyle โ€” naming, formatting, brace style. Overlaps with Checkstyle’s territory.
  • design โ€” class size, method cyclomatic complexity, coupling. Architectural smells.
  • errorprone โ€” common bug patterns: null checks, equals/hashCode mismatches, suspicious comparisons.
  • multithreading โ€” synchronized-block correctness, volatile usage, race-condition prone patterns.
  • performance โ€” string concatenation in loops, unnecessary object creation, boxing.
  • security โ€” limited but real: insecure random, hardcoded crypto keys, SSL bypass patterns. PMD is not a full SAST, but the security ruleset catches the common Java mistakes.

The second component most teams discover late is CPD (Copy-Paste Detector). CPD ships in the same binary and finds duplicated code blocks across files using a token-stream algorithm. It supports the same languages as PMD’s main analyzer and is what most teams reach for before adopting SonarQube’s duplicate detection โ€” pmd cpd --minimum-tokens 100 --files src/ on a codebase usually surfaces the worst offenders within a minute.

How do I get started with PMD?

1
Install PMD โ€” Download the latest release from GitHub (pmd-dist-7.21.0-bin.zip) or install via Homebrew (brew install pmd).
2
Run your first scan โ€” Execute pmd check -d /path/to/source -R rulesets/java/quickstart.xml to analyze your codebase with the quickstart ruleset.
3
Add to your build โ€” PMD integrates with Maven (maven-pmd-plugin), Gradle (built-in pmd plugin), and Ant. Run mvn pmd:check or ./gradlew pmdMain as part of your build.
4
Customize rules โ€” Create a custom ruleset XML that enables, disables, or adjusts rule properties to match your team’s standards. Use XPath or Java to write organization-specific rules.

When to use PMD

PMD fits Java projects that want comprehensive code quality and security analysis without licensing costs. For Salesforce teams, it’s effectively mandatory through the Code Analyzer.

For deeper security analysis, consider pairing PMD with Semgrep , CodeQL , or a commercial SAST tool.

PMD excels at code quality and style enforcement; dedicated security scanners go deeper on vulnerability detection.

Best for
Java and Salesforce Apex teams that want free, mature code analysis with 400+ built-in rules, custom rule support, and tight build tool integration.

PMD vs SpotBugs vs Checkstyle

Most mature Java projects run all three. They overlap by design โ€” each was built to enforce a different layer of code quality and they catch different categories of issues.

PMD โ€” source-code static analysis. Reads the AST, runs rule queries (XPath or Java visitors), and finds style + design + errorprone + lightweight security issues. Strongest on Java, supports Apex, JavaScript, JSP, and a handful of others. Catches the broadest mix of issues per scan.

SpotBugs โ€” bytecode static analysis. Reads compiled .class files, not source, and finds runtime-correctness bugs (null dereferences, infinite recursion, equals/hashCode mismatches, broken concurrency patterns). Pairs with the FindSecBugs plugin to add a CWE-aligned security ruleset that PMD’s security category does not match for depth. Best when source is unavailable or when bug-finding precision matters more than style coverage.

Checkstyle โ€” line-by-line style enforcement. Smaller scope than PMD on purpose: indentation, brace placement, Javadoc presence, package layout. Faster to run than PMD because it does not build an AST or evaluate XPath queries.

In practice the stack is: Checkstyle for style policy, PMD for design + errorprone + light security, SpotBugs (with FindSecBugs) for bytecode-level bugs and the deeper security checks. For a wider view of static analysis options, the SAST tools hub lists every active scanner I have reviewed.

Visit PMD View source on GitHub (5300โ˜…)

Frequently Asked Questions

What is PMD?
PMD is a free, open-source static analysis tool that scans source code for common programming flaws including potential bugs, dead code, suboptimal code, and security vulnerabilities. It supports 16 languages for rule-based analysis and 33+ languages for copy-paste detection (CPD). The name PMD does not officially stand for anything. PMD has over 5,300 GitHub stars and 312 contributors.
What languages does PMD support?
PMD supports 16 languages for rule-based analysis: Java (294 rules), Apex (69), JavaScript/ECMAScript (18), PL/SQL (22), Swift (4), Kotlin (2), XML (2), plus Visualforce, HTML, JSP, XSL, Modelica, Maven POM, Velocity Template Language, and WSDL. Scala is supported but has no built-in rules yet. CPD (copy-paste detection) supports 33+ languages including C/C++, C#, Go, Python, Ruby, Rust, PHP, and more.
Is PMD free?
Yes. PMD is free and open-source under a BSD-style license. It is maintained by a community of 312 contributors with over 30,000 commits.
How do I write custom PMD rules?
PMD supports two approaches for custom rules: XPath rules (write XPath expressions against the Abstract Syntax Tree) and Java rules (implement complex logic in Java classes). XPath rules are faster to create and suit most needs. Java rules give full programmatic control for sophisticated analysis. Rules can also reference and modify properties of existing built-in rules.
How I review tools Suggest an edit

Other SAST Tools

Veracode
Veracode

Binary Analysis AppSec Platform

Corgea
Corgea

AI-native SAST with automatic vulnerability detection and code fix generation

Parasoft
Parasoft

Compliance-first SAST for automotive, aerospace & medical device software

Infer
Infer

Meta's Inter-Procedural Static Analyzer

PHPStan
PHPStan

PHP Static Analysis with Progressive Strictness

Psalm
Psalm

PHP Type Safety + Security Taint Analysis

See all SAST tools

Complement with SCA

Pair static analysis with dependency scanning for broader coverage.

Mend
Mend

Renovate-powered SCA + Agentic SAST in one platform

cdxgen
cdxgen

CycloneDX SBOM generator for 20+ languages

See all SCA tools

Learn More

Best SAST Tools for C# in 2026 Best SAST Tools for Go in 2026 Best SAST Tools for Java in 2026 Best SAST Tools for PHP in 2026 Best SAST Tools for JavaScript and TypeScript in 2026 Best SAST Tools for Python in 2026

Explore all SAST guides and tools