PMD
Category: SAST
License: Free/OSS
Suphi Cankurt
AppSec Enthusiast
Updated February 12, 2026
Key Takeaways
  • Free, BSD-licensed SAST tool with 5,300+ GitHub stars and 312 contributors, supporting 400+ built-in rules across 16 languages — Java alone has 294 rules.
  • Includes CPD (Copy/Paste Detector) for duplicate code detection across 33+ languages using Karp-Rabin string matching.
  • Powers Salesforce Code Analyzer as the core engine for Apex development, making it the de facto standard for Salesforce security analysis.
  • Supports custom rules via XPath expressions or Java classes, with Maven, Gradle, and Ant integration plus SARIF output for GitHub Code Scanning.

PMD is an open-source SAST tool that scans source code for common programming flaws, including potential bugs, dead code, and security vulnerabilities. With over 5,300 GitHub stars and 312 contributors, it’s one of the most mature code analysis projects in the Java ecosystem.

Originally built for Java, PMD now supports 16 languages for rule-based analysis and ships with CPD (Copy/Paste Detector) for finding duplicated code across 33+ languages.

400+ Built-in Rules

Java has 294 rules alone, with Apex at 69, PL/SQL at 22, and JavaScript at 18. Rules cover code style, design, error-prone patterns, performance, and security.

CPD (Copy/Paste Detector)

Finds duplicated code across 33+ languages using the Karp-Rabin string matching algorithm. Supports configurable token thresholds and can ignore comments, literals, and identifiers.

Custom XPath & Java Rules

Write rules as XPath expressions against the AST for quick checks, or implement Java classes for complex analysis logic. Organizations can encode their specific standards into automated checks.

[Screenshot: PMD Copy/Paste Detector showing duplicate code detection results]

What is PMD?

PMD analyzes source code without executing it, applying configurable rules to identify problematic patterns. According to NIST’s Software Assurance guidelines, static analysis tools that detect coding standard violations contribute to reducing security vulnerabilities in production code. PMD earned its reputation in the Java community for catching issues that compilers miss but that lead to bugs, maintainability problems, or security vulnerabilities in production.

The name PMD does not officially stand for anything, though the community has proposed various backronyms including “Programming Mistake Detector.” The latest version is 7.21.0, released January 30, 2026.

PMD is used by Salesforce Code Analyzer as a core analysis engine for Apex development, making it the de facto standard for Salesforce security and code quality analysis. Salesforce also ships a custom variant called pmd-appexchange for AppExchange security review.

Language support

PMD supports 16 languages for rule-based analysis, with the bulk of rules targeting Java:

Language        | Rule Count | Notes
----------------|------------|------------------------------------------------------------
Java            | ~294       | Across 8 categories (best practices, code style, design, documentation, error prone, multithreading, performance, security)
Salesforce Apex | 69         | 7 categories
PL/SQL          | 22         | 5 categories
JavaScript      | 18         | 4 categories (ECMAScript)
Swift           | 4          | 2 categories
Kotlin          | 2          | 2 categories
XML             | 2          | 2 categories
Scala           | 0          | Language supported but no built-in rules yet

Additional languages with rules: Visualforce, HTML, JSP, XSL, Modelica, Maven POM, Velocity Template Language (VTL), and WSDL.

CPD supports 33+ languages for duplicate detection, including C/C++, C#, Go, Python, Ruby, Rust, PHP, Dart, Fortran, Lua, and more.

[Screenshot: PMD Rule Designer showing the source code editor and AST tree view for writing custom rules]

Key features

Incremental analysis

For large codebases, PMD supports incremental analysis that caches results from previous runs (available since v5.6.0). On subsequent runs, it uses file checksums to detect changes and only re-processes modified files. Activate it with the --cache CLI argument.

Output formats

PMD supports 15 output formats including SARIF (since v6.31.0), JSON, HTML, XML, CSV, and CodeClimate. SARIF output integrates with GitHub Code Scanning and other SARIF-compatible dashboards.

Salesforce integration
PMD powers the Salesforce Code Analyzer for Apex and Visualforce analysis. If you’re building Salesforce applications, PMD rules are already integrated into the Salesforce development workflow.

Getting started

1. Install PMD — Download the latest release from GitHub (pmd-dist-7.21.0-bin.zip) or install via Homebrew (brew install pmd).
2. Run your first scan — Execute pmd check -d /path/to/source -R rulesets/java/quickstart.xml to analyze your codebase with the quickstart ruleset.
3. Add to your build — PMD integrates with Maven (maven-pmd-plugin), Gradle (built-in pmd plugin), and Ant. Run mvn pmd:check or ./gradlew pmdMain as part of your build.
4. Customize rules — Create a custom ruleset XML that enables, disables, or adjusts rule properties to match your team's standards. Use XPath or Java to write organization-specific rules.

When to use PMD

PMD fits Java projects that want comprehensive code quality and security analysis without licensing costs. For Salesforce teams, it’s effectively mandatory through the Code Analyzer.

For deeper security analysis, consider pairing PMD with Semgrep, CodeQL, or a commercial SAST tool. PMD excels at code quality and style enforcement; dedicated security scanners go deeper on vulnerability detection.

Best for
Java and Salesforce Apex teams that want free, mature code analysis with 400+ built-in rules, custom rule support, and tight build tool integration.

Frequently Asked Questions

What is PMD?
PMD is a free, open-source static analysis tool that scans source code for common programming flaws including potential bugs, dead code, suboptimal code, and security vulnerabilities. It supports 16 languages for rule-based analysis and 33+ languages for copy-paste detection (CPD). The name PMD does not officially stand for anything. PMD has over 5,300 GitHub stars and 312 contributors.
What languages does PMD support?
PMD supports 16 languages for rule-based analysis: Java (294 rules), Apex (69), JavaScript/ECMAScript (18), PL/SQL (22), Swift (4), Kotlin (2), XML (2), plus Visualforce, HTML, JSP, XSL, Modelica, Maven POM, Velocity Template Language, and WSDL. Scala is supported but has no built-in rules yet. CPD (copy-paste detection) supports 33+ languages including C/C++, C#, Go, Python, Ruby, Rust, PHP, and more.
Is PMD free?
Yes. PMD is free and open-source under a BSD-style license. It is maintained by a community of 312 contributors with over 30,000 commits.
How do I write custom PMD rules?
PMD supports two approaches for custom rules: XPath rules (write XPath expressions against the Abstract Syntax Tree) and Java rules (implement complex logic in Java classes). XPath rules are faster to create and suit most needs. Java rules give full programmatic control for sophisticated analysis. Rules can also reference and modify properties of existing built-in rules.
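A custom ruleset of the kind described in step 4 of Getting started and in the answer above, added here as an example (it is not from the page or the PMD project): it enables the built-in Java security category, raises the priority of one built-in rule, and adds one XPath rule that flags string literals assigned to credential-looking variables. The rule name, the regular expression and the AST node names used in the XPath (VariableDeclarator, VariableId, StringLiteral) are assumptions about the PMD 7 Java AST; check the expression in the Rule Designer before relying on it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example ruleset, not part of the PMD project.
     Run with:  pmd check -d src/main/java -R team-ruleset.xml -f sarif -r pmd.sarif -->
<ruleset name="Team Security Ruleset"
         xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd">

    <description>Built-in Java security rules plus one organization-specific XPath rule.</description>

    <!-- 1. Enable the whole built-in Java security category, minus one rule that is re-added below. -->
    <rule ref="category/java/security.xml">
        <exclude name="HardCodedCryptoKey"/>
    </rule>

    <!-- 2. Adjust a built-in rule: report hard-coded crypto keys as priority 1 (highest). -->
    <rule ref="category/java/security.xml/HardCodedCryptoKey">
        <priority>1</priority>
    </rule>

    <!-- 3. Custom XPath rule. Node names below assume the PMD 7 Java AST:
         VariableDeclarator has a VariableId child (@Name) followed by the initializer. -->
    <rule name="HardCodedCredentialLiteral"
          language="java"
          message="Possible hard-coded credential: a credential-looking variable is initialized with a string literal"
          class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
        <description>
            A variable whose name looks like a credential and is initialized with a literal
            string puts the secret into the compiled artifact and into version control.
            Load it from configuration or a secrets manager instead.
        </description>
        <priority>2</priority>
        <properties>
            <property name="xpath">
                <value><![CDATA[
//VariableDeclarator
    [VariableId[matches(@Name, 'passw(or)?d|secret|api_?key|token', 'i')]]
    /StringLiteral
]]></value>
            </property>
        </properties>
    </rule>
</ruleset>
```

With -f sarif the findings land in a file that GitHub Code Scanning can ingest, so the custom rule shows up beside the built-in security results.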