PMD

Open Source

Open-source static analyzer detecting common programming flaws across Java, JavaScript, Apex, and more.

Pricing

Free / Open source

Type

Automation

Languages

Java, JavaScript

// VERDICT

Reach for PMD when you want free static analysis of Java/JVM (and more) code via configurable rulesets, in builds and CI. Skip it when you want a JS/TS linter (ESLint), a managed platform (SonarQube), or dynamic analysis.

Best for

An open-source static source-code analyzer (strong on Java and the JVM, plus other languages) - finding bugs, dead code, overcomplexity and bad patterns via rulesets, runnable in CI.

Avoid when

You want a JS/TS-first linter (ESLint), a managed quality platform, or runtime/dynamic analysis.

CI/CD fit

CLI / Maven / Gradle · ruleset config · CI quality gate

Languages

Java · JavaScript

Team fit

Java/JVM teams · Teams enforcing code rules in builds · QA-minded engineering

Setup

Medium

Maintenance

Low

Learning

Intermediate

Licence

Free / Open source

// BEST FOR

  • Static analysis of Java/JVM and other languages
  • Finding bugs, dead code and overly complex code
  • Configurable rulesets for your standards
  • Copy-paste detection (CPD)
  • Running in Maven/Gradle builds and CI
  • A free, scriptable quality gate

// AVOID WHEN

  • You want a JS/TS-first linter (ESLint)
  • A managed quality+security platform is preferred (SonarQube)
  • Runtime/dynamic analysis is the need
  • Minimal setup is the priority
  • You don't want to maintain rulesets
  • Multi-language dashboards are required

// QUICK START

Add PMD via Maven/Gradle (or the CLI) -> choose/author a ruleset -> run in the
build/CI and fail on violations; use CPD for duplication.

// ALTERNATIVES TO CONSIDER

| Tool | Choose it when |
|------|----------------|
| ESLint | You need linting for JavaScript/TypeScript. |
| SonarQube | You want a multi-language quality+security platform with gates. |
| Checkmarx | You need deep security-focused SAST. |

// FEATURES

  • Hundreds of built-in rules covering bugs, dead code, and complexity
  • Custom rule authoring via XPath or Java visitors
  • Cyclomatic complexity, cognitive complexity, and code-size metrics
  • Copy-paste detector (CPD) for finding duplicated blocks
  • Maven, Gradle, and CLI integrations

// PROS

  • Long history of stable, predictable rules on JVM stacks
  • Fast — fits comfortably into pre-commit and CI pipelines
  • Permissive licence and no vendor coupling
  • CPD catches duplication that diff tools miss

// CONS

  • JS, Kotlin, and Scala support trails the Java story
  • Rule defaults can be noisy without per-team tuning
  • UI tooling weaker than commercial SAST platforms

// EXAMPLE QA WORKFLOW

  1. Add PMD via Maven/Gradle or CLI

  2. Choose or author a ruleset

  3. Run analysis in the build

  4. Use CPD for duplication detection

  5. Gate CI on violations

  6. Tune rulesets to reduce noise