What is PMD?

PMD is a source code analyzer that allows for static analysis of code written in a number of supported languages, including Java, Apex, and Visualforce. Its built-in rules detect common flaws in code, such as empty catch blocks or unused variables.

How does Salesforce Code Analyzer (Code Analyzer) use PMD?

By default, the Code Analyzer scanner run command (sf scanner run) executes PMD's default Apex and Visualforce rules against compatible files.

You can change which rules are executed by using the flags described in the Code Analyzer Command Reference.

Refer to our FAQ for info on how to enable PMD’s built-in rules for other languages.

How do I use pmd-appexchange to prepare my solution for an AppExchange security review?

In addition to the base PMD engine, Code Analyzer also includes a custom PMD variant, pmd-appexchange. The rules included in pmd-appexchange may help AppExchange partners prepare their managed packages for security review.

The pmd-appexchange engine is disabled by default. To run a PMD scan with the AppExchange-specific ruleset, run sf scanner run with the --engine pmd-appexchange flag.

sf scanner run --engine pmd-appexchange --target ./

For more information on the pmd-appexchange rules, read the pmd-appexchange command reference.

If you’d like to include an optional PMD scan with the AppExchange-specific ruleset in your AppExchange security review submission, run sf scanner run --engine pmd-appexchange, and name the output file CodeAnalyzerPmdAppExchange.csv.

sf scanner run --engine pmd-appexchange --format=csv --outfile=CodeAnalyzerPmdAppExchange.csv --target="./"
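A small CI wrapper around the command above, added here as an example and not part of the Code Analyzer documentation: it runs the pmd-appexchange scan into CodeAnalyzerPmdAppExchange.csv when the sf CLI is present, then counts findings by severity so a pipeline can stop a package with severity-1 findings before it is submitted for review. The CSV column layout (a header row with a "Severity" column, quoted fields) and the sample rows are assumptions constructed for the example; adjust the column name if your output differs.

```shell
#!/usr/bin/env bash
# Assumed: Code Analyzer CSV output has a header row containing a
# "Severity" column and quoted fields. This is an assumption for the
# example, not taken from the Code Analyzer documentation.

OUTFILE="CodeAnalyzerPmdAppExchange.csv"

# Run the AppExchange-specific PMD scan (the command from the doc).
# Returns 2 when the sf CLI is not installed so the helpers below can
# still be exercised on an existing CSV.
run_appexchange_scan() {
  target="${1:-./}"
  if ! command -v sf >/dev/null 2>&1; then
    echo "sf CLI not found; skipping scan" >&2
    return 2
  fi
  sf scanner run --engine pmd-appexchange --format=csv \
    --outfile="$OUTFILE" --target="$target"
}

# Count rows whose Severity column equals $2. The column is located by
# header name, so column order does not matter. Fields are split on the
# quote-comma-quote sequence so commas inside descriptions are preserved.
count_severity() {
  csv="$1"; sev="$2"
  awk -v want="$sev" -F'","' '
    NR==1 { for (i=1;i<=NF;i++) { gsub(/^"|"$/,"",$i); if ($i=="Severity") col=i }; next }
    { v=$col; gsub(/^"|"$/,"",v); if (v==want) n++ }
    END { print n+0 }' "$csv"
}

# Return 1 when any severity-1 findings exist, so CI can block the
# package before it goes to security review.
gate_on_severity_1() {
  n=$(count_severity "$1" 1)
  [ "$n" -eq 0 ]
}

# Constructed sample output (not real findings; rule names are placeholders).
write_sample_csv() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
"Problem","Severity","File","Line","Column","Rule","Description","URL","Category","Engine"
"1","1","force-app/main/default/classes/Foo.cls","12","5","SampleRuleA","constructed sample, with a comma","","Security","pmd-appexchange"
"2","3","force-app/main/default/classes/Bar.cls","40","9","SampleRuleB","constructed sample","","Security","pmd-appexchange"
"3","1","force-app/main/default/classes/Baz.cls","7","1","SampleRuleC","constructed sample","","Security","pmd-appexchange"
EOF
  echo "$f"
}
```

In a pipeline, call run_appexchange_scan and then gate_on_severity_1 "$OUTFILE"; a non-zero exit stops the job while the CSV remains available for the submission.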

For full instructions on preparing for the AppExchange security review with Code Analyzer, read Scan Your Solution with Salesforce Code Analyzer in the ISVforce Guide.
