Skip to content

pmd/pmd-github-action

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace

Repository files navigation

GitHub Action for PMD

pmd-github-action-status Coverage release

This action runs PMD static code analysis checks.

It can execute PMD with your own ruleset against your project. It creates a SARIF report which is uploaded as a build artifact. Furthermore the build can be failed based on the number of violations (see the extended examples).

The action can also be used as a code scanner to create "Code scanning alerts".

Usage

The input rulesets is mandatory.

Basic

steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-java@v4
    with:
      distribution: 'temurin'
      java-version: '11'
  - uses: pmd/pmd-github-action@v2
    with:
      rulesets: 'ruleset.xml'

Extended

Use a specific PMD version (6.55.0) and fail the build based on the number of violations:

steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-java@v4
    with:
      distribution: 'temurin'
      java-version: '11'
  - uses: pmd/pmd-github-action@v2
    id: pmd
    with:
      version: '6.55.0'
      sourcePath: 'src/main/java'
      rulesets: 'rulesets/java/quickstart.xml,ruleset.xml'
  - name: Fail build if there are violations
    if: steps.pmd.outputs.violations != 0
    run: exit 1

Create Code scanning alerts by uploading a SARIF file to GitHub:

steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-java@v4
    with:
      distribution: 'temurin'
      java-version: '11'
  - uses: pmd/pmd-github-action@v2
    with:
      rulesets: 'ruleset.xml'
      analyzeModifiedFilesOnly: false
  - name: Upload SARIF file
    uses: github/codeql-action/upload-sarif@v3
    with:
      sarif_file: pmd-report.sarif

The created alerts are available in the project under "Security" / "Code scanning alerts". See also Uploading a SARIF file to GitHub.

Inputs

input required default description
token no "github.token" Personal access token (PAT) used to query the latest PMD release via api.github.com and to determine the modified files of a push/pull request (see option "analyzeModifiedFilesOnly").
By default the automatic token for GitHub Actions is used.
If this action is used in GHES environment (e.g. the baseUrl is not "api.github.com"), then the token is only used for querying the modified files of a push/pull request. The token won't be used to query the latest PMD release.
Learn more about automatic token authentication
Learn more about creating and using encrypted secrets
version no "latest" PMD version to use. Using "latest" automatically downloads the latest version.
Available versions: https://github.com/pmd/pmd/releases
Note: Only PMD 6.31.0 and later is supported due to required support for Sarif report format.
downloadUrl no "" Manually specify the download URL from where the PMD binary distribution will be downloaded. By default, this parameter is empty and the download URL is automatically determined by querying the PMD releases at https://github.com/pmd/pmd/releases.
This can be used to test PMD versions that are not official releases.
If a downloadUrl is specified, then the version must not be "latest". You need to specify a concrete version. The downloaded PMD won't be cached and will always be downloaded again.
sourcePath no "." Root directory for sources. Uses by default the current directory
rulesets yes Comma separated list of ruleset names to use.
analyzeModifiedFilesOnly no "true" Instead of analyze all files under "sourcePath", only the files that have been touched in a pull request or push will be analyzed. This makes the analysis faster and helps especially bigger projects which gradually want to introduce PMD. This helps in enforcing that no new code violation is introduced.
Depending on the analyzed language, the results might be less accurate results. At the moment, this is not a problem, as PMD mostly analyzes each file individually, but that might change in the future.
If the change is very big, not all files might be analyzed. Currently the maximum number of modified files is 300.
Note: When using PMD as a code scanner in order to create "Code scanning alerts" on GitHub, all files should be analyzed in order to produce a complete picture of the project. Otherwise alerts might get closed too soon.
createGitHubAnnotations no "true" By default, all detected violations are added as annotations to the pull request. You can disable this by setting FALSE. This can be useful if you are using another tool for this purpose.
uploadSarifReport no "true" By default, the generated SARIF report will be uploaded as an artifact named "PMD Report". This can be disabled, e.g. if there are multiple executions on multiple os of this action.

Outputs

output description
violations Number of detected violations. Can be used to fail the build.

Limitations

Below are a list of known limitations for the PMD GitHub Action:

  • You can analyze Java sources. But this actions current lacks the ability to configure the auxclasspath hence the results won't be as good as they could be. For Java projects, integrating PMD via maven or gradle is recommended. Furthermore, the project is analyzed as is. No build is initiated before by this action. For Java this means, that the project is not compiled.

  • While you can provide a custom ruleset, you can only use custom rules entirely defined within your ruleset. This means that this action is limited to XPath rules for custom rules. In order to support custom Java based rules, the accompanying jar file containing the custom rule implementation would need to be provided.

  • Setting additional environment variables is not possible. This might be needed for some languages, e.g. Visualforce.

Other similar actions for PMD

Github Marketplace PMD Actions:

Marketplace Github License
https://github.com/marketplace/actions/pmd-analyser https://github.com/synergy-au/pmd-analyser-action MIT
https://github.com/marketplace/actions/push-pmd-report https://github.com/jwgmeligmeyling/pmd-github-action MIT
https://github.com/marketplace/actions/pmd-automatic-reviewer https://github.com/krukmat/setup-pmd MIT
https://github.com/marketplace/actions/pmd-code-analyzer-action https://github.com/billyan2018/setup-pmd MIT
https://github.com/marketplace/actions/pmd-analyzer-action https://github.com/RTJL/pmd-analyzer-action ?
https://github.com/marketplace/actions/pmd-source-code-analyzer-action https://github.com/sfdx-actions/setup-pmd MIT
https://github.com/marketplace/actions/pmd-source-code-analyzer-action-for-sap https://github.com/ashkumar-wtc/setup-pmd MIT
https://github.com/marketplace/actions/pmd-salesforce-apex-code-analyzer-action https://github.com/legetz/setup-pmd MIT
https://github.com/marketplace/actions/powermode-scan https://github.com/ncino/powermode-scan
https://github.com/marketplace/actions/sfdx-scan-pull-request https://github.com/mitchspano/sfdx-scan-pull-request Apache 2.0

License

The scripts and documentation in this project are released under the MIT License