🛡️ How to Apply PMD as a SAST Tool to Your Application

In today's development world, where cyberattacks increase every day, security can no longer be left until the end. One of the most effective ways to protect your applications is to apply SAST (Static Application Security Testing) from the start of development. In this article, I'll show you how to use PMD, a free static analysis tool that helps keep your code clean, efficient, and with fewer security risks.


🔍 What is PMD?

PMD is an open-source tool that analyzes source code (mainly Java, but it also supports Apex, JavaScript, XML, and other languages) and detects:

  • Duplicated code
  • Unused variables
  • Poorly structured statements
  • Excessively complex code
  • Bad programming practices

Although it is not solely focused on security, its ability to identify risky patterns makes it ideal for improving code health from a security perspective.


🛠️ How to Apply PMD to Your Application?

Step 1: Install PMD

You can download the tool from its official website:

👉 https://pmd.github.io

  • Download the .zip file corresponding to your operating system.
  • Extract the files to a folder of your choice.
  • (Optional) Add the bin/ folder to your PATH environment variable so you can run pmd from any terminal.

Step 2: Prepare Your Application

Make sure you have a Java application with a clear structure (such as src/main/java). PMD analyzes the .java source files directly, so there is no need to compile the application.


Step 3: Run the Analysis

Open your terminal and run the following command, where -d is the source directory to scan, -R the ruleset to apply, and -f the report format (the HTML output is redirected to reporte.html):

pmd check -d src -R rulesets/java/quickstart.xml -f html > reporte.html
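Redirecting the HTML report is fine for reading by hand, but to make PMD part of an automated review the findings need to be machine-readable and the build should fail when something serious turns up. The script below is an added example (it is not part of the article or of PMD): it parses a report produced with PMD's XML renderer (-f xml) and exits non-zero when any finding is at priority 3 or more severe. The element and attribute names follow PMD's XML report format; the embedded sample report, its file paths and its rule names are constructed for this demonstration.

```python
"""Gate a build on a PMD XML report (added example, not from the original
article or from PMD itself).

Produce the report with the XML renderer instead of HTML, for example:
    pmd check -d src -R rulesets/java/quickstart.xml -f xml -r pmd-report.xml
and then run:  python pmd_gate.py pmd-report.xml
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of what PMD's XML renderer emits (two files, three findings).
# The paths, line numbers and messages are made up for this example.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<pmd xmlns="http://pmd.sourceforge.net/report/2.0.0" version="7.0.0" timestamp="2024-01-01T00:00:00">
  <file name="src/main/java/app/Login.java">
    <violation beginline="12" endline="14" begincolumn="9" endcolumn="10" rule="EmptyCatchBlock" ruleset="Error Prone" priority="3">Avoid empty catch blocks</violation>
    <violation beginline="20" endline="20" begincolumn="13" endcolumn="18" rule="UnusedLocalVariable" ruleset="Best Practices" priority="3">Avoid unused local variables such as 'token'.</violation>
  </file>
  <file name="src/main/java/app/Util.java">
    <violation beginline="5" endline="5" begincolumn="1" endcolumn="40" rule="AvoidPrintStackTrace" ruleset="Best Practices" priority="3">Avoid printStackTrace(); use a logger call instead.</violation>
  </file>
</pmd>
"""


def _local(tag):
    """Strip the XML namespace so matching does not depend on the report version."""
    return tag.rsplit("}", 1)[-1]


def parse_report(xml_text):
    """Return a list of findings as (file, line, rule, priority, message) tuples."""
    findings = []
    root = ET.fromstring(xml_text)
    for file_el in root:
        if _local(file_el.tag) != "file":
            continue
        path = file_el.get("name", "?")
        for v in file_el:
            if _local(v.tag) != "violation":
                continue
            findings.append((
                path,
                int(v.get("beginline", "0")),
                v.get("rule", "?"),
                int(v.get("priority", "5")),  # PMD priorities: 1 (highest) .. 5 (lowest)
                (v.text or "").strip(),
            ))
    return findings


def summarize(findings):
    """Count findings per rule; handy as a one-line summary in the CI log."""
    return Counter(rule for _, _, rule, _, _ in findings)


def gate(findings, max_priority=3):
    """Return the findings at or above the severity threshold
    (lower number = more severe). An empty result means the build may proceed."""
    return [f for f in findings if f[3] <= max_priority]


def main(argv):
    # Read a real report when a path is given, otherwise fall back to the sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_REPORT
    findings = parse_report(xml_text)
    for path, line, rule, prio, msg in findings:
        print(f"{path}:{line}: [P{prio}] {rule}: {msg}")
    print("summary:", dict(summarize(findings)))
    blocking = gate(findings)
    if blocking:
        print(f"FAILED: {len(blocking)} finding(s) at priority <= 3")
        return 1
    print("PASSED")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wiring this script into a CI job right after the pmd check step turns the report into a build gate: the threshold in gate() is the only knob, and raising it to priority 1 or 2 lets a team start strict on the most severe rules and tighten over time.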


🧩 Practical Example

Want to see a real example of how PMD was applied to a Java application? Check out this GitHub repository, where the analysis was run and an HTML report with the findings was generated:

🔗 See example on GitHub


Conclusion

Applying SAST tools like PMD early in the development process not only improves code quality but also strengthens the overall security of the application. Although PMD is not exclusively focused on finding security vulnerabilities, it does let you detect dangerous patterns, unnecessary complexity, and bad practices that could lead to more severe issues.

Integrating it into your workflow is straightforward, and with minimal effort you can start automating reviews that catch issues which might otherwise go unnoticed. Whether you're working on a personal project or in a professional environment, using PMD is a smart step toward more robust and reliable development.