{"id":28708313,"url":"https://github.com/pmd/pmd-github-action","last_synced_at":"2026-03-17T11:34:10.107Z","repository":{"id":37053207,"uuid":"432141772","full_name":"pmd/pmd-github-action","owner":"pmd","description":"GitHub Action for PMD","archived":false,"fork":false,"pushed_at":"2024-10-07T23:27:00.000Z","size":4749,"stargazers_count":46,"open_issues_count":20,"forks_count":27,"subscribers_count":6,"default_branch":"main","last_synced_at":"2026-02-24T14:59:38.525Z","etag":null,"topics":["github-actions","linter"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/pmd.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-11-26T10:39:27.000Z","updated_at":"2026-01-02T10:08:04.000Z","dependencies_parsed_at":"2023-09-27T06:13:14.430Z","dependency_job_id":"f5b3c32b-f1be-4d46-a419-fd3f4615a4f0","html_url":"https://github.com/pmd/pmd-github-action","commit_stats":{"total_commits":557,"total_committers":7,"mean_commits":79.57142857142857,"dds":0.5816876122082586,"last_synced_commit":"e437795e6760134d4f306df4ab35edf298a42d70"},"previous_names":[],"tags_count":16,"template":false,"template_full_name":null,"purl":"pkg:github/pmd/pmd-github-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pmd%2Fpmd-github-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pmd%2Fpmd-github-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pmd%2Fpmd-github-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pmd%2Fpmd-github-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/pmd","download_url":"https://codeload.github.com/pmd/pmd-github-action/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pmd%2Fpmd-github-action/sbom","scorecard":{"id":738723,"data":{"date":"2025-08-11","repo":{"name":"github.com/pmd/pmd-github-action","commit":"e437795e6760134d4f306df4ab35edf298a42d70"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.8,"checks":[{"name":"Code-Review","score":0,"reason":"Found 0/18 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/generate.yml:1","Warn: no topLevel permission defined: .github/workflows/publish.yml:1","Warn: no topLevel permission defined: .github/workflows/test.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Pinned-Dependencies","score":4,"reason":"dependency not pinned by hash detected -- score normalized to 4","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/generate.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/pmd/pmd-github-action/generate.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/generate.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/pmd/pmd-github-action/generate.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/generate.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/pmd/pmd-github-action/generate.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/pmd/pmd-github-action/publish.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/pmd/pmd-github-action/publish.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/pmd/pmd-github-action/publish.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/pmd/pmd-github-action/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/pmd/pmd-github-action/test.yml/main?enable=pin","Info:   0 out of   6 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   2 third-party GitHubAction dependencies pinned","Info:   2 out of   2 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 12 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"19 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-cr5q-6q9f-rq6q","Warn: Project is vulnerable to: GHSA-j6gc-792m-qgm2","Warn: Project is vulnerable to: GHSA-pj73-v5mw-pm9j","Warn: Project is vulnerable to: GHSA-6jwc-qr2q-7xwj","Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8","Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q","Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38","Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc","Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg","Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275","Warn: Project is vulnerable to: GHSA-fjxv-7rqg-78g4","Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv","Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j","Warn: Project is vulnerable to: GHSA-9qxr-qj54-h672","Warn: Project is vulnerable to: GHSA-m4v8-wqvr-p9f7","Warn: Project is vulnerable to: GHSA-c76h-2ccp-4975","Warn: Project is vulnerable to: GHSA-cxrh-j4jr-qwg3","Warn: Project is vulnerable to: GHSA-6jrj-vc65-c983"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-22T16:42:22.701Z","repository_id":37053207,"created_at":"2025-08-22T16:42:22.701Z","updated_at":"2025-08-22T16:42:22.701Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30622757,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-17T11:26:08.186Z","status":"ssl_error","status_checked_at":"2026-03-17T11:24:37.311Z","response_time":56,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github-actions","linter"],"created_at":"2025-06-14T18:10:34.271Z","updated_at":"2026-03-17T11:34:10.088Z","avatar_url":"https://github.com/pmd.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# GitHub Action for PMD\n\n[![pmd-github-action-status](https://github.com/pmd/pmd-github-action/actions/workflows/test.yml/badge.svg)](https://github.com/pmd/pmd-github-action/actions)\n[![Coverage](./badges/coverage.svg)](./badges/coverage.svg)\n[![release](https://img.shields.io/github/v/release/pmd/pmd-github-action)](https://img.shields.io/github/v/release/pmd/pmd-github-action)\n\nThis action runs [PMD](https://pmd.github.io) static code analysis checks.\n\nIt can execute PMD with your own ruleset against your project. It creates a [SARIF](https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html)\nreport which is uploaded as a build artifact. Furthermore the build can be failed based on the number of violations (see the extended examples).\n\nThe action can also be used as a code scanner to create \"Code scanning alerts\".\n\n## Usage\n\nThe input `rulesets` is mandatory.\n\n### Basic\n\n```yaml\nsteps:\n  - uses: actions/checkout@v4\n  - uses: actions/setup-java@v4\n    with:\n      distribution: 'temurin'\n      java-version: '11'\n  - uses: pmd/pmd-github-action@v2\n    with:\n      rulesets: 'ruleset.xml'\n```\n\n### Extended\n\nUse a specific PMD version (6.55.0) and fail the build based on the number of violations:\n\n```yaml\nsteps:\n  - uses: actions/checkout@v4\n  - uses: actions/setup-java@v4\n    with:\n      distribution: 'temurin'\n      java-version: '11'\n  - uses: pmd/pmd-github-action@v2\n    id: pmd\n    with:\n      version: '6.55.0'\n      sourcePath: 'src/main/java'\n      rulesets: 'rulesets/java/quickstart.xml,ruleset.xml'\n  - name: Fail build if there are violations\n    if: steps.pmd.outputs.violations != 0\n    run: exit 1\n```\n\nCreate Code scanning alerts by uploading a SARIF file to GitHub:\n\n```yaml\nsteps:\n  - uses: actions/checkout@v4\n  - uses: actions/setup-java@v4\n    with:\n      distribution: 'temurin'\n      java-version: '11'\n  - uses: pmd/pmd-github-action@v2\n    with:\n      rulesets: 'ruleset.xml'\n      analyzeModifiedFilesOnly: false\n  - name: Upload SARIF file\n    uses: github/codeql-action/upload-sarif@v3\n    with:\n      sarif_file: pmd-report.sarif\n```\n\nThe created alerts are available in the project under \"Security\" / \"Code scanning alerts\".\nSee also [Uploading a SARIF file to GitHub](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github).\n\n## Inputs\n\n|input       |required|default|description|\n|------------|---|--------|---------------|\n|`token`     |no |\"github.token\"|Personal access token (PAT) used to query the latest PMD release via api.github.com and to determine the modified files of a push/pull request (see option \"analyzeModifiedFilesOnly\").\u003cbr\u003eBy default the automatic token for GitHub Actions is used.\u003cbr\u003eIf this action is used in GHES environment (e.g. the baseUrl is not \"api.github.com\"), then the token is only used for querying the modified files of a push/pull request. The token won't be used to query the latest PMD release.\u003cbr\u003e[Learn more about automatic token authentication](https://docs.github.com/en/actions/security-guides/automatic-token-authentication)\u003cbr\u003e[Learn more about creating and using encrypted secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets)|\n|`version`   |no |\"latest\"|PMD version to use. Using \"latest\" automatically downloads the latest version.\u003cbr\u003eAvailable versions: \u003chttps://github.com/pmd/pmd/releases\u003e\u003cbr\u003eNote: Only PMD 6.31.0 and later is supported due to required support for [Sarif report format](https://pmd.github.io/latest/pmd_userdocs_report_formats.html#sarif).|\n|`downloadUrl`|no|\"\"      |Manually specify the download URL from where the PMD binary distribution will be downloaded. By default, this parameter is empty and the download URL is automatically determined by querying the PMD releases at \u003chttps://github.com/pmd/pmd/releases\u003e.\u003cbr\u003eThis can be used to test PMD versions that are not official releases.\u003cbr\u003eIf a downloadUrl is specified, then the version must not be \"latest\". You need to specify a concrete version. The downloaded PMD won't be cached and will always be downloaded again.|\n|`sourcePath`|no |\".\"     |Root directory for sources. Uses by default the current directory|\n|`rulesets`  |yes|        |Comma separated list of ruleset names to use.|\n|`analyzeModifiedFilesOnly`|no|\"true\"|Instead of analyze all files under \"sourcePath\", only the files that have been touched in a pull request or push will be analyzed. This makes the analysis faster and helps especially bigger projects which gradually want to introduce PMD. This helps in enforcing that no new code violation is introduced.\u003cbr\u003eDepending on the analyzed language, the results might be less accurate results. At the moment, this is not a problem, as PMD mostly analyzes each file individually, but that might change in the future.\u003cbr\u003eIf the change is very big, not all files might be analyzed. Currently the maximum number of modified files is 300.\u003cbr\u003eNote: When using PMD as a code scanner in order to create \"Code scanning alerts\" on GitHub, all files should be analyzed in order to produce a complete picture of the project. Otherwise alerts might get closed too soon.|\n|`createGitHubAnnotations`|no|\"true\"|By default, all detected violations are added as annotations to the pull request. You can disable this by setting FALSE. This can be useful if you are using another tool for this purpose.|\n|`uploadSarifReport`|no|\"true\"|By default, the generated SARIF report will be uploaded as an artifact named \"PMD Report\". This can be disabled, e.g. if there are multiple executions on multiple os of this action.|\n\n## Outputs\n\n|output      |description|\n|------------|-----------|\n|`violations`|Number of detected violations. Can be used to fail the build.|\n\n## Limitations\n\nBelow are a list of known limitations for the **PMD GitHub Action**:\n\n*   You can analyze Java sources. But this actions current lacks the ability to configure the `auxclasspath` hence\n    the results won't be as good as they could be. For Java projects, integrating PMD via maven or gradle is\n    recommended. Furthermore, the project is analyzed as is. No build is initiated before by this action.\n    For Java this means, that the project is not compiled.\n\n*   While you can provide a custom ruleset, you can only use custom rules entirely defined within your ruleset.\n    This means that this action is limited to XPath rules for custom rules. In order to support custom Java based\n    rules, the accompanying jar file containing the custom rule implementation would need to be provided.\n\n*   Setting additional environment variables is not possible. This might be needed for some languages,\n    e.g. [Visualforce](https://pmd.github.io/latest/pmd_languages_visualforce.html).\n\n## Other similar actions for PMD\n\n[Github Marketplace PMD Actions](https://github.com/marketplace?type=actions\u0026query=pmd):\n\n| Marketplace | Github | License |\n|-------------|--------|---------|\n|https://github.com/marketplace/actions/pmd-analyser | https://github.com/synergy-au/pmd-analyser-action | MIT |\n|https://github.com/marketplace/actions/push-pmd-report | https://github.com/jwgmeligmeyling/pmd-github-action | MIT |\n|https://github.com/marketplace/actions/pmd-automatic-reviewer | https://github.com/krukmat/setup-pmd | MIT |\n|https://github.com/marketplace/actions/pmd-code-analyzer-action | https://github.com/billyan2018/setup-pmd | MIT |\n|https://github.com/marketplace/actions/pmd-analyzer-action | https://github.com/RTJL/pmd-analyzer-action | ? |\n|https://github.com/marketplace/actions/pmd-source-code-analyzer-action | https://github.com/sfdx-actions/setup-pmd | MIT |\n|https://github.com/marketplace/actions/pmd-source-code-analyzer-action-for-sap | https://github.com/ashkumar-wtc/setup-pmd | MIT |\n|https://github.com/marketplace/actions/pmd-salesforce-apex-code-analyzer-action | https://github.com/legetz/setup-pmd | MIT |\n|https://github.com/marketplace/actions/powermode-scan | https://github.com/ncino/powermode-scan |\n|https://github.com/marketplace/actions/sfdx-scan-pull-request | https://github.com/mitchspano/sfdx-scan-pull-request | Apache 2.0 |\n\n## License\n\nThe scripts and documentation in this project are released under the [MIT License](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpmd%2Fpmd-github-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpmd%2Fpmd-github-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpmd%2Fpmd-github-action/lists"}