Request A Demo
Back to All Blog Articles

Analyze a Salesforce Code Base Using PMD as Part of the CI/CD Process

FlexDeploy’s s rich DevOps features, flexibility in controlling release automation, and integrated Salesforce support provide a highly efficient solution for your enterprise. If you are looking for an introduction to FlexDeploy’s support for Salesforce, start with this blog series.

In this blog, we’ll cover how to integrate PMD source code analyzer for apex classes, visual force pages, and JavaScript into your release pipelines. PMD scans help you find common programming flaws like unused variables, empty catch blocks, unnecessary object creation, and more.

After a quick configuration, you’ll be ready to execute PMD scans as part of your pipeline in FlexDeploy.

Configure the PMD Scan in FlexDeploy:

  1. The PMD plugin can install a version of PMD for you if the endpoint has access to the Internet. If not, install PMD: Download the PMD installation file and install it on the FlexDeploy server. If you already have a PMD installed host, use that endpoint to connect and execute the scan.
  2. Tie to FlexDeploy: After installation, provide the path in the FlexDeploy configuration screen. Go to the Topology -> Environments ->Properties
    PMD Path
  3. Add to a Workflow: To include the PMD rules evaluation as part of the CI/CD process, create a workflow and include the PMD evaluation as a step.
  4. The PMD plugin operation is just dragged and dropped onto the canvas. You can insert the scan before a build if you are sourcing files from SCM or after the build and before deployment.
  5. Optionally, specify a custom rule file and output variables on the plugin configuration. This gives you full control over what you want to check and scan in your code. This also eliminates a lot of manual review work.

Set security based on roles, by group, globally, or by projects, applications and folders.

Watch Video

Execute the PMD Scan:

  • Execute the build (create package) manually or as part of a CI trigger. After the build execution completes, errors or non-compliant code from the to-be-deployed package are captured and displayed on the summary screen and reports tab. This report can be sent as an email to the desired audience.

  • View the summary of the scan execution. It will show the count of Critical, High, and Medium results found.
    The PMD scan execution summary will show the count of Critical, High, and Medium results found.
  • You can view the full report in the Reports tab. You can also download the report from this tab.
    View the full PMD scan report in the Reports tab, or download the report from this tab.
  • You can add a quality gate in your pipeline that will take automated action based on the results of a scan. If needed, fail the build when critical issues are found or as per your threshold level.


The PMD source code analysis toolset helps achieve and enforce industry best practices, and makes your code more stable and less vulnerable from the security standpoint. This integration is another great example of FlexDeploy’s extensive support for Salesforce. You can seamlessly integrate PMD and other scanning tools into your CI/CD pipeline and drive the DevSecOps journey of your organization using FlexDeploy. This will help deliver high-quality code into production fast.

A Comprehensive, Integrated Approach to DevOps

Tell us about your integration challenges. We’ve got you covered.

Related Resources

Join DevOps leaders across the globe who receive analysis, tips, and trends in their inbox