GitHub acquires Semmle to speed up bug hunting in open source projects

Credit: ID 127625451 © Gagarych |

Microsoft-owned code-sharing site GitHub has acquired Semmle, a firm behind the code analysis query engine, QL, and LGTM, its QL-powered continuous code analysis platform. Both help developers find security flaws in products. 

Semmle has a number of high profile customers including Google, Mozilla, Microsoft, NASA, NASDAQ, and Uber. 

Microsoft, for example, uses QL to perform ‘variant analysis’ or finding variants of a given vulnerability to ensure it can patch all of them simultaneously and reduce the risk of the vulnerability being exploited in the wild. It’s also used QL to speed up manual code reviews, for example when assessing Linux-based firmware for devices in the Azure cloud.        

GitHub today also announced it has become a CVE Numbering Authority (CNA), meaning the site will be able issue CVEs or vulnerability identifiers for security advisories opened on GitHub. 

“Disclose vulnerabilities, alert developers, and provide updates all from within GitHub. Coming soon!,” noted GitHub on Twitter. 

Semmle’s is a free tool for open source projects and it’s already integrated with GitHub and Atlassian-owned rival Bitbucket. The tool can be used to analyze projects in Java, Python, JavaScript, TypeScript, C#, C and C++. 

“There will be no disruption to existing users of Semmle products. GitHub and Semmle are deeply committed to securing the open source ecosystem, and as part of that commitment, will continue to be available for free for public repositories and open source,” said Semmle CEO, Oege de Moor has been used to identify 107 vulnerabilities affecting major open source projects including UBoot, Apache Struts, Chromium, the Linux kernel, Memcached, VLC, and Apple's XNU kernel for macOS and iOS.

The acquisition furthers GitHub’s recent efforts to expand security tools for developers and maintainers that address common security problems affecting open source projects, such as fixing vulnerable dependencies and vulnerability disclosure. 

GitHub’s security services include its access token scanning service, the Dependabot service that automatically patches dependencies in downstream repositories affected by a newly fixed dependency flaw, security alerts and mitigation guidance, and its space for developers to privately discuss fixes for new vulnerabilities

GitHub today also announced dependency graph support for PHP, the fourth most popular language on GitHub, and PHP repositories with Composer dependencies. That means PHP developers may soon start seeing security alerts if a new vulnerability is disclosed that affects Composer dependencies. Users with public repositories automatically get the alerts however users with private repositories will need to enable them. 

GitHub hasn't disclosed the value of its acquisition. Semmle in August 2018 received $21 million in venture capital backing, bringing its total funding to $31 million since launching in 2006. 

Shanku Niyogi, GitHub's VP of product, explained Semmle's value was in its ability to address a shortage of security researchers in the face of a rapidly growing population of software developers.

"As software development has grown, however, the community of security researchers has not, and the ratio of security researchers to developers continues to drop. It’s critical that these researchers can be as productive as possible," he wrote. 

"Traditionally, vulnerabilities are discovered by penetration testing, or inspecting code by hand. Semmle scales the work of security researchers by treating code as data."

Tags open sourceMicrosoftGoogleNASAGitHubdeveloperSemmle

Show Comments