GitHub acquires Semmle to help developers spot security vulnerabilities


Popular software hosting service GitHub has acquired Semmle, a code analysis platform that helps product developers and security researchers discover potential zero-days and critical vulnerabilities in large codebases.

The financial terms of the deal were not disclosed by the two companies. But GitHub intends to make Semmle’s automated code review products available via GitHub Actions.

The San Francisco-based firm — founded in 2006 — counts Uber, NASA, Microsoft, Google, and Nasdaq as some of its clients.

Semmle offers tools like QL, which codifies logical programming errors as queries to spot mistakes, find variants of the same bug elsewhere in the code, and prevent them from occurring in the future.

QL also powers Semmle’s second product, LGTM (short for “Looks Good to Me”), a software engineering analytics platform that combines deep semantic code search with data science insights to let teams get feedback and recommendations, and uncover vulnerable versions of third-party library dependencies.

GitHub is positioning Semmle’s offerings as a means to “investigate, address, and propagate security issues” in open-source projects, as it seeks to incentivize developers to secure software.

In addition, GitHub revealed it’s now a Common Vulnerabilities and Exposures (CVE) Numbering Authority, thereby allowing the company to assign identifiers to new security flaws as and when they are discovered on the platform.

With Semmle integration, every CVE-ID can be associated with a Semmle QL query, which can then be shared and tracked by the broader developer community.

To date, hundreds of CVEs in open-source projects have been uncovered using Semmle, spanning Google Chromium, Linux, Ubuntu, and Microsoft’s Edge browser.

The Microsoft subsidiary’s acquisition comes months after it purchased Pull Panda to beef up its portfolio of code review tools and provide developers an infrastructure to create secure software that follows the best software practices.

In the year since the tech giant acquired GitHub, the latter has grown into a full-fledged version control system, in addition to becoming one of the largest repositories for hosting open-source software.

Viewed in that light, Semmle is a cog in the grand GitHub wheel that fits right into its software development workflow.
