Sep 27, 2019

GitHub acquires Semmle to help researchers and developers secure open source software

As the backbone of the open source supply chain, GitHub has a unique responsibility to preserve the overall health of the open source ecosystem. With the acquisition of Semmle, GitHub takes another step to help developers on its platform safely create and consume open source software with automated testing and vulnerability detection.

Semmle’s security tools will streamline vulnerability detection for engineering teams. GitHub plans to integrate Semmle’s automated code review into GitHub Actions, further strengthening its arsenal of developer-centric automated workflows.

The acquisition will benefit security researchers, too. GitHub notes that Semmle’s tools can empower community security researchers who are needed to secure the world’s open source software at a time when the ratio of security researchers to developers is falling.

Semmle offers two main products. QL helps security researchers quickly find vulnerabilities in code using code exploration tools and a variant analysis engine that detects variants of critical vulnerabilities. LGTM automatically analyzes commits to identify vulnerabilities and helps developers avoid security issues before their code reaches production.

Semmle is used at a number of large technology companies, including Uber, NASA, Microsoft, and Google. With a strong reputation and a long history of detecting security issues in open source projects, Semmle will noticeably enhance GitHub’s security features.
