GitHub Acquires Semmle To Help Developers Find Flaws In Their Codes

Becoming a developer can be fun. But also scary and intimidating, especially when dealing with projects that have endless lines of code.

Developers are responsible for their projects, and that includes discovering potential zero-days exploit and other security vulnerabilities.

This is easier said than done on projects with large codebases with multiple collaborators.

As the largest software hosting service, GitHub wants to solve this recurring issue by acquiring Semmle, a code analysis platform that helps product developers and security researchers discover flaws in their codes.

According to GitHub on its blog post:

"Human progress depends on the open source community. One of the biggest issues facing developers today is how to create and consume open source in a secure and trusted way. And at GitHub, we have a unique opportunity and responsibility to provide the tools, best practices, and infrastructure to make software development secure."

"Today we’re announcing a big step in securing the open source supply chain: we’re welcoming Semmle to GitHub."

Semmle offers tools like QL that codifies logical programming errors as queries to find mistakes, find variants of the same bug elsewhere in the code, and prevent them from occurring again in the future.

QL also powers LGTM (Looks Good to Me), another Semmle product that performs software engineering analytics by combining deep semantic code search with data science insights to let collaborating developers get feedback, recommendations, and uncover vulnerable versions of third-party library dependencies.

With the tools, Semmle allows developers search for vulnerabilities by writing simple declarative queries. Developer teams can also share their queries with the Semmle community to improve the safety of code in other codebases.

This can be done because every CVE-ID can be associated with a Semmle QL query, which can then be shared and tracked by the broader developer community.

Having used by security teams at Uber, NASA, Microsoft, Google, Semmle "has helped find thousands of vulnerabilities in some of the largest codebases in the world, as well as over 100 CVEs [Common Vulnerabilities and Exposures] in open source projects to date," explained GitHub.

GitHub is implementing Semmle’s products to help developers "investigate, address, and propagate security issues” in open-source projects, as it seeks to incentivize them in securing software.

"We’re so excited to be joined by the Semmle team," welcome GitHub. "Together, we’ll bring their work to all open source communities and to our customers. As a community of developers, maintainers, and researchers, we can all work together toward more secure software for everyone."

"This is a fabulous milestone in a 13-year journey," wrote Oege de Moor, co-founder and CEO of Semmle, in a blog post. "I look forward to many more years of working with you all, within GitHub."

The acquisition comes months after Microsoft acquired Pull Panda to help GitHub ramp up its software development platform with more collaborative tools.