GitHub acquires code analysis tool startup Semmle to help developers spot code exploits
GitHub, a tech startup Microsoft bought in June 2018 for $7.5 billion, has acquired Semmle, a startup that provides a code analysis tool to help developers and security researchers spot code exploits and discover potential vulnerabilities in their code.
Founded in 2006 by Julian Tibble, Oege de Moor, and Pavel Avgustinov, Semmle develops an engineering analytics platform to manage the software development process. Its platform serves both technical and strategic decision making by analyzing software code quality in the context of other data, such as development cost, source code, issue tickets, test coverage, team location, and version history. Semmle’s products include Engineering Analytics and Code Exploration. Its clients include Citi, Credit Suisse, Dell, Murex, Nordea, NASA Jet Propulsion Laboratory, and Trafigura.
In a blog post, co-founder Oege de Moor said, “I am thrilled and excited to announce that Semmle is joining GitHub! This is a fabulous milestone in a 13-year journey. At the outset of Semmle in 2006, we had the idea of querying source code like any other type of data. At the time, it seemed impossible to make that idea work in depth and at scale, and people told us so in no uncertain terms. However, thanks to our amazing team, our vision of ‘code as data’ has now matured into a product that is used by Google, Uber, Microsoft, and many open source projects to improve security. Over the last year alone, we doubled the number of customers and increased open source usage 10x.”
In a separate blog post on GitHub, Nat Friedman said: “Today we’re announcing a big step in securing the open source supply chain: we’re welcoming Semmle to GitHub. Semmle’s revolutionary semantic code analysis engine allows developers to write queries that identify code patterns in large codebases and search for vulnerabilities and their variants. Semmle is trusted by security teams at Uber, NASA, Microsoft, Google, and has helped find thousands of vulnerabilities in some of the largest codebases in the world, as well as over 100 CVEs in open source projects to date.”
Security researchers use Semmle to quickly find vulnerabilities in code with simple declarative queries. These teams then share their queries with the Semmle community to improve the safety of code in other codebases. Software security is a community effort; no single company can find every vulnerability or secure the open source supply chain behind everyone’s code. Semmle’s community-driven approach to identifying and preventing security vulnerabilities is the very best way forward.
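To give a concrete sense of what "querying source code like data" looks like, here is an added illustration written in Semmle's QL language (the query language behind CodeQL); it is not taken from the article or from GitHub's or Semmle's own query suites. It treats every call in a C/C++ codebase as a row, keeps only calls to `strcpy` whose source argument is not a string literal, and reports them as a starting point for reviewing unbounded copies; the query id and message text are made up for this example.

```ql
/**
 * @name Unbounded string copy (illustrative example)
 * @description Reports calls to strcpy whose source argument is not a
 *              string literal, the kind of pattern a reviewer would then
 *              search for variants of across a large codebase.
 * @kind problem
 * @problem.severity warning
 * @id example/unbounded-strcpy
 */

import cpp

// Each FunctionCall in the database is a candidate row; the where clause
// filters the rows declaratively, much like a SQL query over a table.
from FunctionCall call
where
  // Only calls whose resolved target is the global strcpy function
  call.getTarget().hasGlobalName("strcpy") and
  // Skip the benign case where the source is a compile-time string literal
  not call.getArgument(1) instanceof StringLiteral
select call,
  "Call to strcpy with a non-literal source; prefer a bounded copy such as strncpy with an explicit size."
```

The same shape (select a syntactic element, constrain it in `where`, report it in `select`) is how a finding in one project is turned into a reusable query that other teams can run over their own code.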