GitHub acquires Semmle to improve open source code security



Microsoft-owned open source code repository GitHub has acquired a startup called Semmle that specializes in helping developers analyze code for vulnerabilities.

Nat Friedman, CEO of GitHub, announced the acquisition in a blog post on Wednesday, calling it “a big step in securing the open source supply chain.”

Financial terms of the acquisition were not disclosed.

[Related: ‘Major’ GitHub Outage Briefly Halts Developers]

Friedman said Semmle’s “revolutionary” semantic code analysis engine has helped uncover thousands of vulnerabilities “in some of the world’s largest code bases” and is used by security teams at Uber, NASA, Microsoft and Google.

“Security researchers use Semmle to quickly find vulnerabilities in code with simple declarative queries,” he wrote. “These teams then share their queries with the Semmle community to improve code security in other code bases.”

In a separate blog post, Shanku Niyogi, senior vice president of products at GitHub, said that GitHub is now a CVE numbering authority, which means the company can now issue CVEs, or Common Vulnerabilities and Exposures, for security advisories posted on GitHub.

“We will be able to issue CVEs for open security advisories on GitHub, allowing even wider awareness across the industry,” Niyogi wrote.

Friedman said that Semmle’s team, which includes security engineers and researchers, is joining GitHub with the acquisition, and that Semmle’s platform will be made available to all open source communities and all GitHub clients.

“As a community of developers, maintainers and researchers, we can all work together towards more secure software for everyone,” he said.

Semmle was founded in 2006 by Julian Tibble, Oege de Moor and Pavel Avgustinov, according to Crunchbase. The San Francisco-based startup had raised a total of $ 31 million from investors, most recently with a Series B round of $ 21 million last year.



Comments are closed.