Securing software, together: GitHub + Semmle

I am thrilled and excited to announce that Semmle is joining GitHub!

This is a fabulous milestone in a 13-year journey. At the outset of Semmle in 2006, we had the idea of querying source code like any other type of data. At the time, it seemed impossible to make that idea work in depth and at scale, and people told us so in no uncertain terms. However, thanks to our amazing team, our vision of “code as data” has now matured into a product that is used by Google, Uber, Microsoft, and many open source projects to improve security. Over the last year alone, we doubled the number of customers and increased open source usage 10x.

By joining GitHub we are taking the next step in changing how software is developed, allowing every developer to benefit from the expertise of the top security researchers in the world. I can't imagine a more fitting recognition of our team's hard work, or a better opportunity to realize the full potential of the vision and technology.

Vision and technology

At Semmle, we aim to secure software, together. Security researchers discover and study new vulnerabilities to diagnose the conditions that made the code vulnerable. They express those conditions as simple queries over code. Those queries can be shared and refined, making it easier to collaborate and eliminate a whole class of vulnerabilities. Developers see the results of those queries directly in their code reviews, making sure that once diagnosed, a new type of vulnerability is eradicated forever. Developers work together with security researchers to refine queries, creating a virtuous cycle of ever deeper analysis and vulnerability fixes. As a result, consumers of open source get more secure, trustworthy frameworks to build on.

All this is happening today, but on a modest scale. True adoption will mean that every CVE comes with a Semmle query. All those queries are shared in open source, continuously refined, and extended by the community. Every commit on every open source project is analyzed with this curated body of crowd-sourced queries. Together, maintainers and security researchers make the entire ecosystem much safer than before.

The natural home for this vision is GitHub. GitHub is the one place where the community meets, where security experts and open source maintainers collaborate, and where the consumers of open source find their building blocks. GitHub’s recent moves to secure the ecosystem (with maintainer security advisories, automated security fixes, token scanning, and many other advances in secure development) are all pieces of the same puzzle. The Semmle vision and technology belong at GitHub.

Culture

We also belong together as a team. One of my favorite tenets of the Semmle culture is this: “If someone says you cannot do it, do it twice and take pictures!” That same can-do attitude abounds at GitHub—just witness the torrent of new features they shipped over the past year! Our teams also share the belief that we owe the world secure software: it’s our duty to honour the trust that society has put in us, software developers. GitHub and Semmle are driven by the same motivation to do the impossible.

Products

There will be no disruption to existing users of Semmle products. GitHub and Semmle are deeply committed to securing the open source ecosystem, and as part of that commitment, LGTM.com will continue to be available for free for public repositories and open source. We’ll also continue our open source security research, which to date has yielded 107 CVEs in high-profile projects like UBoot, Apache Struts, the Linux Kernel, Memcached, VLC, and Apple's XNU. Of course there are incredible opportunities where deeper integration with GitHub’s existing product line will deliver additional value—watch this space!

Customers

I started off by talking about the community: that community is firmly rooted in our customers, who have been wonderful partners to Semmle as we developed the technology. Some of them signed up ten years ago, and have loyally worked with us as the product was improved and extended, heavily guided by their feedback. The team at Semmle is deeply grateful for that loyalty, and I want to assure all of our customers we’ll do our utmost to continue and step up our collaboration. In fact, because we’re now part of a much larger organization we have the means to serve you even better than in the past.

Investors

I’m also grateful for the help, advice and support from our investors. The seed investors (Joe Hall, Howard Leach, Tom Klein and others) have been a quiet force behind Semmle with sage advice and introductions since 2011. Accel Partners led our Series A (Kevin Comolli) and B (Ping Li and Vas Natarajan), putting our growth on the fast track. Work-Bench (Jon Lehr and Jessica Lin) participated in Series B, and made many introductions through their incredible enterprise network in New York.

Team

Finally, I want to thank my incredible colleagues at Semmle. Your good cheer, perseverance, kindness, humor and sheer brilliance make you family to me. I look forward to many more years of working with you all, within GitHub.

I’m extremely excited about what comes next, and on October 3rd, Semmle’s CSO Fermín Serna and I will share more about our vision for the future.

FAQ

What is happening to the existing Semmle products?

We’ll continue to support our existing products. There’s lots of incredible new functionality in the works, made possible through tight integration with GitHub’s existing product range. Stay tuned!

Will LGTM.com remain free for open source?

Yes, and it will expand significantly. Securing open source is something we’re deeply committed to. Please help by fixing security alerts and contributing queries!

Can new users still sign up to LGTM.com?

Yes, the LGTM.com service will continue to operate as-is. Please encourage your friends and colleagues to join the fight to improve open source security!

What if I have code on a private repository or something other than on GitHub?

The existing commercial products support analysis of private repos, and also other repo hosting services. Try out our products, and tell us what you think!

What if I am a current Semmle customer?

We’ll continue to support you as before, but even better. Your account manager will be in touch in case there are particular concerns you’d like to discuss. We’re here to help!

How will Semmle services that we paid for be handled?

They’ll be delivered as agreed. As always, we’re ready to answer any questions or concerns you may have - just let us know!

Are you hiring?

Yes! Please see https://semmle.com/careers, and check out https://github.com/about/careers/.

Who do we contact with any other questions?

From today, you can always reach us on github@semmle.com with any questions. Or just email us to say what you think about Semmle and GitHub coming together!