GitHub Buys Semmle To Improve Open-Source Code Security

GitHub, the Microsoft-owned open-source code repository, has acquired a startup called Semmle that specializes in helping developers analyze code for vulnerabilities.

Nat Friedman, CEO of GitHub, announced the acquisition in a Wednesday blog post, calling it a "big step in securing the open-source supply chain."

Financial terms of the acquisition were not disclosed.

[Related: ‘Major’ GitHub Outage Briefly Halts Developers]

Friedman said Semmle's "revolutionary" semantic code analysis engine has helped uncover thousands of vulnerabilities "in some of the largest codebases in the world" and is used by security teams at Uber, NASA, Microsoft and Google.

"Security researchers use Semmle to quickly find vulnerabilities in code with simple declarative queries," he wrote. "These teams then share their queries with the Semmle community to improve the safety of code in other codebases."

In a separate blog post, Shanku Niyogi, senior vice president of product at GitHub, said GitHub is now a CVE Numbering Authority, meaning the company can now issue CVEs, or Common Vulnerabilities and Exposures, for security advisories posted on GitHub.

"We’ll be able to issue CVEs for security advisories opened on GitHub, allowing for even broader awareness across the industry," Niyogi wrote.

Friedman said the Semmle team, which includes engineers and security researchers, are joining GitHub with the acquisition, and that Semmle's platform will be made available to all open-source communities and all of GitHub's customers.

"As a community of developers, maintainers and researchers, we can all work together toward more secure software for everyone," he said.

Semmle was founded in 2006 by Julian Tibble, Oege de Moor and Pavel Avgustinov, according to Crunchbase. The San Francisco-based startup had raised a total of $31 million from investors, most recently with a $21 million Series B round from last year.