GitHub has acquired Semmle, the San Francisco-based maker of a code analysis platform, to strengthen security on its code-hosting service.
Semmle, which has an office in Bellevue, Wash., aims to make it easier for security researchers to spot vulnerabilities in large code bases quickly.
According to the companies, coding mistakes are the most common cause of security vulnerabilities. Semmle helps researchers find all variations of a mistake.
“Semmle’s revolutionary semantic code analysis engine allows developers to write queries that identify code patterns in large codebases and search for vulnerabilities and their variants,” GitHub CEO Nat Friedman wrote in a blog post. “Semmle is trusted by security teams at Uber, NASA, Microsoft, Google, and has helped find thousands of vulnerabilities in some of the largest codebases in the world, as well as over 100 CVEs in open source projects to date.”
GitHub says it will bring these tools to all its public repositories and enterprise customers as part of CI tests running on GitHub Actions.
“GitHub is the one place where the community meets, where security experts and open source maintainers collaborate, and where the consumers of open source find their building blocks,” Semmle CEO Oege De Moor said in a statement. “GitHub’s recent moves to secure the ecosystem (with maintainer security advisories, automated security fixes, token scanning, and many other advances in secure development) are all pieces of the same puzzle. The Semmle vision and technology belong at GitHub.”
Microsoft acquired GitHub for $7.5 billion last year. Since then, GitHub has added a number of new features. It has 40 million users across the world. In June, GitHub named Erica Brescia, the long-time CEO of open-source web app store maker BitRock, its new chief operating officer.