Microsoft acquires code-analysis platform vendor Semmle

Microsoft plans to more tightly integrate Semmle's security products with the GitHub product line.
Written by Mary Jo Foley, Senior Contributing Editor

Microsoft is acquiring Semmle, a San Francisco-based code-analysis platform vendor, for an undisclosed amount. Microsoft plans to make Semmle part of its GitHub business, the two companies said on Sept. 18. 

Semmle was founded in 2006, with the idea that querying source code should work like any other type of data. Since then, its products have been used by Google, Uber, NASA and Microsoft and "many open source projects" in the name of improving security, according to a blog post by Semmle.

Semmle lists as its products QL, which provides automated variant analysis to help product security teams find zero-days and variants of critical vulnerabilities; and LGTM, which provides continuous security analysis for developers.

Semmle officials said there will be no disruption to existing Semmle customers, even with the planned "tight integration with GitHub's existing product range." 

From Semmle's blog post about the purchase:

"GitHub and Semmle are deeply committed to securing the open-source ecosystem, and as part of that commitment, LGTM.com will continue to be available for free for public repositories and open source. We'll also continue our open source security research, which to date has yielded 107 CVEs in high-profile projects like U-Boot, Apache Struts, the Linux Kernel, Memcached, VLC, and Apple's XNU. Of course, there are incredible opportunities where deeper integration with GitHub's existing product line will deliver additional value - watch this space!"

Microsoft bought GitHub in 2018 for $7.5 billion.
