What you need to know

  • Microsoft today announced that it has acquired Semmle and plans to integrate its team with GitHub.
  • Semmle is the company behind a code analysis engine used by NASA, Microsoft, Google, and more.
  • Semmle's tools have been used to find vulnerabilities in "some of the largest codebases in the world," Microsoft says.

Microsoft announced the acquisition of Semmle, a company that develops code analysis tools for companies and organizations ranging from NASA and Google to Microsoft itself. Semmle will join GitHub, which Microsoft acquired last year for $7.5 billion.

Semmle began life in 2006 and set out to develop tools that treat "code as data," according to the company's blog post announcing the acquisition. "Semmle's revolutionary semantic code analysis engine allows developers to write queries that identify code patterns in large codebases and search for vulnerabilities and their variants," GitHub explains in its own blog post.

Security researchers can use Semmle to "quickly find vulnerabilities in code with simple declarative queries," Microsoft says. Those queries and their results are then shared through the Semmle community, so a pattern found once can be checked across other codebases.
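To make the "code as data" and "vulnerabilities and their variants" points concrete, here is an added illustrative query written in Semmle's query language, QL (the language is not named on this page, and this query is not from Semmle, GitHub or Microsoft). It treats every call site in a C/C++ codebase as a row to select from, flags calls to one unbounded string function, and then broadens the same pattern to its variants by adding more names to the disjunction. The function names and the query id are the author's choices, not anything the page cites.

```ql
/**
 * @name Calls to unbounded C string functions
 * @description Flags calls to string functions that write into a destination
 *              buffer without taking its size, a classic overflow source.
 * @kind problem
 * @problem.severity warning
 * @id example/unbounded-string-functions
 */

import cpp

// Illustrative example query; the set of names below is the author's choice.
from FunctionCall call, string name
where
  // Resolve the called function and take its (unqualified) name.
  name = call.getTarget().getName() and
  (
    // The original pattern: strcpy copies until NUL, with no length bound.
    name = "strcpy" or
    // Variants of the same defect class, found by widening the predicate
    // rather than writing a new query for each function.
    name = "strcat" or
    name = "sprintf" or
    name = "gets"
  )
select call, "Call to " + name + " writes into a buffer without a length bound."
```

The query can be run as-is against a database built from any C or C++ project; changing the flagged behaviour is a matter of editing the `where` clause, which is what makes variant hunting cheap once a first bug has been characterised.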

Semmle says that current Semmle users won't see a disruption as part of the acquisition:

GitHub and Semmle are deeply committed to securing the open source ecosystem, and as part of that commitment, LGTM.com will continue to be available for free for public repositories and open source. We'll also continue our open source security research, which to date has yielded 107 CVEs in high-profile projects like U-Boot, Apache Struts, the Linux Kernel, Memcached, VLC, and Apple's XNU.

On GitHub's side, Semmle's analysis engine will be integrated more deeply across GitHub itself.