GitHub is going after the software security market


Find vulnerabilities that other tools miss

Semmle QL is the industry’s leading semantic code analysis engine. Our revolutionary approach treats code as data to identify security vulnerabilities faster.

Treating code as data

Traditionally, vulnerabilities are discovered by security researchers, inspecting code by hand. Semmle’s semantic code analysis engine, QL , treats code as data with a powerful query engine. It identifies even the most complex semantic patterns at scale and gets smarter over time.

A revolutionary engine

QL combines the latest research for compiler optimization with insights in database implementation to provide a declarative, object-oriented language. So security teams can find vulnerabilities at scale that evade other tools.

Community-led approach

Leading security researchers express patterns in QL queries to share their expertise with the world. QL ships with thousands of queries used to power variant analysis, so developers, maintainers, and security teams can build on existing queries or create their own.


Defining the open source security workflow

Open source powers the world’s software. GitHub provides the infrastructure security researchers and open source maintainers need to report and disclose security vulnerabilities.

Responsible vulnerability reporting

Open source maintainers set security policies for their projects, letting their communities know the best way to responsibly report vulnerabilities.

Organization-wide security policies

A repository’s SECURITY.MD file describes everything researchers and users need to report a potential vulnerability. Maintainers can create per-project policies or automatically apply one security policy to every repository in their organization.


Maintainer security advisories

Open source maintainers have a secure and private space to work through vulnerabilities together. They collaborate on fixes and publish security advisories to the community of people that rely on their projects without leaving GitHub—or tipping off would-be hackers.

Private collaboration for maintainers

Before they send out public advisories, maintainers privately discuss the impact of a vulnerability in draft advisories. They collaborate in temporary private forks, and then publish advisories to alert and update the entire ecosystem.

Securing repositories and their dependents

Since the launch of security advisories in 2019, open source projects have relied on GitHub to publish security advisories and notify all dependent repositories.


Security alerts

GitHub reviews every security vulnerability to identify and alert affected repositories. We source our vulnerability information from industry experts to provide the details project owners need to understand and remediate risks.

Research-driven vulnerability data

GitHub tracks vulnerabilities in packages from supported package managers using data from security researchers, maintainers, the National Vulnerability Database , and WhiteSource — including release notes, changelog entries, and commit details.

New CVE records from GitHub

Security alerts from items on the CVE list contain a link to the CVE record with more details about the vulnerability. For novel vulnerabilities, GitHub creates a new record to inform the security community.

Helping everyone stay secure

GitHub continuously scans security advisories for popular languages. We send security alerts to maintainers of affected repositories with details on the severity level and a link to relevant files.


Update vulnerable

dependencies, automatically

Identifying security vulnerabilities is only half the challenge—but project owners can update vulnerable dependencies faster than ever with Dependabot.


Automated pull requests for security updates

Dependabot keeps projects secure and up to date by monitoring your dependencies for new releases. Then it automatically opens pull requests to update dependencies to the minimum version that resolves the vulnerability. Compatibility scores based on community tests help maintainers merge updates with confidence.

Since launch, more than 100,000 automated fixes are merged and ready to secure.

Protecting codebases from new vulnerabilities

Keeping code up to date isn’t enough to secure open source for everyone. We’re working with security researchers, maintainers, and developers to prevent new vulnerabilities from entering software projects.


Automatic token scanning

Every developer has to manage credentials. GitHub scans for tokens that have accidentally been exposed in public repositories, then alerts the provider within seconds so they may revoke or notify the owner as appropriate.

Collaborating with service providers

Once the service provider validates the credential, they decide whether they should revoke the token, issue a new token, or reach out to a user directly.

Keeping GitHub tokens secret

When a valid GitHub token is pushed to a public repository, we’ll revoke it and notify the token owner within seconds.

Growing support for popular service providers

Token scanning supports tokens from Alibaba Cloud, Atlassian, AWS, Azure, Dropbox, Discord, Google Cloud, Mailgun, npm, Proctorio, Pulumi, Slack, Stripe, and Twilio, with more added all of the time.

Eradicate vulnerabilities and their variants before they become a problem

Never make the same mistake twice. Security teams leverage Semmle LGTM to build security into DevOps processes, scaling secure development to all engineers.

Find and eliminate all variants of bugs and vulnerabilities

Scan across multiple codebases at scale. By building on existing queries and automating variant analysis, teams find critical vulnerabilities and their variants faster, even in the largest codebases.

Analyze new changes to prevent mistakes from reaching production

LGTM’s continuous code analysis helps prevent vulnerabilities from reaching production by analyzing every commit and recognizing vulnerable code as soon as it’s checked in.

Secure development at every step

LGTM brings consistent analysis to every step of the development process by integrating with IDEs, issue trackers, CI/CD services, and more.

Compare plans

Whether you’re contributing to an open source project or choosing new tools for your team, your security needs are covered. Interested in learning more about secure development in your organization?

Contact sales
Feature Free Pro Team Enterprise
Advanced vulnerability scanning Public repositories Public repositories Public repositories Contact us
Automated security fixes BETA Enterprise Cloud
Maintainer Security Advisories BETA Public repositories Public repositories Public repositories Public repositories Enterprise Cloud
Security alerts
Security policies Public repositories Public repositories Public repositories Public repositories Enterprise Cloud
Token scanning Public repositories Public repositories Public repositories Public repositories Enterprise Cloud
Dependency insights Enterprise Cloud
Two-factor Authentication (2FA)
WebAuthn & security keys
Required 2FA for organizations
Delegated Account Recovery
Git over Secure Shell (SSH) and HTTPS
Git over Secure Shell with Enterprise issued certificate authentication
GPG commit-signing verification
Security audit log
Protected branches
Required reviews Public repositories
Required status checks Public repositories

Learn more about Semmle

Semmle makes dozens of disclosures every year. Learn more about their security discoveries—or try LGTM free.

Explore recent disclosures Try LGTM free

See Semmle in action

Join us for a live demo and discussion with the Semmle and GitHub teams, October 3, 2019.

Sign up