Semmle QL is the industry’s leading semantic code analysis engine. Our revolutionary approach treats code as data to identify security vulnerabilities faster.
Traditionally, vulnerabilities are discovered by security researchers, inspecting code by hand. Semmle’s semantic code analysis engine, QL , treats code as data with a powerful query engine. It identifies even the most complex semantic patterns at scale and gets smarter over time.
QL combines the latest research for compiler optimization with insights in database implementation to provide a declarative, object-oriented language. So security teams can find vulnerabilities at scale that evade other tools.
Leading security researchers express patterns in QL queries to share their expertise with the world. QL ships with thousands of queries used to power variant analysis, so developers, maintainers, and security teams can build on existing queries or create their own.
Open source powers the world’s software. GitHub provides the infrastructure security researchers and open source maintainers need to report and disclose security vulnerabilities.
Open source maintainers set security policies for their projects, letting their communities know the best way to responsibly report vulnerabilities.
A repository’s SECURITY.MD file describes everything researchers and users need to report a potential vulnerability. Maintainers can create per-project policies or automatically apply one security policy to every repository in their organization.
Open source maintainers have a secure and private space to work through vulnerabilities together. They collaborate on fixes and publish security advisories to the community of people that rely on their projects without leaving GitHub—or tipping off would-be hackers.
Before they send out public advisories, maintainers privately discuss the impact of a vulnerability in draft advisories. They collaborate in temporary private forks, and then publish advisories to alert and update the entire ecosystem.
Since the launch of security advisories in 2019, open source projects have relied on GitHub to publish security advisories and notify all dependent repositories.
GitHub reviews every security vulnerability to identify and alert affected repositories. We source our vulnerability information from industry experts to provide the details project owners need to understand and remediate risks.
Security alerts from items on the CVE list contain a link to the CVE record with more details about the vulnerability. For novel vulnerabilities, GitHub creates a new record to inform the security community.
GitHub continuously scans security advisories for popular languages. We send security alerts to maintainers of affected repositories with details on the severity level and a link to relevant files.
Identifying security vulnerabilities is only half the challenge—but project owners can update vulnerable dependencies faster than ever with Dependabot.
Dependabot keeps projects secure and up to date by monitoring your dependencies for new releases. Then it automatically opens pull requests to update dependencies to the minimum version that resolves the vulnerability. Compatibility scores based on community tests help maintainers merge updates with confidence.
Since launch, more than 100,000 automated fixes are merged and ready to secure.
Keeping code up to date isn’t enough to secure open source for everyone. We’re working with security researchers, maintainers, and developers to prevent new vulnerabilities from entering software projects.
Every developer has to manage credentials. GitHub scans for tokens that have accidentally been exposed in public repositories, then alerts the provider within seconds so they may revoke or notify the owner as appropriate.
Once the service provider validates the credential, they decide whether they should revoke the token, issue a new token, or reach out to a user directly.
When a valid GitHub token is pushed to a public repository, we’ll revoke it and notify the token owner within seconds.
Token scanning supports tokens from Alibaba Cloud, Atlassian, AWS, Azure, Dropbox, Discord, Google Cloud, Mailgun, npm, Proctorio, Pulumi, Slack, Stripe, and Twilio, with more added all of the time.
Never make the same mistake twice. Security teams leverage Semmle LGTM to build security into DevOps processes, scaling secure development to all engineers.
Scan across multiple codebases at scale. By building on existing queries and automating variant analysis, teams find critical vulnerabilities and their variants faster, even in the largest codebases.
LGTM’s continuous code analysis helps prevent vulnerabilities from reaching production by analyzing every commit and recognizing vulnerable code as soon as it’s checked in.
LGTM brings consistent analysis to every step of the development process by integrating with IDEs, issue trackers, CI/CD services, and more.
Whether you’re contributing to an open source project or choosing new tools for your team, your security needs are covered. Interested in learning more about secure development in your organization?Contact sales
|Advanced vulnerability scanning||Public repositories||Public repositories||Public repositories||Contact us|
|Automated security fixes BETA||Enterprise Cloud|
|Maintainer Security Advisories BETA||Public repositories||Public repositories||Public repositories||Public repositories Enterprise Cloud|
|Security policies||Public repositories||Public repositories||Public repositories||Public repositories Enterprise Cloud|
|Token scanning||Public repositories||Public repositories||Public repositories||Public repositories Enterprise Cloud|
|Dependency insights||Enterprise Cloud|
|Two-factor Authentication (2FA)|
|WebAuthn & security keys|
|Required 2FA for organizations|
|Delegated Account Recovery|
|Git over Secure Shell (SSH) and HTTPS|
|Git over Secure Shell with Enterprise issued certificate authentication|
|GPG commit-signing verification|
|Security audit log|
|Required reviews||Public repositories|
|Required status checks||Public repositories|