§ Private Profile · New York City, NY, USA
Semmle is a company.
Semmle has raised $29.0M across 2 funding rounds.
Key people at Semmle.
Semmle has raised $29.0M in total across 2 funding rounds.
Semmle develops a code analysis platform, using its CodeQL query engine for deep semantic software analysis. This technology automates code reviews, tracks developer contributions, and identifies security vulnerabilities. It allows structured querying of codebases through an object-oriented language rooted in advanced academic research.
Founded in December 2006 in Oxford, England, by Oege de Moor, Semmle emerged from pioneering academic work at the University of Oxford. This research focused on innovative program analysis and querying software sources, creating the unique foundation for the company's ability to analyze and secure complex code.
Previously serving financial and government entities, Semmle's technology now powers continuous vulnerability detection within GitHub. Its vision is to democratize advanced code intelligence, enabling global developers and security experts to enhance software quality and mitigate risks with accessible, powerful analysis tools.
Semmle was a software company specializing in code analysis technology, offering the LGTM platform powered by CodeQL—a semantic code analysis engine for automating code review, tracking developer contributions, identifying security vulnerabilities, and enabling custom queries on codebases.[1][3] It served major enterprises like NASA, Uber, Microsoft, Google, Credit Suisse, and Nasdaq, solving critical problems in software quality, security, and engineering analytics by treating code as queryable data for continuous monitoring and variant analysis.[1][2][4] Founded in 2006 with around $31M in funding, Semmle achieved strong growth, doubling revenue in 2018 before its acquisition by GitHub in September 2019, after which its technology integrated into GitHub's security tools, with free access for open-source projects.[1][3][4]
Semmle spun out from the University of Oxford in December 2006, leveraging research on querying software source code as data, initially for applications like software renovation and application intelligence.[1][3][4] Key founders included CEO Oege de Moor and co-founder Pavel Avgustinov (VP of platform engineering), who built on academic work in object-oriented query languages like QL (now CodeQL).[3][4] Early traction came from industrial tools like SemmleCode for Java analysis in Eclipse, evolving from business analytics for development processes to security-focused variant analysis.[3][7] Pivotal moments included a $2M seed in 2011, $8M Series A in 2014 from Accel Partners, and $21M Series B in 2018 (also led by Accel, totaling $31M raised), fueling expansion to 60 employees across San Francisco (HQ), Oxford, Copenhagen, New York, Seattle, and Valencia.[2][4][7][8] In 2019, it hired its first CSO, Fermín Serna (ex-Google/Microsoft), amid high-profile CVE disclosures.[2]
Semmle rode the shift toward DevSecOps and automated security in software supply chains, enabling "secure all software" by uniting security researchers and developers amid rising zero-day threats and open-source dependencies.[2][5] Timing was ideal post-2010s funding boom for code analytics, aligning with enterprise needs for scalable analysis as codebases exploded (e.g., at FAANG-scale orgs).[2][4] Market forces like CVE proliferation, regulatory pressures (e.g., on supply chain security), and AI-driven tools favored its query-based model, influencing ecosystems via GitHub integration—now powering Advanced Security for millions of repos and standardizing semantic analysis.[1][3] It democratized elite security expertise, boosting open-source safety and enterprise productivity.
Post-2019 GitHub acquisition (under Microsoft), Semmle's CodeQL lives on as a cornerstone of GitHub Advanced Security, with ongoing enhancements in AI-powered querying and broader language support amid rising cyber threats.[1][3] Trends like AI in security, zero-trust dev pipelines, and massive open-source scrutiny will amplify its reach, potentially evolving into fully autonomous vulnerability hunting. Its legacy as a code-to-data pioneer positions it to shape secure software at global scale, fulfilling the original mission from Oxford's labs.
Semmle's investors include Ping Li, Work-Bench, Accel.
Semmle has raised $29.0M across 2 funding rounds. Most recently, it raised $21.0M Series B in August 2018.
| Date | Round | Lead Investors | Other Investors | Status |
|---|---|---|---|---|
| Aug 21, 2018 | $21M Series B | Ping Li | Work-Bench | Announced |
| Sep 16, 2014 | $8M Series A | Accel | — | Announced |