LGTM Enterprise 1.22.2

About LGTM

LGTM's mission: to promote community-driven security analysis.

Why?

Software is critical in all aspects of our lives, from entertainment, shopping and dating to business-critical systems and software where human lives are at stake. And yet security bugs are all too frequent, mainly because the process of finding vulnerabilities is manual, tedious and repetitive, and because the expertise is not shared with other security researchers or with developers. LGTM seeks to address this situation.

How?

LGTM is a variant analysis platform that automatically checks your code for real CVEs and vulnerabilities. By combining deep semantic code search with data science insights, LGTM ranks the most relevant results to show you only the alerts that matter. LGTM offers insights from a large community of top security researchers to help developers ship secure code.

The concept of LGTM comes from the observation that the same bugs often reappear over and over again throughout a project's lifetime, and in multiple places in a codebase. They may also be present under different forms, called “variants”. When such bugs lead to security vulnerabilities, the consequences can be pretty severe. That's why it's important to fix not only the original bug, but also to investigate how often the mistake is repeated in a codebase, or across multiple projects, and fix any other similar vulnerabilities.

The technology behind LGTM is QL. Using QL, you can write a query to find a bug in your projects. Once you've found the original issue and fixed it, you can extend the query to find code patterns that are semantically similar to the original bug.
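As an added illustration of that workflow (this is example code written for this page, not one of LGTM's built-in queries), the following QL query for JavaScript starts from a single bug pattern, a direct call to `eval`, and is then extended with two variants that evaluate a string as code in a semantically similar way. The predicate names, the `@id` and the choice of bug pattern are assumptions made for the example; the library classes (`InvokeExpr`, `NewExpr`, `StringLiteral`) come from the standard QL JavaScript library.

```ql
/**
 * @name Dynamic code evaluation (original bug and its variants)
 * @description Flags code that compiles a string into executable code.
 * @kind problem
 * @problem.severity warning
 * @id example/dynamic-code-evaluation  // hypothetical id for this example
 */

import javascript

/** The original query: a direct call to `eval`. */
predicate isEvalCall(InvokeExpr call) { call.getCalleeName() = "eval" }

/** Variant 1: `new Function(body)` compiles a string as code, just like `eval`. */
predicate isFunctionConstructor(InvokeExpr call) {
  call instanceof NewExpr and call.getCalleeName() = "Function"
}

/** Variant 2: a timer whose first argument is a string literal, which is also evaluated as code. */
predicate isStringArgumentTimer(InvokeExpr call) {
  (call.getCalleeName() = "setTimeout" or call.getCalleeName() = "setInterval") and
  call.getArgument(0) instanceof StringLiteral
}

from InvokeExpr call, string how
where
  isEvalCall(call) and how = "eval"
  or
  isFunctionConstructor(call) and how = "the Function constructor"
  or
  isStringArgumentTimer(call) and how = "a string-argument timer"
select call, "Code is evaluated from a string via " + how + "."
```

The first predicate is the query you would write to find the original issue; the other two are the variants added once the original has been fixed. Because each variant is a separate predicate, the query can keep growing as further forms of the same mistake are discovered, and the `@kind problem` metadata lets it surface as alerts in the same way as the built-in queries.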

The standard or built-in QL queries used on LGTM are all open source, and are constantly updated, pulling in shared knowledge from security teams at our customers, our in-house experts, and other QL users. At Semmle, we believe that security is a shared responsibility. Together, LGTM and QL provide continuous monitoring and scalable variant analysis for your projects, even if you don’t have your own security team. And if you enable automated code review in LGTM, you can even catch those issues—or prevent them from being reintroduced in the codebase—even before they are merged into the default branch.

We have a dedicated team of security researchers who work closely with the open source community. Their mission is to be on the lookout for new security vulnerabilities, and to write QL queries to detect them. For more information, visit the Semmle Security Research page on LGTM.com. Some of the security vulnerabilities discovered by the team are also published on the Semmle blog.

What?

LGTM Enterprise is configured to process the contents of software development projects whose source code is stored in:

  • Git repositories hosted using:
    • Azure DevOps Server (formerly TFS)
    • Azure DevOps Services (formerly VSTS)
    • Bitbucket Cloud
    • Bitbucket Server
    • GitHub.com
    • GitHub Enterprise
    • GitLab.com
    • GitLab Enterprise
  • Simple Git repositories
  • Subversion repositories
  • Team Foundation Version Control (TFVC) repositories hosted using:
    • Azure DevOps Server
    • Azure DevOps Services

Currently supported languages are:

  • C and C++
  • C#
  • COBOL
  • Java
  • JavaScript/TypeScript
  • Python

Once a project is part of LGTM, every revision committed to its default branch is analyzed. Your local LGTM administrator can configure a different default branch for your project or projects from the admin panel. Any problems found are reported as alerts. The alert list for each revision is compared with that of its parent revisions to identify any new or fixed alerts, and so determine the impact of each commit on the quality of the codebase.

You can also set up automated code review for pull requests. This allows you to catch problems before they're even merged into your repository.

The repository host systems for which you can set up automated code review of pull requests are as follows:

  • Azure DevOps Services—Git projects only
  • Bitbucket Cloud
  • Bitbucket Server
  • GitHub.com
  • GitHub Enterprise
  • GitLab.com
  • GitLab Enterprise

Automated code review for pull requests isn't available for projects stored in Azure DevOps Server, Subversion, and simple Git repositories, or for TFVC projects stored in Azure DevOps Services.

All examples in the help are taken from the public version of LGTM, LGTM.com.
