Three years ago, the team that built LGTM.com joined GitHub. From that moment on, we have worked tirelessly to natively integrate its underlying CodeQL analysis technology into GitHub. In 2020, GitHub code scanning was launched in public beta, and later that year it became generally available for everyone. GitHub code scanning is powered by the very same analysis engine: CodeQL.
We’ve since continued to invest in CodeQL and GitHub code scanning. Today, GitHub code scanning has all of LGTM.com’s key features—and more! The time has therefore come to announce the plan for the gradual deprecation of LGTM.com.
End of August 2022: no more user sign-ups and new repositories
Starting at the end of August, LGTM.com will no longer accept new user sign-ups. It will also no longer be possible to add new repositories for analysis to LGTM.com. Existing users will continue to be able to log in and use LGTM.com, and the analysis of existing repositories will continue to work. However, historical analysis will no longer be performed: only new commits will be analyzed.
October: help migrate repositories to GitHub code scanning
We will do our best to help migrate repositories that actively use LGTM.com to flag potential security issues in their pull requests. For those repositories, we will create pull requests that add a GitHub Actions workflow that runs code scanning. Once that configuration file is merged, the repository’s source code (and future pull requests) will be scanned by GitHub code scanning. GitHub code scanning will flag any potential security issues in pull requests and on the repository’s security tab. Once that’s all working as it should, you can disable the LGTM.com integration.
Some repositories make use of advanced LGTM.com build and analysis configurations. In such cases, we might not be able to automatically propose a GitHub Actions workflow to set up code scanning. We will notify such repositories directly.
End of November: new commits and pull requests are no longer analyzed
At the end of November, LGTM.com will stop fetching new commits for the repositories that it analyzes. It will also stop analyzing pull requests on GitHub.com. Repositories that still use LGTM.com’s pull request analysis in the week(s) leading up to this deprecation phase will be reminded through a message in the pull request comments that are posted by LGTM.com.
From the 16th of December, LGTM.com will no longer be available. This includes but is not limited to:
So long and thanks for all the fish!
On behalf of the entire LGTM.com team, we’d like to thank you all for joining us on this wonderful journey. From launching LGTM.com back in 2017, all the way through GitHub’s acquisition of Semmle in 2019, the subsequent launch of GitHub code scanning, and all the improvements we’ve since shipped: it’s been an absolutely amazing journey. Thank you!
How do I get started with GitHub code scanning?
GitHub is committed to helping build safer and more secure software without compromising on the developer experience. To learn more or enable GitHub’s security features in repositories, like code scanning or Dependabot, check out the getting started guide.
If you are an active user of the LGTM.com query console and are not yet part of our beta program to test this functionality on GitHub, please leave us a note here.
Where can I ask questions or leave feedback?
Please join our GitHub Discussion on this topic here!
Please take a look at the large number of APIs that are available on LGTM.com.