Gemnasium is acquired by GitLab, the future of version control is built-in security

Six years ago was the beginning of a new adventure. At the time, I was part of a group of developers who were among the first to detect the need to monitor software dependencies. We were managing multiple projects and had a hard time keeping up with all the Ruby on Rails and gem vulnerabilities. We were afraid of missing an important vulnerability, and couldn’t find a service to do the job. A few commits later, Gemnasium was born. We even had our badge on the Ruby on Rails project page.

During these years, Gemnasium was improved in many ways. We added new features like team management and reports, as well as support for GitLab, Bitbucket, Slack notifications and more. We expanded language support to include Python, PHP, JavaScript and even Java.

Now, 6 years later, Gemnasium is considered one of the market references in dependency monitoring, used by over 750,000 projects.

I am very proud of the Gemnasium team and our achievements, especially because Gemnasium has been completely bootstrapped. During recent years, we have seen our revenue grow at a very steady rate of 50% per year. That’s not what you would expect from a successful startup, but at one point it’s break-even, and that’s the important part.

Gemnasium growth

Most of our revenue was coming from projects hosted on GitHub. So when our primary distribution channel contacted us to be part of the new marketplace, it totally made sense for us to join. There was an opportunity to be the first again, and in August 2017, Gemnasium was officially launched in the dependency management section. We thought the traction of the marketplace could bring us to the next level, and boost our MRR. After 6 months, it was clear we were wrong. Our revenue coming from the marketplace was only 3% of our MRR. It didn’t even cover the efforts to develop the integration.

In October 2017, while attending GitHub Universe like many other partners, we were surprised and shocked by the announcement of their own security feature. GitHub didn’t seem (or didn’t want) to realize they were attacking our core business directly. There was no clue or warning of this feature, which probably started internally even before our integration was added to the Marketplace.

GitHub had done something like this before. In 2016 they created new tools and features that competed with ZenHub and Waffle. More recently, GitHub announced static code analysis coming as a feature. They will compete directly with their partners Codacy, CodeClimate, and others. A couple of weeks ago they announced updates to their project boards that again compete directly with Waffle. Before GitHub announced Security Alerts, we didn’t realize the risk of having the platform reduce our product to a feature.

The result was immediate. Our churn rate doubled, and our previously growing company-wide MRR stalled completely.

After GitHub’s announcement, VersionEye was the first dependency monitoring company to fall. We noticed how clearly linked the shutdown was to the new security notifications in GitHub when VersionEye’s founder, Robert Reiz, mentioned, “Now GitHub notifies you directly about security vulnerabilities in your Gemfile. No need to use VersionEye anymore”. I share the same feeling as Robert. In many ways Gemnasium is better than GitHub’s implementation (more languages, more security advisories, etc.). But, in Robert’s words, “For me there is no reason to compete with GitHub”. I know GitHub’s traction, number of users, and free pricing will eventually put Gemnasium out of business in 2018. It is time to find a new home for the team.

Unfortunately, that means we have to shut down Gemnasium soon. We’ve chosen a date of May 15th, before GDPR goes into effect, to shut down https://gemnasium.com and https://beta.gemnasium.com as well as our Enterprise services. For more info on what will happen to our users and their data please see the FAQ at the end of this post.

Starting today, we’re thrilled to join the amazing team of GitLab, to develop security functionality (Static and Dynamic Application Security Testing, Container Scanning and more). GitLab was a natural fit for us: we’ve been using it internally since the early days, and we share almost the same DNA. Like Gemnasium, GitLab is completely distributed; that means not only working remotely, but also using the right tools and defining proper communication. It was the right direction for the team, and a fantastic opportunity to focus on what we love. We’ll be taking many of the Gemnasium features you know and love and integrating them into GitLab CI/CD as a native experience.

We don’t want to leave our users without a replacement solution. That’s why we’ll be starting right away by bringing Gemnasium security checks to GitLab CI/CD. GitLab already supports security testing for JavaScript, Python and Ruby. The next version, GitLab 10.5, will include an implementation of Gemnasium, which will significantly improve the dependency checks for these languages. We expect to have coverage for PHP and Java in 10.6 (to be released on March 22).

GitLab can perform checks scoped to a specific Merge Request and provide the results in the request status. While GitHub only provides security advisories for a whole repository, GitLab unleashes the power of pipelines to provide development teams with a complete and integrated tool. Our team will also be responsible for Dynamic Application Security Testing (based on Review Apps):

GitLab DAST

And even Docker images scanning:

GitLab SAST container

We’re excited about GitLab’s security vision: there is a lot of room to grow, and it’s already moving really fast. Each month a new version of GitLab is released with many improvements. Now our team will be building and improving SAST, DAST, container scanning, and even IAST (Interactive Application Security Testing).

The complete DevOps lifecycle was never easier, and now secure!


Philippe Lafoucrière
Founder and CEO Gemnasium

FAQ

When will Gemnasium.com shut down?

https://gemnasium.com (and https://beta.gemnasium.com) as well as our Enterprise services will be wound down on May 15th. We’ve chosen this date so that we can complete the shutdown before GDPR goes into effect.

Can new users still sign up for Gemnasium.com?

Yes, until May 15.

What will happen for paid customers?

Gemnasium will continue to deliver the same features until the sunset. The remaining paid subscriptions on May 15th will be automatically canceled, and users refunded on a pro rata temporis basis.

What will happen to users’ data?

Gemnasium will not share any user data with GitLab, and GitLab will have no access to projects, affections, or even tokens.

What about my open source projects?

GitLab.com users will benefit directly from the Gemnasium integration. GitLab CI/CD will have at least the same language coverage as Gemnasium today.

Who can I contact if I have questions?

Our support will remain open for any questions you might have; please visit http://support.gemnasium.com

What are the features that will not be available on GitLab CI/CD?

GitLab already offers static code analysis as part of Auto DevOps, and will benefit from Gemnasium security advisories on dependencies. A different (and better) version of AutoUpdate will only be available later in the year. Other features will be added to GitLab in the future, to build a better experience for users.

What will happen to my badge?

GitLab already provides Build and Coverage badges. This is certainly something we want to add in the future; please follow this issue for more information and updates.