Business on an eco-platform is hard: you build a promising add-on for a platform and enjoy continuous growth; then suddenly the platform incorporates your product's feature as part of its own service, and nobody will pay you the additional cost any more. Your business easily breaks.

This is like telcos copying value-added content services from their partners. Another story is that Facebook blatantly copied other companies' ideas (some start-ups said Facebook first seemed to lure them into merging with Facebook, and afterwards Facebook released new features copying their service).

Gemnasium seems lucky that they can join a competitor of GitHub, as described in the story below.

6 years ago was the beginning of a new adventure. At the time, I was part of a group of developers who were among the first to detect the need to monitor software dependencies. We were managing multiple projects and had a hard time keeping up with all the Ruby on Rails and gem vulnerabilities. We were afraid of missing an important vulnerability, and couldn’t find a service to do the job. A few commits later, Gemnasium was born. We even had our badge on the Ruby on Rails project page.

During these years, Gemnasium was improved in many ways. We added new features like team management and reports, as well as support for GitLab, Bitbucket, Slack notifications and more. We expanded language support to include Python, PHP, JavaScript and even Java.

Now, 6 years later, Gemnasium is considered one of the market references in dependency monitoring, used by over 750,000 projects.

I am very proud of the Gemnasium team and our achievements, especially because Gemnasium has been completely bootstrapped. During recent years, we have seen our revenue grow at a very steady rate of 50% per year. That’s not what you can expect from a successful startup, but at one point it’s breakeven, and that’s the important part.

Most of our revenue was coming from projects hosted on GitHub. So when our primary distribution channel contacted us to be part of the new marketplace, it totally made sense for us to join. There was an opportunity to be the first again, and in August 2017, Gemnasium was officially launched in the dependency management section. We thought the traction of the marketplace could bring us to the next level, and boost our MRR. After 6 months, it was clear we were wrong. Our revenue coming from the marketplace was only 3% of our MRR. It didn’t even cover the efforts to develop the integration.

In October 2017, while attending GitHub Universe like many other partners, we were surprised and shocked by the announcement of their own security feature. GitHub didn’t seem (or didn’t want) to realize they were attacking our core business directly. There was no clue or warning of this feature, which probably started internally even before our integration was added to the Marketplace.

GitHub had done something like this before. In 2016 they created new tools and features that competed with ZenHub and Waffle. More recently, GitHub announced static code analysis coming as a feature. They will compete directly with their partners Codacy, CodeClimate, and others. A couple of weeks ago they announced updates to their project boards that again compete directly with Waffle. Before GitHub announced Security Alerts, we didn’t realize the risk of having the platform reduce our product to a feature.

The result was immediate. Our churn rate doubled, and our previously growing company-wide MRR stalled completely.

After GitHub’s announcement, VersionEye was the first dependency monitoring company to fall. We noticed how clearly linked the shutdown was to the new security notifications in GitHub when VersionEye’s founder, Robert Reiz, mentioned: “Now GitHub notifies you directly about security vulnerabilities in your Gemfile. No need to use VersionEye anymore”. I share the same feeling as Robert. In many ways Gemnasium is better than GitHub’s implementation (more languages, more security advisories, etc.). But, in Robert’s words, “For me there is no reason to compete with GitHub”. I know GitHub’s traction, number of users, and free pricing will eventually put Gemnasium out of business in 2018. It is time to find a new home for the team.

Unfortunately, that means we have to shut down Gemnasium soon. We’ve chosen a date of May 15th, before GDPR goes into effect, to shut down https://gemnasium.com and https://beta.gemnasium.com as well as our Enterprise services. For more info on what will happen to our users and their data please see the FAQ at the end of this post.

Starting today, we’re thrilled to join the amazing team of GitLab, to develop security functionality (Static and Dynamic Application Security Testing, Container Scanning and more). GitLab was a natural fit for us: we’ve been using it internally since the early hours, and we share almost the same DNA. Like Gemnasium, GitLab is completely distributed; that means not only working remotely, but using the right tools and defining proper communication. It was the right direction for the team, and a fantastic opportunity to focus on what we love. We’ll be taking many of the Gemnasium features you know and love and integrating them into GitLab CI/CD as a native experience.

We don’t want to leave our users without a replacement solution. That’s why we’ll be starting right away by bringing Gemnasium security checks to GitLab CI/CD. GitLab already supports security testing for JavaScript, Python and Ruby. The next version, GitLab 10.5, will include an implementation of Gemnasium, which will significantly improve the dependency checks for these languages. We expect to have coverage for PHP and Java in 10.6 (to be released on March 22).

GitLab can perform checks scoped to a specific Merge Request and provide the results in the request status. While GitHub only provides security advisories for a whole repository, GitLab unleashes the power of pipelines to provide development teams with a complete and integrated tool. Our team will also be responsible for Dynamic Application Security Testing (based on Review Apps).

And even Docker image scanning.

We’re excited about GitLab’s security vision: there is a lot of room to grow, and it’s already moving really fast. Each month a new version of GitLab is released with many improvements. Now our team will be building and improving SAST, DAST, container scanning, and even IAST (Interactive Application Security Testing).

The complete DevOps lifecycle was never easier, and now secure!


Philippe Lafoucrière
Founder and CEO Gemnasium

Source: Gemnasium is acquired by GitLab, the future of version control is built-in security – Gemnasium

Gemnasium is acquired by GitLab, after GitHub released a feature replicating its security product