{"id":1040,"date":"2018-02-05T12:32:14","date_gmt":"2018-02-05T11:32:14","guid":{"rendered":"https:\/\/rosetta.vn\/short\/?p=1040"},"modified":"2018-02-05T12:33:18","modified_gmt":"2018-02-05T11:33:18","slug":"gemnasium-is-acquired-by-gitlab-after-github-released-a-feature-replicating-its-security-product","status":"publish","type":"post","link":"https:\/\/rosetta.vn\/short\/2018\/02\/05\/gemnasium-is-acquired-by-gitlab-after-github-released-a-feature-replicating-its-security-product\/","title":{"rendered":"Gemnasium is acquired by GitLab, after GitHub released a feature replicating its security product"},"content":{"rendered":"<p>Business on an eco-platform is hard: you build a promising add-on\u00a0for a platform and enjoy continuous growth; then suddenly the platform incorporates the feature of your product as a part of its own service, and nobody will pay you the additional cost any more. Your business easily breaks.<\/p>\n<p>This is like telcos copying the value-added content services from their partners. Another story is that Facebook blatantly copied the ideas of other companies (some start-ups said Facebook first seemed to lure them into merging with Facebook, and after that Facebook released new features copying their service).<\/p>\n<p>Gemnasium seems lucky that it can join a competitor of GitHub, as described in the story below.<\/p>\n<blockquote><p>6 years ago was the beginning of a new adventure. At the time, I was part of a group of developers that were among the first to detect the need to monitor software dependencies. We were managing multiple projects and had a hard time keeping up with all the Ruby on Rails and gem vulnerabilities. We were afraid of missing an important vulnerability, and couldn\u2019t find a service to do the job. A few commits later, Gemnasium was born. We even had our badge on the Ruby On Rails project page.<\/p>\n<p>During these years, Gemnasium was improved in many ways. 
We added new features like team management and reports, as well as support for GitLab, Bitbucket, slack notifications and more. We expanded language support to include Python, PHP, JavaScript and even Java.<\/p>\n<p>Now, 6 years later, Gemnasium is considered one of the market references in dependencies monitoring used by over 750,000 projects.<\/p>\n<p>I am very proud of the Gemnasium team and our achievements, especially because Gemnasium has been completely bootstrapped. During recent years, we have seen our revenue grow at a very steady rate of 50% per year. That\u2019s not what you can expect from a successful startup, but at one point it\u2019s breakeven, and that\u2019s the important part.<\/p>\n<p><a href=\"https:\/\/gemnasium.com\/blog\/gemnasium-is-acquired-by-gitlab\/\"><img decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/i0.wp.com\/rosetta.vn\/short\/wp-content\/uploads\/sites\/3\/2018\/02\/gemnasium-growth.png?w=750&#038;ssl=1\" alt=\"\" data-recalc-dims=\"1\" \/><\/a><\/p>\n<p>Most of our revenue was coming from projects hosted on GitHub. So when our primary distribution channel contacted us to be part of the\u00a0<a href=\"https:\/\/github.com\/marketplace\">new marketplace<\/a>, it totally made sense for us to join. There was an opportunity to be the first again, and in August 2017, Gemnasium was officially launched in the dependency management section. We thought the traction of the marketplace could bring us to the next level, and boost our MRR. After 6 months, it was clear we were wrong. Our revenue coming from the marketplace was only 3% of our MRR. It didn\u2019t even cover the efforts to develop the integration.<\/p>\n<p>In October 2017, while attending GitHub Universe like many other partners, we were surprised and shocked by the announcement of their own security feature. GitHub didn\u2019t seem (or didn\u2019t want) to realize they were attacking our core business directly. 
There was no clue or warning of this feature, which probably started internally even before our integration was added to the MarketPlace.<\/p>\n<p>GitHub had done something like this before. In 2016 they created new\u00a0<a href=\"https:\/\/github.com\/blog\/2256-a-whole-new-github-universe-announcing-new-tools-forums-and-features\">tools and features<\/a>\u00a0that competed with\u00a0<a href=\"https:\/\/www.zenhub.com\/\">ZenHub<\/a>\u00a0and\u00a0<a href=\"https:\/\/waffle.io\/\">Waffle<\/a>. More recently, GitHub announced static code analysis coming as a\u00a0<a href=\"https:\/\/resources.github.com\/webcasts\/Keep-projects-secured-with-dependency-graph-and-security-alerts\/\">feature<\/a>. They will compete directly with their partners\u00a0<a href=\"https:\/\/www.codacy.com\/\">Codacy<\/a>,\u00a0<a href=\"https:\/\/codeclimate.com\/\">CodeClimate<\/a>, and others. A couple of weeks ago they announced\u00a0<a href=\"https:\/\/www.youtube.com\/watch?v=MSrF_5FBkyY&amp;feature=youtu.be&amp;t=11s\">updates to their project boards<\/a>\u00a0that again compete directly with Waffle. Before GitHub announced Security Alerts, we didn\u2019t realize the risk of having the platform reduce our product to a feature.<\/p>\n<p>The result was immediate. Our churn rate doubled, and our previously growing company-wide MRR stalled completely.<\/p>\n<p>After GitHub\u2019s announcement, VersionEye was the first dependency monitoring company to fall. We noticed how clearly linked the shut down was to the new security notifications in GitHub when\u00a0<a href=\"https:\/\/blog.versioneye.com\/2017\/10\/19\/versioneye-sunset-process\">VersionEye\u2019s Founder, Robert Reiz, mentioned<\/a>,\u00a0<em>\u201cNow GitHub notifies you directly about security vulnerabilities in your Gemfile. No need to use VersionEye anymore\u201d<\/em>. I share the same feeling as Robert. In many ways Gemnasium is better than GitHub\u2019s implementation (more languages, more security advisories, etc.). 
But, in Robert\u2019s words,\u00a0<em>\u201cFor me there is no reason to compete with GitHub\u201d<\/em>. I know GitHub\u2019s traction, number of users, and free pricing will eventually put Gemnasium out of business in 2018. It is time to find a new home for the team.<\/p>\n<p>Unfortunately, that means we have to shut down Gemnasium soon. We\u2019ve chosen a date of May 15th, before\u00a0<a href=\"https:\/\/www.eugdpr.org\/\">GDPR<\/a>\u00a0goes into effect, to shut down\u00a0<a href=\"https:\/\/gemnasium.com\/\">https:\/\/gemnasium.com<\/a>\u00a0and\u00a0<a href=\"https:\/\/beta.gemnasium.com\/\">https:\/\/beta.gemnasium.com<\/a>\u00a0as well as our Enterprise services. For more info on what will happen to our users and their data please see the FAQ at the end of this post.<\/p>\n<p>Starting today, we\u2019re thrilled to join the amazing team of\u00a0<a href=\"https:\/\/gitlab.com\/\">GitLab<\/a>, to develop security functionality (<a href=\"https:\/\/docs.gitlab.com\/ee\/user\/project\/merge_requests\/sast.html\">Static<\/a>\u00a0and\u00a0<a href=\"https:\/\/docs.gitlab.com\/ee\/user\/project\/merge_requests\/dast.html\">Dynamic Application Security Testing<\/a>, Container Scanning and more). GitLab was a natural fit for us: we\u2019ve been using it internally since the early hours, and we share almost the same DNA. Like Gemnasium, GitLab is completely distributed, which means not only working remotely, but also using the right tools and defining proper communication. It was the right direction for the team, and a fantastic opportunity to focus on what we love. We\u2019ll be taking many of the Gemnasium features you know and love and integrating them into GitLab CI\/CD as a native experience.<\/p>\n<p>We don\u2019t want to leave our users without a replacement solution. That\u2019s why we\u2019ll be starting right away by bringing Gemnasium security checks to GitLab CI\/CD. 
GitLab already supports\u00a0<a href=\"https:\/\/about.gitlab.com\/2017\/12\/22\/gitlab-10-3-released\/#static-application-security-testing-sast\">security testing<\/a>\u00a0for JavaScript, Python and Ruby. The next version, GitLab 10.5, will include an implementation of Gemnasium, which will significantly improve the dependency checks for these languages. We expect to have coverage for PHP and Java in 10.6 (to be released on March 22).<\/p>\n<p>GitLab can perform checks scoped to a specific Merge Request and provide the results in the request status. While GitHub only provides security advisories for a whole repository, GitLab unleashes the power of pipelines to provide development teams with a complete and integrated tool. Our team will also be responsible for Dynamic Application Security Testing (based on Review Apps):<\/p>\n<p><a href=\"https:\/\/gemnasium.com\/blog\/gemnasium-is-acquired-by-gitlab\/\"><img decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/i0.wp.com\/rosetta.vn\/short\/wp-content\/uploads\/sites\/3\/2018\/02\/dast_all.png?w=750&#038;ssl=1\" alt=\"\" data-recalc-dims=\"1\" \/><\/a><\/p>\n<p>And even\u00a0<a href=\"https:\/\/docs.gitlab.com\/ee\/ci\/examples\/sast_docker.html\">Docker images scanning<\/a>:<\/p>\n<p><a href=\"https:\/\/gemnasium.com\/blog\/gemnasium-is-acquired-by-gitlab\/\"><img decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/i0.wp.com\/rosetta.vn\/short\/wp-content\/uploads\/sites\/3\/2018\/02\/sast-container.png?w=750&#038;ssl=1\" alt=\"\" data-recalc-dims=\"1\" \/><\/a><\/p>\n<p>We\u2019re excited about GitLab\u2019s security vision, there is a lot of room to grow, and it\u2019s already moving really fast. Each month a new version of GitLab is released with many improvements. 
Now our team will be building and improving SAST, DAST, container scanning, and even IAST (Interactive Application Security Testing).<\/p>\n<p>The\u00a0<a href=\"https:\/\/about.gitlab.com\/2017\/10\/11\/from-dev-to-devops\/\">complete DevOps lifecycle<\/a>\u00a0was never easier, and now secure!<\/p>\n<p>\u2013<br \/>\nPhilippe Lafoucri\u00e8re<br \/>\nFounder and CEO Gemnasium<\/p><\/blockquote>\n<p>Source: <em><a href=\"https:\/\/gemnasium.com\/blog\/gemnasium-is-acquired-by-gitlab\/\">Gemnasium is acquired by GitLab, the future of version control is built-in security &#8211; Gemnasium<\/a><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Business on an eco-platform is hard: you build a promising add-on\u00a0for a platform and enjoy continuous growth; then suddenly the platform incorporates the feature of your product as a part of its own service, and nobody will pay you the additional cost any more.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false},"categories":[30,79],"tags":[742,743,741],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p8jhJx-gM","_links":{"self":[{"href":"https:\/\/rosetta.vn\/short\/wp-json\/wp\/v2\/posts\/1040"}],"collection":[{"href":"https:\/\/rosetta.vn\/short\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rosetta.vn\/short\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rosetta.vn\/short\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/rosetta.vn\/short\/wp-json\/wp\/v2\/comments?post=1040"}],"version-history":[{"count":0,"href":"https:\/\/rosetta.vn\/short\/wp-json\/wp\/v2\/posts\/1040\/revisions"}],"wp:attachment":[{"href":"https:\/\/rosetta.vn\/short\/wp-json\/wp\/v2\/media?parent=1040"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rosetta.vn\/short\/wp-json\/wp\/v2\/categories?post=1040"}
,{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rosetta.vn\/short\/wp-json\/wp\/v2\/tags?post=1040"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}