LGTM - Detailed Review

Developer Tools


    LGTM - Product Overview



    Introduction to LGTM

    LGTM, which stands for “looks good to me,” is a multifaceted tool within the developer tools category, particularly focused on code review and security analysis.



    Primary Function

    LGTM serves two main purposes:

    1. Code Review Approval: In the context of GitHub, LGTM is used as a simple pull request approval system. It ensures that pull requests are locked and cannot be merged until they receive the minimum number of approvals from project maintainers. Reviewers indicate their approval by commenting “LGTM” on the pull request.
    2. Code Analysis and Security: LGTM.com, now deprecated in favor of GitHub code scanning, was a code analysis platform that helped development teams identify vulnerabilities early in the development process. It used CodeQL to analyze source code for real CVEs and vulnerabilities, combining deep semantic code search with data science insights to rank the most relevant results.


    Target Audience

    The primary target audience for LGTM includes:

    • Software development teams
    • Project maintainers
    • Developers who need to review and approve code changes
    • Security researchers and teams focused on identifying and fixing vulnerabilities in codebases


    Key Features



    Code Review

    • Uses GitHub protected branches and maintainers files to manage pull request approvals.
    • Ensures that pull requests cannot be merged without the required number of approvals.
    • Simple approval process via commenting “LGTM” on the pull request.


    Code Analysis and Security

    • Automatically checks code for vulnerabilities and real CVEs.
    • Utilizes CodeQL for analyzing source code and identifying potential security issues.
    • Provides insights from a large community of security researchers to help developers ship secure code.
    • Supports various programming languages including C, C++, C#, Go, Java, JavaScript/TypeScript, and Python.


    Current Status

    LGTM.com has been deprecated and is now replaced by GitHub code scanning. However, the LGTM approval system for pull requests remains active and widely used.

    LGTM - User Interface and Experience



    LGTM as a Pull Request Approval System

    In the context of the GitHub pull request approval system, LGTM (Looks Good To Me) is relatively simple and straightforward. The user interface is minimal and integrated directly into GitHub’s pull request comments. Here’s how it works:
    • Project maintainers approve pull requests by commenting with “LGTM” on the pull request.
    • The system locks pull requests and prevents them from being merged until the required number of approvals is received.
    • This process is managed through GitHub’s protected branches and maintainers files, making it easy for developers to follow and adhere to approval protocols without needing a separate, complex interface.
    The ease of use is high because it leverages existing GitHub functionality, making it intuitive for developers already familiar with GitHub.

    LGTM Stack for Observability

    In the context of observability tools, the LGTM stack refers to a suite of tools from Grafana Labs: Loki for logs, Grafana for dashboards and visualization, Tempo for traces, and Mimir for metrics.

    User Interface

    The user interface for the LGTM stack is primarily centered around Grafana, which is known for its user-friendly and customizable dashboards.
    • Grafana provides a unified view of metrics, logs, and traces, allowing users to create and customize dashboards easily.
    • The interface is intuitive, with drag-and-drop features and a wide range of visualization options, making it accessible even for those new to observability tools.


    Ease of Use

    The LGTM stack is designed to be easy to use, especially for those already familiar with monitoring and observability tools.
    • The setup process is well-documented, and resources like webinars and workshops are available to help users get started quickly.
    • The tools are integrated in a way that allows users to correlate different types of data (metrics, logs, traces) seamlessly, which enhances the overall user experience.


    Overall User Experience

    The overall user experience is positive due to the integration and simplicity of the tools.
    • Users can connect disparate data sources to a single dashboard, reducing the need to switch between multiple tools.
    • The ability to correlate different types of observability data helps in faster troubleshooting and incident resolution, making the user experience efficient and effective.
    In summary, both versions of LGTM are designed with simplicity and ease of use in mind, leveraging existing platforms and tools to provide a seamless user experience.

    LGTM - Key Features and Functionality



    LGTM Overview

    LGTM, which stands for “looks good to me,” encompasses several key features and functionalities, particularly in the context of code review, security, and integration with development tools.



    Code Review and Approval System

    LGTM functions as a simple pull request approval system, particularly when integrated with GitHub protected branches and maintainers files. Here’s how it works:

    • Pull requests are locked and cannot be merged until they receive the minimum number of approvals required.
    • Project maintainers can indicate their approval by commenting “LGTM” on the pull request.
    • This system ensures that code changes are reviewed and approved by the necessary team members before they are merged into the main branch.


    Integration with GitHub

    LGTM integrates seamlessly with GitHub through the use of protected branches and `OWNERS` files. Here are the key points:

    • An `OWNERS` file is created to define who has the authority to approve pull requests for specific parts of the codebase.
    • GitHub webhooks are set up to run the `lgtm` check on pull requests, ensuring that reviewers are notified when their approval is needed.
    • The system locks down the GitHub repository to prevent merging without successful checks, ensuring that all necessary approvals are obtained before code is merged.


    Security and Vulnerability Analysis

    LGTM also serves as a variant analysis platform that automatically checks code for real CVEs (Common Vulnerabilities and Exposures) and other vulnerabilities. Here’s what it does:

    • It combines deep semantic code search with data science insights to rank the most relevant results, showing only the alerts that matter.
    • The platform leverages insights from a large community of top security researchers to help developers ship secure code.
    • It supports various programming languages and processes software development projects with source code stored in public Git repositories.


    AI-Driven Code Scanning

    LGTM utilizes AI-driven code scanning through its integration with CodeQL, a technology developed by Semmle, which is now part of GitHub. Here’s how it works:

    • CodeQL allows for advanced code scanning by executing queries against the codebase to identify vulnerabilities and other issues.
    • Developers can try out CodeQL queries on the LGTM site to see how they function, which is a great starting point for those new to code scanning.


    Benefits

    The benefits of using LGTM include:

    • Improved Code Quality: Ensures that code changes are thoroughly reviewed and approved before merging, reducing the likelihood of bugs and vulnerabilities.
    • Enhanced Security: Automatically scans code for vulnerabilities, providing actionable insights to developers.
    • Streamlined Workflow: Automates the approval process and integrates well with continuous integration servers like Jenkins and Travis CI, making the development workflow more efficient.


    Conclusion

    In summary, LGTM is a versatile tool that enhances code review processes, improves code security, and integrates well with existing development tools, all while leveraging AI-driven technologies to make the development process more secure and efficient.

    LGTM - Performance and Accuracy



    Performance

    LGTM, as a static application security testing (SAST) tool, has been compared to other tools like Snyk Code and SonarQube in terms of scan times. A significant finding is that LGTM is notably slower compared to Snyk Code. According to a comparison study, Snyk Code is up to 106 times faster than LGTM, with LGTM’s scan times ranging from around 2 minutes to over 17 minutes.

    This slower performance can be a significant limitation, especially in agile development environments where quick feedback is crucial. Developers often cannot afford to wait several minutes for scan results, which can delay their development processes.



    Accuracy

    While performance is a concern, the accuracy of LGTM in identifying code issues is another critical aspect. LGTM is known for its ability to detect security vulnerabilities and code quality issues, but there is limited recent data on its accuracy compared to other tools.

    However, it is important to note that LGTM’s capabilities are being transitioned to GitHub Code Scanning, which suggests that the accuracy and functionality of LGTM are being integrated into a more comprehensive platform. This transition indicates that the core functionalities of LGTM are valued, but the tool itself is being phased out in favor of a more integrated solution.



    Limitations and Areas for Improvement

    One of the main limitations of LGTM is its slow scan times, which can hinder the development process. This slow performance makes it less developer-friendly compared to faster alternatives like Snyk Code.

    Another limitation is the impending shutdown of LGTM.com, with users being recommended to move to GitHub Code Scanning. This transition may require some adjustment and setup, particularly for maintaining historical data and integrating the new scanning tools into existing workflows.

    In terms of areas for improvement, if LGTM or its successor tools are to remain competitive, they need to address the speed issue. Optimizing the scanning process to provide near real-time feedback would significantly enhance their usability and appeal to developers.



    Conclusion

    LGTM, while capable of detecting code issues, faces significant challenges in terms of performance. Its slow scan times and the transition to GitHub Code Scanning highlight the need for improvements in speed and integration. For developers seeking quick and accurate code analysis, faster alternatives like Snyk Code may be more suitable. However, the integration of LGTM’s functionalities into GitHub Code Scanning suggests a commitment to maintaining and enhancing code analysis capabilities within the GitHub ecosystem.

    LGTM - Pricing and Plans



    GitHub Code Scanning Integration

    GitHub Code Scanning is a feature that has been integrated into GitHub’s platform, particularly within the GitHub Advanced Security suite. This integration means that the pricing for code scanning is tied to the broader GitHub plans.

    GitHub Plans and Code Scanning



    Free Plan

    The GitHub Free plan does not include GitHub Advanced Security or code scanning features. It offers basic features such as unlimited public and private repositories, automatic security and version updates, and limited CI/CD minutes and package storage.

    Team Plan

    The GitHub Team plan also does not include GitHub Advanced Security or code scanning. It adds features like GitHub Codespaces, protected branches, multiple reviewers in pull requests, and increased CI/CD minutes and package storage compared to the Free plan.

    Enterprise Plan

    The GitHub Enterprise plan is where you can access GitHub Advanced Security, which includes code scanning. Here are the key features:
    • Code Scanning: Helps find and remediate security issues in your code.
    • Secret Scanning: Prevents and detects secret exposures across your organization.
    • Dependency Review: Catches vulnerable dependencies before they are introduced to your environment.


    Pricing for GitHub Advanced Security
    • GitHub Advanced Security is available as a separately paid add-on for the GitHub Enterprise plan.
    • It costs $49 per committer per month, where a committer is defined as any contributor who has contributed to a repository in the last 90 days.


    Trial Option

    There is a 30-day trial available for GitHub Advanced Security, which allows you to use all its features across the organizations attached to your Enterprise Account.

    Since the specific pricing for LGTM as a standalone product is not available in the provided sources, it is clear that its features are now part of the broader GitHub Advanced Security offering within the GitHub Enterprise plan. If you need code scanning capabilities, you would need to opt for the GitHub Enterprise plan with the Advanced Security add-on.

    LGTM - Integration and Compatibility



    Integration with GitHub

    LGTM heavily relies on GitHub’s features, such as protected branches and OWNERS files. Here’s how it integrates:

    Protected Branches

    LGTM uses GitHub protected branches to lock down repositories, preventing merges without the required approvals.

    OWNERS Files

    It utilizes OWNERS files to define reviewers and required reviewers for specific files or directories. This ensures that the right people are notified and must sign off on changes before a pull request can be merged.

    Webhooks and CI/CD

    LGTM can be integrated with continuous integration servers like Jenkins and Travis CI. For example, you can configure Jenkins to run the `lgtm` tool on every pull request, comment, or new commit pushed to a pull request.

    Compatibility with CI/CD Tools

    LGTM is compatible with several CI/CD tools:

    Jenkins

    You can install the GitHub pull request builder plugin in Jenkins and configure it to run the `lgtm` tool as part of the build steps.

    Travis CI

    LGTM can be integrated into a `.travis.yml` file to run checks on pull requests. However, note that Travis CI cannot be triggered to rebuild on new comments automatically, requiring manual re-triggering.

    Platform Independence

    While the primary documentation does not explicitly mention platform-specific compatibility for the LGTM tool itself, it is typically run within CI/CD environments which can be hosted on various platforms. Since it is often used within Python scripts or Docker environments, it can be executed on any platform that supports these technologies, such as Linux, Windows, or macOS.

    Usage in Python

    LGTM can also be integrated into existing Python checks, allowing for flexible usage within Python scripts. This involves importing the `lgtm` module and using its functions to check if a pull request is ready to be merged.
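    To make the OWNERS-file approval model described above (in “Integration with GitHub”, “OWNERS Files” and this section) concrete, here is an added example of such a check in Python. It is not the `lgtm` project's own code: the OWNERS syntax, the `Comment` record and the sample pull-request data are constructed for illustration, and the example goes slightly beyond the text by also discarding stale sign-offs posted before the last push and self-approvals by the PR author.

```python
from __future__ import annotations

import fnmatch
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# An approval comment must *start* with LGTM ("LGTM", "lgtm!", "LGTM, thanks"),
# so "Not LGTM yet" does not count. Hypothetical rule, not lgtm's own.
LGTM_RE = re.compile(r"^\s*lgtm\b", re.IGNORECASE)


@dataclass(frozen=True)
class Comment:
    author: str
    body: str
    posted_at: datetime


def parse_owners(text: str) -> dict[str, set[str]]:
    """Parse a constructed OWNERS format (assumption, not lgtm's real format):
    a bare login may approve any file; 'glob: login, login' may approve only
    files matching the glob. '#' starts a comment. Returns {glob: {logins}}."""
    rules: dict[str, set[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        pattern, _, logins = line.partition(":") if ":" in line else ("*", "", line)
        names = {n.strip() for n in logins.split(",") if n.strip()}
        rules.setdefault(pattern.strip(), set()).update(names)
    return rules


def owners_of(path: str, rules: dict[str, set[str]]) -> set[str]:
    """Logins allowed to sign off on one changed file (union of matching globs)."""
    return {login for glob, logins in rules.items()
            if fnmatch.fnmatch(path, glob) for login in logins}


def check_pr(changed_files: list[str], comments: list[Comment],
             rules: dict[str, set[str]], pr_author: str,
             last_commit_at: datetime, min_approvals: int = 1,
             ) -> tuple[bool, dict[str, set[str]]]:
    """Decide whether a pull request may be merged.

    An LGTM counts only if its author owns at least one changed file, is not
    the PR author, and posted it after the most recent commit (a later push
    invalidates earlier sign-offs, so the reviewed code is the merged code).
    Ready = enough distinct approvers AND every changed file has an approving
    owner. Returns (ready, {file: approving owners})."""
    per_file = {f: owners_of(f, rules) for f in changed_files}
    approvals: dict[str, set[str]] = {f: set() for f in changed_files}
    approvers: set[str] = set()
    for c in comments:
        if not LGTM_RE.match(c.body):
            continue
        if c.author == pr_author or c.posted_at <= last_commit_at:
            continue
        signed = {f for f, owners in per_file.items() if c.author in owners}
        if not signed:
            continue  # an LGTM from a non-owner carries no weight
        approvers.add(c.author)
        for f in signed:
            approvals[f].add(c.author)
    ready = len(approvers) >= min_approvals and all(approvals[f] for f in changed_files)
    return ready, approvals


# Constructed sample data (not from any real repository).
OWNERS_TEXT = """\
alice                      # may approve anything
src/auth/*: bob, carol     # auth code needs one of these (or alice)
docs/*: dave
"""
RULES = parse_owners(OWNERS_TEXT)
CHANGED = ["src/auth/login.py", "docs/auth.md"]
LAST_COMMIT = datetime(2022, 8, 1, 10, 0, tzinfo=timezone.utc)


def minutes_after(n: int) -> datetime:
    """Timestamp n minutes after the PR's last commit (negative = before it)."""
    return LAST_COMMIT + timedelta(minutes=n)


def scenarios() -> dict[str, bool]:
    """Run the check over a few constructed comment threads; PR author is erin."""
    cases = {
        "global owner signs off": [Comment("alice", "LGTM", minutes_after(5))],
        "auth owner only, docs unsigned": [Comment("bob", "lgtm!", minutes_after(5))],
        "both path owners sign off": [Comment("bob", "LGTM", minutes_after(5)),
                                      Comment("dave", "LGTM, thanks", minutes_after(6))],
        "stale approval before last push": [Comment("alice", "LGTM", minutes_after(-30))],
        "author approves own PR": [Comment("erin", "LGTM", minutes_after(5))],
        "negated wording": [Comment("alice", "Not LGTM yet, see comments", minutes_after(5))],
        "non-owner approves": [Comment("mallory", "LGTM", minutes_after(5))],
    }
    return {name: check_pr(CHANGED, cs, RULES, "erin", LAST_COMMIT)[0]
            for name, cs in cases.items()}


if __name__ == "__main__":
    for name, ready in scenarios().items():
        print(f"{'MERGEABLE' if ready else 'BLOCKED  '}  {name}")
```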

    Conclusion

    In summary, LGTM is highly integrated with GitHub and various CI/CD tools, ensuring a streamlined code review process. Its compatibility is generally tied to the platforms supported by these tools, making it versatile across different environments. However, specific platform compatibility details for the LGTM tool itself are not explicitly outlined in the available resources.

    LGTM - Customer Support and Resources



    Support Options



    Transition from LGTM.com

    As of December 2022, LGTM.com is no longer available, and all its functionalities have been integrated into GitHub code scanning. For support, users now need to rely on GitHub’s support mechanisms. If you have a paid GitHub product or are part of an organization using a paid product, you can directly contact GitHub Support through the GitHub Support portal.



    Support for GitHub Free Users

    For users of GitHub Free, support for account, security, and abuse issues can still be accessed through the GitHub Support portal, but general support is available through GitHub Community discussions.



    Additional Resources



    GitHub Code Scanning

    This is the primary resource now, as it has replaced LGTM.com. GitHub code scanning, powered by CodeQL, offers code scanning, secret scanning, and dependency review within GitHub Enterprise organizations. You can set up code scanning using GitHub Actions workflows, which is a straightforward process through the repository’s Security tab.



    Migration Assistance

    GitHub provided assistance to migrate repositories from LGTM.com to GitHub code scanning. This included creating pull requests to add the necessary GitHub Actions workflows for code scanning.



    Documentation and Guides

    GitHub offers detailed guides on getting started with code scanning and other security features. These resources are available on the GitHub blog and in the GitHub documentation.



    Community Support

    Users can engage with the GitHub community through discussions and forums to get help and feedback from other users and GitHub staff.



    Tools and Features



    CodeQL

    This is the underlying analysis engine for GitHub code scanning. You can try out CodeQL queries on the LGTM site (though it is being deprecated) or directly within GitHub. CodeQL helps in identifying vulnerabilities and security issues in your code.



    GitHub Actions

    These workflows are essential for setting up and running code scanning on your repositories. GitHub provides a base workflow that you can customize to suit your needs.

    By leveraging these resources and support options, users can effectively transition from LGTM.com to GitHub code scanning and continue to ensure the security and quality of their code.

    LGTM - Pros and Cons



    Advantages



    Security Focus

    LGTM, now part of GitHub code scanning, is highly focused on detecting and fixing security vulnerabilities in code. It uses CodeQL, a powerful code analysis engine, to identify issues such as remote code execution (RCE), SQL injection, and cross-site scripting (XSS) vulnerabilities.

    Integration with GitHub

    The tool seamlessly integrates with GitHub, allowing developers to analyze code directly within their GitHub workflow. This includes running code scans as part of GitHub Actions or existing CI/CD environments, and displaying results as code scanning alerts within pull requests and the repository’s security tab.

    Community Contributions

    CodeQL, the engine behind LGTM, benefits from community contributions. There are over 2,000 CodeQL queries created by GitHub and the community, which can be used to find and prevent security concerns. This community-driven approach enhances the tool’s effectiveness.

    Flexibility and Extensibility

    GitHub code scanning is flexible and extensible, allowing it to integrate with other security tools and third-party scanning engines. This enables developers to view results from multiple security tools in a single interface and export multiple scan results through a single API.

    Free for Public Repositories

    Code scanning is free for public repositories, making it accessible to open-source projects and encouraging broader adoption and security improvements in the open-source ecosystem.

    Disadvantages



    Deprecation of LGTM.com

    LGTM.com is being deprecated, with no new user sign-ups or new repositories accepted since August 2022. While existing users can continue to use it, historical analysis is no longer performed, and users are encouraged to migrate to GitHub code scanning.

    Limited Historical Analysis

    After the deprecation of LGTM.com, historical analysis of existing repositories will no longer be performed, which might be a drawback for projects that rely on historical data for security audits.

    Migration Effort

    Migrating from LGTM.com to GitHub code scanning may require some effort, especially for repositories with advanced build and analysis configurations. While GitHub provides support for migration, it can still be a significant task.

    Cost for Private Repositories

    For private repositories, code scanning is available only through GitHub Enterprise with Advanced Security, which requires a paid subscription. This can be a significant cost for large teams or organizations.

    In summary, LGTM, as integrated into GitHub code scanning, offers strong security features, seamless integration with GitHub, and community-driven enhancements, but it also involves the deprecation of the standalone LGTM.com service and potential costs for private repositories.

    LGTM - Comparison with Competitors



    When Comparing LGTM and Other Code Scanning Tools

    When comparing LGTM (now being deprecated in favor of GitHub Code Scanning) with other code scanning and security tools in the developer tools category, several key points and alternatives stand out.



    GitHub Code Scanning

    GitHub Code Scanning, which is replacing LGTM, uses the CodeQL analysis engine to identify security vulnerabilities and coding errors. Here are some of its unique features:

    • Native Integration: It is natively integrated into GitHub, making it easy to set up and use, especially for GitHub users.
    • Automated Scans: It can automatically scan code in pull requests and repositories, flagging potential security issues on the repository’s security tab.
    • Multi-Language Support: CodeQL supports a wide range of programming languages, and GitHub has also integrated various third-party tools to cover additional languages like PHP, Swift, Kotlin, and Ruby.
    • Advanced Security Features: For private repositories and GitHub Enterprise Cloud users, it requires a GitHub Advanced Security license, which includes additional features like GitHub Copilot Autofix for suggesting fixes.


    Snyk

    Snyk is an enterprise-level code scanning tool that offers several features:

    • Multi-Platform Support: It works with both GitHub and Bitbucket and can integrate with CI/CD pipelines for containers and infrastructure deployments.
    • Automated Remediation: Snyk can automatically remediate some security incidents without user intervention and continuously optimizes its scanning capabilities using AI.
    • Broad Language Coverage: It supports a multitude of languages and can detect unique instances of software vulnerabilities.


    Gitleaks

    Gitleaks is a lightweight, open-source tool:

    • Ease of Use: It is simple to set up and run, making it suitable for small projects and hobbyists. It scans code for sensitive information like secrets and passwords.
    • Automatic Scans: Gitleaks can be integrated into commit actions to automatically scan code before it is uploaded to a repository.


    SpectralOps

    SpectralOps is geared towards enterprise projects:

    • Comprehensive Scanning: It scans every repository, binary, static files, and code for a wide range of secrets and sensitive data. It offers real-time scans and continuous monitoring.
    • Customizable Signals: It allows DevSecOps teams to customize signals to detect specific assets or sensitive information.


    GitGuardian

    GitGuardian is a secret scanning tool suitable for mid-sized projects:

    • Tiered Pricing: It offers pricing from free to enterprise levels, making it accessible to various project sizes. It works with GitHub, GitLab, Bitbucket, and Azure repositories.
    • Email Notifications: It sends emails to repository owners when sensitive information is detected.


    Key Differences and Alternatives

    • Integration and Ease of Use: GitHub Code Scanning stands out for its seamless integration with GitHub, making it very user-friendly for GitHub users. In contrast, tools like Snyk and SpectralOps require more setup but offer broader platform support and advanced features.
    • Cost and Accessibility: GitHub Code Scanning is free for public repositories on GitHub, while private repositories require a GitHub Advanced Security license. Tools like Gitleaks and GitGuardian offer free or low-cost options for smaller projects.
    • Language Support and Customization: While GitHub Code Scanning has extensive language support through CodeQL and third-party integrations, tools like Snyk and SpectralOps offer more comprehensive coverage and customization options for enterprise environments.


    Conclusion

    In summary, the choice between these tools depends on the specific needs of the project:

    • For GitHub users looking for a straightforward, integrated solution, GitHub Code Scanning is a strong choice.
    • For enterprise projects requiring advanced security features and broad platform support, Snyk or SpectralOps might be more suitable.
    • For smaller projects or hobbyists, Gitleaks or GitGuardian could provide the necessary security scanning without the overhead of more complex tools.

    LGTM - Frequently Asked Questions



    Frequently Asked Questions about LGTM and GitHub Code Scanning



    Q: What is happening to LGTM.com?

    LGTM.com is being gradually deprecated in favor of GitHub code scanning. As of the end of August 2022, LGTM.com stopped accepting new user sign-ups and new repositories. By December 16, 2022, LGTM.com was shut down completely.



    Q: How do I migrate my repositories from LGTM.com to GitHub code scanning?

    GitHub is helping users migrate their repositories by creating pull requests that add a GitHub Actions workflow to run code scanning. For repositories with advanced configurations, GitHub will notify the users directly to assist in the migration. Once the configuration is merged, the repository will be scanned by GitHub code scanning.



    Q: What features will be lost when LGTM.com is shut down?

    When LGTM.com is shut down, several features will no longer be available, including code quality badges, the LGTM query console (including historical results), LGTM documentation, and all LGTM.com APIs.



    Q: How do I get started with GitHub code scanning?

    To get started with GitHub code scanning, you need to enable GitHub’s security features in your repositories. You can follow the getting started guide provided by GitHub to learn more about how to set up and use code scanning and other security features like Dependabot.



    Q: Can I continue using the LGTM.com query console?

    If you are an active user of the LGTM.com query console, you may be able to test this functionality on GitHub through a beta program. However, the query console itself will no longer be available after LGTM.com is shut down.



    Q: How does GitHub code scanning work?

    GitHub code scanning uses the CodeQL analysis engine to find security vulnerabilities and coding errors in your repository. It can be triggered by specific events, such as pushes, and displays alerts in the repository for any issues found. Once the issues are fixed, GitHub closes the alerts.



    Q: What types of repositories can use GitHub code scanning?

    GitHub code scanning is available for public repositories on GitHub.com and organization-owned repositories on GitHub Enterprise Cloud with GitHub Advanced Security enabled.



    Q: How can I download data from LGTM.com before it goes offline?

    You can use the various APIs available on LGTM.com to download your data before the service is shut down. It is recommended to take a look at the available APIs to ensure you retrieve all necessary data.



    Q: What happens to historical analysis data on LGTM.com?

    After the end of November 2022, LGTM.com stopped fetching new commits and analyzing pull requests. Historical analysis data will not be available once LGTM.com is shut down.



    Q: How can I ask questions or leave feedback about the transition from LGTM.com to GitHub code scanning?

    You can join the GitHub Discussion on this topic to ask questions or leave feedback. This is a great way to engage with the community and get support during the transition.

    LGTM - Conclusion and Recommendation



    Final Assessment of LGTM in the Developer Tools AI-driven Product Category

    LGTM (Looks Good To Me), now integrated into GitHub as GitHub Code Scanning, is a powerful tool in the developer tools category, particularly focused on code analysis and security.

    Key Benefits



    Code Security and Vulnerability Detection

    LGTM excels in detecting and fixing security vulnerabilities in code. It uses a deep semantic code search combined with data science insights to identify and rank relevant security alerts, ensuring developers can focus on the most critical issues.



    Integration and Flexibility

    LGTM integrates seamlessly with various version control systems, including Git, and is not limited to GitHub repositories. This flexibility allows developers to analyze code from different sources, making it a versatile tool for diverse development environments.



    Automated Code Analysis

    The tool automates the process of finding and fixing software vulnerabilities, which is a significant time-saver for development teams. It uses CodeQL (Code Query Language) for deep analysis of the code, identifying issues such as known security vulnerabilities, dependency problems, and coding malpractices.



    Who Would Benefit Most



    Security-Conscious Teams

    Development teams that prioritize code security and want to ensure their codebase is free from vulnerabilities would greatly benefit from LGTM. This includes teams working on critical applications where security breaches could have significant consequences.



    Large and Distributed Teams

    Teams with multiple contributors and a large codebase can leverage LGTM to streamline their code review process. The automated analysis and alert system help in maintaining code quality and security across the entire project.



    Organizations with Compliance Requirements

    Companies that need to comply with strict security standards can use LGTM to ensure their code meets these requirements. The detailed reports and alerts provided by the tool can be invaluable for auditing and compliance purposes.



    Overall Recommendation

    LGTM, as part of GitHub Code Scanning, is a valuable addition to any development toolkit, especially for teams that need robust code security and analysis. Here are some key points to consider:



    Cost

    While LGTM offers a free version for open-source projects, commercial use requires a subscription. However, the benefits in terms of security and code quality often justify the cost.



    Ease of Use

    The integration with GitHub and other version control systems makes it relatively easy to implement and use, especially for teams already familiar with these platforms.



    Effectiveness

    The automated code analysis and the use of CodeQL make LGTM highly effective in identifying and fixing vulnerabilities, which can significantly reduce the risk of security breaches.

    In summary, if your team is looking to enhance code security, streamline the code review process, and ensure compliance with security standards, LGTM is a highly recommended tool. Its integration with GitHub and other version control systems, along with its advanced code analysis capabilities, make it a valuable asset for any development team.
