The latest articles on DEV Community by James Moceri (@jmogaming). https://dev.to/jmogaming https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3579458%2F94674bfa-6327-4945-9a51-68e600e4ff53.png https://dev.to/jmogaming en James Moceri Thu, 30 Oct 2025 04:07:14 +0000 https://dev.to/jmogaming/kubernetes-style-scan-scheduling-comes-to-security-tools-jmo-security-v080-1je1 https://dev.to/jmogaming/kubernetes-style-scan-scheduling-comes-to-security-tools-jmo-security-v080-1je1 <p>Running security scans manually gets old fast. You start with good intentions — "I'll scan every Friday before release" — but then Friday becomes Saturday becomes "whenever I remember."</p> <p>The solution? Automation. But here's the problem: most security tools don't integrate cleanly with CI/CD platforms. You end up writing YAML by hand, copying configs between projects, and maintaining a dozen different cron schedules.</p> <p>I built JMo Security to orchestrate 12+ security scanners (Trivy, Semgreg, TruffleHog, Checkov, ZAP, Nuclei, etc.) with a unified CLI. Version 0.8.0 adds the missing piece: <strong>enterprise-grade scheduling and CI/CD integration</strong>.</p> <h2> Table of Contents </h2> <ul> <li> What's New in v0.8.0 <ul> <li>1. Kubernetes-Style Schedule Management</li> <li>2. GitLab CI/CD Workflow Generation</li> <li>3. Slack Notifications</li> </ul> </li> <li>Why This Matters</li> <li>Real-World Use Cases</li> <li>Getting Started</li> <li>What's Next</li> <li>Contributing</li> </ul> <h2> What's New in v0.8.0 </h2> <h3> 1. Kubernetes-Style Schedule Management </h3> <p>If you've worked with Kubernetes CronJobs, this will feel instantly familiar:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create a weekly security scan schedule</span> jmo schedule create prod-security-audit <span class="se">\</span> <span class="nt">--cron</span> <span class="s2">"0 2 * * 1"</span> <span class="se">\</span> <span class="nt">--profile</span> balanced <span class="se">\</span> <span class="nt">--repo</span> ./myapp <span class="se">\</span> <span class="nt">--image</span> myapp:latest <span class="se">\</span> <span class="nt">--url</span> https://myapp.com <span class="se">\</span> <span class="nt">--backend</span> gitlab-ci <span class="se">\</span> <span class="nt">--slack-webhook</span> <span class="s2">"https://hooks.slack.com/services/YOUR/WEBHOOK"</span> </code></pre> </div> <p>This creates a schedule resource with Kubernetes-style metadata, spec, and status fields:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">prod-security-audit</span> <span class="na">uid</span><span class="pi">:</span> <span class="s">f47ac10b-58cc-4372-a567-0e02b2c3d479</span> <span class="na">creationTimestamp</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2025-10-28T14:30:00Z"</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">schedule</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0</span><span class="nv"> </span><span class="s">2</span><span class="nv"> </span><span class="s">*</span><span class="nv"> </span><span class="s">*</span><span class="nv"> </span><span class="s">1"</span> <span class="c1"># Every Monday at 2 AM</span> <span class="na">jobTemplate</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">profile</span><span class="pi">:</span> <span class="s">balanced</span> <span class="na">targets</span><span class="pi">:</span> <span class="na">repo</span><span class="pi">:</span> <span class="s">./myapp</span> <span class="na">image</span><span class="pi">:</span> <span class="s">myapp:latest</span> <span class="na">url</span><span class="pi">:</span> <span class="s">https://myapp.com</span> <span class="na">notifications</span><span class="pi">:</span> <span class="na">channels</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">type</span><span class="pi">:</span> <span class="s">slack</span> <span class="na">url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://hooks.slack.com/..."</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">gitlab-ci</span> <span class="na">status</span><span class="pi">:</span> <span class="na">lastScheduleTime</span><span class="pi">:</span> <span class="kc">null</span> <span class="na">nextScheduleTime</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2025-11-04T02:00:00Z"</span> </code></pre> </div> <p>Schedules are stored locally in <code>~/.jmo/schedules.json</code> with secure permissions (0o600). No cloud dependencies.</p> <h3> 2. GitLab CI/CD Workflow Generation </h3> <p>Once you've defined a schedule, export it to a ready-to-use GitLab CI pipeline:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>jmo schedule <span class="nb">export </span>prod-security-audit <span class="o">&gt;</span> .gitlab-ci.yml </code></pre> </div> <p>This generates a complete <code>.gitlab-ci.yml</code> with:</p> <ul> <li>Profile-based jobs (fast/balanced/deep)</li> <li>Multi-target support (repos, containers, IaC, web apps, K8s clusters)</li> <li>Slack notifications on success/failure</li> <li>Artifact uploads (JSON findings, HTML dashboard, SARIF reports)</li> <li>Pipeline schedules matching your cron syntax</li> </ul> <p>Example generated pipeline:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Generated by JMo Security Schedule Manager</span> <span class="c1"># Schedule: prod-security-audit (0 2 * * 1)</span> <span class="na">variables</span><span class="pi">:</span> <span class="na">JMO_PROFILE</span><span class="pi">:</span> <span class="s2">"</span><span class="s">balanced"</span> <span class="na">SLACK_WEBHOOK_URL</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://hooks.slack.com/services/YOUR/WEBHOOK"</span> <span class="na">stages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">scan</span> <span class="pi">-</span> <span class="s">notify</span> <span class="na">jmo-security-scan</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">scan</span> <span class="na">image</span><span class="pi">:</span> <span class="s">jmogaming/jmo-security:latest</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">jmo scan --profile balanced --repo . --image myapp:latest --url https://myapp.com</span> <span class="pi">-</span> <span class="s">jmo report ./results --profile</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">reports</span><span class="pi">:</span> <span class="na">sast</span><span class="pi">:</span> <span class="s">results/summaries/findings.sarif</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">results/</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">30 days</span> <span class="na">only</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">schedules</span> <span class="na">notify-slack-success</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">notify</span> <span class="na">image</span><span class="pi">:</span> <span class="s">curlimages/curl:latest</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">curl -X POST "$SLACK_WEBHOOK_URL" \</span> <span class="s">-H 'Content-Type: application/json' \</span> <span class="s">-d "{</span> <span class="s">\"text\": \"✅ Security scan PASSED: $CI_PIPELINE_URL\",</span> <span class="s">\"attachments\": [{</span> <span class="s">\"color\": \"good\",</span> <span class="s">\"fields\": [</span> <span class="s">{\"title\": \"Commit\", \"value\": \"$CI_COMMIT_SHORT_SHA\", \"short\": true},</span> <span class="s">{\"title\": \"Branch\", \"value\": \"$CI_COMMIT_BRANCH\", \"short\": true}</span> <span class="s">]</span> <span class="s">}]</span> <span class="s">}"</span> <span class="na">only</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">schedules</span> <span class="na">when</span><span class="pi">:</span> <span class="s">on_success</span> <span class="na">notify-slack-failure</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">notify</span> <span class="na">image</span><span class="pi">:</span> <span class="s">curlimages/curl:latest</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">curl -X POST "$SLACK_WEBHOOK_URL" \</span> <span class="s">-H 'Content-Type: application/json' \</span> <span class="s">-d "{</span> <span class="s">\"text\": \"❌ Security scan FAILED: $CI_PIPELINE_URL\",</span> <span class="s">\"attachments\": [{</span> <span class="s">\"color\": \"danger\",</span> <span class="s">\"fields\": [</span> <span class="s">{\"title\": \"Commit\", \"value\": \"$CI_COMMIT_SHORT_SHA\", \"short\": true},</span> <span class="s">{\"title\": \"Branch\", \"value\": \"$CI_COMMIT_BRANCH\", \"short\": true}</span> <span class="s">]</span> <span class="s">}]</span> <span class="s">}"</span> <span class="na">only</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">schedules</span> <span class="na">when</span><span class="pi">:</span> <span class="s">on_failure</span> </code></pre> </div> <h3> 3. Slack Notifications </h3> <p>Slack integration is built-in. Configure webhooks in your schedule:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">notifications</span><span class="pi">:</span> <span class="na">channels</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">type</span><span class="pi">:</span> <span class="s">slack</span> <span class="na">url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://hooks.slack.com/services/YOUR/WEBHOOK"</span> </code></pre> </div> <p>Notifications include:</p> <ul> <li>✅ Pipeline status (success/failure)</li> <li>📊 Commit info (SHA, branch, author)</li> <li>🔍 Findings count (when available)</li> <li>🔗 Direct link to pipeline</li> </ul> <h2> Why This Matters </h2> <p>Before v0.8.0, you had three options:</p> <ol> <li> <strong>Manual scans</strong> — Inconsistent, easy to forget</li> <li> <strong>Hand-written CI/CD YAML</strong> — Error-prone, hard to maintain across projects</li> <li> <strong>Third-party services</strong> — Expensive, cloud dependencies, vendor lock-in</li> </ol> <p>Now you have a fourth option:</p> <ul> <li> <strong>Declarative schedules</strong> stored locally</li> <li> <strong>Auto-generated CI/CD configs</strong> for GitLab (GitHub Actions coming soon)</li> <li> <strong>Zero cloud dependencies</strong> (except Slack webhooks, optional)</li> <li><strong>100% open source</strong></li> </ul> <h2> Real-World Use Cases </h2> <h3> Use Case 1: Multi-Environment Security Gates </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Dev environment: Fast scans on every commit</span> jmo schedule create dev-security <span class="se">\</span> <span class="nt">--cron</span> <span class="s2">"*/15 * * * *"</span> <span class="se">\</span> <span class="nt">--profile</span> fast <span class="se">\</span> <span class="nt">--repo</span> <span class="nb">.</span> <span class="se">\</span> <span class="nt">--backend</span> gitlab-ci <span class="c"># Staging: Balanced scans nightly</span> jmo schedule create staging-security <span class="se">\</span> <span class="nt">--cron</span> <span class="s2">"0 1 * * *"</span> <span class="se">\</span> <span class="nt">--profile</span> balanced <span class="se">\</span> <span class="nt">--repo</span> <span class="nb">.</span> <span class="se">\</span> <span class="nt">--image</span> staging:latest <span class="se">\</span> <span class="nt">--url</span> https://staging.example.com <span class="se">\</span> <span class="nt">--backend</span> gitlab-ci <span class="se">\</span> <span class="nt">--slack-webhook</span> <span class="s2">"</span><span class="nv">$STAGING_SLACK_WEBHOOK</span><span class="s2">"</span> <span class="c"># Production: Deep scans weekly</span> jmo schedule create prod-security <span class="se">\</span> <span class="nt">--cron</span> <span class="s2">"0 2 * * 0"</span> <span class="se">\</span> <span class="nt">--profile</span> deep <span class="se">\</span> <span class="nt">--repo</span> <span class="nb">.</span> <span class="se">\</span> <span class="nt">--image</span> prod:latest <span class="se">\</span> <span class="nt">--url</span> https://example.com <span class="se">\</span> <span class="nt">--k8s-context</span> prod <span class="se">\</span> <span class="nt">--backend</span> gitlab-ci <span class="se">\</span> <span class="nt">--slack-webhook</span> <span class="s2">"</span><span class="nv">$PROD_SLACK_WEBHOOK</span><span class="s2">"</span> </code></pre> </div> <h3> Use Case 2: Compliance Automation </h3> <p>JMo Security auto-enriches findings with 6 compliance frameworks (OWASP Top 10, CWE Top 25, NIST CSF 2.0, PCI DSS 4.0, CIS Controls v8.1, MITRE ATT&amp;CK). Schedule weekly compliance reports:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>jmo schedule create compliance-weekly <span class="se">\</span> <span class="nt">--cron</span> <span class="s2">"0 9 * * 1"</span> <span class="se">\</span> <span class="nt">--profile</span> balanced <span class="se">\</span> <span class="nt">--repo</span> <span class="nb">.</span> <span class="se">\</span> <span class="nt">--image</span> app:latest <span class="se">\</span> <span class="nt">--terraform-state</span> infrastructure.tfstate <span class="se">\</span> <span class="nt">--backend</span> gitlab-ci <span class="se">\</span> <span class="nt">--slack-webhook</span> <span class="s2">"</span><span class="nv">$COMPLIANCE_SLACK_WEBHOOK</span><span class="s2">"</span> </code></pre> </div> <p>Pipeline artifacts include:</p> <ul> <li> <code>COMPLIANCE_SUMMARY.md</code> — Cross-framework compliance status</li> <li> <code>PCI_DSS_COMPLIANCE.md</code> — PCI DSS 4.0 detailed report</li> <li> <code>attack-navigator.json</code> — MITRE ATT&amp;CK Navigator heatmap</li> </ul> <h3> Use Case 3: GitOps Workflow </h3> <p>Commit schedules to version control:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create schedules</span> jmo schedule create security-scan <span class="nt">--cron</span> <span class="s2">"0 2 * * *"</span> <span class="nt">--profile</span> balanced <span class="nt">--repo</span> <span class="nb">.</span> <span class="c"># Export to GitLab CI</span> jmo schedule <span class="nb">export </span>security-scan <span class="o">&gt;</span> .gitlab-ci.yml <span class="c"># Commit and push</span> git add .gitlab-ci.yml git commit <span class="nt">-m</span> <span class="s2">"ci: add automated security scans"</span> git push <span class="c"># GitLab automatically picks up the pipeline schedule</span> </code></pre> </div> <h2> Architecture Deep Dive </h2> <h3> Storage </h3> <p>Schedules are stored in <code>~/.jmo/schedules.json</code> with strict permissions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"schedules"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"metadata"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"prod-security-audit"</span><span class="p">,</span><span class="w"> </span><span class="nl">"uid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"f47ac10b-58cc-4372-a567-0e02b2c3d479"</span><span class="p">,</span><span class="w"> </span><span class="nl">"creationTimestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2025-10-28T14:30:00Z"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"spec"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"schedule"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0 2 * * 1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"jobTemplate"</span><span class="p">:</span><span class="w"> </span><span class="p">{},</span><span class="w"> </span><span class="nl">"backend"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"gitlab-ci"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"nextScheduleTime"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2025-11-04T02:00:00Z"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Cron Validation </h3> <p>Uses <code>croniter</code> library for full cron syntax support:</p> <ul> <li>Standard 5-field cron (<code>0 2 * * 1</code>)</li> <li>Extended syntax (ranges, steps, lists)</li> <li>Timezone support (UTC default)</li> <li>Next run calculation</li> </ul> <h3> Backend Abstraction </h3> <p>Designed for extensibility:</p> <ul> <li> <strong>gitlab-ci</strong> (v0.8.0)</li> <li> <strong>github-actions</strong> (planned v0.9.0)</li> <li> <strong>local-cron</strong> (planned v0.9.0)</li> <li> <strong>jenkins</strong> (community request)</li> </ul> <h2> Getting Started </h2> <h3> Option 1: Docker (Zero Installation) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker pull jmogaming/jmo-security:0.8.0 docker run <span class="nt">--rm</span> <span class="nt">-it</span> <span class="se">\</span> <span class="nt">-v</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">pwd</span><span class="si">)</span><span class="s2">:/scan"</span> <span class="se">\</span> jmogaming/jmo-security:0.8.0 <span class="se">\</span> schedule create my-scan <span class="nt">--cron</span> <span class="s2">"0 2 * * *"</span> <span class="nt">--profile</span> balanced <span class="nt">--repo</span> <span class="nb">.</span> </code></pre> </div> <h3> Option 2: PyPI </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>jmo-security<span class="o">==</span>0.8.0 jmo schedule create my-scan <span class="nt">--cron</span> <span class="s2">"0 2 * * *"</span> <span class="nt">--profile</span> balanced <span class="nt">--repo</span> <span class="nb">.</span> </code></pre> </div> <h3> Option 3: GitHub Clone </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/jimmy058910/jmo-security-repo.git <span class="nb">cd </span>jmo-security-repo make dev-deps jmo schedule create my-scan <span class="nt">--cron</span> <span class="s2">"0 2 * * *"</span> <span class="nt">--profile</span> balanced <span class="nt">--repo</span> <span class="nb">.</span> </code></pre> </div> <h2> Upgrade Notes </h2> <p><strong>Breaking Changes:</strong> None. v0.8.0 is fully backward-compatible.</p> <p><strong>New Dependencies:</strong></p> <ul> <li> <code>croniter&gt;=2.0</code> (cron parsing)</li> <li> <code>types-croniter</code> (type hints)</li> </ul> <p>Install with: <code>pip install --upgrade jmo-security[scheduling]</code></p> <h2> What's Next </h2> <p><strong>v0.9.0 Roadmap:</strong></p> <ul> <li>GitHub Actions workflow generation</li> <li>Local cron integration</li> <li>Schedule templating (reusable schedule configs)</li> <li>Multi-region scheduling (different timezones per schedule)</li> <li>Schedule dependency chains ("run scan B after scan A succeeds")</li> </ul> <p><strong>See full roadmap:</strong> <a href="https://github.com/jimmy058910/jmo-security-repo/blob/main/ROADMAP.md" rel="noopener noreferrer">ROADMAP.md</a></p> <h2> Contributing </h2> <p>JMo Security is 100% open source (MIT OR Apache-2.0 dual-licensed). Contributions welcome:</p> <ul> <li>🐛 Report bugs: <a href="https://github.com/jimmy058910/jmo-security-repo/issues" rel="noopener noreferrer">GitHub Issues</a> </li> <li>💡 Feature requests: <a href="https://github.com/jimmy058910/jmo-security-repo/discussions" rel="noopener noreferrer">GitHub Discussions</a> </li> <li>🔧 Pull requests: <a href="https://github.com/jimmy058910/jmo-security-repo/blob/main/CONTRIBUTING.md" rel="noopener noreferrer">CONTRIBUTING.md</a> </li> </ul> <p><strong>Looking to hire?</strong> I'm a recent cybersecurity bootcamp graduate (Michigan Tech × Institute of Data, October 2025) actively seeking cybersecurity/DevSecOps roles. JMo Security started as my capstone project and evolved into a production-grade platform. <a href="https://linkedin.com/in/jimmy058910" rel="noopener noreferrer">Connect with me on LinkedIn</a>.</p> <h2> Support the Project </h2> <ul> <li>⭐ Star on GitHub: <a href="https://github.com/jimmy058910/jmo-security-repo" rel="noopener noreferrer">jimmy058910/jmo-security-repo</a> </li> <li>💚 Support on Ko-fi: <a href="https://ko-fi.com/jmogaming" rel="noopener noreferrer">ko-fi.com/jmogaming</a> </li> <li>💰 Sponsor on GitHub: <a href="https://github.com/sponsors/jimmy058910" rel="noopener noreferrer">github.com/sponsors/jimmy058910</a> </li> <li>📧 Subscribe to newsletter: <a href="https://jmotools.com/subscribe.html" rel="noopener noreferrer">jmotools.com/subscribe.html</a> </li> </ul> <p><strong>Links:</strong></p> <ul> <li>Documentation: <a href="https://docs.jmotools.com" rel="noopener noreferrer">docs.jmotools.com</a> </li> <li>Blog: <a href="https://blog.jmotools.com" rel="noopener noreferrer">blog.jmotools.com</a> </li> <li>GitHub: <a href="https://github.com/jimmy058910/jmo-security-repo" rel="noopener noreferrer">github.com/jimmy058910/jmo-security-repo</a> </li> <li>PyPI: <a href="https://pypi.org/project/jmo-security/" rel="noopener noreferrer">pypi.org/project/jmo-security/</a> </li> <li>Docker Hub: <a href="//hub.docker.com/r/jmogaming/jmo-security">hub.docker.com/r/jmogaming/jmo-security</a> </li> </ul> cybersecurity devops gitlab opensource James Moceri Fri, 24 Oct 2025 22:25:00 +0000 https://dev.to/jmogaming/why-i-built-a-free-security-scanner-that-makes-sense-2cn7 https://dev.to/jmogaming/why-i-built-a-free-security-scanner-that-makes-sense-2cn7 <p>I just completed the Institute of Data / Michigan Tech Cybersecurity program, and for my capstone project, I scanned 22 random GitHub repositories with 4 secrets scanning tools.</p> <p>The results shocked me:</p> <ul> <li>🚨 <strong>1,562 security findings</strong> across 22 repos</li> <li>🔴 <strong>5 CRITICAL verified secrets</strong> (live API keys, active tokens)</li> <li>🟠 <strong>579 HIGH severity issues</strong> (hardcoded credentials, weak crypto, injection flaws)</li> <li>📊 <strong>Only 3.5% false positive rate</strong> </li> </ul> <p>But here's the real problem: <strong>I had to manually parse 4 different JSON formats, spend 3-4 hours aggregating results, and then map findings to compliance frameworks (OWASP, PCI DSS, NIST) by hand.</strong></p> <p>Each one of those 5 critical secrets was a potential data breach waiting to happen. And most developers don't even know their secrets are exposed until it's too late.</p> <p>So I built a solution.</p> <h2> The Problem: Security Scanning Is Unnecessarily Complicated </h2> <p>During my bootcamp, I researched "Vibe Coding" platforms—tools like Replit, Lovable, and AI code generators that let anyone build apps without traditional coding. These platforms are amazing for accessibility, but they introduce serious vulnerabilities.</p> <p>Here's what frustrated me: <strong>how are non-technical users supposed to catch security issues?</strong></p> <p>Most security scanners assume you have:</p> <ul> <li>A dedicated security team</li> <li>Deep knowledge of tool configurations</li> <li>Time to learn 5+ different tools</li> <li>$$$/year for commercial platforms</li> <li>A Linux/macOS environment (Windows users? Good luck.)</li> </ul> <p>For solo developers, small teams, and bootcamp graduates like me, this was a non-starter.</p> <p><strong>I needed a tool that just worked.</strong></p> <h2> The Solution: JMo Security </h2> <p><strong>JMo Security</strong> is an open-source security audit toolkit that integrates 11+ industry-standard scanners into one unified platform.</p> <p>Instead of juggling Trivy, Semgrep, TruffleHog, OWASP ZAP, and 7 other tools, you get one command and one dashboard.</p> <h3> What Makes It Different </h3> <h4> 1. Multi-Target Scanning (One Command, Six Asset Types) </h4> <p>Most scanners only work on Git repositories. JMo scans:</p> <ul> <li>📦 <strong>Repositories</strong> (local Git repos)</li> <li>🐳 <strong>Container images</strong> (Docker/OCI)</li> <li>☁️ <strong>IaC files</strong> (Terraform, CloudFormation, Kubernetes manifests)</li> <li>🌐 <strong>Live websites</strong> (DAST with OWASP ZAP)</li> <li>🦊 <strong>GitLab repos</strong> (with TruffleHog verified secrets)</li> <li>⎈ <strong>Kubernetes clusters</strong> (live cluster scanning)</li> </ul> <p>Example: Scan your app, its container, and your production website in one command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>jmo scan <span class="se">\</span> <span class="nt">--repo</span> ./myapp <span class="se">\</span> <span class="nt">--image</span> myapp:latest <span class="se">\</span> <span class="nt">--url</span> https://myapp.com <span class="se">\</span> <span class="nt">--k8s-context</span> prod </code></pre> </div> <p><strong>Result:</strong> One unified dashboard with deduplicated findings across all targets.</p> <h4> 2. Compliance Automation (No More Manual Mapping) </h4> <p>Remember those 3-4 hours I spent manually mapping findings to compliance frameworks? JMo does it automatically.</p> <p>Every finding is auto-tagged with <strong>six compliance frameworks</strong>:</p> <ul> <li> <strong>OWASP Top 10 2021</strong> - Web application security risks</li> <li> <strong>CWE Top 25 2024</strong> - Most dangerous software weaknesses</li> <li> <strong>NIST Cybersecurity Framework 2.0</strong> - Federal compliance</li> <li> <strong>PCI DSS 4.0</strong> - Payment card industry standards</li> <li> <strong>CIS Controls v8.1</strong> - Critical security controls</li> <li> <strong>MITRE ATT&amp;CK</strong> - Adversary tactics and techniques</li> </ul> <p><strong>Real talk:</strong> This feature alone saved me 40+ hours during my capstone. What used to take days now takes 5 minutes.</p> <h4> 3. Beginner-Friendly (5-Minute First Scan) </h4> <p>Interactive wizard guides first-time users:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>jmotools wizard </code></pre> </div> <p>The wizard:</p> <ul> <li>Detects your environment (Docker available? Use that!)</li> <li>Recommends scan profiles (fast/balanced/deep)</li> <li>Auto-discovers repositories and URLs</li> <li>Shows command preview before running</li> <li>Opens results when done</li> </ul> <p><strong>No security knowledge required.</strong></p> <h4> 4. Windows Support (Docker Mode) </h4> <p>Most security tools don't work on Windows. JMo's Docker mode delivers <strong>100% tool coverage</strong> on Windows/WSL2:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker run <span class="nt">-v</span> <span class="si">$(</span><span class="nb">pwd</span><span class="si">)</span>:/scan ghcr.io/jimmy058910/jmo-security:latest <span class="se">\</span> scan <span class="nt">--repo</span> /scan/myapp </code></pre> </div> <p>Zero installation. Full tool suite. Works everywhere.</p> <h3> How It Works </h3> <p>JMo uses a two-phase architecture:</p> <h4> Phase 1: Scan </h4> <ul> <li>Runs 11 tools in parallel (configurable threads)</li> <li>Writes raw JSON outputs to <code>results/</code> </li> <li>Supports timeouts and retries for flaky tools</li> </ul> <h4> Phase 2: Report </h4> <ul> <li>Normalizes all findings to a unified schema</li> <li>Deduplicates by fingerprint ID</li> <li>Enriches with compliance frameworks</li> <li>Generates dashboard, SARIF, JSON, Markdown</li> </ul> <h4> Tools Orchestrated (v0.7.0) </h4> <ul> <li> <strong>Secrets:</strong> TruffleHog (verified secrets), Nosey Parker (deep scanning)</li> <li> <strong>SAST:</strong> Semgrep (multi-language), Bandit (Python-specific)</li> <li> <strong>SBOM + Vuln:</strong> Syft (SBOM), Trivy (CVE scanning)</li> <li> <strong>IaC:</strong> Checkov (policy-as-code)</li> <li> <strong>Dockerfile:</strong> Hadolint (best practices)</li> <li> <strong>DAST:</strong> OWASP ZAP (web security), Nuclei (API security)</li> <li> <strong>Runtime:</strong> Falco (container/K8s monitoring)</li> <li> <strong>Fuzzing:</strong> AFL++ (coverage-guided fuzzing)</li> </ul> <h3> Real-World Example </h3> <p><strong>Scenario:</strong> Audit a web app before production launch.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Scan repo + Docker image + live staging environment</span> jmo scan <span class="se">\</span> <span class="nt">--repo</span> ./webapp <span class="se">\</span> <span class="nt">--image</span> webapp:staging <span class="se">\</span> <span class="nt">--url</span> https://staging.myapp.com <span class="se">\</span> <span class="nt">--profile-name</span> balanced <span class="se">\</span> <span class="nt">--results-dir</span> ./audit <span class="c"># Generate compliance report</span> jmo report ./audit <span class="nt">--profile</span> </code></pre> </div> <p><strong>Output:</strong></p> <ul> <li> <code>dashboard.html</code> — Interactive findings with suggested fixes</li> <li> <code>COMPLIANCE_SUMMARY.md</code> — Auto-mapped to OWASP/NIST/PCI DSS</li> <li> <code>findings.sarif</code> — Upload to GitHub Security tab</li> <li> <code>timings.json</code> — Performance profiling</li> </ul> <p><strong>Time:</strong> 15 minutes (vs. 8+ hours manually running tools)</p> <h2> Why Open Source? </h2> <p>I'm building this in public for three reasons:</p> <p><strong>1. Security tools should be accessible.</strong></p> <p>Not everyone has $$$/year for commercial scanners. Those 5 critical secrets I found? They were in open-source projects maintained by solo developers and small teams. They deserve enterprise-grade security without the enterprise price tag.</p> <p><strong>2. I'm learning (and I want feedback).</strong></p> <p>After 12+ years in operational management, I'm bringing that process-oriented mindset to cybersecurity. I want experienced engineers to tear this apart, suggest improvements, and help me build something truly useful.</p> <p><strong>3. I believe in giving back.</strong></p> <p>The open-source community helped me many times over my lifetime. This is my way of contributing—and hopefully making security less painful for the next person.</p> <h3> Current Status </h3> <ul> <li>✅ <strong>272 tests passing</strong> (91% coverage)</li> <li>✅ <strong>v0.7.0 released</strong> (privacy-first telemetry, multi-target wizard)</li> <li>✅ <strong>PyPI package</strong> (<code>pip install jmo-security</code>)</li> <li>✅ <strong>Docker images</strong> (3 variants: full/slim/alpine)</li> <li>✅ <strong>CI/CD ready</strong> (GitHub Actions examples included)</li> </ul> <h3> What's Next </h3> <p>I'm actively working on:</p> <ul> <li>Scheduled scans with cron support</li> <li>Machine-readable diff reports (compare scans over time)</li> <li>Plugin system for custom tools</li> <li>Policy-as-Code integration (OPA)</li> </ul> <p>See the full roadmap: <a href="https://github.com/jimmy058910/jmo-security-repo/blob/main/ROADMAP.md" rel="noopener noreferrer">ROADMAP.md</a></p> <h3> Try It Yourself </h3> <p><strong>Quick Start (Docker - Zero Installation):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker run <span class="nt">-v</span> <span class="si">$(</span><span class="nb">pwd</span><span class="si">)</span>:/scan ghcr.io/jimmy058910/jmo-security:latest <span class="se">\</span> scan <span class="nt">--repo</span> /scan/myrepo </code></pre> </div> <p><strong>Quick Start (Local Install):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>jmo-security jmotools wizard </code></pre> </div> <p><strong>Links:</strong></p> <p> </p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/jimmy058910" rel="noopener noreferrer"> jimmy058910 </a> / <a href="https://github.com/jimmy058910/jmo-security-repo" rel="noopener noreferrer"> jmo-security-repo </a> </h2> <h3> JMo Security Suite - Terminal-first security audit toolkit with many tools, multi-target scanning, &amp; compliance </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">JMo's Security Audit Tool Suite</h1> </div> <p> <a rel="noopener noreferrer" href="https://github.com/jimmy058910/jmo-security-repo/assets/jmo-logo.png"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgithub.com%2Fjimmy058910%2Fjmo-security-repo%2Fassets%2Fjmo-logo.png" alt="JMo Security Audit Tool Suite" width="220"></a> </p> <p><a href="https://github.com/jimmy058910/jmo-security-repo/actions/workflows/ci.yml?query=branch%3Amain" rel="noopener noreferrer"><img src="https://github.com/jimmy058910/jmo-security-repo/actions/workflows/ci.yml/badge.svg?branch=main" alt="Tests"></a> <a href="https://app.codecov.io/gh/jimmy058910/jmo-security-repo" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/e86d969bf907692f3c79f74decd1161f82f2626c08052d41e79ec8d2e7422118/68747470733a2f2f636f6465636f762e696f2f67682f6a696d6d793035383931302f6a6d6f2d73656375726974792d7265706f2f6272616e63682f6d61696e2f67726170682f62616467652e737667" alt="codecov"></a> <a href="https://pypi.org/project/jmo-security/" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/b5b113a90ee5a947d5ff3856a0d7232e0caa281661e89e036da1084154da4846/68747470733a2f2f696d672e736869656c64732e696f2f707970692f762f6a6d6f2d73656375726974792e737667" alt="PyPI version"></a> <a href="https://pypi.org/project/jmo-security/" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/def0a4716fee1246c98b7bd0ee9baf60fd61ff042038f6d07e91e04a453f8cf9/68747470733a2f2f696d672e736869656c64732e696f2f707970692f707976657273696f6e732f6a6d6f2d73656375726974792e737667" alt="Python Versions"></a> <a href="https://opensource.org/licenses/MIT" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/f39131127545ad7907bcecba201dabc10b0b32199c4a45b16a35959a3eb21da4/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f4c6963656e73652d4d49542532304f522532304170616368652d2d322e302d626c75652e737667" alt="License: MIT OR Apache-2.0"></a> <a href="https://hub.docker.com/r/jmogaming/jmo-security" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/1a3469f40a1fae83d07810b1234d25b3d9552b20fdd7ca4106acc11a21a56eda/68747470733a2f2f696d672e736869656c64732e696f2f646f636b65722f70756c6c732f6a6d6f67616d696e672f6a6d6f2d7365637572697479" alt="Docker Pulls"></a> <a href="https://github.com/jimmy058910/jmo-security-repo" rel="noopener noreferrer"><img src="https://camo.githubusercontent.com/ed87c41cd3f4caacfbe8e0707dc0e03360c388048314c33d5838a0969d1b988d/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f73746172732f6a696d6d793035383931302f6a6d6f2d73656375726974792d7265706f3f7374796c653d736f6369616c" alt="GitHub Stars"></a> <a href="https://docs.jmotools.com" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/5b32dacc44d07984dcc1de654273926bf78516dcbcf27271b3998deaced9bfd5/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f646f63732d52656164546865446f63732d626c75652e737667" alt="Documentation"></a> <a href="https://blog.jmotools.com" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/c3620cb277ed58d1c524189d36c7ec1e4f2ecdfcd1f4f2f053008f3edc2b88d2/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f626c6f672d486173686e6f64652d3239363246462e737667" alt="Blog"></a></p> <div class="markdown-heading"> <h2 class="heading-element">📬 Stay Updated &amp; Support</h2> </div> <p><a href="https://jmotools.com/subscribe.html" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/6421d30e89db7b24b329c1a3f6cda05a4b0ed6df8f7bba3e0d16c990480b8334/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f2546302539462539332541375f4e6577736c65747465722d5375627363726962652d363637656561" alt="Newsletter"></a> <a href="https://ko-fi.com/jmogaming" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/b0a6f864d635bc158bb267a3be523aa96ec223067a191bb1486053c98e75563e/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f2546302539462539322539415f4b6f2d2d66692d537570706f72742d6666356535623f6c6f676f3d6b6f2d6669266c6f676f436f6c6f723d7768697465" alt="Ko-fi"></a> <a href="https://github.com/sponsors/jimmy058910" rel="noopener noreferrer"><img src="https://camo.githubusercontent.com/6514015aec0cdc50392511c53062fd1b18c88015cefbb25a159cef32997d0e50/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f2546302539462539322542305f53706f6e736f722d4769744875622d6561346161613f6c6f676f3d676974687562266c6f676f436f6c6f723d7768697465" alt="GitHub Sponsors"></a></p> <p><strong>Get security tips and updates delivered to your inbox:</strong></p> <ul> <li>🚀 New feature announcements</li> <li>💡 Real-world security case studies &amp; exclusive guides</li> </ul> <p><strong><a href="https://jmotools.com/subscribe.html" rel="nofollow noopener noreferrer">Subscribe to Newsletter</a></strong> | <strong><a href="https://ko-fi.com/jmogaming" rel="nofollow noopener noreferrer">Support Full-Time Development</a></strong></p> <p>A terminal-first, cross-platform security audit toolkit that orchestrates multiple scanners (secrets, SAST, SBOM, IaC, Dockerfile) with a unified Python CLI, normalized outputs, and an HTML dashboard.</p> <p>👉 New here? Read the comprehensive User Guide: <a href="https://github.com/jimmy058910/jmo-security-repo/docs/USER_GUIDE.md" rel="noopener noreferrer">docs/USER_GUIDE.md</a> Docs hub: <a href="https://github.com/jimmy058910/jmo-security-repo/docs/index.md" rel="noopener noreferrer">docs/index.md</a> Project homepage: <a href="https://jmotools.com" rel="nofollow noopener noreferrer">jmotools.com</a></p> <blockquote> <p><strong>Origin Story:</strong> Built as my capstone project for <strong>Institute of Data × Michigan Tech University's Cybersecurity Bootcamp</strong> (graduated October 2025). Now a production-grade security platform. <strong>Actively seeking cybersecurity/DevSecOps roles</strong> — let's connect! Issues and PRs welcome.</p> </blockquote> <p>Thinking about contributing? See <a href="https://github.com/jimmy058910/jmo-security-repo/CONTRIBUTING.md" rel="noopener noreferrer">CONTRIBUTING.md</a> for setup and coding standards. For publishing, see <a href="https://github.com/jimmy058910/jmo-security-repo/docs/RELEASE.md" rel="noopener noreferrer">docs/RELEASE.md</a>.</p> <p>Roadmap &amp; history:</p> <ul> <li> <strong>Latest:</strong> ROADMAP #2 (Interactive Wizard) ✅ Complete - see <a href="https://github.com/jimmy058910/jmo-security-repo/docs/examples/wizard-examples.md" rel="noopener noreferrer">docs/examples/wizard-examples.md</a> </li> <li>Completed steps (summary): see <a href="https://github.com/jimmy058910/jmo-security-repo/CHANGELOG.md" rel="noopener noreferrer">CHANGELOG.md</a> → ROADMAP…</li> </ul> </div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/jimmy058910/jmo-security-repo" rel="noopener noreferrer">View on GitHub</a></div> </div> <ul> <li>📖 Documentation: <a href="https://docs.jmotools.com" rel="noopener noreferrer">docs.jmotools.com</a> </li> <li>💼 LinkedIn: <a href="https://www.linkedin.com/in/jimmy-moceri/" rel="noopener noreferrer">linkedin.com/in/jimmy-moceri</a> </li> <li>💚 Support: <a href="https://ko-fi.com/jmogaming" rel="noopener noreferrer">ko-fi.com/jmogaming</a> </li> <li>💰 Sponsor: <a href="https://github.com/sponsors/jimmy058910" rel="noopener noreferrer">github.com/sponsors/jimmy058910</a> </li> </ul> <h3> Get Updates </h3> <p>I'm sharing:</p> <ul> <li>Real-world security case studies</li> <li>New feature announcements</li> <li>Behind-the-scenes development stories</li> </ul> <p><strong><a href="https://jmotools.com/subscribe.html" rel="noopener noreferrer">Subscribe to Newsletter</a></strong> | <strong><a href="https://github.com/jimmy058910" rel="noopener noreferrer">Follow on GitHub</a></strong></p> <h2> Final Thoughts </h2> <p>If you're juggling multiple security tools, paying for commercial scanners, or just starting in cybersecurity, <strong>I built this for you.</strong></p> <p>Those 5 critical secrets I found during my capstone? They're still out there. In production. Waiting to be exploited.</p> <p>Security teams shouldn't spend hours juggling tools. They should spend that time fixing vulnerabilities.</p> <p>JMo Security is 100% open-source, self-hosted, and free. No vendor lock-in. No data leaves your machine. No PhD in cybersecurity required.</p> <p><strong>I'm currently seeking a Cybersecurity, DevSecOps, or Application Security roles</strong> where I can combine hands-on technical skills with a process-oriented mindset.</p> <p>I'd love your feedback—issues, PRs, and stars are all welcome. Let's connect if you're building security teams that value both technical depth and operational excellence.</p> <p>Let's make security accessible to everyone.</p> <p>— James (JMo) Moceri</p> cybersecurity opensource security devops