Why I Built a Free Security Scanner That Makes Sense

I just completed the Institute of Data / Michigan Tech Cybersecurity program, and for my capstone project, I scanned 22 random GitHub repositories with 4 secrets scanning tools.

The results shocked me:

• 🚨 1,562 security findings across 22 repos
• 🔴 5 CRITICAL verified secrets (live API keys, active tokens)
• 🟠 579 HIGH severity issues (hardcoded credentials, weak crypto, injection flaws)
• 📊 Only 3.5% false positive rate

But here's the real problem: I had to manually parse 4 different JSON formats, spend 3-4 hours aggregating results, and then map findings to compliance frameworks (OWASP, PCI DSS, NIST) by hand.

Each one of those 5 critical secrets was a potential data breach waiting to happen. And most developers don't even know their secrets are exposed until it's too late.

So I built a solution.

The Problem: Security Scanning Is Unnecessarily Complicated

During my bootcamp, I researched "Vibe Coding" platforms—tools like Replit, Lovable, and AI code generators that let anyone build apps without traditional coding. These platforms are amazing for accessibility, but they introduce serious vulnerabilities.

Here's what frustrated me: how are non-technical users supposed to catch security issues?

Most security scanners assume you have:

• A dedicated security team
• Deep knowledge of tool configurations
• Time to learn 5+ different tools
• $$$/year for commercial platforms
• A Linux/macOS environment (Windows users? Good luck.)

For solo developers, small teams, and bootcamp graduates like me, this was a non-starter.

I needed a tool that just worked.

The Solution: JMo Security

JMo Security is an open-source security audit toolkit that integrates 11+ industry-standard scanners into one unified platform.

Instead of juggling Trivy, Semgrep, TruffleHog, OWASP ZAP, and 7 other tools, you get one command and one dashboard.

What Makes It Different

1. Multi-Target Scanning (One Command, Six Asset Types)

Most scanners only work on Git repositories. JMo scans:

• 📦 Repositories (local Git repos)
• 🐳 Container images (Docker/OCI)
• ☁️ IaC files (Terraform, CloudFormation, Kubernetes manifests)
• 🌐 Live websites (DAST with OWASP ZAP)
• 🦊 GitLab repos (with TruffleHog verified secrets)
• ⎈ Kubernetes clusters (live cluster scanning)

Example: Scan your app, its container, and your production website in one command:

jmo scan \
  --repo ./myapp \
  --image myapp:latest \
  --url https://myapp.com \
  --k8s-context prod

Result: One unified dashboard with deduplicated findings across all targets.

2. Compliance Automation (No More Manual Mapping)

Remember those 3-4 hours I spent manually mapping findings to compliance frameworks? JMo does it automatically.

Every finding is auto-tagged with six compliance frameworks:

• OWASP Top 10 2021 - Web application security risks
• CWE Top 25 2024 - Most dangerous software weaknesses
• NIST Cybersecurity Framework 2.0 - Federal compliance
• PCI DSS 4.0 - Payment card industry standards
• CIS Controls v8.1 - Critical security controls
• MITRE ATT&CK - Adversary tactics and techniques

Real talk: This feature alone saved me 40+ hours during my capstone. What used to take days now takes 5 minutes.

3. Beginner-Friendly (5-Minute First Scan)

Interactive wizard guides first-time users:

jmotools wizard

The wizard:

• Detects your environment (Docker available? Use that!)
• Recommends scan profiles (fast/balanced/deep)
• Auto-discovers repositories and URLs
• Shows command preview before running
• Opens results when done

No security knowledge required.

4. Windows Support (Docker Mode)

Most security tools don't work on Windows. JMo's Docker mode delivers 100% tool coverage on Windows/WSL2:

docker run -v $(pwd):/scan ghcr.io/jimmy058910/jmo-security:latest \
  scan --repo /scan/myapp

Zero installation. Full tool suite. Works everywhere.

How It Works

JMo uses a two-phase architecture:

Phase 1: Scan

• Runs 11 tools in parallel (configurable threads)
• Writes raw JSON outputs to results/
• Supports timeouts and retries for flaky tools

Phase 2: Report

• Normalizes all findings to a unified schema
• Deduplicates by fingerprint ID
• Enriches with compliance frameworks
• Generates dashboard, SARIF, JSON, Markdown

Tools Orchestrated (v0.7.0)

• Secrets: TruffleHog (verified secrets), Nosey Parker (deep scanning)
• SAST: Semgrep (multi-language), Bandit (Python-specific)
• SBOM + Vuln: Syft (SBOM), Trivy (CVE scanning)
• IaC: Checkov (policy-as-code)
• Dockerfile: Hadolint (best practices)
• DAST: OWASP ZAP (web security), Nuclei (API security)
• Runtime: Falco (container/K8s monitoring)
• Fuzzing: AFL++ (coverage-guided fuzzing)

Real-World Example

Scenario: Audit a web app before production launch.

# Scan repo + Docker image + live staging environment
jmo scan \
  --repo ./webapp \
  --image webapp:staging \
  --url https://staging.myapp.com \
  --profile-name balanced \
  --results-dir ./audit

# Generate compliance report
jmo report ./audit --profile

Output:

• dashboard.html — Interactive findings with suggested fixes
• COMPLIANCE_SUMMARY.md — Auto-mapped to OWASP/NIST/PCI DSS
• findings.sarif — Upload to GitHub Security tab
• timings.json — Performance profiling

Time: 15 minutes (vs. 8+ hours manually running tools)

Why Open Source?

I'm building this in public for three reasons:

1. Security tools should be accessible.

Not everyone has $$$/year for commercial scanners. Those 5 critical secrets I found? They were in open-source projects maintained by solo developers and small teams. They deserve enterprise-grade security without the enterprise price tag.

2. I'm learning (and I want feedback).

After 12+ years in operational management, I'm bringing that process-oriented mindset to cybersecurity. I want experienced engineers to tear this apart, suggest improvements, and help me build something truly useful.

3. I believe in giving back.

The open-source community helped me many times over my lifetime. This is my way of contributing—and hopefully making security less painful for the next person.

Current Status

• ✅ 272 tests passing (91% coverage)
• ✅ v0.7.0 released (privacy-first telemetry, multi-target wizard)
• ✅ PyPI package (pip install jmo-security)
• ✅ Docker images (3 variants: full/slim/alpine)
• ✅ CI/CD ready (GitHub Actions examples included)

What's Next

I'm actively working on:

• Scheduled scans with cron support
• Machine-readable diff reports (compare scans over time)
• Plugin system for custom tools
• Policy-as-Code integration (OPA)

See the full roadmap: ROADMAP.md

Try It Yourself

Quick Start (Docker - Zero Installation):

docker run -v $(pwd):/scan ghcr.io/jimmy058910/jmo-security:latest \
  scan --repo /scan/myrepo

Quick Start (Local Install):

pip install jmo-security
jmotools wizard

Links:

jimmy058910 / jmo-security-repo

JMo Security Suite - Terminal-first security audit toolkit with many tools, multi-target scanning, & compliance

JMo's Security Audit Tool Suite

📬 Stay Updated & Support

Get security tips and updates delivered to your inbox:

• 🚀 New feature announcements
• 💡 Real-world security case studies & exclusive guides

Subscribe to Newsletter | Support Full-Time Development

---

A terminal-first, cross-platform security audit toolkit that orchestrates multiple scanners (secrets, SAST, SBOM, IaC, Dockerfile) with a unified Python CLI, normalized outputs, and an HTML dashboard.

👉 New here? Read the comprehensive User Guide: docs/USER_GUIDE.md Docs hub: docs/index.md Project homepage: jmotools.com

Origin Story: Built as my capstone project for Institute of Data × Michigan Tech University's Cybersecurity Bootcamp (graduated October 2025). Now a production-grade security platform. Actively seeking cybersecurity/DevSecOps roles — let's connect! Issues and PRs welcome.

Thinking about contributing? See CONTRIBUTING.md for setup and coding standards. For publishing, see docs/RELEASE.md.

Roadmap & history:

• Latest: ROADMAP #2 (Interactive Wizard) ✅ Complete - see docs/examples/wizard-examples.md
• Completed steps (summary): see CHANGELOG.md → ROADMAP…

View on GitHub

• 📖 Documentation: docs.jmotools.com
• 💼 LinkedIn: linkedin.com/in/jimmy-moceri
• 💚 Support: ko-fi.com/jmogaming
• 💰 Sponsor: github.com/sponsors/jimmy058910

Get Updates

I'm sharing:

• Real-world security case studies
• New feature announcements
• Behind-the-scenes development stories

Subscribe to Newsletter | Follow on GitHub

---

Final Thoughts

If you're juggling multiple security tools, paying for commercial scanners, or just starting in cybersecurity, I built this for you.

Those 5 critical secrets I found during my capstone? They're still out there. In production. Waiting to be exploited.

Security teams shouldn't spend hours juggling tools. They should spend that time fixing vulnerabilities.

JMo Security is 100% open-source, self-hosted, and free. No vendor lock-in. No data leaves your machine. No PhD in cybersecurity required.

I'm currently seeking a Cybersecurity, DevSecOps, or Application Security roles where I can combine hands-on technical skills with a process-oriented mindset.

I'd love your feedback—issues, PRs, and stars are all welcome. Let's connect if you're building security teams that value both technical depth and operational excellence.

Let's make security accessible to everyone.

— James (JMo) Moceri