JMo's Security Audit Tool Suite v0.8.0 | Automated Security Scanning

Comprehensive Security Coverage Across All Asset Types

Scan 6 different target types with one unified platform—replace 5+ separate security tools.

🎯

Multi-Target Scanning (v0.6.0)

Scan repositories, container images, IaC files, web apps, GitLab repos, and Kubernetes clusters in one unified workflow.

6 target types, one CLI
Parallel execution
Unified reporting

🐳

Container Image Scanning

Scan Docker/OCI images with Trivy and Syft for vulnerabilities, secrets, misconfigurations, and SBOMs.

Registry-wide audits
CI/CD gates
Batch scanning from file

☁️

Infrastructure as Code Scanning

Scan Terraform, CloudFormation, and Kubernetes manifests with Checkov and Trivy for policy compliance.

Pre-deployment validation
Multi-cloud support
Policy enforcement

🌐

Live Web Application Scanning (DAST)

Dynamic security testing of web apps and APIs with OWASP ZAP for runtime vulnerabilities.

Production app scanning
API endpoint testing
OpenAPI/Swagger support

🔐

Repository & GitLab Scanning

Detect verified secrets with TruffleHog, SAST with Semgrep, and comprehensive coverage for repositories and GitLab.

GitHub + GitLab support
95% false positive reduction
Multi-language SAST

☸️

Kubernetes Cluster Scanning

Live K8s cluster security audits with Trivy for vulnerabilities, misconfigurations, and compliance.

Live cluster audits
Namespace filtering
Compliance checks

⏰

Scheduled Scans (v0.8.0) 🆕

Automate recurring security scans with GitHub Actions, GitLab CI, or local cron. Set up once, scan continuously.

3 scheduling backends
Kubernetes-inspired API
Multi-target scheduling
Wizard integration

📜

Compliance Automation (v0.5.1)

Automated compliance reporting for 6 frameworks: OWASP, CWE, NIST CSF, PCI DSS, CIS Controls, MITRE ATT&CK.

Automated mapping
Audit-ready reports
Risk prioritization

📊

Comprehensive Reporting

Beautiful HTML dashboards, SARIF output, JSON/YAML exports, compliance reports, and Markdown summaries.

Multiple output formats
Unified findings
Dashboard v2.1 with filters

Three Ways to Get Started

Choose the approach that best fits your experience level and workflow.

Install JMo Security (One-Time)

pipx install "jmo-security[reporting]"

Recommended: Beginner-friendly with step-by-step guidance

Launch Interactive Wizard

jmotools wizard

The wizard guides you through profile selection, Docker vs native, target selection, and more!

Follow the Prompts

Choose profile (fast/balanced/deep)
Select Docker or native mode
Pick scan target (auto-detection available)
Review and confirm settings
Wizard runs scan and opens results automatically!

💡

Non-Interactive Mode

jmotools wizard --yes  # Use smart defaults

Perfect for automation and CI/CD pipelines!

Pull Docker Image (One-Time)

docker pull ghcr.io/jimmy058910/jmo-security:latest

Zero tool installation! All 11+ scanners pre-installed (~500MB)

Scan Current Directory

docker run --rm -v $(pwd):/scan \
  ghcr.io/jimmy058910/jmo-security:latest \
  scan --repo /scan --results /scan/results \
  --profile balanced --human-logs

View Results

# macOS
open results/summaries/dashboard.html

# Linux
xdg-open results/summaries/dashboard.html

Interactive dashboard with filters, sorting, and exports!

🐳

Image Variants

:latest (~500MB) - All 11+ scanners
:slim (~200MB) - 6 core scanners for CI/CD
:alpine (~150MB) - Minimal footprint

Install JMo Security

pipx install "jmo-security[reporting]"

Or: pip install --user "jmo-security[reporting]"

Clone Repository (for Makefile)

git clone https://github.com/jimmy058910/jmo-security-repo.git
cd jmo-security-repo

Install Security Tools

make tools

Auto-detects Linux/WSL/macOS and installs trufflehog, semgrep, trivy, syft, checkov, hadolint, OWASP ZAP, and more

Run Your First Scan

jmotools balanced --repos-dir ~/repos

Or: make balanced DIR=~/repos

Create Schedule (2 Minutes)

jmo schedule create \
  --name nightly-deep \
  --cron "0 2 * * *" \
  --profile deep \
  --repos-dir ~/repos \
  --backend github-actions

NEW v0.8.0: Automate recurring scans with 3 backends: GitHub Actions, GitLab CI, local cron

Export Workflow File

jmo schedule export nightly-deep > .github/workflows/jmo-nightly.yml

For GitLab CI: --backend gitlab-ci > .gitlab-ci.yml

Commit and Push

git add .github/workflows/jmo-nightly.yml
git commit -m "Add nightly security scans"
git push

Done! Your repository now scans automatically every night at 2 AM UTC

💡

Common Patterns & Management

Daily: 0 2 * * * (2 AM daily)
Weekly: 0 2 * * 0 (Sunday 2 AM)
Every 6h: 0 */6 * * *
List schedules: jmo schedule list
Validate: jmo schedule validate {name}
Local cron: jmo schedule install {name} (Linux/macOS)

jmotools wizard  # Interactive scheduling via wizard!

📖 Full Documentation ⏰ Scheduling Guide (NEW) 🐳 Docker Guide 🧙 Wizard Examples 💬 Get Help

Real-World Use Cases

See how JMo Security Tools fits into your security workflow.

🎯

Multi-Target Security Audits

Scan repositories, containers, IaC, and web apps together for complete security posture visibility.

jmo scan \
  --repo ./myapp \
  --image myapp:latest \
  --url https://myapp.com \
  --k8s-context prod

Unified Comprehensive One Command

🔄

CI/CD Multi-Target Gating

Scan container images and web apps in CI/CD with severity-based gating for production deployment.

jmo ci \
  --image myapp:latest \
  --url https://staging.myapp.com \
  --fail-on HIGH

Automated Quality Gates Fast

🐳

Registry-Wide Container Audits

Batch scan all container images from a file for vulnerabilities, secrets, and compliance.

jmo scan \
  --images-file registry.txt \
  --tools trivy syft \
  --profile balanced

Batch Processing SBOM Compliance

☸️

Live Kubernetes Cluster Audits

Scan production K8s clusters for misconfigurations, vulnerabilities, and compliance violations.

jmo scan \
  --k8s-context prod \
  --k8s-all-namespaces \
  --tools trivy

Live Audits K8s Security Compliance

☁️

Infrastructure-as-Code Compliance

Pre-deployment validation of Terraform, CloudFormation, and K8s manifests for policy compliance.

jmo scan \
  --terraform-state terraform.tfstate \
  --tools checkov trivy \
  --fail-on MEDIUM

Pre-Deploy Policy Checks IaC Security

🌐

Live Web Application DAST

Dynamic security testing of production web apps and APIs for runtime vulnerabilities.

jmo scan \
  --url https://example.com \
  --api-spec swagger.json \
  --tools zap

DAST API Testing Production

⏰

Automated Scheduled Scans (v0.8.0) 🆕

Set up recurring security scans with GitHub Actions, GitLab CI, or local cron. Zero maintenance continuous security monitoring.

jmo schedule create \
  --name weekly-audit \
  --cron "0 2 * * 0" \
  --profile deep \
  --repos-dir ~/repos \
  --backend github-actions

Automated Continuous Zero Maintenance

Help Build Something Great

JMo Security Tools started as a Capstone Project and has grown into a comprehensive security suite. As a bootstrapped solo developer, I'm looking for passionate collaborators to help make this tool even better.

Ways to Contribute

💻

Code Contributions

Add features, fix bugs, improve performance

📝

Documentation

Improve guides, add examples, write tutorials

🧪

Testing & QA

Test on different platforms, report bugs

🔧

Tool Integration

Add support for new security scanners

🎨

Design & UX

Improve dashboards and reports

💡

Ideas & Feedback

Share use cases and feature requests

Contributing Guide View Issues

Support the Project

If you find this tool valuable, consider supporting its development. Your contribution helps me dedicate more time to building features and maintaining this open-source project.

Support on Ko-fi

100% of donations go directly to project development and maintenance.

Star on GitHub

Show your support by starring the repository!

Star

JMo's Security Audit Tool Suite