The solution? Automation. But here's the problem: most security tools don't integrate cleanly with CI/CD platforms. You end up writing YAML by hand, copying configs between projects, and maintaining a dozen different cron schedules.

I built JMo Security to orchestrate 12+ security scanners (Trivy, Semgrep, TruffleHog, Checkov, ZAP, Nuclei, etc.) with a unified CLI. Version 0.8.0 adds the missing piece: enterprise-grade scheduling and CI/CD integration.

What's New in v0.8.0

1. Kubernetes-Style Schedule Management

If you've worked with Kubernetes CronJobs, this will feel instantly familiar:

# Create a weekly security scan schedule
jmo schedule create prod-security-audit \
  --cron "0 2 * * 1" \
  --profile balanced \
  --repo ./myapp \
  --image myapp:latest \
  --url https://myapp.com \
  --backend gitlab-ci \
  --slack-webhook "https://hooks.slack.com/services/YOUR/WEBHOOK"

This creates a schedule resource with Kubernetes-style metadata, spec, and status fields:

metadata:
  name: prod-security-audit
  uid: f47ac10b-58cc-4372-a567-0e02b2c3d479
  creationTimestamp: "2025-10-28T14:30:00Z"
spec:
  schedule: "0 2 * * 1"  # Every Monday at 2 AM
  jobTemplate:
    spec:
      profile: balanced
      targets:
        repo: ./myapp
        image: myapp:latest
        url: https://myapp.com
      notifications:
        channels:
          - type: slack
            url: "https://hooks.slack.com/..."
  backend:
    type: gitlab-ci
status:
  lastScheduleTime: null
  nextScheduleTime: "2025-11-04T02:00:00Z"

Schedules are stored locally in ~/.jmo/schedules.json with secure permissions (0o600). No cloud dependencies.

2. GitLab CI/CD Workflow Generation

Once you've defined a schedule, export it to a ready-to-use GitLab CI pipeline:

jmo schedule export prod-security-audit > .gitlab-ci.yml

This generates a complete .gitlab-ci.yml with:

• Profile-based jobs (fast/balanced/deep)

• Multi-target support (repos, containers, IaC, web apps, K8s clusters)

• Slack notifications on success/failure

• Artifact uploads (JSON findings, HTML dashboard, SARIF reports)

• Pipeline schedules matching your cron syntax

Example generated pipeline:

# Generated by JMo Security Schedule Manager
# Schedule: prod-security-audit (0 2 * * 1)

variables:
  JMO_PROFILE: "balanced"
  SLACK_WEBHOOK_URL: "https://hooks.slack.com/services/YOUR/WEBHOOK"

stages:
  - scan
  - notify

jmo-security-scan:
  stage: scan
  image: jmogaming/jmo-security:latest
  script:
    - jmo scan --profile balanced --repo . --image myapp:latest --url https://myapp.com
    - jmo report ./results --profile
  artifacts:
    reports:
      sast: results/summaries/findings.sarif
    paths:
      - results/
    expire_in: 30 days
  only:
    - schedules

notify-slack-success:
  stage: notify
  image: curlimages/curl:latest
  script:
    - |
      curl -X POST "$SLACK_WEBHOOK_URL" \
        -H 'Content-Type: application/json' \
        -d "{
          \"text\": \"✅ Security scan PASSED: $CI_PIPELINE_URL\",
          \"attachments\": [{
            \"color\": \"good\",
            \"fields\": [
              {\"title\": \"Commit\", \"value\": \"$CI_COMMIT_SHORT_SHA\", \"short\": true},
              {\"title\": \"Branch\", \"value\": \"$CI_COMMIT_BRANCH\", \"short\": true}
            ]
          }]
        }"
  only:
    - schedules
  when: on_success

notify-slack-failure:
  stage: notify
  image: curlimages/curl:latest
  script:
    - |
      curl -X POST "$SLACK_WEBHOOK_URL" \
        -H 'Content-Type: application/json' \
        -d "{
          \"text\": \"❌ Security scan FAILED: $CI_PIPELINE_URL\",
          \"attachments\": [{
            \"color\": \"danger\",
            \"fields\": [
              {\"title\": \"Commit\", \"value\": \"$CI_COMMIT_SHORT_SHA\", \"short\": true},
              {\"title\": \"Branch\", \"value\": \"$CI_COMMIT_BRANCH\", \"short\": true}
            ]
          }]
        }"
  only:
    - schedules
  when: on_failure

3. Slack Notifications

Slack integration is built-in. Configure webhooks in your schedule:

notifications:
  channels:
    - type: slack
      url: "https://hooks.slack.com/services/YOUR/WEBHOOK"

Notifications include:

• ✅ Pipeline status (success/failure)

• 📊 Commit info (SHA, branch, author)

• 🔍 Findings count (when available)

• 🔗 Direct link to pipeline

Why This Matters

Before v0.8.0, you had three options:

1. Manual scans — Inconsistent, easy to forget

2. Hand-written CI/CD YAML — Error-prone, hard to maintain across projects

3. Third-party services — Expensive, cloud dependencies, vendor lock-in

Now you have a fourth option:

• Declarative schedules stored locally

• Auto-generated CI/CD configs for GitLab (GitHub Actions coming soon)

• Zero cloud dependencies (except Slack webhooks, optional)

• 100% open source

Real-World Use Cases

Use Case 1: Multi-Environment Security Gates

# Dev environment: Fast scans on every commit
jmo schedule create dev-security \
  --cron "*/15 * * * *" \
  --profile fast \
  --repo . \
  --backend gitlab-ci

# Staging: Balanced scans nightly
jmo schedule create staging-security \
  --cron "0 1 * * *" \
  --profile balanced \
  --repo . \
  --image staging:latest \
  --url https://staging.example.com \
  --backend gitlab-ci \
  --slack-webhook "$STAGING_SLACK_WEBHOOK"

# Production: Deep scans weekly
jmo schedule create prod-security \
  --cron "0 2 * * 0" \
  --profile deep \
  --repo . \
  --image prod:latest \
  --url https://example.com \
  --k8s-context prod \
  --backend gitlab-ci \
  --slack-webhook "$PROD_SLACK_WEBHOOK"

Use Case 2: Compliance Automation

JMo Security auto-enriches findings with 6 compliance frameworks (OWASP Top 10, CWE Top 25, NIST CSF 2.0, PCI DSS 4.0, CIS Controls v8.1, MITRE ATT&CK). Schedule weekly compliance reports:

jmo schedule create compliance-weekly \
  --cron "0 9 * * 1" \
  --profile balanced \
  --repo . \
  --image app:latest \
  --terraform-state infrastructure.tfstate \
  --backend gitlab-ci \
  --slack-webhook "$COMPLIANCE_SLACK_WEBHOOK"

Pipeline artifacts include:

• COMPLIANCE_SUMMARY.md — Cross-framework compliance status

• PCI_DSS_COMPLIANCE.md — PCI DSS 4.0 detailed report

• attack-navigator.json — MITRE ATT&CK Navigator heatmap

Use Case 3: GitOps Workflow

Commit schedules to version control:

# Create schedules
jmo schedule create security-scan --cron "0 2 * * *" --profile balanced --repo .

# Export to GitLab CI
jmo schedule export security-scan > .gitlab-ci.yml

# Commit and push
git add .gitlab-ci.yml
git commit -m "ci: add automated security scans"
git push

# GitLab automatically picks up the pipeline schedule

Architecture Deep Dive

Storage

Schedules are stored in ~/.jmo/schedules.json with strict permissions:

{
  "schedules": [
    {
      "metadata": {
        "name": "prod-security-audit",
        "uid": "f47ac10b-58cc-4372-a567-0e02b2c3d479",
        "creationTimestamp": "2025-10-28T14:30:00Z"
      },
      "spec": {
        "schedule": "0 2 * * 1",
        "jobTemplate": { ... },
        "backend": { "type": "gitlab-ci" }
      },
      "status": {
        "nextScheduleTime": "2025-11-04T02:00:00Z"
      }
    }
  ]
}

Cron Validation

Uses croniter library for full cron syntax support:

• Standard 5-field cron (0 2 * * 1)

• Extended syntax (ranges, steps, lists)

• Timezone support (UTC default)

• Next run calculation

Backend Abstraction

Designed for extensibility:

• gitlab-ci (v0.8.0)

• github-actions (planned v0.9.0)

• local-cron (planned v0.9.0)

• jenkins (community request)

Getting Started

Option 1: Docker (Zero Installation)

docker pull jmogaming/jmo-security:0.8.0
docker run --rm -it \
  -v "$(pwd):/scan" \
  jmogaming/jmo-security:0.8.0 \
  schedule create my-scan --cron "0 2 * * *" --profile balanced --repo .

Option 2: PyPI

pip install jmo-security==0.8.0
jmo schedule create my-scan --cron "0 2 * * *" --profile balanced --repo .

Option 3: GitHub Clone

git clone https://github.com/jimmy058910/jmo-security-repo.git
cd jmo-security-repo
make dev-deps
jmo schedule create my-scan --cron "0 2 * * *" --profile balanced --repo .

Upgrade Notes

Breaking Changes: None. v0.8.0 is fully backward-compatible.

New Dependencies:

• croniter>=2.0 (cron parsing)

• types-croniter (type hints)

Install with: pip install --upgrade jmo-security[scheduling]

What's Next

v0.9.0 Roadmap:

• GitHub Actions workflow generation

• Full local cron integration

• Schedule templating (reusable schedule configs)

• Multi-region scheduling (different timezones per schedule)

• Schedule dependency chains ("run scan B after scan A succeeds")

See full roadmap: ROADMAP.md

Contributing

JMo Security is 100% open source (MIT OR Apache-2.0 dual-licensed). Contributions welcome:

• 🐛 Report bugs: GitHub Issues

• 💡 Feature requests: GitHub Discussions

• 🔧 Pull requests: CONTRIBUTING.md

Looking to hire? I'm a recent cybersecurity bootcamp graduate (Michigan Tech × Institute of Data, October 2025) actively seeking cybersecurity/DevSecOps roles. JMo Security started as my capstone project and evolved into a production-grade platform. Connect with me on LinkedIn.

Support the Project

• ⭐ Star on GitHub: jimmy058910/jmo-security-repo

• 💚 Support on Ko-fi: ko-fi.com/jmogaming

• 💰 Sponsor on GitHub: github.com/sponsors/jimmy058910

• 📧 Subscribe to newsletter: jmotools.com/subscribe.html

Links:

• Documentation: docs.jmotools.com

• Blog: blog.jmotools.com

• GitHub: github.com/jimmy058910/jmo-security-repo

• PyPI: pypi.org/project/jmo-security/

• Docker Hub: [hub.docker.com/r/jmogaming/jmo-security

I just completed the Institute of Data / Michigan Tech Cybersecurity program, and for my capstone project, I scanned 22 random GitHub repositories with 4 secrets scanning tools.

The results shocked me:

• 🚨 1,562 security findings across 22 repos

• 🔴 5 CRITICAL verified secrets (live API keys, active tokens)

• 🟠 579 HIGH severity issues (hardcoded credentials, weak crypto, injection flaws)

• 📊 Only 3.5% false positive rate

But here's the real problem: I had to manually parse 4 different JSON formats, spend 3-4 hours aggregating results, and then map findings to compliance frameworks (OWASP, PCI DSS, NIST) by hand.

Each one of those 5 critical secrets was a potential data breach waiting to happen. And most developers don't even know their secrets are exposed until it's far too late.

So, I built a solution.

The Problem: Security Scanning Is Unnecessarily Complicated

During my bootcamp, I researched "Vibe Coding" platforms—tools like Replit, Lovable, and AI code generators that let anyone build apps without traditional coding. These platforms are amazing for accessibility, but they introduce serious vulnerabilities.

Here's what frustrated me: how are non-technical users supposed to catch security issues?

Most security scanners assume you have:

• A dedicated security team

• Deep knowledge of tool configurations

• Time to learn 5+ different tools

• $50,000/year for commercial platforms

• A Linux/macOS environment (Windows users? Good luck.)

For solo developers, small teams, and bootcamp graduates like me, this was a non-starter.

I needed a tool that just worked.

The Solution: JMo Security

JMo Security is an open-source security audit toolkit that integrates 11+ industry-standard scanners into one unified platform.

Instead of juggling Trivy, Semgrep, TruffleHog, OWASP ZAP, and 7 other tools, you get one command and one dashboard.

What Makes It Different

1. Multi-Target Scanning (One Command, Six Asset Types)

Most scanners only work on Git repositories. JMo scans:

• 📦 Repositories (local Git repos)

• 🐳 Container images (Docker/OCI)

• ☁️ IaC files (Terraform, CloudFormation, Kubernetes manifests)

• 🌐 Live websites (DAST with OWASP ZAP)

• 🦊 GitLab repos (with TruffleHog verified secrets)

• ⎈ Kubernetes clusters (live cluster scanning)

Example: Scan your app, its container, and your production website in one command:

jmo scan \
  --repo ./myapp \
  --image myapp:latest \
  --url https://myapp.com \
  --k8s-context prod

Result: One unified dashboard with deduplicated findings across all targets.

2. Compliance Automation (No More Manual Mapping)

Remember those 3-4 hours I spent manually mapping findings to compliance frameworks? JMo does it automatically.

Every finding is auto-tagged with six compliance frameworks:

• OWASP Top 10 2021 - Web application security risks

• CWE Top 25 2024 - Most dangerous software weaknesses

• NIST Cybersecurity Framework 2.0 - Federal compliance

• PCI DSS 4.0 - Payment card industry standards

• CIS Controls v8.1 - Critical security controls

• MITRE ATT&CK - Adversary tactics and techniques

Real talk: This feature alone could have saved me many hours during my capstone. What used to take days now takes 5 minutes.

3. Beginner-Friendly (5-Minute First Scan)

Interactive wizard guides first-time users:

jmotools wizard

The wizard:

• Detects your environment (Docker available? Use that!)

• Recommends scan profiles (fast/balanced/deep)

• Auto-discovers repositories and URLs

• Shows command preview before running

• Opens results when done

No security knowledge required.

4. Windows Support (Docker Mode)

Most security tools don't work on Windows. JMo's Docker mode delivers 100% tool coverage on Windows/WSL2:

docker run -v $(pwd):/scan ghcr.io/jimmy058910/jmo-security:latest \
  scan --repo /scan/myapp

Zero installation. Full tool suite. Works everywhere.

How It Works

JMo uses a two-phase architecture:

Phase 1: Scan

• Runs 11 tools in parallel (configurable threads)

• Writes raw JSON outputs to results/

• Supports timeouts and retries for flaky tools

Phase 2: Report

• Normalizes all findings to a unified schema

• Deduplicates by fingerprint ID

• Enriches with compliance frameworks

• Generates dashboard, SARIF, JSON, Markdown

Tools Orchestrated (v0.7.0)

• Secrets: TruffleHog (verified secrets), Nosey Parker (deep scanning)

• SAST: Semgrep (multi-language), Bandit (Python-specific)

• SBOM + Vuln: Syft (SBOM), Trivy (CVE scanning)

• IaC: Checkov (policy-as-code)

• Dockerfile: Hadolint (best practices)

• DAST: OWASP ZAP (web security), Nuclei (API security)

• Runtime: Falco (container/K8s monitoring)

• Fuzzing: AFL++ (coverage-guided fuzzing)

Real-World Example

Scenario: Audit a web app before production launch.

# Scan repo + Docker image + live staging environment
jmo scan \
  --repo ./webapp \
  --image webapp:staging \
  --url https://staging.myapp.com \
  --profile-name balanced \
  --results-dir ./audit

# Generate compliance report
jmo report ./audit --profile

Output:

• dashboard.html — Interactive findings with suggested fixes

• COMPLIANCE_SUMMARY.md — Auto-mapped to OWASP/NIST/PCI DSS

• findings.sarif — Upload to GitHub Security tab

• timings.json — Performance profiling

Time: 15 minutes (vs. 8+ hours manually running tools)

Why Open Source?

I'm building this in public for three reasons:

1. Security tools should be accessible.

Not everyone has $50,000/year for commercial scanners. Those 5 critical secrets I found? They were in open-source projects maintained by solo developers and small teams. They deserve enterprise-grade security without the enterprise price tag.

2. I'm learning (and I want feedback).

After 12+ years in operational management, I'm bringing that process-oriented mindset to cybersecurity. I want experienced engineers to tear this apart, suggest improvements, and help me build something truly useful for all.

3. I believe in giving back.

The bootcamp and open-source community helped me plenty of times over my lifetime. This is my way of contributing—and hopefully making security less painful for the next person.

Current Status

• ✅ 272 tests passing (91% coverage)

• ✅ v0.7.1 released (multi-target wizard addition)

• ✅ PyPI package (pip install jmo-security)

• ✅ Docker images (3 variants: full/slim/alpine)

• ✅ CI/CD ready (GitHub Actions examples included)

What's Next

I'm actively working on:

• Scheduled scans with cron support

• Machine-readable diff reports (compare scans over time)

• Plugin system for custom tools

• Policy-as-Code integration (OPA)

See the full roadmap: ROADMAP.md

Try It Yourself

Quick Start (Docker - Zero Installation):

docker run -v $(pwd):/scan ghcr.io/jimmy058910/jmo-security:latest \
  scan --repo /scan/myrepo

Quick Start (Local Install):

pip install jmo-security
jmotools wizard

Links:

• 📦 GitHub: github.com/jimmy058910/jmo-security-repo

• 📖 Documentation: docs.jmotools.com

• 💼 LinkedIn: linkedin.com/in/jimmy-moceri/

• 💚 Support: ko-fi.com/jmogaming

• 💰 Sponsor: github.com/sponsors/jimmy058910

Get Updates

I'm sharing:

• Real-world security case studies

• New feature announcements

• Behind-the-scenes development stories

Subscribe to Newsletter | Follow on GitHub

Final Thoughts

If you're juggling multiple security tools, paying for commercial scanners, or just starting in cybersecurity, I built this for you.

Those 5 critical secrets I found during my capstone project? They're still out there. In production. Waiting to be exploited.

Security teams shouldn't spend hours juggling tools. They should spend that time fixing vulnerabilities.

JMo Security is 100% open-source, self-hosted, and free. No vendor lock-in. No data leaves your machine. No PhD in cybersecurity required.

I'm currently seeking a Cybersecurity, DevSecOps, or Application Security roles where I can combine hands-on technical skills with a process-oriented mindset.

I'd love your feedback—issues, PRs, and stars are all welcome. Let's connect if you're building security teams that value both technical depth and operational excellence.

Let's make security accessible to everyone.

— James Moceri (JMo)

Tags: cybersecurity opensource devsecops security appsec python docker