JMo Security v1.0.0: One Command to Run 28 Security Scanners
Running security tools on your codebase is table stakes for any serious engineering team. But the reality is painful: you need TruffleHog for secrets, Semgrep for static analysis, Trivy for container vulnerabilities, Checkov for IaC misconfigurations, OWASP ZAP for web endpoints, and a dozen others — each with different output formats, different severity scales, and different ways to invoke them.
Most teams run one or two of these. The rest get skipped because nobody has time to wire up 28 different tools.
That’s exactly the problem JMo Security was built to solve.
What is JMo Security?
JMo Security is a terminal-first, open-source security audit toolkit that orchestrates 28+ industry-standard security scanners through a single unified CLI.
One command. Every category. Normalized output.
```bash
jmo scan --profile balanced
```
That’s it. JMo invokes up to 18 tools in parallel — secrets detection, SAST, SCA, SBOM generation, IaC scanning, container analysis, DAST, shell linting, malware scanning — normalizes every finding to a common schema, deduplicates across tools (cutting noise by 30–40%), maps to 6 compliance frameworks, and outputs results in JSON, SARIF, Markdown, CSV, or an interactive HTML dashboard.
The Problem: Security Tool Fragmentation
Modern application security requires coverage across at least 8 categories:
| Category | What it catches |
|---|---|
| Secrets | API keys, tokens, credentials in code |
| SAST | Code-level vulnerabilities |
| SCA | Vulnerable dependencies |
| SBOM | Software inventory and license risk |
| IaC | Terraform, Kubernetes, Helm misconfigs |
| Container | Image-level CVEs and misconfigurations |
| DAST | Live web endpoint vulnerabilities |
| Compliance | Policy violations (CIS, NIST, PCI DSS) |
Running these individually means:
- Different invocation syntax per tool
- Different output formats (JSON, XML, SARIF, text…)
- Duplicate findings across tools (TruffleHog and Semgrep both flag the same secret)
- No unified severity scale
- No compliance mapping
- No historical tracking to measure improvement
Engineering teams either build custom glue scripts (fragile, maintenance burden) or just skip most tools (security gaps).
JMo’s Solution: The Two-Phase Architecture
JMo uses a clean two-phase approach:
Phase 1: Scan
Invokes tools in parallel based on your chosen profile. Each tool writes its raw output to a structured results directory.
Phase 2: Report
Normalizes every tool’s output to the CommonFinding schema v1.2.0, deduplicates using fingerprint-based similarity clustering (0.65 threshold), enriches with compliance framework mappings, and produces unified output.
This separation means you can re-run reports on existing results without re-scanning, swap in new output formats, and build CI/CD pipelines that consume structured JSON.
28 Tools, 12 Categories
JMo Security v1.0.0 integrates 28 scanners across 12 security categories:
| Category | Tools |
|---|---|
| Secrets | TruffleHog, Nosey Parker, Semgrep-Secrets |
| SAST | Semgrep, Bandit, Gosec, Horusec, Bearer |
| SBOM | Syft, CDXgen, ScanCode |
| SCA | Trivy, Grype, OWASP Dependency-Check |
| IaC | Checkov, Checkov-CICD |
| Cloud/CSPM | Prowler, Kubescape |
| DAST | OWASP ZAP, Nuclei, Akto |
| Dockerfile/Shell | Hadolint, ShellCheck |
| Malware | YARA |
| Mobile | MobSF |
| System | Lynis |
| Policy | OPA |
Not every tool runs every time. JMo’s scan profiles let you choose depth vs. speed:
| Profile | Tools | Time |
|---|---|---|
| fast | 9 tools | 5–10 min |
| slim | 14 tools | 12–18 min |
| balanced | 18 tools | 18–25 min |
| deep | 28 tools | 40–70 min |
Key Features
6 Compliance Framework Mappings
Every finding is automatically mapped to applicable compliance controls:
- OWASP Top 10 — Web application security
- CWE — Common Weakness Enumeration
- NIST CSF — Cybersecurity Framework
- PCI DSS — Payment card security
- CIS Controls — Center for Internet Security benchmarks
- MITRE ATT&CK — Adversarial tactics and techniques
Your security report doubles as a compliance audit artifact.
Cross-Tool Deduplication
When three secrets scanners all flag the same hardcoded API key, you shouldn’t see three separate findings. JMo’s similarity clustering identifies and deduplicates findings across tools, typically reducing alert volume by 30–40%. Less noise means your team focuses on real issues.
SQLite Historical Storage
Track your security posture over time. Every scan is stored in a local SQLite database, enabling:
```bash
jmo history list              # view all scans
jmo history compare id1 id2   # diff two scans
jmo trends analyze --days 30  # trend analysis
```
This lets you measure improvement, demonstrate compliance progress, and catch regressions before they ship.
CI/CD Integration
```bash
jmo ci --fail-on HIGH
```
One command for pipeline integration. Returns exit code 1 if findings exceed your threshold. Supports machine-readable JSON output and SARIF for GitHub Security tab integration.
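To make the two-phase report step, the cross-tool deduplication and the `--fail-on` gate concrete, here is an added toy model of that flow. It is not JMo's code: the CommonFinding-style record, the per-tool adapters, the severity mappings, the sample records and the use of difflib's ratio as a stand-in for JMo's fingerprint similarity are all constructed; only the 0.65 threshold and the exit-code rule come from the post.

```python
import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}  # one scale for every tool
@dataclass
class CommonFinding:  # stand-in for JMo's CommonFinding; these field names are assumed
    rule: str
    path: str
    line: int
    severity: str
    tools: list = field(default_factory=list)  # every scanner that reported this finding
def fingerprint(f: CommonFinding) -> str:  # tool-agnostic key compared during clustering
    rule = re.sub(r"[^a-z0-9]", "", f.rule.lower())  # drop case and punctuation from rule names
    return f"{rule}|{f.path}|{f.line}"
# Constructed raw records in each tool's own shape (not real scanner output).
RAW = {
    "trufflehog": [{"DetectorName": "AWS", "file": "app/config.py", "line": 12}],
    "noseyparker": [{"rule_name": "AWS API Key", "path": "app/config.py", "line_num": 12}],
    "semgrep": [{"check_id": "secrets.aws-access-key", "path": "app/config.py", "start": {"line": 12}, "extra": {"severity": "ERROR"}}],
    "bandit": [{"test_id": "B105", "filename": "app/db.py", "line_number": 40, "issue_severity": "MEDIUM"}],
}
# One adapter per tool maps native field names and severity scales onto the common schema.
ADAPTERS = {
    "trufflehog": lambda r, t: CommonFinding(r["DetectorName"], r["file"], r["line"], "HIGH", [t]),
    "noseyparker": lambda r, t: CommonFinding(r["rule_name"], r["path"], r["line_num"], "HIGH", [t]),
    "semgrep": lambda r, t: CommonFinding(r["check_id"], r["path"], r["start"]["line"], {"ERROR": "HIGH", "WARNING": "MEDIUM"}.get(r["extra"]["severity"], "LOW"), [t]),
    "bandit": lambda r, t: CommonFinding(r["test_id"], r["filename"], r["line_number"], r["issue_severity"], [t]),
}
def normalize(raw: dict) -> list:
    # Step 1: every raw record becomes one CommonFinding tagged with the tool that produced it
    return [ADAPTERS[tool](rec, tool) for tool, recs in raw.items() for rec in recs]

def deduplicate(findings: list, threshold: float = 0.65) -> list:  # 0.65 is the threshold the post quotes
    # Step 2: greedy similarity clustering; a finding joins the first cluster that scores >= threshold
    clusters = []
    for f in findings:
        for c in clusters:
            if SequenceMatcher(None, fingerprint(c), fingerprint(f)).ratio() >= threshold:
                c.tools.extend(f.tools)
                if SEVERITY_RANK[f.severity] > SEVERITY_RANK[c.severity]:
                    c.severity = f.severity  # a cluster keeps the worst severity any tool assigned
                break
        else:
            clusters.append(f)
    return clusters

def exit_code(findings: list, fail_on: str) -> int:
    # Gate like `jmo ci --fail-on`: 1 if any finding is at or above the threshold (inclusive is assumed)
    return int(any(SEVERITY_RANK[f.severity] >= SEVERITY_RANK[fail_on] for f in findings))
```

With the constructed input, the three secrets hits on app/config.py:12 collapse into one HIGH finding credited to all three tools, the Bandit finding stays separate, and `exit_code(merged, "HIGH")` returns 1.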
5-Minute Quickstart
Install
```bash
pip install jmo-security
jmo wizard --yes  # non-interactive setup
```
Or with Docker (no local tool installation needed):
```bash
docker pull jmogaming/jmo-security:latest
docker run -v $PWD:/scan jmogaming/jmo-security:latest scan --profile fast
```
Run a Scan
```bash
# Scan current repo (fast profile — 5-10 min)
jmo scan --profile fast

# Scan a container image
jmo scan --image nginx:latest

# Scan IaC files
jmo scan --iac ./terraform/

# Scan a web endpoint
jmo scan --url https://your-api.com
```
View Results
```bash
jmo report ./results  # Generate HTML dashboard + JSON/SARIF
```
Open results/summaries/dashboard.html in your browser for the interactive dashboard.
Open Source and Free
JMo Security is 100% free and open source under the MIT OR Apache 2.0 dual license.
- GitHub: jimmy058910/jmo-security-repo
- PyPI: `pip install jmo-security`
- Docker: `docker pull jmogaming/jmo-security`
- Docs: docs.jmotools.com
The project was built as a capstone for the Institute of Data × Michigan Tech University Cybersecurity Bootcamp (graduated October 2025) and has grown into a production-grade platform with 87% test coverage across 8,000+ tests.
What’s Next
The roadmap includes:
- API security scanning (REST endpoint enumeration)
- AI/ML model scanning for supply chain risk
- Web dashboard for multi-project views
- Contributor portal for community adapters
Follow along on GitHub or subscribe to the newsletter.
Try It Now
```bash
pip install jmo-security
jmo scan --profile fast
```
Questions or feedback? Open an issue or leave a comment below.