The motivation: I love tools like Semgrep/CodeQL, but on big monorepos I kept ending up in “run scan → go make tea” territory. RMA is my attempt at a single-binary, fast SAST + code intelligence scanner that still outputs something you can actually triage.
What you can try in the dashboard:
- Browse scan results with dedupe (unique issues vs occurrences)
- Export SARIF (GitHub Security tab friendly) and JSON
- Filter security findings by subcategory so “real vulns” don’t get drowned out by audit/hardening noise
- Default suppression for generated files (toggle to include)
A detail I’m pretty happy about: we now propagate rule metadata end-to-end (confidence, CWE/OWASP, references, impact/likelihood, etc.) so the findings carry enough context to be actionable.
If you try it, I’d love feedback on:
- what feels noisy / what feels missing,
- which repos it breaks on,
- what you’d want for CI gating (vuln-only vs audit/hardening).
Dashboard: https://rma-dashboard.bukhari-kibuka7.workers.dev/
CLI/source: https://github.com/bumahkib7/rust-monorepo-analyzer
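One way to consume a SARIF export like the one described above for CI gating, as an added example that is not RMA's own code. It assumes conventions the post does not spell out: a stable `partialFingerprints.primaryLocationLineHash` per result for dedupe, rule confidence in `properties.precision`, and a `security/<vuln|audit|hardening>` tag carrying the subcategory; the SARIF log is constructed for the example.

```python
# Added triage example (not RMA's own code): dedupe SARIF results into unique
# issues vs occurrences, then gate CI on the vuln subcategory only.
# Assumed conventions, not taken from the post: a stable
# partialFingerprints.primaryLocationLineHash per result, rule confidence in
# properties.precision, and a security/<vuln|audit|hardening> tag per rule.
import json
from collections import defaultdict

# Constructed SARIF 2.1.0 log: one issue duplicated in two services, plus one hardening finding.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "rma", "rules": [
        {"id": "rust.sqlx.raw-query", "properties": {"precision": "high",
         "security-severity": "8.0", "tags": ["security/vuln", "external/cwe/cwe-089"]}},
        {"id": "rust.unwrap-on-input", "properties": {"precision": "medium",
         "tags": ["security/hardening", "external/cwe/cwe-248"]}}]}},
    "results": [
        {"ruleId": "rust.sqlx.raw-query", "partialFingerprints": {"primaryLocationLineHash": "ab12"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "svc/a/db.rs"}}}]},
        {"ruleId": "rust.sqlx.raw-query", "partialFingerprints": {"primaryLocationLineHash": "ab12"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "svc/b/db.rs"}}}]},
        {"ruleId": "rust.unwrap-on-input", "partialFingerprints": {"primaryLocationLineHash": "cd34"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "gen/proto.rs"}}}]}]}]})

def load_findings(sarif_text):
    """Return (results, {rule_id: rule properties}) from the first run."""
    run = json.loads(sarif_text)["runs"][0]
    rules = {r["id"]: r.get("properties", {}) for r in run["tool"]["driver"]["rules"]}
    return run["results"], rules

def dedupe(results):
    """Group occurrences into unique issues keyed by (rule id, fingerprint)."""
    unique = defaultdict(list)
    for r in results:
        fp = r.get("partialFingerprints", {}).get("primaryLocationLineHash")
        # No fingerprint: fall back to the location so the result stays its own issue.
        key = (r["ruleId"], fp or json.dumps(r.get("locations"), sort_keys=True))
        unique[key].append(r)
    return unique

def subcategory(rule_props):
    """'vuln', 'audit' or 'hardening' from the security/<sub> tag, else None."""
    return next((t.split("/", 1)[1] for t in rule_props.get("tags", [])
                 if t.startswith("security/")), None)

def gate(sarif_text, fail_on=("vuln",), min_precision=("high", "very-high")):
    """Return (unique_issues, occurrences, blocking): blocking = (rule id, occurrence count) pairs."""
    results, rules = load_findings(sarif_text)
    unique = dedupe(results)
    blocking = [(rule_id, len(occ)) for (rule_id, _), occ in unique.items()
                if subcategory(rules.get(rule_id, {})) in fail_on
                and rules.get(rule_id, {}).get("precision") in min_precision]
    return len(unique), len(results), blocking
```

With the defaults, the two raw-query occurrences collapse into one blocking issue while the hardening finding is reported but does not fail the build; widen `fail_on` and `min_precision` to gate on audit/hardening as well.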