@shieldly/cli 1.0.5 → 1.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +61 -1
- package/dist/cli.cjs +288 -40
- package/package.json +6 -2
package/README.md
CHANGED
|
@@ -63,11 +63,70 @@ large CloudFormation templates cost more. [Compare plans →](https://www.shield
|
|
|
63
63
|
|
|
64
64
|
| Command | Description |
|
|
65
65
|
| --- | --- |
|
|
66
|
+
| `shieldly agent-scan [options]` | Blast radius of an AI agent's AWS credentials (offline) |
|
|
66
67
|
| `shieldly analyze-iam <policy-file>` | Analyze an IAM policy for security issues |
|
|
67
68
|
| `shieldly analyze-cf <template-file>` | Analyze a CloudFormation template |
|
|
68
69
|
| `shieldly api-keys list\|create\|revoke` | Manage API keys |
|
|
69
70
|
| `shieldly completion bash\|zsh\|install` | Shell completion |
|
|
70
71
|
|
|
72
|
+
## Agent blast-radius scan
|
|
73
|
+
|
|
74
|
+
See what your AI agents' AWS credentials could **destroy, exfiltrate, or
|
|
75
|
+
escalate to**. Runs fully offline — your config never leaves your machine, no
|
|
76
|
+
API key required.
|
|
77
|
+
|
|
78
|
+
```bash
|
|
79
|
+
# Scan an IAM policy file
|
|
80
|
+
shieldly agent-scan --policy-file agent-policy.json
|
|
81
|
+
|
|
82
|
+
# Fetch and scan a live role (uses your local AWS credentials, read-only)
|
|
83
|
+
shieldly agent-scan --role-arn arn:aws:iam::123456789012:role/my-agent
|
|
84
|
+
|
|
85
|
+
# Resolve an AWS profile's identity and scan it (users: includes group policies)
|
|
86
|
+
shieldly agent-scan --profile agent-profile
|
|
87
|
+
|
|
88
|
+
# Zero flags: auto-discover agent configs in the current directory
|
|
89
|
+
# (.mcp.json, mcp.json, .claude/settings.json, .cursor/.vscode mcp.json,
|
|
90
|
+
# Claude Desktop config) and scan any AWS profiles / role ARNs / hardcoded
|
|
91
|
+
# keys they reference
|
|
92
|
+
shieldly agent-scan
|
|
93
|
+
```
|
|
94
|
+
|
|
95
|
+
Findings are graded overall (CRITICAL / HIGH / MODERATE / LOW) and grouped into
|
|
96
|
+
six categories: privilege escalation, destructive actions, wildcard grants, data
|
|
97
|
+
access, cost risk, and missing guardrails. Hardcoded `AKIA…` keys in agent
|
|
98
|
+
configs are flagged CRITICAL.
|
|
99
|
+
|
|
100
|
+
**Output & remediation:**
|
|
101
|
+
|
|
102
|
+
```bash
|
|
103
|
+
shieldly agent-scan --policy-file p.json --json # machine-readable
|
|
104
|
+
shieldly agent-scan --policy-file p.json --sarif > out.sarif # GitHub Security tab
|
|
105
|
+
shieldly agent-scan --policy-file p.json --fix > tightened.json # least-privilege draft
|
|
106
|
+
shieldly agent-scan --policy-file p.json --ignore BR-DATA-S3 # suppress a rule
|
|
107
|
+
```
|
|
108
|
+
|
|
109
|
+
**CI enforcement** — declare a permission budget and fail the build when an
|
|
110
|
+
agent's blast radius exceeds it:
|
|
111
|
+
|
|
112
|
+
```bash
|
|
113
|
+
shieldly agent-scan --policy-file agent-policy.json --budget shieldly.policy.yml
|
|
114
|
+
```
|
|
115
|
+
|
|
116
|
+
```yaml
|
|
117
|
+
# shieldly.policy.yml
|
|
118
|
+
version: 1
|
|
119
|
+
max-severity: MEDIUM # CRITICAL | HIGH | MEDIUM | LOW | none
|
|
120
|
+
deny-categories:
|
|
121
|
+
- ESCALATION # always fail on privilege-escalation findings
|
|
122
|
+
ignore-rules: [] # accepted false positives, by rule ID
|
|
123
|
+
# max-findings: 50
|
|
124
|
+
```
|
|
125
|
+
|
|
126
|
+
Exit code is `1` on any CRITICAL/HIGH finding (or any budget violation), `0`
|
|
127
|
+
otherwise — drop it straight into CI. See
|
|
128
|
+
[`shieldly.policy.example.yml`](./shieldly.policy.example.yml).
|
|
129
|
+
|
|
71
130
|
## Global options
|
|
72
131
|
|
|
73
132
|
| Option | Description |
|
|
@@ -106,7 +165,8 @@ hashes of the input.
|
|
|
106
165
|
No account required — these run in your browser or document the risks:
|
|
107
166
|
|
|
108
167
|
- [IAM Privilege Escalation Cheat Sheet](https://www.shieldly.io/iam/cheatsheet?utm_source=github&utm_medium=readme) — every common escalation path on one page, with fixes
|
|
109
|
-
- [Free browser tools](https://www.shieldly.io/tools?utm_source=github&utm_medium=readme) — IAM policy linter, trust policy explainer, S3 bucket policy checker, CloudFormation IAM checker
|
|
168
|
+
- [Free browser tools](https://www.shieldly.io/tools?utm_source=github&utm_medium=readme) — IAM policy linter, trust policy explainer, S3 bucket policy checker, CloudFormation IAM checker, ARN parser, policy diff, CloudTrail least-privilege generator
|
|
169
|
+
- [Awesome AWS IAM Security](https://github.com/shieldly-io/awesome-aws-iam-security) — curated list of IAM security tools and references
|
|
110
170
|
- [IAM privilege escalation reference](https://www.shieldly.io/iam?utm_source=github&utm_medium=readme) — each method with a vulnerable policy, the exploit, and the fix
|
|
111
171
|
|
|
112
172
|
## License
|