@shieldly/cli 1.0.5 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/README.md +61 -1
  2. package/dist/cli.cjs +293 -40
  3. package/package.json +6 -2
package/README.md CHANGED
@@ -63,11 +63,70 @@ large CloudFormation templates cost more. [Compare plans →](https://www.shield
63
63
 
64
64
  | Command | Description |
65
65
  | --- | --- |
66
+ | `shieldly agent-scan [options]` | Blast radius of an AI agent's AWS credentials (offline) |
66
67
  | `shieldly analyze-iam <policy-file>` | Analyze an IAM policy for security issues |
67
68
  | `shieldly analyze-cf <template-file>` | Analyze a CloudFormation template |
68
69
  | `shieldly api-keys list\|create\|revoke` | Manage API keys |
69
70
  | `shieldly completion bash\|zsh\|install` | Shell completion |
70
71
 
72
+ ## Agent blast-radius scan
73
+
74
+ See what your AI agents' AWS credentials could **destroy, exfiltrate, or
75
+ escalate to**. Runs fully offline — your config never leaves your machine, no
76
+ API key required.
77
+
78
+ ```bash
79
+ # Scan an IAM policy file
80
+ shieldly agent-scan --policy-file agent-policy.json
81
+
82
+ # Fetch and scan a live role (uses your local AWS credentials, read-only)
83
+ shieldly agent-scan --role-arn arn:aws:iam::123456789012:role/my-agent
84
+
85
+ # Resolve an AWS profile's identity and scan it (users: includes group policies)
86
+ shieldly agent-scan --profile agent-profile
87
+
88
+ # Zero flags: auto-discover agent configs in the current directory
89
+ # (.mcp.json, mcp.json, .claude/settings.json, .cursor/.vscode mcp.json,
90
+ # Claude Desktop config) and scan any AWS profiles / role ARNs / hardcoded
91
+ # keys they reference
92
+ shieldly agent-scan
93
+ ```
94
+
95
+ Findings are graded overall (CRITICAL / HIGH / MODERATE / LOW) and grouped into
96
+ six categories: privilege escalation, destructive actions, wildcard grants, data
97
+ access, cost risk, and missing guardrails. Hardcoded `AKIA…` keys in agent
98
+ configs are flagged CRITICAL.
99
+
100
+ **Output & remediation:**
101
+
102
+ ```bash
103
+ shieldly agent-scan --policy-file p.json --json # machine-readable
104
+ shieldly agent-scan --policy-file p.json --sarif > out.sarif # GitHub Security tab
105
+ shieldly agent-scan --policy-file p.json --fix > tightened.json # least-privilege draft
106
+ shieldly agent-scan --policy-file p.json --ignore BR-DATA-S3 # suppress a rule
107
+ ```
108
+
109
+ **CI enforcement** — declare a permission budget and fail the build when an
110
+ agent's blast radius exceeds it:
111
+
112
+ ```bash
113
+ shieldly agent-scan --policy-file agent-policy.json --budget shieldly.policy.yml
114
+ ```
115
+
116
+ ```yaml
117
+ # shieldly.policy.yml
118
+ version: 1
119
+ max-severity: MEDIUM # CRITICAL | HIGH | MEDIUM | LOW | none
120
+ deny-categories:
121
+ - ESCALATION # always fail on privilege-escalation findings
122
+ ignore-rules: [] # accepted false positives, by rule ID
123
+ # max-findings: 50
124
+ ```
125
+
126
+ Exit code is `1` on any CRITICAL/HIGH finding (or any budget violation), `0`
127
+ otherwise — drop it straight into CI. See
128
+ [`shieldly.policy.example.yml`](./shieldly.policy.example.yml).
129
+
71
130
  ## Global options
72
131
 
73
132
  | Option | Description |
@@ -106,7 +165,8 @@ hashes of the input.
106
165
  No account required — these run in your browser or document the risks:
107
166
 
108
167
  - [IAM Privilege Escalation Cheat Sheet](https://www.shieldly.io/iam/cheatsheet?utm_source=github&utm_medium=readme) — every common escalation path on one page, with fixes
109
- - [Free browser tools](https://www.shieldly.io/tools?utm_source=github&utm_medium=readme) — IAM policy linter, trust policy explainer, S3 bucket policy checker, CloudFormation IAM checker
168
+ - [Free browser tools](https://www.shieldly.io/tools?utm_source=github&utm_medium=readme) — IAM policy linter, trust policy explainer, S3 bucket policy checker, CloudFormation IAM checker, ARN parser, policy diff, CloudTrail least-privilege generator
169
+ - [Awesome AWS IAM Security](https://github.com/shieldly-io/awesome-aws-iam-security) — curated list of IAM security tools and references
110
170
  - [IAM privilege escalation reference](https://www.shieldly.io/iam?utm_source=github&utm_medium=readme) — each method with a vulnerable policy, the exploit, and the fix
111
171
 
112
172
  ## License