Add shieldly-io/cli (agent-scan) - AWS blast-radius scanner for AI agent credentials#26
Open
jefftham wants to merge 2 commits into
Open
Add shieldly-io/cli (agent-scan) - AWS blast-radius scanner for AI agent credentials#26jefftham wants to merge 2 commits into
jefftham wants to merge 2 commits into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds Shieldly agent-scan to the Official Security and Code-Quality section, alongside snyk/agent-scan which covers the complementary angle (it scans the agent/tool itself; agent-scan grades what the agent's AWS credentials could do).
Operational use case: before wiring AWS credentials into a Claude Code / Cursor / Windsurf / MCP setup, run
npx @shieldly/cli agent-scanto see what those credentials could destroy, exfiltrate, escalate to, or spend. Auto-discovers agent configs (.mcp.json, Claude Code/Desktop, Cursor, Windsurf, VS Code) or takes --policy-file / --role-arn / --profile / --cfn-file.Action level: read-only (analysis only; the --fix least-privilege generator writes a proposed policy file locally, never touches AWS).
Safety/approval model: offline by default, nothing leaves the machine unless --upload is passed; findings are advisory and need human review.
Evidence: SARIF output for the GitHub Security tab, JSON reports, CI budget-file enforcement. Docs: https://www.shieldly.io/docs/agent-scan
Evaluable without cloud credentials: yes — point it at any policy JSON or CloudFormation template.
Commercial disclosure: the CLI scan, SARIF/budget CI mode, and fix generator are free; scan history/diffs and Slack alerts are part of Shieldly's paid SaaS plans.
Ran the full local validation per CONTRIBUTING (validate_repos_yaml, sync_readme_counts, pytest 45 passed, run_mock_eval_scenarios); bumped the seed-data count test 61→62.
Disclosure: I build Shieldly.