Skip to content

Add shieldly-io/cli (agent-scan) - AWS blast-radius scanner for AI agent credentials#26

Open
jefftham wants to merge 2 commits into
DevOpsAIguru123:mainfrom
jefftham:add-shieldly-agent-scan
Open

Add shieldly-io/cli (agent-scan) - AWS blast-radius scanner for AI agent credentials#26
jefftham wants to merge 2 commits into
DevOpsAIguru123:mainfrom
jefftham:add-shieldly-agent-scan

Conversation

@jefftham

Copy link
Copy Markdown

Adds Shieldly agent-scan to the Official Security and Code-Quality section, alongside snyk/agent-scan which covers the complementary angle (it scans the agent/tool itself; agent-scan grades what the agent's AWS credentials could do).

Operational use case: before wiring AWS credentials into a Claude Code / Cursor / Windsurf / MCP setup, run npx @shieldly/cli agent-scan to see what those credentials could destroy, exfiltrate, escalate to, or spend. Auto-discovers agent configs (.mcp.json, Claude Code/Desktop, Cursor, Windsurf, VS Code) or takes --policy-file / --role-arn / --profile / --cfn-file.

Action level: read-only (analysis only; the --fix least-privilege generator writes a proposed policy file locally, never touches AWS).
Safety/approval model: offline by default, nothing leaves the machine unless --upload is passed; findings are advisory and need human review.
Evidence: SARIF output for the GitHub Security tab, JSON reports, CI budget-file enforcement. Docs: https://www.shieldly.io/docs/agent-scan
Evaluable without cloud credentials: yes — point it at any policy JSON or CloudFormation template.
Commercial disclosure: the CLI scan, SARIF/budget CI mode, and fix generator are free; scan history/diffs and Slack alerts are part of Shieldly's paid SaaS plans.

Ran the full local validation per CONTRIBUTING (validate_repos_yaml, sync_readme_counts, pytest 45 passed, run_mock_eval_scenarios); bumped the seed-data count test 61→62.

Disclosure: I build Shieldly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants