aws-cli

Universal command-line interface for Amazon Web Services

workhorse Python aws/aws-cli

66% pass rate

3/8 principles met

Spec Coverage

How many of the spec's requirements were verified for this tool. See /coverage for the full matrix.

Level	Total	Verified	Unverified
MUST	28	19	9
SHOULD	21	13	8
MAY	10	10	0

Top Issues

FAIL Help flag produces useful output Progressive Help Discovery --help exited with code 252
WARN Version flag works (`--version` plus short alias) Progressive Help Discovery `--version` works but no short alias responded (tried -V, -v, -version). Adding one shortens version probes for agents.
WARN Version flag works (`--version` plus short alias) Progressive Help Discovery `--version` works but no short alias responded (tried -V, -v, -version). Adding one shortens version probes for agents.

All Audits

P1: Non-Interactive by Default

PASS	Non-interactive by default
SKIP	Non-interactive gate flag advertised in --help	target satisfies P1 via alternative gate (help-on-bare or stdin-primary)
SKIP	Flags advertise env-var bindings in --help	target exposes no flags in --help
PASS	Secret-bearing flags expose stdin or *-file companion
WARN	`--help` advertises default values for flags	no default-value annotations found in --help. SHOULD-tier — agents reading help text need to see what value a flag falls back to when omitted (`[default: <value>]` per clap convention).
WARN	Rich-TUI affordance for TTY contexts	no rich-TUI affordance detected (no `--tui`/`--interactive`/`--ui` flag, no spinner/progress/tui mention in --help). MAY-tier — rich TUI in TTY contexts is a nice-to-have, not required.

P2: Structured, Parseable Output

OPT-OUT	Structured output support	no --output/--format flag detected — tool does not ship structured output. Schema-discovery requirements (p2-must-schema-print, p2-should-schema-file) collapse to n/a via antecedent propagation.
N/A	Structured-output CLI exposes its schema at runtime	antecedent `p2-json-output` is opt_out: no --output/--format flag detected — tool does not ship structured output. Schema-discovery requirements (p2-must-schema-print, p2-should-schema-file) collapse to n/a via antecedent propagation.
WARN	--json / --jsonl short aliases for --output	no --json or --jsonl short alias found. Agents and pipelines benefit from short forms alongside the canonical `--output` enum.
WARN	`--raw` flag for pipe-safe unformatted output	no `--raw` flag advertised. MAY-tier — useful for pipelines that want to strip formatting before piping to other tools.
SKIP	`--output` advertises additional formats beyond text/json	no `--output` or `--format` flag advertised; vacuous skip for MAY-tier extra formats.
WARN	Bad invocation exits with structured usage-error code (2)	bad invocation exited with code 252. The 0/1/2/77/78 convention reserves code 2 for usage errors; using a different non-zero code (often 1) blurs the distinction between usage errors and general failure.
SKIP	Errors emit JSON envelope with `error`/`kind`/`message` under `--output json`	binary does not advertise `--output json` in --help; MUST applies only to CLIs that opt into the JSON contract.
SKIP	JSON success and error envelopes share their non-payload key set	binary does not advertise `--output json` in --help; envelope-consistency only applies to CLIs that opt into the JSON contract.

P3: Progressive Help Discovery

FAIL	Help flag produces useful output	--help exited with code 252
WARN	Version flag works (`--version` plus short alias)	`--version` works but no short alias responded (tried -V, -v, -version). Adding one shortens version probes for agents.
WARN	Version flag works (`--version` plus short alias)	`--version` works but no short alias responded (tried -V, -v, -version). Adding one shortens version probes for agents.
WARN	`examples` subcommand or `--examples` flag for curated usage patterns	no `examples` subcommand or `--examples` flag found. MAY-tier — a curated usage block keeps agents from hunting through long help text.
SKIP	Short `-h` summary differs from `--help` long form	could not probe both `-h` and `--help` cleanly
SKIP	Each subcommand's `--help` ships at least one invocation example	binary has no subcommands; MUST applies conditionally to CLIs that use them.
WARN	Help text pairs human and `--output json` example invocations	no paired text + `--output json` example found within 5 lines in top-level or any subcommand `--help`. Pairing keeps agents from reverse-engineering the JSON invocation from the text one.

P4: Fail-Fast, Actionable Errors

PASS	Rejects invalid arguments
PASS	Error messages include a hint or remediation phrase
SKIP	`--output json` produces JSON-formatted errors	binary does not advertise `--output json` in --help; SHOULD applies only to CLIs that opt into the JSON contract.

P5: Safe Retries & Mutation Boundaries

SKIP	Destructive subcommands require `--force` or `--yes`	no destructive subcommands detected; MUST applies conditionally to CLIs with destructive operations.
SKIP	Read and write surfaces are both visible in subcommand list	no recognizable read or write subcommand verbs; the read/write distinction is unobservable from the help surface alone.

P6: Composable, Predictable Command Structure

PASS	Handles SIGPIPE gracefully
SKIP	Pager-using CLI ships --no-pager escape hatch	no pager signal (less/more/$PAGER/--pager) in --help
PASS	Respects NO_COLOR
SKIP	Subcommand verbs follow community-standard names	no subcommands parsed from --help
WARN	`--color` flag for explicit color control	no `--color` flag advertised. MAY-tier — `auto\|always\|never` lets agents and pipelines override the TTY-based default.
SKIP	Input-accepting commands read from stdin when no file is given	no input-accepting subcommand detected (process/parse/convert/transform/analyze/validate/format/lint/audit); vacuous skip for the conditional SHOULD.
SKIP	Subcommand naming follows a consistent verb/noun convention	fewer than 2 user-defined subcommands; vacuous skip for the conditional SHOULD.
PASS	Operations are subcommands, not verb-shaped flags

P7: Bounded, High-Signal Responses

WARN	Quiet mode available	no --quiet/-q flag detected in --help output
WARN	`--verbose` flag for diagnostic escalation	no `--verbose` / `-v` flag advertised. SHOULD-tier — agents debugging failures need a way to escalate diagnostic detail.
SKIP	`--limit` / `--max-results` flag for list operations	no list-style subcommand detected (list/ls/search/query/find/show/get); vacuous skip for the list-only SHOULD.
SKIP	Cursor-based pagination flags for list traversal	no list-style subcommand detected; vacuous skip for the list-only MAY.
SKIP	`--timeout` flag for long-running operations	no long-running subcommand detected (serve/daemon/watch/tail/monitor/follow/run/start/stream); vacuous skip for the conditional SHOULD.
WARN	Help text advertises TTY-aware verbosity behavior	no TTY-aware language found in `--help`. MAY-tier — automatic verbosity reduction when stdout is piped or redirected lets agents skip the explicit `--quiet` flag. Behavioral probes cannot simulate a real TTY without a pty crate, so this audit relies on documented intent.

P8: Discoverable Through Agent Skill Bundles

PASS	Skill bundle has install path (`tool skill install [<host>]`)
PASS	`skill install --all` for multi-runtime install
PASS	`skill update` / `skill upgrade` for bundle refresh

Details

Version scored: 2.34.57
Audit date: 2026-06-01 17:35:05 UTC
Duration: 3.1s
Platform: linux/x86_64
Mode: command
Anc build: 0.5.0
Install: brew install awscli

Embed the badge

The badge floor is 70%; this scorecard is at 66% (4 points below). Once the score clears the floor, the embed snippet will appear here. The top issues above are the place to start.

Reproduce this scorecard for aws-cli locally and inspect the failing audits:

anc audit --command aws --output json

Install anc first if you don't have it. Add --output json to get the same JSON shape committed under scorecards/.