Added S3 support: --aws-profile, --include-extensions, --exclude-extensions #4879
ustayready wants to merge 3 commits into trufflesecurity:main from
Conversation
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 7135cca.
| s3ScanBuckets = s3Scan.Flag("bucket", "Name of S3 bucket to scan. You can repeat this flag. Incompatible with --ignore-bucket.").Strings() | ||
| s3ScanIgnoreBuckets = s3Scan.Flag("ignore-bucket", "Name of S3 bucket to ignore. You can repeat this flag. Incompatible with --bucket.").Strings() | ||
| s3ScanMaxObjectSize = s3Scan.Flag("max-object-size", "Maximum size of objects to scan. Objects larger than this will be skipped. (Byte units eg. 512B, 2KB, 4MB)").Default("250MB").Bytes() | ||
| s3ScanProfile = s3Scan.Flag("aws-profile", "AWS shared credentials profile to use. Cannot be used with --key, --secret, --session-token, or --cloud-environment.").Envar("AWS_PROFILE").String() |
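Review bot: binding --aws-profile to the environment with .Envar("AWS_PROFILE") makes the "Cannot be used with --key, --secret, --session-token, or --cloud-environment" rule depend on what the caller has exported rather than on what they typed, so anyone with AWS_PROFILE set in their shell is rejected as soon as they pass static keys or --cloud-environment. Suggest dropping .Envar("AWS_PROFILE") so only an explicit --aws-profile takes part in the exclusivity check, leaving an exported AWS_PROFILE to the SDK's default credential chain as it was before this change.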
AWS_PROFILE env var breaks existing --cloud-environment usage
High Severity
The --aws-profile flag binds to AWS_PROFILE via .Envar("AWS_PROFILE"). Since AWS_PROFILE is a standard, widely-set AWS environment variable, any user who has it configured will now get an error when using --cloud-environment, because the validation in ScanS3 rejects hasProfile && c.CloudCred. Previously, AWS_PROFILE was transparently handled by the AWS SDK's default credential chain and didn't conflict with --cloud-environment. This is a regression that breaks existing workflows.


Description:
Explain the purpose of the PR.
Checklist:
- Tests passing (make test-community)?
- Lint passing (make lint; this requires golangci-lint)?
Note
Medium Risk
Medium risk because it changes S3 credential resolution (introducing shared profile support and altering how credentials providers are configured), which could affect access/assume-role behavior and scan coverage; also adds new filtering that can skip objects if misconfigured.
Overview
Adds new S3 scan configuration and CLI flags for an AWS shared credentials profile (--aws-profile/AWS_PROFILE) and object key extension filtering (--include-extensions/--exclude-extensions). Updates the S3 scan pipeline end-to-end (CLI → sources.S3Config → protobuf sourcespb.S3 → S3 source) to enforce mutual exclusivity between profile/static creds/cloud creds and between include/exclude extension lists, and to skip S3 objects based on the configured extension filter during enumeration. Also updates generated protobuf outputs and ignores .claude in .gitignore.
Reviewed by Cursor Bugbot for commit 7135cca. Bugbot is set up for automated code reviews on this repo.
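The two exclusivity rules and the extension-based skip described in the overview above, as an added Go example that is not the PR's or trufflehog's own code. The names ExtensionFilter, NewExtensionFilter, Skip and ValidateCredentialMode are assumed here, as are the extension normalization and the handling of keys with no extension.

```go
package main
import (
	"errors"
	"path"
	"strings"
)

// ExtensionFilter: allow=true is an allow-list (--include-extensions), false a deny-list (--exclude-extensions).
type ExtensionFilter struct {
	exts  map[string]bool
	allow bool
}

// normalize lowercases and strips the leading dot so ".PDF", "pdf" and ".pdf" agree (assumed convention).
func normalize(ext string) string {
	return strings.ToLower(strings.TrimPrefix(strings.TrimSpace(ext), "."))
}

// NewExtensionFilter applies the up-front rule that the two lists are mutually exclusive.
func NewExtensionFilter(include, exclude []string) (*ExtensionFilter, error) {
	if len(include) > 0 && len(exclude) > 0 {
		return nil, errors.New("--include-extensions and --exclude-extensions are mutually exclusive")
	}
	f := &ExtensionFilter{allow: len(include) > 0, exts: map[string]bool{}}
	list := exclude
	if f.allow {
		list = include
	}
	for _, e := range list {
		f.exts[normalize(e)] = true
	}
	return f, nil
}

// Skip reports whether an object key is dropped during enumeration; no list means nothing is skipped, and a key without an extension matches "".
func (f *ExtensionFilter) Skip(key string) bool {
	if len(f.exts) == 0 {
		return false
	}
	listed := f.exts[normalize(path.Ext(key))]
	return listed != f.allow // allow-list skips unlisted keys, deny-list skips listed ones
}

// ValidateCredentialMode rejects combining a shared profile, static keys and cloud-environment credentials.
func ValidateCredentialMode(hasProfile, hasStaticKeys, cloudEnv bool) error {
	if (hasProfile && hasStaticKeys) || (hasProfile && cloudEnv) || (hasStaticKeys && cloudEnv) {
		return errors.New("use only one of --aws-profile, --key/--secret, or --cloud-environment")
	}
	return nil
}
```

Passing only an explicitly given profile as hasProfile (not the AWS_PROFILE environment variable) keeps the check from rejecting users whose shell happens to export a profile.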