trufflesecurity · ustayready · Apr 8, 2026 · Apr 8, 2026 · Apr 8, 2026 · cursor
@@ -1,6 +1,7 @@
 .idea
 dist
 .env
+.claude
 *.test
 
 # binary

@@ -173,6 +173,9 @@ var (
 	s3ScanBuckets       = s3Scan.Flag("bucket", "Name of S3 bucket to scan. You can repeat this flag. Incompatible with --ignore-bucket.").Strings()
 	s3ScanIgnoreBuckets = s3Scan.Flag("ignore-bucket", "Name of S3 bucket to ignore. You can repeat this flag. Incompatible with --bucket.").Strings()
 	s3ScanMaxObjectSize = s3Scan.Flag("max-object-size", "Maximum size of objects to scan. Objects larger than this will be skipped. (Byte units eg. 512B, 2KB, 4MB)").Default("250MB").Bytes()
+	s3ScanProfile            = s3Scan.Flag("aws-profile", "AWS shared credentials profile to use. Cannot be used with --key, --secret, --session-token, or --cloud-environment.").Envar("AWS_PROFILE").String()
+	s3ScanIncludeExtensions  = s3Scan.Flag("include-extensions", "File extensions to include in scanning, comma-separated (e.g., yaml,yml,config). Incompatible with --exclude-extensions.").Strings()
+	s3ScanExcludeExtensions  = s3Scan.Flag("exclude-extensions", "File extensions to exclude from scanning, comma-separated (e.g., zip,png,jpg). Incompatible with --include-extensions.").Strings()
 
 	gcsScan           = cli.Command("gcs", "Find credentials in GCS buckets.")
 	gcsProjectID      = gcsScan.Flag("project-id", "GCS project ID used to authenticate. Can NOT be used with unauth scan. Can be provided with environment variable GOOGLE_CLOUD_PROJECT.").Envar("GOOGLE_CLOUD_PROJECT").String()
@@ -951,7 +954,10 @@ func runSingleScan(ctx context.Context, cmd string, cfg engine.Config) (metrics,
 			IgnoreBuckets: *s3ScanIgnoreBuckets,
 			Roles:         *s3ScanRoleArns,
 			CloudCred:     *s3ScanCloudEnv,
-			MaxObjectSize: int64(*s3ScanMaxObjectSize),
+			MaxObjectSize:     int64(*s3ScanMaxObjectSize),
+			Profile:           *s3ScanProfile,
+			IncludeExtensions: *s3ScanIncludeExtensions,
+			ExcludeExtensions: *s3ScanExcludeExtensions,
 		}
 		if ref, err := eng.ScanS3(ctx, cfg); err != nil {
 			return scanMetrics, fmt.Errorf("failed to scan S3: %v", err)

@@ -19,28 +19,37 @@ func (e *Engine) ScanS3(ctx context.Context, c sources.S3Config) (sources.JobPro
 	connection := &sourcespb.S3{
 		Credential: &sourcespb.S3_Unauthenticated{},
 	}
-	if c.CloudCred {
-		if len(c.Key) > 0 || len(c.Secret) > 0 || len(c.SessionToken) > 0 {
-			return sources.JobProgressRef{}, fmt.Errorf("cannot use cloud environment and static credentials together")
-		}
-		connection.Credential = &sourcespb.S3_CloudEnvironment{}
+
+	hasStaticCreds := len(c.Key) > 0 || len(c.Secret) > 0 || len(c.SessionToken) > 0
+	hasProfile := len(c.Profile) > 0
+
+	if hasProfile && (hasStaticCreds || c.CloudCred) {
+		return sources.JobProgressRef{}, fmt.Errorf("cannot use --aws-profile with --key, --secret, --session-token, or --cloud-environment")
 	}
-	if len(c.Key) > 0 && len(c.Secret) > 0 {
-		if len(c.SessionToken) > 0 {
-			connection.Credential = &sourcespb.S3_SessionToken{
-				SessionToken: &credentialspb.AWSSessionTokenSecret{
-					Key:          c.Key,
-					Secret:       c.Secret,
-					SessionToken: c.SessionToken,
-				},
-			}
-		} else {
-			connection.Credential = &sourcespb.S3_AccessKey{
-				AccessKey: &credentialspb.KeySecret{
-					Key:    c.Key,
-					Secret: c.Secret,
-				},
-			}
+	if c.CloudCred && hasStaticCreds {
+		return sources.JobProgressRef{}, fmt.Errorf("cannot use cloud environment and static credentials together")
+	}
+
+	switch {
+	case hasProfile:
+		connection.Credential = &sourcespb.S3_CloudEnvironment{}
+		connection.Profile = c.Profile
+	case c.CloudCred:
+		connection.Credential = &sourcespb.S3_CloudEnvironment{}
+	case len(c.Key) > 0 && len(c.Secret) > 0 && len(c.SessionToken) > 0:
+		connection.Credential = &sourcespb.S3_SessionToken{
+			SessionToken: &credentialspb.AWSSessionTokenSecret{
+				Key:          c.Key,
+				Secret:       c.Secret,
+				SessionToken: c.SessionToken,
+			},
+		}
+	case len(c.Key) > 0 && len(c.Secret) > 0:
+		connection.Credential = &sourcespb.S3_AccessKey{
+			AccessKey: &credentialspb.KeySecret{
+				Key:    c.Key,
+				Secret: c.Secret,
+			},
 		}
 	}
 	if len(c.Buckets) > 0 {
@@ -54,6 +63,16 @@ func (e *Engine) ScanS3(ctx context.Context, c sources.S3Config) (sources.JobPro
 		connection.Roles = c.Roles
 	}
 
+	if len(c.IncludeExtensions) > 0 && len(c.ExcludeExtensions) > 0 {
+		return sources.JobProgressRef{}, fmt.Errorf("cannot use --include-extensions and --exclude-extensions together")
+	}
+	if len(c.IncludeExtensions) > 0 {
+		connection.IncludeExtensions = c.IncludeExtensions
+	}
+	if len(c.ExcludeExtensions) > 0 {
+		connection.ExcludeExtensions = c.ExcludeExtensions
+	}
+
 	var conn anypb.Any
 	err := anypb.MarshalFrom(&conn, connection, proto.MarshalOptions{})
 	if err != nil {
-Original file line number
+Diff line change
@@ -1,6 +1,7 @@
     .idea
     dist
     .env
+    .claude
     *.test
     # binary
@@ Expand Down @@