
Add Figma Personal Access Token v3 Detector#4790

Open
shahzadhaider1 wants to merge 5 commits into trufflesecurity:main from shahzadhaider1:INS-381-figma-v3

Conversation

Contributor

@shahzadhaider1 shahzadhaider1 commented Mar 5, 2026

Summary

Adds a v3 detector for Figma Personal Access Tokens to support the new figp_ prefixed token format. Also refactors the shared verification logic across all three detector versions to eliminate code duplication.

Changes

New v3 detector (figp_ prefix)

  • Regex pattern: figp_[a-zA-Z0-9_=-]{40,54} as specified by Figma
  • Keyword pre-filter uses figp_ for efficient chunk matching
  • No word boundary (\b) assertions used since the token character set includes non-word characters (=, -) which are incompatible with \b

Verification logic refactored into shared VerifyMatch function

  • Extracted the common verification logic into an exported VerifyMatch function in the v1 package
  • v2 and v3 now import and call v1.VerifyMatch instead of duplicating the HTTP verification inline

Verification details

  • Endpoint: GET https://api.figma.com/v1/me with X-Figma-Token header
  • 200 -> verified
  • 403 -> unverified (Figma returns 403 for invalid, expired, or revoked tokens, as well as valid tokens that lack the required scopes for the requested resource)
  • Any other status -> unverified with verification error (indeterminate)

Testing

  • Unit tests added for v3 covering valid pattern matching and invalid pattern rejection
  • Integration tests added for v3 but currently skipped as the new figp_ token format is not yet available for generation in Figma. Tests will be unskipped once v3 secrets are provisioned in GCP.
  • Existing v1 and v2 tests remain unchanged and continue to pass

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?

Note

Medium Risk
Adds a new Figma token pattern and registers it in the default detector list, increasing scan surface and potential false positives/negatives. Refactors verification for v1/v2 to a shared VerifyMatch helper (including response-body draining), which could subtly change verification behavior and error handling across versions.

Overview
Adds a new v3 Figma Personal Access Token detector to match the figp_ token format (new regex/keyword) and wires it into the default detector set.

Refactors v1 verification into an exported VerifyMatch helper (with explicit response-body draining/closing) and updates v2/v3 to reuse it; integration tests are updated accordingly and v3 adds new unit + (skipped) integration tests.

Written by Cursor Bugbot for commit 10f52aa. This will update automatically on new commits. Configure here.
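The detection and verification flow the description lays out, as an added illustration that is not the PR's own code (the real detector lives in the trufflehog v1/v2/v3 packages). The standalone FindTokens helper and the baseURL parameter are assumptions so the logic can run against a local test server instead of api.figma.com:

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net/http"
	"regexp"
	"strings"
)

// Regex as given in the PR. No \b anchors: '=' and '-' are not word
// characters, so \b would wrongly reject tokens that end in them.
var figmaV3Pat = regexp.MustCompile(`figp_[a-zA-Z0-9_=-]{40,54}`)

// FindTokens mirrors the keyword pre-filter followed by the regex scan.
func FindTokens(data string) []string {
	if !strings.Contains(data, "figp_") { // cheap check before the regex
		return nil
	}
	return figmaV3Pat.FindAllString(data, -1)
}

// ErrIndeterminate is the "unverified with verification error" outcome.
var ErrIndeterminate = errors.New("figma: indeterminate verification result")

// VerifyMatch reproduces the status mapping from the PR: 200 -> verified,
// 403 -> unverified, anything else -> indeterminate. baseURL is assumed
// (not in the PR) so a test server can stand in for https://api.figma.com.
func VerifyMatch(ctx context.Context, client *http.Client, baseURL, token string) (bool, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, baseURL+"/v1/me", nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("X-Figma-Token", token)
	resp, err := client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	_, _ = io.Copy(io.Discard, resp.Body) // drain so the keep-alive connection is reusable
	switch resp.StatusCode {
	case http.StatusOK:
		return true, nil
	case http.StatusForbidden:
		return false, nil
	default:
		return false, fmt.Errorf("%w: HTTP %d", ErrIndeterminate, resp.StatusCode)
	}
}
```

A 403 alone cannot distinguish a revoked token from a valid one lacking scope, which is why the PR maps it to unverified rather than to an error.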


@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 3 potential issues.

Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

@shahzadhaider1 shahzadhaider1 changed the title from "added v3 for figma pat" to "Add Figma Personal Access Token v3 Detector" Mar 6, 2026
@shahzadhaider1 shahzadhaider1 marked this pull request as ready for review March 6, 2026 17:40
@shahzadhaider1 shahzadhaider1 requested a review from a team March 6, 2026 17:40
@shahzadhaider1 shahzadhaider1 requested a review from a team as a code owner March 6, 2026 17:40