
[INS-410] Added batch token detector#4824

Open
MuneebUllahKhan222 wants to merge 5 commits into trufflesecurity:main from MuneebUllahKhan222:batchtoken-detector

Conversation


@MuneebUllahKhan222 MuneebUllahKhan222 commented Mar 18, 2026

### Description
This PR adds the HashiCorp Vault Token Detector.
It scans for various types of HashiCorp Vault authentication tokens (including standard service tokens, periodic tokens, and legacy tokens) and associated Vault server endpoints. The detector supports live verification against the custom endpoints.

Token Regex: `\b(hvb\.[A-Za-z0-9_.-]{50,300})\b`

Endpoint Regex: `(https?:\/\/[^\s\/]*\.hashicorp\.cloud(?::\d+)?)(?:\/[^\s]*)?`

Verification
Verification is performed by sending a GET request to the Vault server's auth/token/lookup-self endpoint using the detected token in the X-Vault-Token header.

A response code of 200 OK indicates the token is valid. In this case, the detector extracts and returns metadata about the token to assist with remediation, including:

  • Policies: The permissions associated with the token.

  • Entity ID: Useful for identifying the identity/owner and revoking the token.

  • Attributes: orphan and renewable status.

A response code of 401 Unauthorized or 403 Forbidden indicates the token is invalid or has been revoked.

This verification is safe as lookup-self is a read-only metadata operation that does not consume secrets or trigger state changes within the Vault cluster.

Corpora Test

The detector does not appear in the list.

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?

Note

Medium Risk
Adds a new secret detector that performs live HTTP verification against discovered HashiCorp Vault Cloud endpoints; correctness and rate/latency of verification requests are the main risks.

Overview
Adds a new HashiCorpVaultBatchToken detector that finds hvb. batch tokens, pairs them with detected *.hashicorp.cloud Vault URLs, and (optionally) verifies them via GET /v1/auth/token/lookup-self, returning token metadata in ExtraData on success.

Wires the detector into the default detector set and engine cloud-endpoint initialization expectations, and updates the protobuf enum to include the new detector type. Includes unit, integration, and benchmark coverage for token/URL matching and verification behavior.

Written by Cursor Bugbot for commit 4792fae.

@MuneebUllahKhan222 MuneebUllahKhan222 requested a review from a team March 18, 2026 11:21
@MuneebUllahKhan222 MuneebUllahKhan222 requested review from a team as code owners March 18, 2026 11:21

@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 2 potential issues.


```go
	`\b(hvb\.[A-Za-z0-9_.-]{50,300})\b`,
)

vaultUrlPat = regexp.MustCompile(`(https?:\/\/[^\s\/]*\.hashicorp\.cloud(?::\d+)?)(?:\/[^\s]*)?`)
```

Duplicated Vault URL Regex Across Two Detectors

Low Severity

The vaultUrlPat regex (https?:\/\/[^\s\/]*\.hashicorp\.cloud(?::\d+)?...) is defined identically in both hashicorpvaultbatchtoken.go and hashicorpvaultauth.go as separate package-level variables. If the endpoint pattern ever needs to change (e.g., to support additional HashiCorp Cloud domains or fix a matching edge case), both definitions must be updated in sync. A missed update would cause inconsistent detection behaviour between the two detectors.


```go
		return false, nil, err
	}

	req.Header.Set("X-Vault-Token", token)
```

Missing Vault Namespace Header Breaks Verification

High Severity

The verifyVaultToken function never sets the X-Vault-Namespace: admin HTTP header. HCP Vault Dedicated clusters (the only type of endpoint the vaultUrlPat regex can match, since it only matches *.hashicorp.cloud URLs) require this header on every API request — without it, the server returns a 403 permission denied response regardless of token validity. Since the code interprets 403 as an invalid token, every real batch token will always be reported as unverified, making the verification feature non-functional. The sibling hashicorpvaultauth detector correctly sets this header.

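To make the lookup-self verification flow from the PR description and the namespace finding above concrete, here is an added example verifier (not the PR's code): it sends GET /v1/auth/token/lookup-self with X-Vault-Token and, when a namespace is supplied, X-Vault-Namespace, maps 200 to verified with the remediation metadata (policies, entity_id, orphan, renewable) and 401/403 to unverified. The function name mirrors the one named in the review comment; its signature and the namespace parameter are assumptions.

```go
package main
import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)
// verifyVaultToken checks a candidate hvb. token via GET /v1/auth/token/lookup-self
// and returns (verified, extraData, err). namespace is sent as X-Vault-Namespace when
// non-empty; HCP Vault Dedicated (*.hashicorp.cloud) expects "admin" or it answers 403.
func verifyVaultToken(ctx context.Context, client *http.Client, endpoint, namespace, token string) (bool, map[string]string, error) {
	url := strings.TrimRight(endpoint, "/") + "/v1/auth/token/lookup-self"
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return false, nil, err
	}
	req.Header.Set("X-Vault-Token", token)
	if namespace != "" {
		req.Header.Set("X-Vault-Namespace", namespace)
	}
	resp, err := client.Do(req)
	if err != nil {
		return false, nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusUnauthorized || resp.StatusCode == http.StatusForbidden {
		return false, nil, nil // invalid or revoked token (or a missing namespace header on HCP)
	}
	if resp.StatusCode != http.StatusOK {
		return false, nil, fmt.Errorf("unexpected status %d from lookup-self", resp.StatusCode)
	}
	var body struct { // only the read-only metadata that helps remediation
		Data struct {
			Policies  []string `json:"policies"`
			EntityID  string   `json:"entity_id"`
			Orphan    bool     `json:"orphan"`
			Renewable bool     `json:"renewable"`
		} `json:"data"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return false, nil, err
	}
	return true, map[string]string{
		"policies":  strings.Join(body.Data.Policies, ","),
		"entity_id": body.Data.EntityID,
		"orphan":    fmt.Sprint(body.Data.Orphan),
		"renewable": fmt.Sprint(body.Data.Renewable),
	}, nil
}
```

Calling it with an empty namespace against an HCP Dedicated cluster reproduces the failure mode described in the review comment: a valid token is reported as unverified because the server answers 403.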
