Add Figma Personal Access Token v3 Detector#4790

Open
shahzadhaider1 wants to merge 7 commits intotrufflesecurity:mainfrom
shahzadhaider1:INS-381-figma-v3

Conversation

@shahzadhaider1
Contributor

@shahzadhaider1 shahzadhaider1 commented Mar 5, 2026

Summary

Adds a v3 detector for Figma Personal Access Tokens to support the new figp_ prefixed token format. Also refactors the shared verification logic across all three detector versions to eliminate code duplication.

Changes

New v3 detector (figp_ prefix)

  • Regex pattern: figp_[a-zA-Z0-9_=-]{40,54} as specified by Figma
  • Keyword pre-filter uses figp_ for efficient chunk matching
  • No word boundary (\b) assertions are used, since the token character set includes non-word characters (=, -), which are incompatible with \b

Verification logic refactored into shared VerifyMatch function

  • Extracted the common verification logic into an exported VerifyMatch function in the v1 package
  • v2 and v3 now import and call v1.VerifyMatch instead of duplicating the HTTP verification inline

Verification details

  • Endpoint: GET https://api.figma.com/v1/me with X-Figma-Token header
  • 200 -> verified
  • 403 -> unverified (Figma returns 403 for invalid, expired, or revoked tokens, as well as valid tokens that lack the required scopes for the requested resource)
  • Any other status -> unverified with verification error (indeterminate)

Testing

  • Unit tests added for v3 covering valid pattern matching and invalid pattern rejection
  • Integration tests added for v3 but currently skipped as the new figp_ token format is not yet available for generation in Figma. Tests will be unskipped once v3 secrets are provisioned in GCP.
  • Existing v1 and v2 tests remain unchanged and continue to pass

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint; this requires golangci-lint)?

Note

Medium Risk
Adds a new detector variant and changes verification behavior for existing Figma token detectors by centralizing the HTTP verification code path; mistakes here could impact verification results and outbound API calls.

Overview
Adds a new Figma Personal Access Token v3 detector to recognize the new figp_ token format (including keyword prefiltering) and registers it in pkg/engine/defaults/defaults.go.

Refactors v1/v2 verification to call a shared figmapersonalaccesstoken.VerifyMatch helper (including draining/closing response bodies), and updates integration tests to expect AnalysisInfo on verified results and to ignore the new primarySecret field in result comparisons.

Reviewed by Cursor Bugbot for commit 25d9bac. Bugbot is set up for automated code reviews on this repo. Configure here.

@shahzadhaider1 shahzadhaider1 changed the title added v3 for figma pat Add Figma Personal Access Token v3 Detector Mar 6, 2026
@shahzadhaider1 shahzadhaider1 marked this pull request as ready for review March 6, 2026 17:40
@shahzadhaider1 shahzadhaider1 requested a review from a team March 6, 2026 17:40
@shahzadhaider1 shahzadhaider1 requested a review from a team as a code owner March 6, 2026 17:40
Contributor

@amanfcp amanfcp left a comment


💯


@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


Reviewed by Cursor Bugbot for commit ff9b319. Configure here.


switch res.StatusCode {
case http.StatusOK:
return true, nil

Refactored verification narrows accepted success status codes

Low Severity

The shared VerifyMatch function only treats http.StatusOK (200) as verified, but the original v1 and v2 inline logic treated the entire 2xx range (StatusCode >= 200 && StatusCode < 300) as verified. Any non-200 success response (e.g., 201, 204) now falls into the default case and is reported as an unexpected error instead of being marked as verified. This is a behavioral regression introduced during the refactoring.

Additional Locations (2)
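A stand-alone Go illustration of the v3 figp_ pattern and the VerifyMatch status mapping described in the PR summary above, kept to the exact-200 branch this comment flags. This is added example code, not TruffleHog's own detector; the baseURL parameter, the function names and the httptest server are assumptions so it runs offline, and the token used is a constructed string of the right shape.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"regexp"
)
// Pattern from the PR; no \b anchors, since '=' and '-' are not word characters.
var figmaV3Pat = regexp.MustCompile(`figp_[a-zA-Z0-9_=-]{40,54}`)
// FindTokens returns every figp_ candidate in a chunk of scanned text.
func FindTokens(chunk string) []string { return figmaV3Pat.FindAllString(chunk, -1) }

// VerifyMatch applies the PR's mapping: 200 -> verified, 403 -> unverified without error,
// anything else -> unverified with an error. baseURL is an assumption (the real endpoint
// is https://api.figma.com/v1/me) so the check can be pointed at a local test server.
func VerifyMatch(client *http.Client, baseURL, token string) (bool, error) {
	req, err := http.NewRequest(http.MethodGet, baseURL+"/v1/me", nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("X-Figma-Token", token)
	res, err := client.Do(req)
	if err != nil {
		return false, err
	}
	defer func() { _, _ = io.Copy(io.Discard, res.Body); _ = res.Body.Close() }()
	switch res.StatusCode {
	case http.StatusOK:
		return true, nil
	case http.StatusForbidden:
		return false, nil // invalid, expired, revoked, or lacking the needed scope
	default:
		return false, fmt.Errorf("unexpected HTTP response status %d", res.StatusCode)
	}
}

// ServerWithStatus is a constructed stand-in for api.figma.com that always answers with code.
func ServerWithStatus(code int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(code)
	}))
}

func main() {
	srv := ServerWithStatus(http.StatusForbidden)
	defer srv.Close()
	fmt.Println(VerifyMatch(srv.Client(), srv.URL, "figp_0123456789abcdefghijklmnopqrstuvwxyz=-_A")) // false <nil>
}
```

Pointing ServerWithStatus at 204 shows the regression described in this comment: the response is a success, yet VerifyMatch reports an error rather than a verified result.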

Contributor Author


ok cursor
