[INS-410] Added batch token detector

[MuneebUllahKhan222]

###Description
This PR adds the HashiCorp Vault Token Detector.
It scans for various types of HashiCorp Vault authentication tokens (including standard service tokens, periodic tokens, and legacy tokens) and associated Vault server endpoints. The detector supports live verification against the custom endpoints.

Token Regex: \b(hvb\.[A-Za-z0-9_.-]{50,300})\b

Endpoint Regex: (https?:\/\/[^\s\/]*\.hashicorp\.cloud(?::\d+)?)(?:\/[^\s]*)?

Verification
Verification is performed by sending a GET request to the Vault server's auth/token/lookup-self endpoint using the detected token in the X-Vault-Token header.

A response code of 200 OK indicates the token is valid. In this case, the detector extracts and returns metadata about the token to assist with remediation, including:

• Policies: The permissions associated with the token.

• Entity ID: Useful for identifying the identity/owner and revoking the token.

• Attributes: orphan and renewable status.

A response code of 401 Unauthorized or 403 Forbidden indicates the token is invalid or has been revoked.

This verification is safe as lookup-self is a read-only metadata operation that does not consume secrets or trigger state changes within the Vault cluster.

Corpora Test

The detector does not appear in the list.

Checklist:

• Tests passing (make test-community)?
• Lint passing (make lint this requires golangci-lint)?

---

Note

Medium Risk
Adds a new detector that performs live HTTP verification against discovered Vault Cloud endpoints, introducing new outbound network behavior and potential false positives/negatives based on regex and endpoint discovery.

Overview
Adds a new HashiCorpVaultBatchToken detector that finds hvb. Vault batch tokens only when paired with a *.hashicorp.cloud endpoint and can optionally verify them via GET /v1/auth/token/lookup-self using the X-Vault-Token header, returning token metadata in ExtraData on success.

Registers the detector in the default engine detector list and protobuf DetectorType enum, updates engine initialization tests for detectors without cloud endpoints, and includes unit + integration coverage plus a benchmark for FromData.

^{Written by Cursor Bugbot for commit 3ad745e. This will update automatically on new commits. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Missing Vault Namespace Header Breaks Verification

High Severity

The verifyVaultToken function never sets the X-Vault-Namespace: admin HTTP header. HCP Vault Dedicated clusters (the only type of endpoint the vaultUrlPat regex can match, since it only matches *.hashicorp.cloud URLs) require this header on every API request — without it, the server returns a 403 permission denied response regardless of token validity. Since the code interprets 403 as an invalid token, every real batch token will always be reported as unverified, making the verification feature non-functional. The sibling hashicorpvaultauth detector correctly sets this header.

 

[MuneebUllahKhan222]

According to the docs the lookup-self endpoint that we are using doesn't require X-Vault-Namespace header and I have also verified this behaviour using postman.