[INS-355] Added Hashicorp vault token detector

[MuneebUllahKhan222]

###Description
This PR adds the HashiCorp Vault Token Detector.
It scans for various types of HashiCorp Vault authentication tokens (including standard service tokens, periodic tokens, and legacy tokens) and associated Vault server endpoints. The detector supports live verification against the custom endpoints.

Token Regex: \b(hvs\.[A-Za-z0-9_-]{90,120}|s\.[A-Za-z0-9_-]{18,40})\b

Endpoint Regex: (https?:\/\/[^\s\/]*\.hashicorp\.cloud(?::\d+)?)(?:\/[^\s]*)?

Verification
Verification is performed by sending a GET request to the Vault server's auth/token/lookup-self endpoint using the detected token in the X-Vault-Token header.

A response code of 200 OK indicates the token is valid. In this case, the detector extracts and returns metadata about the token to assist with remediation, including:

• Policies: The permissions associated with the token.

• Token Type: Whether it is a service or batch token.

• Entity ID: Useful for identifying the identity/owner and revoking the token.

• Attributes: orphan and renewable status.

A response code of 401 Unauthorized or 403 Forbidden indicates the token is invalid or has been revoked.

This verification is safe as lookup-self is a read-only metadata operation that does not consume secrets or trigger state changes within the Vault cluster.

Corpora Test

The detector does not appear in the list.

Checklist:

• Tests passing (make test-community)?
• Lint passing (make lint this requires golangci-lint)?

---

Note

Medium Risk
Adds a new detector that can perform live HTTP verification against discovered Vault Cloud endpoints, which introduces new outbound network behavior and potential false positives/negatives from regex matching. Also extends the shared DetectorType protobuf enum and default detector registry, affecting global wiring/serialization but in an additive way.

Overview
Adds a new HashiCorpVaultToken detector that finds hvs. and legacy s. Vault tokens, pairs them with discovered *.hashicorp.cloud endpoints, and (optionally) verifies tokens via GET /v1/auth/token/lookup-self using the X-Vault-Token header, returning token metadata in ExtraData when valid.

Registers the detector in the default engine detector list and updates tests to account for it having no cloud endpoint. Extends the protobuf DetectorType enum (and generated code) with HashiCorpVaultToken = 1044, and adds unit + integration coverage plus a benchmark for the new detector.

^{Written by Cursor Bugbot for commit d36bf4a. This will update automatically on new commits. Configure here.}

[cursor]

Regex \b silently truncates tokens ending with hyphen

Low Severity

The token regex includes - in the character class [A-Za-z0-9_-] but wraps the pattern in \b word boundary assertions. In RE2, - is a non-word character, so \b cannot match between a trailing - and end-of-string or whitespace. The regex engine silently backtracks and drops trailing - characters, producing a truncated token in Raw and RawV2 that would fail verification and be incorrect for remediation.

 

[MuneebUllahKhan222]

This is okay as a - doesn't appear at the end of token.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 3 total unresolved issues (including 2 from previous reviews).

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}