
Add Figma Personal Access Token v3 Detector #4790

Open
shahzadhaider1 wants to merge 10 commits into trufflesecurity:main from shahzadhaider1:INS-381-figma-v3

Conversation


@shahzadhaider1 shahzadhaider1 commented Mar 5, 2026

Summary

Adds a v3 detector for Figma Personal Access Tokens to support the new figp_ prefixed token format. Also refactors the shared verification logic across all three detector versions to eliminate code duplication.

Changes

New v3 detector (figp_ prefix)

  • Regex pattern: figp_[a-zA-Z0-9_=-]{40,54} as specified by Figma
  • Keyword pre-filter uses figp_ for efficient chunk matching
  • No word boundary (\b) assertions are used, since the token character set includes non-word characters (= and -), which are incompatible with \b

Verification logic refactored into shared VerifyMatch function

  • Extracted the common verification logic into an exported VerifyMatch function in the v1 package
  • v2 and v3 now import and call v1.VerifyMatch instead of duplicating the HTTP verification inline

Verification details

  • Endpoint: GET https://api.figma.com/v1/me with X-Figma-Token header
  • 200 -> verified
  • 403 -> unverified (Figma returns 403 for invalid, expired, or revoked tokens, as well as valid tokens that lack the required scopes for the requested resource)
  • Any other status -> unverified with verification error (indeterminate)

Testing

  • Unit tests added for v3 covering valid pattern matching and invalid pattern rejection
  • Integration tests added for v3 but currently skipped as the new figp_ token format is not yet available for generation in Figma. Tests will be unskipped once v3 secrets are provisioned in GCP.
  • Existing v1 and v2 tests remain unchanged and continue to pass

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint; this requires golangci-lint)?
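Worked example of the two pieces the description above specifies: the figp_ pattern with the figp_ keyword prefilter and no \b assertions, and the GET /v1/me verification with its 200 / 403 / other status mapping. This is added illustration code, not code from this PR or from the trufflehog repository; FindTokens, VerifyToken, Status, SampleToken and NewFakeFigma are names chosen for the example, the sample token is constructed and non-functional, and api.figma.com is replaced by a local httptest server so the whole thing runs offline.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// Pattern and keyword as stated in the PR description. No \b is used on purpose: '=' and '-'
// are non-word characters, so a boundary assertion next to them would drop real tokens.
var tokenPat = regexp.MustCompile(`figp_[a-zA-Z0-9_=-]{40,54}`)

const keyword = "figp_"

// SampleToken is a constructed, non-functional token of valid shape (44 characters after the prefix).
const SampleToken = "figp_" + "AbCdEf0123456789-_=AbCdEf0123456789-_=AbCdEf"

// FindTokens mirrors the detector's two stages: a cheap keyword prefilter on the chunk, then the
// regex, with duplicate matches collapsed so each candidate is verified once.
func FindTokens(chunk string) []string {
	if !strings.Contains(chunk, keyword) {
		return nil
	}
	seen := make(map[string]struct{})
	var out []string
	for _, m := range tokenPat.FindAllString(chunk, -1) {
		if _, dup := seen[m]; dup {
			continue
		}
		seen[m] = struct{}{}
		out = append(out, m)
	}
	return out
}

// Status is the three-way verification outcome the PR describes.
type Status int

const (
	Unverified Status = iota
	Verified
	Indeterminate
)

func (s Status) String() string { return [...]string{"unverified", "verified", "indeterminate"}[s] }

// VerifyToken sends GET {baseURL}/v1/me with the X-Figma-Token header and maps the response as the
// PR states: 200 -> Verified, 403 -> Unverified, anything else -> Indeterminate plus an error.
func VerifyToken(ctx context.Context, client *http.Client, baseURL, token string) (Status, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, baseURL+"/v1/me", nil)
	if err != nil {
		return Indeterminate, err
	}
	req.Header.Set("X-Figma-Token", token)
	res, err := client.Do(req)
	if err != nil {
		return Indeterminate, err
	}
	defer res.Body.Close()
	switch res.StatusCode {
	case http.StatusOK:
		return Verified, nil
	case http.StatusForbidden:
		// Figma returns 403 for bad tokens and for valid tokens lacking scope, indistinguishable here.
		return Unverified, nil
	default:
		return Indeterminate, fmt.Errorf("unexpected HTTP status %d from %s", res.StatusCode, req.URL)
	}
}

// NewFakeFigma stands in for api.figma.com (constructed for this example): /v1/me answers with the
// status mapped to the presented token, 403 for unknown tokens, and 404 for any other path.
func NewFakeFigma(statusByToken map[string]int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/v1/me" {
			w.WriteHeader(http.StatusNotFound)
			return
		}
		code, ok := statusByToken[r.Header.Get("X-Figma-Token")]
		if !ok {
			code = http.StatusForbidden
		}
		w.WriteHeader(code)
	}))
}

func main() {
	chunk := `FIGMA_TOKEN="` + SampleToken + `"` + "\nold: figp_tooshort\n" // constructed input
	revoked, flaky := "figp_"+strings.Repeat("x", 40), "figp_"+strings.Repeat("y", 40)
	srv := NewFakeFigma(map[string]int{SampleToken: http.StatusOK, flaky: http.StatusBadGateway})
	defer srv.Close()
	for _, tok := range append(FindTokens(chunk), revoked, flaky) {
		st, err := VerifyToken(context.Background(), srv.Client(), srv.URL, tok)
		fmt.Printf("%s... -> %s (err=%v)\n", tok[:12], st, err)
	}
}
```

Two properties of the stated pattern are worth keeping in mind when reading results: because there is no trailing boundary, a token that ends in `=` or `-` still matches (the reason the description gives for dropping \b), and a candidate longer than 54 characters after the prefix matches only its first 54, so verification of such a truncated match would return 403 rather than 200.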

Note

Low Risk
Adds a new detector and consolidates existing verification code without changing external APIs. Main risk is minor behavioral drift in verification error handling for v1/v2 due to the refactor.

Overview
Adds a new v3 Figma Personal Access Token detector to recognize the figp_ token format, including keyword prefiltering, regex matching, and (skipped) integration + unit test coverage.

Refactors v1/v2 verification to call a shared figmapersonalaccesstoken.VerifyMatch helper (handles GET https://api.figma.com/v1/me and status mapping) and updates integration test expectations/field ignores accordingly. Registers the v3 scanner in defaults so it runs by default.

Reviewed by Cursor Bugbot for commit 90b6ac1.

Comment thread pkg/detectors/figmapersonalaccesstoken/v3/figmapersonalaccesstoken.go Outdated
@shahzadhaider1 shahzadhaider1 changed the title from "added v3 for figma pat" to "Add Figma Personal Access Token v3 Detector" Mar 6, 2026
@shahzadhaider1 shahzadhaider1 marked this pull request as ready for review March 6, 2026 17:40
@shahzadhaider1 shahzadhaider1 requested a review from a team March 6, 2026 17:40
@shahzadhaider1 shahzadhaider1 requested a review from a team as a code owner March 6, 2026 17:40

Comment thread pkg/detectors/figmapersonalaccesstoken/v2/figmapersonalaccesstoken_v2.go Outdated

@amanfcp amanfcp left a comment


💯


```go
switch res.StatusCode {
case http.StatusOK:
	return true, nil
```

Refactored verification narrows accepted success status codes

Low Severity

The shared VerifyMatch function only treats http.StatusOK (200) as verified, but the original v1 and v2 inline logic treated the entire 2xx range (StatusCode >= 200 && StatusCode < 300) as verified. Any non-200 success response (e.g., 201, 204) now falls into the default case and is reported as an unexpected error instead of being marked as verified. This is a behavioral regression introduced during the refactoring.


Reviewed by Cursor Bugbot for commit ff9b319.

Contributor Author


ok cursor


@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).


Reviewed by Cursor Bugbot for commit 864d266.

Comment thread pkg/detectors/figmapersonalaccesstoken/v3/figmapersonalaccesstoken.go Outdated
@shahzadhaider1 shahzadhaider1 added the review/product-eng Team integrations reviewed, awaiting product-eng review label Apr 28, 2026