
[INS-399] Added Bitbucket data center(on prem) PAT detector#4883

Open
MuneebUllahKhan222 wants to merge 2 commits intotrufflesecurity:mainfrom
MuneebUllahKhan222:bitbucketdatacenter-detector

Conversation

Contributor

@MuneebUllahKhan222 MuneebUllahKhan222 commented Apr 13, 2026

Description

This PR adds the Bitbucket Data Center Personal Access Token (PAT) Detector for TruffleHog.
It scans for Bitbucket Data Center (on-prem) personal access tokens (prefix BBDC-) and optionally verifies them against the on-prem Bitbucket REST API.

Regex: \b(BBDC-[A-Za-z0-9+/@_-]{40,50})\b

In addition to detecting tokens, the detector attempts to extract associated Bitbucket endpoints from nearby context (e.g., URLs containing atlassian or bitbucket) to enable accurate verification and also allows the user to configure the verification endpoint.


Verification

For verification, we use the Bitbucket Data Center REST API:

GET /rest/api/1.0/projects?limit=1

A request is sent to the detected Bitbucket base URL with the token in the header:

Authorization: Bearer <token>
Accept: application/json
  • 200 OK → token is valid
  • 401 Unauthorized → token is invalid or revoked
  • Other responses → treated as verification errors

This endpoint is part of the standard Bitbucket Data Center API and is read-only, making it safe for verification. It does not perform any destructive actions and only attempts to fetch a minimal list of projects.

Corpora Test

The detector does not appear in the list.

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?

Note

Medium Risk
Adds a new detector that extracts host URLs from surrounding text and performs outbound verification requests against Bitbucket Data Center instances, which could affect scan behavior and network access. Changes also extend the shared DetectorType enum, requiring downstream compatibility with the new value.

Overview
Adds a new bitbucketdatacenter detector that finds BBDC- personal access tokens, associates them with discovered or configured Bitbucket base URLs, and (optionally) verifies candidates via GET /rest/api/1.0/projects?limit=1 using a bearer token.

Extends detector_type.proto/generated code with a new DetectorType_BitbucketDataCenter enum value and includes unit tests covering token/url matching and verification outcomes (200/401/unexpected status/timeout) using mocked HTTP.

Reviewed by Cursor Bugbot for commit 1ab3d98. Bugbot is set up for automated code reviews on this repo. Configure here.
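As an added illustration of the verification flow described above (example code, not code from the PR or the TruffleHog project), a small Go verifyToken that maps the three outcomes the description lists, plus a constructed httptest stand-in for a Data Center instance; the stub, its JSON body and the token value are assumptions.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type VerifyResult int // three-way outcome the PR maps response codes to
const (
	Verified VerifyResult = iota // 200 OK: token is live
	Invalid                      // 401 Unauthorized: invalid or revoked
	Unknown                      // any other status, or a transport error
)

// verifyToken sends the read-only projects request with the PAT as a bearer token.
func verifyToken(ctx context.Context, client *http.Client, baseURL, token string) (VerifyResult, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, baseURL+"/rest/api/1.0/projects?limit=1", nil)
	if err != nil {
		return Unknown, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Accept", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return Unknown, err // timeout or connection failure: cannot tell either way
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		return Verified, nil
	case http.StatusUnauthorized:
		return Invalid, nil
	default:
		return Unknown, fmt.Errorf("unexpected status %d from %s", resp.StatusCode, baseURL)
	}
}

// newFakeBitbucket is a constructed stand-in: 200 on the projects endpoint for one token, 401 otherwise, 404 elsewhere.
func newFakeBitbucket(validToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/rest/api/1.0/projects" {
			w.WriteHeader(http.StatusNotFound)
		} else if r.Header.Get("Authorization") != "Bearer "+validToken {
			w.WriteHeader(http.StatusUnauthorized)
		} else {
			fmt.Fprint(w, `{"size":0,"values":[]}`)
		}
	}))
}
```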

@MuneebUllahKhan222 MuneebUllahKhan222 requested a review from a team April 13, 2026 11:30
@MuneebUllahKhan222 MuneebUllahKhan222 requested review from a team as code owners April 13, 2026 11:30
@MuneebUllahKhan222 MuneebUllahKhan222 changed the title Added Bitbucket data center(on prem) PAT detector [INS-399] Added Bitbucket data center(on prem) PAT detector Apr 13, 2026

@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


// consisting of both alphanumeric and some special character like +, _, @ and etc
userPat = regexp.MustCompile(`\b(BBDC-[A-Za-z0-9+/@_-]{40,50})(?:[^A-Za-z0-9+/@_-]|$)`)

urlPat = regexp.MustCompile(detectors.PrefixRegex([]string{"atlassian", "bitbucket"}) + `(https://[a-zA-Z0-9.-]+(?::\d+)?)`)

URL regex excludes HTTP for on-prem instances

Medium Severity

The urlPat regex hardcodes https:// for URL auto-discovery, but this detector specifically targets Bitbucket Data Center (on-prem) instances, which commonly run over plain http://. Tokens near http:// Bitbucket URLs won't be paired with an endpoint and will be silently dropped (producing zero results even though a valid token was found).


Contributor Author


Yeah, this is something that I would like the opinion of the reviewers on. It does make sense to make it detect http URLs as well, but I don't know how secure it is and when it will cause the potential risk of SSRF attacks.

Contributor


I agree with the bot on this. By not including http URLs, we may miss out on potential matches. Regarding the security concern, we have many detectors like Portainer, OpenVPN, HashiCorp Vault, Metabase, LiveAgent etc. that support on-prem instances and detect HTTP-based URLs too, so I guess it's fine.

// Bitbucket pat start with BBDC- prefix
// and are usually between the length of 40-50 character
// consisting of both alphanumeric and some special character like +, _, @ and etc
userPat = regexp.MustCompile(`\b(BBDC-[A-Za-z0-9+/@_-]{40,50})(?:[^A-Za-z0-9+/@_-]|$)`)
Contributor


Are we sure that the length is variable? I'm asking because for Jira the length was fixed.

ArtifactoryReferenceToken = 1042;
DatadogApikey = 1043;
ShopifyOAuth = 1044;
BitbucketDataCenter=1045;
Contributor


nit: can we have consistent formatting here?

var _ detectors.EndpointCustomizer = (*Scanner)(nil)

var (
defaultClient = detectors.DetectorHttpClientWithNoLocalAddresses
Contributor


We may want to switch this to detectors.SaneHttpClient if we agree on detecting http URLs.

Contributor

@mustansir14 mustansir14 Apr 15, 2026


Update: It seems detectors.DetectorHttpClientWithLocalAddresses is a better option

Contributor

@mustansir14 mustansir14 left a comment


Approving to unblock, but it would be great if you could incorporate those comments.
