
[INS-399] Added Bitbucket data center(on prem) PAT detector#4883

Merged
MuneebUllahKhan222 merged 4 commits into trufflesecurity:main from MuneebUllahKhan222:bitbucketdatacenter-detector
Apr 17, 2026

Conversation


@MuneebUllahKhan222 MuneebUllahKhan222 commented Apr 13, 2026

Description

This PR adds the Bitbucket Data Center Personal Access Token (PAT) Detector for TruffleHog.
It scans for Bitbucket Data Center (on-prem) personal access tokens (prefix BBDC-) and optionally verifies them against the on-prem Bitbucket REST API.

Regex: \b(BBDC-[A-Za-z0-9+/@_-]{40,50})\b

In addition to detecting tokens, the detector attempts to extract associated Bitbucket endpoints from nearby context (e.g., URLs containing atlassian or bitbucket) to enable accurate verification and also allows the user to configure the verification endpoint.


Verification

For verification, we use the Bitbucket Data Center REST API:

GET /rest/api/1.0/projects?limit=1

A request is sent to the detected Bitbucket base URL with the token in the header:

Authorization: Bearer <token>
Accept: application/json
  • 200 OK → token is valid
  • 401 Unauthorized → token is invalid or revoked
  • Other responses → treated as verification errors

This endpoint is part of the standard Bitbucket Data Center API and is read-only, making it safe for verification. It does not perform any destructive actions and only attempts to fetch a minimal list of projects.

Corpora Test

The detector does not appear in the list.

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?

Note

Medium Risk
Introduces a new network-verifying detector that may change scanning behavior via endpoint extraction and outbound HTTP requests, though it is isolated to a new detector and covered by tests.

Overview
Adds a new bitbucketdatacenter detector that identifies BBDC- prefixed Bitbucket Data Center PATs, associates them with nearby Bitbucket/Atlassian base URLs (or configured endpoints), and emits combined RawV2 results for verification.

When verification is enabled, the detector performs a read-only GET /rest/api/1.0/projects?limit=1 request with Authorization: Bearer <token> and marks results verified on 200, unverified on 401, and records other statuses/errors as verification errors; comprehensive unit tests cover pattern matching, endpoint handling, and verification outcomes/timeouts.

Extends the detector type enum by adding DetectorType_BitbucketDataCenter to detector_type.proto (and regenerated detector_type.pb.go).

Reviewed by Cursor Bugbot for commit 90bef4d.
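A stand-alone Go sketch of the detect-and-verify flow the description lays out (added illustration, not the PR's own detector code): the regex is the one quoted above, the base URL is whatever the caller passes in, the sample token is constructed, and the 200/401/other mapping follows the verification section.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"regexp"
)

// Regex quoted in the PR description: BBDC- prefix plus 40-50 token characters.
var bbdcPat = regexp.MustCompile(`\b(BBDC-[A-Za-z0-9+/@_-]{40,50})\b`)

// FindTokens returns every candidate token in a chunk of scanned text.
func FindTokens(data string) []string {
	var out []string
	for _, m := range bbdcPat.FindAllStringSubmatch(data, -1) {
		out = append(out, m[1])
	}
	return out
}

// VerifyToken runs the read-only check from the PR: GET /rest/api/1.0/projects?limit=1
// with a bearer token. 200 => verified, 401 => unverified, anything else => error.
func VerifyToken(ctx context.Context, client *http.Client, baseURL, token string) (bool, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, baseURL+"/rest/api/1.0/projects?limit=1", nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Accept", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return false, err // network error or timeout: a verification error, not "invalid"
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		return true, nil
	case http.StatusUnauthorized:
		return false, nil
	default:
		return false, fmt.Errorf("bitbucket verification: unexpected status %d", resp.StatusCode)
	}
}

func main() {
	// Constructed sample: a made-up 44-character token in a config-style line (not a real secret).
	fmt.Println(FindTokens("url=https://bitbucket.example.com token=BBDC-A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8S9t0U1v2"))
}
```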

@MuneebUllahKhan222 MuneebUllahKhan222 requested a review from a team April 13, 2026 11:30
@MuneebUllahKhan222 MuneebUllahKhan222 requested review from a team as code owners April 13, 2026 11:30
@MuneebUllahKhan222 MuneebUllahKhan222 changed the title Added Bitbucket data center(on prem) PAT detector [INS-399] Added Bitbucket data center(on prem) PAT detector Apr 13, 2026
Comment thread pkg/detectors/bitbucketdatacenter/bitbucketdatacenter.go Outdated

@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


Reviewed by Cursor Bugbot for commit 1ab3d98.

Comment thread pkg/detectors/bitbucketdatacenter/bitbucketdatacenter.go Outdated
// Bitbucket PATs start with the BBDC- prefix
// and are usually 40-50 characters long,
// consisting of alphanumerics plus a few special characters such as +, /, @, _ and -
userPat = regexp.MustCompile(`\b(BBDC-[A-Za-z0-9+/@_-]{40,50})(?:[^A-Za-z0-9+/@_-]|$)`)
Contributor


Are we sure that the length is variable? I'm asking because for Jira the length was fixed.

Contributor Author


I generated 10 tokens and they all had a fixed length of 44, but I have added a little relaxation in case there is a little bit of variation in different versions of on-prem tokens.
Also, the Bitbucket token has a BBDC- prefix, so we can get away with making the regex a bit loose.

Comment thread proto/detector_type.proto Outdated
Comment thread pkg/detectors/bitbucketdatacenter/bitbucketdatacenter.go Outdated
Contributor

@mustansir14 mustansir14 left a comment


Approving to unblock, but it would be great if you could incorporate those comments.

@MuneebUllahKhan222 MuneebUllahKhan222 merged commit 0112444 into trufflesecurity:main Apr 17, 2026
14 checks passed