
feat: add MercadoPago credentials detector#5082

Open
sergioperezcheco wants to merge 1 commit into trufflesecurity:main from sergioperezcheco:feat/add-mercadopago-detector
Conversation

@sergioperezcheco sergioperezcheco commented Jun 27, 2026

Summary

Add a new secret detector for MercadoPago, Latin America's largest payment processing platform.

Credential Types Detected

1. Access Token (High Severity)

APP_USR-{16-digit-userid}-{6-digit-date}-{32-char-hex-hash}__XX_XX__-{merchant-id}
  • Regex: \bAPP_USR-\d{16}-\d{6}-[a-f0-9]{32}__[A-Z]{2}_[A-Z]{2}__-\d+\b
  • Provides full access to payment processing, transaction history, customer data
  • Verification: GET /v1/payments/search with Bearer auth

2. Public Key (Low Severity)

APP_USR-{uuid}
  • Regex: \bAPP_USR-[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\b
  • Useful for context in secret reports
  • Verification: GET /v1/payment_methods with Bearer auth

Verification

Both types verified against MercadoPago REST API:

  • Valid → 200 OK
  • Invalid/expired → 401 Unauthorized (determinate)
  • Other → indeterminate error

Changes

  • proto/detector_type.proto: Added MercadoPago = 1054
  • pkg/pb/detector_typepb/detector_type.pb.go: Regenerated
  • pkg/detectors/mercadopago/mercadopago.go: Detector with dual-regex (access token + public key)
  • pkg/detectors/mercadopago/mercadopago_test.go: 13 pattern test cases
  • pkg/detectors/mercadopago/mercadopago_integration_test.go: Integration test template
  • pkg/engine/defaults/defaults.go: Registered detector

Tests (13 cases, all passing)

  • ✅ Valid access token (LA region)
  • ✅ Valid access token (BR region)
  • ✅ Valid public key (UUID format)
  • ✅ Both access token + public key in same input
  • ✅ YAML config format
  • ✅ Bearer header format
  • ✅ Multiple access tokens
  • ❌ Hash too short (8 chars vs 32)
  • ❌ Missing merchant ID
  • ❌ Public key wrong format
  • ❌ No APP_USR prefix
  • ❌ User ID too short (8 digits vs 16)

Closes

Closes #4620

Checklist

  • Detector follows existing patterns (Keywords, FromData, SecretParts)
  • Verification uses non-destructive read-only API calls
  • Unit tests pass (13/13)
  • go vet clean
  • Full build succeeds

Note

Low Risk
Isolated new detector package and enum registration following existing TruffleHog patterns; verification uses read-only GETs with no changes to core scan logic.

Overview
Adds MercadoPago secret scanning for APP_USR-* credentials: full access tokens (structured merchant token regex) and public keys (UUID-shaped APP_USR- values), each emitted with distinct SecretParts labels.

When verification is enabled, tokens are checked via read-only MercadoPago API calls (/v1/payments/search for access tokens, /v1/payment_methods for public keys), treating 200 as verified and 401/403 as invalid.

Registers the new detector as MercadoPago = 1054 in proto/generated enums and wires mercadopago.Scanner into default engine detectors, with unit, integration, and benchmark tests.

Reviewed by Cursor Bugbot for commit 4d5a75f.

Add detector for MercadoPago payment platform credentials (Latin America's
largest payment processor). Detects two credential types:

- Access Token (APP_USR-{16-digit-id}-{6-digit-date}-{32-char-hex}__XX_XX__-{merchant-id})
  These are high-severity secrets providing full access to payment processing.
- Public Key (APP_USR-{uuid})
  Lower-risk but useful for context in secret reports.

Verification uses MercadoPago's REST API:
- Access tokens: GET /v1/payments/search (returns 200 if valid, 401 if not)
- Public keys: GET /v1/payment_methods (returns 200 if valid, 401 if not)

Keywords: APP_USR-
13 pattern test cases (7 valid, 5 invalid, 1 edge case)

Closes trufflesecurity#4620
@sergioperezcheco sergioperezcheco requested a review from a team June 27, 2026 15:55
@sergioperezcheco sergioperezcheco requested review from a team as code owners June 27, 2026 15:55
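The two regexes quoted in the PR description, exercised as an added, stand-alone Go example (not the PR's own detector code): it applies the access-token and public-key patterns to a constructed config snippet, labels each match by credential type the way the PR's SecretParts labels do, and shows the "hash too short" negative case from the test list being rejected. Names such as Classify, Finding and SampleConfig are assumptions of this example, and the credential values are made up.

```go
package main

import (
	"regexp"
	"strings"
)

// Added example, not the PR's code: the two patterns quoted in the PR
// description. The access-token shape is the more specific one and runs first.
var (
	accessTokenPat = regexp.MustCompile(`\bAPP_USR-\d{16}-\d{6}-[a-f0-9]{32}__[A-Z]{2}_[A-Z]{2}__-\d+\b`)
	publicKeyPat   = regexp.MustCompile(`\bAPP_USR-[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\b`)
)

// Finding carries what a detector result would: the credential type (the
// label the PR attaches via SecretParts) and the raw matched value.
type Finding struct {
	Kind string // "access_token" or "public_key"
	Raw  string
}

// Classify returns each distinct MercadoPago-shaped credential in data. The
// prefix check mirrors the detector's Keywords() gate ("APP_USR-").
func Classify(data string) []Finding {
	if !strings.Contains(data, "APP_USR-") {
		return nil
	}
	seen := map[string]bool{}
	var out []Finding
	collect := func(kind string, pat *regexp.Regexp) {
		for _, m := range pat.FindAllString(data, -1) {
			if !seen[m] {
				seen[m] = true
				out = append(out, Finding{Kind: kind, Raw: m})
			}
		}
	}
	collect("access_token", accessTokenPat)
	collect("public_key", publicKeyPat)
	return out
}

// SampleConfig is constructed input, not a real credential: a valid access
// token, a valid public key, and a token whose hex hash is only 16 characters
// (the "hash too short" negative case from the PR's test list).
const SampleConfig = `mercadopago:
  access_token: APP_USR-1234567890123456-012345-0123456789abcdef0123456789abcdef__LA_AR__-123456789
  public_key: APP_USR-12345678-abcd-1234-abcd-123456789abc
  stale_token: APP_USR-1234567890123456-012345-0123456789abcdef__LA_AR__-123456789
`
```

Running Classify over SampleConfig yields exactly two findings, one of each kind; the 16-character hash line matches neither pattern, which is the behaviour the PR's negative test asserts.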
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

t.Fatalf("wantVerificationError = %v, verification error = %v", tt.wantVerificationErr, got[i].VerificationError())
}
}
ignoreOpts := cmpopts.IgnoreFields(detectors.Result{}, "Raw", "verificationError")
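Review bot: the ignoreOpts line only names "Raw" and "verificationError", so any other unexported field on detectors.Result still reaches cmp.Diff, which panics on unexported fields it has not been told to handle; prefer cmpopts.IgnoreUnexported(detectors.Result{}) as other integration tests in the repo do, and either add SecretParts to the ignored fields or populate it in the want values so the comparison does not mismatch.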

Integration test ignoreOpts missing fields causes panic

Low Severity

The cmpopts.IgnoreFields call only handles "Raw" and "verificationError", but detectors.Result has additional unexported fields (primarySecret, chunkOffset, chunkOffsetSet) that will cause cmp.Diff to panic when encountering unhandled unexported fields. Additionally, SecretParts is populated by the detector but not listed in the ignore options and not set in the expected want values, which would cause a comparison mismatch. Other detectors (e.g., hashicorpvaultauth) fixed this by using cmpopts.IgnoreUnexported(detectors.Result{}) instead.
