Plugin for PyPI api tokens

[Chandra158]

Please check if the PR fulfills these requirements

• Tests for the changes have been added

• Docs have been added / updated

• All CI checks are green

What kind of change does this PR introduce?

• Feature: new plugin for PyPI tokens
• Token format:

PyPI token is bound to start with:
pypi-AgEIcHlwaS5vcmc[A-Za-z0-9-_]{70,}
A token can be arbitrary long because we may add arbitrary many caveats.

Tests

• New test added for plugin

[lorenzodb1]

Two questions:

1. does the TestPypi token have the same format?
2. is there a way to check the validity of the token?

[Chandra158]

1. does the TestPypi token have the same format?

TestPypi has different format: pypi-AgENdGVzdC5weXBpLm9yZw[A-Za-z0-9-_]{70,}

2. is there a way to check the validity of the token?

This is not supported yet. (refs)
There're some hacky way to do it but it'd also require other details like username in addition to the token.

[lorenzodb1]

Could you add checks for Test Pypi too?

There're some hacky way to do it but it'd also require other details like username in addition to the token.

Do you think is something we could add as optional? Maybe you could add it as a configurable option for the user in the baseline file.

[Chandra158]

Added a new commit for the test.pypi tokens.

Do you think is something we could add as optional?
There're some hacky way t

I misunderstood pypitoken apis; this is only possible if the token is created by us. Not suitable for detect-secrets.
IMO, there's no way to validate yet.