Storyblok Detector Fails to Detect Personal Access Token

[joeleonjr]

Actual Behavior

The Storyblok detector alerts on access tokens (which are tied to a Storyblok space), but not personal access tokens that access the Storyblok Management API. The REGEX for the personal access tokens is different than the CDN keys.

Suggested Improvements

1. Update the existing verification check to exclude "Public" access tokens from being marked as valid, since these are meant to be exposed client-side and are not secrets.
2. There is an argument to be made that "Preview" access tokens should remain private, though the impact is probably not that great, so I believe those should continue to be considered secrets.
3. There are two other new access token types: "Theme" and "Asset". I'm unclear as to whether they should be considered a secret or not and the Storyblok docs aren't updated yet with details.
4. Add a new detector for the Storyblock Management API key type. Maybe it's just the same detector with a separate REGEX and a field in extra_data indicating that it's for a different service within Storyblok. These keys have the largest impact.