Add detection rules for more secret formats #2603

Open
dgageot wants to merge 2 commits into docker:main from dgageot:board/additional-secret-detection-regex-patter-1ff4f7cd

dgageot commented Apr 30, 2026

Extends pkg/secretsscan with nine new detection rules on top of the
upstream Trivy / mcp-gateway catalogue. Each one targets a credential
format with a unique prefix so the keyword pre-filter stays cheap and
the regex's false-positive rate is low.

| Provider | Prefix |
| --- | --- |
| OpenAI (project / svc-acct / admin / current `sk-…` keys) | `T3BlbkFJ` marker |
| Anthropic Claude | `sk-ant-` |
| Google API key (Maps / Cloud / Firebase / Gemini) | `AIza` |
| Google OAuth client secret | `GOCSPX-` |
| DigitalOcean PAT | `dop_v1_` |
| Stripe webhook signing secret | `whsec_` |
| JFrog/Artifactory API key | `AKCp` |
| Tencent Cloud SecretId | `AKID` |
| Sentry user-auth token | `sntrys_` |

TestContainsSecretsRecognisesKnownTokens is extended to cover each
new rule and now also asserts that Redact removes the raw value.
The existing idempotency, linear-scaling and "marker is not a secret"
guard-rails still pass.

@dgageot dgageot requested a review from a team as a code owner April 30, 2026 10:29

@docker-agent docker-agent Bot left a comment

Assessment: 🟡 NEEDS ATTENTION

This PR adds nine new secret-detection rules with corresponding tests. The regexes are well-structured with unique keyword prefixes to keep pre-filtering cheap. One medium-severity concern was found in the changed code — details in the inline comment.

Comment thread pkg/secretsscan/rules.go
// anthropic-api-key. Claude keys follow
// `sk-ant-(api|sid)NN-<base64url>` and are ~108 chars long;
// the trailing "AA" is the standard base64 padding.
expression: `sk-ant-(api|sid)\d{2}-[A-Za-z0-9_-]{93}AA`,
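Review bot: The comment directly above the expression calls the trailing "AA" "the standard base64 padding", but base64 pads with "=", which is not in the `[A-Za-z0-9_-]` class used here, so the wording will mislead whoever next touches this rule; describe "AA" as a literal suffix the rule requires instead. The expression also matches exactly 108 characters (13-character prefix, 93-character body, "AA"), so "~108 chars long" should either be stated as exact or say what variation is expected.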

[MEDIUM] Anthropic key regex hard-codes exact body length — brittle to format variations

The regex `sk-ant-(api|sid)\d{2}-[A-Za-z0-9_-]{93}AA` requires the payload section to be exactly 93 characters followed by a literal `AA` suffix. While the accompanying comment says keys are "~108 chars long" and `AA` is standard base64 padding, using a fixed length means any key that doesn't precisely match this layout will silently escape detection.

Real Anthropic API keys come in at least two observed formats (api03-… and sid01-…), and Anthropic could change the key length in a future rotation without notice. A more resilient pattern would use a minimum bound:

```go
// Current (brittle — misses keys of any other length)
expression: `sk-ant-(api|sid)\d{2}-[A-Za-z0-9_-]{93}AA`

// More resilient alternative
expression: `sk-ant-(api|sid)\d{2}-[A-Za-z0-9_-]{90,100}AA`
```

If the exact 93-char length is a deliberate high-precision choice to minimise false positives, it would help to document that reasoning in the comment so future maintainers don't wonder why it's a fixed count.
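
An added example (not code from this PR or from `pkg/secretsscan`) that runs the two expressions quoted in the review comment over constructed, non-functional tokens of different body lengths. `fakeKey`, `detect` and `redact` are hypothetical helpers, and the literal pre-filter only imitates the keyword check the description mentions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Both expressions are copied from the review comment.
var (
	fixedRule   = regexp.MustCompile(`sk-ant-(api|sid)\d{2}-[A-Za-z0-9_-]{93}AA`)
	boundedRule = regexp.MustCompile(`sk-ant-(api|sid)\d{2}-[A-Za-z0-9_-]{90,100}AA`)
)

// keyword is the cheap literal checked before the regex runs (assumed
// shape of a keyword pre-filter, not the package's real API).
const keyword = "sk-ant-"

// fakeKey builds a constructed, non-functional token with an n-character body.
func fakeKey(kind string, n int) string {
	return "sk-ant-" + kind + "-" + strings.Repeat("x", n) + "AA"
}

// detect reports whether text holds a match, skipping the regex when
// the keyword is absent.
func detect(re *regexp.Regexp, text string) bool {
	return strings.Contains(text, keyword) && re.MatchString(text)
}

// redact replaces every match with a marker; re-running it is a no-op
// because the marker does not contain the keyword.
func redact(re *regexp.Regexp, text string) string {
	if !strings.Contains(text, keyword) {
		return text
	}
	return re.ReplaceAllString(text, "[REDACTED]")
}

func main() {
	for _, n := range []int{89, 90, 93, 100, 101} {
		line := "ANTHROPIC_API_KEY=" + fakeKey("api03", n)
		fmt.Printf("body=%3d fixed=%-5v bounded=%-5v redacted=%s\n",
			n, detect(fixedRule, line), detect(boundedRule, line), redact(boundedRule, line))
	}
	// The bare prefix is a marker, not a secret: neither rule fires.
	fmt.Println(detect(fixedRule, "keys start with sk-ant-api03-"))
}
```

Bodies of 89 and 101 characters escape both rules, so the bounded form widens coverage but still encodes a length assumption that needs the same documentation as the fixed one.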
