False positives in gitleaks SSN checking
Summary
The gitleaks SSN rule is too general and causes false positives.
Steps to reproduce
Run Secret Detection on a project that contains the string "13202-30-293725".
What is the current bug behavior?
gitleaks mistakenly characterizes the string "13202-30-293725" as being an SSN.
What is the expected correct behavior?
gitleaks should not generate an error for this string.
In the gitleaks test:
- GitLeaks ignores SSNs that start with more than 3 numeric characters.
- GitLeaks ignores SSNs that end with more than 4 numeric characters.
- GitLeaks ignores SSNs that start with numbers above 6.
Regular expression that could be used: `^(?!000|666)[0-8][0-9]{2}-(?!00)[0-9]{2}-(?!0000)[0-9]{4}$`
Possible fixes
The regex at https://gitlab.com/gitlab-org/security-products/analyzers/secrets/-/blob/770604967e26cb2896356d56740b014bfa1e1f51/gitleaks.toml#L91 should be modified so that it checks for non-digit characters at the start and end of the regex.
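Added example (not from the issue or from gitleaks itself) showing why boundary checks matter: a scanner matches inside file content rather than whole strings, so the `^`/`$` anchors from the regex above are swapped for non-digit lookarounds. The loose pattern is an assumed stand-in for an over-general rule, not the actual expression in gitleaks.toml; the sample lines are constructed.

```python
import re

# Assumed shape of an over-general SSN rule: three, two and four digits joined
# by hyphens, with no check of what surrounds the match. This is an assumption
# for illustration, not the real expression from gitleaks.toml.
LOOSE_SSN = re.compile(r"\d{3}-\d{2}-\d{4}")

# Tightened rule: the issue's regex with ^ and $ replaced by lookarounds that
# require a non-digit (or start/end of input) on both sides of the match.
STRICT_SSN = re.compile(
    r"(?<!\d)(?!000|666)[0-8]\d{2}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)"
)

# Constructed sample content standing in for scanned source files.
SAMPLE = """\
order_id = "13202-30-293725"
ssn = "123-45-6789"
bad_area = "000-12-3456"
bad_group = "123-00-4567"
bad_serial = "123-45-0000"
trailing = "123-45-67890"
"""


def find_ssns(pattern, text):
    """Return every substring of text that the given pattern flags as an SSN."""
    return [m.group(0) for m in pattern.finditer(text)]


def compare(text=SAMPLE):
    """Run both rules over the same content so the false positives are visible."""
    return {
        "loose": find_ssns(LOOSE_SSN, text),
        "strict": find_ssns(STRICT_SSN, text),
    }


if __name__ == "__main__":
    result = compare()
    print("loose :", result["loose"])   # flags a slice of the order id and every malformed value
    print("strict:", result["strict"])  # only the well-formed, isolated SSN
```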
Edited by Lucas Charles