Math.random() for a security value
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
Math.random() produces predictable output and is used on a line naming a token/secret/session/nonce/key. Use crypto.randomBytes or the Web Crypto API. This is a proximity heuristic.
Why it matters
Math.random() is a non-cryptographic PRNG whose internal state can be recovered from a few outputs, so tokens, session ids, or OTPs built from it are predictable to an attacker. This is a proximity match: it fired because a security-related word sits on the same line. If the value is truly not security-sensitive it may be a false positive.
How to fix it
Use crypto.getRandomValues (browser) or crypto.randomBytes / crypto.randomUUID (Node) for anything an attacker should not be able to guess: tokens, ids, OTPs, nonces, salts, keys. Keep Math.random for cosmetic or simulation values. Convert the random bytes to your needed format (hex, base64url) rather than truncating.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo