Will It Vibe logoWill It Vibe?
CRYPTO-013Medium severity-8 points

Insecure random for a security value in Python

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

The random module is a Mersenne Twister (not cryptographic) and is used on a line naming a token/secret/session/nonce. Use the secrets module or os.urandom. This is a proximity heuristic.

Why it matters

Python's random module is a Mersenne Twister: its full state can be reconstructed from 624 outputs, making every subsequent value predictable. Tokens, OTPs, or session ids built from it are guessable. This is a proximity match against security wording on the line, so verify the value is actually security-sensitive.

How to fix it

Use the secrets module for security values: secrets.token_urlsafe, secrets.token_hex, secrets.randbelow, or os.urandom. Keep random for simulations, sampling, and reproducible test data. Do not seed secrets; it draws from the OS CSPRNG.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks