Insecure random for a security value in Python
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
The random module is a Mersenne Twister (not cryptographic) and is used on a line naming a token/secret/session/nonce. Use the secrets module or os.urandom. This is a proximity heuristic.
Why it matters
Python's random module is a Mersenne Twister: its full state can be reconstructed from 624 outputs, making every subsequent value predictable. Tokens, OTPs, or session ids built from it are guessable. This is a proximity match against security wording on the line, so verify the value is actually security-sensitive.
How to fix it
Use the secrets module for security values: secrets.token_urlsafe, secrets.token_hex, secrets.randbelow, or os.urandom. Keep random for simulations, sampling, and reproducible test data. Do not seed secrets; it draws from the OS CSPRNG.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo