Insecure random for a security value in PHP
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
rand()/mt_rand()/uniqid()/lcg_value() are used on a line naming a token/secret/session/nonce. None are cryptographically secure; use random_bytes() or random_int(). This is a proximity heuristic.
Why it matters
PHP rand(), mt_rand(), lcg_value(), and uniqid() are not cryptographically secure: their outputs are predictable, and uniqid() is derived largely from the current time. Tokens or ids built from them can be guessed or enumerated. This is a proximity match against security wording on the line.
How to fix it
Use random_bytes() for raw entropy and random_int() for bounded integers, both of which draw from the OS CSPRNG. Encode random_bytes with bin2hex or base64 for a printable token. Reserve mt_rand/uniqid for non-security uses like cache-busting on trusted data.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo