Constant PRNG seed
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
Seeding a PRNG with a constant makes its output fully predictable. Harmless for reproducible simulations, but dangerous if the stream feeds security values. This is a heuristic; non-test files only.
Why it matters
Seeding a PRNG with a constant makes the entire output sequence identical on every run and fully predictable. That is fine for reproducible simulations or tests, but if the same generator later produces tokens, ids, or keys, an attacker can reproduce them exactly. This is a heuristic and is often benign, so confirm how the stream is used.
How to fix it
For anything security-sensitive, do not seed a general-purpose PRNG at all; use a cryptographic RNG (crypto.randomBytes, os.urandom/secrets, crypto/rand, SecureRandom) which seeds itself from the OS. Keep constant seeds only in tests or simulations that need determinism, and keep that code away from token or key generation. Make the two uses visibly separate.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo