System.Random used to generate a security-sensitive value
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
new Random() is a non-cryptographic PRNG with a small, guessable seed space. A line that constructs one alongside naming like token/password/otp/secret/session/reset/verification/apikey/nonce suggests it is generating a value that needs to be unguessable, which System.Random cannot provide.
Why it matters
System.Random is a deterministic pseudo-random generator seeded from a small, predictable space (by default, the current time), designed for things like shuffling a list or picking a random display value, not for security. When it is used to generate something like a password-reset token, a session identifier, or a one-time code, an attacker who can narrow down roughly when it was generated has a realistic shot at guessing or brute-forcing the value.
How to fix it
Use RandomNumberGenerator (System.Security.Cryptography) to produce the random bytes for anything security-sensitive, then encode them as base64 or hex for use as a token. RandomNumberGenerator.GetBytes(n) is the standard, cryptographically secure replacement in modern .NET.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo