Will It Vibe?
SEC-011Medium severity-8 points

Weak randomness for a security-sensitive value

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

Math.random() used near token/password/secret naming is not cryptographically secure.

Why it matters

Math.random is predictable: its output can be reconstructed from a few observed values, so tokens built with it can be guessed. A guessable reset token or session id lets an attacker take over accounts without ever touching a password. The secure random APIs cost one extra line.

How to fix it

Use the platform CSPRNG: crypto.randomUUID() or crypto.getRandomValues() in browsers and modern Node, or crypto.randomBytes(32).toString('hex') in Node servers. Keep tokens at 128 bits of randomness or more. Math.random stays fine for non-security uses like animations or sampling.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks