Will It Vibe logoWill It Vibe?
SHELL-010Low severity-4 points

$RANDOM used for a security-sensitive value

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.

What it detects

bash's $RANDOM is a simple 15-bit LCG-style generator, not a cryptographically secure source: its range is small and, in older bash versions, predictable enough to brute-force or guess. Building a token, password, session id, or similar value from it is a heuristic match on naming, so verify the specific value's purpose before treating this as urgent, but a genuinely security-sensitive value should come from a CSPRNG (openssl rand, /dev/urandom, uuidgen) instead.

Why it matters

bash's $RANDOM is a simple, small-range generator (0-32767) built for things like retry jitter or test fixture variety, not for security. It is not cryptographically secure, and in some bash versions its sequence is predictable enough to guess or brute-force. This is a heuristic match on the variable name suggesting a token/password/session id; the specific value's actual purpose should be confirmed before treating it as urgent.

How to fix it

Generate security-sensitive values with a real CSPRNG: openssl rand -hex 32, head -c 32 /dev/urandom | base64, or uuidgen for an identifier that does not need to be secret but should be unguessable. Reserve $RANDOM for genuinely non-security uses like jitter or sampling.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks