$RANDOM used for a security-sensitive value
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
bash's $RANDOM is a simple 15-bit LCG-style generator, not a cryptographically secure source: its range is small and, in older bash versions, predictable enough to brute-force or guess. Building a token, password, session id, or similar value from it is a heuristic match on naming, so verify the specific value's purpose before treating this as urgent, but a genuinely security-sensitive value should come from a CSPRNG (openssl rand, /dev/urandom, uuidgen) instead.
Why it matters
bash's $RANDOM is a simple, small-range generator (0-32767) built for things like retry jitter or test fixture variety, not for security. It is not cryptographically secure, and in some bash versions its sequence is predictable enough to guess or brute-force. This is a heuristic match on the variable name suggesting a token/password/session id; the specific value's actual purpose should be confirmed before treating it as urgent.
How to fix it
Generate security-sensitive values with a real CSPRNG: openssl rand -hex 32, head -c 32 /dev/urandom | base64, or uuidgen for an identifier that does not need to be secret but should be unguessable. Reserve $RANDOM for genuinely non-security uses like jitter or sampling.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo