Critiq Docs


security.cryptography

Do not seed math/rand for security-sensitive randomness

`rand.Seed` from `math/rand` produces predictable streams; security-sensitive code must use `crypto/rand`.

# Metadata

| Field | Value |
|---|---|
| Rule ID | `go.security.insecure-rand-seed` |
| Severity | medium |
| Confidence | 0.72 |
| Languages | go |
| Presets | security, strict |
| Stability | experimental |
| Applies to | block |
| Tags | cryptography, go, rules-catalog, security |

# Why it matters

`math/rand` is a non-cryptographic PRNG: its output is fully determined by its seed, so no choice of seed makes it unpredictable. Tokens, secrets, and keys must come from `crypto/rand.Reader`.

# Remediation

Use `crypto/rand.Reader` (or `crypto/rand.Read`) to generate secrets, tokens, and keys. Reserve `math/rand` for non-security-sensitive randomness; since Go 1.20 it is seeded automatically and needs no `rand.Seed` call at all.
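As an added example (not code from the Critiq catalog), the seeded `math/rand` pattern this rule flags beside the `crypto/rand` replacement; `insecureToken`, `secureToken` and the fixed seed value are illustrative names and constructed input, not anything the rule file defines.

```go
package main

// Added example: a math/rand stream seeded from a guessable value versus a
// token drawn from crypto/rand. Not part of the Critiq rule catalog.

import (
	crand "crypto/rand"
	"encoding/hex"
	"fmt"
	mrand "math/rand"
)

// insecureToken mirrors the flagged pattern: a math/rand generator seeded from
// something an attacker can guess (a timestamp, a PID). The stream is a pure
// function of the seed, so two callers with the same seed get the same "token".
// rand.Seed(seed) on the package-level generator behaves exactly the same way.
func insecureToken(seed int64, n int) string {
	r := mrand.New(mrand.NewSource(seed))
	buf := make([]byte, n)
	for i := range buf {
		buf[i] = byte(r.Intn(256)) // deterministic given the seed
	}
	return hex.EncodeToString(buf)
}

// secureToken draws n bytes from crypto/rand (the OS CSPRNG) and hex-encodes
// them. It returns an error instead of a partial token if the reader fails.
func secureToken(n int) (string, error) {
	buf := make([]byte, n)
	if _, err := crand.Read(buf); err != nil { // fills buf fully or errors
		return "", err
	}
	return hex.EncodeToString(buf), nil
}

func main() {
	// Constructed seed standing in for time.Now().UnixNano() in real code.
	const seed = 1700000000
	fmt.Println("seeded math/rand, run 1:", insecureToken(seed, 16))
	fmt.Println("seeded math/rand, run 2:", insecureToken(seed, 16)) // identical
	tok, err := secureToken(32)
	if err != nil {
		panic(err)
	}
	fmt.Println("crypto/rand token:", tok)
}
```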

# Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/go/go.security.insecure-rand-seed.rule.yaml.