From 81c9ef02049a033e19eadf71b9e255ebdfb40f60 Mon Sep 17 00:00:00 2001 From: Abhishek Manjegowda Date: Fri, 30 Jan 2026 11:17:07 +0530 Subject: [PATCH] SemGrep rule to identify direct uses of crypto/rand.Reader and recommend the use of the SecureRandomReader instead (#6330) * semgrep rules for crypto/rand added * error fixed * semgrep rules for crypto/rand added * error fixed * requested changes updated * requested changes added * Ent exclude files added --- .semgrep/avoid-crypto-rand.yaml | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 .semgrep/avoid-crypto-rand.yaml diff --git a/.semgrep/avoid-crypto-rand.yaml b/.semgrep/avoid-crypto-rand.yaml new file mode 100644 index 0000000000..3a8b2025d0 --- /dev/null +++ b/.semgrep/avoid-crypto-rand.yaml @@ -0,0 +1,33 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: BUSL-1.1 + +rules: + - id: avoid-crypto-rand-use-secure-reader + languages: + - go + severity: WARNING + message: | + The 'crypto/rand' package is being used directly. + To ensure consistent security patterns across our codebase, + please use 'SecureRandomReader' instead. + patterns: + - pattern: | + rand.Reader + - pattern-inside: | + import "crypto/rand" + ... + paths: + exclude: + - "*_test.go" + - "**/website/*" + - "**/testing/*" + - "options.go" + - "testing.go" + - "controller.go" + - "servers.go" + - "worker.go" + - "repository_scope.go" + - "keys.go" + - "testing_ent.go" + - "options_ent.go" + fix: Use SecureRandomReader instead of crypto/rand.Reader directly. \ No newline at end of file
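Review bot: the `fix:` key at the end of the rule is wrong for what it is trying to do. In Semgrep, `fix:` is the autofix replacement text that is substituted for the matched span when the rule is run with `--autofix`, so `fix: Use SecureRandomReader instead of crypto/rand.Reader directly.` would rewrite every `rand.Reader` into an English sentence and leave the Go file uncompilable. The guidance already lives in `message:`; either drop the `fix:` key or make it a real Go expression for the replacement (which also needs the import that brings `SecureRandomReader` into scope, so a plain textual fix is unlikely to be safe here). Two smaller points in the same file: the `message:` says the package "is being used directly" but the pattern only matches the identifier `rand.Reader`, so calls such as `rand.Read(buf)` or an aliased import (`crand "crypto/rand"` followed by `crand.Reader`) are not flagged, and the message should say which package `SecureRandomReader` comes from. The `paths.exclude` list also contains bare basenames (`"options.go"`, `"keys.go"`, `"controller.go"`, `"worker.go"`, `"servers.go"`, …) with no comment on why each is exempt; those names are generic enough that the exclusion silences the rule for any file so named anywhere in the tree, so either list the specific paths or add a comment per entry explaining the exemption.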