diff --git a/src/security/weak-random-patterns.test.ts b/src/security/weak-random-patterns.test.ts
index 0bc17d46ea1..d9bb1a60531 100644
--- a/src/security/weak-random-patterns.test.ts
+++ b/src/security/weak-random-patterns.test.ts
@@ -1,11 +1,50 @@
+import { spawnSync } from "node:child_process";
 import fs from "node:fs/promises";
 import path from "node:path";
 import { describe, expect, it } from "vitest";
-import { listRuntimeSourceFiles } from "../test-utils/repo-scan.js";
+import { listRuntimeSourceFiles, shouldSkipRuntimeSourcePath } from "../test-utils/repo-scan.js";
 
 const SCAN_ROOTS = ["src", "extensions"] as const;
 
 async function findWeakRandomPatternMatches(repoRoot: string): Promise {
+  const rgResult = spawnSync(
+    "rg",
+    [
+      "--line-number",
+      "--no-heading",
+      "--color=never",
+      "--glob",
+      "*.ts",
+      "Date\\.now.*Math\\.random|Math\\.random.*Date\\.now",
+      ...SCAN_ROOTS,
+    ],
+    {
+      cwd: repoRoot,
+      encoding: "utf8",
+    },
+  );
+  if (!rgResult.error && (rgResult.status === 0 || rgResult.status === 1)) {
+    const matches: string[] = [];
+    const lines = rgResult.stdout.split(/\r?\n/);
+    for (const line of lines) {
+      const text = line.trim();
+      if (!text) {
+        continue;
+      }
+      const parsed = /^(.*?):(\d+):(.*)$/.exec(text);
+      if (!parsed) {
+        continue;
+      }
+      const relativePath = parsed[1] ?? "";
+      const lineNumber = parsed[2] ?? "";
+      if (shouldSkipRuntimeSourcePath(relativePath)) {
+        continue;
+      }
+      matches.push(`${relativePath}:${lineNumber}`);
+    }
+    return matches;
+  }
+
   const matches: string[] = [];
   const files = await listRuntimeSourceFiles(repoRoot, {
     roots: SCAN_ROOTS,
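Review bot: The outcome of this security check now depends on whether `rg` is on PATH, because the fast path and the fallback scanner are not tied to the same inputs: the `rg` branch is limited to `--glob "*.ts"`, honours ripgrep's default `.gitignore`/hidden-file filtering and matches single lines only, while the `listRuntimeSourceFiles` walk and its regex live outside this hunk and may differ on all three points. The pattern string should at least be shared so a later tweak cannot drift: hoist `const WEAK_RANDOM_PATTERN = "Date\\.now.*Math\\.random|Math\\.random.*Date\\.now";` to module scope and pass it to both the `spawnSync` argument list and the fallback matcher, and add a comment on the `if (!rgResult.error ...)` line stating that the branch is an equivalent accelerator and that exit status 2 (ripgrep error) deliberately falls through. On Windows ripgrep prints paths with backslashes; if `shouldSkipRuntimeSourcePath` expects forward slashes (not visible here), normalise `relativePath` with `relativePath.split(path.sep).join("/")` before the skip check so the same files are excluded on every platform. `findWeakRandomPatternMatches` continues past the end of the hunk.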