diff --git a/.github/workflows/codeql-monorepo.yml b/.github/workflows/codeql-monorepo.yml
index 3b29a904a7..d81452e09c 100644
--- a/.github/workflows/codeql-monorepo.yml
+++ b/.github/workflows/codeql-monorepo.yml
@@ -87,7 +87,7 @@ jobs:
 project: ${{ fromJson(needs.changes.outputs.projects).projects }}
 steps:
 - name: Analyze code
- uses: advanced-security/monorepo-code-scanning-action/scan@main
+ uses: advanced-security/monorepo-code-scanning-action/scan@annotate-sarif
 # If you have a custom analysis workflow defined at .github/workflows/custom-codeql-analysis.yml, then set this to 'true' so that it is run.
 # custom-analysis: true
diff --git a/packages/babel-cli/src/babel/dir.ts b/packages/babel-cli/src/babel/dir.ts
index b3f4fd6074..e691b10e39 100644
--- a/packages/babel-cli/src/babel/dir.ts
+++ b/packages/babel-cli/src/babel/dir.ts
@@ -18,6 +18,13 @@ function outputFileSync(filePath: string, data: string | Buffer): void {
 fs.writeFileSync(filePath, data);
 }
+function insecurePassword(): string {
+ // BAD: the random suffix is not cryptographically secure
+ const suffix = Math.random();
+ const password = "myPassword" + suffix;
+ return password;
+}
+
 export default async function ({
 cliOptions,
 babelOptions,
diff --git a/packages/babel-helpers/src/index.ts b/packages/babel-helpers/src/index.ts
index be7b2c4198..958dae0b63 100644
--- a/packages/babel-helpers/src/index.ts
+++ b/packages/babel-helpers/src/index.ts
@@ -24,6 +24,13 @@ function deep(obj: any, path: string, value?: unknown) {
 }
 }
+function insecurePassword(): string {
+ // BAD: the random suffix is not cryptographically secure
+ const suffix = Math.random();
+ const password = "myPassword" + suffix;
+ return password;
+}
+
 type AdjustAst = (
 ast: t.Program,
 exportName: string,
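Review bot: The added `uses:` line references advanced-security/monorepo-code-scanning-action/scan by the branch name `annotate-sarif`, a mutable pointer, so whatever that branch holds at run time executes with the CodeQL job's permissions; the previous `@main` had the same property and the commit keeps it. For a third-party action prefer pinning to a full commit SHA with the ref in a trailing comment, e.g. `uses: advanced-security/monorepo-code-scanning-action/scan@<commit-sha> # annotate-sarif`, and let Dependabot or Renovate bump it. If the branch ref is intentional while the SARIF-annotation feature is being tried out, a short comment saying so and a follow-up to re-pin would make that visible to later reviewers.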
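Review bot: `insecurePassword()` in the added lines derives a credential-looking value from `Math.random()`, which is not a cryptographically secure generator, appends it to the fixed literal `"myPassword"`, and is not referenced anywhere in the hunk, so it will also trip `noUnusedLocals` / `no-unused-vars`. The `// BAD:` marker reads like a CodeQL query test fixture; if that is the intent, it belongs under a test-fixture path that the build and the published package exclude, not in packages/babel-cli/src/babel/dir.ts. If it is meant as real code, derive the suffix from `crypto.randomBytes(16).toString("hex")` via a `node:crypto` import and drop the hard-coded prefix. The identical function is added to packages/babel-helpers/src/index.ts in the next hunk, and the same applies there.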