diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index bc0a7b5ebec..5772ef5dcb3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -66,8 +66,8 @@ jobs:
 cache: true
 - name: Run tidy
 run: make tidy
- - name: Emulator no relic check
- run: make emulator-norelic-check
+ - name: code sanity check
+ run: make code-sanity-check
 
 shell-check:
 name: ShellCheck
diff --git a/Makefile b/Makefile
index 7f511197260..ae15fe5a59a 100644
--- a/Makefile
+++ b/Makefile
@@ -87,6 +87,23 @@ emulator-norelic-check:
 # test the fvm package compiles with Relic library disabled (required for the emulator build)
 cd ./fvm && go test ./... -run=NoTestHasThisPrefix
 
+.SILENT: go-math-rand-check
+go-math-rand-check:
+ # check that the insecure math/rand Go package isn't used by production code.
+ # `exclude` should only specify non production code (test, bench..).
+ # If this check fails, try updating your code by using:
+ # - "crypto/rand" or "flow-go/utils/rand" for non-deterministic randomness
+ # - "flow-go/crypto/random" for deterministic randomness
+ grep --include=\*.go --exclude={*test*,*helper*,*example*,*fixture*,*benchmark*,*profiler*} -rnw '"math/rand"'; \
+ if [ $$? -ne 1 ]; \
+ then \
+ echo "[Error] Go production code should not use math/rand package"; \
+ exit 1; \
+ fi
+
+.PHONY: code-sanity-check
+code-sanity-check: go-math-rand-check emulator-norelic-check
+
 .PHONY: fuzz-fvm
 fuzz-fvm:
 # run fuzz tests in the fvm package
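Review bot: The `--exclude={*test*,*helper*,...}` on the grep line of the new go-math-rand-check target depends on shell brace expansion, which POSIX sh (make's default recipe shell, unless the Makefile sets SHELL to bash somewhere outside this hunk) does not perform; grep then receives the literal `{...}` as a single glob, nothing is excluded, and the first test file importing math/rand makes the check fail for the wrong reason. Spelling the exclusions out as repeated flags, `grep --include='*.go' --exclude='*test*' --exclude='*helper*' --exclude='*example*' --exclude='*fixture*' --exclude='*benchmark*' --exclude='*profiler*' -rnw '"math/rand"' .`, removes the dependency on the shell and makes the search root explicit. Note also that `--exclude` matches basenames only, so a production file whose name happens to contain `helper` or `example` is silently skipped while test-only directories with ordinary file names are not; `--exclude-dir` is the more precise tool for the latter, and the `# exclude should only specify non production code` comment would be a good place to state that limitation. Finally, the pattern `'"math/rand"'` does not match the `"math/rand/v2"` import path, so once the project's Go version allows it a second pattern (`-e '"math/rand"' -e '"math/rand/v2"'`) is needed to keep the check complete.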