diff --git a/command/api/token/create.go b/command/api/token/create.go
index 3d5a2fd29..dc2705337 100644
--- a/command/api/token/create.go
+++ b/command/api/token/create.go
@@ -120,7 +120,7 @@ func createAction(ctx *cli.Context) (err error) {
 client := http.Client{
 Transport: transport,
 }
- resp, err := client.Do(post)
+ resp, err := client.Do(post) // #nosec G704 -- request depends on configuration
 if err != nil {
 return err
 }
diff --git a/command/ca/acme/eab/list.go b/command/ca/acme/eab/list.go
index d1cd28ff4..51e1bfe5b 100644
--- a/command/ca/acme/eab/list.go
+++ b/command/ca/acme/eab/list.go
@@ -5,6 +5,7 @@ import (
 "io"
 "os"
 "os/exec"
+ "strings"
 
 "github.com/pkg/errors"
 "github.com/urfave/cli"
@@ -99,8 +100,16 @@ func listAction(ctx *cli.Context) (err error) {
 // prepare the $PAGER command to run when not disabled and when available
 pager := os.Getenv("PAGER")
+ if strings.ContainsAny(pager, " \t\n;&|<>") {
+ return errors.New("invalid PAGER environment value")
+ }
+
+ if _, err := exec.LookPath(pager); err != nil {
+ return fmt.Errorf("invalid PAGER environment value: %w", err)
+ }
+
 if usePager && pager != "" {
- cmd = exec.Command(pager)
+ cmd = exec.Command(pager) // #nosec G702 -- $PAGER is intended to be provided by users; basic validation applied
 var err error
 out, err = cmd.StdinPipe()
 if err != nil {
diff --git a/command/ca/provisioner/add.go b/command/ca/provisioner/add.go
index 0c18b50ca..a6b081a75 100644
--- a/command/ca/provisioner/add.go
+++ b/command/ca/provisioner/add.go
@@ -28,7 +28,7 @@ import (
 )
 
 func addCommand() cli.Command {
- return cli.Command{
+ return cli.Command{ // #nosec G101 -- Google OIDC example values
 Name: "add",
 Action: cli.ActionFunc(addAction),
 Usage: "add a provisioner",
diff --git a/command/certificate/verify.go b/command/certificate/verify.go
index 81e34706a..3bab30795 100644
--- a/command/certificate/verify.go
+++ b/command/certificate/verify.go
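Review bot: The two new PAGER checks in listAction run before the `if usePager && pager != ""` guard, so when PAGER is unset or paging is disabled `exec.LookPath("")` fails and the command returns "invalid PAGER environment value" instead of simply listing without a pager. Both checks belong inside the guard so they only execute when a pager is actually about to be run. The new `fmt.Errorf` also departs from the `github.com/pkg/errors` style used by the surrounding code, and `fmt` is not visible in the import hunk; `errors.Wrap(err, "invalid PAGER environment value")` produces the same message with the import the file already has. Note as well that the `ContainsAny` check rejects values carrying arguments such as `less -R`, which is a common PAGER setting, so that constraint is worth documenting in the command help if it is intended. listAction continues outside the hunk.

```go
	pager := os.Getenv("PAGER")
	if usePager && pager != "" {
		if strings.ContainsAny(pager, " \t\n;&|<>") {
			return errors.New("invalid PAGER environment value")
		}
		if _, err := exec.LookPath(pager); err != nil {
			return errors.Wrap(err, "invalid PAGER environment value")
		}
		cmd = exec.Command(pager) // #nosec G702 -- $PAGER is intended to be provided by users; basic validation applied
		// … unchanged: StdinPipe setup and the rest of the pager wiring …
```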
@@ -250,7 +250,6 @@ func verifyAction(ctx *cli.Context) error {
 switch {
 case (verifyCRL || verifyOCSP) && roots != "":
- //nolint:gosec // using default configuration for 3rd party endpoints
 tlsConfig := &tls.Config{
 RootCAs: rootPool,
 }
@@ -389,7 +388,7 @@ func VerifyOCSPEndpoint(endpoint string, cert, issuer *x509.Certificate, httpCli
 return false, errors.Errorf("error contacting OCSP server: %s", endpoint)
 }
 httpReq.Header.Add("Content-Type", "application/ocsp-request")
- httpResp, err := httpClient.Do(httpReq)
+ httpResp, err := httpClient.Do(httpReq) // #nosec G704 -- request relies on values from certificate or intentionally provided by user
 if err != nil {
 return false, errors.Errorf("error contacting OCSP server: %s", endpoint)
 }
diff --git a/command/crypto/jwk/keyset.go b/command/crypto/jwk/keyset.go
index a0e4aa8a6..4cef7b971 100644
--- a/command/crypto/jwk/keyset.go
+++ b/command/crypto/jwk/keyset.go
@@ -234,7 +234,7 @@ func rwLockKeySet(filename string) (jwks *jose.JSONWebKeySet, writeFunc func(boo
 return
 }
- fd := int(f.Fd())
+ fd := int(f.Fd()) // #nosec G115 -- uintptr comes from file descriptor
 // non-blocking exclusive lock
 err = sysutils.FileLock(fd)
diff --git a/command/crypto/winpe/winpe.go b/command/crypto/winpe/winpe.go
index 2c10ef995..d4029909f 100644
--- a/command/crypto/winpe/winpe.go
+++ b/command/crypto/winpe/winpe.go
@@ -67,7 +67,7 @@ func extractPEAction(ctx *cli.Context) error {
 }
 
 func extractPE(filename string) error {
- file, err := os.Open(filename)
+ file, err := os.Open(filename) // #nosec G703 -- file to open intentionally relies on user configuration
 if err != nil {
 return errors.Wrapf(err, "error opening %s", filename)
 }
diff --git a/command/oauth/cmd.go b/command/oauth/cmd.go
index 16761331a..f31a5306e 100644
--- a/command/oauth/cmd.go
+++ b/command/oauth/cmd.go
@@ -66,9 +66,9 @@ const (
 )
 
 type token struct {
- AccessToken string `json:"access_token"`
+ AccessToken string `json:"access_token"` // #nosec G117 -- JSON property
 IDToken string `json:"id_token"`
- RefreshToken string `json:"refresh_token"`
+ RefreshToken string `json:"refresh_token"` // #nosec G117 -- JSON property
 ExpiresIn int `json:"expires_in"`
 TokenType string `json:"token_type"`
 Err string `json:"error,omitempty"`
@@ -571,13 +571,13 @@ type endpoint struct {
 }
 
 var knownProviders = map[string]endpoint{
- "google": {
+ "google": { // #nosec G101 -- no credentials; just well-known configuration values
 authorization: "https://accounts.google.com/o/oauth2/v2/auth",
 deviceAuthorization: "https://oauth2.googleapis.com/device/code",
 token: "https://www.googleapis.com/oauth2/v4/token",
 userInfo: "https://www.googleapis.com/oauth2/v3/userinfo",
 },
- "github": {
+ "github": { // #nosec G101 -- no credentials; just well-known configuration values
 authorization: "https://github.com/login/oauth/authorize",
 deviceAuthorization: "https://github.com/login/device/code",
 token: "https://github.com/login/oauth/access_token",
@@ -712,7 +712,7 @@ func disco(provider string) (map[string]interface{}, error) {
 // application/json", without this header GitHub will use
 // application/x-www-form-urlencoded.
 func postForm(rawurl string, data url.Values) (*http.Response, error) {
- req, err := http.NewRequest("POST", rawurl, strings.NewReader(data.Encode()))
+ req, err := http.NewRequest("POST", rawurl, strings.NewReader(data.Encode())) // #nosec G704 -- request intentionally relies on user data
 if err != nil {
 return nil, fmt.Errorf("create POST %s request failed: %w", rawurl, err)
 }
@@ -722,7 +722,7 @@ func postForm(rawurl string, data url.Values) (*http.Response, error) {
 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 req.Header.Set("Accept", "application/json")
- return http.DefaultClient.Do(req)
+ return http.DefaultClient.Do(req) // #nosec G704 -- request intentionally relies on user configuration
 }
 
 // NewServer creates http server
@@ -1106,7 +1106,7 @@ func (o *oauth) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 code, state := q.Get("code"), q.Get("state")
 if code == "" || state == "" {
- fmt.Fprintf(os.Stderr, "Invalid request received: http://%s%s\n", req.RemoteAddr, req.URL.String())
+ fmt.Fprintf(os.Stderr, "Invalid request received: http://%s%s\n", req.RemoteAddr, req.URL.String()) // #nosec G705 -- terminal output
 fmt.Fprintf(os.Stderr, "You may have an app or browser plugin that needs to be turned off\n")
 http.Error(w, "400 bad request", http.StatusBadRequest)
 return
diff --git a/exec/exec.go b/exec/exec.go
index d841fdfa9..e58991170 100644
--- a/exec/exec.go
+++ b/exec/exec.go
@@ -79,7 +79,7 @@ func RunWithPid(pidFile, name string, arg ...string) {
 cmd, exitCh, err := run(name, arg...)
 if err != nil {
 f.Close()
- os.Remove(f.Name())
+ _ = os.Remove(f.Name()) // #nosec G703 -- file does not depend on user configuration
 errorAndExit(name, err)
 }
@@ -94,7 +94,7 @@ func RunWithPid(pidFile, name string, arg ...string) {
 }
 
 // clean, exit and wait until os.Exit
- os.Remove(f.Name())
+ _ = os.Remove(f.Name()) // #nosec G703 -- file does not depend on user configuration
 exitCh <- getExitStatus(cmd)
 exitCh <- 0
 }
diff --git a/go.mod b/go.mod
index 3ee00087e..76ad59d80 100644
--- a/go.mod
+++ b/go.mod
@@ -27,7 +27,7 @@ require (
 github.com/stretchr/testify v1.11.1
 github.com/urfave/cli v1.22.17
 go.mozilla.org/pkcs7 v0.9.0
- go.step.sm/crypto v0.76.0
+ go.step.sm/crypto v0.76.2
 golang.org/x/crypto v0.48.0
 golang.org/x/sys v0.41.0
 golang.org/x/term v0.40.0
@@ -36,12 +36,12 @@ require (
 )
 
 require (
- cloud.google.com/go v0.121.6 // indirect
- cloud.google.com/go/auth v0.18.0 // indirect
+ cloud.google.com/go v0.123.0 // indirect
+ cloud.google.com/go/auth v0.18.1 // indirect
 cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 cloud.google.com/go/compute/metadata v0.9.0 // indirect
 cloud.google.com/go/iam v1.5.3 // indirect
- cloud.google.com/go/longrunning v0.7.0 // indirect
+ cloud.google.com/go/longrunning v0.8.0 // indirect
 cloud.google.com/go/security v1.19.2 // indirect
 dario.cat/mergo v1.0.1 // indirect
 filippo.io/edwards25519 v1.1.0 // indirect
@@ -85,8 +85,8 @@ require (
 github.com/google/go-tpm-tools v0.4.7 // indirect
 github.com/google/go-tspi v0.3.0 // indirect
 github.com/google/s2a-go v0.1.9 // indirect
- github.com/googleapis/enterprise-certificate-proxy v0.3.9 // indirect
- github.com/googleapis/gax-go/v2 v2.16.0 // indirect
+ github.com/googleapis/enterprise-certificate-proxy v0.3.11 // indirect
+ github.com/googleapis/gax-go/v2 v2.17.0 // indirect
 github.com/huandu/xstrings v1.5.0 // indirect
 github.com/jackc/pgpassfile v1.0.0 // indirect
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
@@ -124,9 +124,9 @@ require (
 go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 // indirect
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
- go.opentelemetry.io/otel v1.38.0 // indirect
- go.opentelemetry.io/otel/metric v1.38.0 // indirect
- go.opentelemetry.io/otel/trace v1.38.0 // indirect
+ go.opentelemetry.io/otel v1.39.0 // indirect
+ go.opentelemetry.io/otel/metric v1.39.0 // indirect
+ go.opentelemetry.io/otel/trace v1.39.0 // indirect
 go.yaml.in/yaml/v2 v2.4.2 // indirect
 golang.org/x/net v0.49.0 // indirect
 golang.org/x/oauth2 v0.34.0 // indirect
@@ -134,10 +134,10 @@ require (
 golang.org/x/text v0.34.0 // indirect
 golang.org/x/time v0.14.0 // indirect
 golang.org/x/tools v0.41.0 // indirect
- google.golang.org/api v0.260.0 // indirect
- google.golang.org/genproto v0.0.0-20251202230838-ff82c1b0f217 // indirect
- google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b // indirect
+ google.golang.org/api v0.264.0 // indirect
+ google.golang.org/genproto v0.0.0-20260128011058-8636f8732409 // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 // indirect
 google.golang.org/grpc v1.78.0 // indirect
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
diff --git a/go.sum b/go.sum
index a8080ad4b..f5a1c44c5 100644
--- a/go.sum
+++ b/go.sum
@@ -1,17 +1,17 @@ -cloud.google.com/go v0.121.6 h1:waZiuajrI28iAf40cWgycWNgaXPO06dupuS+sgibK6c= -cloud.google.com/go v0.121.6/go.mod h1:coChdst4Ea5vUpiALcYKXEpR1S9ZgXbhEzzMcMR66vI= -cloud.google.com/go/auth v0.18.0 h1:wnqy5hrv7p3k7cShwAU/Br3nzod7fxoqG+k0VZ+/Pk0= -cloud.google.com/go/auth v0.18.0/go.mod h1:wwkPM1AgE1f2u6dG443MiWoD8C3BtOywNsUMcUTVDRo= +cloud.google.com/go v0.123.0 h1:2NAUJwPR47q+E35uaJeYoNhuNEM9kM8SjgRgdeOJUSE= +cloud.google.com/go v0.123.0/go.mod h1:xBoMV08QcqUGuPW65Qfm1o9Y4zKZBpGS+7bImXLTAZU= +cloud.google.com/go/auth v0.18.1 h1:IwTEx92GFUo2pJ6Qea0EU3zYvKnTAeRCODxfA/G5UWs= +cloud.google.com/go/auth v0.18.1/go.mod h1:GfTYoS9G3CWpRA3Va9doKN9mjPGRS+v41jmZAhBzbrA= cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc= cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c= cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs= cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10= cloud.google.com/go/iam v1.5.3 h1:+vMINPiDF2ognBJ97ABAYYwRgsaqxPbQDlMnbHMjolc= cloud.google.com/go/iam v1.5.3/go.mod h1:MR3v9oLkZCTlaqljW6Eb2d3HGDGK5/bDv93jhfISFvU= -cloud.google.com/go/kms v1.24.0 h1:SWltUuoPhTdv9q/P0YEAWQfoYT32O5HdfPgTiWMvrH8= -cloud.google.com/go/kms v1.24.0/go.mod h1:QDH3z2SJ50lfNOE8EokKC1G40i7I0f8xTMCoiptcb5g= -cloud.google.com/go/longrunning v0.7.0 h1:FV0+SYF1RIj59gyoWDRi45GiYUMM3K1qO51qoboQT1E= -cloud.google.com/go/longrunning v0.7.0/go.mod h1:ySn2yXmjbK9Ba0zsQqunhDkYi0+9rlXIwnoAf+h+TPY= +cloud.google.com/go/kms v1.25.0 h1:gVqvGGUmz0nYCmtoxWmdc1wli2L1apgP8U4fghPGSbQ= +cloud.google.com/go/kms v1.25.0/go.mod h1:XIdHkzfj0bUO3E+LvwPg+oc7s58/Ns8Nd8Sdtljihbk= +cloud.google.com/go/longrunning v0.8.0 h1:LiKK77J3bx5gDLi4SMViHixjD2ohlkwBi+mKA7EhfW8= +cloud.google.com/go/longrunning v0.8.0/go.mod h1:UmErU2Onzi+fKDg2gR7dusz11Pe26aknR4kHmJJqIfk= cloud.google.com/go/security v1.19.2 
h1:cF3FkCRRbRC1oXuaGZFl3qU2sdu2gP3iOAHKzL5y04Y= cloud.google.com/go/security v1.19.2/go.mod h1:KXmf64mnOsLVKe8mk/bZpU1Rsvxqc0Ej0A6tgCeN93w= dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s= @@ -198,10 +198,10 @@ github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0= github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/googleapis/enterprise-certificate-proxy v0.3.9 h1:TOpi/QG8iDcZlkQlGlFUti/ZtyLkliXvHDcyUIMuFrU= -github.com/googleapis/enterprise-certificate-proxy v0.3.9/go.mod h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA= -github.com/googleapis/gax-go/v2 v2.16.0 h1:iHbQmKLLZrexmb0OSsNGTeSTS0HO4YvFOG8g5E4Zd0Y= -github.com/googleapis/gax-go/v2 v2.16.0/go.mod h1:o1vfQjjNZn4+dPnRdl/4ZD7S9414Y4xA+a/6Icj6l14= +github.com/googleapis/enterprise-certificate-proxy v0.3.11 h1:vAe81Msw+8tKUxi2Dqh/NZMz7475yUvmRIkXr4oN2ao= +github.com/googleapis/enterprise-certificate-proxy v0.3.11/go.mod h1:RFV7MUdlb7AgEq2v7FmMCfeSMCllAzWxFgRdusoGks8= +github.com/googleapis/gax-go/v2 v2.17.0 h1:RksgfBpxqff0EZkDWYuz9q/uWsTVz+kf43LsZ1J6SMc= +github.com/googleapis/gax-go/v2 v2.17.0/go.mod h1:mzaqghpQp4JDh3HvADwrat+6M3MOIDp5YKHhb9PAgDY= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI= github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= 
@@ -359,18 +359,18 @@ go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.6 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0/go.mod h1:snMWehoOh2wsEwnvvwtDyFCxVeDAODenXHtn5vzrKjo= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q= -go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8= -go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM= -go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA= -go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI= -go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E= -go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg= +go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48= +go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8= +go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0= +go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs= +go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18= +go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE= go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM= go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA= -go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE= -go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs= -go.step.sm/crypto v0.76.0 
h1:K23BSaeoiY7Y5dvvijTeYC9EduDBetNwQYMBwMhi1aA= -go.step.sm/crypto v0.76.0/go.mod h1:PXYJdKkK8s+GHLwLguFaLxHNAFsFL3tL1vSBrYfey5k= +go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI= +go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA= +go.step.sm/crypto v0.76.2 h1:JJ/yMcs/rmcCAwlo+afrHjq74XBFRTJw5B2y4Q4Z4c4= +go.step.sm/crypto v0.76.2/go.mod h1:m6KlB/HzIuGFep0UWI5e0SYi38UxpoKeCg6qUaHV6/Q= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y= 
@@ -471,14 +471,14 @@ golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk= gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E= -google.golang.org/api v0.260.0 h1:XbNi5E6bOVEj/uLXQRlt6TKuEzMD7zvW/6tNwltE4P4= -google.golang.org/api v0.260.0/go.mod h1:Shj1j0Phr/9sloYrKomICzdYgsSDImpTxME8rGLaZ/o= -google.golang.org/genproto v0.0.0-20251202230838-ff82c1b0f217 h1:GvESR9BIyHUahIb0NcTum6itIWtdoglGX+rnGxm2934= -google.golang.org/genproto v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:yJ2HH4EHEDTd3JiLmhds6NkJ17ITVYOdV3m3VKOnws0= -google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 h1:fCvbg86sFXwdrl5LgVcTEvNC+2txB5mgROGmRL5mrls= -google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto= -google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b h1:Mv8VFug0MP9e5vUxfBcE3vUkV6CImK3cMNMIDFjmzxU= -google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ= +google.golang.org/api v0.264.0 h1:+Fo3DQXBK8gLdf8rFZ3uLu39JpOnhvzJrLMQSoSYZJM= +google.golang.org/api v0.264.0/go.mod h1:fAU1xtNNisHgOF5JooAs8rRaTkl2rT3uaoNGo9NS3R8= +google.golang.org/genproto v0.0.0-20260128011058-8636f8732409 h1:VQZ/yAbAtjkHgH80teYd2em3xtIkkHd7ZhqfH2N9CsM= +google.golang.org/genproto v0.0.0-20260128011058-8636f8732409/go.mod h1:rxKD3IEILWEu3P44seeNOAwZN4SaoKaQ/2eTg4mM6EM= +google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 h1:merA0rdPeUV3YIIfHHcH4qBkiQAc1nfCKSI7lB4cV2M= +google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409/go.mod h1:fl8J1IvUjCilwZzQowmw2b7HQB2eAuYBabMXzWurF+I= +google.golang.org/genproto/googleapis/rpc 
v0.0.0-20260128011058-8636f8732409 h1:H86B94AW+VfJWDqFeEbBPhEtHzJwJfTbgE2lZa54ZAQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
 google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc=
 google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1 h1:F29+wU6Ee6qgu9TddPgooOdaqsxTMunOoj8KA5yuS5A=
diff --git a/internal/cmd/root.go b/internal/cmd/root.go
index 99ae3638c..37eea4e69 100644
--- a/internal/cmd/root.go
+++ b/internal/cmd/root.go
@@ -163,7 +163,7 @@ func panicHandler() {
 fmt.Fprintln(os.Stderr, "Something unexpected happened.")
 fmt.Fprintln(os.Stderr, "If you want to help us debug the problem, please run:")
- fmt.Fprintf(os.Stderr, "STEPDEBUG=1 %s\n", strings.Join(os.Args, " "))
+ fmt.Fprintf(os.Stderr, "STEPDEBUG=1 %q\n", strings.Join(os.Args, " ")) // #nosec G705 -- terminal output
 fmt.Fprintln(os.Stderr, "and send the output to info@smallstep.com")
 os.Exit(2)
 }
diff --git a/internal/plugin/plugin.go b/internal/plugin/plugin.go
index 006105253..4c6201636 100644
--- a/internal/plugin/plugin.go
+++ b/internal/plugin/plugin.go
@@ -38,7 +38,7 @@ func LookPath(name string) (string, error) {
 }
 for _, ext := range exts {
 path := filepath.Join(step.BasePath(), "plugins", fileName+ext)
- if _, err := os.Stat(path); err == nil {
+ if _, err := os.Stat(path); err == nil { // #nosec G703 -- path to stat intentionally relies on (partial) user configuration
 return path, nil
 }
 }
diff --git a/internal/sshutil/agent_unix.go b/internal/sshutil/agent_unix.go
index 5675f2c16..8f179950e 100644
--- a/internal/sshutil/agent_unix.go
+++ b/internal/sshutil/agent_unix.go
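Review bot: Switching to `%q` quotes the entire space-joined argument list as one string, so the line printed after "please run:" becomes `STEPDEBUG=1 "step ca …"`, which a shell would interpret as a single program name rather than the command the user is being asked to re-run. Quoting each argument separately still escapes control characters in argv (the concern the `#nosec G705` annotation refers to) while keeping the line pasteable. `fmt` and `strings` are already used on these lines, so no new import is needed. panicHandler begins outside the hunk.

```go
	fmt.Fprintln(os.Stderr, "If you want to help us debug the problem, please run:")
	quoted := make([]string, len(os.Args))
	for i, arg := range os.Args {
		quoted[i] = fmt.Sprintf("%q", arg)
	}
	fmt.Fprintf(os.Stderr, "STEPDEBUG=1 %s\n", strings.Join(quoted, " ")) // #nosec G705 -- terminal output; each argument is quoted individually
	// … unchanged: closing instructions and os.Exit(2) …
```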
@@ -14,7 +14,7 @@ import (
 // to the agent.
 func dialAgent() (*Agent, error) {
 socket := os.Getenv("SSH_AUTH_SOCK")
- conn, err := net.Dial("unix", socket)
+ conn, err := net.Dial("unix", socket) // #nosec G704 -- SSH_AUTH_SOCK points to a local Unix domain socket path
 if err != nil {
 return nil, errors.Wrap(err, "error connecting with ssh-agent")
 }
diff --git a/internal/sshutil/agent_windows.go b/internal/sshutil/agent_windows.go
index f323756b5..7d45f8d36 100644
--- a/internal/sshutil/agent_windows.go
+++ b/internal/sshutil/agent_windows.go
@@ -17,7 +17,7 @@ func dialAgent() (*Agent, error) {
 // Override the default windows openssh-ssh-agent pipe
 if socket := os.Getenv("SSH_AUTH_SOCK"); socket != "" {
 // Attempt unix sockets for environments like cygwin.
- if conn, err := net.Dial("unix", socket); err == nil {
+ if conn, err := net.Dial("unix", socket); err == nil { // #nosec G704 -- SSH_AUTH_SOCK points to a local Unix domain socket path
 return &Agent{
 ExtendedAgent: agent.NewClient(conn),
 Conn: conn,
diff --git a/internal/sshutil/pipe.go b/internal/sshutil/pipe.go
index 52cd8586c..c8071ccf9 100644
--- a/internal/sshutil/pipe.go
+++ b/internal/sshutil/pipe.go
@@ -38,7 +38,7 @@ var (
 )
 
 func readWindowsPipeNameFrom(configFile string) (pipeName string) {
- file, err := os.Open(configFile)
+ file, err := os.Open(configFile) // #nosec G703 -- intentionally reading from user configuration
 if err == nil {
 sc := bufio.NewScanner(file)
 for sc.Scan() {
diff --git a/internal/sshutil/shell.go b/internal/sshutil/shell.go
index 81e925a5d..60e9f80d3 100644
--- a/internal/sshutil/shell.go
+++ b/internal/sshutil/shell.go
@@ -179,7 +179,7 @@ func (s *Shell) RemoteShell() error {
 defer session.Close()
 var fallback bool
- if fd := int(os.Stdin.Fd()); term.IsTerminal(fd) {
+ if fd := int(os.Stdin.Fd()); term.IsTerminal(fd) { // #nosec G115 -- uintptr comes from file descriptor
 // Put terminal in raw mode
 if originalState, err := term.MakeRaw(fd); err != nil {
 fallback = true
diff --git a/pkg/bcrypt_pbkdf/bcrypt_pbkdf.go b/pkg/bcrypt_pbkdf/bcrypt_pbkdf.go
index 4e7b58f51..a599d6603 100644
--- a/pkg/bcrypt_pbkdf/bcrypt_pbkdf.go
+++ b/pkg/bcrypt_pbkdf/bcrypt_pbkdf.go
@@ -92,6 +92,6 @@ func bcryptHash(out, shapass, shasalt []byte) {
 }
 // Swap bytes due to different endianness.
 for i := 0; i < 32; i += 4 {
- out[i+3], out[i+2], out[i+1], out[i] = out[i], out[i+1], out[i+2], out[i+3]
+ out[i+3], out[i+2], out[i+1], out[i] = out[i], out[i+1], out[i+2], out[i+3] // #nosec G602 -- loop condition guarantees this doesn't go out of range
 }
 }
diff --git a/token/parse.go b/token/parse.go
index f3f43ac37..82c6c6220 100644
--- a/token/parse.go
+++ b/token/parse.go
@@ -53,7 +53,7 @@ type Payload struct {
 Version interface{} `json:"ver"`
 XMSMirID string `json:"xms_mirid"`
 K8sSANamespace string `json:"kubernetes.io/serviceaccount/namespace,omitempty"`
- K8sSASecretName string `json:"kubernetes.io/serviceaccount/secret.name,omitempty"`
+ K8sSASecretName string `json:"kubernetes.io/serviceaccount/secret.name,omitempty"` // #nosec G117 -- JSON property
 K8sSAServiceAccountName string `json:"kubernetes.io/serviceaccount/service-account.name,omitempty"`
 K8sSAServiceAccountUID string `json:"kubernetes.io/serviceaccount/service-account.uid,omitempty"`
 Google *GCPGooglePayload `json:"google"` // GCP token claims
diff --git a/utils/cautils/tpm.go b/utils/cautils/tpm.go
index d44336ccb..0bdf9c6ff 100644
--- a/utils/cautils/tpm.go
+++ b/utils/cautils/tpm.go
@@ -509,18 +509,18 @@ func (ac *attestationClient) performAttestation(ctx context.Context, t *tpm.TPM,
 encryptedCredentials := tpm.EncryptedCredential{
 Credential: attResp.Credential,
- Secret: attResp.Secret,
+ Secret: attResp.EncryptedSecret,
 }
 
 // activate the credential with the TPM
- secret, err := ak.ActivateCredential(ctx, encryptedCredentials)
+ decryptedSecret, err := ak.ActivateCredential(ctx, encryptedCredentials)
 if err != nil {
 return nil, fmt.Errorf("failed activating credential: %w", err)
 }
 
- secretResp, err := ac.secret(ctx, secret)
+ secretResp, err := ac.verifyDecryptedSecret(ctx, decryptedSecret)
 if err != nil {
- return nil, fmt.Errorf("failed validating secret: %w", err)
+ return nil, fmt.Errorf("failed validating decrypted secret: %w", err)
 }
 
 akChain := make([]*x509.Certificate, len(secretResp.CertificateChain))
@@ -559,8 +559,8 @@ type attestationRequest struct {
 }
 
 type attestationResponse struct {
- Credential []byte `json:"credential"`
- Secret []byte `json:"secret"` // encrypted secret
+ Credential []byte `json:"credential"`
+ EncryptedSecret []byte `json:"secret"` // #nosec G117 -- JSON property carrying encrypted secret
 }
 
 // attest performs the HTTP POST request to the `/attest` endpoint of the
@@ -616,7 +616,7 @@ func (ac *attestationClient) attest(ctx context.Context, info *tpm.Info, eks []*
 return nil, fmt.Errorf("failed creating POST http request for %q: %w", attestURL, err)
 }
- resp, err := ac.client.Do(req)
+ resp, err := ac.client.Do(req) // #nosec G704 -- request intentionally relies on user configuration
 if err != nil {
 return nil, fmt.Errorf("failed performing attestation request with Attestation CA %q: %w", attestURL, err)
 }
@@ -635,18 +635,18 @@ func (ac *attestationClient) attest(ctx context.Context, info *tpm.Info, eks []*
 }
 
 type secretRequest struct {
- Secret []byte `json:"secret"` // decrypted secret
+ DecryptedSecret []byte `json:"secret"` // #nosec G117 -- JSON property carrying decrypted secret
 }
 
 type secretResponse struct {
 CertificateChain [][]byte `json:"chain"`
 }
 
-// secret performs the HTTP POST request to the `/secret` endpoint of the
-// Attestation CA.
-func (ac *attestationClient) secret(ctx context.Context, secret []byte) (*secretResponse, error) {
+// verifyDecryptedSecret performs the HTTP POST request to the `/secret`
+// endpoint of the Attestation CA.
+func (ac *attestationClient) verifyDecryptedSecret(ctx context.Context, secret []byte) (*secretResponse, error) {
 sr := secretRequest{
- Secret: secret,
+ DecryptedSecret: secret,
 }
 
 body, err := json.Marshal(sr)
@@ -660,7 +660,7 @@ func (ac *attestationClient) secret(ctx context.Context, secret []byte) (*secret
 return nil, fmt.Errorf("failed creating POST http request for %q: %w", secretURL, err)
 }
- resp, err := ac.client.Do(req)
+ resp, err := ac.client.Do(req) // #nosec G704 -- request intentionally relies on user configuration
 if err != nil {
 return nil, fmt.Errorf("failed performing secret request with attestation CA %q: %w", secretURL, err)
 }
diff --git a/utils/read.go b/utils/read.go
index ca4675deb..86afb038e 100644
--- a/utils/read.go
+++ b/utils/read.go
@@ -53,7 +53,7 @@ func ReadString(r io.Reader) (string, error) {
 // ReadPasswordFromFile reads and returns the password from the given filename.
 // The contents of the file will be trimmed at the right.
 func ReadPasswordFromFile(filename string) ([]byte, error) {
- password, err := os.ReadFile(filename)
+ password, err := os.ReadFile(filename) // #nosec G703 -- file intended to be provided by user
 if err != nil {
 return nil, errs.FileError(err, filename)
 }
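Review bot: The renamed method `verifyDecryptedSecret` reads as if the client performs a verification, but the visible body only marshals the secret into `secretRequest` and POSTs it to the `/secret` endpoint; the check presumably happens on the Attestation CA, which answers with `secretResponse.CertificateChain`. The doc comment should make that split explicit so a reader does not look for a local comparison, e.g. `// verifyDecryptedSecret sends the decrypted credential secret to the Attestation CA's /secret endpoint; the CA checks it and, on success, responds with the certificate chain.` The method body continues past the hunk.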
@@ -94,7 +94,7 @@ func ReadFile(name string) (b []byte, err error) {
 b, err = io.ReadAll(stdin)
 } else {
 var contents []byte
- contents, err = os.ReadFile(name)
+ contents, err = os.ReadFile(name) // #nosec G703 -- file intended to be provided by user
 if err != nil {
 return nil, errs.FileError(err, name)
 }