diff --git a/.github/workflows/gosec.yml b/.github/workflows/gosec.yml
new file mode 100644
index 00000000..732fe17b
--- /dev/null
+++ b/.github/workflows/gosec.yml
@@ -0,0 +1,29 @@
+---
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Run gosec
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ gosec_job:
+ runs-on: ubuntu-latest
+ name: Run gosec
+ steps:
+ - name: Checkout Source
+ uses: actions/checkout@v4
+
+ - name: Run Gosec Security Scanner
+ uses: securego/gosec@master
+ with:
+ args: ./...
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
new file mode 100644
index 00000000..95fcc05e
--- /dev/null
+++ b/.github/workflows/govulncheck.yml
@@ -0,0 +1,26 @@
+---
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Run govulncheck
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ govulncheck_job:
+ runs-on: ubuntu-latest
+ name: Run govulncheck
+ steps:
+ - id: govulncheck
+ uses: golang/govulncheck-action@v1
+ with:
+ check-latest: true
diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
new file mode 100644
index 00000000..41344d58
--- /dev/null
+++ b/.github/workflows/osv-scanner.yml
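Review bot: `uses: securego/gosec@master` runs a third-party scanner on every push and pull request from a mutable branch ref, so whoever controls that upstream branch controls code that executes in this repository's CI; the same applies to `g-rath/check-with-osv-detector@main` and `trufflesecurity/trufflehog@main` in the osv-scanner and trufflehog workflows, and `golang/govulncheck-action@v1` is a movable tag. Pin each third-party action to a full commit SHA with the release in a trailing comment, e.g. `uses: securego/gosec@<commit-sha>  # <release-tag>`, and let the repository's dependency bot bump the pins. `permissions: read-all` limits what the workflow token can do but not what the action can do with the checked-out source and the runner, so the pin is the control that matters here.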
@@ -0,0 +1,27 @@
+---
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Run govulncheck
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ osv_scanner_job:
+ runs-on: ubuntu-latest
+ name: Run osv-scanner
+ steps:
+ - name: Checkout Source
+ uses: actions/checkout@v4
+
+ - name: Check dependencies for security vulnerabilities
+ uses: g-rath/check-with-osv-detector@main
diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml
new file mode 100644
index 00000000..28d94b9a
--- /dev/null
+++ b/.github/workflows/trufflehog.yml
@@ -0,0 +1,33 @@
+---
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: TruffleHog Secrets Scan
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ trufflehog_job:
+ runs-on: ubuntu-latest
+ name: Run osv-scanner
+ steps:
+ - name: Checkout Source
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Check secrets with TruffleHog OSS
+ uses: trufflesecurity/trufflehog@main
+ with:
+ path: ./
+ head: HEAD
+ extra_args: --only-verified
diff --git a/Makefile b/Makefile
index f4a1e13b..8d95bf5c 100644
--- a/Makefile
+++ b/Makefile
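Review bot: The osv-scanner workflow is titled `name: Run govulncheck` although its job is `osv_scanner_job` with `name: Run osv-scanner`, a copy-paste leftover from the govulncheck workflow; the Actions tab will show two workflows called "Run govulncheck", and a branch-protection rule keyed on the workflow name cannot tell them apart. Change the top-level name to `name: Run osv-scanner` so a failing dependency scan is reported under the scanner that produced it.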
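Review bot: The job in the TruffleHog workflow is labelled `name: Run osv-scanner` under `trufflehog_job`, another copy-paste leftover; a failed secrets scan would surface under the osv-scanner label, so change it to `name: Run TruffleHog`. `extra_args: --only-verified` deliberately drops detector hits that could not be verified live, which keeps noise down but also means a credential for a service the runner cannot reach will not fail the build; that trade-off deserves a one-line comment next to the flag so nobody later assumes the scan is exhaustive.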
@@ -63,6 +63,7 @@ install-tools-go: $(GO) install github.com/goph/licensei/cmd/licensei@latest $(GO) install github.com/orlangure/gocovsh@latest $(GO) install github.com/pelletier/go-toml/v2/cmd/tomljson@latest + $(GO) install github.com/securego/gosec/v2/cmd/gosec@latest $(GO) install github.com/trufflesecurity/driftwood@latest $(GO) install golang.org/x/perf/cmd/benchstat@latest $(GO) install golang.org/x/tools/cmd/godoc@latest @@ -213,6 +214,10 @@ vuln: @ $(ECHO) "\033[1;33m=====> Running osv-scanner (https://osv.dev)...\033[0m" osv-scanner -r . + @ $(ECHO) " " + @ $(ECHO) "\033[1;33m=====> Running gosec (https://github.com/securego/gosec)...\033[0m" + gosec -terse -tests ./... + .PHONY: secrets ## secrets: [lint]* Checks for verifiable secrets. secrets: diff --git a/corefunc/env_ensure_test.go b/corefunc/env_ensure_test.go index 739a9e20..dc359b87 100644 --- a/corefunc/env_ensure_test.go +++ b/corefunc/env_ensure_test.go @@ -80,7 +80,7 @@ func BenchmarkEnvEnsure(b *testing.B) { b.Run(name, func(b *testing.B) { b.ResetTimer() for i := 0; i < b.N; i++ { - EnvEnsure(tc.EnvVarName) + _ = EnvEnsure(tc.EnvVarName) } }) } @@ -95,7 +95,7 @@ func BenchmarkEnvEnsureParallel(b *testing.B) { b.ResetTimer() b.RunParallel(func(pb *testing.PB) { for pb.Next() { - EnvEnsure(tc.EnvVarName) + _ = EnvEnsure(tc.EnvVarName) } }) }) diff --git a/generator/main.go b/generator/main.go index 78d4a7f5..279d9f81 100644 --- a/generator/main.go +++ b/generator/main.go @@ -129,7 +129,7 @@ func writeFileFromTemplate(varMap map[string]string, templatePath, writePath str tmpl := newTemplate(templatePath) - f, err := os.Create(writePath) // lint:allow_possible_insecure + f, err := os.Create(writePath) // #nosec G304 -- lint:allow_possible_insecure if err != nil { panic(err) }
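Review bot: `gosec -terse -tests ./...` in the `vuln` target scans test files, while the new gosec workflow passes only `args: ./...`, so a finding in a `_test.go` file fails `make vuln` locally but passes CI, and the two runs will keep disagreeing as `#nosec` annotations are added for one but not the other. Use one flag set in both places, e.g. `args: -tests ./...` in the workflow or drop `-tests` here. The install hunk adds `gosec@latest` and the workflow runs whatever the action's `master` branch builds, so the local and CI rule sets can also drift independently; pinning both to the same gosec release keeps the two results comparable.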
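Review bot: `// #nosec G304 -- lint:allow_possible_insecure` silences gosec's variable-path finding on `os.Create(writePath)` without saying why the path is trusted; the text after gosec's `--` separator is meant to be the justification, and this one only names another linter's suppression tag. State the actual reason, e.g. `// #nosec G304 -- writePath is assembled by the generator from fixed paths, not user input` if that is the case (the callers are outside this hunk), or, if the path can arrive from the command line, validate it with `filepath.Clean` against the intended output directory instead of suppressing the rule. writeFileFromTemplate's signature and the rest of its body lie outside the hunk, and the `f` opened here is not closed within the visible lines, so confirm that a `Close` whose error is handled follows the successful path.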