diff --git a/.golangci.yml b/.golangci.yml
index 4bf84599d..da5e0c07f 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -11,12 +11,28 @@ linters:
     - vet
     - unused
     - misspell
+    - gosec
   disable:
     - errcheck
 
 issues:
   include:
     - EXC0002
+  max-issues-per-linter: 0
+  max-same-issues: 0
+
+linters-settings:
+  gosec:
+    # The following issues surfaced when `gosec` linter
+    # was enabled. They are temporarily excluded to unblock
+    # the existing workflow, but still to be addressed by
+    # by future works.
+    excludes:
+      - G204
+      - G305
+      - G306
+      - G402
+      - G404
 
 run:
   timeout: 8m
diff --git a/metadata/boltutil/helpers.go b/metadata/boltutil/helpers.go
index 4722a5226..4201d7ba9 100644
--- a/metadata/boltutil/helpers.go
+++ b/metadata/boltutil/helpers.go
@@ -162,6 +162,7 @@ func WriteExtensions(bkt *bolt.Bucket, extensions map[string]types.Any) error {
 	}
 
 	for name, ext := range extensions {
+		ext := ext
 		p, err := proto.Marshal(&ext)
 		if err != nil {
 			return err
diff --git a/metadata/containers_test.go b/metadata/containers_test.go
index c0192a458..2b9efbd14 100644
--- a/metadata/containers_test.go
+++ b/metadata/containers_test.go
@@ -152,6 +152,7 @@ func TestContainersList(t *testing.T) {
 			}
 
 			for _, result := range results {
+				result := result
 				checkContainersEqual(t, &result, testset[result.ID], "list results did not match")
 			}
 		})
diff --git a/metadata/images_test.go b/metadata/images_test.go
index 7d556b000..323426da1 100644
--- a/metadata/images_test.go
+++ b/metadata/images_test.go
@@ -129,6 +129,7 @@ func TestImagesList(t *testing.T) {
 			}
 
 			for _, result := range results {
+				result := result
 				checkImagesEqual(t, &result, testset[result.Name], "list results did not match")
 			}
 		})
diff --git a/oci/spec_opts_test.go b/oci/spec_opts_test.go
index d8c974be4..679e47205 100644
--- a/oci/spec_opts_test.go
+++ b/oci/spec_opts_test.go
@@ -596,6 +596,7 @@ func TestDevShmSize(t *testing.T) {
 
 	expected := "1024k"
 	for _, s := range ss {
+		s := s
 		if err := WithDevShmSize(1024)(nil, nil, nil, &s); err != nil {
 			if err != ErrNoShmMount {
 				t.Fatal(err)
diff --git a/services/containers/helpers.go b/services/containers/helpers.go
index dde4caed1..aece9ca41 100644
--- a/services/containers/helpers.go
+++ b/services/containers/helpers.go
@@ -25,6 +25,7 @@ func containersToProto(containers []containers.Container) []api.Container {
 	var containerspb []api.Container
 
 	for _, image := range containers {
+		image := image
 		containerspb = append(containerspb, containerToProto(&image))
 	}
 
diff --git a/services/images/helpers.go b/services/images/helpers.go
index 2d4ec76dc..6b7b008c0 100644
--- a/services/images/helpers.go
+++ b/services/images/helpers.go
@@ -27,6 +27,7 @@ func imagesToProto(images []images.Image) []imagesapi.Image {
 	var imagespb []imagesapi.Image
 
 	for _, image := range images {
+		image := image
 		imagespb = append(imagespb, imageToProto(&image))
 	}