diff --git a/.golangci.json b/.golangci.json
deleted file mode 100644
index a654b88e..00000000
--- a/.golangci.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "linters": {
- "disable-all": true,
- "enable": [
- "goimports",
- "gofmt",
- "misspell",
- "revive",
- "prealloc"
- ]
- },
- "run": {
- "skip-files": [
- "/zz_generated_"
- ],
- "skip-dirs": [
- "generated"
- ],
- "deadline": "5m"
- },
- "linters-settings": {
- "goimports": {
- "local-prefixes": "github.com/harvester/node-disk-manager"
- }
- }
-}
diff --git a/.golangci.yaml b/.golangci.yaml
new file mode 100644
index 00000000..0afea8c2
--- /dev/null
+++ b/.golangci.yaml
@@ -0,0 +1,30 @@
+linters:
+ disable-all: true
+ enable:
+ - goimports
+ - gofmt
+ - misspell
+ - revive
+ - gosec
+ - prealloc
+run:
+ skip-files:
+ - /zz_generated_
+ - _generated
+ skip-dirs:
+ - generated
+ deadline: 5m
+ tests: true
+ build-tags:
+ - test
+linters-settings:
+ gosec:
+ # https://github.com/securego/gosec#available-rules
+ excludes:
+ - G101 # Look for hard coded credentials
+ - G108 # Profiling endpoint is automatically exposed on /debug/pprof
+ - G401 # Use of weak cryptographic primitive
+ - G402 # TLS InsecureSkipVerify set true
+ - G505 # Blocklisted import crypto/md5: weak cryptographic primitive
+ config:
+ G306: "0644" # Poor file permissions used when writing to a new file
diff --git a/main.go b/main.go
index 3218ff81..14592d34 100644
--- a/main.go
+++ b/main.go
@@ -14,6 +14,7 @@ import (
 _ "net/http/pprof"
 "os"
 "sync"
+ "time"
 "github.com/ehazlett/simplelog"
 "github.com/rancher/wrangler/pkg/kubeconfig"
@@ -150,7 +151,11 @@ func initProfiling(opt *option.Option) {
 // enable profiler
 if opt.ProfilerAddress != "" {
 go func() {
- log.Println(http.ListenAndServe(opt.ProfilerAddress, nil))
+ profilerServer := &http.Server{
+ Addr: opt.ProfilerAddress,
+ ReadHeaderTimeout: 10 * time.Second,
+ }
+ log.Println(profilerServer.ListenAndServe())
 }()
 }
 }
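Review bot: The gosec `excludes` list in `.golangci.yaml` switches off G108, G401, G402 and G505 for the whole repository, so a future `InsecureSkipVerify: true` or weak-hash use passes lint unnoticed. G108 matters here in particular, because main.go in this same commit still serves the blank-imported `net/http/pprof` handlers. I would drop those entries and annotate the accepted call sites individually, e.g. `// #nosec G402 -- <reason>`, which keeps each rule active for new code. If the global excludes stay, the trailing comments should say why each finding is accepted rather than restate the rule title.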
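Review bot: `profilerServer` in `initProfiling` sets no `Handler`, so it serves `http.DefaultServeMux`, which carries the `/debug/pprof` handlers from the blank `net/http/pprof` import and anything else registered on the default mux. `ReadHeaderTimeout` bounds slow request headers but does nothing about who can reach the endpoint. I would document the expectation on the function, for example `// opt.ProfilerAddress exposes /debug/pprof without authentication; bind it to a loopback address.` The error from `ListenAndServe` is only printed, so a failed bind leaves the process running without a profiler; if that is intended, the same comment should say so. `initProfiling` begins above the hunk.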
diff --git a/pkg/block/blkid.go b/pkg/block/blkid.go
index 72f49298..a1f8ca87 100644
--- a/pkg/block/blkid.go
+++ b/pkg/block/blkid.go
@@ -7,19 +7,22 @@ import (
 "github.com/sirupsen/logrus"
 )
+const (
+ BLKIDCMD = "blkid"
+)
+
 func doCommandBlkid(partition string, param string) ([]byte, error) {
 if !strings.HasPrefix(partition, "/dev") {
 partition = "/dev/" + partition
 }
 args := []string{
- "blkid",
 "-s",
 param,
 partition,
 "-o",
 "value",
 }
- return exec.Command(args[0], args[1:]...).Output()
+ return exec.Command(BLKIDCMD, args[0:]...).Output() // #nosec G204
 }
 func GetFileSystemType(part string) string {
diff --git a/pkg/block/util.go b/pkg/block/util.go
index 5d0f9fa6..256a26e8 100644
--- a/pkg/block/util.go
+++ b/pkg/block/util.go
@@ -9,6 +9,10 @@ import (
 "github.com/sirupsen/logrus"
 )
+const (
+ LSBLKCMD = "lsblk"
+)
+
 func GetParentDevName(devPath string) (string, error) {
 return lsblk(devPath, "pkname")
 }
@@ -34,8 +38,8 @@ func GetPartType(devPath string) string {
 }
 func GetDevPathByPTUUID(ptUUID string) (string, error) {
- args := []string{"lsblk", "-dJo", "PATH,PTUUID"}
- out, err := exec.Command(args[0], args[1:]...).Output()
+ args := []string{"-dJo", "PATH,PTUUID"}
+ out, err := exec.Command(LSBLKCMD, args[0:]...).Output() // #nosec G204
 if err != nil {
 return "", fmt.Errorf("failed to execute `%s` for PTUUID %s: %w", strings.Join(args, " "), ptUUID, err)
 }
@@ -64,12 +68,11 @@ func lsblk(devPath, output string) (string, error) {
 devPath = "/dev/" + devPath
 }
 args := []string{
- "lsblk",
 "-dno",
 output,
 devPath,
 }
- out, err := exec.Command(args[0], args[1:]...).Output()
+ out, err := exec.Command(LSBLKCMD, args[0:]...).Output() // #nosec G204
 if err != nil {
 return "", fmt.Errorf("failed to execute `%s`: %s", strings.Join(args, " "), err.Error())
 }
diff --git a/pkg/controller/blockdevice/controller.go b/pkg/controller/blockdevice/controller.go
index 9d86a96c..326c85e2 100644
--- a/pkg/controller/blockdevice/controller.go
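Review bot: The `// #nosec G204` on the `exec.Command` call in `doCommandBlkid` carries no justification, and the same bare annotation is repeated on both `lsblk` calls in pkg/block/util.go. gosec flags these calls because `partition`, `param`, `output` and `devPath` are caller-supplied; the suppression is defensible only because the binary name is a constant and the values are passed as argv with no shell, so record that: `// #nosec G204 -- fixed binary, no shell; arguments are passed as argv`. Two style points on the same lines: `args[0:]...` is just `args...`, and Go constants use MixedCaps, so an unexported `blkidCmd` / `lsblkCmd` would fit better than the exported `BLKIDCMD` / `LSBLKCMD` unless another package needs them.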
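Review bot: With `"lsblk"` removed from `args`, the error text built from `strings.Join(args, " ")` in `GetDevPathByPTUUID` no longer names the command and now reads as a failure to execute `-dJo PATH,PTUUID`; the `lsblk` helper's error in the last hunk of this file has the same problem. Put the binary back into the message, e.g. ``fmt.Errorf("failed to execute `%s %s` for PTUUID %s: %w", LSBLKCMD, strings.Join(args, " "), ptUUID, err)``. The helper also formats its error with `%s` and `err.Error()`, which discards the wrapped error; `%w`, as `GetDevPathByPTUUID` already uses, keeps `errors.Is` and `errors.As` working. Both function bodies continue past their hunks.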
+++ b/pkg/controller/blockdevice/controller.go
@@ -2,9 +2,10 @@ package blockdevice
 import (
 "context"
+ "crypto/rand"
 "errors"
 "fmt"
- "math/rand"
+ "math/big"
 "os"
 "path/filepath"
 "reflect"
@@ -101,9 +102,6 @@ func Register(
 opt *option.Option,
 scanner *Scanner,
 ) error {
- // Initialize random seed.
- rand.Seed(time.Now().UnixNano())
-
 controller := &Controller{
 Namespace: opt.Namespace,
 NodeName: opt.NodeName,
@@ -662,7 +660,12 @@ func needUpdateMountPoint(bd *diskv1.BlockDevice, filesystem *block.FileSystemIn
 // jitterEnqueueDelay returns a random duration between 7 to 13.
 func jitterEnqueueDelay() time.Duration {
 enqueueDelay := 10
- return time.Duration(rand.Intn(3)+enqueueDelay) * time.Second
+ randInt, err := rand.Int(rand.Reader, big.NewInt(3))
+ if err != nil {
+ logrus.Errorf("Failed to generate random number: %v", err)
+ randInt = big.NewInt(0)
+ }
+ return time.Duration(randInt.Sign()+enqueueDelay) * time.Second
 }
 func convertMountStr(mountOP NeedMountUpdateOP) string {
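Review bot: `randInt.Sign()` in `jitterEnqueueDelay` returns only -1, 0 or +1, so for a value drawn from [0, 3) the jitter is 0 or 1 and the delay is 10 s or 11 s, never 12 s as with the old `rand.Intn(3)`. Use the drawn value itself: `return time.Duration(randInt.Int64()+int64(enqueueDelay)) * time.Second`. The doc comment still says "between 7 to 13", which matches neither the old nor the new range (10 to 12 seconds) and should be corrected in the same change. Falling back to zero jitter when `crypto/rand` fails is reasonable for a requeue delay.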