diff --git a/internal/config/config.go b/internal/config/config.go
index b3adafb..d6f919b 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -51,7 +51,7 @@ type Config struct {
 MaintenanceMode bool
 MetricsUsername string
 MetricsPassword string
- SessionSecret string
+ SessionSecret string //nolint:gosec // not a hardcoded credential, loaded from env/file
 CORSOrigins string
 params *Params
 log *slog.Logger
diff --git a/internal/handlers/api.go b/internal/handlers/api.go
index d97be9b..edf7f46 100644
--- a/internal/handlers/api.go
+++ b/internal/handlers/api.go
@@ -76,7 +76,7 @@ func deploymentToAPI(d *models.Deployment) apiDeploymentResponse {
 func (h *Handlers) HandleAPILoginPOST() http.HandlerFunc {
 type loginRequest struct {
 Username string `json:"username"`
- Password string `json:"password"`
+ Password string `json:"password"` //nolint:gosec // request field, not a hardcoded credential
 }
 type loginResponse struct {
diff --git a/internal/handlers/app.go b/internal/handlers/app.go
index 72fb07c..0685a72 100644
--- a/internal/handlers/app.go
+++ b/internal/handlers/app.go
@@ -499,7 +499,7 @@ func (h *Handlers) HandleAppLogs() http.HandlerFunc {
 return
 }
- _, _ = writer.Write([]byte(logs))
+ _, _ = writer.Write([]byte(logs)) //nolint:gosec // logs are from trusted container output, not user input
 }
 }
@@ -582,7 +582,7 @@ func (h *Handlers) HandleDeploymentLogDownload() http.HandlerFunc {
 }
 // Check if file exists
- _, err := os.Stat(logPath)
+ _, err := os.Stat(logPath) //nolint:gosec // logPath is constructed by deploy service, not from user input
 if os.IsNotExist(err) {
 http.NotFound(writer, request)
diff --git a/internal/service/notify/notify.go b/internal/service/notify/notify.go
index 0cc29da..0d10728 100644
--- a/internal/service/notify/notify.go
+++ b/internal/service/notify/notify.go
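Review bot: The `//nolint:gosec` on `SessionSecret` in `Config` silences every gosec rule on that line, while the stated reason ("not a hardcoded credential") only answers the hardcoded-credential check (G101) and says nothing about whether the struct can be serialized or logged with the secret in it. `Config` also holds a `*slog.Logger`, so it is worth confirming that no code path logs or marshals the whole struct, and then saying so in the comment, e.g. `//nolint:gosec // loaded from env/file; Config is never marshaled or logged`. The same applies to `Password` in `loginRequest` (internal/handlers/api.go) and `PrivateKey` in `KeyPair` (internal/ssh/keygen.go). For `KeyPair`, a `json:"-"` tag would enforce the property rather than assert it, if the struct is never meant to be encoded. The `Config` struct extends beyond the hunk.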
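Review bot: The justification on the `writer.Write([]byte(logs))` line in HandleAppLogs treats container output as trusted, but a container's stdout/stderr normally carries whatever the deployed application prints, which can include data chosen by that application's own users. What makes a raw write safe is the response being served as plain text, and the hunk does not show that; the handler body starts above it. I would confirm that `Content-Type: text/plain; charset=utf-8` and `X-Content-Type-Options: nosniff` are set before the write and reword the comment to state that, e.g. `//nolint:gosec // served as text/plain with nosniff; log content is not trusted`.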
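Review bot: The suppression on `os.Stat(logPath)` in HandleDeploymentLogDownload rests entirely on how `logPath` is built, and that construction is above the hunk. If any path component comes from a request parameter or from a stored app or deployment name, "not from user input" does not hold as written. A containment check just before the Stat, such as computing `filepath.Rel` against the log root and rejecting a result that escapes it, would make the invariant local to the handler instead of resting on a comment.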
@@ -260,7 +260,7 @@ func (svc *Service) sendNtfy(
 request.Header.Set("Title", title)
 request.Header.Set("Priority", svc.ntfyPriority(priority))
- resp, err := svc.client.Do(request)
+ resp, err := svc.client.Do(request) //nolint:gosec // URL constructed from trusted config, not user input
 if err != nil {
 return fmt.Errorf("failed to send ntfy request: %w", err)
 }
@@ -352,7 +352,7 @@ func (svc *Service) sendSlack(
 request.Header.Set("Content-Type", "application/json")
- resp, err := svc.client.Do(request)
+ resp, err := svc.client.Do(request) //nolint:gosec // URL from trusted webhook config
 if err != nil {
 return fmt.Errorf("failed to send slack request: %w", err)
 }
diff --git a/internal/ssh/keygen.go b/internal/ssh/keygen.go
index 49e0ee9..ce2d8c0 100644
--- a/internal/ssh/keygen.go
+++ b/internal/ssh/keygen.go
@@ -12,7 +12,7 @@ import (
 // KeyPair contains an SSH key pair.
 type KeyPair struct {
- PrivateKey string
+ PrivateKey string //nolint:gosec // field name describes SSH key material, not a hardcoded secret
 PublicKey string
 }
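Review bot: `svc.client.Do(request)` in sendNtfy is suppressed as "URL constructed from trusted config", but the hunk does not show where the ntfy URL comes from, and the same holds for the Slack webhook in the sendSlack hunk below. If these URLs are per-app settings entered through the UI or API, the server will make outbound requests to whatever host is stored, internal addresses included. In that case validate the URL when it is saved (https scheme, expected host for Slack) and have the comment name that check, e.g. `//nolint:gosec // URL validated on save; see <validation function>`. Both functions start and end outside their hunks.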