diff --git a/.golangci.yml b/.golangci.yml
index e0e7a05..f3e15f8 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -25,6 +25,9 @@ linters:
 - errcheck
 settings:
 gosec:
+ # G706 (log injection): too many false positives.
+ excludes:
+ - G706
 config:
 G302: "0644"
 G306: "0644"
diff --git a/asset/server.go b/asset/server.go
index a2345a9..7075946 100644
--- a/asset/server.go
+++ b/asset/server.go
@@ -154,5 +154,5 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 w.Header().Set("Content-Length", strconv.Itoa(len(body)))
 w.WriteHeader(http.StatusOK)
- w.Write(body)
+ w.Write(body) // #nosec G705 -- body is from internal asset storage, not user input
 }
diff --git a/certstore/truststore_darwin.go b/certstore/truststore_darwin.go
index a5ad8d7..d077ced 100644
--- a/certstore/truststore_darwin.go
+++ b/certstore/truststore_darwin.go
@@ -94,13 +94,13 @@ func (cs *DiskCertStore) installCATrust() error {
 }
 defer os.Remove(plistFile.Name())
- cmd = exec.Command("security", "trust-settings-export", "-d", plistFile.Name()) // #nosec G204
+ cmd = exec.Command("security", "trust-settings-export", "-d", plistFile.Name()) // #nosec G204 G702 -- args are not user-controlled
 out, err = cmd.CombinedOutput()
 if err != nil {
 return fmt.Errorf("trust-settings-export: %w\n%s", err, out)
 }
- plistData, err := os.ReadFile(plistFile.Name())
+ plistData, err := os.ReadFile(plistFile.Name()) // #nosec G703 -- path is from os.CreateTemp, not user input
 if err != nil {
 return fmt.Errorf("read plist file: %w", err)
 }
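Review bot: In `.golangci.yml`, adding `G706` to `gosec.excludes` switches the log-injection check off for the whole repository, whereas every other finding in this commit is silenced at the call site with a `#nosec` reason. The proxy code logs request-derived values (the `tunnel` hunk in `proxy/proxy.go` logs `r.Host`), so that is exactly where a G706 hit deserves a per-line decision rather than a blanket exclusion. Consider dropping the exclusion and annotating the reviewed call sites instead, for example `// #nosec G706 -- value is passed through redacted.Redacted`, so that new, unreviewed log calls are still flagged.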
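Review bot: In `installCATrust` (certstore/truststore_darwin.go) the `#nosec G204 G702` reason covers the arguments only; the program name `"security"` is still resolved through `$PATH`, and this command sequence goes on to modify trust settings. Pinning the binary closes that gap: `exec.Command("/usr/bin/security", "trust-settings-export", "-d", plistFile.Name())`. The same applies to the `trust-settings-import` call in the `@@ -133,11` hunk of this file. The function starts and ends outside both hunks, so any earlier `security` invocation in it may need the same change.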
@@ -133,11 +133,11 @@ func (cs *DiskCertStore) installCATrust() error {
 if err != nil {
 return fmt.Errorf("create plist data: %w", err)
 }
- err = os.WriteFile(plistFile.Name(), plistData, 0600)
+ err = os.WriteFile(plistFile.Name(), plistData, 0600) // #nosec G703 -- path is from os.CreateTemp, not user input
 if err != nil {
 return fmt.Errorf("write plist file: %w", err)
 }
- cmd = exec.Command("security", "trust-settings-import", "-d", plistFile.Name()) // #nosec G204
+ cmd = exec.Command("security", "trust-settings-import", "-d", plistFile.Name()) // #nosec G204 G702 -- args are not user-controlled
 out, err = cmd.CombinedOutput()
 if err != nil {
 return fmt.Errorf("trust-settings-import: %w\n%s", err, out)
diff --git a/filterliststore/filterliststore.go b/filterliststore/filterliststore.go
index 21d1fb9..e7db6f3 100644
--- a/filterliststore/filterliststore.go
+++ b/filterliststore/filterliststore.go
@@ -52,7 +52,7 @@ func (st *FilterListStore) Get(url string) (io.ReadCloser, error) {
 return nil, fmt.Errorf("create request: %v", err)
 }
- resp, err := httpClient.Do(req)
+ resp, err := httpClient.Do(req) // #nosec G704 -- URL is from configured filter lists, not arbitrary user input
 if err != nil {
 return nil, fmt.Errorf("do request: %v", err)
 }
diff --git a/internal/asset/cosmetic/injector.go b/internal/asset/cosmetic/injector.go
index 89ffc64..40a0a44 100644
--- a/internal/asset/cosmetic/injector.go
+++ b/internal/asset/cosmetic/injector.go
@@ -78,7 +78,7 @@ func generateBatchedCSS(selectors []string) string {
 batch := selectors[i:end]
 joinedSelectors := strings.Join(batch, ",")
- builder.WriteString(fmt.Sprintf("%s{display:none!important;}", joinedSelectors))
+ fmt.Fprintf(&builder, "%s{display:none!important;}", joinedSelectors)
 }
 return builder.String()
diff --git a/proxy/proxy.go b/proxy/proxy.go
index 20f7377..4c84699 100644
--- a/proxy/proxy.go
+++ b/proxy/proxy.go
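Review bot: In `FilterListStore.Get` the `#nosec G704` reason rests on `url` always being a configured filter list, but `Get` accepts any string and nothing in the hunk enforces that. If users can add their own list URLs (not visible here), the request target is user-influenced; a scheme check where the request is built, which is outside this hunk, rejecting anything other than `http` and `https`, would make the suppression hold by construction. Separately, both `fmt.Errorf` calls format the cause with `%v`, which drops the error chain; `%w` would keep `errors.Is` and `errors.As` working for callers, as the certstore code in this commit already does.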
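Review bot: `generateBatchedCSS` writes each selector into the stylesheet verbatim, so a selector carrying an unbalanced `{` or `}` would close the `display:none` rule early and leave the remainder to be parsed as separate CSS. The selectors presumably originate from filter lists, which is third-party content; whether they are validated before reaching this function is not visible in the hunk. A comment above the `strings.Join` line naming where that validation happens, such as `// selectors are validated by <parser>; they must not contain unbalanced braces`, would document the invariant the output depends on. The loop header and the start of the function lie outside the hunk.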
@@ -157,7 +157,7 @@ func (p *Proxy) proxyHTTP(w http.ResponseWriter, r *http.Request) {
 removeHopHeaders(r.Header)
- resp, err := p.requestClient.Do(r)
+ resp, err := p.requestClient.Do(r) // #nosec G704 -- this is a proxy; forwarding requests is its purpose
 if err != nil {
 log.Printf("error making request: %v", redacted.Redacted(err)) // The error might contain information about the hostname we are connecting to.
 http.Error(w, err.Error(), http.StatusBadGateway)
@@ -360,7 +360,7 @@ func (p *Proxy) addTransparentHost(host string) {
 // tunnel tunnels the connection between the client and the remote server
 // without inspecting the traffic.
 func (p *Proxy) tunnel(w net.Conn, r *http.Request) {
- remoteConn, err := net.Dial("tcp", r.Host)
+ remoteConn, err := net.Dial("tcp", r.Host) // #nosec G704 -- this is a proxy; forwarding connections is its purpose
 if err != nil {
 log.Printf("dialing remote(%s): %v", redacted.Redacted(r.Host), err)
 w.Write([]byte("HTTP/1.1 502 Bad Gateway\r\n\r\n"))
diff --git a/sysproxy/system_windows.go b/sysproxy/system_windows.go
index 416cf4a..11d5f0d 100644
--- a/sysproxy/system_windows.go
+++ b/sysproxy/system_windows.go
@@ -10,10 +10,10 @@ import (
 )
 var (
- wininet = windows.NewLazySystemDLL("wininet.dll")
- internetSetOption = wininet.NewProc("InternetSetOptionW")
- internetOptionSettingsChanged = 39
- internetOptionRefresh = 37
+ wininet = windows.NewLazySystemDLL("wininet.dll")
+ internetSetOption = wininet.NewProc("InternetSetOptionW")
+ internetOptionSettingsChanged uintptr = 39
+ internetOptionRefresh uintptr = 37
 //go:embed exclusions/windows.txt
 platformSpecificExcludedHosts []byte
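Review bot: In `tunnel` (proxy/proxy.go) the dial failure is logged with `redacted.Redacted(r.Host)` but a raw `err`, and a `net.Dial` error normally carries the address it tried, so the hostname still reaches the log. `proxyHTTP` in the first hunk of this file already wraps the error for exactly that reason, as its trailing comment says; the equivalent here is `log.Printf("dialing remote(%s): %v", redacted.Redacted(r.Host), redacted.Redacted(err))`. The body of `tunnel` continues past the end of the hunk.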
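Review bot: In sysproxy/system_windows.go, `internetOptionSettingsChanged` and `internetOptionRefresh` are fixed WinINet option codes but remain in the `var` block, which leaves them assignable from anywhere in the package. Now that they carry an explicit type they can become typed constants, `const internetOptionSettingsChanged uintptr = 39` and `const internetOptionRefresh uintptr = 37`, and still be passed to `callInternetSetOption(dwOption uintptr)` unchanged. A short comment naming the corresponding `INTERNET_OPTION_SETTINGS_CHANGED` and `INTERNET_OPTION_REFRESH` identifiers would also make the magic numbers traceable.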
@@ -56,8 +56,8 @@ func unsetSystemProxy() error {
 return nil
 }
-func callInternetSetOption(dwOption int) {
- ret, _, err := internetSetOption.Call(0, uintptr(dwOption), 0, 0)
+func callInternetSetOption(dwOption uintptr) {
+ ret, _, err := internetSetOption.Call(0, dwOption, 0, 0)
 if ret == 0 {
 log.Printf("failed to call InternetSetOption with option %d: %v", dwOption, err)
 }