diff --git a/.github/workflows/gosec.yaml b/.github/workflows/gosec.yaml
new file mode 100644
index 000000000..1e565ed0f
--- /dev/null
+++ b/.github/workflows/gosec.yaml
@@ -0,0 +1,25 @@
+name: Gosec
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+ branches:
+ - master
+
+jobs:
+ tests:
+ runs-on: ubuntu-latest
+ env:
+ GO111MODULE: on
+ steps:
+ - name: Checkout Source
+ uses: actions/checkout@v4
+ - uses: actions/setup-go@v5
+ with:
+ go-version: '1.22'
+ cache: false
+ - name: Run Gosec
+ uses: securego/gosec@master
+ with:
+ args: '-exclude=G104,G115,G304,G406,G507 -exclude-dir=builtin/gen ./...'
\ No newline at end of file
diff --git a/.github/workflows/lint-go.yaml b/.github/workflows/lint-go.yaml
index be7b21b27..f2497950c 100644
--- a/.github/workflows/lint-go.yaml
+++ b/.github/workflows/lint-go.yaml
@@ -25,5 +25,3 @@ jobs:
 args: --timeout=30m --config=.golangci.yml
 only-new-issues: true
 skip-cache: true
- skip-pkg-cache: true
- skip-build-cache: true
diff --git a/.golangci.yml b/.golangci.yml
index 7f12c1f02..ac2943c5b 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -6,7 +6,7 @@ run:
 tests: true
 # default is true. Enables skipping of directories:
 # vendor$, third_party$, testdata$, examples$, Godeps$, builtin$
- skip-dirs-use-default: true
+ exclude-dirs-use-default: true
 linters:
 disable-all: true
diff --git a/cache/rnd_cache.go b/cache/rnd_cache.go
index 22b9b0ad7..66e939ae4 100644
--- a/cache/rnd_cache.go
+++ b/cache/rnd_cache.go
@@ -106,7 +106,7 @@ func (rc *RandCache) Pick() *Entry {
 if len(rc.s) == 0 {
 return nil
 }
- ent := rc.s[rand.Intn(len(rc.s))] // nolint:gosec
+ ent := rc.s[rand.Intn(len(rc.s))] // #nosec
 cpy := ent.Entry
 return &cpy
 }
@@ -141,6 +141,6 @@ func (rc *RandCache) randDrop() {
 if len(rc.s) == 0 {
 return
 }
- ent := rc.s[rand.Intn(len(rc.s))] // nolint:gosec
+ ent := rc.s[rand.Intn(len(rc.s))] // #nosec
 rc.remove(ent.Key)
 }
diff --git a/cmd/thor/solo/solo.go b/cmd/thor/solo/solo.go
index 4bcb61f8c..c6ef10800 100644
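Review bot: `uses: securego/gosec@master` in the Run Gosec step of .github/workflows/gosec.yaml follows a mutable branch, so any change pushed to that branch runs in this repository's CI without review here; pin the action to a release tag or, better, a full commit SHA, `uses: securego/gosec@<release-tag-or-commit-sha>`. The job also sets no `permissions:` key, so it runs with the repository's default token scope, while a scan-only job needs no more than `contents: read`. Separately, `-exclude=G104,G115,G304,G406,G507` switches those rules off for the whole tree with no recorded reason; a YAML comment above `args:` saying why each one is excluded would keep the exclusions auditable.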
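Review bot: The replacement comment on the `rand.Intn` line of `Pick` in cache/rnd_cache.go is a bare `// #nosec`, which silences every gosec rule on that line and records no reason, although the finding being waived is presumably only the math/rand one; name the rule and the justification, e.g. `ent := rc.s[rand.Intn(len(rc.s))] // #nosec G404 -- picks a cache entry, not security sensitive`. The same bare marker is introduced in `randDrop` in this file and in cmd/thor/solo/solo.go, comm/peer.go, p2psrv/rpc/rpc.go, test/datagen/numbers.go and txpool/tx_pool.go. Each site should carry its own reason; the RPC call id in `prepareCall` and the tx nonce in solo mode in particular deserve a sentence on why a predictable value is acceptable there. Both rnd_cache.go functions begin outside their hunks.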
--- a/cmd/thor/solo/solo.go
+++ b/cmd/thor/solo/solo.go
@@ -262,7 +262,7 @@ func (s *Solo) newTx(clauses []*tx.Clause, from genesis.DevAccount) (*tx.Transac
 return builder.BlockRef(tx.NewBlockRef(0)).
 Expiration(math.MaxUint32).
- Nonce(rand.Uint64()). // nolint:gosec
+ Nonce(rand.Uint64()). // #nosec
 DependsOn(nil).
 Gas(1_000_000).
 BuildAndSign(from.PrivateKey)
diff --git a/comm/peer.go b/comm/peer.go
index 506c67ba6..8dab9bd5c 100644
--- a/comm/peer.go
+++ b/comm/peer.go
@@ -84,7 +84,7 @@ func (p *Peer) UpdateHead(id thor.Bytes32, totalScore uint64) {
 // MarkTransaction marks a transaction to known.
 func (p *Peer) MarkTransaction(hash thor.Bytes32) {
 // that's 10~100 block intervals
- expiration := mclock.AbsTime(time.Second * time.Duration(thor.BlockInterval*uint64(rand.Intn(91)+10))) // nolint:gosec
+ expiration := mclock.AbsTime(time.Second * time.Duration(thor.BlockInterval*uint64(rand.Intn(91)+10))) // #nosec
 deadline := mclock.Now() + expiration
 p.knownTxs.Add(hash, deadline)
diff --git a/p2psrv/rpc/rpc.go b/p2psrv/rpc/rpc.go
index 911ded75b..5fa39fd46 100644
--- a/p2psrv/rpc/rpc.go
+++ b/p2psrv/rpc/rpc.go
@@ -158,7 +158,7 @@ func (r *RPC) prepareCall(msgCode uint64, onResult func(*p2p.Msg) error) uint32
 r.lock.Lock()
 defer r.lock.Unlock()
 for {
- id := rand.Uint32() // nolint:gosec
+ id := rand.Uint32() // #nosec
 if id == 0 {
 // 0 id is taken by Notify
 continue
diff --git a/test/datagen/numbers.go b/test/datagen/numbers.go
index e49a4613d..84df41de5 100644
--- a/test/datagen/numbers.go
+++ b/test/datagen/numbers.go
@@ -10,9 +10,9 @@ import (
 )
 func RandInt() int {
- return mathrand.Int() // nolint:gosec
+ return mathrand.Int() // #nosec
 }
 func RandIntN(n int) int {
- return mathrand.Intn(n) // nolint:gosec
+ return mathrand.Intn(n) // #nosec
 }
diff --git a/txpool/tx_object.go b/txpool/tx_object.go
index dd511cad7..95f690625 100644
@@ -55,7 +55,7 @@ func (o *txObject) Executable(chain *chain.Chain, state *state.State, headBlock
 switch {
 case o.Gas() > headBlock.GasLimit():
 return false, errors.New("gas too large")
- case o.IsExpired(headBlock.Number()):
+ case o.IsExpired(headBlock.Number() + 1): // Check tx expiration on top of next block
 return false, errors.New("expired")
 case o.BlockRef().Number() > headBlock.Number()+uint32(5*60/thor.BlockInterval):
 // reject deferred tx which will be applied after 5mins
@@ -81,13 +81,11 @@ func (o *txObject) Executable(chain *chain.Chain, state *state.State, headBlock
 }
 }
- if o.BlockRef().Number() > headBlock.Number() {
+ // Tx is considered executable when the BlockRef has passed in reference to the next block.
+ if o.BlockRef().Number() > headBlock.Number()+1 {
 return false, nil
 }
- // checkpoint := state.NewCheckpoint()
- // defer state.RevertTo(checkpoint)
-
 if _, _, _, _, err := o.resolved.BuyGas(state, headBlock.Timestamp()+thor.BlockInterval); err != nil {
 return false, err
 }
diff --git a/txpool/tx_pool.go b/txpool/tx_pool.go
index 0dd01c1cb..6798ae30e 100644
--- a/txpool/tx_pool.go
+++ b/txpool/tx_pool.go
@@ -181,7 +181,7 @@ func (p *TxPool) fetchBlocklistLoop() {
 for {
 // delay 1~2 min
- delay := time.Second * time.Duration(rand.Int()%60+60) // nolint:gosec
+ delay := time.Second * time.Duration(rand.Int()%60+60) // #nosec
 select {
 case <-p.ctx.Done():
 return
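Review bot: In txpool/tx_object.go the next-block number is spelled out inline as `headBlock.Number() + 1` in the `IsExpired` case here and again as `headBlock.Number()+1` in the BlockRef check of the following hunk, while the deferred-tx case between them still measures from `headBlock.Number()`. Naming it once before the `switch`, `nextBlockNum := headBlock.Number() + 1`, and using it in both places would make it explicit which comparisons are relative to the next block and keep the two from drifting apart. `Executable` begins and ends outside this hunk.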
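Review bot: The new comment in the second txpool/tx_object.go hunk says a tx is executable when its BlockRef "has passed" relative to the next block, but the condition `o.BlockRef().Number() > headBlock.Number()+1` also admits a BlockRef equal to the next block number; wording such as `// Not yet executable while BlockRef is beyond the next block (head+1).` matches the check. Together with the `IsExpired` change this moves both pool admission boundaries by one block, and no test for the BlockRef == head+1 and expiry-at-head+1 cases is visible in this part of the diff, so one is worth adding if the commit does not include it elsewhere. `Executable` continues outside the hunk.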