diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 54a26c7e5c0..bda8986b975 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -26,10 +26,11 @@ jobs:
- name: Run Gosec
run: |
- go install github.com/securego/gosec/v2/cmd/gosec@v2.22.11
+ go install github.com/securego/gosec/v2/cmd/gosec@v2.27.1
# Exclusions configured in .golangci.yml (linters-settings.gosec.exclude)
# Keep this list in sync with .golangci.yml for consistency
gosec -fmt sarif -out gosec-results.sarif -stdout -exclude-generated -track-suppressions \
+ -nosec-require-rules -nosec-require-justification \
-exclude=G101,G115,G204,G602,G301,G302,G304,G306 \
./...
diff --git a/Makefile b/Makefile
index 9ff10114372..941b5d39fc8 100644
--- a/Makefile
+++ b/Makefile
@@ -195,11 +195,12 @@ security-scan: security-gosec security-govulncheck
.PHONY: security-gosec
security-gosec:
@echo "Running gosec security scanner..."
- @command -v gosec >/dev/null || go install github.com/securego/gosec/v2/cmd/gosec@v2.23.0
+ @command -v gosec >/dev/null || go install github.com/securego/gosec/v2/cmd/gosec@v2.27.1
@# Exclusions configured in .golangci.yml (linters-settings.gosec.exclude)
@# Keep this list in sync with .golangci.yml for consistency
@GOPATH=$$(go env GOPATH); \
PATH="$$GOPATH/bin:$$PATH" gosec -fmt=json -out=gosec-report.json -stdout -exclude-generated -track-suppressions \
+ -nosec-require-rules -nosec-require-justification \
-exclude=G101,G115,G204,G602,G301,G302,G304,G306 \
./...
@echo "✓ Gosec scan complete (results in gosec-report.json)"
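Review bot: G304 is still in the `-exclude=` list on the same gosec command that now passes `-nosec-require-justification`, so that rule is disabled globally and the `#nosec G304 -- …` annotations this commit edits in pkg/cli/run_workflow_validation.go are never evaluated; the new justification requirement does not gate the one suppression the commit touches. If the intent is to move file-read findings from a blanket exclusion to reviewed per-site suppressions, drop `G304` from `-exclude=` here (and from the .golangci.yml list the comment above says must stay in sync); otherwise the per-line comments are dead annotations. The same exclude list is repeated in the Makefile security-gosec hunk below. Whether .golangci.yml's gosec settings honour the two new `-nosec-require-*` options is not visible here; if they do not, the two scan paths now disagree on what a valid `#nosec` looks like.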
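Review bot: The `command -v gosec >/dev/null ||` guard means the v2.27.1 pin only applies when no gosec is on PATH at all; a developer with an older binary installed keeps running it, and if that release does not recognise `-nosec-require-rules`/`-nosec-require-justification` the new flags turn a local `make security-gosec` into an unknown-flag failure rather than a stricter scan. Installing unconditionally (the module cache makes a repeat `go install` cheap) or checking the installed binary's reported version against the pin would make the target enforce the version it names. The version literal also now appears three times (this target, `tools`, and the workflow) and had already drifted before this commit (v2.22.11 in the workflow vs v2.23.0 here). A single `GOSEC_VERSION ?= v2.27.1` at the top of the Makefile, used as `@go install github.com/securego/gosec/v2/cmd/gosec@$(GOSEC_VERSION)` in both targets, would keep them aligned.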
@@ -390,7 +391,7 @@ check-node-version:
tools: ## Install build-time tools from tools.go
@echo "Installing build tools..."
@go install github.com/rhysd/actionlint/cmd/actionlint@v1.7.11
- @go install github.com/securego/gosec/v2/cmd/gosec@v2.23.0
+ @go install github.com/securego/gosec/v2/cmd/gosec@v2.27.1
@go install golang.org/x/tools/gopls@v0.21.1
@go install golang.org/x/vuln/cmd/govulncheck@v1.1.4
@echo "✓ Tools installed successfully"
diff --git a/pkg/cli/run_workflow_validation.go b/pkg/cli/run_workflow_validation.go
index 7ce884b17fa..34dd61a43df 100644
--- a/pkg/cli/run_workflow_validation.go
+++ b/pkg/cli/run_workflow_validation.go
@@ -45,7 +45,7 @@ func IsRunnable(markdownPath string) (bool, error) {
// Read the lock file - path is sanitized using filepath.Clean() to prevent path traversal attacks.
// The lockPath is derived from markdownPath which comes from trusted sources (CLI arguments, validated workflow paths).
- contentBytes, err := os.ReadFile(cleanLockPath) // #nosec G304
+ contentBytes, err := os.ReadFile(cleanLockPath) // #nosec G304 -- path is sanitized with filepath.Clean() and derived from trusted CLI argument
if err != nil {
return false, fmt.Errorf("failed to read lock file: %w", err)
}
@@ -98,7 +98,7 @@ func getWorkflowInputs(markdownPath string) (map[string]*workflow.InputDefinitio
// Read the lock file - path is sanitized using filepath.Clean() to prevent path traversal attacks.
// The lockPath is derived from markdownPath which comes from trusted sources (CLI arguments, validated workflow paths).
- contentBytes, err := os.ReadFile(cleanLockPath) // #nosec G304
+ contentBytes, err := os.ReadFile(cleanLockPath) // #nosec G304 -- path is sanitized with filepath.Clean() and derived from trusted CLI argument
if err != nil {
return nil, fmt.Errorf("failed to read lock file: %w", err)
}
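Review bot: The new justification on the `os.ReadFile(cleanLockPath)` line in IsRunnable records that the path is "sanitized with filepath.Clean()", but Clean only normalizes separators and `.`/`..` segments — a leading `..` or an absolute path passes through unchanged — so it is not a traversal control and should not be the reason of record for suppressing G304. The reason that actually holds is the trust boundary the comment above it already describes: the path originates from an operator-supplied CLI argument. Suggest `// #nosec G304 -- lockPath is derived from the operator-supplied CLI markdown path (trusted input); filepath.Clean only normalizes it` here and the same wording in the getWorkflowInputs hunk below, which carries identical text. That surrounding comment also lists "validated workflow paths" as a source, which the justification omits; if markdownPath can arrive from anywhere other than the CLI, a containment check against a base directory (a `filepath.Rel` result without a `..` prefix, or `os.Root` on newer Go) is what would justify the suppression, and no such check is visible in this hunk. IsRunnable's body continues outside the hunk.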