diff --git a/.golangci.yml b/.golangci.yml
index 169a5c2a8345..0a8b15ab02c9 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -110,8 +110,15 @@ linters:
       excludes:
         - G104 # G104: Errors unhandled; (TODO: reduce unhandled errors, or explicitly ignore)
         - G115 # G115: integer overflow conversion; (TODO: verify these: https://github.com/docker/cli/issues/5584)
+        - G117 # G117: Exported struct field matches secret pattern (false positives for legitimate field names)
+        - G118 # G118: Goroutine uses context.Background/TODO while request-scoped context is available (TODO: evaluate these)
+        - G122 # G122: Filesystem operation in filepath.Walk/WalkDir callback uses race-prone path (TODO: evaluate these)
         - G306 # G306: Expect WriteFile permissions to be 0600 or less (too restrictive; also flags "0o644" permissions)
         - G307 # G307: Deferring unsafe method "*os.File" on type "Close" (also EXC0008); (TODO: evaluate these and fix where needed: G307: Deferring unsafe method "*os.File" on type "Close")
+        - G702 # G702: Command injection via taint analysis (TODO: evaluate these)
+        - G703 # G703: Path traversal via taint analysis (TODO: evaluate these)
+        - G704 # G704: SSRF via taint analysis (TODO: evaluate these)
+        - G705 # G705: XSS via taint analysis (TODO: evaluate these)
 
     govet:
       enable:
diff --git a/cli-plugins/manager/manager_test.go b/cli-plugins/manager/manager_test.go
index 05cebf5103b2..07df0f8ecccb 100644
--- a/cli-plugins/manager/manager_test.go
+++ b/cli-plugins/manager/manager_test.go
@@ -177,9 +177,8 @@ func TestGetPluginDirs(t *testing.T) {
 	pluginDirs := getPluginDirs(cli.ConfigFile())
 	assert.Equal(t, strings.Join(expected, ":"), strings.Join(pluginDirs, ":"))
 
-	extras := []string{
-		"foo", "bar", "baz",
-	}
+	extras := make([]string, 0, 3+len(expected))
+	extras = append(extras, "foo", "bar", "baz")
 	expected = append(extras, expected...)
 	cli.SetConfigFile(&configfile.ConfigFile{
 		CLIPluginsExtraDirs: extras,
diff --git a/cli/command/cli.go b/cli/command/cli.go
index d2805f2530e6..eb69b3eb73fc 100644
--- a/cli/command/cli.go
+++ b/cli/command/cli.go
@@ -566,11 +566,12 @@ type ServerInfo struct {
 // It applies by default the standard streams, and the content trust from
 // environment.
 func NewDockerCli(ops ...CLIOption) (*DockerCli, error) {
-	defaultOps := []CLIOption{
+	defaultOps := make([]CLIOption, 0, 3+len(ops))
+	defaultOps = append(defaultOps,
 		WithDefaultContextStoreConfig(),
 		WithStandardStreams(),
 		WithUserAgent(UserAgent()),
-	}
+	)
 	ops = append(defaultOps, ops...)
 
 	cli := &DockerCli{baseCtx: context.Background()}
diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint
index ba7ab814987a..176afa877183 100644
--- a/dockerfiles/Dockerfile.lint
+++ b/dockerfiles/Dockerfile.lint
@@ -7,7 +7,7 @@ ARG GO_VERSION=1.26.2
 # that's also available as alpine image variant for the Golang version used.
 ARG ALPINE_VERSION=3.23
 # GOLANGCI_LINT_VERSION sets the version of the golangci/golangci-lint image to use.
-ARG GOLANGCI_LINT_VERSION=v2.9.0
+ARG GOLANGCI_LINT_VERSION=v2.10.1
 
 FROM golangci/golangci-lint:${GOLANGCI_LINT_VERSION}-alpine AS golangci-lint