diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 21cb90104c7cf2771c25b94fd43d4f3d3f677bac..4196e58ad297c0b1b50ee820922fe962a0205d88 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -29,3 +29,10 @@ jobs:
       # Test It
       - name: Test
         run: go test -v ./...
+      # Gosec It
+      - name: Run Gosec Security Scanner
+        uses: securego/gosec@v2.5.0
+        env:
+          GOROOT: ""
+        with:
+          args: ./...
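Review bot: The new step pins `securego/gosec@v2.5.0` by tag, and a tag is a mutable reference that the action's maintainers (or anyone who gains write access to that repository) can move, so the scanner that runs on this repo's code is not fixed by this line alone; for a third-party action, pin to the full commit SHA of that release and keep the tag in a trailing comment so Dependabot-style tooling can still track it, e.g. `uses: securego/gosec@<commit-sha-of-v2.5.0> # v2.5.0`. The `GOROOT: ""` override is presumably there to let the action use its own toolchain rather than the runner's; a short comment above `env:` stating that would save the next reader from wondering whether it is load-bearing. As written the step runs with the action's default behaviour of failing the job on findings, which is the right default, but worth stating in the step comment so nobody later "fixes" a red build by adding `-no-fail`.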
diff --git a/cmd/cli/app/verify.go b/cmd/cli/app/verify.go
index 570613c7582660773bbde33316459b8ddc867f5e..4c1c0936fcc8967be63e73f00af4e928c11942da 100644
--- a/cmd/cli/app/verify.go
+++ b/cmd/cli/app/verify.go
@@ -20,6 +20,7 @@ import (
 	"encoding/json"
 	"io/ioutil"
 	"os"
+	"path/filepath"
 
 	"github.com/projectrekor/rekor/pkg"
 	"github.com/projectrekor/rekor/pkg/log"
@@ -46,11 +47,11 @@ var verifyCmd = &cobra.Command{
 		}
 
 		// Signature and Public Key are always required
-		sig, err := ioutil.ReadFile(signature)
+		sig, err := ioutil.ReadFile(filepath.Clean(signature))
 		if err != nil {
 			log.Fatal(err)
 		}
-		pubKey, err := ioutil.ReadFile(pk)
+		pubKey, err := ioutil.ReadFile(filepath.Clean(pk))
 		if err != nil {
 			log.Fatal(err)
 		}
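Review bot: Wrapping the `ioutil.ReadFile` arguments in `filepath.Clean` on the `sig` and `pubKey` lines (and on the `artifact` line in the following hunk) removes the lexical `..` segments that gosec G304 looks for, but it does not restrict where the file may live, so a reader should not mistake it for a path-confinement check. Since these values come straight from the CLI flags and reading an arbitrary user-named file is the intended behaviour here, that is fine, but the intent should be stated at the first call so a future reviewer does not assume a containment boundary exists, e.g. `// filepath.Clean only normalizes the flag-supplied path; it is not a confinement check.`. The `Run` function these lines belong to starts before this hunk, in the `verifyCmd` command definition.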
@@ -64,7 +65,7 @@ var verifyCmd = &cobra.Command{
 		var body []byte
 		if isLocal {
 			var err error
-			body, err = ioutil.ReadFile(artifact)
+			body, err = ioutil.ReadFile(filepath.Clean(artifact))
 			if err != nil {
 				log.Fatal(err)
 			}