diff --git a/br/pkg/mock/mock_cluster.go b/br/pkg/mock/mock_cluster.go
index 86cba3217a596..daee2cc732041 100644
--- a/br/pkg/mock/mock_cluster.go
+++ b/br/pkg/mock/mock_cluster.go
@@ -164,6 +164,7 @@ func waitUntilServerOnline(addr string, statusPort uint) string {
 	// connect http status
 	statusURL := fmt.Sprintf("http://127.0.0.1:%d/status", statusPort)
 	for retry = 0; retry < retryTime; retry++ {
+		// #nosec G107
 		resp, err := http.Get(statusURL) // nolint:noctx,gosec
 		if err == nil {
 			// Ignore errors.
diff --git a/cmd/pluginpkg/pluginpkg.go b/cmd/pluginpkg/pluginpkg.go
index 24a7c6a0a5dd6..5fda6afd79bc9 100644
--- a/cmd/pluginpkg/pluginpkg.go
+++ b/cmd/pluginpkg/pluginpkg.go
@@ -126,7 +126,7 @@ func main() {
 	}
 
 	genFileName := filepath.Join(pkgDir, filepath.Base(pkgDir)+".gen.go")
-	genFile, err := os.OpenFile(genFileName, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0700) // # nosec G302
+	genFile, err := os.OpenFile(genFileName, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0700) // #nosec G302
 	if err != nil {
 		log.Printf("generate code failure during prepare output file, %+v\n", err)
 		os.Exit(1)
diff --git a/executor/select_into.go b/executor/select_into.go
index 5003f1dbf9fd1..78c210b3a4dde 100644
--- a/executor/select_into.go
+++ b/executor/select_into.go
@@ -53,7 +53,7 @@ func (s *SelectIntoExec) Open(ctx context.Context) error {
 	}
 
 	// MySQL-compatible behavior: allow files to be group-readable
-	f, err := os.OpenFile(s.intoOpt.FileName, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0640) // # nosec G302
+	f, err := os.OpenFile(s.intoOpt.FileName, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0640) // #nosec G302
 	if err != nil {
 		return errors.Trace(err)
 	}
diff --git a/util/security.go b/util/security.go
index f380c01e8a4b9..38db2e5afcbf5 100644
--- a/util/security.go
+++ b/util/security.go
@@ -93,9 +93,9 @@ func ToTLSConfigWithVerify(caPath, certPath, keyPath string, verifyCN []string)
 	if !certPool.AppendCertsFromPEM(ca) {
 		return nil, errors.New("failed to append ca certs")
 	}
-	//nolint:gosec
+
 	tlsCfg := &tls.Config{
-		MinVersion:   tls.VersionTLS10,
+		MinVersion:   tls.VersionTLS12,
 		Certificates: certificates,
 		RootCAs:      certPool,
 		ClientCAs:    certPool,
@@ -123,9 +123,9 @@ func ToTLSConfigWithVerifyByRawbytes(caData, certData, keyData []byte, verifyCN
 	if !certPool.AppendCertsFromPEM(caData) {
 		return nil, errors.New("failed to append ca certs")
 	}
-	//nolint:gosec
+
 	tlsCfg := &tls.Config{
-		MinVersion:   tls.VersionTLS10,
+		MinVersion:   tls.VersionTLS12,
 		Certificates: certificates,
 		RootCAs:      certPool,
 		ClientCAs:    certPool,