diff --git a/.github/workflows/gosec.yml b/.github/workflows/gosec.yml
new file mode 100644
index 000000000..a01183d42
--- /dev/null
+++ b/.github/workflows/gosec.yml
@@ -0,0 +1,52 @@
+name: gosec
+
+on:
+ push:
+ branches:
+ - main
+ - develop
+ pull_request:
+ branches:
+ - master
+ - develop
+jobs:
+ gosec:
+ name: gosec
+ strategy:
+ matrix:
+ go-version: [1.18.x]
+ os: [ubuntu-latest]
+ runs-on: ${{ matrix.os }}
+ env:
+ GOPRIVATE: github.com/bnb-chain
+ GH_ACCESS_TOKEN: ${{ secrets.GH_ACCESS_SECRET }}
+ steps:
+ - uses: actions/setup-go@v3
+ with:
+ go-version: ${{ matrix.go-version }}
+ - uses: actions/checkout@v3
+ - name: Setup GitHub Token
+ run: git config --global url.https://$GH_ACCESS_TOKEN@github.com/.insteadOf https://github.com/
+ - uses: actions/cache@v3
+ with:
+ # In order:
+ # * Module download cache
+ # * Build cache (Linux)
+ # * Build cache (Mac)
+ # * Build cache (Windows)
+ path: |
+ ~/go/pkg/mod
+ ~/.cache/go-build
+ ~/Library/Caches/go-build
+ %LocalAppData%\go-build
+ key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+ restore-keys: |
+ ${{ runner.os }}-go-
+ - run: |
+ go mod tidy
+ go mod download
+
+ - name: Run Gosec Security Scanner
+ uses: securego/gosec@master
+ with:
+ args: -quiet -confidence high -severity high ./...
\ No newline at end of file
diff --git a/e2e/core/config.go b/e2e/core/config.go
index ee2c45d1a..1673771ea 100644
--- a/e2e/core/config.go
+++ b/e2e/core/config.go
@@ -4,6 +4,7 @@ import (
 "bufio"
 "fmt"
 "os"
+ "path/filepath"
 )
 
 type SPMnemonics struct {
@@ -53,10 +54,12 @@ func ParseSPMnemonics(i int) SPMnemonics {
 }
 
 func ParseMnemonicFromFile(fileName string) string {
+ fileName = filepath.Clean(fileName)
 file, err := os.Open(fileName)
 if err != nil {
 panic(err)
 }
+ // #nosec
 defer file.Close()
 
 scanner := bufio.NewScanner(file)
diff --git a/e2e/core/utils.go b/e2e/core/utils.go
index c9eab8378..09ea680c0 100644
--- a/e2e/core/utils.go
+++ b/e2e/core/utils.go
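Review bot: The scanner step `uses: securego/gosec@master`, an unpinned third-party action, inside a job whose job-level `env:` hands `GH_ACCESS_TOKEN` to every step, and after a `git config --global url.https://$GH_ACCESS_TOKEN@github.com/.insteadOf` rewrite that makes any later GitHub fetch on the runner carry that token; a drifting or compromised `master` of that action would presumably run with reach into the private `github.com/bnb-chain` modules. Pin the action to a release tag or, better, a full commit SHA, and move `GH_ACCESS_TOKEN` from the job `env:` down to a step-level `env:` on the `Setup GitHub Token` step so the scanner does not inherit it. The triggers also disagree: `push` lists `main` while `pull_request` lists `master`, so one of the two will never fire for the default branch — likely a typo in one of them. A top-level `permissions: contents: read` would additionally keep the default `GITHUB_TOKEN` from carrying write scopes into this job.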
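Review bot: The bare `// #nosec` placed before `defer file.Close()` suppresses every gosec rule on that statement, not just the deferred-Close finding (G307), and gives no reason, so later findings on the same line would be hidden too; prefer a rule-scoped, justified form such as `// #nosec G307 -- read-only handle, Close error is not actionable`. The new `fileName = filepath.Clean(fileName)` line quiets the taint-path check but is not a control: it collapses `..` and `//` segments without confining the result to any directory, which is fine for an e2e helper but should not be read as traversal protection. `ParseMnemonicFromFile`'s body continues past the end of the hunk.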
@@ -20,11 +20,13 @@ const (
 )
 
 func GenRandomAddr() sdk.AccAddress {
+ // #nosec
 return sdk.AccAddress(crypto.AddressHash([]byte(fmt.Sprintf("%d", rand.Int()))))
 }
 
 func GenRandomHexString(len int) string {
 b := make([]byte, len)
+ // #nosec
 _, err := rand.Read(b)
 if err != nil {
 panic(err)
diff --git a/testutil/keeper/payment.go b/testutil/keeper/payment.go
index 4237cef4f..ad4c4b4fe 100644
--- a/testutil/keeper/payment.go
+++ b/testutil/keeper/payment.go
@@ -95,6 +95,7 @@ func PaymentKeeper(t testing.TB) (*keeper.Keeper, sdk.Context) {
 
 func GetRandomAddress() string {
 b := make([]byte, 20)
+ // #nosec
 _, err := rand.Read(b)
 if err != nil {
 panic(err)
diff --git a/testutil/sample/sample.go b/testutil/sample/sample.go
index ec9396dbf..010ca0ebf 100644
--- a/testutil/sample/sample.go
+++ b/testutil/sample/sample.go
@@ -20,6 +20,7 @@ func Checksum() []byte {
 
 func RandStr(length int) []byte {
 randBytes := make([]byte, length/2)
+ // #nosec
 rand.Read(randBytes)
 return randBytes
 }
diff --git a/x/payment/keeper/storage_fee_charge.go b/x/payment/keeper/storage_fee_charge.go
index 164755f96..dab0837dc 100644
--- a/x/payment/keeper/storage_fee_charge.go
+++ b/x/payment/keeper/storage_fee_charge.go
@@ -31,8 +31,8 @@ func (k Keeper) MergeStreamRecordChanges(base *[]types.StreamRecordChange, newCh
 
 // assume StreamRecordChange is unique by Addr
 func (k Keeper) ApplyStreamRecordChanges(ctx sdk.Context, streamRecordChanges []types.StreamRecordChange) error {
- for _, fc := range streamRecordChanges {
- _, err := k.UpdateStreamRecordByAddr(ctx, &fc)
+ for i := 0; i < len(streamRecordChanges); i++ {
+ _, err := k.UpdateStreamRecordByAddr(ctx, &streamRecordChanges[i])
 if err != nil {
 return fmt.Errorf("update stream record failed: %w", err)
 }
diff --git a/x/storage/client/cli/tx.go b/x/storage/client/cli/tx.go
index 6f0a910ba..5478e7d17 100644
--- a/x/storage/client/cli/tx.go
+++ b/x/storage/client/cli/tx.go
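Review bot: Both added `// #nosec` comments are unscoped, so they silence every gosec rule on `rand.Int()` and `rand.Read(b)` rather than only the weak-RNG finding (G404), and any future finding on those lines disappears with them; write them as `// #nosec G404 -- test-only randomness`. The suppression is defensible only because this is e2e support code: `GenRandomAddr` derives an address from a `%d`-formatted `rand.Int()`, which is predictable if `rand` is math/rand (the import is outside the hunk), so these helpers must not be reused for anything that matters in production. The enclosing `GenRandomHexString` continues past the end of the hunk.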
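Review bot: `rand.Read(randBytes)` still discards both return values, while the sibling helpers touched in this same commit (`GenRandomHexString`, `GetRandomAddress`) check the error and panic. Which `rand` this is cannot be seen from the hunk: if it is crypto/rand, a read failure leaves a silently zero-filled buffer; if it is math/rand, the G404 finding that the new bare `// #nosec` hides is the real one. Either way the suppression should be scoped and justified, e.g. `// #nosec G404 -- sample data for tests`, and for consistency the call should become `if _, err := rand.Read(randBytes); err != nil { panic(err) }`.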
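Review bot: Swapping `&fc` for `&streamRecordChanges[i]` changes what the callee can reach: the old loop passed `UpdateStreamRecordByAddr` a pointer to a per-iteration copy, the new one passes a pointer into the caller's slice, so any write the callee makes through that pointer is now visible to whoever called `ApplyStreamRecordChanges`. That is only safe if `UpdateStreamRecordByAddr` (outside this hunk) treats its argument as read-only — worth confirming, or documenting on the `// assume StreamRecordChange is unique by Addr` comment. As a matter of style, the three-clause loop reads as a workaround for the aliasing lint; `for i := range streamRecordChanges {` is the idiomatic form and yields the same index-based address. The function's closing brace lies outside the hunk.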
@@ -7,6 +7,7 @@ import (
 "math"
 "net/http"
 "os"
+ "path/filepath"
 "time"
 
 "github.com/cosmos/cosmos-sdk/client"
@@ -229,7 +230,7 @@ func CmdCreateObject() *cobra.Command {
 }
 
 // read file
- f, err := os.OpenFile(argObjectPath, os.O_RDONLY, 0644)
+ f, err := os.OpenFile(filepath.Clean(argObjectPath), os.O_RDONLY, 0600)
 if err != nil {
 return err
 }
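Review bot: The `0600` in `os.OpenFile(filepath.Clean(argObjectPath), os.O_RDONLY, 0600)` is dead: the mode argument is only consulted when `O_CREATE` is set, so changing `0644` to `0600` alters nothing at runtime and merely appeases the linter while implying a tightening that did not happen. Use `f, err := os.Open(filepath.Clean(argObjectPath))`, the read-only form with no mode to mislead. `filepath.Clean` likewise does not restrict which file the CLI user can upload — that is intended here, since `argObjectPath` is the operator's own argument — so if gosec still flags G304, a scoped `// #nosec G304 -- local path chosen by the CLI user` is the honest suppression rather than a no-op Clean. `CmdCreateObject` continues on both sides of the hunk.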