diff --git a/.github/workflows/validate.yaml b/.github/workflows/checks.yaml similarity index 54% rename from .github/workflows/validate.yaml rename to .github/workflows/checks.yaml index 8e1fe48..c72e4d6 100644 --- a/.github/workflows/validate.yaml +++ b/.github/workflows/checks.yaml @@ -1,14 +1,14 @@ -name: Validation +name: Code Checks -on: [push, pull_request] +on: [push] defaults: run: shell: bash jobs: - basic: - name: generate and vet + makechecks: + name: Make Checks runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -17,16 +17,39 @@ jobs: with: go-version-file: './go.mod' + - uses: actions/setup-python@v5 + with: + python-version: 3.x + + - run: pip install yamllint==1.33.0 + - run: | - make generate make manifests - go mod tidy + make generate make fmt make vet + yamllint . git diff --exit-code - unit-tests: - name: Unit Tests + # A separate job so that it can annotate the code + golangci: + name: golangci-lint + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - uses: actions/setup-go@v5 + with: + go-version-file: './go.mod' + + - name: golangci-lint + uses: golangci/golangci-lint-action@v5 + with: + version: v1.58 + # Automatically uses ./.golangci.yml for configuration + + tests: + name: Tests runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -38,15 +61,10 @@ jobs: - run: | make test - # Fix things up for the coverage report - head -1 cover.out > nucleus_cover.out - grep 'governance-policy-nucleus' cover.out >> nucleus_cover.out - sudo rm -rf .go - - name: Update coverage report uses: ncruces/go-coverage-report@v0 with: - coverage-file: nucleus_cover.out + coverage-file: cover.out output-dir: ${{ github.ref_name }} report: true chart: false diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml deleted file mode 100644 index 6022ac8..0000000 --- a/.github/workflows/lint.yaml +++ /dev/null 
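Review bot: Dropping `pull_request` from `on:` in the first hunk means the checks run only for branches pushed to this repository, so pull requests opened from forks would presumably be merged without any fmt, vet, gosec or lint run. If the aim was to avoid duplicate runs on same-repository PRs, one option is to keep both triggers and limit `push` to the default branch, for example `push: {branches: [<default-branch>]}` alongside `pull_request:`. The coverage-report step later in the file appears to publish results, so the workflow would also benefit from an explicit least-privilege `permissions:` block; none is visible in the lines shown.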
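Review bot: The new `golangci` job in the `@@ -17,16 +17,39 @@` hunk runs the third-party action `golangci/golangci-lint-action@v5` from a mutable tag, so a retagged or compromised release would change what executes in CI without any change in this repository. Pinning to a full commit SHA, `uses: golangci/golangci-lint-action@<full-commit-sha>  # v5`, removes that exposure. The same applies to `ncruces/go-coverage-report@v0` in the tests job (third hunk). `pip install yamllint==1.33.0` pins the top-level package only; installing from a requirements file with `--require-hashes` would also fix its transitive dependencies.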
@@ -1,40 +0,0 @@ -name: Linting - -on: [push, pull_request] - -defaults: - run: - shell: bash - -jobs: - yamllint: - name: yamllint - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - uses: actions/setup-python@v5 - with: - python-version: 3.x - - - run: pip install yamllint==1.33.0 - - - name: Lint YAML files - run: yamllint . - # Automatically uses ./.yamllint.yaml for configuration - - golangci: - name: golangci-lint - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - uses: actions/setup-go@v5 - with: - go-version-file: './go.mod' - - - name: golangci-lint - uses: golangci/golangci-lint-action@v5 - with: - version: v1.58 - # Automatically uses ./.golangci.yml for configuration diff --git a/.gitignore b/.gitignore index df02ecf..4853111 100644 --- a/.gitignore +++ b/.gitignore @@ -15,5 +15,8 @@ bin/ # Output of the go coverage tool, specifically when used with LiteIDE *.out +# Output of gosec tool +gosec.json + # Dependency directories (remove the comment below to include it) # vendor/ diff --git a/Makefile b/Makefile index 2b04c53..d5f4625 100644 --- a/Makefile +++ b/Makefile @@ -6,8 +6,10 @@ $(LOCAL_BIN): mkdir -p $(LOCAL_BIN) # Keep an existing GOPATH, make a private one if it is undefined -GOPATH_DEFAULT := $(ROOTDIR)/.go -export GOPATH ?= $(GOPATH_DEFAULT) +export GOPATH ?= $(shell go env GOPATH) +ifeq ($(GOPATH),) + GOPATH := $(ROOTDIR)/.go +endif GOBIN_DEFAULT := $(GOPATH)/bin export GOBIN ?= $(GOBIN_DEFAULT) 
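Review bot: The comment kept above `export GOPATH ?= $(shell go env GOPATH)` in the Makefile hunk no longer matches the behaviour. `go env GOPATH` normally reports the toolchain default even when the variable is unset, so the `ifeq ($(GOPATH),)` fallback to `$(ROOTDIR)/.go` is taken only if that command prints nothing (for example when `go` is not on PATH). Suggested wording: `# Keep an existing GOPATH, else use the Go toolchain default; a private $(ROOTDIR)/.go is only a last resort`. The `./.go` exclusions that this commit adds to the `fmt` and `vet` recipes depend on the same assumption and are worth a short comment there too.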
@@ -34,15 +36,26 @@ CONTROLLER_GEN ?= $(LOCAL_BIN)/controller-gen $(CONTROLLER_GEN): $(LOCAL_BIN) $(call go-install,sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_VERSION)) -ENVTEST ?= $(LOCAL_BIN)/setup-envtest -$(ENVTEST): $(LOCAL_BIN) - $(call go-install,sigs.k8s.io/controller-runtime/tools/setup-envtest@latest) - KUSTOMIZE_VERSION ?= v5.4.1 # https://github.com/kubernetes-sigs/kustomize/releases/latest KUSTOMIZE ?= $(LOCAL_BIN)/kustomize $(KUSTOMIZE): $(LOCAL_BIN) $(call go-install,sigs.k8s.io/kustomize/kustomize/v5@$(KUSTOMIZE_VERSION)) +GOFUMPT_VERSION ?= v0.6.0 # https://github.com/mvdan/gofumpt/releases/latest +GOFUMPT ?= $(LOCAL_BIN)/gofumpt +$(GOFUMPT): $(LOCAL_BIN) + $(call go-install,mvdan.cc/gofumpt@$(GOFUMPT_VERSION)) + +GCI_VERSION ?= v0.13.4 # https://github.com/daixiang0/gci/releases/latest +GCI ?= $(LOCAL_BIN)/gci +$(GCI): $(LOCAL_BIN) + $(call go-install,github.com/daixiang0/gci@$(GCI_VERSION)) + +GOSEC_VERSION ?= v2.19.0 # https://github.com/securego/gosec/releases/latest +GOSEC ?= $(LOCAL_BIN)/gosec +$(GOSEC): $(LOCAL_BIN) + $(call go-install,github.com/securego/gosec/v2/cmd/gosec@$(GOSEC_VERSION)) + GOLANGCI_VERSION ?= v1.58.0 # https://github.com/golangci/golangci-lint/releases/latest GOLANGCI ?= $(LOCAL_BIN)/golangci-lint $(GOLANGCI): $(LOCAL_BIN) @@ -55,6 +68,10 @@ GINKGO ?= $(LOCAL_BIN)/ginkgo $(GINKGO): $(LOCAL_BIN) $(call go-install,github.com/onsi/ginkgo/v2/ginkgo@$(GINKGO_VERSION)) +ENVTEST ?= $(LOCAL_BIN)/setup-envtest +$(ENVTEST): $(LOCAL_BIN) + $(call go-install,sigs.k8s.io/controller-runtime/tools/setup-envtest@latest) + .PHONY: manifests manifests: $(CONTROLLER_GEN) $(KUSTOMIZE) ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. $(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths=".;./api/..." \ 
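Review bot: The ENVTEST block re-added in the `@@ -55,6 +68,10 @@` hunk still installs `setup-envtest@latest`, which makes it the only tool in the visible hunks without a pinned version. The binary built in CI and on developer machines can therefore change between runs with no corresponding change in the repository. Since the block is being moved anyway, consider giving it the same shape as its neighbours: `ENVTEST_VERSION ?= <pinned-ref>` followed by `$(call go-install,sigs.k8s.io/controller-runtime/tools/setup-envtest@$(ENVTEST_VERSION))`.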
@@ -69,12 +86,15 @@ generate: $(CONTROLLER_GEN) ## Generate code containing DeepCopy, DeepCopyInto, $(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..." .PHONY: fmt -fmt: ## Run go fmt against code. - go fmt ./... +fmt: $(GOFUMPT) $(GCI) + go mod tidy + find . -not \( -path "./.go" -prune \) -name "*.go" | xargs $(GOFUMPT) -l -w + find . -not \( -path "./.go" -prune \) -name "*.go" | xargs $(GCI) write --skip-generated -s standard -s default -s localmodule .PHONY: vet -vet: ## Run go vet against code. +vet: $(GOSEC) go vet ./... + $(GOSEC) -fmt sonarqube -out gosec.json -stdout -exclude-dir=.go -exclude-dir=test -exclude-generated ./... # Note: this target is not used by Github Actions. Instead, each linter is run # separately to automatically decorate the code with the linting errors. diff --git a/api/v1alpha1/reflectiveResourceList.go b/api/v1alpha1/reflectiveResourceList.go index a524c92..9097a70 100644 --- a/api/v1alpha1/reflectiveResourceList.go +++ b/api/v1alpha1/reflectiveResourceList.go @@ -4,8 +4,9 @@ import ( "fmt" "reflect" - "open-cluster-management.io/governance-policy-nucleus/api/v1beta1" "sigs.k8s.io/controller-runtime/pkg/client" + + "open-cluster-management.io/governance-policy-nucleus/api/v1beta1" ) //+kubebuilder:object:generate=false diff --git a/test/fakepolicy/main.go b/test/fakepolicy/main.go index d412354..c81d02e 100644 --- a/test/fakepolicy/main.go +++ b/test/fakepolicy/main.go 
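Review bot: Both new `fmt` recipe lines pipe `find` into plain `xargs`, which splits on whitespace and mis-handles any path containing a space or quote. A NUL-delimited pipeline avoids that: `find . -not \( -path "./.go" -prune \) -name "*.go" -print0 | xargs -0 $(GOFUMPT) -l -w`, and likewise for the `$(GCI)` line. The rewritten `fmt:` and `vet:` rules also drop the `## ...` descriptions that the other targets carry, so restoring them, e.g. `vet: $(GOSEC) ## Run go vet and gosec against code.`, keeps the targets documented. Note that `-exclude-dir=test` leaves `test/fakepolicy` outside the gosec scan; if that is intended, a one-line comment saying so would help.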
@@ -7,22 +7,20 @@ import ( "flag" "os" + "github.com/go-logr/zapr" + "github.com/stolostron/go-log-utils/zaputil" "k8s.io/apimachinery/pkg/runtime" utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/client-go/dynamic" clientgoscheme "k8s.io/client-go/kubernetes/scheme" "k8s.io/client-go/rest" + "k8s.io/klog/v2" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/healthz" "sigs.k8s.io/controller-runtime/pkg/metrics/server" - "github.com/go-logr/zapr" - "github.com/stolostron/go-log-utils/zaputil" - "k8s.io/klog/v2" - fakev1beta1 "open-cluster-management.io/governance-policy-nucleus/test/fakepolicy/api/v1beta1" "open-cluster-management.io/governance-policy-nucleus/test/fakepolicy/controllers" - //+kubebuilder:scaffold:imports ) var scheme = runtime.NewScheme() diff --git a/test/fakepolicy/test/suite_test.go b/test/fakepolicy/test/suite_test.go index 486d32a..494a32d 100644 --- a/test/fakepolicy/test/suite_test.go +++ b/test/fakepolicy/test/suite_test.go @@ -19,7 +19,6 @@ import ( "open-cluster-management.io/governance-policy-nucleus/test/fakepolicy" fakev1beta1 "open-cluster-management.io/governance-policy-nucleus/test/fakepolicy/api/v1beta1" - //+kubebuilder:scaffold:imports ) // These tests use Ginkgo (BDD-style Go testing framework). Refer to diff --git a/test/fakepolicy/test/yamlformat_test.go b/test/fakepolicy/test/yamlformat_test.go index 3a5b5c8..dda1fde 100644 --- a/test/fakepolicy/test/yamlformat_test.go +++ b/test/fakepolicy/test/yamlformat_test.go @@ -7,8 +7,9 @@ import ( . "github.com/onsi/gomega" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - nucleusv1beta1 "open-cluster-management.io/governance-policy-nucleus/api/v1beta1" "sigs.k8s.io/controller-runtime/pkg/client" + + nucleusv1beta1 "open-cluster-management.io/governance-policy-nucleus/api/v1beta1" ) var _ = Describe("FakePolicy resource format verification", func() {