diff --git a/pkg/modules/background/unsplash/proxy.go b/pkg/modules/background/unsplash/proxy.go
index 8f36e961f..69fb23716 100644
--- a/pkg/modules/background/unsplash/proxy.go
+++ b/pkg/modules/background/unsplash/proxy.go
@@ -32,7 +32,7 @@ func unsplashImage(url string, c *echo.Context) error {
 	if err != nil {
 		return err
 	}
-	resp, err := utils.NewSSRFSafeHTTPClient().Do(req)
+	resp, err := utils.NewSSRFSafeHTTPClient().Do(req) //nolint:gosec // SSRF protection is handled by the SSRF-safe client
 	if err != nil {
 		return err
 	}
diff --git a/pkg/modules/background/unsplash/unsplash.go b/pkg/modules/background/unsplash/unsplash.go
index cbf688e02..b9b5482c3 100644
--- a/pkg/modules/background/unsplash/unsplash.go
+++ b/pkg/modules/background/unsplash/unsplash.go
@@ -261,7 +261,7 @@ func (p *Provider) Set(s *xorm.Session, image *background.Image, project *models
 	if err != nil {
 		return
 	}
-	resp, err := utils.NewSSRFSafeHTTPClient().Do(req)
+	resp, err := utils.NewSSRFSafeHTTPClient().Do(req) //nolint:gosec // SSRF protection is handled by the SSRF-safe client
 	if err != nil {
 		return err
 	}
@@ -373,7 +373,7 @@ func pingbackByPhotoID(photoID string) {
 	if err != nil {
 		log.Errorf("Unsplash Pingback Failed: %s", err.Error())
 	}
-	_, err = utils.NewSSRFSafeHTTPClient().Do(req)
+	_, err = utils.NewSSRFSafeHTTPClient().Do(req) //nolint:gosec // SSRF protection is handled by the SSRF-safe client
 	if err != nil {
 		log.Errorf("Unsplash Pingback Failed: %s", err.Error())
 	}
diff --git a/pkg/modules/migration/helpers.go b/pkg/modules/migration/helpers.go
index 40d18ca0a..b0499507d 100644
--- a/pkg/modules/migration/helpers.go
+++ b/pkg/modules/migration/helpers.go
@@ -48,7 +48,7 @@ func DownloadFileWithHeaders(url string, headers http.Header) (buf *bytes.Buffer
 	}
 
 	hc := utils.NewSSRFSafeHTTPClient()
-	resp, err := hc.Do(req)
+	resp, err := hc.Do(req) //nolint:gosec // SSRF protection is handled by the SSRF-safe client
 	if err != nil {
 		return nil, err
 	}
diff --git a/pkg/modules/migration/microsoft-todo/microsoft_todo.go b/pkg/modules/migration/microsoft-todo/microsoft_todo.go
index 0e04e4865..d0f9b98e0 100644
--- a/pkg/modules/migration/microsoft-todo/microsoft_todo.go
+++ b/pkg/modules/migration/microsoft-todo/microsoft_todo.go
@@ -188,7 +188,7 @@ func makeAuthenticatedGetRequest(token, urlPart string, v interface{}) error {
 	}
 	req.Header.Set("Authorization", "Bearer "+token)
 
-	resp, err := utils.NewSSRFSafeHTTPClient().Do(req)
+	resp, err := utils.NewSSRFSafeHTTPClient().Do(req) //nolint:gosec // SSRF protection is handled by the SSRF-safe client
 	if err != nil {
 		return err
 	}
diff --git a/pkg/utils/avatar.go b/pkg/utils/avatar.go
index 75fae20be..18b92dde9 100644
--- a/pkg/utils/avatar.go
+++ b/pkg/utils/avatar.go
@@ -101,7 +101,7 @@ func DownloadImage(url string) ([]byte, error) {
 		return nil, fmt.Errorf("failed to create HTTP request: %w", err)
 	}
 
-	resp, err := NewSSRFSafeHTTPClient().Do(req)
+	resp, err := NewSSRFSafeHTTPClient().Do(req) //nolint:gosec // SSRF protection is handled by the SSRF-safe client
 	if err != nil {
 		return nil, fmt.Errorf("failed to download image: %w", err)
 	}
diff --git a/pkg/utils/httpclient_test.go b/pkg/utils/httpclient_test.go
index c1392f0f5..aa1a79724 100644
--- a/pkg/utils/httpclient_test.go
+++ b/pkg/utils/httpclient_test.go
@@ -46,7 +46,7 @@ func TestNewSSRFSafeHTTPClient(t *testing.T) {
 		client := NewSSRFSafeHTTPClient()
 		req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, server.URL, nil)
 		require.NoError(t, err)
-		resp, err := client.Do(req)
+		resp, err := client.Do(req) //nolint:gosec // testing SSRF-safe client
 		require.NoError(t, err)
 		defer resp.Body.Close()
 		assert.Equal(t, http.StatusOK, resp.StatusCode)
@@ -59,7 +59,7 @@ func TestNewSSRFSafeHTTPClient(t *testing.T) {
 		// Attempt to connect to localhost (non-routable)
 		req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, "http://127.0.0.1:1/test", nil)
 		require.NoError(t, err)
-		_, err = client.Do(req) //nolint:bodyclose
+		_, err = client.Do(req) //nolint:bodyclose,gosec // testing SSRF-safe client
 		require.Error(t, err)
 	})
 
@@ -75,7 +75,7 @@ func TestNewSSRFSafeHTTPClient(t *testing.T) {
 		client := NewSSRFSafeHTTPClient()
 		req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, server.URL, nil)
 		require.NoError(t, err)
-		resp, err := client.Do(req)
+		resp, err := client.Do(req) //nolint:gosec // testing SSRF-safe client
 		require.NoError(t, err)
 		defer resp.Body.Close()
 		assert.Equal(t, http.StatusOK, resp.StatusCode)