diff --git a/.github/workflows/code_quality.yml b/.github/workflows/code_quality.yml
index 4ccba68..4a56bda 100644
--- a/.github/workflows/code_quality.yml
+++ b/.github/workflows/code_quality.yml
@@ -26,7 +26,7 @@ jobs:
       - name: set up go
         uses: actions/setup-go@v5
         with:
-          go-version: "1.24"
+          go-version: "1.25"
       - name: initialize codeql
         uses: github/codeql-action/init@v4
         with:
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 6165ede..f83666b 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -21,17 +21,17 @@ jobs:
       - name: set up go
         uses: actions/setup-go@v6
         with:
-          go-version: "1.24"
+          go-version: "1.25"
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@v8
         with:
-          version: latest
+          version: v2.11.4
 
   build:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go-version: ["1.24"]
+        go-version: ["1.25"]
     steps:
       - uses: actions/checkout@v6
       - name: set up go
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
index 98d64b5..317948e 100644
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -19,7 +19,7 @@ jobs:
       - name: set up go
         uses: actions/setup-go@v5
         with:
-          go-version: "1.24"
+          go-version: "1.25"
       - name: install govulncheck
         run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.4
       - name: run govulncheck
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0c4fe79..0937c07 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -23,7 +23,7 @@ jobs:
       - name: set up go
         uses: actions/setup-go@v5
         with:
-          go-version: "1.24"
+          go-version: "1.25"
 
       - name: extract version
         run: echo "VERSION=${GITHUB_REF_NAME#v}" >> $GITHUB_ENV
diff --git a/.github/workflows/runtest.yml b/.github/workflows/runtest.yml
index 9916575..5ca397e 100644
--- a/.github/workflows/runtest.yml
+++ b/.github/workflows/runtest.yml
@@ -18,7 +18,7 @@ jobs:
       - name: set up go
         uses: actions/setup-go@v5
         with:
-          go-version: "1.24"
+          go-version: "1.25"
       - name: build sif
         run: make
       - name: run sif with features
diff --git a/.golangci.yml b/.golangci.yml
index 9630991..75a9fea 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,10 +1,16 @@
+---
+version: "2"
+
+run:
+  timeout: 5m
+  issues-exit-code: 1
+
 linters:
   enable:
     - errcheck      # check error returns
     - govet         # suspicious constructs
-    - staticcheck   # advanced static analysis
+    - staticcheck   # advanced static analysis (absorbs gosimple in v2)
     - unused        # unused code
-    - gosimple      # simplifications
     - ineffassign   # useless assignments
     - misspell      # spelling mistakes
     - gocritic      # opinionated lints
@@ -18,49 +24,90 @@ linters:
     - wastedassign  # assignments to variables never read
     - usetesting    # os.Setenv in tests instead of t.Setenv, etc.
 
-linters-settings:
-  govet:
-    enable-all: true
-    disable:
-      - fieldalignment  # too many structs to reorder, risks breaking serialization
-      - shadow          # common Go pattern, too noisy
-      - unusedwrite     # false positives on test data structs
-  errcheck:
-    check-blank: false
-    exclude-functions:
-      - github.com/dropalldatabases/sif/internal/logger.Write  # log writes are best-effort
-  revive:
-    rules:
-      - name: exported
-        disabled: true  # stuttering names (scan.ScanResult) require breaking API changes
-  gocritic:
-    enabled-tags:
-      - diagnostic
-      - style
-      - performance
-    disabled-checks:
-      - commentedOutCode   # too opinionated for a project with TODO comments
-      - paramTypeCombine   # style-only, not worth churn
-      - unnamedResult      # style-only
-      - unnecessaryDefer   # common pattern in tests
-      - nestingReduce      # inverting conditions in scan logic hurts readability
-  gosec:
-    excludes:
-      - G104  # errcheck covers this
-      - G107  # pentesting tool -- variable URLs are the whole point
-      - G110  # nuclei template decompression, acceptable context
-      - G304  # sif reads user-supplied wordlist paths -- intentional
+  settings:
+    govet:
+      enable-all: true
+      disable:
+        # too many structs to reorder, risks breaking serialization
+        - fieldalignment
+        - shadow          # common Go pattern, too noisy
+        - unusedwrite     # false positives on test data structs
+    errcheck:
+      check-blank: false
+      exclude-functions:
+        # log writes are best-effort
+        - github.com/dropalldatabases/sif/internal/logger.Write
+        # Close on io.Closer is idiomatic best-effort
+        - (io.Closer).Close
+        - (*os.File).Close
+        - (*net/http.Response).Body.Close
+        # fmt.Fprint* returns are rarely actionable
+        - fmt.Fprint
+        - fmt.Fprintf
+        - fmt.Fprintln
+    staticcheck:
+      # QF1003/QF1012 are v2 quickfix suggestions, not bugs.
+      # ST1000/ST1003 were the stylecheck linter in v1
+      # (not previously enabled); skipping to match prior parity.
+      checks:
+        - all
+        - -QF1003
+        - -QF1012
+        - -ST1000
+        - -ST1003
+    revive:
+      rules:
+        # stuttering names (scan.ScanResult) need breaking API changes
+        - name: exported
+          disabled: true
+    gocritic:
+      enabled-tags:
+        - diagnostic
+        - style
+        - performance
+      disabled-checks:
+        - commentedOutCode   # too opinionated for a project with TODOs
+        - paramTypeCombine   # style-only, not worth churn
+        - unnamedResult      # style-only
+        - unnecessaryDefer   # common pattern in tests
+        # inverting conditions in scan logic hurts readability
+        - nestingReduce
+        - importShadow       # nuclei output pkg alias conflict, intentional
+        - rangeValCopy       # nuclei module iterates value types, fine here
+    gosec:
+      excludes:
+        - G104  # errcheck covers this
+        - G107  # pentesting tool -- variable URLs are the whole point
+        - G110  # nuclei template decompression, acceptable context
+        - G301  # log/template dirs need 0755 for common tooling
+        - G302  # log files intentionally world-readable for tailing
+        - G304  # sif reads user-supplied wordlist paths -- intentional
 
-run:
-  timeout: 5m
-  issues-exit-code: 1
+  exclusions:
+    rules:
+      # test files get some slack
+      - path: _test\.go
+        linters:
+          - errcheck
+          - noctx
+      # net.* calls predate context plumbing; refactor tracked separately
+      - path: internal/scan/(ports|shodan|subdomaintakeover)\.go
+        linters:
+          - noctx
+      # Close on concrete types errcheck can't match to (io.Closer).Close
+      - path: internal/nuclei/templates/templates\.go
+        text: "tarball.Close"
+        linters:
+          - errcheck
+      - path: internal/scan/ports\.go
+        text: "tcp.Close"
+        linters:
+          - errcheck
+      - path: sif\.go
+        text: "logger.Close"
+        linters:
+          - errcheck
 
 issues:
   max-issues-per-linter: 50
   max-same-issues: 50
-  exclude-rules:
-    # test files get some slack
-    - path: _test\.go
-      linters:
-        - errcheck
-        - noctx