diff --git a/.github/workflows/golang.yaml b/.github/workflows/golang.yaml
index 0a7e07d9..24f3742d 100644
--- a/.github/workflows/golang.yaml
+++ b/.github/workflows/golang.yaml
@@ -40,7 +40,7 @@ jobs:
       with:
         go-version: ${{ env.GOLANG_VERSION }}
     - name: Lint
-      uses: golangci/golangci-lint-action@v6
+      uses: golangci/golangci-lint-action@v7
       with:
         version: latest
         args: -v --timeout 5m
diff --git a/.golangci.yml b/.golangci.yml
index f1208798..e0204a44 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,43 +1,72 @@
-run:
-  timeout: 10m
+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
+version: "2"
 linters:
   enable:
     - contextcheck
     - gocritic
+    - gosec
+    - misspell
+    - unconvert
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    rules:
+      # Exclude the gocritic dupSubExpr issue for cgo files.
+      - linters:
+          - gocritic
+        path: internal/dxcore/dxcore.go
+        text: dupSubExpr
+      # Exclude the checks for usage of returns to config.Delete(Path) in the
+      # crio and containerd config packages.
+      - linters:
+          - errcheck
+        path: pkg/config/engine/
+        text: config.Delete
+      # RENDERD refers to the Render Device and not the past tense of render.
+      - linters:
+          - misspell
+        path: .*.go
+        text: '`RENDERD` is a misspelling of `RENDERED`'
+      # The legacy hook relies on spec.Hooks.Prestart, which is deprecated as of
+      # the v1.2.0 OCI runtime spec.
+      - path: (.+)\.go$
+        text: SA1019:(.+).Prestart is deprecated(.+)
+      # TODO: We should address each of the following integer overflows.
+      - path: (.+)\.go$
+        text: 'G115: integer overflow conversion(.+)'
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
     - gofmt
     - goimports
-    - gosec
-    - gosimple
-    - govet
-    - ineffassign
-    - misspell
-    - staticcheck
-    - unconvert
-
-linters-settings:
-  goimports:
-    local-prefixes: github.com/NVIDIA/nvidia-container-toolkit
-
-issues:
-  exclude:
-  # The legacy hook relies on spec.Hooks.Prestart, which is deprecated as of the v1.2.0 OCI runtime spec.
-  - "SA1019:(.+).Prestart is deprecated(.+)"
-  # TODO: We should address each of the following integer overflows.
-  - "G115: integer overflow conversion(.+)"
-  exclude-rules:
-  # Exclude the gocritic dupSubExpr issue for cgo files.
-  - path: internal/dxcore/dxcore.go
-    linters:
-    - gocritic
-    text: dupSubExpr
-  # Exclude the checks for usage of returns to config.Delete(Path) in the crio and containerd config packages.
-  - path: pkg/config/engine/
-    linters:
-    - errcheck
-    text: config.Delete
-  # RENDERD refers to the Render Device and not the past tense of render.
-  - path: .*.go
-    linters:
-    - misspell
-    text: "`RENDERD` is a misspelling of `RENDERED`"
+  settings:
+    goimports:
+      local-prefixes:
+        - github.com/NVIDIA/nvidia-container-toolkit
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
diff --git a/cmd/nvidia-cdi-hook/cudacompat/cudacompat.go b/cmd/nvidia-cdi-hook/cudacompat/cudacompat.go
index 0cecd6c1..fff06fec 100644
--- a/cmd/nvidia-cdi-hook/cudacompat/cudacompat.go
+++ b/cmd/nvidia-cdi-hook/cudacompat/cudacompat.go
@@ -199,7 +199,7 @@ func (m command) createLdsoconfdFile(in containerRoot, pattern string, dirs ...s
 		if added[dir] {
 			continue
 		}
-		_, err = configFile.WriteString(fmt.Sprintf("%s\n", dir))
+		_, err = fmt.Fprintf(configFile, "%s\n", dir)
 		if err != nil {
 			return fmt.Errorf("failed to update config file: %w", err)
 		}
diff --git a/cmd/nvidia-cdi-hook/update-ldcache/update-ldcache.go b/cmd/nvidia-cdi-hook/update-ldcache/update-ldcache.go
index e35da8ae..4118ad9c 100644
--- a/cmd/nvidia-cdi-hook/update-ldcache/update-ldcache.go
+++ b/cmd/nvidia-cdi-hook/update-ldcache/update-ldcache.go
@@ -184,7 +184,7 @@ func (m command) createLdsoconfdFile(in containerRoot, pattern string, dirs ...s
 		if added[dir] {
 			continue
 		}
-		_, err = configFile.WriteString(fmt.Sprintf("%s\n", dir))
+		_, err = fmt.Fprintf(configFile, "%s\n", dir)
 		if err != nil {
 			return fmt.Errorf("failed to update config file: %w", err)
 		}
diff --git a/cmd/nvidia-container-runtime-hook/hook_config_test.go b/cmd/nvidia-container-runtime-hook/hook_config_test.go
index ade45d27..19147ecf 100644
--- a/cmd/nvidia-container-runtime-hook/hook_config_test.go
+++ b/cmd/nvidia-container-runtime-hook/hook_config_test.go
@@ -85,7 +85,7 @@ func TestGetHookConfig(t *testing.T) {
 				configflag = &filename
 
 				for _, line := range tc.lines {
-					_, err := configFile.WriteString(fmt.Sprintf("%s\n", line))
+					_, err := fmt.Fprintf(configFile, "%s\n", line)
 					require.NoError(t, err)
 				}
 			}
diff --git a/cmd/nvidia-ctk-installer/main.go b/cmd/nvidia-ctk-installer/main.go
index fce109aa..fa1dabad 100644
--- a/cmd/nvidia-ctk-installer/main.go
+++ b/cmd/nvidia-ctk-installer/main.go
@@ -240,7 +240,7 @@ func (a *app) initialize(pidFile string) error {
 		return fmt.Errorf("unable to get flock on pidfile: %v", err)
 	}
 
-	_, err = f.WriteString(fmt.Sprintf("%v\n", os.Getpid()))
+	_, err = fmt.Fprintf(f, "%v\n", os.Getpid())
 	if err != nil {
 		return fmt.Errorf("unable to write PID to pidfile: %v", err)
 	}
diff --git a/internal/discover/symlinks.go b/internal/discover/symlinks.go
index 0119de0d..b7637aa2 100644
--- a/internal/discover/symlinks.go
+++ b/internal/discover/symlinks.go
@@ -42,7 +42,7 @@ func WithDriverDotSoSymlinks(mounts Discover, version string, nvidiaCDIHookPath
 
 // Hooks returns a hook to create the additional symlinks based on the mounts.
 func (d *additionalSymlinks) Hooks() ([]Hook, error) {
-	mounts, err := d.Discover.Mounts()
+	mounts, err := d.Mounts()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get library mounts: %v", err)
 	}
diff --git a/internal/oci/spec_memory.go b/internal/oci/spec_memory.go
index 478db5a2..fd27bdad 100644
--- a/internal/oci/spec_memory.go
+++ b/internal/oci/spec_memory.go
@@ -61,11 +61,11 @@ func (s *memorySpec) Modify(m SpecModifier) error {
 // Otherwise the returned value will be empty and the boolean will
 // be false.
 func (s memorySpec) LookupEnv(key string) (string, bool) {
-	if s.Spec == nil || s.Spec.Process == nil {
+	if s.Spec == nil || s.Process == nil {
 		return "", false
 	}
 
-	for _, env := range s.Spec.Process.Env {
+	for _, env := range s.Process.Env {
 		if !strings.HasPrefix(env, key) {
 			continue
 		}
diff --git a/internal/oci/spec_memory_test.go b/internal/oci/spec_memory_test.go
index 3e8ba0ed..ebf92e75 100644
--- a/internal/oci/spec_memory_test.go
+++ b/internal/oci/spec_memory_test.go
@@ -160,7 +160,7 @@ func TestModify(t *testing.T) {
 			require.EqualValues(t, &specs.Spec{}, spec.Spec, "%d: %v", i, tc)
 		default:
 			require.NoError(t, err, "%d: %v", i, tc)
-			require.Equal(t, "updated", spec.Spec.Version, "%d: %v", i, tc)
+			require.Equal(t, "updated", spec.Version, "%d: %v", i, tc)
 		}
 	}
 }
diff --git a/internal/platform-support/dgpu/nvsandboxutils.go b/internal/platform-support/dgpu/nvsandboxutils.go
index 7022deab..ebeea7c8 100644
--- a/internal/platform-support/dgpu/nvsandboxutils.go
+++ b/internal/platform-support/dgpu/nvsandboxutils.go
@@ -71,13 +71,13 @@ func (d *nvsandboxutilsDGPU) Devices() ([]discover.Device, error) {
 
 	var devices []discover.Device
 	for _, info := range gpuFileInfos {
-		switch {
-		case info.SubType == nvsandboxutils.NV_DEV_DRI_CARD, info.SubType == nvsandboxutils.NV_DEV_DRI_RENDERD:
+		switch info.SubType {
+		case nvsandboxutils.NV_DEV_DRI_CARD, nvsandboxutils.NV_DEV_DRI_RENDERD:
 			if d.isMig {
 				continue
 			}
 			fallthrough
-		case info.SubType == nvsandboxutils.NV_DEV_NVIDIA, info.SubType == nvsandboxutils.NV_DEV_NVIDIA_CAPS_NVIDIA_CAP:
+		case nvsandboxutils.NV_DEV_NVIDIA, nvsandboxutils.NV_DEV_NVIDIA_CAPS_NVIDIA_CAP:
 			containerPath := info.Path
 			if d.devRoot != "/" {
 				containerPath = strings.TrimPrefix(containerPath, d.devRoot)
@@ -89,7 +89,7 @@ func (d *nvsandboxutilsDGPU) Devices() ([]discover.Device, error) {
 				Path:     containerPath,
 			}
 			devices = append(devices, device)
-		case info.SubType == nvsandboxutils.NV_DEV_DRI_CARD_SYMLINK, info.SubType == nvsandboxutils.NV_DEV_DRI_RENDERD_SYMLINK:
+		case nvsandboxutils.NV_DEV_DRI_CARD_SYMLINK, nvsandboxutils.NV_DEV_DRI_RENDERD_SYMLINK:
 			if d.isMig {
 				continue
 			}
diff --git a/pkg/nvcdi/lib-csv.go b/pkg/nvcdi/lib-csv.go
index 649b801a..75ad00a4 100644
--- a/pkg/nvcdi/lib-csv.go
+++ b/pkg/nvcdi/lib-csv.go
@@ -35,7 +35,7 @@ var _ Interface = (*csvlib)(nil)
 
 // GetSpec should not be called for wsllib
 func (l *csvlib) GetSpec() (spec.Interface, error) {
-	return nil, fmt.Errorf("Unexpected call to csvlib.GetSpec()")
+	return nil, fmt.Errorf("unexpected call to csvlib.GetSpec()")
 }
 
 // GetAllDeviceSpecs returns the device specs for all available devices.
diff --git a/pkg/nvcdi/lib-wsl.go b/pkg/nvcdi/lib-wsl.go
index 1c96c538..dd0e8db0 100644
--- a/pkg/nvcdi/lib-wsl.go
+++ b/pkg/nvcdi/lib-wsl.go
@@ -33,7 +33,7 @@ var _ Interface = (*wsllib)(nil)
 
 // GetSpec should not be called for wsllib
 func (l *wsllib) GetSpec() (spec.Interface, error) {
-	return nil, fmt.Errorf("Unexpected call to wsllib.GetSpec()")
+	return nil, fmt.Errorf("unexpected call to wsllib.GetSpec()")
 }
 
 // GetAllDeviceSpecs returns the device specs for all available devices.
diff --git a/pkg/nvcdi/spec/builder.go b/pkg/nvcdi/spec/builder.go
index 65717452..337a1dd1 100644
--- a/pkg/nvcdi/spec/builder.go
+++ b/pkg/nvcdi/spec/builder.go
@@ -21,19 +21,18 @@ import (
 	"os"
 
 	"tags.cncf.io/container-device-interface/pkg/parser"
-	"tags.cncf.io/container-device-interface/specs-go"
 	cdi "tags.cncf.io/container-device-interface/specs-go"
 
 	"github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/transform"
 )
 
 type builder struct {
-	raw         *specs.Spec
+	raw         *cdi.Spec
 	version     string
 	vendor      string
 	class       string
-	deviceSpecs []specs.Device
-	edits       specs.ContainerEdits
+	deviceSpecs []cdi.Device
+	edits       cdi.ContainerEdits
 	format      string
 
 	mergedDeviceOptions []transform.MergedDeviceOption
@@ -86,7 +85,7 @@ func newBuilder(opts ...Option) *builder {
 func (o *builder) Build() (*spec, error) {
 	raw := o.raw
 	if raw == nil {
-		raw = &specs.Spec{
+		raw = &cdi.Spec{
 			Version:        o.version,
 			Kind:           fmt.Sprintf("%s/%s", o.vendor, o.class),
 			Devices:        o.deviceSpecs,
@@ -127,14 +126,14 @@ func (o *builder) Build() (*spec, error) {
 type Option func(*builder)
 
 // WithDeviceSpecs sets the device specs for the spec builder
-func WithDeviceSpecs(deviceSpecs []specs.Device) Option {
+func WithDeviceSpecs(deviceSpecs []cdi.Device) Option {
 	return func(o *builder) {
 		o.deviceSpecs = deviceSpecs
 	}
 }
 
 // WithEdits sets the container edits for the spec builder
-func WithEdits(edits specs.ContainerEdits) Option {
+func WithEdits(edits cdi.ContainerEdits) Option {
 	return func(o *builder) {
 		o.edits = edits
 	}
@@ -176,7 +175,7 @@ func WithNoSimplify(noSimplify bool) Option {
 }
 
 // WithRawSpec sets the raw spec for the spec builder
-func WithRawSpec(raw *specs.Spec) Option {
+func WithRawSpec(raw *cdi.Spec) Option {
 	return func(o *builder) {
 		o.raw = raw
 	}