diff --git a/securesystemslib/ed25519_keys.py b/securesystemslib/ed25519_keys.py
index 2397043e..b4ad62e9 100755
--- a/securesystemslib/ed25519_keys.py
+++ b/securesystemslib/ed25519_keys.py
@@ -335,7 +335,7 @@ def verify_signature(public_key, scheme, signature, data):
 # The pure Python implementation raises 'Exception' if 'signature' is
 # invalid.
- except Exception: # pylint: disable=broad-except
+ except Exception: # pylint: disable=broad-except # nosec
 pass
 # This is a defensive check for a valid 'scheme', which should have already
diff --git a/securesystemslib/gpg/constants.py b/securesystemslib/gpg/constants.py
index a3f056fe..df023428 100644
--- a/securesystemslib/gpg/constants.py
+++ b/securesystemslib/gpg/constants.py
@@ -18,7 +18,7 @@
 import functools
 import logging
 import os
-import subprocess
+import subprocess # nosec
 from securesystemslib import process
diff --git a/securesystemslib/gpg/util.py b/securesystemslib/gpg/util.py
index 6aa7cbc6..8ae712ec 100644
--- a/securesystemslib/gpg/util.py
+++ b/securesystemslib/gpg/util.py
@@ -235,7 +235,9 @@ def compute_keyid(pubkey_packet_data):
 if not CRYPTO: # pragma: no cover
 raise exceptions.UnsupportedLibraryError(NO_CRYPTO_MSG)
- hasher = hashing.Hash(hashing.SHA1(), backend=backends.default_backend())
+ hasher = hashing.Hash(
+ hashing.SHA1(), backend=backends.default_backend() # nosec
+ )
 hasher.update(b"\x99")
 hasher.update(struct.pack(">H", len(pubkey_packet_data)))
 hasher.update(bytes(pubkey_packet_data))
diff --git a/securesystemslib/process.py b/securesystemslib/process.py
index 7232e256..54419066 100644
--- a/securesystemslib/process.py
+++ b/securesystemslib/process.py
@@ -25,7 +25,7 @@
 import logging
 import os
 import shlex
-import subprocess
+import subprocess # nosec
 import sys
 import tempfile
 import time
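Review bot: The bare `# nosec` added after `except Exception:` in verify_signature silences every Bandit check on that line, not only the try/except/pass finding it is presumably aimed at. Scoping it as `# nosec B110` keeps any other finding on the line visible, and the existing comment above the handler is the place to say that an invalid signature simply leaves the result unset (the try body and the flag it sets are outside this hunk). The same unscoped marker is added on the `import subprocess` lines in gpg/constants.py and process.py (B404), on the `subprocess.run` and `subprocess.Popen` calls in process.py (B603), on `hashing.SHA1()` in gpg/util.py and on `random.choice` in unittest_toolbox.py (B311). Each of those would be better with its test ID, so that a new issue introduced on the same line later is still reported.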
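Review bot: The suppression on `hashing.SHA1()` in compute_keyid carries no reason, so a later reader cannot tell a protocol requirement from a weak-hash oversight. The `b"\x99"` prefix and two-byte length fed to the hasher look like the OpenPGP v4 fingerprint construction, which fixes SHA-1; a comment above the call such as `# SHA-1 is fixed by the OpenPGP v4 fingerprint format (RFC 4880, section 12.2); used as an identifier, not as a collision-resistant digest` would record that. The docstring of compute_keyid is outside this hunk; if it does not already say so, it should state that a keyid alone is not sufficient grounds for trusting a key.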
@@ -119,7 +119,7 @@ def run(cmd, check=True, timeout=_default_timeout(), **kwargs):
 )
 del kwargs["stdin"]
- return subprocess.run(cmd, check=check, timeout=timeout, **kwargs)
+ return subprocess.run(cmd, check=check, timeout=timeout, **kwargs) # nosec
 def run_duplicate_streams(cmd, timeout=_default_timeout()):
@@ -205,7 +205,7 @@ def _duplicate_streams():
 _std["err"] += stderr_part
 # Start child process, writing its standard streams to temporary files
- proc = subprocess.Popen( # pylint: disable=consider-using-with
+ proc = subprocess.Popen( # pylint: disable=consider-using-with # nosec
 cmd,
 stdout=stdout_writer,
 stderr=stderr_writer,
diff --git a/securesystemslib/unittest_toolbox.py b/securesystemslib/unittest_toolbox.py
index ab1e989d..0b6223e8 100755
--- a/securesystemslib/unittest_toolbox.py
+++ b/securesystemslib/unittest_toolbox.py
@@ -131,6 +131,6 @@ def random_string(length=15):
 rand_str = ""
 for letter in range(length): # pylint: disable=unused-variable
- rand_str += random.choice("abcdefABCDEF" + string.digits)
+ rand_str += random.choice("abcdefABCDEF" + string.digits) # nosec
 return rand_str
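Review bot: The `# nosec` on `return subprocess.run(cmd, check=check, timeout=timeout, **kwargs)` in run() asserts the call is safe, but the visible lines forward `**kwargs` unchanged, so whether a shell is involved depends on every caller and a static check cannot see it. Unless the part of run() above this hunk already handles it, either reject the option explicitly, e.g. `if kwargs.get("shell"): raise ValueError("shell=True is not supported")`, or state in the docstring that `cmd` and `kwargs` must come from trusted code. The `subprocess.Popen` call in `_duplicate_streams` gets the same marker but passes explicit arguments in the lines shown; both function bodies extend beyond their hunks.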
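Review bot: `random_string` sits in a module that ships inside the package, and the `# nosec` on `random.choice` removes the only tool-visible hint that its output is predictable. A docstring line such as `Not cryptographically secure; intended for test fixtures only.` would keep that visible to anyone importing the helper. The docstring is outside this hunk, so it may already say this.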