diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 28ed1e725..596ab9532 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -24,6 +24,9 @@ on: permissions: security-events: write +env: + GO_VERSION: 1.16.8 + jobs: analyze: name: Analyze @@ -37,14 +40,27 @@ jobs: - name: Checkout repository uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - name: Set up Go + uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 #v2.2.0 + with: + go-version: ${{ env.GO_VERSION }} + + - name: Leverage Cached Go Modules + uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed #v2.1.7 + with: + path: ~/go/pkg/mod + key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-go- + # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@75f07e7ab2ee63cba88752d8c696324e4df67466 # v1.1.3 with: languages: ${{ matrix.language }} - - - name: Autobuild - uses: github/codeql-action/autobuild@75f07e7ab2ee63cba88752d8c696324e4df67466 # v1.1.3 + queries: +security-and-quality - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@75f07e7ab2ee63cba88752d8c696324e4df67466 # v1.1.3 + env: + CODEQL_EXTRACTOR_GO_BUILD_COMMAND: "make pkg" diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 53f63c33a..4d25770ba 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -47,10 +47,10 @@ jobs: ${{ runner.os }}-go- - name: Build - run: go build -v ./... + run: make pkg - name: Test - run: go test -v ./... + run: make test - name: Ensure no files were modified as a result of the build run: git update-index --refresh && git diff-index --quiet HEAD -- || git diff --exit-code diff --git a/pkg/signature/kms/hashivault/client.go b/pkg/signature/kms/hashivault/client.go index d20c3d08f..87c4b835f 100644 --- a/pkg/signature/kms/hashivault/client.go 
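Review bot: Dropping the Autobuild step leaves no build between `Initialize CodeQL` and `Perform CodeQL Analysis`, and `CODEQL_EXTRACTOR_GO_BUILD_COMMAND: "make pkg"` is attached only to the analyze step, so it takes effect only if that step still invokes the Go autobuilder, which this diff cannot confirm. If it does not, nothing is traced and the Go database may be empty, so the scan quietly covers less code than before while still reporting success. An explicit step between init and analyze, `- name: Build` / `run: make pkg`, makes the traced build unambiguous and matches what test.yml now runs. The new pin comments `#v2.2.0` and `#v2.1.7` also omit the space used by the existing `# v2.4.0` and `# v1.1.3` pins.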
+++ b/pkg/signature/kms/hashivault/client.go
@@ -46,7 +46,7 @@ func init() {
 type hashivaultClient struct {
 client *vault.Client
 keyPath string
- transitSecretEnginePath string
+ transitSecretEnginePath string // lgtm[go/hardcoded-credentials]
 keyCache *ttlcache.Cache
 keyVersion uint64
 }
@@ -129,7 +129,7 @@ func newHashivaultClient(address, token, transitSecretEnginePath, keyResourceID
 transitSecretEnginePath = os.Getenv("TRANSIT_SECRET_ENGINE_PATH")
 }
 if transitSecretEnginePath == "" {
- transitSecretEnginePath = "transit"
+ transitSecretEnginePath = "transit" // lgtm[go/hardcoded-credentials]
 }
 hvClient := &hashivaultClient{
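Review bot: The `// lgtm[go/hardcoded-credentials]` suppressions on the `"transit"` default and on the `transitSecretEnginePath` struct field in the first hunk of this file give no reason, so a later reader cannot tell whether the alert was assessed or merely silenced. The value is a secrets-engine path (it is read from `TRANSIT_SECRET_ENGINE_PATH` and falls back to `"transit"`), not a credential, and the comment should say so, e.g. `transitSecretEnginePath = "transit" // lgtm[go/hardcoded-credentials] -- default transit mount path, not a secret`; the field presumably trips the query on its name alone, and a one-line comment there is preferable to a bare tag. Whether `lgtm[...]` comments are honored by the `github/codeql-action` analyze step rather than only by LGTM.com is not visible here and is worth confirming before relying on them to keep the newly enabled `security-and-quality` suite quiet. newHashivaultClient begins and ends outside the hunk.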