diff --git a/.golangci.yml b/.golangci.yml
index 677514bce2..870c4e96d3 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -21,6 +21,7 @@ linters:
     - depguard
     - gosec
     - gocritic
+    - nilnesserr
     - govet
     - ineffassign
     - revive
@@ -37,6 +38,9 @@ linters:
           deny:
             - pkg: github.com/pkg/errors
               desc: "use ctxerr if a context.Context is available or stdlib errors.New / fmt.Errorf with the %w verb"
+    govet:
+      enable:
+        - nilness
 
     errcheck:
       check-type-assertions: false
diff --git a/cmd/fleetctl/fleetctl/api.go b/cmd/fleetctl/fleetctl/api.go
index 9cbbf9ab63..96b68df775 100644
--- a/cmd/fleetctl/fleetctl/api.go
+++ b/cmd/fleetctl/fleetctl/api.go
@@ -394,7 +394,8 @@ func parseBodyFlags(flBody []string) (body any, headers map[string]string, err e
 				case '@':
 					// do a multipart file upload
 					if fileWriter, err := multipartWriter.CreateFormFile(k, path.Base(v[1:])); err == nil {
-						if fp, err := os.Open(v[1:]); err == nil {
+						fp, err := os.Open(v[1:])
+						if err == nil {
 							defer fp.Close()
 							_, err = io.Copy(fileWriter, fp)
 							if err != nil {
diff --git a/cmd/fleetctl/fleetctl/user.go b/cmd/fleetctl/fleetctl/user.go
index 454d95d5c6..e9462cfba2 100644
--- a/cmd/fleetctl/fleetctl/user.go
+++ b/cmd/fleetctl/fleetctl/user.go
@@ -236,13 +236,13 @@ func createBulkUsersCommand() *cli.Command {
 				globalRoleString := record[4]
 				teamStrings := strings.Split(record[5], " ")
 				if ssoErr != nil {
-					return fmt.Errorf("SSO is not a vailed Boolean value: %w", err)
+					return fmt.Errorf("SSO is not a vailed Boolean value: %w", ssoErr)
 				}
 				if apiErr != nil {
-					return fmt.Errorf("API Only is not a vailed Boolean value: %w", err)
+					return fmt.Errorf("API Only is not a vailed Boolean value: %w", apiErr)
 				}
 				if passErr != nil {
-					return fmt.Errorf("not able to generate a random password: %w", err)
+					return fmt.Errorf("not able to generate a random password: %w", passErr)
 				}
 
 				var globalRole *string
diff --git a/ee/fleetctl/updates.go b/ee/fleetctl/updates.go
index 787c5b5217..c85cc84275 100644
--- a/ee/fleetctl/updates.go
+++ b/ee/fleetctl/updates.go
@@ -781,16 +781,15 @@ func (p *passphraseHandler) checkPassphrase(store tuf.LocalStore, role string) e
 			// error as we do currently.
 			if ctxerr.Cause(err).Error() != decryptionFailedError {
 				return err
-			} else if err != nil {
-				if p.getPassphraseFromEnv(role) != nil {
-					// Fatal error if environment variable passphrase is
-					// incorrect
-					return fmt.Errorf("%s passphrase from %s is invalid", role, p.passphraseEnvName(role))
-				}
-
-				fmt.Printf("Failed to decrypt %s key. Try again.\n", role)
-				delete(p.cache, role)
 			}
+			if p.getPassphraseFromEnv(role) != nil {
+				// Fatal error if environment variable passphrase is
+				// incorrect
+				return fmt.Errorf("%s passphrase from %s is invalid", role, p.passphraseEnvName(role))
+			}
+
+			fmt.Printf("Failed to decrypt %s key. Try again.\n", role)
+			delete(p.cache, role)
 			continue
 		} else if len(keys) == 0 {
 			return fmt.Errorf("%s key not found", role)
diff --git a/orbit/pkg/packaging/windows.go b/orbit/pkg/packaging/windows.go
index 9a3630c990..d236b45f66 100644
--- a/orbit/pkg/packaging/windows.go
+++ b/orbit/pkg/packaging/windows.go
@@ -546,7 +546,7 @@ func extractZipFile(archiveReader *zip.File, destPath string) error {
 		}
 	} else {
 		// Create all needed directories
-		if os.MkdirAll(filepath.Dir(finalPath), 0o755) != nil {
+		if err := os.MkdirAll(filepath.Dir(finalPath), 0o755); err != nil {
 			return fmt.Errorf("could not create directory %s: %w", filepath.Dir(finalPath), err)
 		}
 
diff --git a/server/mdm/nanodep/storage/mysql/mysql.go b/server/mdm/nanodep/storage/mysql/mysql.go
index a1a8f53fb1..6d255637d3 100644
--- a/server/mdm/nanodep/storage/mysql/mysql.go
+++ b/server/mdm/nanodep/storage/mysql/mysql.go
@@ -115,9 +115,6 @@ WHERE
 	if !consumerKey.Valid { // all auth token fields are set together
 		return nil, storage.ErrNotFound
 	}
-	if err != nil {
-		return nil, err
-	}
 	return &client.OAuth1Tokens{
 		ConsumerKey:       consumerKey.String,
 		ConsumerSecret:    consumerSecret.String,
diff --git a/server/service/apple_mdm.go b/server/service/apple_mdm.go
index 3647f676e9..42a505db1e 100644
--- a/server/service/apple_mdm.go
+++ b/server/service/apple_mdm.go
@@ -7071,10 +7071,7 @@ func (svc *Service) MDMAppleProcessOTAEnrollment(
 // EnsureMDMAppleServiceDiscovery checks if the service discovery URL is set up correctly with Apple
 // and assigns it if necessary.
 func EnsureMDMAppleServiceDiscovery(ctx context.Context, ds fleet.Datastore, depStorage storage.AllDEPStorage, logger kitlog.Logger, urlPrefix string) error {
-	var depSvc *apple_mdm.DEPService
-	if depSvc == nil {
-		depSvc = apple_mdm.NewDEPService(ds, depStorage, logger)
-	}
+	depSvc := apple_mdm.NewDEPService(ds, depStorage, logger)
 
 	ac, err := ds.AppConfig(ctx)
 	if err != nil {
diff --git a/server/service/hosts.go b/server/service/hosts.go
index 7b28b5b3c4..a76292d9bc 100644
--- a/server/service/hosts.go
+++ b/server/service/hosts.go
@@ -1784,12 +1784,11 @@ func (svc *Service) MacadminsData(ctx context.Context, id uint) (*fleet.Macadmin
 	}
 
 	var munkiIssues []*fleet.HostMunkiIssue
-	switch issues, err := svc.ds.GetHostMunkiIssues(ctx, id); {
-	case err != nil:
+	issues, err := svc.ds.GetHostMunkiIssues(ctx, id)
+	if err != nil {
 		return nil, err
-	case err == nil:
-		munkiIssues = issues
 	}
+	munkiIssues = issues
 
 	if munkiInfo == nil && mdm == nil && len(munkiIssues) == 0 {
 		return nil, nil
diff --git a/server/service/team_policies.go b/server/service/team_policies.go
index 021a6e272e..ac8832f151 100644
--- a/server/service/team_policies.go
+++ b/server/service/team_policies.go
@@ -677,7 +677,7 @@ func (svc *Service) modifyPolicy(ctx context.Context, teamID *uint, id uint, p f
 	}
 
 	// Add a special case for handling "No Team" (teamID = 0) in ModifyTeamPolicy
-	if teamID != nil && *teamID == 0 {
+	if *teamID == 0 {
 		noTeamID := int64(0)
 		if err := svc.NewActivity(
 			ctx,
@@ -698,7 +698,7 @@ func (svc *Service) modifyPolicy(ctx context.Context, teamID *uint, id uint, p f
 	// rollback an action in the event of an error writing the associated activity
 
 	var teamName *string
-	if teamID != nil && *teamID != 0 {
+	if *teamID != 0 {
 		if svc.EnterpriseOverrides != nil && svc.EnterpriseOverrides.TeamByIDOrName != nil {
 			team, err := svc.EnterpriseOverrides.TeamByIDOrName(ctx, teamID, nil)
 			if err != nil {
@@ -710,10 +710,8 @@ func (svc *Service) modifyPolicy(ctx context.Context, teamID *uint, id uint, p f
 
 	// Convert *uint to *int64 for the activity
 	var activityTeamID *int64
-	if teamID != nil {
-		teamIDInt64 := int64(*teamID)
-		activityTeamID = &teamIDInt64
-	}
+	teamIDInt64 := int64(*teamID)
+	activityTeamID = &teamIDInt64
 
 	if err := svc.NewActivity(
 		ctx,
diff --git a/tools/tuf/download-artifacts/download-artifacts.go b/tools/tuf/download-artifacts/download-artifacts.go
index 545b088443..0252817569 100644
--- a/tools/tuf/download-artifacts/download-artifacts.go
+++ b/tools/tuf/download-artifacts/download-artifacts.go
@@ -230,7 +230,7 @@ func extractZipFile(archiveReader *zip.File, destPath string) error {
 		}
 	} else {
 		// Create all needed directories
-		if os.MkdirAll(filepath.Dir(finalPath), 0o755) != nil {
+		if err := os.MkdirAll(filepath.Dir(finalPath), 0o755); err != nil {
 			return fmt.Errorf("could not create directory %s: %w", filepath.Dir(finalPath), err)
 		}