diff --git a/internal/goenv/goenv.go b/internal/goenv/goenv.go
index 095e874..52d0f52 100644
--- a/internal/goenv/goenv.go
+++ b/internal/goenv/goenv.go
@@ -6,12 +6,14 @@ import (
 "strings"
 )
 
-func Read(varNames []string) (map[string]string, error) {
- out, err := exec.Command("go", append([]string{"env"}, varNames...)...).CombinedOutput()
+func Read() (map[string]string, error) {
+ // pass in a fixed set of var names to avoid needing to unescape output
+ // pass in literals here instead of a variable list to avoid security linter warnings about command injection
+ out, err := exec.Command("go", "env", "GOROOT", "GOPATH", "GOARCH", "GOOS", "CGO_ENABLED").CombinedOutput()
 if err != nil {
 return nil, err
 }
- return parseGoEnv(varNames, out)
+ return parseGoEnv([]string{"GOROOT", "GOPATH", "GOARCH", "GOOS", "CGO_ENABLED"}, out)
 }
 
 func parseGoEnv(varNames []string, data []byte) (map[string]string, error) {
diff --git a/ruleguard/engine.go b/ruleguard/engine.go
index cadc0dd..88feef9 100644
--- a/ruleguard/engine.go
+++ b/ruleguard/engine.go
@@ -248,7 +248,7 @@ func inferBuildContext() *build.Context {
 // Inherit most fields from the build.Default.
 ctx := build.Default
 
-env, err := goenv.Read([]string{"GOROOT", "GOPATH", "GOARCH", "GOOS", "CGO_ENABLED"})
+env, err := goenv.Read()
 if err != nil {
 return &ctx
 }
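Review bot: The variable list now appears twice in Read — once as literals in the exec.Command call and again in the parseGoEnv call — and parseGoEnv's signature (`varNames []string, data []byte`, body outside this hunk) together with the first new comment suggests it pairs output lines with names by position, so a later edit that adds or reorders a name in one list but not the other would silently attach values to the wrong keys; a comment on the parseGoEnv line such as `// must list exactly the names passed to exec.Command above, in the same order` makes that coupling visible. The second new comment records the motivation as a linter warning, but exec.Command does not invoke a shell, so the real exposure with a caller-supplied slice was that arbitrary arguments (including `go env` flags rather than variable names) reached the subprocess; I would reword it to state that the fixed literal argument list is what rules that out, rather than framing it as linter appeasement. Read is exported and has no doc comment after this change; add one above the signature, e.g. `// Read runs "go env" for a fixed set of variables (GOROOT, GOPATH, GOARCH, GOOS, CGO_ENABLED) and returns their values keyed by name.`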