diff --git a/cmd/tink-cli/cmd/hardware/push.go b/cmd/tink-cli/cmd/hardware/push.go
index e73bc160f..78ab0858d 100644
--- a/cmd/tink-cli/cmd/hardware/push.go
+++ b/cmd/tink-cli/cmd/hardware/push.go
@@ -9,6 +9,7 @@ import (
 "io/ioutil"
 "log"
 "os"
+ "path/filepath"
 "strings"
 "github.com/spf13/cobra"
@@ -84,7 +85,7 @@ func readDataFromStdin() string {
 }
 func readDataFromFile() string {
- f, err := os.Open(file)
+ f, err := os.Open(filepath.Clean(file))
 if err != nil {
 log.Fatal(err)
 }
diff --git a/cmd/tink-cli/cmd/template/create.go b/cmd/tink-cli/cmd/template/create.go
index f3df9ff5c..19d3b2fd6 100644
--- a/cmd/tink-cli/cmd/template/create.go
+++ b/cmd/tink-cli/cmd/template/create.go
@@ -7,6 +7,7 @@ import (
 "io/ioutil"
 "log"
 "os"
+ "path/filepath"
 "github.com/spf13/cobra"
 "github.com/tinkerbell/tink/client"
@@ -39,7 +40,7 @@ $ tink template create --file /tmp/example.tmpl
 if isInputFromPipe() {
 reader = os.Stdin
 } else {
- f, err := os.Open(filePath)
+ f, err := os.Open(filepath.Clean(filePath))
 if err != nil {
 log.Fatal(err)
 }
diff --git a/cmd/tink-worker/internal/worker.go b/cmd/tink-worker/internal/worker.go
index ab37908af..89723539f 100644
--- a/cmd/tink-worker/internal/worker.go
+++ b/cmd/tink-worker/internal/worker.go
@@ -9,6 +9,7 @@ import (
 "fmt"
 "io/ioutil"
 "os"
+ "path/filepath"
 "strconv"
 "strings"
 "time"
@@ -473,7 +474,7 @@ func sendUpdate(ctx context.Context, logger log.Logger, client pb.WorkflowServic
 }
 func openDataFile(wfDir string, l log.Logger) *os.File {
- f, err := os.OpenFile(wfDir+string(os.PathSeparator)+dataFile, os.O_RDWR|os.O_CREATE, 0644)
+ f, err := os.OpenFile(filepath.Clean(wfDir+string(os.PathSeparator)+dataFile), os.O_RDWR|os.O_CREATE, 0600)
 if err != nil {
 l.Error(err)
 os.Exit(1)
diff --git a/grpc-server/grpc_server.go b/grpc-server/grpc_server.go
index 3c83e0e4e..e971d5066 100644
--- a/grpc-server/grpc_server.go
+++ b/grpc-server/grpc_server.go
@@ -6,6 +6,7 @@ import (
 "io/ioutil"
 "net"
 "os"
+ "path/filepath"
 "strings"
 "sync"
 "time"
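Review bot: `filepath.Clean(file)` in readDataFromFile only normalises the path lexically, so a relative path with leading `..` elements or an absolute path passes through unchanged and the open is no more confined than before; the wrapper reads like an input check that it does not perform. The same applies to the `os.Open` call in the create.go hunk and to readHwData, readTemplateData and MustParseFromFile later in this commit. Here `file` appears to be a path the CLI user supplies under their own privileges, which would make this acceptable, but that should be recorded at the call, e.g. `// file is operator-supplied; Clean only normalises it and does not restrict where it points`. If any of these functions can receive a path from a less trusted source, the check needs to be a containment test against a base directory rather than Clean.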
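Review bot: The new mode `0600` in openDataFile takes effect only when `os.O_CREATE` actually creates the file, so a data file left over from an earlier run keeps its `0644` bits. If the tighter mode is the intent, apply it after the open as well, `if err := f.Chmod(0600); err != nil { l.Error(err); os.Exit(1) }`, and confirm that nothing else reading the workflow directory under a different uid depends on the old mode (not visible in this hunk). The path is also better built with `filepath.Join(wfDir, dataFile)`, which cleans its result and makes both the manual separator and the outer `filepath.Clean` unnecessary. The function body continues past the end of the hunk.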
@@ -110,7 +111,7 @@ func getCerts(facility string, logger log.Logger) (tls.Certificate, []byte, time
 certsDir += "/"
 }
- certFile, err := os.Open(certsDir + "bundle.pem")
+ certFile, err := os.Open(filepath.Clean(certsDir + "bundle.pem"))
 if err != nil {
 err = errors.Wrap(err, "failed to open TLS cert")
 logger.Error(err)
@@ -131,7 +132,7 @@ func getCerts(facility string, logger log.Logger) (tls.Certificate, []byte, time
 logger.Error(err)
 panic(err)
 }
- keyPEM, err := ioutil.ReadFile(certsDir + "server-key.pem")
+ keyPEM, err := ioutil.ReadFile(filepath.Clean(certsDir + "server-key.pem"))
 if err != nil {
 err = errors.Wrap(err, "failed to read TLS key")
 logger.Error(err)
diff --git a/test/framework/hardware.go b/test/framework/hardware.go
index 5510f7939..dcc006295 100644
--- a/test/framework/hardware.go
+++ b/test/framework/hardware.go
@@ -5,13 +5,14 @@ import (
 "encoding/json"
 "io/ioutil"
 "os"
+ "path/filepath"
 "github.com/tinkerbell/tink/client"
 "github.com/tinkerbell/tink/protos/hardware"
 )
 func readHwData(file string) ([]byte, error) {
- f, err := os.Open(file)
+ f, err := os.Open(filepath.Clean(file))
 if err != nil {
 return []byte(""), err
 }
diff --git a/test/framework/template.go b/test/framework/template.go
index 2d2a3cf8f..d1c9d3343 100644
--- a/test/framework/template.go
+++ b/test/framework/template.go
@@ -4,13 +4,14 @@ import (
 "context"
 "io/ioutil"
 "os"
+ "path/filepath"
 "github.com/tinkerbell/tink/client"
 "github.com/tinkerbell/tink/protos/template"
 )
 func readTemplateData(file string) (string, error) {
- f, err := os.Open(file)
+ f, err := os.Open(filepath.Clean(file))
 if err != nil {
 return "", err
 }
diff --git a/workflow/template_validator.go b/workflow/template_validator.go
index 864706b39..851ca626f 100644
--- a/workflow/template_validator.go
+++ b/workflow/template_validator.go
@@ -5,6 +5,7 @@ import (
 "encoding/json"
 "fmt"
 "io/ioutil"
+ "path/filepath"
 "text/template"
 "github.com/docker/distribution/reference"
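Review bot: In getCerts, `filepath.Clean(certsDir + "bundle.pem")` and, in the second hunk, `filepath.Clean(certsDir + "server-key.pem")` still depend on the `certsDir += "/"` fix-up visible at the top of the first hunk; `filepath.Join(certsDir, "bundle.pem")` and `filepath.Join(certsDir, "server-key.pem")` give the same cleaned path for a non-empty directory without the string concatenation. Clean does not limit where `certsDir` may point, and its origin is outside the hunk, so if the directory comes from trusted deployment configuration a short comment saying so would record why the private-key read needs no further check. getCerts starts before and ends after both hunks.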
@@ -52,7 +53,7 @@ func MustParse(yamlContent []byte) *Workflow {
 // MustParseFromFile parse a template from a file and it panics if any error is
 // detected. Ideal to be used in testing.
 func MustParseFromFile(path string) *Workflow {
- content, err := ioutil.ReadFile(path)
+ content, err := ioutil.ReadFile(filepath.Clean(path))
 if err != nil {
 panic(err)
 }