diff --git a/.envrc b/.envrc
index c8a98ce..e365235 100644
--- a/.envrc
+++ b/.envrc
@@ -3,6 +3,8 @@
 # SPDX-License-Identifier: Apache-2.0
 if type -P lorri &>/dev/null; then
   eval "$(lorri direnv)"
-else
+elif type -P nix &>/dev/null; then
   use nix
+else
+  echo "Found no nix binary. Skipping activating nix-shell..."
 fi
diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
index 1a19633..3ebcd3f 100644
--- a/.github/workflows/checks.yaml
+++ b/.github/workflows/checks.yaml
@@ -29,7 +29,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           check-latest: true
-          go-version: 1.23.4
+          go-version: 1.23.5
       - name: Run golangci-lint
         uses: golangci/golangci-lint-action@v6
         with:
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 97b17a4..3e7d41e 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -32,7 +32,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           check-latest: true
-          go-version: 1.23.4
+          go-version: 1.23.5
       - name: Build all binaries
         run: make build-all
   test:
@@ -47,6 +47,6 @@ jobs:
         uses: actions/setup-go@v5
         with:
           check-latest: true
-          go-version: 1.23.4
+          go-version: 1.23.5
       - name: Run tests and generate coverage report
         run: make build/cover.out
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
index 09e243c..ec0edea 100644
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
@@ -32,7 +32,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           check-latest: true
-          go-version: 1.23.4
+          go-version: 1.23.5
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3
         with:
diff --git a/.license-scan-overrides.jsonl b/.license-scan-overrides.jsonl
index 29aac5c..1f9f46d 100644
--- a/.license-scan-overrides.jsonl
+++ b/.license-scan-overrides.jsonl
@@ -1,6 +1,7 @@
 {"name": "github.com/chzyer/logex", "licenceType": "MIT"}
 {"name": "github.com/hashicorp/vault/api/auth/approle", "licenceType": "MPL-2.0"}
 {"name": "github.com/jpillora/longestcommon", "licenceType": "MIT"}
+{"name": "github.com/miekg/dns", "licenceType": "BSD-3-Clause"}
 {"name": "github.com/spdx/tools-golang", "licenceTextOverrideFile": "vendor/github.com/spdx/tools-golang/LICENSE.code"}
 {"name": "github.com/xeipuuv/gojsonpointer", "licenceType": "Apache-2.0"}
 {"name": "github.com/xeipuuv/gojsonreference", "licenceType": "Apache-2.0"}
diff --git a/.license-scan-rules.json b/.license-scan-rules.json
index e584e9d..58cb0df 100644
--- a/.license-scan-rules.json
+++ b/.license-scan-rules.json
@@ -2,10 +2,12 @@
   "allowlist": [
     "Apache-2.0",
     "BSD-2-Clause",
+    "BSD-2-Clause-FreeBSD",
     "BSD-3-Clause",
     "ISC",
     "MIT",
     "MPL-2.0",
-    "Unlicense"
+    "Unlicense",
+    "Zlib"
   ]
 }
diff --git a/Dockerfile b/Dockerfile
index f6a8e7a..fec4597 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.23.4-alpine3.21 AS builder
+FROM golang:1.23.5-alpine3.21 AS builder
 
 RUN apk add --no-cache --no-progress ca-certificates gcc git make musl-dev
 
@@ -16,7 +16,7 @@ RUN addgroup -g 4200 appgroup \
 # upgrade all installed packages to fix potential CVEs in advance
 # also remove apk package manager to hopefully remove dependency on OpenSSL 🤞
 RUN apk upgrade --no-cache --no-progress \
-  && apk del --no-cache --no-progress apk-tools alpine-keys
+  && apk del --no-cache --no-progress apk-tools alpine-keys alpine-release libc-utils
 
 COPY --from=builder /etc/ssl/certs/ /etc/ssl/certs/
 COPY --from=builder /etc/ssl/cert.pem /etc/ssl/cert.pem
diff --git a/Makefile b/Makefile
index 2bd63fc..74a2d78 100644
--- a/Makefile
+++ b/Makefile
@@ -109,6 +109,10 @@ check-dependency-licenses: FORCE install-go-licence-detector
 	@printf "\e[1;36m>> go-licence-detector\e[0m\n"
 	@go list -m -mod=readonly -json all | go-licence-detector -includeIndirect -rules .license-scan-rules.json -overrides .license-scan-overrides.jsonl
 
+goimports: FORCE
+	@printf "\e[1;36m>> goimports -w -local https://github.com/sapcc/argora\e[0m\n"
+	@goimports -w -local github.com/sapcc/tf-registry $(patsubst $(shell awk '$$1 == "module" {print $$2}' go.mod)%,.%/*.go,$(shell go list ./...))
+
 clean: FORCE
 	git clean -dxf build
 
@@ -157,6 +161,7 @@ help: FORCE
 	@printf "  \e[36mlicense-headers\e[0m              Add license headers to all non-vendored source code files.\n"
 	@printf "  \e[36mcheck-license-headers\e[0m        Check license headers in all non-vendored .go files.\n"
 	@printf "  \e[36mcheck-dependency-licenses\e[0m    Check all dependency licenses using go-licence-detector.\n"
+	@printf "  \e[36mgoimports\e[0m                    Run goimports on all non-vendored .go files\n"
 	@printf "  \e[36mclean\e[0m                        Run git clean.\n"
 
 .PHONY: FORCE