diff --git a/.golangci.yml b/.golangci.yml
index 15b99171..ff56f3ef 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,12 +1,11 @@
+version: "2"
+
 run:
-  timeout: 30m
+  modules-download-mode: vendor
   build-tags:
     - containers_image_openpgp
     - exclude_graphdriver_btrfs
     - exclude_graphdriver_devicemapper
-  # default uses Go version from the go.mod file, fallback on the env var
-  # `GOVERSION`, fallback on 1.17: https://golangci-lint.run/usage/configuration/#run-configuration
-  go: "1.23"
 
 linters:
   enable:
@@ -14,10 +13,7 @@ linters:
     - depguard
     - forbidigo
     - gocritic
-    - gofmt
-    - goimports
     - gosec
-    - gosimple
     - govet
     - ineffassign
     - makezero
@@ -27,79 +23,102 @@ linters:
     - revive
     - staticcheck
     - testifylint
-    - typecheck
     - unused
     - whitespace
-  disable-all: true
-
-linters-settings:
-  gocritic:
-    disabled-checks:
-      - "ifElseChain"
-      - "assignOp"
-      - "appendAssign"
-      - "singleCaseSwitch"
-      - "exitAfterDefer" # FIXME
-  importas:
-    alias:
-      - pkg: "github.com/opencontainers/image-spec/specs-go/v1"
-        alias: "ocispecs"
-      - pkg: "github.com/opencontainers/go-digest"
-        alias: "digest"
-  govet:
-    enable:
-      - nilness
-      - unusedwrite
-  depguard:
+  settings:
+    gocritic:
+      disabled-checks:
+        - "ifElseChain"
+        - "assignOp"
+        - "appendAssign"
+        - "singleCaseSwitch"
+    importas:
+      alias:
+        - pkg: "github.com/opencontainers/image-spec/specs-go/v1"
+          alias: "ocispecs"
+        - pkg: "github.com/opencontainers/go-digest"
+          alias: "digest"
+    govet:
+      enable:
+        - nilness
+        - unusedwrite
+    depguard:
+      rules:
+        main:
+          deny:
+            - pkg: "github.com/containerd/containerd/errdefs"
+              desc: The containerd errdefs package was migrated to a separate module. Use github.com/containerd/errdefs instead.
+            - pkg: "github.com/containerd/containerd/log"
+              desc: The containerd log package was migrated to a separate module. Use github.com/containerd/log instead.
+            - pkg: "github.com/containerd/containerd/platforms"
+              desc: The containerd platforms package was migrated to a separate module. Use github.com/containerd/platforms instead.
+            - pkg: "io/ioutil"
+              desc: The io/ioutil package has been deprecated.
+    forbidigo:
+      forbid:
+        - pattern: ^context\.WithCancel(# use context\.WithCancelCause instead)?$
+        - pattern: ^context\.WithDeadline(# use context\.WithDeadline instead)?$
+        - pattern: ^context\.WithTimeout(# use context\.WithTimeoutCause instead)?$
+        - pattern: ^ctx\.Err(# use context\.Cause instead)?$
+        - pattern: ^fmt\.Errorf(# use errors\.Errorf instead)?$
+        - pattern: ^platforms\.DefaultString(# use platforms\.Format(platforms\.DefaultSpec()) instead\.)?$
+    gosec:
+      excludes:
+        - G204
+        - G402
+        - G115
+      config:
+        G306: "0644"
+    testifylint:
+      disable:
+        - "empty"
+        - "bool-compare"
+        - "len"
+        - "negative-positive"
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
     rules:
-      main:
-        deny:
-          - pkg: "github.com/containerd/containerd/platforms"
-            desc: The containerd platforms package was migrated to a separate module. Use github.com/containerd/platforms instead.
-          - pkg: "io/ioutil"
-            desc: The io/ioutil package has been deprecated.
-  forbidigo:
-    forbid:
-      - '^fmt\.Errorf(# use errors\.Errorf instead)?$'
-      - '^platforms\.DefaultString(# use platforms\.Format(platforms\.DefaultSpec()) instead\.)?$'
-  gosec:
-    excludes:
-      - G204  # Audit use of command execution
-      - G402  # TLS MinVersion too low
-      - G115  # integer overflow conversion
-    config:
-      G306: "0644"
-  testifylint:
-    disable:
-      # disable rules that reduce the test condition
-      - "empty"
-      - "bool-compare"
-      - "len"
-      - "negative-positive"
+      -
+        linters:
+          - revive
+        text: stutters
+      -
+        linters:
+          - revive
+        text: empty-block
+      -
+        linters:
+          - revive
+        text: superfluous-else
+      -
+        linters:
+          - revive
+        text: unused-parameter
+      -
+        linters:
+          - revive
+        text: redefines-builtin-id
+      -
+        linters:
+          - revive
+        text: if-return
+    paths:
+      - .*\.pb\.go$
+
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  exclusions:
+    generated: lax
+    paths:
+      - .*\.pb\.go$
 
 issues:
-  exclude-files:
-    - ".*\\.pb\\.go$"
-  exclude-rules:
-    - linters:
-        - revive
-      text: "stutters"
-    - linters:
-        - revive
-      text: "empty-block"
-    - linters:
-        - revive
-      text: "superfluous-else"
-    - linters:
-        - revive
-      text: "unused-parameter"
-    - linters:
-        - revive
-      text: "redefines-builtin-id"
-    - linters:
-        - revive
-      text: "if-return"
-
-  # show all
   max-issues-per-linter: 0
   max-same-issues: 0
diff --git a/hack/lint.Dockerfile b/hack/lint.Dockerfile
index 1ababacf..10be9cd1 100644
--- a/hack/lint.Dockerfile
+++ b/hack/lint.Dockerfile
@@ -3,8 +3,8 @@
 ARG GO_VERSION="1.23"
 ARG XX_VERSION="1.6.1"
 ARG ALPINE_VERSION="3.21"
-ARG GOLANGCI_LINT_VERSION="v1.62.2"
-ARG GOLANGCI_FROM_SOURCE="false"
+ARG GOLANGCI_LINT_VERSION="v2.1.6"
+ARG GOLANGCI_FROM_SOURCE="true"
 
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx