diff --git a/changelog.yaml b/changelog.yaml
index cda09aee..535bad2f 100644
--- a/changelog.yaml
+++ b/changelog.yaml
@@ -52,6 +52,13 @@
   date: TBD
   changes:
 
+  - type: internal
+    impact: patch
+    title: Fixed checkmarx scan
+    description: |-
+      The checkmarks scan reported some low findings which are fixed now.
+    pullRequestNumber: 223
+
   - type: security
     impact: patch
     title: Update JFR image to 210413_777e270 with secure agent protocols
diff --git a/pkg/k8s/pipelineRun.go b/pkg/k8s/pipelineRun.go
index 5f097078..8feae70d 100644
--- a/pkg/k8s/pipelineRun.go
+++ b/pkg/k8s/pipelineRun.go
@@ -285,7 +285,8 @@ func (r *pipelineRun) HasDeletionTimestamp() bool {
 func (r *pipelineRun) AddFinalizer() error {
 	changed, finalizerList := utils.AddStringIfMissing(r.apiObj.ObjectMeta.Finalizers, FinalizerName)
 	if changed {
-		r.updateFinalizers(finalizerList)
+		err := r.updateFinalizers(finalizerList)
+		return err
 	}
 	return nil
 }
diff --git a/pkg/runctl/controller.go b/pkg/runctl/controller.go
index cfa9a9c0..e5122e63 100644
--- a/pkg/runctl/controller.go
+++ b/pkg/runctl/controller.go
@@ -300,7 +300,10 @@ func (c *Controller) syncHandler(key string) error {
 
 	// As soon as we have a result we can cleanup
 	if pipelineRun.GetStatus().Result != api.ResultUndefined && pipelineRun.GetStatus().State != api.StateCleaning {
-		c.changeState(pipelineRun, api.StateCleaning)
+		err = c.changeState(pipelineRun, api.StateCleaning)
+		if err != nil {
+			klog.V(1).Infof("WARN: change state to cleaning failed with: %s", err.Error())
+		}
 	}
 
 	if pipelineRun.GetStatus().State == api.StateNew {
diff --git a/pkg/runctl/run_manager.go b/pkg/runctl/run_manager.go
index 536682f1..57feaa98 100644
--- a/pkg/runctl/run_manager.go
+++ b/pkg/runctl/run_manager.go
@@ -145,7 +145,7 @@ func (c *runManager) prepareRunNamespace(ctx *runContext) error {
 	// If something goes wrong while creating objects inside the namespaces, we delete everything.
 	cleanupOnError := func() {
 		if err != nil {
-			c.cleanup(ctx)
+			c.cleanup(ctx) // clean-up ignoring error
 		}
 	}
 	defer cleanupOnError()
@@ -506,7 +506,10 @@ func (c *runManager) createTektonTaskRun(ctx *runContext) error {
 		},
 	}
 	c.addTektonTaskRunParamsForJenkinsfileRunnerImage(ctx, &tektonTaskRun)
-	c.addTektonTaskRunParamsForPipeline(ctx, &tektonTaskRun)
+	err = c.addTektonTaskRunParamsForPipeline(ctx, &tektonTaskRun)
+	if err != nil {
+		return serrors.Classify(err, stewardv1alpha1.ResultErrorConfig)
+	}
 	err = c.addTektonTaskRunParamsForLoggingElasticsearch(ctx, &tektonTaskRun)
 	if err != nil {
 		return serrors.Classify(err, stewardv1alpha1.ResultErrorConfig)
diff --git a/pkg/tenantctl/controller.go b/pkg/tenantctl/controller.go
index 30e93f8b..18145ac0 100644
--- a/pkg/tenantctl/controller.go
+++ b/pkg/tenantctl/controller.go
@@ -208,7 +208,7 @@ func (c *Controller) syncHandler(key string) error {
 		if err != nil {
 			return err
 		}
-		tenant, err = c.removeFinalizerAndUpdate(tenant)
+		_, err = c.removeFinalizerAndUpdate(tenant)
 		if err == nil {
 			c.syncCount++
 		}
@@ -226,7 +226,7 @@ func (c *Controller) syncHandler(key string) error {
 	if !equality.Semantic.DeepEqual(origTenant.Status, tenant.Status) {
 		if _, err := c.updateStatus(tenant); err != nil {
 			if !c.isInitialized(origTenant) && c.isInitialized(tenant) {
-				c.deleteTenantNamespace(tenant.Status.TenantNamespaceName, tenant, config)
+				c.deleteTenantNamespace(tenant.Status.TenantNamespaceName, tenant, config) // clean-up ignoring error
 			}
 			return err
 		}
@@ -259,7 +259,7 @@ func (c *Controller) reconcileUninitialized(config clientConfig, tenant *api.Ten
 
 	nsName, err := c.createTenantNamespace(config, tenant)
 	if err != nil {
-		condMsg := fmt.Sprintf("Failed to create a new tenant namespace.")
+		condMsg := "Failed to create a new tenant namespace."
 		tenant.Status.SetCondition(&knativeapis.Condition{
 			Type:    knativeapis.ConditionReady,
 			Status:  corev1.ConditionFalse,
@@ -271,7 +271,7 @@ func (c *Controller) reconcileUninitialized(config clientConfig, tenant *api.Ten
 
 	_, err = c.reconcileTenantRoleBinding(tenant, nsName, config)
 	if err != nil {
-		condMsg := fmt.Sprintf("Failed to initialize a new tenant namespace because the RoleBinding could not be created.")
+		condMsg := "Failed to initialize a new tenant namespace because the RoleBinding could not be created."
 		tenant.Status.SetCondition(&knativeapis.Condition{
 			Type:    knativeapis.ConditionReady,
 			Status:  corev1.ConditionFalse,