diff --git a/Makefile b/Makefile index fc7d93d30c5..dab5829496d 100644 --- a/Makefile +++ b/Makefile @@ -25,6 +25,7 @@ TELEPORT_DEBUG ?= no GITTAG=v$(VERSION) BUILDFLAGS ?= $(ADDFLAGS) -ldflags '-w -s' CGOFLAG ?= CGO_ENABLED=1 +GO_LINTERS ?= "unused,govet,typecheck,deadcode,goimports" OS ?= $(shell go env GOOS) ARCH ?= $(shell go env GOARCH) @@ -219,8 +220,10 @@ lint: --disable-all \ --exclude-use-default \ --skip-dirs vendor \ + --uniq-by-line=false \ + --max-same-issues=0 \ --max-issues-per-linter 0 \ - --enable unused \ + --enable $(GO_LINTERS) \ $(FLAGS) # This rule triggers re-generation of version.go and gitref.go if Makefile changes diff --git a/integration/helpers.go b/integration/helpers.go index 3db2900f416..e02195b905b 100644 --- a/integration/helpers.go +++ b/integration/helpers.go @@ -26,7 +26,6 @@ import ( "io/ioutil" "net" "net/http" - "net/url" "os" "os/exec" "os/user" @@ -57,7 +56,6 @@ import ( "github.com/gravitational/teleport/lib/tlsca" "github.com/gravitational/teleport/lib/utils" - "github.com/gravitational/roundtrip" "github.com/gravitational/trace" "github.com/jonboulle/clockwork" log "github.com/sirupsen/logrus" @@ -1418,24 +1416,6 @@ func closeAgent(teleAgent *teleagent.AgentServer, socketDirPath string) error { return nil } -// createWebClient builds a *client.WebClient that is used to simulate -// browser requests. -func createWebClient(cluster *TeleInstance, opts ...roundtrip.ClientParam) (*client.WebClient, error) { - // Craft URL to Web UI. - u := &url.URL{ - Scheme: "https", - Host: cluster.Config.Proxy.WebAddr.Addr, - } - - opts = append(opts, roundtrip.HTTPClient(client.NewInsecureWebClient())) - wc, err := client.NewWebClient(u.String(), opts...) - if err != nil { - return nil, trace.Wrap(err) - } - - return wc, nil -} - func fatalIf(err error) { if err != nil { log.Fatalf("%v at %v", string(debug.Stack()), err) diff --git a/lib/auth/auth_with_roles.go b/lib/auth/auth_with_roles.go index d7dda7f49c7..b16e75aa48f 100644 
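Review bot: The double quotes in `GO_LINTERS ?= "unused,govet,typecheck,deadcode,goimports"` become part of the Make variable's value, and the list only reaches golangci-lint unquoted because the shell strips them at `--enable $(GO_LINTERS)` in the lint recipe (second Makefile hunk). An override from the command line or environment will not carry those quotes, so the quoting belongs at the point of use: `GO_LINTERS ?= unused,govet,typecheck,deadcode,goimports` with `--enable "$(GO_LINTERS)" \` in the recipe. A one-line comment above the variable, such as `# Comma-separated golangci-lint linters run by 'make lint'; override with GO_LINTERS=...`, would also document the new knob.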
--- a/lib/auth/auth_with_roles.go +++ b/lib/auth/auth_with_roles.go @@ -1091,7 +1091,7 @@ func (a *AuthWithRoles) CreateResetPasswordToken(ctx context.Context, req Create a.EmitAuditEvent(events.ResetPasswordTokenCreated, events.EventFields{ events.ResetPasswordTokenFor: req.Name, events.ResetPasswordTokenTTL: req.TTL.String(), - events.EventUser: a.user.GetName(), + events.EventUser: a.user.GetName(), }) return a.authServer.CreateResetPasswordToken(ctx, req) diff --git a/lib/auth/init_test.go b/lib/auth/init_test.go index 84e895e1023..660c5a49fa7 100644 --- a/lib/auth/init_test.go +++ b/lib/auth/init_test.go @@ -21,6 +21,7 @@ import ( "fmt" "io/ioutil" "os" + "testing" "time" "golang.org/x/crypto/ssh" @@ -34,7 +35,6 @@ import ( "github.com/gravitational/trace" . "gopkg.in/check.v1" - "testing" ) type AuthInitSuite struct { diff --git a/lib/auth/mocku2f/mocku2f.go b/lib/auth/mocku2f/mocku2f.go index bc4777c2708..f3d2456f76c 100644 --- a/lib/auth/mocku2f/mocku2f.go +++ b/lib/auth/mocku2f/mocku2f.go @@ -37,15 +37,15 @@ import ( "strings" "time" - "github.com/tstranex/u2f" "github.com/gravitational/trace" + "github.com/tstranex/u2f" ) type Key struct { - keyHandle []byte + keyHandle []byte privatekey *ecdsa.PrivateKey - cert []byte - counter uint32 + cert []byte + counter uint32 } // The "websafe-base64 encoding" in the U2F specifications removes the padding 
@@ -71,12 +71,12 @@ func selfSignPublicKey(keyToSign *ecdsa.PublicKey) (cert []byte, err error) { Subject: pkix.Name{ Organization: []string{"Test CA"}, }, - NotBefore: time.Now(), - NotAfter: time.Now().Add(time.Hour), - KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, - ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, + NotBefore: time.Now(), + NotAfter: time.Now().Add(time.Hour), + KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, + ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, BasicConstraintsValid: true, - IsCA: true, + IsCA: true, } cert, err = x509.CreateCertificate(rand.Reader, &template, &template, keyToSign, caPrivateKey) if err != nil { @@ -110,10 +110,10 @@ func CreateWithKeyHandle(keyHandle []byte) (*Key, error) { } return &Key{ - keyHandle: keyHandle, + keyHandle: keyHandle, privatekey: privatekey, - cert: cert, - counter: 1, + cert: cert, + counter: 1, }, nil } @@ -121,9 +121,9 @@ func (muk *Key) RegisterResponse(req *u2f.RegisterRequest) (*u2f.RegisterRespons appIDHash := sha256.Sum256([]byte(req.AppID)) clientData := u2f.ClientData{ - Typ: "navigator.id.finishEnrollment", + Typ: "navigator.id.finishEnrollment", Challenge: req.Challenge, - Origin: req.AppID, + Origin: req.AppID, } clientDataJson, err := json.Marshal(clientData) if err != nil { @@ -134,7 +134,7 @@ func (muk *Key) RegisterResponse(req *u2f.RegisterRequest) (*u2f.RegisterRespons marshalledPublickey := elliptic.Marshal(elliptic.P256(), muk.privatekey.PublicKey.X, muk.privatekey.PublicKey.Y) var dataToSign []byte - dataToSign = append(dataToSign[:], []byte{ 0 }[:]...) + dataToSign = append(dataToSign[:], 0) dataToSign = append(dataToSign[:], appIDHash[:]...) dataToSign = append(dataToSign[:], clientDataHash[:]...) dataToSign = append(dataToSign[:], muk.keyHandle[:]...) 
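Review bot: The rewritten line `dataToSign = append(dataToSign[:], 0)` in the last hunk here (RegisterResponse, -134) still re-slices the destination for no effect, and the leading zero has no comment, unlike the `5 // fixed by specification` byte further down. In the U2F registration signature base this is the reserved 0x00 byte, so I would write `dataToSign = append(dataToSign, 0) // reserved byte, fixed by specification`. The surrounding context lines keep the same redundant `dataToSign[:]` form and could be cleaned up in the same pass. RegisterResponse starts and ends outside this hunk.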
@@ -149,16 +149,16 @@ func (muk *Key) RegisterResponse(req *u2f.RegisterRequest) (*u2f.RegisterRespons } var regData []byte - regData = append(regData, []byte{ 5 }[:]...) // fixed by specification + regData = append(regData, 5) // fixed by specification regData = append(regData, marshalledPublickey[:]...) - regData = append(regData, []byte{ byte(len(muk.keyHandle)) }[:]...) + regData = append(regData, byte(len(muk.keyHandle))) regData = append(regData, muk.keyHandle[:]...) regData = append(regData, muk.cert[:]...) regData = append(regData, sig[:]...) return &u2f.RegisterResponse{ RegistrationData: encodeBase64(regData), - ClientData: encodeBase64(clientDataJson), + ClientData: encodeBase64(clientDataJson), }, nil } @@ -178,9 +178,9 @@ func (muk *Key) SignResponse(req *u2f.SignRequest) (*u2f.SignResponse, error) { muk.counter += 1 clientData := u2f.ClientData{ - Typ: "navigator.id.getAssertion", + Typ: "navigator.id.getAssertion", Challenge: req.Challenge, - Origin: req.AppID, + Origin: req.AppID, } clientDataJson, err := json.Marshal(clientData) if err != nil { @@ -190,7 +190,7 @@ func (muk *Key) SignResponse(req *u2f.SignRequest) (*u2f.SignResponse, error) { var dataToSign []byte dataToSign = append(dataToSign, appIDHash[:]...) - dataToSign = append(dataToSign, []byte{ 1 }[:]...) // user presence + dataToSign = append(dataToSign, 1) // user presence dataToSign = append(dataToSign, counterBytes[:]...) dataToSign = append(dataToSign, clientDataHash[:]...) 
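Review bot: `byte(len(muk.keyHandle))` in the -149 hunk silently truncates the length when the key handle is longer than 255 bytes. The length prefix would then disagree with the handle bytes appended on the next line and the registration data would be malformed without any error. The handle comes from the caller of CreateWithKeyHandle, so a guard before building regData keeps the mock honest: `if len(muk.keyHandle) > 255 { return nil, trace.BadParameter("key handle is %d bytes, maximum is 255", len(muk.keyHandle)) }`. The same check could instead live in CreateWithKeyHandle, which is outside this hunk, as is the start of RegisterResponse.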
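Review bot: The user-presence byte is now a bare literal in two places that must stay identical: `dataToSign = append(dataToSign, 1)` in the -178 hunk and `signData = append(signData, 1)` in the -203 hunk. The signature is computed over the first, while the relying party reads the second from the response, so changing one without the other produces a signature that never verifies. A shared name removes that coupling, e.g. `const userPresenceFlag = 1 // user presence asserted` used in both appends. SignResponse begins before the -178 hunk and continues past it.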
@@ -203,18 +203,17 @@ func (muk *Key) SignResponse(req *u2f.SignRequest) (*u2f.SignResponse, error) { } var signData []byte - signData = append(signData, []byte{ 1 }[:]...) // user presence + signData = append(signData, 1) // user presence signData = append(signData, counterBytes[:]...) signData = append(signData, sig[:]...) return &u2f.SignResponse{ - KeyHandle: req.KeyHandle, + KeyHandle: req.KeyHandle, SignatureData: encodeBase64(signData), - ClientData: encodeBase64(clientDataJson), + ClientData: encodeBase64(clientDataJson), }, nil } func (muk *Key) SetCounter(counter uint32) { muk.counter = counter } - diff --git a/lib/auth/native/native.go b/lib/auth/native/native.go index fe047870632..20b1f2ca9e5 100644 --- a/lib/auth/native/native.go +++ b/lib/auth/native/native.go @@ -310,12 +310,6 @@ func (k *Keygen) GenerateUserCert(c services.UserCertParams) ([]byte, error) { return ssh.MarshalAuthorizedKey(cert), nil } -const ( - principalLocalhost = "localhost" - principalLoopbackV4 = "127.0.0.1" - principalLoopbackV6 = "::1" -) - // BuildPrincipals takes a hostID, nodeName, clusterName, and role and builds a list of // principals to insert into a certificate. This function is backward compatible with // older clients which means: diff --git a/lib/reversetunnel/srv.go b/lib/reversetunnel/srv.go index 1c1ef4e8339..997b0af369a 100644 --- a/lib/reversetunnel/srv.go +++ b/lib/reversetunnel/srv.go @@ -968,7 +968,6 @@ const ( extCertType = "certtype@teleport" extAuthority = "auth@teleport" extCertTypeHost = "host" - extCertTypeUser = "user" extCertRole = "role" versionRequest = "x-teleport-version" diff --git a/lib/service/supervisor.go b/lib/service/supervisor.go index bb561e6747e..0165ff64232 100644 --- a/lib/service/supervisor.go +++ b/lib/service/supervisor.go 
@@ -145,6 +145,7 @@ func NewSupervisor(id string) Supervisor { reloadContext, signalReload := context.WithCancel(context.TODO()) srv := &LocalSupervisor{ + state: stateCreated, id: id, services: []Service{}, wg: &sync.WaitGroup{}, diff --git a/lib/services/local/presence_test.go b/lib/services/local/presence_test.go index 65a79078565..1ea0bed4953 100644 --- a/lib/services/local/presence_test.go +++ b/lib/services/local/presence_test.go @@ -19,6 +19,7 @@ package local import ( "context" "fmt" + "testing" "github.com/gravitational/teleport/lib/backend" "github.com/gravitational/teleport/lib/backend/lite" @@ -28,7 +29,6 @@ import ( "github.com/gravitational/trace" "gopkg.in/check.v1" - "testing" ) type PresenceSuite struct { diff --git a/lib/services/suite/suite.go b/lib/services/suite/suite.go index c5fa4ebe9de..333f08f3b23 100644 --- a/lib/services/suite/suite.go +++ b/lib/services/suite/suite.go @@ -1426,6 +1426,7 @@ skiploop: } for _, tc := range testCases { + c.Logf("test case %q", tc.name) resource := tc.crud() ExpectResource(c, w, 3*time.Second, resource) diff --git a/lib/sshutils/signer.go b/lib/sshutils/signer.go index ccc54420b9c..1746cd4df76 100644 --- a/lib/sshutils/signer.go +++ b/lib/sshutils/signer.go @@ -18,6 +18,7 @@ package sshutils import ( "crypto" + "golang.org/x/crypto/ssh" "github.com/gravitational/trace" diff --git a/lib/tlsca/parsegen.go b/lib/tlsca/parsegen.go index b5d10544764..98f67744505 100644 --- a/lib/tlsca/parsegen.go +++ b/lib/tlsca/parsegen.go @@ -71,8 +71,8 @@ func GenerateSelfSignedCAWithPrivateKey(priv *rsa.PrivateKey, entity pkix.Name, NotAfter: notAfter, KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true, - IsCA: true, - DNSNames: dnsNames, + IsCA: true, + DNSNames: dnsNames, } derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv) 
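Review bot: The added `state: stateCreated,` in NewSupervisor carries no comment, and the hunk does not show whether `stateCreated` is the zero value of the state field. If it is, the line changes nothing at runtime and presumably exists only so the newly enabled `unused`/`deadcode` linters see the constant referenced. A short comment would say so, for example `// explicit initial state; also keeps stateCreated referenced`. If it is not the zero value, this is a behaviour change and deserves a mention in the commit description. The struct literal and the function continue outside the hunk.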
diff --git a/lib/utils/jsontools.go b/lib/utils/jsontools.go index bfa69375dcf..e55b49ce221 100644 --- a/lib/utils/jsontools.go +++ b/lib/utils/jsontools.go @@ -25,7 +25,7 @@ import ( "github.com/gravitational/trace" "github.com/ghodss/yaml" - "github.com/json-iterator/go" + jsoniter "github.com/json-iterator/go" kyaml "k8s.io/apimachinery/pkg/util/yaml" ) diff --git a/lib/web/ui/cluster.go b/lib/web/ui/cluster.go index 6122d64f62d..d4960c120dd 100644 --- a/lib/web/ui/cluster.go +++ b/lib/web/ui/cluster.go @@ -46,6 +46,7 @@ type Cluster struct { ProxyVersion string `json:"proxyVersion"` } +//nolint:unused,deadcode var log = logrus.WithFields(logrus.Fields{ trace.Component: teleport.ComponentProxy, }) diff --git a/tool/tctl/common/resource_command.go b/tool/tctl/common/resource_command.go index cf3e793ebc6..f62edf65717 100644 --- a/tool/tctl/common/resource_command.go +++ b/tool/tctl/common/resource_command.go @@ -97,7 +97,7 @@ func (rc *ResourceCommand) Initialize(app *kingpin.Application, config *service. rc.getCmd = app.Command("get", "Print a YAML declaration of various Teleport resources") rc.getCmd.Arg("resources", "Resource spec: 'type/[name][,...]' or 'all'").Required().SetValue(&rc.refs) - rc.getCmd.Flag("format", "Output format: 'yaml', 'json' or 'text'").Default(formatYAML).StringVar(&rc.format) + rc.getCmd.Flag("format", "Output format: 'yaml', 'json' or 'text'").Default(teleport.YAML).StringVar(&rc.format) rc.getCmd.Flag("namespace", "Namespace of the resources").Hidden().Default(defaults.Namespace).StringVar(&rc.namespace) rc.getCmd.Flag("with-secrets", "Include secrets in resources like certificate authorities or OIDC connectors").Default("false").BoolVar(&rc.withSecrets) 
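Review bot: The `//nolint:unused,deadcode` added above `var log` in lib/web/ui/cluster.go suppresses the very linters this change turns on, without saying why the variable is kept. Elsewhere in the same commit, unused identifiers are simply deleted. If nothing in the package uses `log`, removing the declaration is the consistent fix. If it is kept on purpose, put the reason on the directive so the suppression can be audited later: `//nolint:unused,deadcode // <why the package logger is retained>`.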
@@ -162,7 +162,7 @@ func (rc *ResourceCommand) Get(client auth.ClientI) error { } func (rc *ResourceCommand) GetMany(client auth.ClientI) error { - if rc.format != formatYAML { + if rc.format != teleport.YAML { return trace.BadParameter("mixed resource types only support YAML formatting") } var resources []services.Resource @@ -533,12 +533,6 @@ func (rc *ResourceCommand) getCollection(client auth.ClientI) (c ResourceCollect return nil, trace.BadParameter("'%v' is not supported", rc.ref.Kind) } -const ( - formatYAML = "yaml" - formatText = "text" - formatJSON = "json" -) - // UpsertVerb generates the correct string form of a verb based on the action taken func UpsertVerb(exists bool, force bool) string { switch {