diff --git a/cmd/btoa/btoa.c b/cmd/btoa/btoa.c
index 434afa81fd..aeff0671f3 100644
--- a/cmd/btoa/btoa.c
+++ b/cmd/btoa/btoa.c
@@ -120,6 +120,7 @@ main(int argc, char **argv)
 
     /* Parse command line arguments */
     optstate = PL_CreateOptState(argc, argv, "i:o:w:");
+    PORT_Assert(optstate);
     while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
         switch (optstate->option) {
             default:
@@ -203,9 +204,7 @@ main(int argc, char **argv)
     }
     exitCode = 0;
 loser:
-    if (optstate) {
-        PL_DestroyOptState(optstate);
-    }
+    PL_DestroyOptState(optstate);
     if (inFile && closeIn) {
         fclose(inFile);
     }
diff --git a/cmd/pk11importtest/pk11importtest.c b/cmd/pk11importtest/pk11importtest.c
index b2f4890609..eb8e359ba9 100644
--- a/cmd/pk11importtest/pk11importtest.c
+++ b/cmd/pk11importtest/pk11importtest.c
@@ -185,7 +185,7 @@ handleEncryptedPrivateImportTest(char *progName, PK11SlotInfo *slot,
 }
 
 static const char *const usageInfo[] = {
-    "pk11import - test PK11_PrivateKeyImport()"
+    "pk11import - test PK11_PrivateKeyImport()",
     "Options:",
     " -d certdir            directory containing cert database",
     " -k keysize            size of the rsa, dh, and dsa key to test (default 1024)",
diff --git a/gtests/mozpkix_gtest/pkixder_input_tests.cpp b/gtests/mozpkix_gtest/pkixder_input_tests.cpp
index cf91fa2c61..e70f7952fa 100644
--- a/gtests/mozpkix_gtest/pkixder_input_tests.cpp
+++ b/gtests/mozpkix_gtest/pkixder_input_tests.cpp
@@ -359,6 +359,7 @@ TEST_F(pkixder_input_tests, Skip_WrapAroundPointer)
   // but this should catch the problem on at least some compilers, if not all of
   // them.
   const uint8_t* der = nullptr;
+  // coverity[FORWARD_NULL]
   --der;
   Input buf;
   ASSERT_EQ(Success, buf.Init(der, 0));
diff --git a/gtests/ssl_gtest/ssl_primitive_unittest.cc b/gtests/ssl_gtest/ssl_primitive_unittest.cc
index 7966e063d6..66ecdeb12f 100644
--- a/gtests/ssl_gtest/ssl_primitive_unittest.cc
+++ b/gtests/ssl_gtest/ssl_primitive_unittest.cc
@@ -52,6 +52,7 @@ class AeadTest : public ::testing::Test {
     static const size_t kMaxSize = 32;
 
     ASSERT_GE(kMaxSize, ciphertext_len);
+    ASSERT_LT(0U, ciphertext_len);
 
     uint8_t output[kMaxSize];
     unsigned int output_len = 0;
@@ -191,7 +192,7 @@ TEST_F(AeadTest, AeadAes128Gcm) {
 }
 
 TEST_F(AeadTest, AeadAes256Gcm) {
-  SSLAeadContext *ctxInit;
+  SSLAeadContext *ctxInit = nullptr;
   ASSERT_EQ(SECSuccess,
             SSL_MakeAead(SSL_LIBRARY_VERSION_TLS_1_3, TLS_AES_256_GCM_SHA384,
                          secret_.get(), kLabel, strlen(kLabel), &ctxInit));
diff --git a/gtests/ssl_gtest/ssl_recordsep_unittest.cc b/gtests/ssl_gtest/ssl_recordsep_unittest.cc
index 8a1dea5bfb..393b50ffd5 100644
--- a/gtests/ssl_gtest/ssl_recordsep_unittest.cc
+++ b/gtests/ssl_gtest/ssl_recordsep_unittest.cc
@@ -176,6 +176,7 @@ class BadPrSocket : public DummyIOLayerMethods {
     // NSPR method vtable with the ones from this object.
     dummy_layer_ =
         PR_GetIdentitiesLayer(agent->ssl_fd(), DummyPrSocket::LayerId());
+    EXPECT_TRUE(dummy_layer_);
     original_methods_ = dummy_layer_->methods;
     original_secret_ = dummy_layer_->secret;
     dummy_layer_->methods = fd_->methods;
diff --git a/gtests/ssl_gtest/tls_esni_unittest.cc b/gtests/ssl_gtest/tls_esni_unittest.cc
index dbac56f13c..84becf3a60 100644
--- a/gtests/ssl_gtest/tls_esni_unittest.cc
+++ b/gtests/ssl_gtest/tls_esni_unittest.cc
@@ -70,7 +70,7 @@ static void GenerateEsniKey(time_t windowStart, SSLNamedGroup group,
   ASSERT_NE(nullptr, priv);
   SECITEM_FreeItem(&ecParams, PR_FALSE);
   PRUint8 encoded[1024];
-  unsigned int encoded_len;
+  unsigned int encoded_len = 0;
 
   SECStatus rv = SSL_EncodeESNIKeys(
       &cipher_suites[0], cipher_suites.size(), group, pub, 100, windowStart,
@@ -375,11 +375,13 @@ TEST_P(TlsConnectTls13, ConnectEsniCSMismatch) {
   GenerateEsniKey(time(nullptr), ssl_grp_ec_curve25519, kDefaultSuites, &record,
                   &pub, &priv);
   PRUint8 encoded[1024];
-  unsigned int encoded_len;
+  unsigned int encoded_len = 0;
 
   SECStatus rv = SSL_EncodeESNIKeys(
       &kChaChaSuite[0], kChaChaSuite.size(), ssl_grp_ec_curve25519, pub.get(),
       100, time(0), time(0) + 10, encoded, &encoded_len, sizeof(encoded));
+  ASSERT_EQ(SECSuccess, rv);
+  ASSERT_LT(0U, encoded_len);
   rv = SSL_SetESNIKeyPair(server_->ssl_fd(), priv.get(), encoded, encoded_len);
   ASSERT_EQ(SECSuccess, rv);
   rv = SSL_EnableESNI(client_->ssl_fd(), record.data(), record.len(), "");
diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
index 1e461b20c9..003e2bec5d 100644
--- a/lib/softoken/pkcs11c.c
+++ b/lib/softoken/pkcs11c.c
@@ -1229,6 +1229,7 @@ sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
             }
             if (att->attrib.ulValueLen != sizeof(ctx->key)) {
                 sftk_FreeAttribute(att);
+                PORT_Free(ctx);
                 crv = CKR_KEY_HANDLE_INVALID;
                 break;
             }