diff --git a/secret_loader/__init__.py b/secret_loader/__init__.py
index 7469c79..ccf1d74 100644
--- a/secret_loader/__init__.py
+++ b/secret_loader/__init__.py
@@ -118,12 +118,12 @@ class SecretLoader:
         self.env_key_prefix = self._load_or_none(ENV_KEY_PREFIX)
         if self.env_key_prefix is not None:
             logger.info('Environment enabled with prefix: %s', self.env_key_prefix)
-            assert (
-                self.env_key_prefix == self.env_key_prefix.upper()
-            ), 'Prefix must be uppercase'
-            assert not self.env_key_prefix.endswith(
-                '_',
-            ), 'Prefix must not end with _ (this will be added automatically)'
+            if self.env_key_prefix != self.env_key_prefix.upper():
+                msg = 'Prefix must be uppercase'
+                raise ValueError(msg)
+            if self.env_key_prefix.endswith('_'):
+                msg = 'Prefix must not end with _ (this will be added automatically)'
+                raise ValueError(msg)
 
         # Setup secrets path
         self.secret_folder = Path(
@@ -210,8 +210,12 @@ class SecretLoader:
         if self.pass_folder is None:
             return None
 
-        cmd = ['pass', 'show', f'{self.pass_folder}/{secret_name.lower()}']
-        process = subprocess.run(cmd, capture_output=True, check=False)
+        process = subprocess.run(  # noqa: S603
+            ['/usr/bin/pass', 'show', f'{self.pass_folder}/{secret_name.lower()}'],
+            capture_output=True,
+            check=False,
+            shell=False,
+        )
         if process.returncode:
             return None