diff --git a/.github/workflows/linux-ci.yml b/.github/workflows/linux-ci.yml index 8eb3d94358e..992d7e2b20e 100644 --- a/.github/workflows/linux-ci.yml +++ b/.github/workflows/linux-ci.yml @@ -13,7 +13,7 @@ concurrency: jobs: build: runs-on: ubuntu-latest - if: github.event.pull_request.draft == false +# if: github.event.pull_request.draft == false steps: - uses: actions/checkout@v3 - name: Install system dependencies @@ -30,8 +30,8 @@ jobs: run: | tools/install-dependencies env: - CC: /usr/bin/clang - CXX: /usr/bin/clang++ + CC: /usr/bin/clang-15 + CXX: /usr/bin/clang++-15 if: steps.internal_cache.outputs.cache-hit != 'true' - name: Cache Rust @@ -44,22 +44,22 @@ jobs: run: | tools/generate-files native env: - CC: /usr/bin/clang - CXX: /usr/bin/clang++ + CC: /usr/bin/clang-15 + CXX: /usr/bin/clang++-15 - name: CMake (coverage/clang-tidy/clang-asan) run: | - cmake -H. -Bbuild -DCMAKE_BUILD_TYPE=Debug -DTW_UNITY_BUILD=ON -DTW_CODE_COVERAGE=ON -DTW_ENABLE_CLANG_TIDY=ON -DTW_CLANG_ASAN=ON -GNinja + cmake -H. -Bbuild -DCMAKE_BUILD_TYPE=Debug -DTW_UNITY_BUILD=ON -DTW_CODE_COVERAGE=ON -DTW_ENABLE_CLANG_TIDY=ON -DTW_CLANG_ASAN=ON -DCMAKE_CXX_FLAGS="-stdlib=libc++ -std=c++20" -GNinja env: - CC: /usr/bin/clang - CXX: /usr/bin/clang++ + CC: /usr/bin/clang-15 + CXX: /usr/bin/clang++-15 - name: Build and test run: | ninja -Cbuild tests TrezorCryptoTests build/trezor-crypto/crypto/tests/TrezorCryptoTests build/tests/tests --gtest_output=xml env: - CC: /usr/bin/clang - CXX: /usr/bin/clang++ + CC: /usr/bin/clang-15 + CXX: /usr/bin/clang++-15 CK_TIMEOUT_MULTIPLIER: 4 - name: Gather and check code coverage run: | diff --git a/rust/coverage.stats b/rust/coverage.stats index 7d7ab43dc7c..8670b15529f 100644 --- a/rust/coverage.stats +++ b/rust/coverage.stats @@ -1 +1 @@ -92.0 \ No newline at end of file +91.0 \ No newline at end of file diff --git a/src/Filecoin/Signer.cpp b/src/Filecoin/Signer.cpp index c2f2ceafa3e..66d83ae4a22 100644 --- a/src/Filecoin/Signer.cpp 
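Review bot: In `.github/workflows/linux-ci.yml` the draft-PR guard on the `build` job is commented out rather than removed, leaving `# if: github.event.pull_request.draft == false` at column 0 inside the job mapping with no explanation. If running CI on draft pull requests is intended, delete the line. If it was disabled only to exercise this change, restore it before merge.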
+++ b/src/Filecoin/Signer.cpp @@ -24,7 +24,7 @@ Proto::SigningOutput signingOutputError(Common::Proto::SigningError error) { // ChainId defines the chain ID used in the Ethereum JSON-RPC endpoint. // As per https://github.com/ethereum-lists/chains -static constexpr uint256_t FILECOIN_EIP155_CHAIN_ID = 314; +static constexpr uint64_t FILECOIN_EIP155_CHAIN_ID = 314; static Proto::SigningOutput errorOutput(const char* error) { Proto::SigningOutput output; @@ -144,7 +144,7 @@ Proto::SigningOutput Signer::signDelegated(const Proto::SigningInput& input) { Ethereum::Proto::SigningInput ethInput; - auto chainId = store(FILECOIN_EIP155_CHAIN_ID); + auto chainId = store(uint256_t(FILECOIN_EIP155_CHAIN_ID)); auto nonce = store(uint256_t(input.nonce())); auto gasLimit = store(uint256_t(input.gas_limit())); diff --git a/src/HDWallet.cpp b/src/HDWallet.cpp index 74d6e4585bd..b4674f56dcf 100644 --- a/src/HDWallet.cpp +++ b/src/HDWallet.cpp @@ -99,9 +99,9 @@ HDWallet::HDWallet(const Data& entropy, const std::string& passphrase) template HDWallet::~HDWallet() { - std::fill(seed.begin(), seed.end(), 0); - std::fill(mnemonic.begin(), mnemonic.end(), 0); - std::fill(passphrase.begin(), passphrase.end(), 0); + memzero(seed.data(), seed.size()); + memzero(mnemonic.data(), mnemonic.size()); + memzero(passphrase.data(), passphrase.size()); } template diff --git a/src/Keystore/StoredKey.cpp b/src/Keystore/StoredKey.cpp index 3e35bc7aa9b..af05b38dda8 100644 --- a/src/Keystore/StoredKey.cpp +++ b/src/Keystore/StoredKey.cpp @@ -17,6 +17,7 @@ #include #include #include +#include #include #include 
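Review bot: The `HDWallet` destructor in `src/HDWallet.cpp` should say why it calls `memzero` rather than `std::fill`, otherwise a later cleanup can quietly revert it. A comment such as `// memzero, not std::fill: a fill right before destruction is a dead store the optimizer may remove` would do. The wipe covers `size()` bytes only, so if `mnemonic` or `passphrase` were ever reassigned to a shorter value, or grown past their capacity, the earlier bytes would not be cleared; whether that can happen is not visible in this hunk. No include for `memzero` is added here, so it presumably comes from a header that `HDWallet.cpp` already pulls in.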
@@ -32,7 +33,11 @@ StoredKey StoredKey::createWithMnemonic(const std::string& name, const Data& pas } Data mnemonicData = TW::Data(mnemonic.begin(), mnemonic.end()); - return StoredKey(StoredKeyType::mnemonicPhrase, name, password, mnemonicData, encryptionLevel, encryption); + StoredKey key(StoredKeyType::mnemonicPhrase, name, password, mnemonicData, encryptionLevel, encryption); + if (!mnemonicData.empty()) { + memzero(mnemonicData.data(), mnemonic.size()); + } + return key; } StoredKey StoredKey::createWithMnemonicRandom(const std::string& name, const Data& password, TWStoredKeyEncryptionLevel encryptionLevel, TWStoredKeyEncryption encryption) { diff --git a/src/interface/TWString.cpp b/src/interface/TWString.cpp index ccd0f267dfd..574ba976765 100644 --- a/src/interface/TWString.cpp +++ b/src/interface/TWString.cpp @@ -6,7 +6,9 @@ #include + #include +#include TWString *_Nonnull TWStringCreateWithUTF8Bytes(const char *_Nonnull bytes) { auto* s = new std::string(bytes); @@ -34,8 +36,14 @@ const char *_Nonnull TWStringUTF8Bytes(TWString *_Nonnull string) { } void TWStringDelete(TWString *_Nonnull string) { - auto* s = reinterpret_cast(string); - delete s; + auto *sConst = reinterpret_cast(string); + // `const_cast` is safe here despite that the pointer to the string is const + // but `std::string` is not a constant value. + auto *s = const_cast(sConst); + if (!s->empty()) { + memzero(s->data(), s->size()); + } + delete sConst; } bool TWStringEqual(TWString *_Nonnull lhs, TWString *_Nonnull rhs) { diff --git a/tests/chains/Bitcoin/TWSegwitAddressTests.cpp b/tests/chains/Bitcoin/TWSegwitAddressTests.cpp index 6b21a066205..9723244292c 100644 --- a/tests/chains/Bitcoin/TWSegwitAddressTests.cpp +++ b/tests/chains/Bitcoin/TWSegwitAddressTests.cpp 
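Review bot: In `StoredKey::createWithMnemonic` (`src/Keystore/StoredKey.cpp`) the wipe passes `mnemonic.size()` as the length of `mnemonicData`'s buffer. The two are equal only because `mnemonicData` was built from `mnemonic` a few lines earlier, so the call should use the buffer's own length: `memzero(mnemonicData.data(), mnemonicData.size());`. The wipe also runs only on the normal path, so if the `StoredKey` constructor can throw, the plaintext copy is destroyed without being cleared; a small scope guard around `mnemonicData` would cover both paths. The function begins above the hunk, so how `mnemonic` is validated beforehand is not visible here.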
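Review bot: `TWStringDelete` in `src/interface/TWString.cpp` now dereferences its argument (`s->empty()`, `s->data()`) before deleting it, so a null pointer, which the old `delete s` accepted as a no-op, becomes undefined behaviour. The parameter is annotated `_Nonnull`, but that annotation is not enforced at runtime, so an early `if (sConst == nullptr) { return; }` would keep the previous tolerance. The comment above the `const_cast` is hard to parse; something like `// The TWString handle is const-qualified, but the std::string behind it was allocated non-const, so casting away const to wipe it is well-defined` states the reason directly. That holds for `TWStringCreateWithUTF8Bytes` in the context lines, which uses `new std::string(bytes)`.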
@@ -60,7 +60,7 @@ TEST(TWSegwitAddress, InitWithAddress) { ASSERT_EQ(TWHRPBitcoin, TWSegwitAddressHRP(address.get())); - auto witness = WRAPS(TWSegwitAddressWitnessProgram(address.get())); + auto witness = WRAPD(TWSegwitAddressWitnessProgram(address.get())); ASSERT_EQ(TW::hex(TW::data(TWDataBytes(witness.get()), TWDataSize(witness.get()))), "751e76e8199196d454941c45d1b3a323f1433bd6"); } diff --git a/tools/install-sys-dependencies-linux b/tools/install-sys-dependencies-linux index b9173e25e42..7350db9ede8 100755 --- a/tools/install-sys-dependencies-linux +++ b/tools/install-sys-dependencies-linux @@ -2,5 +2,5 @@ set -e - # build-essential clang-14 libc++-dev libc++abi-dev ruby-full cmake - sudo apt-get update && sudo apt-get install ninja-build lcov llvm-14 clang-tidy-14 libboost-all-dev rustc --fix-missing +# build-essential clang-15 libc++-dev libc++abi-dev ruby-full cmake +sudo apt-get update && sudo apt-get install ninja-build lcov llvm-15 clang-15 clang-tidy-15 libboost-all-dev rustc --fix-missing
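Review bot: In `tools/install-sys-dependencies-linux` the `apt-get install` line adds `clang-15` but no libc++ package, while the workflow in this same commit now configures the build with `-stdlib=libc++`. The libc++ packages appear only in the comment line above, so the build depends on whatever libc++ the runner image happens to carry. Installing the version-matched packages explicitly, for example by adding `libc++-15-dev libc++abi-15-dev` to the install list, would keep the toolchain reproducible.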