diff --git a/internal/embed/root.go b/internal/embed/root.go
index e80b75b..9bf20ae 100644
--- a/internal/embed/root.go
+++ b/internal/embed/root.go
@@ -16,11 +16,13 @@ var prodRoot []byte
 
 var defaultRoot = prodRoot
 
-type RootName string
-type EmbeddedRoot struct {
- Data []byte
- Name RootName
-}
+type (
+ RootName string
+ EmbeddedRoot struct {
+ Data []byte
+ Name RootName
+ }
+)
 
 var (
 RootDev = EmbeddedRoot{Data: devRoot, Name: "dev"}
diff --git a/internal/test/mocks.go b/internal/test/mocks.go
index ade9063..5ec7d6f 100644
--- a/internal/test/mocks.go
+++ b/internal/test/mocks.go
@@ -34,7 +34,6 @@ func (r MockResolver) ImageDescriptor(ctx context.Context) (*v1.Descriptor, erro
 Size: 1234,
 MediaType: "application/vnd.oci.image.manifest.v1+json",
 }, nil
-
 }
 
 func (r MockResolver) ImagePlatform(ctx context.Context) (*v1.Platform, error) {
diff --git a/internal/test/test.go b/internal/test/test.go
index 76536b1..793f9ef 100644
--- a/internal/test/test.go
+++ b/internal/test/test.go
@@ -124,10 +124,10 @@ func ExtractStatementsFromIndex(idx v1.ImageIndex, mediaType string) ([]*Annotat
 return nil, fmt.Errorf("failed to get layer contents: %w", err)
 }
 defer r.Close()
- var intotoStatement = new(intoto.Statement)
+ intotoStatement := new(intoto.Statement)
 var desc *v1.Descriptor
 if strings.HasSuffix(string(mt), "+dsse") {
- var env = new(attestation.Envelope)
+ env := new(attestation.Envelope)
 err = json.NewDecoder(r).Decode(env)
 if err != nil {
 return nil, fmt.Errorf("failed to decode env: %w", err)
diff --git a/internal/test/test_test.go b/internal/test/test_test.go
index 812c019..8852268 100644
--- a/internal/test/test_test.go
+++ b/internal/test/test_test.go
@@ -8,9 +8,7 @@ import (
 "github.com/stretchr/testify/assert"
 )
 
-var (
- UnsignedTestImage = filepath.Join("..", "..", "test", "testdata", "unsigned-test-image")
-)
+var UnsignedTestImage = filepath.Join("..", "..", "test", "testdata", "unsigned-test-image")
 
 const (
 ExpectedStatements = 4
diff --git a/pkg/attest/verify_test.go b/pkg/attest/verify_test.go
index fcbd734..a04ffd2 100644
--- a/pkg/attest/verify_test.go
+++ b/pkg/attest/verify_test.go
@@ -21,9 +21,7 @@ import (
 "github.com/stretchr/testify/require"
 )
 
-var (
- ExampleAttestation = filepath.Join("..", "..", "test", "testdata", "example_attestation.json")
-)
+var ExampleAttestation = filepath.Join("..", "..", "test", "testdata", "example_attestation.json")
 
 const (
 LinuxAMD64 = "linux/amd64"
@@ -33,7 +31,7 @@ func TestVerifyAttestations(t *testing.T) {
 
 ex, err := os.ReadFile(ExampleAttestation)
 assert.NoError(t, err)
- var env = new(attestation.Envelope)
+ env := new(attestation.Envelope)
 err = json.Unmarshal(ex, env)
 assert.NoError(t, err)
 resolver := &test.MockResolver{
@@ -51,7 +49,6 @@ func TestVerifyAttestations(t *testing.T) {
 
 for _, tc := range testCases {
 t.Run(tc.name, func(t *testing.T) {
-
 mockPE := policy.MockPolicyEvaluator{
 EvaluateFunc: func(ctx context.Context, resolver oci.AttestationResolver, pctx *policy.Policy, input *policy.PolicyInput) (*policy.Result, error) {
 return policy.AllowedResult(), tc.policyEvaluationError
diff --git a/pkg/attestation/attestation.go b/pkg/attestation/attestation.go
index ef48ae2..8ddbd4d 100644
--- a/pkg/attestation/attestation.go
+++ b/pkg/attestation/attestation.go
@@ -47,7 +47,8 @@ func GetAttestationManifestsFromIndex(index v1.ImageIndex) ([]*AttestationManife
 &AttestationManifest{
 OriginalDescriptor: &desc,
 SubjectDescriptor: subject,
- OriginalLayers: attestationLayers})
+ OriginalLayers: attestationLayers,
+ })
 }
 }
 return attestationManifests, nil
@@ -78,7 +79,7 @@ func GetAttestationsFromImage(image v1.Image) ([]*AttestationLayer, error) {
 // copy original annotations
 ann := maps.Clone(layerDesc.Annotations)
 // only decode intoto statements
- var stmt = new(intoto.Statement)
+ stmt := new(intoto.Statement)
 if mt == types.MediaType(intoto.PayloadType) {
 err = json.NewDecoder(r).Decode(&stmt)
 if err != nil {
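Review bot: In GetAttestationsFromImage the new `stmt := new(intoto.Statement)` is still decoded through `json.NewDecoder(r).Decode(&stmt)`, i.e. into a `**intoto.Statement`; a layer whose body is the JSON literal `null` then overwrites `stmt` with nil, so any later field access on it (outside this hunk) would panic on registry-supplied attestation content instead of surfacing an error. Passing the pointer directly, `err = json.NewDecoder(r).Decode(stmt)`, keeps the allocated value and matches how internal/test/test.go in this same commit calls `Decode(env)`. The same shape appears in pkg/oci/oci.go ExtractEnvelopes, `json.NewDecoder(reader).Decode(&env)`, which could become `Decode(env)` for the same reason. GetAttestationsFromImage's body continues outside the hunk.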
@@ -139,9 +140,9 @@ func SignInTotoStatement(ctx context.Context, statement *intoto.Statement, signe
 func UpdateIndexImage(
 idx v1.ImageIndex,
 manifest *AttestationManifest,
- options ...func(*AttestationManifestImageOptions) error) (v1.ImageIndex, error) {
+ options ...func(*AttestationManifestImageOptions) error,
+) (v1.ImageIndex, error) {
 image, err := manifest.BuildAttestationImage(options...)
-
 if err != nil {
 return nil, fmt.Errorf("failed to build image: %w", err)
 }
@@ -218,7 +219,7 @@ func (manifest *AttestationManifest) BuildAttestationImage(options ...func(*Atte
 break
 }
 }
- //add existing layers if they've not been signed or we're not replacing them
+ // add existing layers if they've not been signed or we're not replacing them
 if !found || !opts.replaceLayers {
 resultLayers = append(resultLayers, existingLayer)
 }
@@ -254,7 +255,7 @@ func buildImage(layers []*AttestationLayer, manifest *v1.Descriptor, subject *v1
 return nil, fmt.Errorf("no layers supplied to build image")
 }
 // NB: if we add the subject before the layers, it does not end up being computed/serialised in the output for some reason
- //TODO - recreate this bug and push upstream
+ // TODO - recreate this bug and push upstream
 for _, layer := range layers {
 add := mutate.Addendum{
 Layer: layer.Layer,
diff --git a/pkg/attestation/referrers_test.go b/pkg/attestation/referrers_test.go
index 0e05172..da820f6 100644
--- a/pkg/attestation/referrers_test.go
+++ b/pkg/attestation/referrers_test.go
@@ -57,7 +57,7 @@ func TestAttestationReferenceTypes(t *testing.T) {
 {
 name: "attached attestations, referrers repo (mismatched args)",
 server: httptest.NewServer(registry.New(registry.WithReferrersSupport(true))),
- expectFailure: true, //mismatched args
+ expectFailure: true, // mismatched args
 attestationSource: config.AttestationStyleAttached,
 referrersRepo: "referrers",
 },
@@ -261,7 +261,7 @@ func TestReferencesInDifferentRepo(t *testing.T) {
 mfs2, err := attIdx.Index.IndexManifest()
 require.NoError(t, err)
 for _, mf := range mfs2.Manifests {
- //skip signed/unsigned attestations
+ // skip signed/unsigned attestations
 if mf.Annotations[attestation.DockerReferenceType] == attestation.AttestationManifestType {
 continue
 }
diff --git a/pkg/attestation/verify.go b/pkg/attestation/verify.go
index 3eb7361..78ab79f 100644
--- a/pkg/attestation/verify.go
+++ b/pkg/attestation/verify.go
@@ -27,8 +27,10 @@ type KeyMetadata struct {
 Distrust bool `json:"distrust,omitempty"`
 }
 
-type Keys []KeyMetadata
-type KeysMap map[string]KeyMetadata
+type (
+ Keys []KeyMetadata
+ KeysMap map[string]KeyMetadata
+)
 
 func VerifyDSSE(ctx context.Context, env *Envelope, opts *VerifyOptions) ([]byte, error) {
 // enforce payload type
diff --git a/pkg/attestation/vsa.go b/pkg/attestation/vsa.go
index 7b90539..5451b67 100644
--- a/pkg/attestation/vsa.go
+++ b/pkg/attestation/vsa.go
@@ -35,7 +35,7 @@ type VSAInputAttestation struct {
 }
 
 func ToVSAResourceURI(sub intoto.Subject) (string, error) {
- //parse purl
+ // parse purl
 purl, err := packageurl.FromString(sub.Name)
 if err != nil {
 return "", fmt.Errorf("failed to parse package url: %w", err)
diff --git a/pkg/mirror/mirror.go b/pkg/mirror/mirror.go
index 3f53484..fdf4b42 100644
--- a/pkg/mirror/mirror.go
+++ b/pkg/mirror/mirror.go
@@ -137,7 +137,7 @@ func SaveReferrers(manifest *attestation.AttestationManifest, outputs []*oci.Ima
 if err != nil {
 return err
 }
- //otherwise we end up with the detected platform, though I'm not sure it matters
+ // otherwise we end up with the detected platform, though I'm not sure it matters
 attOut.Platform = &v1.Platform{
 OS: "unknown",
 Architecture: "unknown",
diff --git a/pkg/mirror/mirror_test.go b/pkg/mirror/mirror_test.go
index f99fb5b..75ca87d 100644
--- a/pkg/mirror/mirror_test.go
+++ b/pkg/mirror/mirror_test.go
@@ -43,7 +43,6 @@ func TestSavingIndex(t *testing.T) {
 }
 
 func TestSavingImage(t *testing.T) {
-
 outputLayout := test.CreateTempDir(t, "", "mirror-test")
 img := empty.Image
 
diff --git a/pkg/oci/layout.go b/pkg/oci/layout.go
index 2349ad8..9368c0c 100644
--- a/pkg/oci/layout.go
+++ b/pkg/oci/layout.go
@@ -55,10 +55,9 @@ func (r *OCILayoutResolver) Attestations(ctx context.Context, predicateType stri
 if mts != dsseMediaType {
 continue
 }
- var env = new(att.Envelope)
+ env := new(att.Envelope)
 // parse layer blob as json
 r, err := attestationLayer.Layer.Uncompressed()
-
 if err != nil {
 return nil, fmt.Errorf("failed to get layer contents: %w", err)
 }
diff --git a/pkg/oci/oci.go b/pkg/oci/oci.go
index d96c63b..c5a7638 100644
--- a/pkg/oci/oci.go
+++ b/pkg/oci/oci.go
@@ -63,7 +63,7 @@ func ExtractEnvelopes(manifest *attestation.AttestationManifest, predicateType s
 return nil, fmt.Errorf("failed to get layer contents: %w", err)
 }
 defer reader.Close()
- var env = new(att.Envelope)
+ env := new(att.Envelope)
 err = json.NewDecoder(reader).Decode(&env)
 if err != nil {
 return nil, fmt.Errorf("failed to decode envelope: %w", err)
diff --git a/pkg/oci/oci_test.go b/pkg/oci/oci_test.go
index b9aa68b..545ad36 100644
--- a/pkg/oci/oci_test.go
+++ b/pkg/oci/oci_test.go
@@ -54,9 +54,7 @@ func TestRefToPurl(t *testing.T) {
 assert.True(t, canonical)
 }
 
-var (
- UnsignedTestImage = filepath.Join("..", "..", "test", "testdata", "unsigned-test-image")
-)
+var UnsignedTestImage = filepath.Join("..", "..", "test", "testdata", "unsigned-test-image")
 
 // Test fix for https://github.com/docker/secure-artifacts-team-issues/issues/202
 func TestImageDigestForPlatform(t *testing.T) {
diff --git a/pkg/oci/referrers.go b/pkg/oci/referrers.go
index 0c756a5..3ef3e31 100644
--- a/pkg/oci/referrers.go
+++ b/pkg/oci/referrers.go
@@ -35,8 +35,7 @@ func WithReferrersRepo(repo string) func(*ReferrersResolver) error {
 }
 }
 
-func (r *ReferrersResolver) resolveAttestations(ctx context.Context, predicateType string) ([]*attestation.AttestationManifest,
- error) {
+func (r *ReferrersResolver) resolveAttestations(ctx context.Context, predicateType string) ([]*attestation.AttestationManifest, error) {
 dsseMediaType, err := attestation.DSSEMediaType(predicateType)
 if err != nil {
 return nil, fmt.Errorf("failed to get DSSE media type for predicate '%s': %w", predicateType, err)
diff --git a/pkg/oci/types.go b/pkg/oci/types.go
index 73d5da7..507f9da 100644
--- a/pkg/oci/types.go
+++ b/pkg/oci/types.go
@@ -18,11 +18,13 @@ const (
 Docker SourceType = "Docker"
 )
 
-type SourceType string
-type NamedIndex struct {
- Index v1.ImageIndex
- Name string
-}
+type (
+ SourceType string
+ NamedIndex struct {
+ Index v1.ImageIndex
+ Name string
+ }
+)
 
 type AttestationOptions struct {
 NoReferrers bool
diff --git a/pkg/policy/policy_test.go b/pkg/policy/policy_test.go
index 82ab8b1..b7f2fc6 100644
--- a/pkg/policy/policy_test.go
+++ b/pkg/policy/policy_test.go
@@ -22,7 +22,7 @@ func loadAttestation(t *testing.T, path string) *attestation.Envelope {
 t.Fatal(err)
 }
 
- var env = new(attestation.Envelope)
+ env := new(attestation.Envelope)
 err = json.Unmarshal(ex, env)
 if err != nil {
 t.Fatal(err)
@@ -103,7 +103,6 @@ func TestRegoEvaluator_Evaluate(t *testing.T) {
 }
 })
 }
-
 }
 
 func TestLoadingMappings(t *testing.T) {
diff --git a/pkg/policy/rego.go b/pkg/policy/rego.go
index 72ebc8f..a3e8ec0 100644
--- a/pkg/policy/rego.go
+++ b/pkg/policy/rego.go
@@ -140,6 +140,7 @@ var verifyDecl = &ast.Builtin{
 Decl: types.NewFunction(types.Args(dynamicObj, dynamicObj), dynamicObj),
 Nondeterministic: true,
 }
+
 var attestDecl = &ast.Builtin{
 Name: "attest.fetch",
 Decl: types.NewFunction(types.Args(types.S), dynamicObj),
diff --git a/pkg/tuf/mock.go b/pkg/tuf/mock.go
index 95afba8..bdd065f 100644
--- a/pkg/tuf/mock.go
+++ b/pkg/tuf/mock.go
@@ -38,7 +38,7 @@ func (dc *mockTufClient) DownloadTarget(target string, filePath string) (actualF
 dstFilePath = filePath
 }
 
- err = os.MkdirAll(filepath.Dir(dstFilePath), 0755)
+ err = os.MkdirAll(filepath.Dir(dstFilePath), os.ModePerm)
 if err != nil {
 return "", nil, err
 }
diff --git a/pkg/tuf/tuf.go b/pkg/tuf/tuf.go
index c4fe00a..4bb61a2 100644
--- a/pkg/tuf/tuf.go
+++ b/pkg/tuf/tuf.go
@@ -56,20 +56,19 @@ func NewTufClient(initialRoot []byte, tufPath, metadataSource, targetsSource str
 
 // create a directory for each initial root.json
 metadataPath := filepath.Join(tufPath, tufRootDigest)
- err := os.MkdirAll(metadataPath, 0755)
+ err := os.MkdirAll(metadataPath, os.ModePerm)
 if err != nil {
 return nil, fmt.Errorf("failed to create directory '%s': %w", metadataPath, err)
 }
 rootFile := filepath.Join(metadataPath, "root.json")
 var rootBytes []byte
 rootBytes, err = os.ReadFile(rootFile)
-
 if err != nil {
 if !errors.Is(err, fs.ErrNotExist) {
 return nil, fmt.Errorf("failed to read root.json: %w", err)
 }
 // write the root.json file to the metadata directory
- err = os.WriteFile(rootFile, initialRoot, 0644)
+ err = os.WriteFile(rootFile, initialRoot, 0o666) // #nosec G306
 if err != nil {
 return nil, fmt.Errorf("Failed to write root.json %w", err)
 }
@@ -131,7 +130,7 @@ func (t *TufClient) DownloadTarget(target string, filePath string) (actualFilePa
 
 // check if filePath exists and create the directory if it doesn't
 if _, err := os.Stat(filepath.Dir(filePath)); os.IsNotExist(err) {
- err = os.MkdirAll(filepath.Dir(filePath), 0755)
+ err = os.MkdirAll(filepath.Dir(filePath), os.ModePerm)
 if err != nil {
 return "", nil, fmt.Errorf("failed to create target download directory '%s': %w", filepath.Dir(filePath), err)
 }
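Review bot: In NewTufClient the permission changes widen rather than tighten: `os.MkdirAll(metadataPath, os.ModePerm)` requests 0o777 for the metadata directory and `os.WriteFile(rootFile, initialRoot, 0o666) // #nosec G306` requests a world-writable root.json while suppressing the gosec finding that flagged it; the effective bits depend on the process umask, so under a permissive umask the TUF trust root this client pins to becomes modifiable by other local users. Satisfy the linter by narrowing instead, e.g. `err := os.MkdirAll(metadataPath, 0o750)` and `err = os.WriteFile(rootFile, initialRoot, 0o600)` (or keep 0o755/0o644 and put the justification on the nosec comment). The same `os.ModePerm` substitution is made for the target download directory in TufClient.DownloadTarget in the second hunk and in mockTufClient.DownloadTarget in pkg/tuf/mock.go, where the previous 0o755 was already sufficient. The neighbouring `"Failed to write root.json %w"` is the only capitalised, colon-less error string in the hunk and could be brought in line with the others while this code is being touched.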