conforma · simonbaird · Mar 24, 2026
diff --git a/.regal/config.yaml b/.regal/config.yaml
@@ -45,6 +45,7 @@ rules:
           # schemas can be quite large.
           - "*_schema.rego"
     line-length:
+      max-line-length: 200
       ignore:
         files:
           # schemas can have very long attribute values, e.g. description.

diff --git a/antora/docs/modules/ROOT/pages/packages/release_olm.adoc b/antora/docs/modules/ROOT/pages/packages/release_olm.adoc
@@ -43,7 +43,7 @@ Each image referenced by the OLM bundle should match an entry in the list of pre
 * FAILURE message: `The %q CSV image reference is not from an allowed registry.`
 * Code: `olm.allowed_registries`
 * Effective from: `2024-09-01T00:00:00Z`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L304[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L303[Source, window="_blank"]
 
 [#olm__allowed_resource_kinds]
 === link:#olm__allowed_resource_kinds[OLM bundle image manifests contain only allowed resource kinds]
@@ -55,7 +55,7 @@ Every manifest in an OLM bundle must be of an allowed resource kind, as defined
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `The %q manifest kind is not in the list of OLM allowed resource kinds.`
 * Code: `olm.allowed_resource_kinds`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L359[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L358[Source, window="_blank"]
 
 [#olm__olm_bundle_multi_arch]
 === link:#olm__olm_bundle_multi_arch[OLM bundle images are not multi-arch]
@@ -68,7 +68,7 @@ OLM bundle images should be built for a single architecture. They should not be
 * FAILURE message: `The %q bundle image is a multi-arch reference.`
 * Code: `olm.olm_bundle_multi_arch`
 * Effective from: `2025-05-01T00:00:00Z`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L337[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L336[Source, window="_blank"]
 
 [#olm__allowed_registries_related]
 === link:#olm__allowed_registries_related[Related images references are from allowed registries]

diff --git a/antora/docs/modules/ROOT/pages/packages/release_sbom_spdx.adoc b/antora/docs/modules/ROOT/pages/packages/release_sbom_spdx.adoc
@@ -43,7 +43,7 @@ For each of the packages fetched by Hermeto which define externalReferences, ver
 * FAILURE message: `Package %s fetched by Hermeto was sourced from %q which is not allowed`
 * Code: `sbom_spdx.allowed_package_sources`
 * Effective from: `2025-02-17T00:00:00Z`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L170[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L168[Source, window="_blank"]
 
 [#sbom_spdx__contains_files]
 === link:#sbom_spdx__contains_files[Contains files]
@@ -55,7 +55,7 @@ Check the list of files in the SPDX SBOM is not empty.
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `The list of files is empty`
 * Code: `sbom_spdx.contains_files`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L137[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L135[Source, window="_blank"]
 
 [#sbom_spdx__contains_packages]
 === link:#sbom_spdx__contains_packages[Contains packages]
@@ -80,7 +80,7 @@ Confirm the SPDX SBOM contains only packages without disallowed attributes. By d
 * FAILURE message: `Package %s has the attribute %q set%s`
 * Code: `sbom_spdx.disallowed_package_attributes`
 * Effective from: `2025-02-04T00:00:00Z`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L216[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L214[Source, window="_blank"]
 
 [#sbom_spdx__disallowed_package_external_references]
 === link:#sbom_spdx__disallowed_package_external_references[Disallowed package external references]
@@ -93,7 +93,7 @@ Confirm the SPDX SBOM contains only packages without disallowed external referen
 * FAILURE message: `Package %s has reference %q of type %q which is disallowed%s`
 * Code: `sbom_spdx.disallowed_package_external_references`
 * Effective from: `2024-07-31T00:00:00Z`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L105[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L104[Source, window="_blank"]
 
 [#sbom_spdx__matches_image]
 === link:#sbom_spdx__matches_image[Matches image]
@@ -105,7 +105,7 @@ Check the SPDX SBOM targets the image being validated.
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `Image digest in the SBOM, %q, is not as expected, %q`
 * Code: `sbom_spdx.matches_image`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L152[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L150[Source, window="_blank"]
 
 [#sbom_spdx__valid]
 === link:#sbom_spdx__valid[Valid]

diff --git a/checks/annotations_test.rego b/checks/annotations_test.rego
@@ -208,16 +208,13 @@ test_required_annotations_invalid if {
 }
 
 test_missing_dependency_invalid if {
-	# regal ignore:line-length
 	err = `ERROR: Missing dependency rule "data.attestation_type.known_attestation_type" at policy/release/attestation_task_bundle.rego:71`
 	lib.assert_equal({err}, checks.violation) with input as opa_inspect_missing_dependency
 }
 
 test_duplicate_rules if {
-	# regal ignore:line-length
 	err1 = `ERROR: Found non-unique code "data.attestation_type.known_attestation_type" at policy/release/attestation_type.rego:30`
 
-	# regal ignore:line-length
 	err2 = `ERROR: Found non-unique code "data.attestation_type.known_attestation_type" at policy/release/attestation_type.rego:50`
 	lib.assert_equal({err1, err2}, checks.violation) with input as opa_inspect_duplicate
 }

diff --git a/policy/build_task/build_labels/build_labels_test.rego b/policy/build_task/build_labels/build_labels_test.rego
@@ -6,7 +6,6 @@ import data.build_labels
 import data.lib
 
 test_build_label_found if {
-	# regal ignore:line-length
 	lib.assert_empty(build_labels.deny) with input as {"metadata": {"labels": {"build.appstudio.redhat.com/build_type": "docker"}}}
 }
 

diff --git a/policy/lib/sbom/sbom.rego b/policy/lib/sbom/sbom.rego
@@ -263,7 +263,6 @@ rule_data_errors contains error if {
 	})
 
 	error := {
-		# regal ignore:line-length
 		"message": sprintf("Rule data %s has unexpected format: %s", [rule_data_disallowed_external_references_key, e.message]),
 		"severity": e.severity,
 	}
@@ -295,7 +294,6 @@ rule_data_errors contains error if {
 	)
 
 	error := {
-		# regal ignore:line-length
 		"message": sprintf("Rule data %s has unexpected format: %s", [rule_data_allowed_package_sources_key, e.message]),
 		"severity": e.severity,
 	}

diff --git a/policy/lib/sbom/sbom_test.rego b/policy/lib/sbom/sbom_test.rego
@@ -140,17 +140,14 @@ test_ignore_unrelated_sboms if {
 	]
 
 	lib.assert_equal(sbom.all_sboms, []) with input.attestations as attestations
-		# regal ignore:line-length
-with 		input.image as {"ref": "registry.io/repository/image@sha256:284e302900000000000000000000000000000000000000000000000284e3029"}
+		with input.image as {"ref": "registry.io/repository/image@sha256:284e302900000000000000000000000000000000000000000000000284e3029"}
 		with ec.oci.blob as ""
 		with ec.oci.descriptor as {"mediaType": "application/vnd.oci.image.manifest.v1+json"}
 }
 
 test_image_ref_from_purl if {
-	# regal ignore:line-length
 	purl := "pkg:oci/ubi-minimal@sha256:92b1d5747a93608b6adb64dfd54515c3c5a360802db4706765ff3d8470df6290?repository_url=registry.access.redhat.com/ubi9/ubi-minimal"
 
-	# regal ignore:line-length
 	image_ref := "registry.access.redhat.com/ubi9/ubi-minimal@sha256:92b1d5747a93608b6adb64dfd54515c3c5a360802db4706765ff3d8470df6290"
 	lib.assert_equal(sbom.image_ref_from_purl(purl), image_ref)
 }

diff --git a/policy/lib/tekton/pipeline_test.rego b/policy/lib/tekton/pipeline_test.rego
@@ -30,7 +30,6 @@ test_pipeline_label_selector_build_task_slsa_v0_2 if {
 		"ref": {"name": "build-container", "kind": "Task"},
 		"results": [
 			{"name": "IMAGE_URL", "type": "string", "value": "localhost:5000/repo:latest"},
-			# regal ignore:line-length
 			{"name": "IMAGE_DIGEST", "type": "string", "value": "sha256:abc0000000000000000000000000000000000000000000000000000000000abc"},
 		],
 		"invocation": {"environment": {"labels": {tekton.task_label: "generic"}}},
@@ -65,7 +64,6 @@ test_pipeline_label_selector_pipeline_run_slsa_v0_2 if {
 		"ref": {"name": "build-container", "kind": "Task"},
 		"results": [
 			{"name": "IMAGE_URL", "type": "string", "value": "localhost:5000/repo:latest"},
-			# regal ignore:line-length
 			{"name": "IMAGE_DIGEST", "type": "string", "value": "sha256:abc0000000000000000000000000000000000000000000000000000000000abc"},
 		],
 	}

diff --git a/policy/lib/tekton/recorded_att_test.rego b/policy/lib/tekton/recorded_att_test.rego
@@ -15,7 +15,6 @@ test_slsa_v02_task_extraction if {
 			{"name": "mock-av-scanner"},
 			{"name": "<NAMELESS>"},
 			{
-				# regal ignore:line-length
 				"bundle": "quay.io/lucarval/test-policies-chains@sha256:ae5952d5aac1664fbeae9191d9445244051792af903d28d3e0084e9d9b7cce61",
 				"name": "mock-build",
 			},
@@ -32,82 +31,66 @@ test_slsa_v1_task_extraction if {
 
 	expected := [
 		{
-			# regal ignore:line-length
 			"bundle": "quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.7@sha256:916781b75e5f42a2e0b578b3ab3418e8bcc305168b2cd26ff41c8057e5c9ec28",
 			"name": "buildah-oci-ta",
 		},
 		{
-			# regal ignore:line-length
 			"bundle": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:04f75593558f79a27da2336400bc63d460bf0c5669e3c13f40ee2fb650b1ad1e",
 			"name": "ecosystem-cert-preflight-checks",
 		},
 		{
-			# regal ignore:line-length
 			"bundle": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:ea64f5b99202621e78ed3d74b00df5750cbf572c391e6da1956396f5945e4e11",
 			"name": "git-clone-oci-ta",
 		},
 		{
-			# regal ignore:line-length
 			"bundle": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:3fa0204a481044b21f0e784ce39cbd25e8fb49c664a5458f3eef351fff1c906e",
 			"name": "prefetch-dependencies-oci-ta",
 		},
 		{
-			# regal ignore:line-length
 			"bundle": "quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:4072de81ade0a75ad1eaa5449a7ff02bba84757064549a81b48c28fab3aeca59",
 			"name": "init",
 		},
 		{
-			# regal ignore:line-length
 			"bundle": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:5623e48314ffd583e9cab383011dc0763b6c92b09c4f427b8bfcca885394a21c",
 			"name": "coverity-availability-check",
 		},
 		{
-			# regal ignore:line-length
 			"bundle": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:f59175d9a0a60411738228dfe568af4684af4aa5e7e05c832927cb917801d489",
 			"name": "deprecated-image-check",
 		},
 		{
-			# regal ignore:line-length
 			"bundle": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:803ae1ecf35bc5d22be9882819e942e4b699cb17655055afc6bb6b02d34cfab8",
 			"name": "build-image-index",
 		},
 		{
-			# regal ignore:line-length
 			"bundle": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:08bba4a659ecd48f871bef00b80af58954e5a09fcbb28a1783ddd640c4f6535e",
 			"name": "push-dockerfile-oci-ta",
 		},
 		{
-			# regal ignore:line-length
 			"bundle": "quay.io/konflux-ci/konflux-vanguard/task-rpms-signature-scan:0.2@sha256:13cf619a8c24e5a565f1b3f20f6998273d3108a2866e04076b6f0dd967251af3",
 			"name": "rpms-signature-scan",
 		},
 		{
-			# regal ignore:line-length
 			"bundle": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:60f2dac41844d222086ff7f477e51f3563716b183d87db89f603d6f604c21760",
 			"name": "sast-snyk-check-oci-ta",
 		},
 		{
-			# regal ignore:line-length
 			"bundle": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:1f0fcba24ebc447d9f8a2ea2e8f262fa435d6c523ca6b0346cd67261551fc9ed",
 			"name": "sast-shell-check-oci-ta",
 		},
 		{
-			# regal ignore:line-length
 			"bundle": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:f3d2d179cddcc07d0228d9f52959a233037a3afa2619d0a8b2effbb467db80c3",
 			"name": "clamav-scan",
 		},
 		{
-			# regal ignore:line-length
 			"bundle": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:ee558db6af779ab162163ec88f288a5c1b2d5f70c3361f3690a474866e3bdc74",
 			"name": "clair-scan",
 		},
 		{
-			# regal ignore:line-length
 			"bundle": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.3@sha256:1833c618170ab9deb8455667f220df8e88d16ccd630a2361366f594e2bdcb712",
 			"name": "sast-unicode-check-oci-ta",
 		},
 		{
-			# regal ignore:line-length
 			"bundle": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.2@sha256:a61d8a6d0ba804869e8fe57a9289161817afad379ef2d7433d75ae40a148e2ec",
 			"name": "apply-tags",
 		},

diff --git a/policy/lib/tekton/refs_test.rego b/policy/lib/tekton/refs_test.rego
@@ -28,41 +28,35 @@ _git_key := "git+https://git.local/repo.git//tasks/test.yaml"
 test_bundle_in_definition if {
 	lib.assert_equal(
 		tekton.task_ref({"taskRef": {"bundle": _image, "name": "test", "kind": "Task"}}),
-		# regal ignore:line-length
 		{"bundle": _image, "kind": "task", "name": "test", "pinned": true, "pinned_ref": _image_digest, "tagged": false, "key": _image_key},
 	)
 
 	lib.assert_equal(
 		tekton.task_ref({"taskRef": {"bundle": _unpinned_image, "name": "test", "kind": "Task"}}),
-		# regal ignore:line-length
 		{"bundle": _unpinned_image, "kind": "task", "name": "test", "pinned": false, "tagged": true, "tagged_ref": "latest", "key": _unpinned_image_key},
 	)
 }
 
 test_bundle_in_slsa_v1_0 if {
 	lib.assert_equal(
 		tekton.task_ref({"spec": {"taskRef": {"name": "test", "kind": "Task", "bundle": _image}}}),
-		# regal ignore:line-length
 		{"bundle": _image, "kind": "task", "name": "test", "pinned": true, "pinned_ref": _image_digest, "tagged": false, "key": _image_key},
 	)
 
 	lib.assert_equal(
 		tekton.task_ref({"spec": {"taskRef": {"name": "test", "kind": "Task", "bundle": _unpinned_image}}}),
-		# regal ignore:line-length
 		{"bundle": _unpinned_image, "kind": "task", "name": "test", "pinned": false, "tagged": true, "tagged_ref": "latest", "key": _unpinned_image_key},
 	)
 }
 
 test_bundle_in_slsa_v0_2 if {
 	lib.assert_equal(
 		tekton.task_ref({"ref": {"name": "test", "kind": "Task", "bundle": _image}}),
-		# regal ignore:line-length
 		{"bundle": _image, "kind": "task", "name": "test", "pinned": true, "pinned_ref": _image_digest, "tagged": false, "key": _image_key},
 	)
 
 	lib.assert_equal(
 		tekton.task_ref({"ref": {"name": "test", "kind": "Task", "bundle": _unpinned_image}}),
-		# regal ignore:line-length
 		{"bundle": _unpinned_image, "kind": "task", "name": "test", "pinned": false, "tagged": true, "tagged_ref": "latest", "key": _unpinned_image_key},
 	)
 }
@@ -74,7 +68,6 @@ test_bundles_resolver_in_definition if {
 			{"name": "name", "value": "test"},
 			{"name": "kind", "value": "task"},
 		]}}),
-		# regal ignore:line-length
 		{"bundle": _image, "kind": "task", "name": "test", "pinned": true, "pinned_ref": _image_digest, "tagged": false, "key": _image_key},
 	)
 
@@ -84,7 +77,6 @@ test_bundles_resolver_in_definition if {
 			{"name": "name", "value": "test"},
 			{"name": "kind", "value": "task"},
 		]}}),
-		# regal ignore:line-length
 		{"bundle": _unpinned_image, "kind": "task", "name": "test", "pinned": false, "tagged": true, "tagged_ref": "latest", "key": _unpinned_image_key},
 	)
 }
@@ -96,7 +88,6 @@ test_bundles_resolver_in_slsa_v1_0 if {
 			{"name": "name", "value": "test"},
 			{"name": "kind", "value": "task"},
 		]}}}),
-		# regal ignore:line-length
 		{"bundle": _image, "kind": "task", "name": "test", "pinned": true, "pinned_ref": _image_digest, "tagged": false, "key": _image_key},
 	)
 
@@ -106,7 +97,6 @@ test_bundles_resolver_in_slsa_v1_0 if {
 			{"name": "name", "value": "test"},
 			{"name": "kind", "value": "task"},
 		]}}}),
-		# regal ignore:line-length
 		{"bundle": _unpinned_image, "kind": "task", "name": "test", "pinned": false, "tagged": true, "tagged_ref": "latest", "key": _unpinned_image_key},
 	)
 }
@@ -118,7 +108,6 @@ test_bundles_resolver_in_slsa_v0_2 if {
 			{"name": "name", "value": "test"},
 			{"name": "kind", "value": "task"},
 		]}}),
-		# regal ignore:line-length
 		{"bundle": _image, "kind": "task", "name": "test", "pinned": true, "pinned_ref": _image_digest, "tagged": false, "key": _image_key},
 	)
 
@@ -128,7 +117,6 @@ test_bundles_resolver_in_slsa_v0_2 if {
 			{"name": "name", "value": "test"},
 			{"name": "kind", "value": "task"},
 		]}}),
-		# regal ignore:line-length
 		{"bundle": _unpinned_image, "kind": "task", "name": "test", "pinned": false, "tagged": true, "tagged_ref": "latest", "key": _unpinned_image_key},
 	)
 }
@@ -284,7 +272,6 @@ test_git_resolver_canonical_key if {
 	)
 
 	lib.assert_equal(
-		# regal ignore:line-length
 		tekton.task_ref(json.patch(task, [{"op": "add", "path": "/ref/params/0/value", "value": "git+git.local/repo.git"}])).key,
 		expected,
 	)
@@ -335,15 +322,13 @@ test_local_task_in_slsa_v0_2 if {
 test_bundle_with_defaults if {
 	lib.assert_equal(
 		tekton.task_ref({"ref": {"bundle": _image}}),
-		# regal ignore:line-length
 		{"bundle": _image, "kind": "task", "name": tekton._no_task_name, "pinned": true, "pinned_ref": _image_digest, "tagged": false, "key": _image_key},
 	)
 }
 
 test_bundle_resolver_with_defaults if {
 	lib.assert_equal(
 		tekton.task_ref({"ref": {"resolver": "bundles", "params": [{"name": "bundle", "value": _image}]}}),
-		# regal ignore:line-length
 		{"bundle": _image, "kind": "task", "name": tekton._no_task_name, "pinned": true, "pinned_ref": _image_digest, "tagged": false, "key": _image_key},
 	)
 }
diff --git a/policy/lib/tekton/task_results_test.rego b/policy/lib/tekton/task_results_test.rego
@@ -54,12 +54,10 @@ test_artifact_result if {
 test_images_result if {
 	results := [{
 		"name": "IMAGES",
-		# regal ignore:line-length
 		"value": "img1@sha256:d19e5701000000000000000000000000000000000000000000000000d19e5701, img2@sha256:d19e5702000000000000000000000000000000000000000000000000d19e5702\n",
 	}]
 	lib.assert_equal(["img1", "img2"], tekton.task_result_artifact_url(resolved_slsav1_task("task1", [], results)))
 	lib.assert_equal(
-		# regal ignore:line-length
 		["sha256:d19e5701000000000000000000000000000000000000000000000000d19e5701", "sha256:d19e5702000000000000000000000000000000000000000000000000d19e5702"],
 		tekton.task_result_artifact_digest(resolved_slsav1_task("task1", [], results)),
 	)
@@ -155,7 +153,6 @@ test_mixed_results if {
 		},
 		{
 			"name": "IMAGES",
-			# regal ignore:line-length
 			"value": "images-1@sha256:4567000000000000000000000000000000000000000000000000000000004567,images-2@sha256:5678000000000000000000000000000000000000000000000000000000005678",
 		},
 		{
@@ -176,12 +173,10 @@ test_mixed_results if {
 		},
 		{
 			"name": "image1_ARTIFACT_OUTPUTS",
-			# regal ignore:line-length
 			"value": {"uri": "artifact-outputs-img1", "digest": "sha256:1234000000000000000000000000000000000000000000000000000000001234"},
 		},
 		{
 			"name": "image2_ARTIFACT_OUTPUTS",
-			# regal ignore:line-length
 			"value": {"uri": "artifact-outputs-img2", "digest": "sha256:9801000000000000000000000000000000000000000000000000000000009801"},
 		},
 	]