diff --git a/copy/single.go b/copy/single.go
index 7bc44d1f83..6aa4e7603a 100644
--- a/copy/single.go
+++ b/copy/single.go
@@ -328,19 +328,16 @@ func prepareImageConfigForDest(ctx context.Context, sys *types.SystemContext, sr
 		}
 		wantedPlatforms := platform.WantedPlatforms(sys)
 
-		options := newOrderedSet()
-		match := false
-		for _, wantedPlatform := range wantedPlatforms {
+		if !slices.ContainsFunc(wantedPlatforms, func(wantedPlatform imgspecv1.Platform) bool {
 			// For a transitional period, this might trigger warnings because the Variant
 			// field was added to OCI config only recently. If this turns out to be too noisy,
 			// revert this check to only look for (OS, Architecture).
-			if platform.MatchesPlatform(ociConfig.Platform, wantedPlatform) {
-				match = true
-				break
+			return platform.MatchesPlatform(ociConfig.Platform, wantedPlatform)
+		}) {
+			options := newOrderedSet()
+			for _, p := range wantedPlatforms {
+				options.append(fmt.Sprintf("%s+%s+%q", p.OS, p.Architecture, p.Variant))
 			}
-			options.append(fmt.Sprintf("%s+%s+%q", wantedPlatform.OS, wantedPlatform.Architecture, wantedPlatform.Variant))
-		}
-		if !match {
 			logrus.Infof("Image operating system mismatch: image uses OS %q+architecture %q+%q, expecting one of %q",
 				ociConfig.OS, ociConfig.Architecture, ociConfig.Variant, strings.Join(options.list, ", "))
 		}
diff --git a/manifest/oci.go b/manifest/oci.go
index 0faa866b7f..a18425d0e5 100644
--- a/manifest/oci.go
+++ b/manifest/oci.go
@@ -166,10 +166,11 @@ func (m *OCI1) UpdateLayerInfos(layerInfos []types.BlobInfo) error {
 // getEncryptedMediaType will return the mediatype to its encrypted counterpart and return
 // an error if the mediatype does not support encryption
 func getEncryptedMediaType(mediatype string) (string, error) {
-	if slices.Contains(strings.Split(mediatype, "+")[1:], "encrypted") {
+	parts := strings.Split(mediatype, "+")
+	if slices.Contains(parts[1:], "encrypted") {
 		return "", fmt.Errorf("unsupported mediaType: %q already encrypted", mediatype)
 	}
-	unsuffixedMediatype := strings.Split(mediatype, "+")[0]
+	unsuffixedMediatype := parts[0]
 	switch unsuffixedMediatype {
 	case DockerV2Schema2LayerMediaType, imgspecv1.MediaTypeImageLayer,
 		imgspecv1.MediaTypeImageLayerNonDistributable: //nolint:staticcheck // NonDistributable layers are deprecated, but we want to continue to support manipulating pre-existing images.
diff --git a/ostree/ostree_src.go b/ostree/ostree_src.go
index 0b597ce266..0f46726aa7 100644
--- a/ostree/ostree_src.go
+++ b/ostree/ostree_src.go
@@ -250,9 +250,7 @@ func newOSTreePathFileGetter(repo *C.struct_OstreeRepo, commit string) (*ostreeP
 
 func (o ostreePathFileGetter) Get(filename string) (io.ReadCloser, error) {
 	var file *C.GFile
-	if strings.HasPrefix(filename, "./") {
-		filename = filename[2:]
-	}
+	filename, _ = strings.CutPrefix(filename, "./")
 	cfilename := C.CString(filename)
 	defer C.free(unsafe.Pointer(cfilename))
 
diff --git a/pkg/sysregistriesv2/system_registries_v2.go b/pkg/sysregistriesv2/system_registries_v2.go
index 9ac050512a..2d47a4f257 100644
--- a/pkg/sysregistriesv2/system_registries_v2.go
+++ b/pkg/sysregistriesv2/system_registries_v2.go
@@ -430,7 +430,8 @@ func (config *V2RegistriesConf) postProcessRegistries() error {
 			return fmt.Errorf("pull-from-mirror must not be set for a non-mirror registry %q", reg.Prefix)
 		}
 		// make sure mirrors are valid
-		for _, mir := range reg.Mirrors {
+		for j := range reg.Mirrors {
+			mir := &reg.Mirrors[j]
 			mir.Location, err = parseLocation(mir.Location)
 			if err != nil {
 				return err
diff --git a/signature/internal/sigstore_payload_test.go b/signature/internal/sigstore_payload_test.go
index d6be57d78a..287fa79ee8 100644
--- a/signature/internal/sigstore_payload_test.go
+++ b/signature/internal/sigstore_payload_test.go
@@ -316,7 +316,7 @@ func TestVerifySigstorePayload(t *testing.T) {
 	for _, invalidSig := range [][]byte{
 		{}, // Empty signature
 		[]byte("invalid signature"),
-		append(bytes.Clone(validSignatureBytes), validSignatureBytes...),
+		bytes.Repeat(validSignatureBytes, 2),
 	} {
 		recorded = acceptanceData{}
 		res, err = VerifySigstorePayload(singlePublicKey, sigstoreSig.UntrustedPayload(), base64.StdEncoding.EncodeToString(invalidSig), recordingRules)
diff --git a/storage/storage_transport.go b/storage/storage_transport.go
index b981953ad4..c26f4e38cb 100644
--- a/storage/storage_transport.go
+++ b/storage/storage_transport.go
@@ -362,15 +362,14 @@ func (s storageTransport) ValidatePolicyConfigurationScope(scope string) error {
 	}
 	storeSpec := scope[1:closeIndex]
 	scope = scope[closeIndex+1:]
-	storeInfo := strings.SplitN(storeSpec, "@", 2)
-	if len(storeInfo) == 1 && storeInfo[0] != "" {
-		// One component: the graph root.
-		if !filepath.IsAbs(storeInfo[0]) {
+	if a, b, ok := strings.Cut(storeSpec, "@"); ok && a != "" && b != "" {
+		// Two components: the driver type and the graph root.
+		if !filepath.IsAbs(b) {
 			return ErrPathNotAbsolute
 		}
-	} else if len(storeInfo) == 2 && storeInfo[0] != "" && storeInfo[1] != "" {
-		// Two components: the driver type and the graph root.
-		if !filepath.IsAbs(storeInfo[1]) {
+	} else if !ok && a != "" {
+		// One component: the graph root.
+		if !filepath.IsAbs(storeSpec) {
 			return ErrPathNotAbsolute
 		}
 	} else {