diff --git a/.github/workflows/test-rego.yaml b/.github/workflows/test-rego.yaml
index af2508b7..f705f8ea 100644
--- a/.github/workflows/test-rego.yaml
+++ b/.github/workflows/test-rego.yaml
@@ -24,6 +24,14 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Setup Regal 
+        uses: StyraInc/setup-regal@33a142b1189004e0f14bf42b15972c67eecce776 # v1
+        with:
+          version: 0.29
+
+      - name: Lint Rego
+        run: make lint-rego
+
       - uses: actions/setup-go@v5
         with:
           go-version: ${{ env.GO_VERSION }}
diff --git a/.regal/config.yaml b/.regal/config.yaml
new file mode 100644
index 00000000..9d0f446d
--- /dev/null
+++ b/.regal/config.yaml
@@ -0,0 +1,16 @@
+rules:
+  default:
+    level: ignore
+  custom:
+    naming-convention:
+      level: error
+      conventions:
+        - pattern: '^builtin|lib|defsec|appshield'
+          targets:
+            - package
+  naming:
+    deny-rule:
+      level: error
+      ignore:
+        files:
+          - "*_test.rego"
diff --git a/.regal/rules/custom/regal/rules/naming/deny-rule/deny_rule.rego b/.regal/rules/custom/regal/rules/naming/deny-rule/deny_rule.rego
new file mode 100644
index 00000000..8a7d56a8
--- /dev/null
+++ b/.regal/rules/custom/regal/rules/naming/deny-rule/deny_rule.rego
@@ -0,0 +1,19 @@
+# METADATA
+# description: Ensures that no rules in the check are named with the prefix 'deny_'
+# related_resources:
+# - description: documentation
+#   ref: https://github.com/aquasecurity/trivy-checks/pull/283
+# schemas:
+# - input: schema.regal.ast
+package custom.regal.rules.naming["deny-rule"]
+
+import rego.v1
+
+import data.regal.ast
+import data.regal.result
+
+report contains violation if {
+	some rule in input.rules
+	startswith(ast.ref_to_string(rule.head.ref), "deny_")
+	violation := result.fail(rego.metadata.chain(), result.location(rule))
+}
diff --git a/.regal/rules/custom/regal/rules/naming/deny-rule/deny_rule_test.rego b/.regal/rules/custom/regal/rules/naming/deny-rule/deny_rule_test.rego
new file mode 100644
index 00000000..d48bd351
--- /dev/null
+++ b/.regal/rules/custom/regal/rules/naming/deny-rule/deny_rule_test.rego
@@ -0,0 +1,35 @@
+package custom.regal.rules.naming["deny-rule_test"]
+
+import rego.v1
+
+import data.custom.regal.rules.naming["deny-rule"] as rule
+
+test_rule_named_startswith_not_allowed if {
+	module := regal.parse_module("example.rego", `
+	package policy
+
+	deny_foo := true`)
+
+	r := rule.report with input as module
+
+	r == {{
+		"category": "naming",
+		"description": "Ensures that no rules in the check are named with the prefix 'deny_'",
+		"related_resources": [{
+			"description": "documentation",
+			"ref": "https://github.com/aquasecurity/trivy-checks/pull/283",
+		}],
+		"level": "error",
+		"location": {
+			"file": "example.rego",
+			"row": 4,
+			"col": 2,
+			"end": {
+				"row": 4,
+				"col": 18,
+			},
+			"text": "\tdeny_foo := true",
+		},
+		"title": "deny-rule",
+	}}
+}
diff --git a/Makefile b/Makefile
index 1353b715..ae1fd6ee 100644
--- a/Makefile
+++ b/Makefile
@@ -15,12 +15,20 @@ rego: fmt-rego test-rego
 
 .PHONY: fmt-rego
 fmt-rego:
-	opa fmt -w lib/ checks/ examples/
+	opa fmt -w lib/ checks/ examples/ .regal/rules
 
 .PHONY: test-rego
 test-rego:
 	go run ./cmd/opa test --explain=fails lib/ checks/ examples/ --ignore '*.yaml'
 
+.PHONY: lint-rego
+lint-rego:
+	@regal test .regal/rules 
+	@regal lint lib checks \
+		--config-file .regal/config.yaml \
+		--enable deny-rule,naming-convention \
+		--timeout 5m
+
 .PHONY: bundle
 bundle: create-bundle verify-bundle