diff --git a/examples/options.yaml b/examples/options.yaml
index b105442d7..d960089ae 100644
--- a/examples/options.yaml
+++ b/examples/options.yaml
@@ -4,10 +4,7 @@ package:
   epoch: 3
   description: "URL retrieval utility and library"
   copyright:
-    - paths:
-        - "*"
-      attestation: TODO
-      license: MIT
+    - license: MIT
 
 environment:
   contents:
diff --git a/pkg/config/config.go b/pkg/config/config.go
index d1b506fda..25095c36c 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -836,15 +836,40 @@ func (cfg Configuration) validate() error {
 
 	// TODO: try to validate value of .package.version
 
-	for i, sp := range cfg.Subpackages {
+	if err := validatePipeline(cfg.Pipeline); err != nil {
+		return ErrInvalidConfiguration{Problem: fmt.Errorf("pipeline validation failed: %w", err)}
+	}
+
+	for _, sp := range cfg.Subpackages {
 		if !packageNameRegex.MatchString(sp.Name) {
-			return ErrInvalidConfiguration{Problem: fmt.Errorf("subpackage name %q (subpackages index: %d) must match regex %q", sp.Name, i, packageNameRegex)}
+			return ErrInvalidConfiguration{Problem: fmt.Errorf("subpackage %q must match regex %q", sp.Name, packageNameRegex)}
+		}
+		if err := validatePipeline(sp.Pipeline); err != nil {
+			return ErrInvalidConfiguration{Problem: fmt.Errorf("subpackage %q pipeline validation failed: %w", sp.Name, err)}
 		}
 	}
 
 	return nil
 }
 
+func validatePipeline(steps []Pipeline) error {
+	for _, step := range steps {
+		if step.Uses == "" && len(step.With) != 0 {
+			return fmt.Errorf("pipeline step %q cannot use 'with' except with 'uses'", step.Name)
+		}
+		if step.Pipeline != nil {
+			if step.Runs != "" && step.Uses != "" {
+				return fmt.Errorf("pipeline step %q cannot use 'runs' or 'uses' with 'pipeline'", step.Name)
+			}
+
+			if err := validatePipeline(step.Pipeline); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
 // PackageURLs returns a list of package URLs ("purls") for the given
 // configuration. The first PURL is always the origin package, and any subsequent
 // items are the PURLs for the Configuration's subpackages. For more information