Static Analysis and Auditing with ShellCheck
Integrate ShellCheck into a security gate and interpret its findings to harden every script.
What Is ShellCheck and Why It Matters
ShellCheck is an open-source static analysis tool for shell scripts. It parses your Bash (and POSIX sh, dash, ksh) source without executing it and reports bugs, unsafe constructs, portability issues, and style problems — each tagged with a unique rule code like SC2086.
In a security-hardened pipeline, ShellCheck acts as a mandatory gate: no script ships until it passes. This matters because:
- Many shell vulnerabilities (word splitting, injection, unquoted expansion) are invisible during happy-path testing but trigger under attacker-controlled input.
- ShellCheck catches these classes of bugs before runtime, at zero cost.
- It documents why each pattern is dangerous, making your team more aware over time.
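The following is an added example of such a gate script, not part of this lesson: it discovers every shell script under a directory (by .sh suffix or by shebang), runs ShellCheck over each one with a severity floor, and exits non-zero if any script fails, which is what a CI step needs to block a merge. The function names find_shell_scripts, is_shell_script and run_gate and the GATE_SEVERITY variable are made up here; the ShellCheck flags used (-S for the minimum severity, -x to follow sourced files, -f gcc for machine-readable file:line:col output) are real.

```shell
#!/usr/bin/env bash
# shellcheck_gate.sh - added example of a CI gate built around ShellCheck.
# Not part of the lesson. Assumes `shellcheck` is on PATH. Function names
# and GATE_SEVERITY are invented for this example.

# Decide whether one file is a shell script: either it ends in .sh or its
# first line is a sh/bash/dash/ksh shebang (the dialects ShellCheck handles).
is_shell_script() {
  case $1 in *.sh) return 0 ;; esac
  head -n 1 "$1" 2>/dev/null |
    grep -Eq '^#!.*(/|[[:space:]])(sh|bash|dash|ksh)([[:space:]]|$)'
}

# Print every shell script under the given directory, one path per line,
# skipping anything inside .git.
find_shell_scripts() {
  find "$1" -type f ! -path '*/.git/*' | while IFS= read -r f; do
    if is_shell_script "$f"; then printf '%s\n' "$f"; fi
  done
}

# Run ShellCheck over every discovered script and return 1 if any script
# has a finding at or above GATE_SEVERITY (default: warning, so style and
# info findings are still worth reading but do not block the pipeline).
# -f gcc prints "file:line:col: severity: message [SCnnnn]" so CI tools can
# annotate the exact line; -x follows files pulled in with `source`.
run_gate() {
  local root=${1:-.} severity=${GATE_SEVERITY:-warning} status=0 script scripts
  scripts=$(find_shell_scripts "$root")
  if [ -z "$scripts" ]; then
    echo "gate: no shell scripts found under $root" >&2
    return 0
  fi
  # A here-document keeps the loop in the current shell, so `status`
  # survives (a `cmd | while` loop would run in a subshell and lose it).
  while IFS= read -r script; do
    [ -n "$script" ] || continue
    shellcheck -x -S "$severity" -f gcc "$script" || status=1
  done <<EOF
$scripts
EOF
  return "$status"
}
```

Run it as `GATE_SEVERITY=info ./shellcheck_gate.sh path/to/repo` to tighten the floor; the exit status is what the CI job checks. The script deliberately does not pass `-e SCxxxx` exclusions: suppressions belong as `# shellcheck disable=` directives next to the line they cover, where a reviewer sees them.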
Install it on any system:
# Debian / Ubuntu
sudo apt-get install shellcheck
# macOS (Homebrew)
brew install shellcheck
# From source via Cabal (any platform)
cabal update && cabal install ShellCheck
# Verify
shellcheck --version
Running ShellCheck for the First Time
The simplest invocation is shellcheck <script>. ShellCheck reads the shebang line to determine the shell dialect and then emits findings to stdout.
Each finding includes:
- File and line number — exact location
- Severity — error, warning, info, or style
- SC code — stable rule identifier you can look up or suppress
- Human explanation — tells you what is wrong and often how to fix it
Run the script below and observe the output ShellCheck would produce:
#!/usr/bin/env bash
# demo_bad.sh — intentionally flawed for ShellCheck demonstration
FILE=$1
if [ $FILE == '' ]; then
echo "No file given"
fi
cat $FILE | grep 'error' | wc -l
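As an added example that is not part of the lesson, here is the hardened counterpart of demo_bad.sh above, written as a function so it can be reused and tested. The comments name the rule each change answers: SC2086 (unquoted expansion, the code cited in this lesson) and SC2002 (useless use of cat, a real ShellCheck rule), plus the logic bug ShellCheck cannot see, that the original printed "No file given" and then carried on anyway. The function name count_error_lines is invented here.

```shell
#!/usr/bin/env bash
# demo_fixed.sh - added example: hardened counterpart of demo_bad.sh.
# Not part of the lesson; count_error_lines is a made-up name. In a
# standalone script also enable `set -u` so an unset $1 aborts loudly
# instead of silently becoming an empty string.

# Count lines containing "error" in the given file and print the count.
# Returns 2 (with a message on stderr) when no readable file is given.
count_error_lines() {
  # ${1:-} keeps `set -u` happy when the caller passed no argument.
  local file=${1:-}

  # Original: [ $FILE == '' ]  -> SC2086. With an empty $FILE the test
  # collapses to `[ == '' ]` and errors out, so the empty-input check never
  # actually fired; with "a b" it word-splits into extra operands. -z on a
  # quoted variable is the portable form. The original also fell through
  # after the echo and ran `cat` on nothing; return early instead.
  if [ -z "$file" ]; then
    echo "No file given" >&2
    return 2
  fi
  if [ ! -r "$file" ]; then
    echo "Cannot read: $file" >&2
    return 2
  fi

  # Original: cat $FILE | grep 'error' | wc -l  -> SC2002 (useless cat)
  # plus SC2086 again. grep -c counts matching lines itself, and "--"
  # stops a filename beginning with "-" from being parsed as an option.
  # grep -c exits 1 when the count is 0: that is a valid answer, not a
  # failure; anything above 1 (unreadable file, bad pattern) is an error.
  local n status=0
  n=$(grep -c 'error' -- "$file") || status=$?
  [ "$status" -le 1 ] || return "$status"
  printf '%s\n' "$n"
}
```

Running ShellCheck over this version produces no findings; the remaining behaviour differences (early exit, stderr for diagnostics, a filename with spaces handled as one argument) are exactly the cases the unquoted original got wrong.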