shellcheck
ShellCheck is a comprehensive static analysis tool for shell scripts that identifies bugs, security issues, and stylistic problems before they cause runtime failures. It serves as the gold standard for shell script quality assurance and reliability.
Key Features:
- Advanced Bug Detection: Catches common shell scripting mistakes like unquoted variables, incorrect conditionals, and path expansion issues
- Security Analysis: Identifies potential security vulnerabilities including command injection risks and unsafe variable usage
- Portability Checking: Warns about bashisms and non-portable constructs to ensure scripts work across different shells (bash, dash, sh)
- Syntax Validation: Comprehensive parsing that catches syntax errors and malformed constructs
- Best Practices Enforcement: Promotes modern shell scripting practices and warns against deprecated or dangerous patterns
- Detailed Explanations: Each warning includes links to explanations with examples and recommended fixes
- Multi-Shell Support: Analyzes bash, sh, dash, and ksh scripts with shell-specific checking
- SARIF Output: Modern security report format for integration with development platforms and security tools
- Extensive Rule Coverage: Over 100 different checks covering everything from quoting to array usage
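The unquoted-variable and path-expansion mistakes named in the feature list, as an added example that is not taken from the ShellCheck or MegaLinter documentation. The function names and sample values are constructed for illustration; SC2086 is the ShellCheck code reported for an unquoted expansion.

```shell
#!/bin/sh
# Added example: the failure mode behind ShellCheck warning SC2086.
# All inputs are constructed for the demonstration.

# Report how many arguments a command actually receives.
count_args() { echo "$#"; }

# Unquoted expansion: the shell word-splits and glob-expands the value
# before the command sees it. ShellCheck reports the call below as SC2086;
# the directive silences it only because the mistake is deliberate here.
unquoted_argc() {
    value=$1
    # shellcheck disable=SC2086
    count_args $value
}

# Quoted expansion: the value always arrives as exactly one argument.
quoted_argc() {
    value=$1
    count_args "$value"
}

# Run one of the functions above on the pattern '*.log' inside a scratch
# directory holding two matching files, so the glob result is deterministic.
argc_in_scratch_dir() {
    fn=$1
    dir=$(mktemp -d) || return 1
    : > "$dir/a.log"
    : > "$dir/b.log"
    result=$(cd "$dir" && "$fn" '*.log')
    rm -rf "$dir"
    echo "$result"
}

# A file name with a space: one logical argument becomes two when unquoted.
printf 'space, unquoted: %s\n' "$(unquoted_argc 'report final.txt')"
printf 'space, quoted:   %s\n' "$(quoted_argc 'report final.txt')"
# A value containing a glob: it expands to every matching file when unquoted.
printf 'glob,  unquoted: %s\n' "$(argc_in_scratch_dir unquoted_argc)"
printf 'glob,  quoted:   %s\n' "$(argc_in_scratch_dir quoted_argc)"
```

With the `disable` directive removed, ShellCheck flags the call in `unquoted_argc` and leaves `quoted_argc` alone.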
shellcheck documentation
- Version in MegaLinter: 0.10.0
- Visit Official Web Site
- See How to disable shellcheck rules in files
- See Index of problems detected by shellcheck
Configuration in MegaLinter
- Enable shellcheck by adding `BASH_SHELLCHECK` in ENABLE_LINTERS variable
- Disable shellcheck by adding `BASH_SHELLCHECK` in DISABLE_LINTERS variable
Variable | Description | Default value |
---|---|---|
BASH_SHELLCHECK_ARGUMENTS | User custom arguments to add in linter CLI call. Ex: -s --foo "bar" | |
BASH_SHELLCHECK_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from command line before calling the linter. Ex: -s --foo "bar" | |
BASH_SHELLCHECK_FILTER_REGEX_INCLUDE | Custom regex including filter. Ex: (src\|lib) | Include every file |
BASH_SHELLCHECK_FILTER_REGEX_EXCLUDE | Custom regex excluding filter. Ex: (test\|examples) | Exclude no file |
BASH_SHELLCHECK_CLI_LINT_MODE | Override default CLI lint mode. file: calls the linter for each file; list_of_files: calls the linter with the list of files as argument; project: calls the linter from the root of the project | list_of_files |
BASH_SHELLCHECK_FILE_EXTENSIONS | Allowed file extensions. "*" matches any extension, "" matches empty extension. Empty list excludes all files. Ex: [".py", ""] | ["", ".sh", ".bash", ".dash", ".ksh"] |
BASH_SHELLCHECK_FILE_NAMES_REGEX | File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files. Ex: ["Dockerfile(-.+)?", "Jenkinsfile"] | Include every file |
BASH_SHELLCHECK_PRE_COMMANDS | List of bash commands to run before the linter | None |
BASH_SHELLCHECK_POST_COMMANDS | List of bash commands to run after the linter | None |
BASH_SHELLCHECK_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling BASH_SHELLCHECK and its pre/post commands | None |
BASH_SHELLCHECK_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
BASH_SHELLCHECK_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
BASH_SHELLCHECK_CLI_EXECUTABLE | Override CLI executable | ['shellcheck'] |
IDE Integration
Use shellcheck in your favorite IDE to catch errors before MegaLinter!
MegaLinter Flavors
This linter is available in the following flavors
Flavor | Description | Embedded linters |
---|---|---|
all | Default MegaLinter Flavor | 127 |
c_cpp | Optimized for pure C/C++ projects | 57 |
ci_light | Optimized for CI items (Dockerfile, Jenkinsfile, JSON/YAML schemas, XML) | 22 |
cupcake | MegaLinter for the most commonly used languages | 88 |
documentation | MegaLinter for documentation projects | 50 |
dotnet | Optimized for C, C++, C# or VB based projects | 65 |
dotnetweb | Optimized for C, C++, C# or VB based projects with JS/TS | 74 |
go | Optimized for GO based projects | 52 |
java | Optimized for JAVA based projects | 55 |
javascript | Optimized for JAVASCRIPT or TYPESCRIPT based projects | 60 |
php | Optimized for PHP based projects | 55 |
python | Optimized for PYTHON based projects | 66 |
ruby | Optimized for RUBY based projects | 51 |
rust | Optimized for RUST based projects | 51 |
salesforce | Optimized for Salesforce based projects | 55 |
security | Optimized for security | 24 |
swift | Optimized for SWIFT based projects | 51 |
terraform | Optimized for TERRAFORM based projects | 55 |
Behind the scenes
How applicable files are identified
- File extensions: `""`, `.sh`, `.bash`, `.dash`, `.ksh`
- Detected file content (regex): `^#!/usr/bin/env bash`, `^#!/bin/bash`, `^#!/bin/sh`
How the linting is performed
- shellcheck is called once with the list of files as arguments (`list_of_files` CLI lint mode)
Example calls
shellcheck --color=auto --external-sources myfile.sh
Help content
Usage: shellcheck [OPTIONS...] FILES...
-a --check-sourced Include warnings from sourced files
-C[WHEN] --color[=WHEN] Use color (auto, always, never)
-i CODE1,CODE2.. --include=CODE1,CODE2.. Consider only given types of warnings
-e CODE1,CODE2.. --exclude=CODE1,CODE2.. Exclude types of warnings
--extended-analysis=bool Perform dataflow analysis (default true)
-f FORMAT --format=FORMAT Output format (checkstyle, diff, gcc, json, json1, quiet, tty)
--list-optional List checks disabled by default
--norc Don't look for .shellcheckrc files
--rcfile=RCFILE Prefer the specified configuration file over searching for one
-o check1,check2.. --enable=check1,check2.. List of optional checks to enable (or 'all')
-P SOURCEPATHS --source-path=SOURCEPATHS Specify path when looking for sourced files ("SCRIPTDIR" for script's dir)
-s SHELLNAME --shell=SHELLNAME Specify dialect (sh, bash, dash, ksh, busybox)
-S SEVERITY --severity=SEVERITY Minimum severity of errors to consider (error, warning, info, style)
-V --version Print version information
-W NUM --wiki-link-count=NUM The number of wiki links to show, when applicable
-x --external-sources Allow 'source' outside of FILES
--help Show this usage summary and exit
Installation on mega-linter Docker image
- Dockerfile commands :
# renovate: datasource=crate depName=shellcheck-sarif
ARG CARGO_SHELLCHECK_SARIF_VERSION=0.8.0
# renovate: datasource=docker depName=koalaman/shellcheck
ARG BASH_SHELLCHECK_VERSION=v0.10.0
FROM koalaman/shellcheck:${BASH_SHELLCHECK_VERSION} AS shellcheck
COPY --link --from=shellcheck /bin/shellcheck /usr/bin/shellcheck
- Cargo packages (Rust):