← All open source projects

ShellCheck

koalaman/shellcheck

ShellCheck is a static analyzer for shell scripts that finds Bash and sh issues before execution.

GitHub · 39,623 stars Project website
Forks 1,932
Author koalaman
Language Haskell
License GPL-3.0
Synced 2026-06-27

What it is

ShellCheck is a static analyzer for shell scripts. It reads Bash and sh code and warns about quoting issues, missing variables, dangerous substitutions, incompatible syntax, and strange conditions.

Shell scripts are often written quickly and used in important places: deployment, builds, backups, and server setup. One line can break a release or remove the wrong files.

How the approach works

The tool does not execute the script. It analyzes text and reports warnings with codes, explanations, and suggestions.

ShellCheck is especially useful where shell glues tools together. Even experienced developers make mistakes around spaces, quotes, and glob behavior.

Checking scripts

This example shows normal use: analyze files before running them on a real system.

Language: Bash 
shellcheck deploy.sh
shellcheck --severity=warning scripts/*.sh

What is inside

The repository contains the analyzer written in Haskell, documentation, tests, installation instructions, editor integrations, and CI examples.

For teams, ShellCheck turns hidden shell traps into visible warnings.

Practical context

It works best when automated in an editor, pre-commit check, or CI. Manual checks are useful but easy to forget.

Not every warning means immediate failure. Sometimes an exception is intentional, but it should be documented.

Why shell mistakes are expensive

Shell scripts often live where errors are noticed late: builds, installation, server maintenance, file movement, and scheduled tasks. Wrong quoting or subtle variable behavior can break a process after it starts.

ShellCheck is valuable because it catches many of these problems before execution. It warns about quoting, portability, unused variables, odd tests, and constructs that look correct but behave differently across shells.

The limitation is that a static analyzer does not know all business logic. Sometimes a warning should be suppressed deliberately, but the better practice is to understand the reason before disabling a rule.

The repository is useful for almost any project with install scripts, CI commands, server maintenance, or small automations. Shell looks simple, and that is exactly why mistakes can hide easily.

ShellCheck works especially well as part of the normal check before a change: locally, in the editor, or in CI. Small mistakes then stay out of servers and production jobs.

Strengths and limits

The strength is fast detection of common shell mistakes. The limit is that static analysis does not know the whole runtime environment and does not replace test runs.