

ShellCheck, a static analysis tool for shell scripts


Statistics on shellcheck

Number of watchers on Github 10320
Number of open issues 320
Average time to close an issue 25 days
Main language Haskell
Average time to merge a PR 2 days
Open pull requests 19+
Closed pull requests 11+
Last commit about 2 years ago
Repo Created over 7 years ago
Repo Last Updated about 2 years ago
Size 2.92 MB
Homepage https://www.shell...
Organization / Author koalaman

ShellCheck - A shell script static analysis tool

ShellCheck is a GPLv3 tool that gives warnings and suggestions for bash/sh shell scripts:

Screenshot of a terminal showing problematic shell script lines highlighted.

The goals of ShellCheck are

  • To point out and clarify typical beginner's syntax issues that cause a shell to give cryptic error messages.

  • To point out and clarify typical intermediate level semantic problems that cause a shell to behave strangely and counter-intuitively.

  • To point out subtle caveats, corner cases and pitfalls that may cause an advanced user's otherwise working script to fail under future circumstances.

See the gallery of bad code for examples of what ShellCheck can help you identify!


How to use

There are a number of ways to use ShellCheck!

On the web

Paste a shell script on https://www.shellcheck.net for instant feedback.

ShellCheck.net is always synchronized to the latest git commit, and is the easiest way to give ShellCheck a go. Tell your friends!

From your terminal

Run shellcheck yourscript in your terminal for instant output, as seen above.

In your editor

You can see ShellCheck suggestions directly in a variety of editors.

Screenshot of Vim showing inlined shellcheck feedback.

Screenshot of emacs showing inlined shellcheck feedback.

In your build or test suites

While ShellCheck is mostly intended for interactive use, it can easily be added to builds or test suites.

ShellCheck makes canonical use of exit codes, and can output simple JSON, CheckStyle compatible XML, GCC compatible warnings as well as human readable text (with or without ANSI colors). See the Integration wiki page for more documentation.


Installing

The easiest way to install ShellCheck locally is through your package manager.

On systems with Cabal (installs to ~/.cabal/bin):

cabal update
cabal install ShellCheck

On systems with Stack (installs to ~/.local/bin):

stack update
stack install ShellCheck

On Debian based distros:

apt-get install shellcheck

On Arch Linux based distros:

pacman -S shellcheck

or get the dependency free shellcheck-static from the AUR.

On Gentoo based distros:

emerge --ask shellcheck

On EPEL based distros:

yum -y install epel-release
yum install ShellCheck

On Fedora based distros:

dnf install ShellCheck

On OS X with homebrew:

brew install shellcheck

On openSUSE

zypper in ShellCheck

Or use OneClickInstall - https://software.opensuse.org/package/ShellCheck

On Solus:

eopkg install shellcheck

From Docker Hub:

docker pull koalaman/shellcheck:latest  # Or  :v0.4.6  for a release version
docker run -v "$PWD:/mnt" koalaman/shellcheck myscript

or use koalaman/shellcheck-alpine if you want a larger Alpine Linux based image to extend.

Alternatively, get freshly built binaries for the latest commit here:

or see the storage bucket listing for checksums and release builds.

Travis CI

Travis CI now integrates ShellCheck by default, so you don't need to install it manually.

Compiling from source

This section describes how to build ShellCheck from a source directory. ShellCheck is written in Haskell and requires 2GB of RAM to compile.

Installing Cabal

ShellCheck is built and packaged using Cabal. Install the package cabal-install from your system's package manager (with e.g. apt-get, brew, emerge, yum, or zypper).

On MacOS (OS X), you can do a fast install of Cabal using brew, which takes a couple of minutes instead of more than 30 minutes if you try to compile it from source.

brew install cask
brew cask install haskell-platform
cabal install cabal-install

On MacPorts, the package is instead called hs-cabal-install, while native Windows users should install the latest version of the Haskell platform from https://www.haskell.org/platform/

Verify that cabal is installed and update its dependency list with

$ cabal update

Compiling ShellCheck

git clone this repository, and cd to the ShellCheck source directory to build/install:

$ cabal install

Or if you intend to run the tests:

$ cabal install --enable-tests

This will compile ShellCheck and install it to your ~/.cabal/bin directory.

Add this directory to your PATH (for bash, add this to your ~/.bashrc):

export PATH="$HOME/.cabal/bin:$PATH"

Log out and in again, and verify that your PATH is set up correctly:

$ which shellcheck

On native Windows, the PATH should already be set up, but the system may use a legacy codepage. In cmd.exe, powershell.exe and Powershell ISE, make sure to use a TrueType font, not a Raster font, and set the active codepage to UTF-8 (65001) with chcp:

> chcp 65001
Active code page: 65001

In Powershell ISE, you may need to additionally update the output encoding:

> [Console]::OutputEncoding = [System.Text.Encoding]::UTF8

Running tests

To run the unit test suite:

$ cabal test

Gallery of bad code

So what kind of things does ShellCheck look for? Here is an incomplete list of detected issues.


Quoting

ShellCheck can recognize several types of incorrect quoting:

echo $1                           # Unquoted variables
find . -name *.ogg                # Unquoted find/grep patterns
rm "~/my file.txt"                # Quoted tilde expansion
v='--verbose="true"'; cmd $v      # Literal quotes in variables
for f in "*.ogg"                  # Incorrectly quoted 'for' loops
touch $@                          # Unquoted $@
echo 'Don't forget to restart!'   # Singlequote closed by apostrophe
echo 'Don\'t try this at home'    # Attempting to escape ' in ''
echo 'Path is $PATH'              # Variables in single quotes
trap "echo Took ${SECONDS}s" 0    # Prematurely expanded trap


Conditionals

ShellCheck can recognize many types of incorrect test statements.

[[ n != 0 ]]                      # Constant test expressions
[[ -e *.mpg ]]                    # Existence checks of globs
[[ $foo==0 ]]                     # Always true due to missing spaces
[[ -n "$foo " ]]                  # Always true due to literals
[[ $foo =~ "fo+" ]]               # Quoted regex in =~
[ foo =~ re ]                     # Unsupported [ ] operators
[ $1 -eq "shellcheck" ]           # Numerical comparison of strings
[ $n && $m ]                      # && in [ .. ]
[ grep -q foo file ]              # Command without $(..)
[[ "$$file" == *.jpg ]]           # Comparisons that can't succeed
(( 1 -lt 2 ))                     # Using test operators in ((..))

Frequently misused commands

ShellCheck can recognize instances where commands are used incorrectly:

grep '*foo*' file                 # Globs in regex contexts
find . -exec foo {} && bar {} \;  # Prematurely terminated find -exec
sudo echo 'Var=42' > /etc/profile # Redirecting sudo
time --format=%s sleep 10         # Passing time(1) flags to time builtin
while read h; do ssh "$h" uptime  # Commands eating while loop input
alias archive='mv $1 /backup'     # Defining aliases with arguments
tr -cd '[a-zA-Z0-9]'              # [] around ranges in tr
exec foo; echo "Done!"            # Misused 'exec'
find -name \*.bak -o -name \*~ -delete  # Implicit precedence in find
f() { whoami; }; sudo f           # External use of internal functions

Common beginner's mistakes

ShellCheck recognizes many common beginner's syntax errors:

var = 42                          # Spaces around = in assignments
$foo=42                           # $ in assignments
for $var in *; do ...             # $ in for loop variables
var$n="Hello"                     # Wrong indirect assignment
echo ${var$n}                     # Wrong indirect reference
var=(1, 2, 3)                     # Comma separated arrays
array=( [index] = value )         # Incorrect index initialization
echo "Argument 10 is $10"         # Positional parameter misreference
if $(myfunction); then ..; fi     # Wrapping commands in $()
else if othercondition; then ..   # Using 'else if'


Style

ShellCheck can make suggestions to improve style:

[[ -z $(find /tmp | grep mpg) ]]  # Use grep -q instead
a >> log; b >> log; c >> log      # Use a redirection block instead
echo "The time is `date`"         # Use $() instead
cd dir; process *; cd ..;         # Use subshells instead
echo $[1+2]                       # Use standard $((..)) instead of old $[]
echo $(($RANDOM % 6))             # Don't use $ on variables in $((..))
echo "$(date)"                    # Useless use of echo
cat file | grep foo               # Useless use of cat

Data and typing errors

ShellCheck can recognize issues related to data and typing:

args="$@"                         # Assigning arrays to strings
files=(foo bar); echo "$files"    # Referencing arrays as strings
declare -A arr=(foo bar)          # Associative arrays without index
printf "%s\n" "Arguments: $@."    # Concatenating strings and arrays
[[ $# > 2 ]]                      # Comparing numbers as strings
var=World; echo "Hello " var      # Unused lowercase variables
echo "Hello $name"                # Unassigned lowercase variables
cmd | read bar; echo $bar         # Assignments in subshells


Robustness

ShellCheck can make suggestions for improving the robustness of a script:

rm -rf "$STEAMROOT/"*            # Catastrophic rm
touch ./-l; ls *                 # Globs that could become options
find . -exec sh -c 'a && b {}' \; # Find -exec shell injection
printf "Hello $name"             # Variables in printf format
for f in $(ls *.txt); do         # Iterating over ls output
export MYVAR=$(cmd)              # Masked exit codes
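
The "Find -exec shell injection" entry above, run beside its fix. This is an added example, not part of the ShellCheck README; the fixture file names, the MARKER file and the helper function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the ShellCheck project. Every file name here,
# including MARKER, is constructed for the demonstration.

# Build a scratch tree: one ordinary file and one file whose *name*
# contains a command substitution that would create ./MARKER if evaluated.
make_fixture() (
    dir=$(mktemp -d) || exit 1
    mkdir "$dir/files" || exit 1
    : > "$dir/files/report.txt"
    : > "$dir/files/\$(touch MARKER)"
    printf '%s\n' "$dir"
)

# Run one variant over the fixture.
# Exit 0 if the file name was evaluated as shell code, 1 if not.
name_was_executed() (
    dir=$(make_fixture) || exit 2
    cd "$dir" || exit 2
    if [ "$1" = unsafe ]; then
        # Flagged form: find pastes the name into the script text,
        # so sh parses it as part of the command line.
        find files -type f -exec sh -c 'wc -c {}' \; >/dev/null 2>&1 || :
    else
        # Fixed form: the script text is constant and the name arrives
        # as the positional parameter "$1", which is only ever data.
        find files -type f -exec sh -c 'wc -c "$1"' _ {} \; >/dev/null 2>&1 || :
    fi
    rc=1
    if [ -e MARKER ]; then rc=0; fi
    cd / && rm -rf -- "$dir"
    exit "$rc"
)

for variant in unsafe safe; do
    if name_was_executed "$variant"; then
        echo "$variant: file name was executed as code"
    else
        echo "$variant: file name was handled as data"
    fi
done
```

The unsafe variant relies on find substituting {} inside a longer argument, which GNU and BSD find both do.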


Portability

ShellCheck will warn when using features not supported by the shebang. For example, if you set the shebang to #!/bin/sh, ShellCheck will warn about portability issues similar to checkbashisms:

echo {1..$n}                     # Works in ksh, but not bash/dash/sh
echo {1..10}                     # Works in ksh and bash, but not dash/sh
echo -n 42                       # Works in ksh, bash and dash, undefined in sh
trap 'exit 42' sigint            # Unportable signal spec
cmd &> file                      # Unportable redirection operator
read foo < /dev/tcp/host/22      # Unportable intercepted files
foo-bar() { ..; }                # Undefined/unsupported function name
[ $UID = 0 ]                     # Variable undefined in dash/sh
local var=value                  # local is undefined in sh
time sleep 1 | sleep 5           # Undefined uses of 'time'


Miscellaneous

ShellCheck recognizes a menagerie of other issues:

PS1='\e[0;32m\$\e[0m '            # PS1 colors not in \[..\]
PATH="$PATH:~/bin"                # Literal tilde in $PATH
rm “file”                         # Unicode quotes
echo "Hello world"                # Carriage return / DOS line endings
echo hello \                      # Trailing spaces after \
var=42 echo $var                  # Expansion of inlined environment
#!/bin/bash -x -e                 # Common shebang errors
echo $((n/180*100))               # Unnecessary loss of precision
ls *[:digit:].txt                 # Bad character class globs
sed 's/foo/bar/' file > file      # Redirecting to input


Testimonials

At first you're like shellcheck is awesome but then you're like wtf are we still using bash

Alexander Tarasikov, via Twitter

Ignoring issues

Issues can be ignored via environmental variable, command line, individually or globally within a file:


Reporting bugs

Please use the GitHub issue tracker for any bugs or feature suggestions:



Contributing

Please submit patches to code or documentation as GitHub pull requests! Check out the DevGuide on the ShellCheck Wiki.

Contributions must be licensed under the GNU GPLv3. The contributor retains the copyright.


Copyright

ShellCheck is licensed under the GNU General Public License, v3. A copy of this license is included in the file LICENSE.

Copyright 2012-2015, Vidar 'koala_man' Holen and contributors.

Happy ShellChecking!

shellcheck open issues
  • over 3 years New check: echo with \\\\ escape sequences are not portable
  • over 3 years var=$( sed 's/a/b/' <<< "$var" ) doesn't trigger sc2001
  • over 3 years SC1090/SC1091: sourcing should find files relative to script
  • over 3 years New check: "Must use subscript when assigning associative array" on arr+=( val )
  • over 3 years Enhancement: Directives to stop parsing at #?
  • over 3 years SC2028 false positive for echo -e alias
  • over 3 years Incompatible with Windows 10
  • over 3 years Error: Prelude.(!!): index too large
  • over 3 years Warn about lack of brace expansion inside [[ ]]
  • over 3 years stop parsing after an unconditional exit
  • over 3 years dash / SC2169 - too strict
  • over 3 years Add optional check for unbound variable usage which could fail with 'set -u'
  • over 3 years SC2034 on arrays used only passed as arguments
  • over 3 years Enhancement: Add enable directive
  • over 3 years Can’t parse assignment to “select” array
  • over 3 years Style: Add optional directive to notify of double-quotes which could be replaced with single quotes
  • over 3 years Style: Add optional directive to flag for variable names not surrounded in curly braces
  • over 3 years Calling exit within an implicit subshell should be flagged as a warning
  • over 3 years SC2070 (test -n without quoting) needs to be generalized
  • over 3 years `sort -o` should not trigger SC2094
  • over 3 years SC2129 inprofment
  • over 3 years Warning for Whitespaces and/or Taps at the end of lines
  • over 3 years Expose goodShells so external tools can use it.
  • over 3 years RFE: Warn about some useless subshell cases involving conditionals
  • over 3 years `shopt -s lastpipe` should disable SC2030/SC2031 appropriately
  • almost 4 years Shellcheck external rules (eg shellcheck.yml)
  • almost 4 years SC2055: [[ A != B || A != C ]] is not true if B == C
  • almost 4 years Create packages for Ubuntu 12.04 LTS and/or 14.04 LTS
  • almost 4 years Return in subshell in a function
  • almost 4 years Warn about `ssh foo` and `bash` with no args, similar to `su`
shellcheck open pull requests
  • SC2164: show two possible variants for circumenting the warning
  • Add stack support
  • add compilation documentation for test runners
  • Properly set the end column for SC2086 findings
  • Dockerise the shellcheck
  • Add handling for special characters in parameter substitutions.
  • Add TravisCI Setup to README.md
  • SC2164: show two possible variants for circumenting the warning
  • Update README.md
  • Add VSCode integration to editor list
  • Add snapcraft config to enable building snaps Fixes #830
  • Recognize bash's `shopt -s lastpipe`
  • SC2164: Make SC2164 apply to `pushd` and `popd`
  • Add a pre-commit config so shellcheck can be used as a pre-commit hook
  • Add test for `local` keyword in SC2154
  • Check for calls to `which`.
  • [Docs] Update Travis CI part in README.md
  • Move library into src/
  • Add custom-setup stanza and containers lowerbound