ShellCheck
Shell script analysis tool
Version on this page: | 0.9.0@rev:1 |
LTS Haskell 22.39: | 0.9.0@rev:2 |
Stackage Nightly 2024-10-31: | 0.10.0 |
Latest on Hackage: | 0.10.0 |
ShellCheck-0.9.0@sha256:f5c9c51b4ac5617c8805418a03a78e828a4586fdfc050c99f9bf6b195bc2483f,4094
Module documentation for 0.9.0
- ShellCheck
- ShellCheck.AST
- ShellCheck.ASTLib
- ShellCheck.Analytics
- ShellCheck.Analyzer
- ShellCheck.AnalyzerLib
- ShellCheck.CFG
- ShellCheck.CFGAnalysis
- ShellCheck.Checker
- ShellCheck.Checks
- ShellCheck.Data
- ShellCheck.Debug
- ShellCheck.Fixer
- ShellCheck.Formatter
- ShellCheck.Interface
- ShellCheck.Parser
- ShellCheck.Prelude
- ShellCheck.Regex
ShellCheck - A shell script static analysis tool
ShellCheck is a GPLv3 tool that gives warnings and suggestions for bash/sh shell scripts:
The goals of ShellCheck are
-
To point out and clarify typical beginner’s syntax issues that cause a shell to give cryptic error messages.
-
To point out and clarify typical intermediate level semantic problems that cause a shell to behave strangely and counter-intuitively.
-
To point out subtle caveats, corner cases and pitfalls that may cause an advanced user’s otherwise working script to fail under future circumstances.
See the gallery of bad code for examples of what ShellCheck can help you identify!
Table of Contents
- How to use
- Installing
- Compiling from source
- Gallery of bad code
- Testimonials
- Ignoring issues
- Reporting bugs
- Contributing
- Copyright
- Other Resources
How to use
There are a number of ways to use ShellCheck!
On the web
Paste a shell script on https://www.shellcheck.net for instant feedback.
ShellCheck.net is always synchronized to the latest git commit, and is the easiest way to give ShellCheck a go. Tell your friends!
From your terminal
Run shellcheck yourscript
in your terminal for instant output, as seen above.
In your editor
You can see ShellCheck suggestions directly in a variety of editors.
.
.
-
Sublime, through SublimeLinter.
-
Atom, through Linter.
-
VSCode, through vscode-shellcheck.
-
Most other editors, through GCC error compatibility.
In your build or test suites
While ShellCheck is mostly intended for interactive use, it can easily be added to builds or test suites.
It makes canonical use of exit codes, so you can just add a shellcheck
command as part of the process.
For example, in a Makefile:
check-scripts:
# Fail if any of these files have warnings
shellcheck myscripts/*.sh
or in a Travis CI .travis.yml
file:
script:
# Fail if any of these files have warnings
- shellcheck myscripts/*.sh
Services and platforms that have ShellCheck pre-installed and ready to use:
- Travis CI
- Codacy
- Code Climate
- Code Factor
- CircleCI via the ShellCheck Orb
- Github (only Linux)
Most other services, including GitLab, let you install ShellCheck yourself, either through the system’s package manager (see Installing), or by downloading and unpacking a binary release.
It’s a good idea to manually install a specific ShellCheck version regardless. This avoids any surprise build breaks when a new version with new warnings is published.
For customized filtering or reporting, ShellCheck can output simple JSON, CheckStyle compatible XML, GCC compatible warnings as well as human readable text (with or without ANSI colors). See the Integration wiki page for more documentation.
Installing
The easiest way to install ShellCheck locally is through your package manager.
On systems with Cabal (installs to ~/.cabal/bin
):
cabal update
cabal install ShellCheck
On systems with Stack (installs to ~/.local/bin
):
stack update
stack install ShellCheck
On Debian based distros:
sudo apt install shellcheck
On Arch Linux based distros:
pacman -S shellcheck
or get the dependency free shellcheck-bin from the AUR.
On Gentoo based distros:
emerge --ask shellcheck
On EPEL based distros:
sudo yum -y install epel-release
sudo yum install ShellCheck
On Fedora based distros:
dnf install ShellCheck
On FreeBSD:
pkg install hs-ShellCheck
On macOS (OS X) with Homebrew:
brew install shellcheck
Or with MacPorts:
sudo port install shellcheck
On OpenBSD:
pkg_add shellcheck
On openSUSE
zypper in ShellCheck
Or use OneClickInstall - https://software.opensuse.org/package/ShellCheck
On Solus:
eopkg install shellcheck
On Windows (via chocolatey):
C:\> choco install shellcheck
Or Windows (via scoop):
C:\> scoop install shellcheck
From conda-forge:
conda install -c conda-forge shellcheck
From Snap Store:
snap install --channel=edge shellcheck
From Docker Hub:
docker run --rm -v "$PWD:/mnt" koalaman/shellcheck:stable myscript
# Or :v0.4.7 for that version, or :latest for daily builds
or use koalaman/shellcheck-alpine
if you want a larger Alpine Linux based image to extend. It works exactly like a regular Alpine image, but has shellcheck preinstalled.
Using the nix package manager:
nix-env -iA nixpkgs.shellcheck
Alternatively, you can download pre-compiled binaries for the latest release here:
- Linux, x86_64 (statically linked)
- Linux, armv6hf, i.e. Raspberry Pi (statically linked)
- Linux, aarch64 aka ARM64 (statically linked)
- macOS, x86_64
- Windows, x86
or see the GitHub Releases for other releases (including the latest meta-release for daily git builds).
Distro packages already come with a man
page. If you are building from source, it can be installed with:
pandoc -s -f markdown-smart -t man shellcheck.1.md -o shellcheck.1
sudo mv shellcheck.1 /usr/share/man/man1
pre-commit
To run ShellCheck via pre-commit, add the hook to your .pre-commit-config.yaml
:
repos:
- repo: https://github.com/koalaman/shellcheck-precommit
rev: v0.7.2
hooks:
- id: shellcheck
# args: ["--severity=warning"] # Optionally only show errors and warnings
Travis CI
Travis CI has now integrated ShellCheck by default, so you don’t need to manually install it.
If you still want to do so in order to upgrade at your leisure or ensure you’re using the latest release, follow the steps below to install a binary version.
Installing a pre-compiled binary
The pre-compiled binaries come in tar.xz
files. To decompress them, make sure
xz
is installed.
On Debian/Ubuntu/Mint, you can apt install xz-utils
.
On Redhat/Fedora/CentOS, yum -y install xz
.
A simple installer may do something like:
scversion="stable" # or "v0.4.7", or "latest"
wget -qO- "https://github.com/koalaman/shellcheck/releases/download/${scversion?}/shellcheck-${scversion?}.linux.x86_64.tar.xz" | tar -xJv
cp "shellcheck-${scversion}/shellcheck" /usr/bin/
shellcheck --version
Compiling from source
This section describes how to build ShellCheck from a source directory. ShellCheck is written in Haskell and requires 2GB of RAM to compile.
Installing Cabal
ShellCheck is built and packaged using Cabal. Install the package cabal-install
from your system’s package manager (with e.g. apt-get
, brew
, emerge
, yum
, or zypper
).
On macOS (OS X), you can do a fast install of Cabal using brew, which takes a couple of minutes instead of more than 30 minutes if you try to compile it from source.
$ brew install cabal-install
On MacPorts, the package is instead called hs-cabal-install
, while native Windows users should install the latest version of the Haskell platform from https://www.haskell.org/platform/
Verify that cabal
is installed and update its dependency list with
$ cabal update
Compiling ShellCheck
git clone
this repository, and cd
to the ShellCheck source directory to build/install:
$ cabal install
Or if you intend to run the tests:
$ cabal install --enable-tests
This will compile ShellCheck and install it to your ~/.cabal/bin
directory.
Add this directory to your PATH
(for bash, add this to your ~/.bashrc
):
export PATH="$HOME/.cabal/bin:$PATH"
Log out and in again, and verify that your PATH is set up correctly:
$ which shellcheck
~/.cabal/bin/shellcheck
On native Windows, the PATH
should already be set up, but the system
may use a legacy codepage. In cmd.exe
, powershell.exe
and Powershell ISE,
make sure to use a TrueType font, not a Raster font, and set the active
codepage to UTF-8 (65001) with chcp
:
chcp 65001
In Powershell ISE, you may need to additionally update the output encoding:
[Console]::OutputEncoding = [System.Text.Encoding]::UTF8
Running tests
To run the unit test suite:
$ cabal test
Gallery of bad code
So what kind of things does ShellCheck look for? Here is an incomplete list of detected issues.
Quoting
ShellCheck can recognize several types of incorrect quoting:
echo $1 # Unquoted variables
find . -name *.ogg # Unquoted find/grep patterns
rm "~/my file.txt" # Quoted tilde expansion
v='--verbose="true"'; cmd $v # Literal quotes in variables
for f in "*.ogg" # Incorrectly quoted 'for' loops
touch $@ # Unquoted $@
echo 'Don't forget to restart!' # Singlequote closed by apostrophe
echo 'Don\'t try this at home' # Attempting to escape ' in ''
echo 'Path is $PATH' # Variables in single quotes
trap "echo Took ${SECONDS}s" 0 # Prematurely expanded trap
unset var[i] # Array index treated as glob
Conditionals
ShellCheck can recognize many types of incorrect test statements.
[[ n != 0 ]] # Constant test expressions
[[ -e *.mpg ]] # Existence checks of globs
[[ $foo==0 ]] # Always true due to missing spaces
[[ -n "$foo " ]] # Always true due to literals
[[ $foo =~ "fo+" ]] # Quoted regex in =~
[ foo =~ re ] # Unsupported [ ] operators
[ $1 -eq "shellcheck" ] # Numerical comparison of strings
[ $n && $m ] # && in [ .. ]
[ grep -q foo file ] # Command without $(..)
[[ "$$file" == *.jpg ]] # Comparisons that can't succeed
(( 1 -lt 2 )) # Using test operators in ((..))
[ x ] & [ y ] | [ z ] # Accidental backgrounding and piping
Frequently misused commands
ShellCheck can recognize instances where commands are used incorrectly:
grep '*foo*' file # Globs in regex contexts
find . -exec foo {} && bar {} \; # Prematurely terminated find -exec
sudo echo 'Var=42' > /etc/profile # Redirecting sudo
time --format=%s sleep 10 # Passing time(1) flags to time builtin
while read h; do ssh "$h" uptime # Commands eating while loop input
alias archive='mv $1 /backup' # Defining aliases with arguments
tr -cd '[a-zA-Z0-9]' # [] around ranges in tr
exec foo; echo "Done!" # Misused 'exec'
find -name \*.bak -o -name \*~ -delete # Implicit precedence in find
# find . -exec foo > bar \; # Redirections in find
f() { whoami; }; sudo f # External use of internal functions
Common beginner’s mistakes
ShellCheck recognizes many common beginner’s syntax errors:
var = 42 # Spaces around = in assignments
$foo=42 # $ in assignments
for $var in *; do ... # $ in for loop variables
var$n="Hello" # Wrong indirect assignment
echo ${var$n} # Wrong indirect reference
var=(1, 2, 3) # Comma separated arrays
array=( [index] = value ) # Incorrect index initialization
echo $var[14] # Missing {} in array references
echo "Argument 10 is $10" # Positional parameter misreference
if $(myfunction); then ..; fi # Wrapping commands in $()
else if othercondition; then .. # Using 'else if'
f; f() { echo "hello world; } # Using function before definition
[ false ] # 'false' being true
if ( -f file ) # Using (..) instead of test
Style
ShellCheck can make suggestions to improve style:
[[ -z $(find /tmp | grep mpg) ]] # Use grep -q instead
a >> log; b >> log; c >> log # Use a redirection block instead
echo "The time is `date`" # Use $() instead
cd dir; process *; cd ..; # Use subshells instead
echo $[1+2] # Use standard $((..)) instead of old $[]
echo $(($RANDOM % 6)) # Don't use $ on variables in $((..))
echo "$(date)" # Useless use of echo
cat file | grep foo # Useless use of cat
Data and typing errors
ShellCheck can recognize issues related to data and typing:
args="$@" # Assigning arrays to strings
files=(foo bar); echo "$files" # Referencing arrays as strings
declare -A arr=(foo bar) # Associative arrays without index
printf "%s\n" "Arguments: $@." # Concatenating strings and arrays
[[ $# > 2 ]] # Comparing numbers as strings
var=World; echo "Hello " var # Unused lowercase variables
echo "Hello $name" # Unassigned lowercase variables
cmd | read bar; echo $bar # Assignments in subshells
cat foo | cp bar # Piping to commands that don't read
printf '%s: %s\n' foo # Mismatches in printf argument count
eval "${array[@]}" # Lost word boundaries in array eval
for i in "${x[@]}"; do ${x[$i]} # Using array value as key
Robustness
ShellCheck can make suggestions for improving the robustness of a script:
rm -rf "$STEAMROOT/"* # Catastrophic rm
touch ./-l; ls * # Globs that could become options
find . -exec sh -c 'a && b {}' \; # Find -exec shell injection
printf "Hello $name" # Variables in printf format
for f in $(ls *.txt); do # Iterating over ls output
export MYVAR=$(cmd) # Masked exit codes
case $version in 2.*) :;; 2.6.*) # Shadowed case branches
Portability
ShellCheck will warn when using features not supported by the shebang. For example, if you set the shebang to #!/bin/sh
, ShellCheck will warn about portability issues similar to checkbashisms
:
echo {1..$n} # Works in ksh, but not bash/dash/sh
echo {1..10} # Works in ksh and bash, but not dash/sh
echo -n 42 # Works in ksh, bash and dash, undefined in sh
expr match str regex # Unportable alias for `expr str : regex`
trap 'exit 42' sigint # Unportable signal spec
cmd &> file # Unportable redirection operator
read foo < /dev/tcp/host/22 # Unportable intercepted files
foo-bar() { ..; } # Undefined/unsupported function name
[ $UID = 0 ] # Variable undefined in dash/sh
local var=value # local is undefined in sh
time sleep 1 | sleep 5 # Undefined uses of 'time'
Miscellaneous
ShellCheck recognizes a menagerie of other issues:
PS1='\e[0;32m\$\e[0m ' # PS1 colors not in \[..\]
PATH="$PATH:~/bin" # Literal tilde in $PATH
rm “file” # Unicode quotes
echo "Hello world" # Carriage return / DOS line endings
echo hello \ # Trailing spaces after \
var=42 echo $var # Expansion of inlined environment
!# bin/bash -x -e # Common shebang errors
echo $((n/180*100)) # Unnecessary loss of precision
ls *[:digit:].txt # Bad character class globs
sed 's/foo/bar/' file > file # Redirecting to input
var2=$var2 # Variable assigned to itself
[ x$var = xval ] # Antiquated x-comparisons
ls() { ls -l "$@"; } # Infinitely recursive wrapper
alias ls='ls -l'; ls foo # Alias used before it takes effect
for x; do for x; do # Nested loop uses same variable
while getopts "a" f; do case $f in "b") # Unhandled getopts flags
Testimonials
At first you’re like “shellcheck is awesome” but then you’re like “wtf are we still using bash”
Alexander Tarasikov, via Twitter
Ignoring issues
Issues can be ignored via environmental variable, command line, individually or globally within a file:
https://github.com/koalaman/shellcheck/wiki/Ignore
Reporting bugs
Please use the GitHub issue tracker for any bugs or feature suggestions:
https://github.com/koalaman/shellcheck/issues
Contributing
Please submit patches to code or documentation as GitHub pull requests! Check out the DevGuide on the ShellCheck Wiki.
Contributions must be licensed under the GNU GPLv3. The contributor retains the copyright.
Copyright
ShellCheck is licensed under the GNU General Public License, v3. A copy of this license is included in the file LICENSE.
Copyright 2012-2019, Vidar ‘koala_man’ Holen and contributors.
Happy ShellChecking!
Other Resources
- The wiki has long form descriptions for each warning, e.g. SC2221.
- ShellCheck does not attempt to enforce any kind of formatting or indenting style, so also check out shfmt!
Changes
v0.9.0 - 2022-12-12
Added
- SC2316: Warn about ‘local readonly foo’ and similar (thanks, patrickxia!)
- SC2317: Warn about unreachable commands
- SC2318: Warn about backreferences in ‘declare x=1 y=$x’
- SC2319/SC2320: Warn when $? refers to echo/printf/[ ]/[[ ]]/test
- SC2321: Suggest removing $((..)) in array[$((idx))]=val
- SC2322: Suggest collapsing double parentheses in arithmetic contexts
- SC2323: Suggest removing wrapping parentheses in a[(x+1)]=val
Fixed
- SC2086: Now uses DFA to make more accurate predictions about values
- SC2086: No longer warns about values declared as integer with declare -i
Changed
- ShellCheck now has a Data Flow Analysis engine to make smarter decisions based on control flow rather than just syntax. Existing checks will gradually start using it, which may cause them to trigger differently (but more accurately).
- Values in directives/shellcheckrc can now be quoted with ‘’ or “”
v0.8.0 - 2021-11-06
Added
disable=all
now conveniently disables all warningsexternal-sources=true
directive can be added to .shellcheckrc to make shellcheck behave as if-x
was specified.- Optional
check-extra-masked-returns
for pointing out commands with suppressed exit codes (SC2312). - Optional
require-double-brackets
for recommending [[ ]] (SC2292). - SC2286-SC2288: Warn when command name ends in a symbol like
/.)'"
- SC2289: Warn when command name contains tabs or linefeeds
- SC2291: Warn about repeated unquoted spaces between words in echo
- SC2292: Suggest [[ over [ in Bash/Ksh scripts (optional)
- SC2293/SC2294: Warn when calling
eval
with arrays - SC2295: Warn about “${x#$y}” treating $y as a pattern when not quoted
- SC2296-SC2301: Improved warnings for bad parameter expansions
- SC2302/SC2303: Warn about loops over array values when using them as keys
- SC2304-SC2306: Warn about unquoted globs in expr arguments
- SC2307: Warn about insufficient number of arguments to expr
- SC2308: Suggest other approaches for non-standard expr extensions
- SC2313: Warn about
read
with unquoted, array indexed variable
Fixed
- SC2102 about repetitions in ranges no longer triggers on [[ -v arr[xx] ]]
- SC2155 now recognizes
typeset
and local read-onlydeclare
statements - SC2181 now tries to avoid triggering for error handling functions
- SC2290: Warn about misused = in declare & co, which were not caught by SC2270+
- The flag –color=auto no longer outputs color when TERM is “dumb” or unset
Changed
- SC2048: Warning about $* now also applies to ${array[*]}
- SC2181 now only triggers on single condition tests like
[ $? = 0 ]
. - Quote warnings are now emitted for declaration utilities in sh
- Leading
_
can now be used to suppress warnings about unused variables - TTY output now includes warning level in text as well as color
Removed
- SC1004: Literal backslash+linefeed in ‘’ was found to be usually correct
v0.7.2 - 2021-04-19
Added
disable
directives can now be a range, e.g.disable=SC3000-SC4000
- SC1143: Warn about line continuations in comments
- SC2259/SC2260: Warn when redirections override pipes
- SC2261: Warn about multiple competing redirections
- SC2262/SC2263: Warn about aliases declared and used in the same parsing unit
- SC2264: Warn about wrapper functions that blatantly recurse
- SC2265/SC2266: Warn when using & or | with test statements
- SC2267: Warn when using xargs -i instead of -I
- SC2268: Warn about unnecessary x-comparisons like
[ x$var = xval ]
Fixed
- SC1072/SC1073 now respond to disable annotations, though ignoring parse errors is still purely cosmetic and does not allow ShellCheck to continue.
- Improved error reporting for trailing tokens after ]/]] and compound commands
#!/usr/bin/env -S shell
is now handled correctly- Here docs with \r are now parsed correctly and give better warnings
Changed
- Assignments are now parsed to spec, without leniency for leading $ or spaces
- POSIX/dash unsupported feature warnings now have individual SC3xxx codes
- SC1090: A leading
$x/
or$(x)/
is now treated as./
when locating files - SC2154: Variables appearing in -z/-n tests are no longer considered unassigned
- SC2270-SC2285: Improved warnings about misused
=
, e.g.${var}=42
v0.7.1 - 2020-04-04
Fixed
-f diff
no longer claims that it found more issues when it didn’t- Known empty variables now correctly trigger SC2086
- ShellCheck should now be compatible with Cabal 3
- SC2154 and all command-specific checks now trigger for builtins
called with
builtin
Added
- SC1136: Warn about unexpected characters after ]/]]
- SC2254: Suggest quoting expansions in case statements
- SC2255: Suggest using
$((..))
in[ 2*3 -eq 6 ]
- SC2256: Warn about translated strings that are known variables
- SC2257: Warn about arithmetic mutation in redirections
- SC2258: Warn about trailing commas in for loop elements
Changed
- SC2230: ‘command -v’ suggestion is now off by default (-i deprecate-which)
- SC1081: Keywords are now correctly parsed case sensitively, with a warning
v0.7.0 - 2019-07-28
Added
- Precompiled binaries for macOS and Linux aarch64
- Preliminary support for fix suggestions
- New
-f diff
unified diff format for auto-fixes - Files containing Bats tests can now be checked
- Directory wide directives can now be placed in a
.shellcheckrc
- Optional checks: Use
--list-optional
to show a list of tests, Enable with-o
flags orenable=name
directives - Source paths: Use
-P dir1:dir2
or asource-path=dir1
directive to specify search paths for sourced files. - json1 format like –format=json but treats tabs as single characters
- Recognize FLAGS variables created by the shflags library.
- Site-specific changes can now be made in Custom.hs for ease of patching
- SC2154: Also warn about unassigned uppercase variables (optional)
- SC2252: Warn about
[ $a != x ] || [ $a != y ]
, similar to SC2055 - SC2251: Inform about ineffectual ! in front of commands
- SC2250: Warn about variable references without braces (optional)
- SC2249: Warn about
case
with missing default case (optional) - SC2248: Warn about unquoted variables without special chars (optional)
- SC2247: Warn about $”(cmd)” and $”{var}”
- SC2246: Warn if a shebang’s interpreter ends with /
- SC2245: Warn that Ksh ignores all but the first glob result in
[
- SC2243/SC2244: Suggest using explicit -n for
[ $foo ]
(optional) - SC1135: Suggest not ending double quotes just to make $ literal
Changed
- If a directive or shebang is not specified, a
.bash/.bats/.dash/.ksh
extension will be used to infer the shell type when present. - Disabling SC2120 on a function now disables SC2119 on call sites
Fixed
- SC2183 no longer warns about missing printf args for
%()T
v0.6.0 - 2018-12-02
Added
- Command line option –severity/-S for filtering by minimum severity
- Command line option –wiki-link-count/-W for showing wiki links
- SC2152/SC2151: Warn about bad
exit
values like1234
and"foo"
- SC2236/SC2237: Suggest -n/-z instead of ! -z/-n
- SC2238: Warn when redirecting to a known command name, e.g. ls > rm
- SC2239: Warn if the shebang is not an absolute path, e.g. #!bin/sh
- SC2240: Warn when passing additional arguments to dot (.) in sh/dash
- SC1133: Better diagnostics when starting a line with |/||/&&
Changed
- Most warnings now have useful end positions
- SC1117 about unknown double-quoted escape sequences has been retired
Fixed
- SC2021 no longer triggers for equivalence classes like
[=e=]
- SC2221/SC2222 no longer mistriggers on fall-through case branches
- SC2081 about glob matches in
[ .. ]
now also triggers for!=
- SC2086 no longer warns about spaces in
$#
- SC2164 no longer suggests subshells for
cd ..; cmd; cd ..
read -a
is now correctly considered an array assignment- SC2039 no longer warns about LINENO now that it’s POSIX
v0.5.0 - 2018-05-31
Added
- SC2233/SC2234/SC2235: Suggest removing or replacing (..) around tests
- SC2232: Warn about invalid arguments to sudo
- SC2231: Suggest quoting expansions in for loop globs
- SC2229: Warn about ‘read $var’
- SC2227: Warn about redirections in the middle of ‘find’ commands
- SC2224/SC2225/SC2226: Warn when using mv/cp/ln without a destination
- SC2223: Quote warning specific to
: ${var=value}
- SC1131: Warn when using
elseif
orelsif
- SC1128: Warn about blanks/comments before shebang
- SC1127: Warn about C-style comments
Fixed
- Annotations intended for a command’s here documents now work
- Escaped characters inside groups in =~ regexes now parse
- Associative arrays are now respected in arithmetic contexts
- SC1087 about
$var[@]
now correctly triggers on any index - Bad expansions in here documents are no longer ignored
- FD move operations like {fd}>1- now parse correctly
Changed
- Here docs are now terminated as per spec, rather than by presumed intent
- SC1073: ‘else if’ is now parsed correctly and not like ‘elif’
- SC2163: ‘export $name’ can now be silenced with ‘export ${name?}’
- SC2183: Now warns when printf arg count is not a multiple of format count
v0.4.7 - 2017-12-08
Added
- Statically linked binaries for Linux and Windows (see README.md)!
-a
flag to also include warnings insource
d files- SC2221/SC2222: Warn about overridden case branches
- SC2220: Warn about unhandled error cases in getopt loops
- SC2218: Warn when using functions before they’re defined
- SC2216/SC2217: Warn when piping/redirecting to mv/cp and other non-readers
- SC2215: Warn about commands starting with leading dash
- SC2214: Warn about superfluous getopt flags
- SC2213: Warn about unhandled getopt flags
- SC2212: Suggest
false
over[ ]
- SC2211: Warn when using a glob as a command name
- SC2210: Warn when redirecting to an integer, e.g.
foo 1>2
- SC2206/SC2207: Suggest alternatives when using word splitting in arrays
- SC1117: Warn about double quoted, undefined backslash sequences
- SC1113/SC1114/SC1115: Recognized more malformed shebangs
Fixed
[ -v foo ]
no longer warns iffoo
is undefined- SC2037 is now suppressed by quotes, e.g.
PAGER="cat" man foo
- Ksh nested array declarations now parse correctly
- Parameter Expansion without colons are now recognized, e.g.
${foo+bar}
- The
lastpipe
option is now respected with regard to subshell warnings \(
is now respected for grouping in[
- Leading
\
is now ignored for commands, to allow alias suppression - Comments are now allowed after directives to e.g. explain ‘disable’
v0.4.6 - 2017-03-26
Added
- SC2204/SC2205: Warn about
( -z foo )
and( foo -eq bar )
- SC2200/SC2201: Warn about brace expansion in [/[[
- SC2198/SC2199: Warn about arrays in [/[[
- SC2196/SC2197: Warn about deprecated egrep/fgrep
- SC2195: Warn about unmatchable case branches
- SC2194: Warn about constant ‘case’ statements
- SC2193: Warn about
[[ file.png == *.mp3 ]]
and other unmatchables - SC2188/SC2189: Warn about redirections without commands
- SC2186: Warn about deprecated
tempfile
- SC1109: Warn when finding
&
/>
/<
unquoted - SC1108: Warn about missing spaces in
[ var= foo ]
Changed
- All files are now read as UTF-8 with lenient latin1 fallback, ignoring locale
- Unicode quotes are no longer considered syntactic quotes
ash
scripts will now be checked asdash
with a warning
Fixed
-c
no longer suggested when usinggrep -o | wc
- Comments and whitespace are now allowed before filewide directives
- Here doc delimiters with esoteric quoting like
foo""
are now handled - SC2095 about
ssh
in while read loops is now suppressed when using-n
%(%Y%M%D)T
now recognized as a single formatter inprintf
checksgrep -F
now suppresses regex related suggestions- Command name checks now recognize busybox applet names
v0.4.5 - 2016-10-21
Added
- A Docker build (thanks, kpankonen!)
- SC2185: Suggest explicitly adding path for
find
- SC2184: Warn about unsetting globs (e.g.
unset foo[1]
) - SC2183: Warn about
printf
with more formatters than variables - SC2182: Warn about ignored arguments with
printf
- SC2181: Suggest using command directly instead of
if [ $? -eq 0 ]
- SC1106: Warn when using
test
operators in(( 1 -eq 2 ))
Changed
- Unrecognized directives now causes a warning rather than parse failure.
Fixed
- Indices in associative arrays are now parsed correctly
- Missing shebang warning squashed when specifying with a directive
- Ksh multidimensional arrays are now supported
- Variables in substring ${a:x:y} expansions now count as referenced
- SC1102 now also handles ambiguous
$((
- Using
$(seq ..)
will no longer suggest quoting - SC2148 (missing shebang) is now suppressed when using shell directives
[ a '>' b ]
is now recognized as being correctly escaped
v0.4.4 - 2016-05-15
Added
- Haskell Stack support (thanks, Arguggi!)
- SC2179/SC2178: Warn when assigning/appending strings to arrays
- SC1102: Warn about ambiguous
$(((
- SC1101: Warn when \ linebreaks have trailing spaces
Changed
- Directives directly after the shebang now apply to the entire file
Fixed
{$i..10}
is now flagged similar to{1..$i}
v0.4.3 - 2016-01-13
Fixed
- Build now works on GHC 7.6.3 as found on Debian Stable/Ubuntu LTS
v0.4.2 - 2016-01-09
Added
- First class support for the
dash
shell - The
--color
flag similar to ls/grep’s (thanks, haguenau!) - SC2174: Warn about unexpected behavior of
mkdir -pm
(thanks, eatnumber1!) - SC2172: Warn about non-portable use of signal numbers in
trap
- SC2171: Warn about
]]
without leading[[
- SC2168: Warn about
local
outside functions
Fixed
- Warnings about unchecked
cd
will no longer trigger withset -e
[ a -nt/-ot/-ef b ]
no longer warns about being constant- Quoted test operators like
[ foo "<" bar ]
now parse - Escaped quotes in backticks now parse correctly
v0.4.1 - 2015-09-05
Fixed
- Added missing files to Cabal, fixing the build
v0.4.0 - 2015-09-05
Added
- Support for following
source
d files - Support for setting default flags in
SHELLCHECK_OPTS
- An
--external-sources
flag for following arbitrarysource
d files - A
source
directive to override the filename tosource
- SC2166: Suggest using
[ p ] && [ q ]
over[ p -a q ]
- SC2165: Warn when nested
for
loops use the same variable name - SC2164: Warn when using
cd
without checking that it succeeds - SC2163: Warn about
export $var
- SC2162: Warn when using
read
without-r
- SC2157: Warn about
[ "$var " ]
and similar never-empty string matches
Fixed
cat -vnE file
and similar will no longer flag as UUOC- Nested trinary operators in
(( ))
now parse correctly - Ksh
${ ..; }
command expansions now parse
v0.3.8 - 2015-06-20
Changed
- ShellCheck’s license has changed from AGPLv3 to GPLv3.
Added
- SC2156: Warn about injecting filenames in
find -exec sh -c "{}" \;
Fixed
- Variables and command substitutions in brace expansions are now parsed
- ANSI colors are now disabled on Windows
- Empty scripts now parse
v0.3.7 - 2015-04-16
Fixed
- Build now works on GHC 7.10
- Use
regex-tdfa
overregex-compat
since the latter crashes on OS X.
v0.3.6 - 2015-03-28
Added
- SC2155: Warn about masked return values in
export foo=$(exit 1)
- SC2154: Warn when a lowercase variable is referenced but not assigned
- SC2152/SC2151: Warn about bad
return
values like1234
and"foo"
- SC2150: Warn about
find -exec "shell command" \;
Fixed
coproc
is now supported- Trinary operator now recognized in
((..))
Removed
- Zsh support has been removed
v0.3.5 - 2014-11-09
Added
- SC2148: Warn when not including a shebang
- SC2147: Warn about literal ~ in PATH
- SC1086: Warn about
$
in for loop variables, e.g.for $i in ..
- SC1084: Warn when the shebang uses
!#
instead of#!
Fixed
- Empty and comment-only backtick expansions now parse
- Variables used in PS1/PROMPT_COMMAND/trap now count as referenced
- ShellCheck now skips unreadable files and directories
-f gcc
on empty files no longer crashes- Variables in $”..” are now considered quoted
- Warnings about expansions in single quotes now include backticks
v0.3.4 - 2014-07-08
Added
- SC2146: Warn about precedence when combining
find -o
with actions - SC2145: Warn when concatenating arrays and strings
Fixed
- Case statements now support
;&
and;;&
- Indices in array declarations now parse correctly
let
expressions now parsed as arithmetic expressions- Escaping is now respected in here documents
Changed
- Completely drop Makefile in favor of Cabal (thanks rodrigosetti!)
v0.3.3 - 2014-05-29
Added
- SC2144: Warn when using globs in
[/[[
- SC2143: Suggesting using
grep -q
over[ "$(.. | grep)" ]
- SC2142: Warn when referencing positional parameters in aliases
- SC2141: Warn about suspicious IFS assignments like
IFS="\n"
- SC2140: Warn about bad embedded quotes like
echo "var="value""
- SC2130: Warn when using
-eq
on strings - SC2139: Warn about define time expansions in alias definitions
- SC2129: Suggest command grouping over
a >> log; b >> log; c >> log
- SC2128: Warn when expanding arrays without an index
- SC2126: Suggest
grep -c
overgrep|wc
- SC2123: Warn about accidentally overriding
$PATH
, e.g.PATH=/my/dir
- SC1083: Warn about literal
{/}
outside of quotes - SC1082: Warn about UTF-8 BOMs
Fixed
- SC2051 no longer triggers for
{1,$n}
, only{1..$n}
- Improved detection of single quoted
sed
variables, e.g.sed '$s///'
- Stop warning about single quoted variables in
PS1
and similar - Support for Zsh short form loops,
=(..)
Removed
- SC1000 about unescaped lonely
$
, e.g.grep "^foo$"
v0.3.2 - 2014-03-22
Added
- SC2121: Warn about trying to
set
variables, e.g.set var = value
- SC2120/SC2119: Warn when a function uses
$1..
if none are ever passed - SC2117: Warn when using
su
in interactive mode, e.g.su foo; whoami
- SC2116: Detect useless use of echo, e.g.
for i in $(echo $var)
- SC2115/SC2114: Detect some catastrophic
rm -r "$empty/"
mistakes - SC1081: Warn when capitalizing keywords like
While
- SC1077: Warn when using acute accents instead of backticks
Fixed
- Shells are now properly recognized in shebangs containing flags
- Stop warning about math on decimals in ksh/zsh
- Stop warning about decimal comparisons with
=
, e.g.[ $version = 1.2 ]
- Parsing of
|&
${a[x]}
not counting as a reference ofx
(( x[0] ))
not counting as a reference ofx
v0.3.1 - 2014-02-03
Added
- The
-s
flag to specify shell dialect - SC2105/SC2104: Warn about
break/continue
outside loops - SC1076: Detect invalid
[/[[
arithmetic like[ 1 + 2 = 3 ]
- SC1075: Suggest using
elif
overelse if
Fixed
- Don’t warn when comma separating elements in brace expansions
- Improved detection of single quoted
sed
variables, e.g.sed '$d'
- Parsing of arithmetic for loops using
{..}
instead ofdo..done
- Don’t treat the last pipeline stage as a subshell in ksh/zsh
v0.3.0 - 2014-01-19
Added
- A man page (thanks Dridi!)
- GCC compatible error reporting (
shellcheck -f gcc
) - CheckStyle compatible XML error reporting (
shellcheck -f checkstyle
) - Error codes for each warning, e.g. SC1234
- Allow disabling warnings with
# shellcheck disable=SC1234
- Allow disabling warnings with
--exclude
- SC2103: Suggest using subshells over
cd foo; bar; cd ..
- SC2102: Warn about duplicates in char ranges, e.g.
[10-15]
- SC2101: Warn about named classes not inside a char range, e.g.
[:digit:]
- SC2100/SC2099: Warn about bad math expressions like
i=i+5
- SC2098/SC2097: Warn about
foo=bar echo $foo
- SC2095: Warn when using
ssh
/ffmpeg
inwhile read
loops - Better warnings for missing here doc tokens
Fixed
- Don’t warn when single quoting variables with
ssh/perl/eval
${!var}
is now counted as a variable reference
Removed
- Suggestions about using parameter expansion over basename
- The
jsoncheck
binary. Useshellcheck -f json
instead.
v0.2.0 - 2013-10-27
Added
- Suggest
./*
instead of*
when passing globs to commands - Suggest
pgrep
overps | grep
- Warn about unicode quotes
- Warn about assigned but unused variables
- Inform about client side expansion when using
ssh
Fixed
- CLI tool now uses exit codes and stderr canonically
- Parsing of extglobs containing empty patterns
- Parsing of bash style
eval foo=(bar)
- Parsing of expansions in here documents
- Parsing of function names containing :+-
- Don’t warn about
find|xargs
when using-print0
v0.1.0 - 2013-07-23
Added
- First release