Static Analysis for Bash and Shell Scripts

Nick Galbreath

Your shell scripts need static analysis. Here’s how.

If you must write shell code, use the same techniques you use for your primary programming language:

In fact, given how weird shell code is, it probably needs these tools even more than your regular languages. Fortunately these tools now exist for shell.

shellcheck

shellcheck provides static analysis of shell scripts and covers a number of different dialects of shell. It’s hard to overstate how great this is. You’ll be horrified at the output and likely learn something as well.
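To make that concrete, here is an added example (not from the original post) of one finding shellcheck reports, SC2086 for an unquoted expansion, with the weak form beside the corrected one. The function names, file names and scratch directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). File names are constructed.

# Weak form: shellcheck reports SC2086 (unquoted expansion) on $target.
# The directive below silences it only so the bug can be shown on purpose.
remove_unquoted() {
  dir=$1
  target=$2
  # shellcheck disable=SC2086
  (cd "$dir" && rm -f -- $target)
}

# Corrected form: quoting passes the name to rm as exactly one argument.
remove_quoted() {
  dir=$1
  target=$2
  (cd "$dir" && rm -f -- "$target")
}

# Create a scratch directory with three files, ask the given remover to
# delete the one named "old *", and print the surviving names, each
# followed by a comma.
survivors_after() {
  remover=$1
  scratch=$(mktemp -d) || return 1
  touch "$scratch/old" "$scratch/keep.txt" "$scratch/old *"
  "$remover" "$scratch" "old *"
  (
    cd "$scratch" || exit 1
    for f in *; do
      # An unmatched glob stays literal, so skip names that do not exist.
      if [ -e "$f" ]; then printf '%s,' "$f"; fi
    done
  )
  rm -rf -- "$scratch"
}
```

With the unquoted form the name is split into `old` and `*`, the `*` matches every file in the directory, and nothing survives; the quoted form removes only the one file it was asked to.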

You can use it three ways.

Protip: You can lint Dockerfiles and the shell script inside them with hadolint.

mvdan/sh and shfmt

shfmt takes your crappy shell code, and makes it beautiful. There is no customization of the format other than “tabs or spaces”, but it’s a good default format. Use it.

It’s a single binary written in Go. You can screw around trying to download from GitHub Releases or you can use this downloader script which will do the right thing for your platform. (Disclaimer: I wrote that script.)

client9/shlib

Disclaimer: I wrote this.

The best shell script is one not written. But if you have to use shell, client9/shlib is a collection of tested, portable functions to help you to bootstrap out of shell into something more sane. All the code is in the public domain, so use and remix as needed. Credit and pull requests are welcome but not required.

Others

bashate

bashate is used by OpenStack to enforce bash style. I think it’s mostly superseded by the other tools, but you might like some of its checks.

BATS

BATS is the “Bash Automation Testing System” and provides an xUnit type of testing framework for … bash. I think it’s overkill but maybe you’ll find it useful.

If you need something simpler, check out the basic assert functions from client9/shlib.