git404hub

what is shellsafe fr?

alhajashafffy/shellsafe — explained in plain English

Analysis updated 2026-05-18

14ShellAudience · ops devopsComplexity · 2/5LicenseSetup · easy

tl;dr

Command-line linter for bash scripts that flags security risks like eval use, curl-pipe-bash, unquoted variables, hardcoded secrets, and unsafe sudo, with an optional auto-fix mode.

vibe map

mindmap
  root((shellsafe))
    Inputs
      Bash script files
      Script directories
    Outputs
      Findings by severity
      Auto-fixed scripts
    Use Cases
      Audit shell scripts
      Block curl pipe bash
      Find hardcoded keys
    Tech Stack
      Shell
      shellcheck
      Codespaces

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

what do people make with this?

VIBE 1

Scan a directory of CI bash scripts and flag injection risks, unquoted variables, and missing set -e before merging.

VIBE 2

Run a security-only pass that hides style warnings and surfaces only critical findings like eval and curl piped into bash.

VIBE 3

Auto-fix the safer subset of findings in legacy shell scripts so the result keeps the same behaviour.

VIBE 4

Audit shell scripts for hardcoded passwords, API keys, and world-writable file permissions.

what's the stack?

ShellBashshellcheck

how it stacks up fr

alhajashafffy/shellsafebrettkinny/tower-dashboardluizomf/sannux
Stars141414
LanguageShellShellShell
Setup difficultyeasymoderatemoderate
Complexity2/52/53/5
Audienceops devopsops devopsdeveloper

Figures from each repo's GitHub metadata at analysis time.

how do i run it?

Difficulty · easy time til it works · 30min

Project is set up for GitHub Codespaces, but the README also bundles unrelated GitHub achievement scripts that should be ignored if only the linter is wanted.

MIT license, free to use, modify, and redistribute including in commercial work, as long as the original copyright notice is kept.

in plain english

shellsafe is a command-line tool that reads bash shell scripts and flags patterns that are either bugs waiting to happen or actual security risks. Bash is the scripting language that runs most automation on Linux servers and inside many developer toolchains, and small mistakes in it can let an attacker run their own commands on the machine. The README pitches shellsafe as a layer on top of the well-known shellcheck linter, with a stronger focus on injection risks, privilege issues, and insecure habits. The tool is run as shellsafe scan followed by a file or directory. There is a flag for security-only mode that skips general style warnings, and a fix flag that tries to repair the issues it can change without changing the script's behaviour. The output, shown in the README as an example, groups findings by severity: critical, warning, and info. Each line tells the user which file and line number to look at and what the problem is. The categories of issues the README claims to catch are listed in a table. They include uses of eval, the curl piped into bash pattern that downloads and runs remote code in one step, unquoted variables that can break when filenames contain spaces, missing set -e which would let a script keep going after an error, the older [ ] test syntax instead of the safer [[ ]] form, possible command injection from variables expanded into commands, hardcoded passwords or API keys, unnecessary use of sudo, world-writable files, and bashisms used inside scripts that declare themselves as plain sh. The project is MIT licensed and is set up for GitHub Codespaces. The README also has a section listing a set of helper scripts under scripts/, with names like setup.sh, unlock-all.sh, pull-shark.sh, and pair-extraordinaire.sh, alongside a Node.js achievement tracker. These are labelled GitHub Achievement Scripts and appear to be separate utilities bundled in the same repository rather than part of the linter itself.

prompts (copy fr)

prompt 1
Install shellsafe locally and run shellsafe scan on my scripts/ folder, then walk me through the critical findings.
prompt 2
Show me how to run shellsafe in security-only mode in a GitHub Actions workflow so the build fails on critical issues.
prompt 3
Apply shellsafe scan --fix to my deploy.sh and explain which changes are safe to keep.
prompt 4
Compare shellsafe output to plain shellcheck on the same script and tell me which issues only shellsafe catches.
prompt 5
Write a pre-commit hook that runs shellsafe scan on every staged .sh file and blocks the commit on critical findings.

Frequently asked questions

what is shellsafe fr?

Command-line linter for bash scripts that flags security risks like eval use, curl-pipe-bash, unquoted variables, hardcoded secrets, and unsafe sudo, with an optional auto-fix mode.

What language is shellsafe written in?

Mainly Shell. The stack also includes Shell, Bash, shellcheck.

What license does shellsafe use?

MIT license, free to use, modify, and redistribute including in commercial work, as long as the original copyright notice is kept.

How hard is shellsafe to set up?

Setup difficulty is rated easy, with roughly 30min to a first successful run.

Who is shellsafe for?

Mainly ops devops.

peek the repo → explain another one

This repo across BitVibe Labs

double-check against the repo, no cap.