Scan a directory of CI bash scripts and flag injection risks, unquoted variables, and missing set -e before merging.
Run a security-only pass that hides style warnings and surfaces only critical findings like eval and curl piped into bash.
Auto-fix the safer subset of findings in legacy shell scripts so the result keeps the same behaviour.
Audit shell scripts for hardcoded passwords, API keys, and world-writable file permissions.
The project is set up for GitHub Codespaces, but the repository also bundles unrelated GitHub achievement scripts under scripts/ that can be ignored if only the linter is wanted.
shellsafe is a command-line tool that reads bash shell scripts and flags patterns that are either bugs waiting to happen or actual security risks. Bash runs much of the automation on Linux servers and inside many developer toolchains, and small mistakes in it can let an attacker run their own commands on the machine. The README pitches shellsafe as a layer on top of the well-known shellcheck linter, with a stronger focus on injection risks, privilege issues, and insecure habits.
The tool is run as shellsafe scan followed by a file or directory. There is a flag for security-only mode that skips general style warnings, and a fix flag that tries to repair the issues it can change without changing the script's behaviour. The output, shown in the README as an example, groups findings by severity: critical, warning, and info. Each line tells the user which file and line number to look at and what the problem is.
The categories of issues the README claims to catch are listed in a table. They include uses of eval; the curl piped into bash pattern, which downloads remote code and executes it in one step, so whatever the server (or anyone able to tamper with the connection) returns runs without ever being inspected or verified; unquoted variables, which undergo word splitting and glob expansion, so a filename containing spaces or wildcard characters breaks the script or makes it touch files it should not; missing set -e, without which a script keeps going after a failing command (set -e has well-known gaps, such as failures inside pipelines and conditions, so it is a baseline rather than a guarantee); the older [ ] test syntax instead of the [[ ]] form, which does not word-split its operands (note that [[ ]] is itself bash-only, so this advice applies to scripts declared as bash, not to plain sh); possible command injection from variables expanded into commands; hardcoded passwords or API keys; unnecessary use of sudo; world-writable files; and bashisms used inside scripts that declare themselves as plain sh.
The project is MIT licensed and is set up for GitHub Codespaces. The README also has a section listing a set of helper scripts under scripts/, with names like setup.sh, unlock-all.sh, pull-shark.sh, and pair-extraordinaire.sh, alongside a Node.js achievement tracker. These are labelled GitHub Achievement Scripts and appear to be separate utilities bundled in the same repository rather than part of the linter itself.
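To make the categories above concrete, here is an added Python example (not shellsafe's own code; the README does not show its implementation): a small pattern-based scanner that runs over a constructed sample script, reports findings grouped by severity in the spirit of the README's output, and has a security-only mode that keeps only critical findings. The rule names, the regular expressions, the severity assignments beyond the two the README gives (eval and curl piped into bash as critical), and the sample scripts are all assumptions of this example, and the heuristics are deliberately simple (no heredoc or multi-line parsing).

```python
"""shellsafe-style scanner: an added illustration, not shellsafe's own code.

Heuristics approximate the README's categories (eval, curl|bash, unquoted
variables, missing set -e, [ ] tests, sh -c injection, hardcoded secrets, sudo,
world-writable chmod, bashisms in sh scripts).  Severity mapping is this
example's own choice except for eval and curl|bash, which the README calls critical.
"""
import re
from dataclasses import dataclass

SEVERITIES = ("critical", "warning", "info")  # report order, as in the README output


@dataclass(frozen=True)
class Finding:
    severity: str
    line: int      # 1-based line number in the scanned file
    rule: str
    message: str


# (rule id, severity, pattern, message).  Assumed rule set, not shellsafe's.
LINE_RULES = [
    ("eval", "critical", re.compile(r"(^|[;&|\s])eval\s"),
     "eval runs a string as code"),
    ("curl-pipe-sh", "critical",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba)?sh\b"),
     "remote script piped straight into a shell; download, verify, then run"),
    ("sh-c-injection", "critical",
     re.compile(r"\b(ba)?sh\s+-c\s+\"[^\"]*\$"),
     "variable expanded inside a double-quoted sh -c command string"),
    ("hardcoded-secret", "critical",
     re.compile(r"\b\w*(PASSWORD|PASSWD|SECRET|API_KEY|TOKEN)\s*=\s*['\"]?[^'\"\s$]{4,}", re.I),
     "credential literal in source; read it from the environment or a secret store"),
    ("sudo", "warning", re.compile(r"(^|[;&|\s])sudo\s"),
     "sudo inside a script; confirm the privilege is needed"),
    ("world-writable", "warning",
     re.compile(r"\bchmod\s+(-\w+\s+)*(0?[0-7]{2}[2367]\b|[augo]*o[augo]*\+\w*w|a\+\w*w)"),
     "chmod makes the target world-writable"),
]
SINGLE_TEST = re.compile(r"(^|[\s;&|(])\[\s")               # [ ... ] but not [[ ... ]]
BASHISMS = re.compile(r"\[\[|(^|\s)(declare|function|source)\s|\w+=\(|\$\{\w+\[")
ERREXIT = re.compile(r"(^|[;\s])set\s+-[a-zA-Z]*e[a-zA-Z]*\b|set\s+-o\s+errexit")
QUOTED = re.compile(r"\"[^\"]*\"|'[^']*'")
ARITH = re.compile(r"\$\(\([^)]*\)\)")
DOUBLE_BRACKET = re.compile(r"\[\[.*?\]\]")                  # no word splitting inside [[ ]]
VAR = re.compile(r"(?<![=\w])\$\{?([A-Za-z_]\w*|\d+|[@*])\}?")  # skips VAR=$x assignments


def unquoted_vars(line):
    """Return variable names expanded outside quotes, [[ ]] and $(( )) on this line."""
    s = DOUBLE_BRACKET.sub("", line)
    s = ARITH.sub("", s)
    s = QUOTED.sub("", s)
    s = re.sub(r"(^|\s)#.*$", "", s)  # drop a trailing comment
    return [m.group(1) for m in VAR.finditer(s)]


def scan(text, security_only=False):
    """Scan one script's text; return findings ordered by severity then line."""
    lines = text.splitlines()
    shebang = lines[0] if lines and lines[0].startswith("#!") else ""
    is_bash = bool(re.search(r"\bbash\b", shebang))
    is_sh = bool(re.search(r"\bsh\b", shebang)) and not is_bash
    errexit = bool(re.search(r"\s-\w*e\w*\b", shebang))  # e.g. #!/bin/bash -e
    findings = []
    for n, line in enumerate(lines, 1):
        if line.lstrip().startswith("#"):
            continue
        errexit = errexit or bool(ERREXIT.search(line))
        for rule, sev, rx, msg in LINE_RULES:
            if rx.search(line):
                findings.append(Finding(sev, n, rule, msg))
        for var in unquoted_vars(line):
            findings.append(Finding("warning", n, "unquoted-var",
                                    f"${var} is unquoted and subject to word splitting and globbing"))
        if is_bash and SINGLE_TEST.search(line):
            findings.append(Finding("info", n, "single-bracket",
                                    "[ ] test; [[ ]] does not word-split its operands"))
        if is_sh and BASHISMS.search(line):
            findings.append(Finding("warning", n, "bashism", "bash-only syntax in a script declared as sh"))
    if not errexit:
        findings.append(Finding("warning", 1, "missing-set-e",
                                "no set -e; the script continues after a failing command"))
    if security_only:
        findings = [f for f in findings if f.severity == "critical"]
    return sorted(findings, key=lambda f: (SEVERITIES.index(f.severity), f.line))


def format_report(findings, path):
    """Group findings by severity, one 'path:line' entry per finding."""
    out = []
    for sev in SEVERITIES:
        group = [f for f in findings if f.severity == sev]
        if group:
            out.append(f"{sev.upper()} ({len(group)})")
            out.extend(f"  {path}:{f.line}  [{f.rule}] {f.message}" for f in group)
    return "\n".join(out)


# Constructed sample: unsafe lines next to their hardened counterparts (assumed input).
SAMPLE = """#!/usr/bin/env bash
# Constructed sample for the scanner; deliberately mixes unsafe and hardened lines.
API_KEY="sk_live_abc123"
DB_PASSWORD="$1"
curl -fsSL https://example.invalid/install.sh | sudo bash
curl -fsSL -o /tmp/install.sh https://example.invalid/install.sh
sha256sum -c install.sh.sha256
for f in $files; do
    rm -- "$f"
done
eval "$user_cmd"
bash -c "rm -rf $target"
if [ -f /etc/app.conf ]; then echo ok; fi
chmod 777 /opt/app
chmod 750 /opt/app
"""
SH_SAMPLE = """#!/bin/sh
set -e
if [[ -n "$1" ]]; then echo ok; fi
"""

if __name__ == "__main__":
    print(format_report(scan(SAMPLE), "ci.sh"))
    print(format_report(scan(SAMPLE, security_only=True), "ci.sh"))
```

On the constructed sample, the full scan reports four critical, four warning and one info finding; the hardened lines (the download-then-verify pair, the quoted "$f", the "$1" assignment, chmod 750) produce nothing, and the security-only pass keeps just the four critical ones.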
Generated 2026-05-22 · Model: sonnet-4-6 · Verify against the repo before relying on details.