explaingit

anordal/shellharden

4,781
Rust
Audience · developer
Complexity · 2/5
Setup · easy

TLDR

A Rust command-line tool that finds and fixes unsafe quoting in bash scripts. It highlights where quotes are missing around variables and can rewrite the script automatically to prevent word-splitting bugs.

Mindmap

mindmap
  root((shellharden))
    What it does
      Find unsafe quotes
      Preview changes
      Auto-fix scripts
    How it works
      Color highlighting
      Transform mode
      Safe bash guide
    Works with
      ShellCheck
      CI pipelines
    Install methods
      Cargo crates.io
      Linux packages
      Build from source

Things people build with this

USE CASE 1

Scan a bash script with color highlighting to preview exactly where quoting fixes are needed before applying any changes

USE CASE 2

Automatically rewrite a bash script to add correct quotes around variables and prevent word-splitting bugs

USE CASE 3

Combine with ShellCheck in a CI pipeline to both identify and automatically fix unsafe shell script patterns

USE CASE 4

Learn safe bash scripting conventions through the accompanying guide included in the repository

Tech stack

Rust · bash · crates.io

Getting it running

Difficulty · easy
Time to first run · 5 min

Requires Rust and Cargo to install from crates.io or build from source; Linux distribution package repositories also carry it, so a prebuilt package is an alternative to compiling.

No license information was provided in the explanation.

In plain English

Shellharden is a tool for finding and fixing unsafe patterns in bash shell scripts. The most common problem it targets is missing quotation marks around variables. In bash, a variable expanded without quotes is split on whitespace and then subjected to pathname expansion, so one value can turn into several arguments, or into a list of whatever files happen to match in the current directory. When the value comes from outside the script (a filename, user input, command output), that is not just a bug but a way for an attacker to choose what arguments a command receives. The README puts it concisely: a bash variable without its quotes is like a hand grenade with the pin pulled.

The tool works in two modes. In its default mode, it reads a script and displays it with syntax highlighting in the foreground colors and marks where quotes should be added or removed with colored backgrounds. This lets you see exactly what changes would be made before committing to them. With the transform option, it applies those fixes and produces the rewritten script.

Shellharden is designed to complement ShellCheck, a separate and widely used linter that finds problems in shell scripts and explains them. ShellCheck reports what is wrong; Shellharden applies the quoting fixes. The README notes that you should still review changes before applying them: a script that deliberately relies on the word-splitting behavior that Shellharden removes (for example, a variable that holds a list of options to be expanded into several arguments) will behave differently after the transform, and a human needs to judge whether the change is safe.

The tool is written in Rust and published on crates.io, the Rust package registry. You can install it with a single Cargo command if you have Rust installed, or build it from source yourself. Linux distributions also package it through their own repositories. An accompanying guide in the repository explains how to write bash scripts safely by hand, covering the patterns that avoid the pitfalls Shellharden is designed to catch.
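The following is an added example, not code from shellharden or its README. It demonstrates the hazard the tool exists to remove: the same constructed filename (one that contains spaces and a glob character) is passed to a helper unquoted and quoted, and the number of arguments the helper receives is measured in each case. The temporary directory, the file names in it, and the helper function names are all assumptions made for the demonstration; nothing here exercises shellharden's own command-line options.

```bash
#!/usr/bin/env bash
# Added example, not part of shellharden: shows the word-splitting and
# pathname-expansion hazard of unquoted variables, next to the quoted form
# that shellharden rewrites scripts toward.

# Prints how many arguments it received; used to observe the expansion.
count_args() {
    printf '%s\n' "$#"
}

# Constructed input: one filename containing spaces and a glob character.
# Names like this are attacker-controlled whenever they come from uploads,
# untrusted archives, or the output of find/ls.
UNSAFE_NAME='my report *.txt'

# Unquoted expansion. The shell splits the value on IFS whitespace, then
# expands the '*.txt' word against the working directory, so a single
# "filename" becomes several arguments whose number depends on what files
# happen to exist there.
unquoted_arg_count() {
    local dir result
    dir=$(mktemp -d) || return 1
    touch "$dir/a.txt" "$dir/b.txt"
    # shellcheck disable=SC2086
    # Deliberately unquoted to show the bug.
    result=$(cd "$dir" && count_args $UNSAFE_NAME)
    rm -rf "$dir"
    printf '%s\n' "$result"
}

# Quoted expansion: exactly one argument, whatever the name contains and
# whatever files exist in the working directory.
quoted_arg_count() {
    local dir result
    dir=$(mktemp -d) || return 1
    touch "$dir/a.txt" "$dir/b.txt"
    result=$(cd "$dir" && count_args "$UNSAFE_NAME")
    rm -rf "$dir"
    printf '%s\n' "$result"
}

# The same hazard with command output: iterating over unquoted $(ls ...)
# splits a name containing a space into two loop iterations.
count_entries_unquoted_ls() {
    local dir n f
    dir=$(mktemp -d) || return 1
    touch "$dir/plain.txt" "$dir/with space.txt"
    n=0
    # shellcheck disable=SC2045,SC2086
    for f in $(ls "$dir"); do
        n=$((n + 1))
    done
    rm -rf "$dir"
    printf '%s\n' "$n"
}

# Iterating over a quoted glob keeps each directory entry intact.
count_entries_quoted_glob() {
    local dir n f
    dir=$(mktemp -d) || return 1
    touch "$dir/plain.txt" "$dir/with space.txt"
    n=0
    for f in "$dir"/*; do
        n=$((n + 1))
    done
    rm -rf "$dir"
    printf '%s\n' "$n"
}

printf 'unquoted: %s args, quoted: %s args\n' \
    "$(unquoted_arg_count)" "$(quoted_arg_count)"
printf 'unquoted ls loop: %s entries, quoted glob loop: %s entries\n' \
    "$(count_entries_unquoted_ls)" "$(count_entries_quoted_glob)"
```

Run it with bash or a POSIX sh: the unquoted call receives four arguments (two words from the spaces plus the two files matched by the glob) while the quoted call receives one, and the unquoted ls loop sees three entries where the quoted glob loop sees two. The fix shellharden makes is exactly the move from the first form to the second; the caveat from the README applies in reverse, since a script that intentionally passes a space-separated list of options through an unquoted variable will lose that behavior once quoted.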

Copy-paste prompts

Prompt 1
I have a bash script with subtle variable expansion bugs. Show me how to run shellharden on it in preview mode to see the suggested fixes highlighted before I apply them.
Prompt 2
How do I set up a CI pipeline step that runs both ShellCheck and shellharden on every pull request to catch and fix unsafe bash quoting patterns automatically?
Prompt 3
Install shellharden using Cargo and use it to transform a bash script that has unquoted variables. Explain each change the tool makes and why it is safer.
Prompt 4
What specific bash patterns does shellharden target and what does it mean that an unquoted variable is like a hand grenade with the pin pulled?