The 2 AM Phone Call and a Costly Lesson
2 AM, your phone vibrates violently on the nightstand. You blearily check it, only to find thousands of error logs: the production server is out of resources. The cause wasn’t an attack, but a Bash script running a periodic cronjob. Because of a missing pair of double quotes on a path variable containing spaces, the rm -rf command, instead of cleaning up a temp folder, wiped out critical data surrounding it.
This scenario isn’t rare. After over 5 years of system administration, I’ve realized that no matter how careful you are, logic typos are always lurking. To avoid pulling all-nighters fixing bugs, I always rely on a powerful ally: ShellCheck.
ShellCheck isn’t just a syntax checker. It’s like a veteran colleague constantly scrutinizing every line of code, helping you identify security vulnerabilities or outdated commands before they can cause havoc.
Quick Start: Install ShellCheck in 60 Seconds
Equipping yourself with this “shield” is incredibly simple. Depending on your operating system, run the corresponding command:
1. Installing on Linux
Ubuntu/Debian:
sudo apt update && sudo apt install shellcheckCentOS/RHEL (via EPEL):
sudo yum install epel-release -y
sudo yum install shellcheck -yMacOS (using Homebrew):
brew install shellcheck2. Checking Your First Script
Suppose you have a script clean_logs.sh with this common error:
#!/bin/bash
log_dir=/var/log/my app
rm -rf $log_dir/*Run the command: shellcheck clean_logs.sh. Immediately, you’ll get a red warning. In Bash, without quotes, the command above becomes rm -rf /var/log/my app/*. The shell interprets this as two separate arguments: the directory /var/log/my and every file in the app/ directory. That’s where the disaster begins.
3 “Fatal” Errors Everyone Makes
ShellCheck helps you spot logic errors that are very hard to see with the naked eye in scripts hundreds of lines long.
1. Forgetting to Quote Variables (Quoting)
This is the “king” of all errors. Always use double quotes for variables to protect the script from spaces or strange characters.
# High risk
file_path=$1
# Expert standard
file_path="$1"2. Ghost Variables (Unassigned variables)
Did you mistype a variable name? Bash defaults to treating it as an empty string instead of throwing an error. ShellCheck will warn you immediately: var is referenced but not assigned.
target_dir="/tmp/data"
rm -rf "$targte_dir/" # Typo in variable name, almost wiped root /3. Overusing Backticks (“)
Using `command` is a 90s style. It’s extremely difficult to nest and handle special characters. ShellCheck will guide you toward $(command) – more modern and much cleaner.
Integrate ShellCheck into Your Workflow for Easier Living
Don’t wait until you’ve finished writing to check your code. Automate it.
Integrate Directly into VS Code
Find and install the “shellcheck” extension. Every time you make a mistake, a red underline will appear with detailed fix instructions. It’s like having a Linux expert whispering the answers in your ear.
Automate with CI/CD
In larger projects, add ShellCheck to your GitHub Actions or GitLab CI pipeline. A script should only be allowed to merge once it passes the ShellCheck test. This ensures 100% of the Bash code in the repo meets standard.
# Example GitHub Action
steps:
- uses: actions/checkout@v3
- name: Run ShellCheck
run: shellcheck scripts/*.shReal-World Advice: Don’t Just Stop at ShellCheck
To make scripts truly resilient in production, I always apply the trio set -euo pipefail on the second line of every script. This command makes the script stop immediately when an error occurs, instead of continuing and causing further damage.
Additionally, pay attention to file formatting (Line Endings). If you edit on Windows (CRLF) and then move it to Linux (LF), the script will throw strange errors. ShellCheck is very sensitive to this and will remind you to convert the format immediately.
Writing Bash isn’t hard; writing it safely is. Install ShellCheck today. Don’t wait until the server crashes to regret an accidental space!
