Our great sponsors
-
One of my favorite things about Shellcheck is that the error messages come with a link to a wiki page about the problem. Does anyone know other programs that have a similar approach to error messages?
-
This is one of my favorite tips for almost effortlessly improving devops productivity (along with using https://github.com/mvdan/sh for auto-formatting) — by now shellcheck has good editor support in e.g. VSCode and I have a standard pre-commit.com hook for all of my projects. I've seen so many long iterations where people flail at a complex shell script for something like a cron job which was immediately flagged by shellcheck. I generally recommend rewriting in Python but this is a good less invasive step.
One thing which might be worth considering is adding this to your personal ~/.shellcheckrc to make it more pedantic:
enable=all
-
SonarLint
Deliver Cleaner and Safer Code - Right in Your IDE of Choice!. SonarLint is a free and open source IDE extension that identifies and catches bugs and vulnerabilities as you code, directly in the IDE. Install from your favorite IDE marketplace today.
-
Hadolint is another. It's built atop shellcheck.
-
find-sec-bugs
The SpotBugs plugin for security audits of Java web applications and Android applications. (Also work with Kotlin, Groovy and Scala projects)
find-sec-bugs does that. It's used by, for example, SonarQube.
See hhttps://github.com/find-sec-bugs/find-sec-bugs/blob/master/f... and do a "CTRL-F" and search for "References".
-
Alongside ShellCheck, I also use shUnit2 as my unit testing framework. Yes, you should test your bash.
-
I haven't used it, but I have seen something similar called shellharden. It pitches it's advantage as being able to auto apply the changes.
-
static-analysis
⚙️ A curated list of static analysis (SAST) tools for all programming languages, config files, build tools, and more.
Same. Few years ago I started a little list of linters. Just kept adding tools and the list is huge now thanks to lots of contributors. https://github.com/analysis-tools-dev/static-analysis
-
Scout APM
Less time debugging, more time building. Scout APM allows you to find and fix performance issues with no hassle. Now with error monitoring and external services monitoring, Scout is a developer's best friend when it comes to application development.
-
I really like task (http://taskfile.dev/) as a more usable layer on top of mydan/sh. Task is basically make but with a yaml syntax and built-in posix shell interpreter all in a single statically linked executable. It makes building something even on Windows a total breeze.
-
Since the project I work on (https://spdk.io) largely produces a set of executables as output, it was most natural to write the tests in bash. There's one top level bash script that kicks off the full suite of tests and thousands and thousands of lines of tests all written as bash scripts stringing together calls to these executables.
One of these tests is to run shellcheck against all of the scripts in the repo. We don't allow any modifications to scripts without shellcheck giving them the green light now. The quality of our tests has increased dramatically since this was instituted - it's a really great tool.
-
And talking about tests... I recommend [bats](https://github.com/bats-core/bats-core) for testing! I'm slowly adding tests to my dotfiles using this.
-
shellcheck-repl: Validation of Shell Commands Before Evaluation
https://github.com/HenrikBengtsson/shellcheck-repl
This tool validates your commands at the Bash prompt using ShellCheck and refuses to evaluate them if there's a mistake. It ignores a set of rules that doesn't play well with oneliners.
(Disclaimer: I'm one of the authors)
