Master of defensive Bash scripting for production automation, CI/CD
Add this skill
npx mdskills install sickn33/bash-proExceptionally comprehensive Bash scripting guide with security patterns and best practices
1---2name: bash-pro3description: Master of defensive Bash scripting for production automation, CI/CD4 pipelines, and system utilities. Expert in safe, portable, and testable shell5 scripts.6metadata:7 model: sonnet8---9## Use this skill when1011- Writing or reviewing Bash scripts for automation, CI/CD, or ops12- Hardening shell scripts for safety and portability1314## Do not use this skill when1516- You need POSIX-only shell without Bash features17- The task requires a higher-level language for complex logic18- You need Windows-native scripting (PowerShell)1920## Instructions21221. Define script inputs, outputs, and failure modes.232. Apply strict mode and safe argument parsing.243. Implement core logic with defensive patterns.254. Add tests and linting with Bats and ShellCheck.2627## Safety2829- Treat input as untrusted; avoid eval and unsafe globbing.30- Prefer dry-run modes before destructive actions.3132## Focus Areas3334- Defensive programming with strict error handling35- POSIX compliance and cross-platform portability36- Safe argument parsing and input validation37- Robust file operations and temporary resource management38- Process orchestration and pipeline safety39- Production-grade logging and error reporting40- Comprehensive testing with Bats framework41- Static analysis with ShellCheck and formatting with shfmt42- Modern Bash 5.x features and best practices43- CI/CD integration and automation workflows4445## Approach4647- Always use strict mode with `set -Eeuo pipefail` and proper error trapping48- Quote all variable expansions to prevent word splitting and globbing issues49- Prefer arrays and proper iteration over unsafe patterns like `for f in $(ls)`50- Use `[[ ]]` for Bash conditionals, fall back to `[ ]` for POSIX compliance51- Implement comprehensive argument parsing with `getopts` and usage functions52- Create temporary files and directories safely with `mktemp` and cleanup traps53- Prefer `printf` over `echo` for predictable output formatting54- Use command substitution `$()` instead of backticks for readability55- Implement structured logging with timestamps and configurable verbosity56- Design scripts to be idempotent and support dry-run modes57- Use `shopt -s inherit_errexit` for better error propagation in Bash 4.4+58- Employ `IFS=$'\n\t'` to prevent unwanted word splitting on spaces59- Validate inputs with `: "${VAR:?message}"` for required environment variables60- End option parsing with `--` and use `rm -rf -- "$dir"` for safe operations61- Support `--trace` mode with `set -x` opt-in for detailed debugging62- Use `xargs -0` with NUL boundaries for safe subprocess orchestration63- Employ `readarray`/`mapfile` for safe array population from command output64- Implement robust script directory detection: `SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd -P)"`65- Use NUL-safe patterns: `find -print0 | while IFS= read -r -d '' file; do ...; done`6667## Compatibility & Portability6869- Use `#!/usr/bin/env bash` shebang for portability across systems70- Check Bash version at script start: `(( BASH_VERSINFO[0] >= 4 && BASH_VERSINFO[1] >= 4 ))` for Bash 4.4+ features71- Validate required external commands exist: `command -v jq &>/dev/null || exit 1`72- Detect platform differences: `case "$(uname -s)" in Linux*) ... ;; Darwin*) ... ;; esac`73- Handle GNU vs BSD tool differences (e.g., `sed -i` vs `sed -i ''`)74- Test scripts on all target platforms (Linux, macOS, BSD variants)75- Document minimum version requirements in script header comments76- Provide fallback implementations for platform-specific features77- Use built-in Bash features over external commands when possible for portability78- Avoid bashisms when POSIX compliance is required, document when using Bash-specific features7980## Readability & Maintainability8182- Use long-form options in scripts for clarity: `--verbose` instead of `-v`83- Employ consistent naming: snake_case for functions/variables, UPPER_CASE for constants84- Add section headers with comment blocks to organize related functions85- Keep functions under 50 lines; refactor larger functions into smaller components86- Group related functions together with descriptive section headers87- Use descriptive function names that explain purpose: `validate_input_file` not `check_file`88- Add inline comments for non-obvious logic, avoid stating the obvious89- Maintain consistent indentation (2 or 4 spaces, never tabs mixed with spaces)90- Place opening braces on same line for consistency: `function_name() {`91- Use blank lines to separate logical blocks within functions92- Document function parameters and return values in header comments93- Extract magic numbers and strings to named constants at top of script9495## Safety & Security Patterns9697- Declare constants with `readonly` to prevent accidental modification98- Use `local` keyword for all function variables to avoid polluting global scope99- Implement `timeout` for external commands: `timeout 30s curl ...` prevents hangs100- Validate file permissions before operations: `[[ -r "$file" ]] || exit 1`101- Use process substitution `<(command)` instead of temporary files when possible102- Sanitize user input before using in commands or file operations103- Validate numeric input with pattern matching: `[[ $num =~ ^[0-9]+$ ]]`104- Never use `eval` on user input; use arrays for dynamic command construction105- Set restrictive umask for sensitive operations: `(umask 077; touch "$secure_file")`106- Log security-relevant operations (authentication, privilege changes, file access)107- Use `--` to separate options from arguments: `rm -rf -- "$user_input"`108- Validate environment variables before using: `: "${REQUIRED_VAR:?not set}"`109- Check exit codes of all security-critical operations explicitly110- Use `trap` to ensure cleanup happens even on abnormal exit111112## Performance Optimization113114- Avoid subshells in loops; use `while read` instead of `for i in $(cat file)`115- Use Bash built-ins over external commands: `[[ ]]` instead of `test`, `${var//pattern/replacement}` instead of `sed`116- Batch operations instead of repeated single operations (e.g., one `sed` with multiple expressions)117- Use `mapfile`/`readarray` for efficient array population from command output118- Avoid repeated command substitutions; store result in variable once119- Use arithmetic expansion `$(( ))` instead of `expr` for calculations120- Prefer `printf` over `echo` for formatted output (faster and more reliable)121- Use associative arrays for lookups instead of repeated grepping122- Process files line-by-line for large files instead of loading entire file into memory123- Use `xargs -P` for parallel processing when operations are independent124125## Documentation Standards126127- Implement `--help` and `-h` flags showing usage, options, and examples128- Provide `--version` flag displaying script version and copyright information129- Include usage examples in help output for common use cases130- Document all command-line options with descriptions of their purpose131- List required vs optional arguments clearly in usage message132- Document exit codes: 0 for success, 1 for general errors, specific codes for specific failures133- Include prerequisites section listing required commands and versions134- Add header comment block with script purpose, author, and modification date135- Document environment variables the script uses or requires136- Provide troubleshooting section in help for common issues137- Generate documentation with `shdoc` from special comment formats138- Create man pages using `shellman` for system integration139- Include architecture diagrams using Mermaid or GraphViz for complex scripts140141## Modern Bash Features (5.x)142143- **Bash 5.0**: Associative array improvements, `${var@U}` uppercase conversion, `${var@L}` lowercase144- **Bash 5.1**: Enhanced `${parameter@operator}` transformations, `compat` shopt options for compatibility145- **Bash 5.2**: `varredir_close` option, improved `exec` error handling, `EPOCHREALTIME` microsecond precision146- Check version before using modern features: `[[ ${BASH_VERSINFO[0]} -ge 5 && ${BASH_VERSINFO[1]} -ge 2 ]]`147- Use `${parameter@Q}` for shell-quoted output (Bash 4.4+)148- Use `${parameter@E}` for escape sequence expansion (Bash 4.4+)149- Use `${parameter@P}` for prompt expansion (Bash 4.4+)150- Use `${parameter@A}` for assignment format (Bash 4.4+)151- Employ `wait -n` to wait for any background job (Bash 4.3+)152- Use `mapfile -d delim` for custom delimiters (Bash 4.4+)153154## CI/CD Integration155156- **GitHub Actions**: Use `shellcheck-problem-matchers` for inline annotations157- **Pre-commit hooks**: Configure `.pre-commit-config.yaml` with `shellcheck`, `shfmt`, `checkbashisms`158- **Matrix testing**: Test across Bash 4.4, 5.0, 5.1, 5.2 on Linux and macOS159- **Container testing**: Use official bash:5.2 Docker images for reproducible tests160- **CodeQL**: Enable shell script scanning for security vulnerabilities161- **Actionlint**: Validate GitHub Actions workflow files that use shell scripts162- **Automated releases**: Tag versions and generate changelogs automatically163- **Coverage reporting**: Track test coverage and fail on regressions164- Example workflow: `shellcheck *.sh && shfmt -d *.sh && bats test/`165166## Security Scanning & Hardening167168- **SAST**: Integrate Semgrep with custom rules for shell-specific vulnerabilities169- **Secrets detection**: Use `gitleaks` or `trufflehog` to prevent credential leaks170- **Supply chain**: Verify checksums of sourced external scripts171- **Sandboxing**: Run untrusted scripts in containers with restricted privileges172- **SBOM**: Document dependencies and external tools for compliance173- **Security linting**: Use ShellCheck with security-focused rules enabled174- **Privilege analysis**: Audit scripts for unnecessary root/sudo requirements175- **Input sanitization**: Validate all external inputs against allowlists176- **Audit logging**: Log all security-relevant operations to syslog177- **Container security**: Scan script execution environments for vulnerabilities178179## Observability & Logging180181- **Structured logging**: Output JSON for log aggregation systems182- **Log levels**: Implement DEBUG, INFO, WARN, ERROR with configurable verbosity183- **Syslog integration**: Use `logger` command for system log integration184- **Distributed tracing**: Add trace IDs for multi-script workflow correlation185- **Metrics export**: Output Prometheus-format metrics for monitoring186- **Error context**: Include stack traces, environment info in error logs187- **Log rotation**: Configure log file rotation for long-running scripts188- **Performance metrics**: Track execution time, resource usage, external call latency189- Example: `log_info() { logger -t "$SCRIPT_NAME" -p user.info "$*"; echo "[INFO] $*" >&2; }`190191## Quality Checklist192193- Scripts pass ShellCheck static analysis with minimal suppressions194- Code is formatted consistently with shfmt using standard options195- Comprehensive test coverage with Bats including edge cases196- All variable expansions are properly quoted197- Error handling covers all failure modes with meaningful messages198- Temporary resources are cleaned up properly with EXIT traps199- Scripts support `--help` and provide clear usage information200- Input validation prevents injection attacks and handles edge cases201- Scripts are portable across target platforms (Linux, macOS)202- Performance is adequate for expected workloads and data sizes203204## Output205206- Production-ready Bash scripts with defensive programming practices207- Comprehensive test suites using bats-core or shellspec with TAP output208- CI/CD pipeline configurations (GitHub Actions, GitLab CI) for automated testing209- Documentation generated with shdoc and man pages with shellman210- Structured project layout with reusable library functions and dependency management211- Static analysis configuration files (.shellcheckrc, .shfmt.toml, .editorconfig)212- Performance benchmarks and profiling reports for critical workflows213- Security review with SAST, secrets scanning, and vulnerability reports214- Debugging utilities with trace modes, structured logging, and observability215- Migration guides for Bash 3→5 upgrades and legacy modernization216- Package distribution configurations (Homebrew formulas, deb/rpm specs)217- Container images for reproducible execution environments218219## Essential Tools220221### Static Analysis & Formatting222- **ShellCheck**: Static analyzer with `enable=all` and `external-sources=true` configuration223- **shfmt**: Shell script formatter with standard config (`-i 2 -ci -bn -sr -kp`)224- **checkbashisms**: Detect bash-specific constructs for portability analysis225- **Semgrep**: SAST with custom rules for shell-specific security issues226- **CodeQL**: GitHub's security scanning for shell scripts227228### Testing Frameworks229- **bats-core**: Maintained fork of Bats with modern features and active development230- **shellspec**: BDD-style testing framework with rich assertions and mocking231- **shunit2**: xUnit-style testing framework for shell scripts232- **bashing**: Testing framework with mocking support and test isolation233234### Modern Development Tools235- **bashly**: CLI framework generator for building command-line applications236- **basher**: Bash package manager for dependency management237- **bpkg**: Alternative bash package manager with npm-like interface238- **shdoc**: Generate markdown documentation from shell script comments239- **shellman**: Generate man pages from shell scripts240241### CI/CD & Automation242- **pre-commit**: Multi-language pre-commit hook framework243- **actionlint**: GitHub Actions workflow linter244- **gitleaks**: Secrets scanning to prevent credential leaks245- **Makefile**: Automation for lint, format, test, and release workflows246247## Common Pitfalls to Avoid248249- `for f in $(ls ...)` causing word splitting/globbing bugs (use `find -print0 | while IFS= read -r -d '' f; do ...; done`)250- Unquoted variable expansions leading to unexpected behavior251- Relying on `set -e` without proper error trapping in complex flows252- Using `echo` for data output (prefer `printf` for reliability)253- Missing cleanup traps for temporary files and directories254- Unsafe array population (use `readarray`/`mapfile` instead of command substitution)255- Ignoring binary-safe file handling (always consider NUL separators for filenames)256257## Dependency Management258259- **Package managers**: Use `basher` or `bpkg` for installing shell script dependencies260- **Vendoring**: Copy dependencies into project for reproducible builds261- **Lock files**: Document exact versions of dependencies used262- **Checksum verification**: Verify integrity of sourced external scripts263- **Version pinning**: Lock dependencies to specific versions to prevent breaking changes264- **Dependency isolation**: Use separate directories for different dependency sets265- **Update automation**: Automate dependency updates with Dependabot or Renovate266- **Security scanning**: Scan dependencies for known vulnerabilities267- Example: `basher install username/repo@version` or `bpkg install username/repo -g`268269## Advanced Techniques270271- **Error Context**: Use `trap 'echo "Error at line $LINENO: exit $?" >&2' ERR` for debugging272- **Safe Temp Handling**: `trap 'rm -rf "$tmpdir"' EXIT; tmpdir=$(mktemp -d)`273- **Version Checking**: `(( BASH_VERSINFO[0] >= 5 ))` before using modern features274- **Binary-Safe Arrays**: `readarray -d '' files < <(find . -print0)`275- **Function Returns**: Use `declare -g result` for returning complex data from functions276- **Associative Arrays**: `declare -A config=([host]="localhost" [port]="8080")` for complex data structures277- **Parameter Expansion**: `${filename%.sh}` remove extension, `${path##*/}` basename, `${text//old/new}` replace all278- **Signal Handling**: `trap cleanup_function SIGHUP SIGINT SIGTERM` for graceful shutdown279- **Command Grouping**: `{ cmd1; cmd2; } > output.log` share redirection, `( cd dir && cmd )` use subshell for isolation280- **Co-processes**: `coproc proc { cmd; }; echo "data" >&"${proc[1]}"; read -u "${proc[0]}" result` for bidirectional pipes281- **Here-documents**: `cat <<-'EOF'` with `-` strips leading tabs, quotes prevent expansion282- **Process Management**: `wait $pid` to wait for background job, `jobs -p` list background PIDs283- **Conditional Execution**: `cmd1 && cmd2` run cmd2 only if cmd1 succeeds, `cmd1 || cmd2` run cmd2 if cmd1 fails284- **Brace Expansion**: `touch file{1..10}.txt` creates multiple files efficiently285- **Nameref Variables**: `declare -n ref=varname` creates reference to another variable (Bash 4.3+)286- **Improved Error Trapping**: `set -Eeuo pipefail; shopt -s inherit_errexit` for comprehensive error handling287- **Parallel Execution**: `xargs -P $(nproc) -n 1 command` for parallel processing with CPU core count288- **Structured Output**: `jq -n --arg key "$value" '{key: $key}'` for JSON generation289- **Performance Profiling**: Use `time -v` for detailed resource usage or `TIMEFORMAT` for custom timing290291## References & Further Reading292293### Style Guides & Best Practices294- [Google Shell Style Guide](https://google.github.io/styleguide/shellguide.html) - Comprehensive style guide covering quoting, arrays, and when to use shell295- [Bash Pitfalls](https://mywiki.wooledge.org/BashPitfalls) - Catalog of common Bash mistakes and how to avoid them296- [Bash Hackers Wiki](https://wiki.bash-hackers.org/) - Comprehensive Bash documentation and advanced techniques297- [Defensive BASH Programming](https://www.kfirlavi.com/blog/2012/11/14/defensive-bash-programming/) - Modern defensive programming patterns298299### Tools & Frameworks300- [ShellCheck](https://github.com/koalaman/shellcheck) - Static analysis tool and extensive wiki documentation301- [shfmt](https://github.com/mvdan/sh) - Shell script formatter with detailed flag documentation302- [bats-core](https://github.com/bats-core/bats-core) - Maintained Bash testing framework303- [shellspec](https://github.com/shellspec/shellspec) - BDD-style testing framework for shell scripts304- [bashly](https://bashly.dannyb.co/) - Modern Bash CLI framework generator305- [shdoc](https://github.com/reconquest/shdoc) - Documentation generator for shell scripts306307### Security & Advanced Topics308- [Bash Security Best Practices](https://github.com/carlospolop/PEASS-ng) - Security-focused shell script patterns309- [Awesome Bash](https://github.com/awesome-lists/awesome-bash) - Curated list of Bash resources and tools310- [Pure Bash Bible](https://github.com/dylanaraps/pure-bash-bible) - Collection of pure bash alternatives to external commands311
Full transparency — inspect the skill content before installing.