###############################################################################
# .shellcheckrc
#
# Purpose:
# Enforce secure, deterministic, and portable Bash 4+ scripting practices.
# Designed for CI enforcement and security-sensitive automation.
#
# Philosophy:
# - Bash-first, zsh-best-effort
# - No hidden control flow
# - No masked failures
# - No undefined behavior
# - No reliance on `set -e`
# - Explicit error handling
# - Array-safe argument passing
###############################################################################
#------------------------------------------------------------------------------
# Shell dialect and version
#------------------------------------------------------------------------------
shell=bash
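# ShellCheck has no rc key for a minimum Bash version; the Bash 4+ floor is a
# project convention that ShellCheck itself does not enforce.
#bash-version=4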
#------------------------------------------------------------------------------
# Treat style issues as errors in CI
#------------------------------------------------------------------------------
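# `severity` is a command-line option, not an rc key. Pass it in CI:
#   shellcheck --severity=style <files>
#severity=style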
#------------------------------------------------------------------------------
# Enable all optional checks (left commented out; the optional checks in use
# are enabled by name below)
#------------------------------------------------------------------------------
#enable=all
#------------------------------------------------------------------------------
# Enforced Safety & Correctness Rules (DO NOT DISABLE)
#------------------------------------------------------------------------------
# Quote variables to prevent word splitting and globbing
# SC2086: Double quote to prevent globbing and word splitting
# SC2046: Quote this to prevent word splitting
# SC2164: cd must be checked
# SC2155: Declare and assign separately to avoid masking return values
# SC2154: Variable referenced but not assigned (set -u discipline)
# SC2034: Unused variables (dead code detection)
# SC2317: Unreachable / dead code
# SC2181: Check the exit code directly (if cmd; then), not indirectly via $?
# SC2312: Command invoked where its return value is masked (optional check;
#         needs enable=check-extra-masked-returns)
# SC2015: Logical operator misuse (cmd1 && cmd2 || cmd3 pitfalls)
# SC2128: Expanding arrays without index
# SC2206: Unsafe array splitting
# SC2230: Use command -v instead of which (via deprecate-which)
# SC2001: Prefer parameter expansion over external sed
# SC2039: Non-POSIX extensions (retired; superseded by the SC3xxx checks)
# SC2310: Function invoked in a condition, so set -e is disabled inside it
#         (via check-set-e-suppressed)
# SC3043: In POSIX sh, local is undefined
# SC3054: In POSIX sh, array references are undefined
# SC3057: In POSIX sh, string indexing is undefined
# SC3003: In POSIX sh, $'..' is undefined
# SC3004: In POSIX sh, $".." is undefined
# Note: the SC3xxx checks fire only when the target shell is sh/dash, not bash.
#------------------------------------------------------------------------------
# Dynamic sourcing policy
#------------------------------------------------------------------------------
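# Allow dynamic sourcing only with explicit annotation:
# # shellcheck source=/absolute/path
# Disabling SC1090/SC1091 here silences both warnings for every script that
# uses this rc file, including unannotated `source "${var}"`, so ShellCheck
# will not enforce the annotation rule; a separate gate has to.
disable=SC1090,SC1091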
#------------------------------------------------------------------------------
# Rare, controlled deviations (require comment justification in code)
#------------------------------------------------------------------------------
# SC2162: read without -r (only if escape processing is intended)
#disable=SC2162
# SC2294: eval usage (only for heavily audited metaprogramming)
#disable=SC2294
#------------------------------------------------------------------------------
# Formatting & readability
#------------------------------------------------------------------------------
# Enforce modern Bash constructs (enable= takes optional-check names, not SC codes)
enable=require-variable-braces,require-double-brackets,deprecate-which,quote-safe-variables,add-default-case,avoid-nullary-conditions,check-set-e-suppressed,check-unassigned-uppercase
#enable=require-variable-braces # ${VAR} instead of $VAR
#enable=require-double-brackets # [[ ... ]] instead of [ ... ]
#enable=deprecate-which # command -v over which
#enable=quote-safe-variables # quote even "safe" variables
#enable=add-default-case # require default in case
#enable=avoid-nullary-conditions # avoid [ "$var" ] ambiguity
#enable=check-set-e-suppressed # detect masked set -e
#enable=check-unassigned-uppercase # catch typos in constants
#------------------------------------------------------------------------------
# Security foot-gun prevention
#------------------------------------------------------------------------------
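# These checks are on by default. `enable=` accepts only optional-check names,
# so they are listed for reference and must not be disabled.
# SC2035: Use ./*glob* or -- *glob* so names with dashes won't become options
# SC2148: Missing or bad shebang
# SC2231: Quote expansions in a for-loop glob to prevent word splitting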
#------------------------------------------------------------------------------
# Function semantics policy
#------------------------------------------------------------------------------
# Enforced by external gates:
# - Must use: function name()
# - Must have proc-doc blocks
# - Must not use: name()
# ShellCheck assists but syntax gate is authoritative.
#------------------------------------------------------------------------------
# CI determinism
#------------------------------------------------------------------------------
# Require explicit existence of sourced files (except where annotated)
# Prevents host-dependent behavior and makes pipelines reproducible.
#------------------------------------------------------------------------------
# Optional: Exclude generated or vendor directories
#------------------------------------------------------------------------------
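# ShellCheck has no path-exclusion rc key (its --exclude option takes SC codes);
# filter the file list passed to shellcheck in CI instead.
# exclude=vendor/,dist/,build/,node_modules/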
###############################################################################
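
An added example, not part of the repository's file: the two failure-masking patterns this configuration targets (SC2155, and SC2310 through check-set-e-suppressed) next to the explicit handling the philosophy section asks for. `fetch_token`, `deploy_implicit`, `deploy_explicit` and `run_step` are hypothetical names, and the functions use the portable `name()` form so the demo behaves the same under bash and sh.

```shell
# Constructed demo (not from the repository).

# Hypothetical helper: emits partial output, then fails with status 3.
fetch_token() {
  printf 'partial'
  return 3
}

# SC2155 pattern: `local` returns 0, so the failure is lost and the
# truncated value is used as if it were valid.
masked_assign() {
  local token="$(fetch_token)"
  printf 'rc=%s token=%s\n' "$?" "${token}"
}

# Declare first, assign in the condition: the helper's status is captured.
split_assign() {
  local token rc
  if token="$(fetch_token)"; then rc=0; else rc=$?; fi
  if [ "${rc}" -ne 0 ]; then
    printf 'rc=%s token rejected\n' "${rc}"
    return 0
  fi
  printf 'rc=0 token=%s\n' "${token}"
}

# Step that relies on set -e to stop after a failed command.
# The subshell body keeps set -e from leaking into the caller.
deploy_implicit() (
  set -e
  false
  printf 'deployed '
)

# Same step with the failure handled explicitly.
deploy_explicit() {
  false || return 1
  printf 'deployed '
}

# SC2310 pattern: as an `if` condition, set -e is ignored inside the callee.
run_step() {
  if "$1"; then printf 'ok\n'; else printf 'failed\n'; fi
}

printf '%s\n' "$(masked_assign)" "$(split_assign)" \
  "$(run_step deploy_implicit)" "$(run_step deploy_explicit)"
```

The implicit variant reports success after a failed command, which is why the policy treats `set -e` as unreliable and requires each failure to be handled where it occurs.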