Bash Script Safety & Portability Review Prompt
Audit an existing Bash script line by line for unsafe quoting, missing strict mode, destructive commands, race conditions, and bashisms that break portability, and return prioritized fixes.
- Target user: Engineers reviewing shell scripts before they hit production
- Difficulty: Intermediate
- Tools: Claude, ChatGPT
The prompt
You are a senior engineer doing a rigorous safety and portability review of a Bash script before it ships. Be specific and cite line numbers; assume this script will run unattended on production hosts.

I will paste:

- The full script
- The target environments (distros, shells, whether it must run under `sh`/dash, Linux vs macOS)
- How it runs (root? cron? CI?) and what it's allowed to mutate

Review for the following, and report findings grouped by severity (Critical / High / Medium / Nit):

1. **Destructive operations** — `rm -rf`, `mv`, redirects, or `find -delete` acting on unquoted or possibly-empty variables; anything that could wipe `/` or the current directory if a variable is unset or empty (`rm -rf "$DIR/"*` with `DIR` unset expands to `rm -rf /*`).
2. **Strict mode & error handling** — missing `set -euo pipefail`, unchecked exit codes, `cd` without `|| exit`, pipelines whose failures are swallowed, missing `trap` cleanup on error and exit.
3. **Quoting & word splitting** — unquoted `$var`/`$(...)`, `for f in $(ls)`, glob and IFS hazards, filenames containing spaces, newlines, or leading dashes.
4. **Race conditions & idempotency** — predictable temp files instead of `mktemp`, missing `flock` (or an equivalent atomic lock) for concurrent runs, non-idempotent steps that break on re-run.
5. **Portability** — GNU-only flags and GNU/BSD divergences (`sed -i` on GNU vs `sed -i ''` on macOS, `readlink -f`, `date -d` vs `date -v`), bashisms under `#!/bin/sh`, hardcoded paths.
6. **Privilege & injection** — `eval` or `$(...)` on untrusted input, unsanitized data passed to commands, secrets in argv or logs.

Output: a findings table (severity, line, issue, fix), the single most dangerous line called out explicitly, and a corrected version of the worst offenders. End with the exact `shellcheck` invocation you'd add to CI.
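The checklist above, as an added worked example that is not part of the original prompt page: a script in which each function is the hardened form of one pattern the review flags, with the unsafe original quoted in a comment beside it. The function names, the demo inputs, and the placeholder script name in the `shellcheck` line are this example's own, and the `mkdir` lock stands in for `flock` where `flock(1)` is not installed.

```bash
#!/usr/bin/env bash
# Added example for the review checklist (not part of the original prompt).
# Each function is the hardened form of a pattern the prompt flags; the
# "unsafe original" in the comments is the before-state a review would cite.
# All names and inputs here are this example's own.

# Item 2: strict mode. pipefail is a bashism, so it is enabled only where the
# running shell supports it; everything else in this file is plain POSIX sh.
set -eu
(set -o pipefail) 2>/dev/null && set -o pipefail

# Item 1: destructive command on a possibly-empty variable.
#   Unsafe original:  rm -rf "$STAGE_DIR/"*      (STAGE_DIR unset -> rm -rf /*)
# ${1:?...} aborts with a message instead of expanding to "", the -d test
# refuses a non-directory, and -- stops a name starting with "-" from being
# parsed as an option.
safe_remove_cache() {
  dir=${1:?"safe_remove_cache: target directory must be set"}
  [ -d "$dir" ] || return 1
  rm -rf -- "$dir/cache"
}

# Item 3: word splitting. Capturing ls output splits "release notes.txt" into
# two words; a quoted glob yields one word per file. The -e test covers an
# empty directory, where an unmatched glob would otherwise stay literal.
count_files_unsafe() {
  # deliberately unquoted to show the bug a reviewer would flag (SC2046)
  # shellcheck disable=SC2046
  set -- $(ls "$1")
  echo $#
}
count_files_safe() {
  set -- "$1"/*
  [ -e "$1" ] || set --
  echo $#
}

# Item 4a: temp files. mktemp instead of a predictable /tmp/$0.$$, with the
# cleanup trap set in the same shell that created the directory, so it runs
# on normal completion and on error exits (set -e). The subshell body scopes
# the trap to this function. Prints the path so a caller can confirm removal.
with_tmpdir() (
  tmp=$(mktemp -d)
  trap 'rm -rf -- "$tmp"' EXIT
  : >"$tmp/work.txt"        # stand-in for the real work
  echo "$tmp"
)

# Item 4b: concurrent runs. mkdir is atomic, so an overlapping cron run fails
# fast instead of racing the first. flock(1) is the usual Linux choice; the
# mkdir lock is the portable fallback (macOS ships no flock). A lock left by
# a crashed run must still be cleaned up by the caller's EXIT trap.
acquire_lock() { mkdir -- "$1" 2>/dev/null; }
release_lock() { rmdir -- "$1"; }

# Item 6: untrusted input reaching a command.
#   Unsafe original:  eval "grep $PATTERN $FILE"   (PATTERN='x; rm -rf /' runs rm)
# Data travels as arguments, never through eval; -e keeps a pattern that
# starts with "-" from being read as an option and -- does the same for the
# file. grep exits 1 for "no match", which is a result, and 2 for a real
# error, which must still stop the script.
safe_grep_count() {
  grep -c -e "$1" -- "$2" || [ $? -eq 1 ]
}

# Demo: exercises every helper in a throwaway directory.
main() {
  base=$(mktemp -d)
  trap 'rm -rf -- "$base"' EXIT
  mkdir -- "$base/cache"
  : >"$base/release notes.txt"
  printf 'alpha\n-v beta\n' >"$base/log.txt"
  echo "unsafe count: $(count_files_unsafe "$base")  safe count: $(count_files_safe "$base")"
  safe_remove_cache "$base" && echo "cache removed, $base kept"
  acquire_lock "$base/lock" && { acquire_lock "$base/lock" || echo "second run refused"; }
  echo "lines matching '-v': $(safe_grep_count -v "$base/log.txt")"
}
if [ "${1:-}" = --demo ]; then main; fi

# CI gate the review should end with (deploy.sh is a placeholder name):
#   shellcheck -s bash -S warning -x deploy.sh
```

Run it as `bash review_example.sh --demo` to see the unsafe and safe counts diverge on the file with a space in its name. Note that `${1:?}` exits the whole non-interactive shell, not just the function; that is the intended behaviour for an unattended script, where stopping beats guessing a path.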