Shell Guardrails - Lunar Policy for Testing And Quality

Shell Guardrails

Policy Beta Testing And Quality

Enforce shell script quality standards by validating ShellCheck results. Ensures ShellCheck finds no issues at or above the configured severity level (default: error). Severity filtering happens at the policy level so all data is preserved in Component JSON for dashboards and other consumers.

Add shell to your lunar-config.yml:
uses: github://earthly/lunar-lib/policies/shell@v1.0.5

Included Guardrails

This policy includes 1 guardrail that enforces standards for your testing and quality.

Guardrail

shellcheck-clean

Ensures ShellCheck finds no issues at or above the configured severity level (default: error). Skips if no shell scripts are detected. Severity filtering and warning threshold are both configurable.


How Guardrails Fit into Lunar

Lunar guardrails define your engineering standards as code. They evaluate data collected by integrations and produce pass/fail checks with actionable feedback.

Policies support gradual enforcement—from silent scoring to blocking PRs or deployments—letting you roll out standards at your own pace without disrupting existing workflows.

  1. Integrations Gather Data: Collectors extract metadata from code, CI pipelines, tool outputs, and scans
  2. Centralized as JSON: All data merged into each component's unified metadata document
  3. Guardrails Enforce Standards (this policy): Real-time feedback in PRs and AI workflows

Required Integrations

This policy evaluates data gathered by one or more of the following integration(s). Make sure to enable them in your lunar-config.yml.

Configuration

Configure this policy in your lunar-config.yml.

Inputs

| Input | Required | Default | Description |
|---|---|---|---|
| min_severity | Optional | error | Minimum severity level to enforce (error, warning, info, style). Issues below this level are ignored. |
| max_shellcheck_warnings | Optional | 0 | Maximum number of ShellCheck warnings allowed at or above min_severity (0 = must be completely clean) |

Documentation

Shell Guardrails

Enforces shell script quality standards using ShellCheck lint data.

Overview

This policy validates that ShellCheck runs cleanly against shell scripts in a component. It enforces issues at or above the configured severity level (default: error), ensuring scripts follow best practices for portability, quoting, and correctness. The collector gathers all findings; severity filtering happens here at the policy level. Skips gracefully if no shell scripts are detected.

Policies

This plugin provides the following policies (use include to select a subset):

| Policy | Description | Failure Meaning |
|---|---|---|
| shellcheck-clean | Ensures no ShellCheck issues at or above configured severity | ShellCheck found issues in shell scripts |

Required Data

This policy reads from the following Component JSON paths:

| Path | Type | Provided By |
|---|---|---|
| .lang.shell | object | shell collector |
| .lang.shell.lint.warnings | array | shell collector |

Installation

Add to your lunar-config.yml:

policies:
  - uses: github://earthly/lunar-lib/policies/shell@main
    on: ["domain:your-domain"]  # replace with your own domain or tags
    enforcement: report-pr
    # with:
    #   min_severity: "error"  # Minimum severity to enforce: error, warning, info, style (default: error)
    #   max_shellcheck_warnings: "0"  # Maximum warnings allowed at or above min_severity (default: "0")

Examples

Passing Example

{
  "lang": {
    "shell": {
      "script_count": 3,
      "scripts": ["deploy.sh", "build/compile.sh", "scripts/test.sh"],
      "shells": ["bash", "sh"],
      "lint": {
        "warnings": [],
        "linters": ["shellcheck"]
      }
    }
  }
}

Failing Example

{
  "lang": {
    "shell": {
      "script_count": 3,
      "scripts": ["deploy.sh", "build/compile.sh", "scripts/test.sh"],
      "shells": ["bash"],
      "lint": {
        "warnings": [
          {
            "file": "deploy.sh",
            "line": 15,
            "column": 3,
            "message": "Double quote to prevent globbing and word splitting.",
            "linter": "shellcheck",
            "severity": "warning",
            "code": "SC2086"
          }
        ],
        "linters": ["shellcheck"]
      }
    }
  }
}

Failure message: "1 ShellCheck warning(s) found, maximum allowed is 0. Run 'shellcheck' on your scripts and fix all warnings."
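
The rules described above (skip when no shell data is present, filter by min_severity, compare the count against max_shellcheck_warnings) can be modelled as follows. This is an added example, not Lunar's own policy code; the function name, the return shape, and the handling of missing lint data and unrecognised severities are assumptions. It shows that the SC2086 finding from the failing example is enforced only when min_severity is set to warning or lower.

```python
# Added example: a model of the shellcheck-clean rules, not Lunar's code.
SEVERITY_RANK = {"style": 0, "info": 1, "warning": 2, "error": 3}

# Constructed sample: the page's failing Component JSON, trimmed to the
# fields the check reads.
FAILING = {"lang": {"shell": {"script_count": 3, "lint": {
    "linters": ["shellcheck"],
    "warnings": [{"file": "deploy.sh", "line": 15, "code": "SC2086",
                  "severity": "warning"}]}}}}


def evaluate_shellcheck_clean(component, min_severity="error",
                              max_shellcheck_warnings="0"):
    """Return (status, message); status is 'skip', 'pass' or 'fail'."""
    if min_severity not in SEVERITY_RANK:
        raise ValueError(f"unknown min_severity: {min_severity!r}")
    limit = int(max_shellcheck_warnings)  # config values arrive as strings
    shell = component.get("lang", {}).get("shell")
    if not shell:
        return "skip", "no shell scripts detected"
    findings = shell.get("lint", {}).get("warnings")
    if findings is None:
        # Assumption: missing lint data is not the same as a clean run.
        return "skip", "no ShellCheck results collected"
    floor = SEVERITY_RANK[min_severity]
    # Assumption: an unrecognised severity is ranked as 'error' so it is
    # never silently filtered out.
    enforced = [f for f in findings
                if SEVERITY_RANK.get(f.get("severity"), 3) >= floor]
    if len(enforced) > limit:
        return "fail", (f"{len(enforced)} ShellCheck warning(s) found, "
                        f"maximum allowed is {limit}. Run 'shellcheck' on "
                        "your scripts and fix all warnings.")
    return "pass", f"{len(enforced)} finding(s) at or above {min_severity}"


if __name__ == "__main__":
    for level in ("error", "warning"):
        print(level, evaluate_shellcheck_clean(FAILING, min_severity=level))
```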

Remediation

shellcheck-clean

  1. Run shellcheck <script>.sh locally to see all warnings
  2. Fix the reported issues (quoting, unused variables, portability, etc.)
  3. For false positives, use # shellcheck disable=SC2086 inline directives
  4. If some warnings are acceptable, increase max_shellcheck_warnings threshold
  5. Alternatively, use the generic linter policy with language: shell and max_warnings for the same effect

Open Source

This policy is open source and available on GitHub. Contribute improvements, report issues, or fork it for your own use.
