Drop-in replacement for bash in the
curl | bash pattern.
Buffers the full script, enforces strict mode, analyses for risks,
and asks before running — without adding friction to your workflow.
Before
$ curl -fsSL https://example.com/install.sh | bash
After
$ curl -fsSL https://example.com/install.sh | safesh
Install via go:
$ go install github.com/safesh/safesh/cmd/safesh@latest
Running an installer script through safesh:
Seven guarantees, zero configuration required.
- Reads the entire script before executing any of it. Bash on its own starts running a piped script as the bytes arrive, so a dropped connection can execute a truncated command and leave you half-installed; buffering first rules that out.
- Prepends `set -euo pipefail` so the script aborts on a failed command, an unset variable, or a failure anywhere in a pipeline instead of carrying on.
- Walks the AST to surface privilege escalation, destructive ops, obfuscation, persistence, and more.
- Auto-discovers sibling `.sha256` files or accepts an explicit hash to verify before running.
- Every run, including dry runs and aborted ones, is logged with script, findings, and exit status.
- Strips the environment to a safe baseline. Only `PATH`, `HOME`, and a few others pass through.
- All findings are reported with line numbers before you decide whether to proceed.
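To make the buffering, strict-mode, checksum, logging and clean-environment guarantees concrete, here is a hand-rolled runner that does the same steps by hand. It is an added illustration, not safesh's own code, and it makes no claim about how safesh implements any of them; it assumes POSIX sh with `mktemp`, `env -i`, `awk`, and either `sha256sum` (GNU) or `shasum` (BSD/macOS). The allow-listed environment variables, the log format and the demo script are this example's own choices.

```shell
#!/bin/sh
# Hand-rolled version of the buffer / strict-mode / checksum / log / clean-env
# guarantees. Added illustration only: not safesh's code, and no claim about
# how safesh implements them. Assumes POSIX sh, mktemp, env -i, awk, and
# either sha256sum (GNU) or shasum (BSD/macOS).

# Hex SHA-256 of a file, whichever tool the platform provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# run_buffered EXPECTED_SHA256 [LOGFILE] < script
# Exit status: the script's own status; 2 if no temp file could be made;
# 3 if the digest does not match (nothing from the script has run by then).
run_buffered() {
  expected=$1
  log=${2:-/dev/null}
  tmp=$(mktemp) || return 2

  # 1. Buffer: read ALL of stdin before anything executes. Plain `curl | bash`
  #    executes as bytes arrive, so a dropped connection can run a truncated
  #    last line. Here a short read simply fails the digest check below.
  cat > "$tmp"

  # 2. Verify against the digest the caller supplied (ideally obtained out of band).
  actual=$(sha256_of "$tmp")
  if [ "$actual" != "$expected" ]; then
    printf 'refusing to run: sha256 %s does not match expected %s\n' "$actual" "$expected" >&2
    printf '%s sha256=%s status=REFUSED\n' "$(date -u +%FT%TZ)" "$actual" >> "$log"
    rm -f "$tmp"
    return 3
  fi

  # 3. Strict mode: prepended rather than passed as flags, so it applies even if
  #    the script's own shebang or `set` lines say otherwise. Caveat: a script not
  #    written for -u/-e (e.g. one that reads an unset $1) will now abort.
  { printf 'set -euo pipefail\n'; cat "$tmp"; } > "$tmp.strict"

  # 4. Clean environment: only these allow-listed variables reach the script
  #    (the allow-list here is this example's choice, not safesh's).
  status=0
  env -i PATH="$PATH" HOME="$HOME" TERM="${TERM:-dumb}" bash "$tmp.strict" || status=$?

  # 5. Log every run, successful or not, with digest and exit status.
  printf '%s sha256=%s status=%s\n' "$(date -u +%FT%TZ)" "$actual" "$status" >> "$log"
  rm -f "$tmp" "$tmp.strict"
  return "$status"
}

# Demo with a constructed stand-in for the downloaded installer.
demo=$(mktemp)
printf 'echo "would install into ${PREFIX:-/usr/local}"\n' > "$demo"
run_buffered "$(sha256_of "$demo")" "$demo.log" < "$demo"
cat "$demo.log"
rm -f "$demo" "$demo.log"
```

One caveat worth keeping in mind for the checksum step: a digest served next to the script from the same origin catches truncation and corruption, but if that origin is compromised the attacker rewrites both files. A hash obtained out of band (a release page, a signed tag, a colleague) is what turns the check into a defence against a hostile server rather than a flaky network.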
| Category | What it flags |
|---|---|
| execution-integrity | Missing `set -e` / `-u` / `-o pipefail` |
| destructive | `rm -rf`, `dd`, `mkfs`, truncation |
| privilege | `sudo`, `su`, `pkexec`, `doas` |
| persistence | Shell profile writes, cron jobs, systemd unit installs |
| network | Outbound `curl` / `wget` calls with resolved domains |
| obfuscation | `eval`, base64-decode-and-exec chains |
| execution-chain | Nested `curl \| bash` inside the script |
Unsuspicious ≠ safe. A script that passes all checks is one we couldn't find anything wrong with — not one that is guaranteed harmless. safesh is one layer of defense, not a security guarantee. Use it. Keep your eyes open.