Automated Scripts & Cron
Integrate shellfirm with deployment scripts, cron jobs, and ChatOps workflows
Beyond AI agents and CI/CD pipelines, shellfirm can protect any automated command execution. Deployment scripts, cron jobs, and ChatOps bots can all route commands through shellfirm for safety checks.
Deployment scripts
Wrap critical commands in your deployment scripts with a shellfirm check:
#!/bin/bash
set -e
deploy_command() {
local cmd="$1"
if ! shellfirm check --command "$cmd" --test; then
echo "BLOCKED: shellfirm flagged command as risky: $cmd"
# Get details for the log
shellfirm check --command "$cmd" --json >> /var/log/deploy-blocks.json
return 1
fi
eval "$cmd"
}
# These commands pass through shellfirm before executing
deploy_command "docker pull myapp:latest"
deploy_command "docker stop myapp-web"
deploy_command "docker run -d --name myapp-web myapp:latest"Cron jobs
Validate scheduled commands before they run. Create a wrapper script:
#!/bin/bash
# /usr/local/bin/safe-cron.sh
# Usage: safe-cron.sh "command to check and run"
COMMAND="$1"
if ! shellfirm check --command "$COMMAND" --test; then
echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) BLOCKED: $COMMAND" >> /var/log/shellfirm-cron.log
exit 1
fi
eval "$COMMAND"Use it in your crontab:
# Instead of running the command directly:
# 0 3 * * * /scripts/cleanup-old-data.sh
# Route through shellfirm:
0 3 * * * /usr/local/bin/safe-cron.sh "/scripts/cleanup-old-data.sh"ChatOps integration
If your team uses Slack bots, Discord bots, or other ChatOps tools that execute infrastructure commands, shellfirm can validate commands before execution:
# Example: Slack bot handler (pseudo-code)
def handle_deploy_command(channel, user, command):
import subprocess
# Check with shellfirm
result = subprocess.run(
["shellfirm", "check", "--command", command, "--json"],
capture_output=True, text=True
)
assessment = json.loads(result.stdout)
if not assessment["allowed"]:
rules = assessment["matched_rules"]
msg = f"Command blocked by shellfirm:\n"
for rule in rules:
msg += f"- [{rule['severity']}] {rule['id']}: {rule['description']}\n"
if assessment.get("alternatives"):
msg += f"\nSafer alternative: {assessment['alternatives'][0]['command']}"
send_message(channel, msg)
return
# Command is safe, execute it
subprocess.run(command, shell=True)
send_message(channel, f"Executed: {command}")MCP integration for custom agents
If you are building a custom automation agent, use the MCP protocol for richer integration:
import subprocess
import json
class ShellfirmClient:
def __init__(self):
self.process = subprocess.Popen(
["shellfirm", "mcp"],
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
text=True
)
self._initialize()
def _send(self, request):
self.process.stdin.write(json.dumps(request) + "\n")
self.process.stdin.flush()
return json.loads(self.process.stdout.readline())
def _initialize(self):
self._send({"jsonrpc": "2.0", "id": 0, "method": "initialize", "params": {}})
def check_command(self, command):
response = self._send({
"jsonrpc": "2.0",
"id": 1,
"method": "tools/call",
"params": {
"name": "check_command",
"arguments": {"command": command}
}
})
text = response["result"]["content"][0]["text"]
return json.loads(text)
# Usage
client = ShellfirmClient()
result = client.check_command("rm -rf /var/data")
if result["allowed"]:
os.system("rm -rf /var/data")
else:
print(f"Blocked: {result['denial_reason']}")Batch validation
Validate a list of commands before executing any of them:
#!/bin/bash
# validate-commands.sh
# Reads commands from a file, checks all of them, then executes only if all pass
COMMANDS_FILE="$1"
ALL_SAFE=true
while IFS= read -r cmd; do
[ -z "$cmd" ] && continue
if ! shellfirm check --command "$cmd" --test; then
echo "BLOCKED: $cmd"
ALL_SAFE=false
fi
done < "$COMMANDS_FILE"
if [ "$ALL_SAFE" = false ]; then
echo "Some commands were blocked. Aborting."
exit 1
fi
echo "All commands passed safety checks. Executing..."
while IFS= read -r cmd; do
[ -z "$cmd" ] && continue
eval "$cmd"
done < "$COMMANDS_FILE"