$ shellfirm
Configuration

Check Groups

All 16 check groups and how to enable or disable them

shellfirm organizes its check patterns into groups by ecosystem and tool. Each group can be independently enabled or disabled.

Default groups

All 16 groups are enabled by default:

GroupEcosystemWhat it covers
awsAWSS3 bucket deletion, EC2 termination, CloudFormation stack deletion, IAM changes
azureAzureResource group deletion, VM operations, AKS cluster changes
baseGeneralSystem-level commands, sudo operations, shell redirects
databaseDatabasesGeneric SQL patterns (DROP, TRUNCATE, DELETE without WHERE)
dockerDockerContainer removal, image pruning, system prune, volume deletion
fsFilesystemrm -rf, chmod 777, mkfs, dd, file permission changes
gcpGoogle CloudProject deletion, GKE operations, Compute Engine changes
gitGitForce push, reset --hard, branch deletion, stash drop
herokuHerokuApp destruction, database reset, config changes
kubernetesKubernetesNamespace deletion, scaling to zero, pod deletion, context switching
mongodbMongoDBCollection drop, database drop, index operations
mysqlMySQLMySQL-specific DDL and dangerous DML patterns
networkNetworkiptables flushing, firewall changes, DNS modifications
psqlPostgreSQLPostgreSQL-specific DDL and dangerous DML patterns
redisRedisFLUSHALL, FLUSHDB, CONFIG SET, SHUTDOWN
terraformTerraformterraform destroy, terraform apply without plan

Viewing active groups

shellfirm status

This shows which groups are currently enabled and the total number of active check patterns.

Disabling groups

Via CLI

shellfirm config groups --disable heroku --disable azure --disable gcp

Via settings file

Add groups to the disabled_groups list:

# ~/.shellfirm/settings.yaml
disabled_groups:
  - heroku
  - azure
  - gcp

The disabled_groups list is applied after enabled_groups, so it acts as a blocklist.

Enabling groups

Via CLI

shellfirm config groups --enable aws --enable docker

Interactive multi-select

shellfirm config groups

Running without flags opens an interactive multi-select showing all groups with their current state. Toggle groups on or off and confirm.

Enabling only specific groups

To enable only certain groups, replace the enabled_groups list in the settings file:

# ~/.shellfirm/settings.yaml
enabled_groups:
  - fs
  - git
  - docker
  - kubernetes

Only the listed groups will be active. All others are disabled.

Group details

fs (Filesystem)

Covers destructive filesystem operations:

  • rm -rf (recursive force delete)
  • chmod 777 (overly permissive permissions)
  • mkfs (format filesystem)
  • dd (raw disk writes)
  • File ownership changes

git

Covers dangerous git operations:

  • git push --force (force push, excluding --force-with-lease)
  • git reset --hard (discard uncommitted changes)
  • git clean -fd (remove untracked files)
  • git branch -D (force delete branch)
  • git stash drop (permanently drop stash entry)

docker

Covers Docker operations that remove data:

  • docker rm -f (force remove containers)
  • docker system prune (remove unused data)
  • docker volume rm (delete volumes)
  • docker rmi (remove images)

kubernetes

Covers Kubernetes operations with broad impact:

  • kubectl delete namespace (delete entire namespace)
  • kubectl delete --all (delete all resources of a type)
  • kubectl scale --replicas=0 (scale to zero)
  • kubectl drain (evict pods from a node)
  • kubectl apply -f from stdin (potentially dangerous)

database

Generic database patterns (SQL):

  • DROP DATABASE
  • DROP TABLE
  • TRUNCATE
  • DELETE FROM (without WHERE clause)
  • ALTER TABLE ... DROP

psql, mysql, mongodb, redis

Tool-specific patterns that complement the generic database group. These contain patterns specific to each database's syntax and dangerous commands.

aws, azure, gcp

Cloud provider patterns covering resource deletion, configuration changes, and operations that can cause outages.

terraform

Terraform-specific patterns:

  • terraform destroy
  • terraform apply (without a plan file)
  • State manipulation commands

network

Network configuration changes:

  • iptables -F (flush firewall rules)
  • DNS configuration changes
  • Routing table modifications

base

General system-level patterns:

  • Sudo operations on sensitive paths
  • Shell redirect overwrites
  • System service changes

Settings Reference

Complete reference for ~/.shellfirm/settings.yaml configuration

Custom Check Patterns

Add your own check patterns to shellfirm's pattern database

On this page

Default groupsViewing active groupsDisabling groupsVia CLIVia settings fileEnabling groupsVia CLIInteractive multi-selectEnabling only specific groupsGroup detailsfs (Filesystem)gitdockerkubernetesdatabasepsql, mysql, mongodb, redisaws, azure, gcpterraformnetworkbase