Protection Overview
Summary of all ecosystems and check groups covered by shellfirm
shellfirm ships with built-in check patterns across 9 ecosystems organized into 16 check groups. Every pattern includes a severity level, optional filters, and safer alternatives.
Ecosystem coverage
| Ecosystem | Check groups | Patterns | Severity range | Blast radius |
|---|---|---|---|---|
| Filesystem | fs, fs-strict | 20+ | Medium -- Critical | Yes |
| Git | git, git-strict | 20+ | Low -- High | Yes |
| Docker | docker | 8 | Medium -- High | Yes |
| Kubernetes | kubernetes, kubernetes-strict | 5 | High -- Critical | Yes |
| AWS | aws | 9 | High | No |
| Azure & GCP | azure, gcp | 14 | High | No |
| Terraform | terraform | 5 | High -- Critical | No |
| Databases | database, mongodb, mysql, psql, redis | 15+ | High -- Critical | No |
| System & Network | base, network, heroku | 30+ | Medium -- Critical | No |
Standard vs strict groups
Several ecosystems have two tiers of check groups:
- Standard groups (fs, git, kubernetes) -- Cover clearly dangerous operations. Enabled by default and appropriate for most users.
- Strict groups (fs-strict, git-strict, kubernetes-strict) -- Cover broader operations that are usually safe but worth flagging in sensitive environments. Also enabled by default but can be disabled for less friction.
For example, git:force_push (standard) catches `git push --force`, while git-strict:add_all catches `git add .`. Both are enabled by default.
Enabling and disabling groups
All 16 groups are enabled by default. To disable specific groups:
```shell
shellfirm config groups --disable fs-strict --disable git-strict
```
To see which groups are currently active:
```shell
shellfirm config show
```
How patterns are defined
Each check pattern is a YAML definition with these fields:
```yaml
- id: git:force_push                    # Unique ID: group:name
  from: git                             # Check group
  test: git\s{1,}push\s{1,}.*--force    # Regex pattern
  severity: High                        # Info | Low | Medium | High | Critical
  description: "Force push can overwrite remote history."
  filters:
    - type: NotContains
      value: "--force-with-lease"
  alternative: "git push --force-with-lease"
  alternative_info: "Prevents overwriting others' work"
```
Patterns are compiled into the shellfirm binary at build time from YAML files in the shellfirm/checks/ directory.
Adding custom patterns
You can add project-specific patterns via team policies (.shellfirm.yaml):
```yaml
version: 1
checks:
  - id: custom:deploy_prod
    from: custom
    test: deploy\s+--env\s+production
    severity: Critical
    description: "Deploying directly to production"
    alternative: "deploy --env staging"
    alternative_info: "Deploy to staging first and promote"
```
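To make the pattern fields from the two sections above concrete, here is an added Python re-implementation of the matching rules (regex test, NotContains filter, group enablement, severity ranking); it is not shellfirm's own Rust code. The two patterns are transcribed from this page into Python dicts so no YAML library is needed, and the filter semantics (a hit is kept only when the filtered value is absent from the command) is an assumption inferred from the alternative the page recommends.

```python
import re

# Constructed sample data: the two pattern definitions shown on this page, transcribed
# from YAML into Python dicts so the example runs without a YAML library.
PATTERNS = [
    {
        "id": "git:force_push",
        "from": "git",
        "test": r"git\s{1,}push\s{1,}.*--force",
        "severity": "High",
        "filters": [{"type": "NotContains", "value": "--force-with-lease"}],
        "alternative": "git push --force-with-lease",
    },
    {
        "id": "custom:deploy_prod",
        "from": "custom",
        "test": r"deploy\s+--env\s+production",
        "severity": "Critical",
        "alternative": "deploy --env staging",
    },
]

SEVERITY_ORDER = ["Info", "Low", "Medium", "High", "Critical"]

def filter_passes(flt, command):
    """Assumed filter semantics: NotContains keeps the hit only if `value` is absent."""
    if flt["type"] == "NotContains":
        return flt["value"] not in command
    raise ValueError(f"unsupported filter type: {flt['type']!r}")

def evaluate(command, patterns=PATTERNS, enabled_groups=None):
    """Return the patterns that fire for `command`: group enabled (None = all),
    regex matches somewhere in the command, and every filter passes."""
    hits = []
    for p in patterns:
        if enabled_groups is not None and p["from"] not in enabled_groups:
            continue  # group disabled, e.g. via `shellfirm config groups --disable`
        if re.search(p["test"], command) is None:
            continue
        if all(filter_passes(f, command) for f in p.get("filters", [])):
            hits.append(p)
    return hits

def highest_severity(hits):
    """Highest severity among hits, or None when nothing fired."""
    if not hits:
        return None
    return max((h["severity"] for h in hits), key=SEVERITY_ORDER.index)
```

Note that the git:force_push regex also matches `git push --force-with-lease`, because `--force` is a prefix of that flag; the NotContains filter is what turns the safer variant into a non-hit.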