89 points a10r | 2 comments
a10r No.44407666
Hi HN, I'm the creator of `vet`. I've always been a bit nervous about the `curl | bash` pattern, even for trusted projects. It feels like there's a missing safety step. I wanted a tool that would show me a diff if a script changed, run it through `shellcheck`, and ask for my explicit OK before executing. That's why I built `vet`.

The install process itself uses this philosophy - I encourage you to check the installer script before running it!

I'd love to hear your feedback.

The repo is at https://github.com/vet-run/vet

1. subjectsigma No.44412363
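The "show a diff if the script changed, run it through shellcheck, ask before executing" flow described in the post, as an added example in POSIX sh that is not vet's own code. The cache directory, the function names and the fetch-with-curl step are assumptions; the check and diff functions work on local files so they run offline.

```shell
#!/bin/sh
# Added example (not vet's own code): the "diff, lint, confirm" workflow from the
# post, reduced to local functions. Assumed layout: downloaded scripts are cached
# under $VET_CACHE by their own file name once the user has approved them.

VET_CACHE="${VET_CACHE:-$HOME/.cache/vet-example}"

# Return 0 if the previously reviewed copy matches the new download, 1 if it differs
# (including the first-ever download, which has no reviewed copy yet).
vet_unchanged() {
    cached="$1"; new="$2"
    [ -f "$cached" ] && cmp -s "$cached" "$new"
}

# Print a unified diff of reviewed vs new; return 1 when they differ.
vet_diff() {
    cached="$1"; new="$2"
    if [ ! -f "$cached" ]; then
        echo "no previously reviewed copy; full review required"
        return 1
    fi
    diff -u "$cached" "$new" && return 0
    return 1
}

# Run shellcheck as a quality signal only (it is a linter, not a malware scanner).
# Returns shellcheck's exit status, or 0 with a note if it is not installed.
vet_lint() {
    if command -v shellcheck >/dev/null 2>&1; then
        shellcheck "$1"
    else
        echo "shellcheck not installed; skipping lint signal"
    fi
}

# Full flow: fetch to a temp file, show what changed, lint, ask, then run.
vet_run() {
    url="$1"; name="${url##*/}"
    mkdir -p "$VET_CACHE"
    tmp="$(mktemp)"
    curl -fsSL "$url" -o "$tmp" || { rm -f "$tmp"; return 1; }
    if vet_unchanged "$VET_CACHE/$name" "$tmp"; then
        echo "script unchanged since last review"
    else
        vet_diff "$VET_CACHE/$name" "$tmp"
    fi
    vet_lint "$tmp"
    printf 'Execute %s? [y/N] ' "$name"; read -r ans
    case "$ans" in y|Y) cp "$tmp" "$VET_CACHE/$name"; sh "$tmp";; *) echo "aborted";; esac
    rm -f "$tmp"
}
```

Only an explicit `y` copies the script into the cache, so the next run diffs against the version the user actually approved.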
I appreciate you finding a problem and trying to build a solution, but I think your solution will not work very well. Shellcheck is not a virus or vulnerability scanner, it’s not designed for the thing you are using it for.
2. a10r No.44413234
You are absolutely right, and that's a crucial distinction to make. ShellCheck is a linter, not a security scanner.

Its role in vet isn't to find malware, but to act as an automated code quality check. A script full of shellcheck warnings is a red flag, which helps inform the user's final decision to trust it or not. It's one of several signals that vet provides.

Thanks for the important clarification!