Bidirectional shell safety tool that purifies legacy bash scripts and lets you write shell scripts in REAL Rust with automatic safety guarantees.
- What's New
- Why Rash?
- Quick Start
- Features
- Core Commands
- Advanced Testing
- Documentation
- Quality Metrics
- Shell Compatibility
- Performance
- MCP Server
- Contributing
- License
Latest Release - 2025-12-21
- Probar Integration: Three new CLI commands for advanced testing
bashrs playbook- State machine testing for shell scriptsbashrs mutate- Mutation testing with 10 mutation operatorsbashrs simulate- Deterministic simulation replay with seed control
- Transpiler Bug Hunt: 130-point Popper Falsification Checklist (T001-T130)
- Dockerfile Linting: 30-point D-code validation (D001-D030)
- Test Suite: 7,445 tests passing (100% pass rate)
- PMAT Score: 133/134 (Grade A+)
See CHANGELOG.md for complete release notes.
Shell scripts are everywhere—CI/CD pipelines, deployment automation, system configuration—but they're notoriously difficult to write safely. Rash solves this by providing:
- Bidirectional Safety: Write in Rust and transpile to shell, or purify existing bash scripts
- Automatic Transformation: Don't just detect problems—fix them automatically
- Deterministic Guarantees: Same input always produces identical, reproducible output
- Zero Runtime Dependencies: Generated scripts run on any POSIX-compliant system
- 🛡️ Automatic Safety: Protection against shell injection, word splitting, glob expansion
- 🔍 Beyond Linting: Full AST semantic understanding - transforms code, doesn't just warn
- 📦 Zero Runtime Dependencies: Generated scripts work on any POSIX shell
- 🎯 Deterministic Output: Same input always produces identical scripts
- ✅ ShellCheck Compliant: All output passes strict linting
| What ShellCheck Does | What Rash Does |
|---|---|
| ✅ Rewrites to version-based deterministic IDs | |
✅ Transforms to mkdir -p (idempotent) |
|
| ✅ Quotes all variables automatically | |
| Static pattern matching | Full AST semantic understanding |
| Detects issues (read-only) | Fixes issues (read-write transformation) |
Key Difference: ShellCheck tells you what's wrong. Rash understands your code's intent and rewrites it to be safe, deterministic, and idempotent — automatically.
# From crates.io (recommended)
cargo install bashrs
# Or from source
git clone https://github.com/paiml/bashrs
cd bashrs
cargo install --path rash// install.rs
#[rash::main]
fn main() {
let version = env_var_or("VERSION", "1.0.0");
let prefix = env_var_or("PREFIX", "/usr/local");
echo("Installing MyApp {version} to {prefix}");
mkdir_p("{prefix}/bin");
mkdir_p("{prefix}/share/myapp");
if exec("cp myapp {prefix}/bin/") {
echo("✓ Binary installed");
} else {
eprint("✗ Failed to install binary");
exit(1);
}
}Transpile to safe POSIX shell:
$ bashrs build install.rs -o install.shBefore (messy bash):
#!/bin/bash
SESSION_ID=$RANDOM # Non-deterministic
mkdir /app/releases/$RELEASE # Non-idempotent
rm /app/current # Fails if doesn't existAfter (purified by Rash):
#!/bin/sh
session_id="session-${version}" # ✅ Deterministic
mkdir -p "/app/releases/${release}" # ✅ Idempotent
rm -f "/app/current" # ✅ Safe removal# Transpile Rust to shell
bashrs build input.rs -o output.sh
# Purify legacy bash scripts
bashrs purify messy.sh -o clean.sh
# Interactive REPL with debugging
bashrs repl
# Lint shell scripts (including Dockerfiles)
bashrs lint script.sh
# Test bash scripts
bashrs test script.sh
# Quality scoring
bashrs score script.sh
# Comprehensive audit
bashrs audit script.shRash includes Probar integration for comprehensive quality assurance:
# State machine testing with playbooks
bashrs playbook install.playbook.yaml --run
# Mutation testing (goal: >90% kill rate)
bashrs mutate script.sh --count 10
# Deterministic simulation replay
bashrs simulate script.sh --seed 42 --verifyMutation Operators: Rash applies 10 mutation operators including string mutations, command substitutions, conditional inversions, and redirect modifications to verify test quality.
The Rash Book is the canonical source for all documentation:
Quick links:
Why the book?
- ✅ All examples automatically tested
- ✅ Always up-to-date with latest release
- ✅ Comprehensive coverage of all features
- ✅ Real-world examples and tutorials
| Metric | Value | Status |
|---|---|---|
| PMAT Score | 133/134 (99.3%) | ✅ Grade A+ |
| Tests | 7,445 passing | ✅ 100% pass rate |
| Coverage | 91.22% | ✅ Exceeds 85% target |
| T-code Falsification | 142/142 | ✅ 130-point checklist |
| D-code Falsification | 31/31 | ✅ Dockerfile validation |
| ShellCheck | 100% compliant | ✅ All output passes |
| Shell Compatibility | 6 shells | ✅ sh, dash, bash, ash, zsh, mksh |
Rash uses Popperian falsification—tests attempt to disprove functionality rather than prove it works:
# Run 130-point transpiler falsification checklist
cargo test -p bashrs --test transpiler_tcode_tests
# Run 30-point Dockerfile falsification checklist
cargo test -p bashrs --test dockerfile_dcode_testsA passing test means the falsification attempt failed—the feature works correctly.
Generated scripts are tested on:
| Shell | Version | Status |
|---|---|---|
| POSIX sh | - | ✅ Full support |
| dash | 0.5.11+ | ✅ Full support |
| bash | 3.2+ | ✅ Full support |
| ash (BusyBox) | 1.30+ | ✅ Full support |
| zsh | 5.0+ | ✅ Full support |
| mksh | R59+ | ✅ Full support |
Rash is designed for fast transpilation:
- Rust-to-Shell: 21.1µs transpile time
- Makefile Parsing: 0.034-1.43ms (70-320x faster than targets)
- Memory Usage: <10MB for most scripts
Rash provides a Model Context Protocol (MCP) server for AI-assisted shell script generation:
# Install MCP server
cargo install rash-mcp
# Run server
rash-mcpAvailable in the official MCP registry as io.github.paiml/rash.
We welcome contributions! See our Contributing Guide for details.
# Clone and test
git clone https://github.com/paiml/bashrs.git
cd bashrs
make test
# Run all quality checks
make validateMIT License. See LICENSE for details.