kaplanelad · kaplanelad · Mar 29, 2026 · Mar 28, 2026
diff --git a/shellfirm/checks/aws.yaml b/shellfirm/checks/aws.yaml
@@ -14,7 +14,7 @@
     - type: NotContains
       value: "--dryrun"
 - from: aws
-  test: aws\s+ec2\s+terminate-instances
+  test: aws\s+(?:--\S+\s+\S+\s+)*ec2\s+terminate-instances
   description: "Terminating EC2 instances permanently destroys them and their local storage."
   id: aws:ec2_terminate
   severity: High
@@ -28,7 +28,7 @@
   alternative: "aws rds delete-db-instance --skip-final-snapshot=false --final-db-snapshot-identifier <name>"
   alternative_info: "Create a final snapshot before deletion so data can be recovered."
 - from: aws
-  test: aws\s+iam\s+delete-(user|role|policy|group)
+  test: aws\s+iam\s+delete-(user|role|policy|group)(\s|$)
   description: "Deleting IAM resources can break access for services and users."
   id: aws:iam_delete
   severity: High

diff --git a/shellfirm/checks/base.yaml b/shellfirm/checks/base.yaml
@@ -14,12 +14,12 @@
   id: base:execute_all_history_commands
   severity: Critical
 - from: base
-  test: reboot(\s|$)
+  test: (^|\s)reboot(\s|$)
   description: "You are going to reboot your machine."
   id: base:reboot_machine
   severity: High
 - from: base
-  test: shutdown(\s|$)
+  test: (^|\s)shutdown(\s|$)
   description: "You are going to shutdown your machine."
   id: base:shutdown_machine
   severity: High
@@ -46,10 +46,20 @@
   id: systemd:disable_service
   severity: Medium
 - from: base
-  test: systemctl\s+stop\s+(docker|sshd|nginx|apache2|httpd|postgresql|mysql|redis)(\s|$)
+  test: systemctl\s+stop\s+(docker|sshd|nginx|apache2|httpd|postgresql|mysql|redis)[\w.-]*(\s|$)
   description: "Stopping a critical system service can cause outages."
   id: systemd:stop_critical_service
   severity: High
+- from: base
+  test: (halt|poweroff)(\s|$)
+  description: "This command will immediately power off your machine."
+  id: base:poweroff_machine
+  severity: High
+- from: base
+  test: init\s+(0|6)(\s|$)
+  description: "This command will shutdown (init 0) or reboot (init 6) your machine."
+  id: base:init_shutdown_reboot
+  severity: High
 - from: base
   test: ssh-add\s+-D
   description: "Removes all SSH identities from the agent."

diff --git a/shellfirm/checks/database.yaml b/shellfirm/checks/database.yaml
@@ -41,7 +41,12 @@
   id: database:drop_schema_role_user
   severity: High
 - from: database
-  test: (?i)ALTER\s+TABLE\s+\w+\s+DROP\s+COLUMN
+  test: (?i)ALTER\s+TABLE\s+[\w.]+\s+DROP\s+COLUMN
   description: "Dropping a column permanently removes data from all rows."
   id: database:alter_drop_column
   severity: High
+- from: database
+  test: (?i)DROP\s+INDEX
+  description: "Dropping an index on a production table can cause catastrophic performance degradation."
+  id: database:drop_index
+  severity: Medium
diff --git a/shellfirm/checks/docker.yaml b/shellfirm/checks/docker.yaml
@@ -6,7 +6,7 @@
   alternative: "docker system prune"
   alternative_info: "Without -a, only dangling images are removed (not all unused images)."
 - from: docker
-  test: docker\s+rm\s+(-f|--force)\s+\$\(docker\s+ps
+  test: docker\s+rm\s+(-f|--force)\s+(?:\$\(|`)docker\s+ps
   description: "Force removing all running or stopped containers."
   id: docker:force_remove_all_containers
   severity: High
@@ -31,7 +31,7 @@
   id: docker:remove_network
   severity: Medium
 - from: docker
-  test: docker[\s-]compose\s+down\s+.*(-v|--volumes)
+  test: docker[\s-]compose\s+.*down\s+.*(-v|--volumes)
   description: "This will stop containers AND delete all associated volumes and data."
   id: docker:compose_down_volumes
   severity: High
@@ -59,3 +59,11 @@
   description: "Clears the entire Docker build cache."
   id: docker:buildx_prune_all
   severity: High
+- from: docker
+  test: docker\s+run\s+(.+\s+)?--privileged(\s|$|=true)
+  description: "Running a container with --privileged gives it full access to the host system."
+  id: docker:run_privileged
+  severity: High
+  filters:
+    - type: NotContains
+      value: "--privileged=false"
diff --git a/shellfirm/checks/flyio.yaml b/shellfirm/checks/flyio.yaml
@@ -0,0 +1,20 @@
+- from: flyio
+  test: fly(?:ctl)?\s+apps\s+destroy(\s|$)
+  description: "Destroying a Fly.io app permanently removes it and all its resources."
+  id: flyio:apps_destroy
+  severity: Critical
+- from: flyio
+  test: fly(?:ctl)?\s+secrets\s+unset\s+
+  description: "Removing secrets can break running applications that depend on them."
+  id: flyio:secrets_unset
+  severity: High
+- from: flyio
+  test: fly(?:ctl)?\s+volumes?\s+destroy(\s|$)
+  description: "Destroying a volume permanently deletes all data stored on it."
+  id: flyio:volumes_destroy
+  severity: High
+- from: flyio
+  test: fly(?:ctl)?\s+postgres\s+destroy(\s|$)
+  description: "Destroying a Fly Postgres cluster permanently deletes the database and all its data."
+  id: flyio:postgres_destroy
+  severity: Critical
diff --git a/shellfirm/checks/fs.yaml b/shellfirm/checks/fs.yaml
@@ -1,5 +1,5 @@
 - from: fs
-  test: 'rm\s{1,}(?:-[rRfvV]+|--(?:force|recursive|verbose|preserve-root|no-preserve-root|one-file-system))(?:\s+(?:-[rRfvV]+|--(?:force|recursive|verbose|preserve-root|no-preserve-root|one-file-system)))*(?:\s+\S+)*?\s+(\*|\.{1,}|/)(?:\s|$)'
+  test: 'rm\s{1,}(?:-[rRfvV]+|--(?:force|recursive|verbose|preserve-root|no-preserve-root|one-file-system))(?:\s+(?:-[rRfvV]+|--(?:force|recursive|verbose|preserve-root|no-preserve-root|one-file-system)))*(?:\s+\S+)*?\s+(\*|\.{1,}|/|\.\/\*)(?:\s|$)'
   description: "You are going to delete everything in the path."
   id: fs:recursively_delete
   severity: Critical
@@ -125,7 +125,7 @@
     - type: PathExists
       value: 1
 - from: fs
-  test: rsync\s+.*--delete
+  test: rsync\s+.*--delete(\s|$)
   description: "Syncs with deletion — removes files at destination not present in source."
   id: fs:rsync_delete
   severity: High
@@ -141,3 +141,15 @@
   description: "Recursive ownership change on root or wildcard can break system files and SSH keys."
   id: fs:recursively_chown
   severity: Critical
+- from: fs
+  test: shred\s+
+  description: "Shred overwrites file data at the block level, making recovery impossible unlike rm."
+  id: fs:shred
+  severity: High
+  alternative: "rm <file>"
+  alternative_info: "Regular rm only unlinks the file. Use shred only when you truly need irrecoverable deletion."
+- from: fs
+  test: truncate\s+.*-s\s*0\s
+  description: "This command will zero out a file, permanently erasing its contents."
+  id: fs:truncate_zero
+  severity: High
diff --git a/shellfirm/checks/git.yaml b/shellfirm/checks/git.yaml
@@ -9,12 +9,12 @@
   alternative: "git stash"
   alternative_info: "Saves your changes to the stash so you can recover them later with 'git stash pop'."
 - from: git
-  test: git\s{1,}rm\s{1,}(\*|\.)
+  test: git\s{1,}rm\s{1,}(?:-\S+\s+)*(\*|\.)(\s|$)
   description: "This command going to delete all files."
   id: git:delete_all
   severity: High
 - from: git
-  test: git\s{1,}clean\s{1,}(?:-[a-zA-Z]*f[a-zA-Z]*d[a-zA-Z]*|-[a-zA-Z]*d[a-zA-Z]*f[a-zA-Z]*|(?:-\S+\s+)*-f(?:\s+-\S+)*\s+-d|(?:-\S+\s+)*-d(?:\s+-\S+)*\s+-f)
+  test: git\s{1,}clean\s{1,}(?:-[a-zA-Z]*f[a-zA-Z]*d[a-zA-Z]*|-[a-zA-Z]*d[a-zA-Z]*f[a-zA-Z]*|(?:-\S+\s+)*-f(?:\s+-\S+)*\s+-d|(?:-\S+\s+)*-d(?:\s+-\S+)*\s+-f|--force\s+(?:-\S+\s+)*-d|(?:-\S+\s+)*-d(?:\s+-\S+)*\s+--force)
   description: "This command will remove all untracked files and directories."
   id: git:clean_force
   severity: High
@@ -33,6 +33,8 @@
   filters:
     - type: NotContains
       value: "--force-with-lease"
+    - type: NotContains
+      value: "--force-if-includes"
   alternative: "git push --force-with-lease"
   alternative_info: "Checks that your local ref is up-to-date before force pushing, preventing accidental overwrites of others' work."
 - from: git
@@ -43,7 +45,7 @@
   alternative: "git branch -d <branch>"
   alternative_info: "Uses safe delete (-d) which refuses to delete a branch with unmerged changes."
 - from: git
-  test: git\s{1,}checkout\s{1,}(-f|--force)
+  test: git\s{1,}checkout\s{1,}.*(-f\b|--force)
   description: "This command will force checkout and discard local changes."
   id: git:force_checkout
   severity: High
@@ -64,7 +66,7 @@
   alternative: "git stash"
   alternative_info: "Saves your changes to the stash so you can recover them later with 'git stash pop'."
 - from: git
-  test: git\s{1,}rebase\s{1,}-i
+  test: git\s{1,}rebase\s{1,}(-i\b|--interactive)
   description: "This command will start an interactive rebase which can modify commit history."
   id: git:interactive_rebase
   severity: Medium
@@ -76,12 +78,12 @@
   alternative: "git-filter-repo"
   alternative_info: "A faster, safer, and officially recommended alternative to filter-branch."
 - from: git
-  test: git\s{1,}gc\s{1,}--prune=now
+  test: git\s{1,}gc\s{1,}.*--prune=now
   description: "This command will permanently delete unreachable objects."
   id: git:gc_prune
   severity: High
 - from: git
-  test: git\s{1,}update-ref\s{1,}-d
+  test: git\s{1,}update-ref\s{1,}(-d\b|--delete)
   description: "This command will delete a Git reference."
   id: git:delete_ref
   severity: High
@@ -125,13 +127,20 @@
   description: "This command will apply or remove stashed changes."
   id: git-strict:stash_pop_drop
   severity: Low
+- from: git
+  test: git\s{1,}stash\s{1,}clear(\s|$)
+  description: "This command will permanently delete all stash entries with no way to recover them."
+  id: git:stash_clear
+  severity: High
+  alternative: "git stash list"
+  alternative_info: "Review your stashes before clearing them. Use 'git stash drop stash@{N}' to remove individual entries."
 - from: git
   test: git\s{1,}submodule\s{1,}(update|deinit)
   description: "This command will update or deinitialize Git submodules."
   id: git-strict:submodule_update
   severity: Low
 - from: git
-  test: git\s{1,}tag\s{1,}-a
+  test: git\s{1,}tag\s{1,}(-a\b|--annotate)
   description: "This command will create an annotated tag."
   id: git-strict:create_tag
   severity: Low
@@ -141,12 +150,12 @@
   id: git:push_mirror
   severity: Critical
 - from: git
-  test: git\s{1,}push\s{1,}\S+\s{1,}--delete\s|git\s{1,}push\s{1,}\S+\s{1,}:\S
+  test: git\s{1,}push\s{1,}(\S+\s{1,}--delete\s|--delete\s{1,}\S+\s|\S+\s{1,}:\S)
   description: "This command will delete a remote branch."
   id: git:push_delete_branch
   severity: High
 - from: git
-  test: git\s{1,}reflog\s{1,}expire\s{1,}--expire=now
+  test: git\s{1,}reflog\s{1,}expire\s{1,}.*--expire=now
   description: "Expiring all reflog entries destroys the last recovery mechanism for lost commits."
   id: git:reflog_expire
   severity: Critical
diff --git a/shellfirm/checks/github.yaml b/shellfirm/checks/github.yaml
@@ -0,0 +1,35 @@
+- from: github
+  test: gh\s+repo\s+delete(\s|$)
+  description: "Permanently deletes a repository and all its data."
+  id: github:repo_delete
+  severity: Critical
+- from: github
+  test: gh\s+repo\s+archive(\s|$)
+  description: "Archiving a repository makes it read-only and can break workflows."
+  id: github:repo_archive
+  severity: High
+- from: github
+  test: gh\s+repo\s+rename(\s|$)
+  description: "Renaming a repository breaks all existing URLs, clones, and CI/CD references."
+  id: github:repo_rename
+  severity: High
+- from: github
+  test: gh\s+repo\s+edit\s+.*--visibility
+  description: "Changing repository visibility can expose private code or break public access."
+  id: github:repo_change_visibility
+  severity: High
+- from: github
+  test: gh\s+release\s+delete(\s|$)
+  description: "Deleting a release removes it and its assets permanently."
+  id: github:release_delete
+  severity: High
+- from: github
+  test: gh\s+secret\s+delete(\s|$)
+  description: "Deleting a secret can break CI/CD pipelines that depend on it."
+  id: github:secret_delete
+  severity: High
+- from: github
+  test: gh\s+variable\s+delete(\s|$)
+  description: "Deleting a variable can break CI/CD pipelines that depend on it."
+  id: github:variable_delete
+  severity: High
diff --git a/shellfirm/checks/heroku.yaml b/shellfirm/checks/heroku.yaml
@@ -1,95 +1,95 @@
 - from: heroku
-  test: heroku\s*ps:restart
+  test: heroku\s+ps:restart
   description: "Restarting app dynos"
   id: heroku:restart_app_dynos
   severity: Medium
 - from: heroku
-  test: heroku\s*ps:stop
+  test: heroku\s+ps:stop
   description: "Stop app dynos"
   id: heroku:stop_app_dynos
   severity: High
 - from: heroku
-  test: heroku\s*ps:kill
+  test: heroku\s+ps:kill
   description: "Kill app dynos"
   id: heroku:kill_app_dynos
   severity: High
 - from: heroku
-  test: heroku\s*maintenance:on
+  test: heroku\s+maintenance:on
   description: "Put the app into maintenance mode?"
   id: heroku:enable_maintenance_mode
   severity: High
 - from: heroku
-  test: heroku\s*members:remove
+  test: heroku\s+members:remove
   description: "Removes a user from a team"
   id: heroku:remove_member
   severity: High
 - from: heroku
-  test: heroku\s*features:disable
+  test: heroku\s+features:disable
   description: "Disables an app feature"
   id: heroku:disable_app_feature
   severity: Medium
 - from: heroku
-  test: heroku\s*container:rm
+  test: heroku\s+container:rm
   description: "Remove the process type from your app"
   id: heroku:remove_app_container
   severity: High
 - from: heroku
-  test: heroku\s*config:unset
+  test: heroku\s+config:unset
   description: "unset one or more config vars"
   id: heroku:unset_environment_variable
   severity: Medium
 - from: heroku
-  test: heroku\s*clients:destroy
+  test: heroku\s+clients:destroy
   description: "Delete client by ID"
   id: heroku:destroy_client
   severity: High
 - from: heroku
-  test: heroku\s*clients:rotate
+  test: heroku\s+clients:rotate
   description: "Rotate OAuth client secret"
   id: heroku:rotate_oauth_client
   severity: Medium
 - from: heroku
-  test: heroku\s*clients:update
+  test: heroku\s+clients:update
   description: "Update OAuth client"
   id: heroku:update_oauth_client
   severity: Medium
 - from: heroku
-  test: heroku\s*apps:destroy
+  test: heroku\s+apps:destroy
   description: "Permanently destroy an app"
   id: heroku:destroy_app
   severity: Critical
 - from: heroku
-  test: heroku\s*apps:leave
+  test: heroku\s+apps:leave
   description: "Remove yourself from a team app"
   id: heroku:remove_yourself_from_app
   severity: Medium
 - from: heroku
-  test: heroku\s*apps:rename
+  test: heroku\s+apps:rename
   description: "Rename an app"
   id: heroku:rename_app_name
   severity: Medium
 - from: heroku
-  test: heroku\s*addons:destroy
+  test: heroku\s+addons:destroy
   description: "Permanently destroy an add-on resource"
   id: heroku:destroy_addons
   severity: High
 - from: heroku
-  test: heroku\s*addons:detach
+  test: heroku\s+addons:detach
   description: "Detach an existing add-on resource from an app"
   id: heroku:detach_addon
   severity: Medium
 - from: heroku
-  test: heroku\s*access:remove
+  test: heroku\s+access:remove
   description: "Remove users from a team app"
   id: heroku:remove_user_access
   severity: High
 - from: heroku
-  test: heroku\s*access:update
+  test: heroku\s+access:update
   description: "Update existing collaborators on an team app"
   id: heroku:update_collaborators_access
   severity: Medium
 - from: heroku
-  test: heroku\s*repo:reset
+  test: heroku\s+repo:reset
   description: "Reset heroku repo"
   id: heroku:reset_repo
   severity: High