risky-shell-pipe

This rule checks for the bash pipefail option with the Ansible shell module.

You should always set pipefail when piping output from one command to another. By default, the return status of a pipeline is the exit status of its last command, so a failure earlier in the pipeline is masked. The pipefail option ensures that tasks fail as expected if the first command fails.

As this requirement does not apply to PowerShell, this rule does not trigger for shell commands that have pwsh in the executable attribute.

Problematic Code

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Pipeline without pipefail
      ansible.builtin.shell: false | cat

Correct Code

---
- name: Example playbook
  hosts: localhost
  become: false
  tasks:
    - name: Pipeline with pipefail
      ansible.builtin.shell:
        cmd: set -o pipefail && false | cat
        executable: /bin/bash

    - name: Pipeline with pipefail, multi-line
      ansible.builtin.shell:
        cmd: |
          set -o pipefail # <-- adding this will prevent surprises
          false | cat
        executable: /bin/bash
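
The effect of the option on the `false | cat` pipeline above can be checked directly in bash. The script below is an added example, not part of the rule's documentation; the function names are hypothetical and it assumes `bash` is on the PATH. It goes slightly beyond the page by also showing which exit status pipefail reports when several commands fail, and what happens when the failing pipeline is not the last line of a multi-line `cmd` block.

```bash
# Added example: exit status of the page's `false | cat` pipeline under bash,
# with and without pipefail. Function names are hypothetical.

# Run a script string in a fresh bash (as with executable: /bin/bash)
# and print the exit status that the task would see.
status_of() {
  rc=0
  bash -c "$1" >/dev/null 2>&1 || rc=$?
  echo "$rc"
}

# Problematic form: cat succeeds, so the failure of `false` is masked.
without_pipefail() { status_of 'false | cat'; }

# Correct form from the page: the pipeline now reports the failure.
with_pipefail() { status_of 'set -o pipefail && false | cat'; }

# With pipefail, the status is that of the rightmost command that failed.
rightmost_failure() { status_of 'set -o pipefail; (exit 3) | (exit 5) | cat'; }

# Multi-line caveat: only the script's final status is returned, so a failed
# pipeline followed by a successful command still exits 0.
failure_mid_script() { status_of 'set -o pipefail
false | cat
true'; }

# Adding errexit (-e) stops the script at the failed pipeline.
failure_mid_script_errexit() { status_of 'set -eo pipefail
false | cat
true'; }

printf '%-32s %s\n' \
  'without pipefail:'             "$(without_pipefail)" \
  'with pipefail:'                "$(with_pipefail)" \
  'rightmost failure:'            "$(rightmost_failure)" \
  'failure mid-script:'           "$(failure_mid_script)" \
  'failure mid-script, errexit:'  "$(failure_mid_script_errexit)"
```

In a multi-line `cmd`, pipefail alone only protects the pipeline whose status ends the script; combine it with `set -e` if an earlier pipeline failing should also fail the task.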