diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 2d3d160c4..d0471a310 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -42,3 +42,8 @@ repos:
         # Override the default arguments, which include writing back all
         # suggested changes. We don't want false positives to mangle files.
         args: [--force-exclude, --sort]
+-   repo: https://github.com/shellcheck-py/shellcheck-py
+    rev: v0.10.0.1
+    hooks:
+    -   id: shellcheck
+        args: [--severity=warning]
diff --git a/github_scripts/citests.sh b/github_scripts/citests.sh
index 00a590182..6f72f2c5d 100755
--- a/github_scripts/citests.sh
+++ b/github_scripts/citests.sh
@@ -38,6 +38,7 @@ fi
 plugin_output=$(./stash_plugin osdf:///ospool/uc-shared/public/OSG-Staff/validation/test.txt query1)
 rm query1
 
+# shellcheck disable=SC2076
 if ! [[ $plugin_output =~ "TransferUrl = \"osdf:///ospool/uc-shared/public/OSG-Staff/validation/test.txt\"" ]]; then
   echo "TransferUrl not in plugin output"
   to_exit=1
@@ -73,7 +74,7 @@ cleanup() {
 }
 trap cleanup EXIT
 
-for idx in {1..20}; do
+for _idx in {1..20}; do
   if [ -e "$SOCKET_DIR/socket" ]; then
     break
   fi
diff --git a/github_scripts/osx_install.sh b/github_scripts/osx_install.sh
index c702b414c..110643afa 100755
--- a/github_scripts/osx_install.sh
+++ b/github_scripts/osx_install.sh
@@ -1,4 +1,4 @@
-#!/bin/sh -ex
+#!/bin/bash
 # Copyright (C) 2024, Pelican Project, Morgridge Institute for Research
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you
@@ -14,6 +14,8 @@
 # limitations under the License.
 #
 
+set -ex
+
 #
 # This script installs all the xrootd-related dependencies into the
 # Mac OS X instance in GitHub.
@@ -25,7 +27,7 @@ brew install minio ninja coreutils
 
 # The new macos-latest runner has some issues with /usr/local/<lib/include>. Adjust perms ahead of time
 sudo mkdir -p /usr/local/lib && sudo mkdir -p /usr/local/include
-sudo chmod -R 777 /usr/local && sudo chown -R $(whoami):admin /usr/local
+sudo chmod -R 777 /usr/local && sudo chown -R "$(whoami)":admin /usr/local
 
 mkdir dependencies
 pushd dependencies
@@ -71,7 +73,7 @@ mkdir build
 cd build
 cmake .. -GNinja -DCMAKE_INSTALL_PREFIX=$PWD/release_dir
 ninja install
-xrootd_libdir=$(grealpath $(dirname $(grealpath `which xrootd`))/../lib/)
+xrootd_libdir=$(grealpath "$(dirname "$(grealpath "$(which xrootd)")")"/../lib/)
 echo "Will install into: $xrootd_libdir"
 sudo mkdir -p $xrootd_libdir
 sudo ln -s $PWD/release_dir/lib/libXrdHTTPServer-5.so $xrootd_libdir
diff --git a/images/entrypoint.sh b/images/entrypoint.sh
index 38862e574..5415230ea 100644
--- a/images/entrypoint.sh
+++ b/images/entrypoint.sh
@@ -52,7 +52,7 @@ if [ "$2" == "origin" ]; then
 
         shopt -s nullglob
         for fullfile in /opt/scitokens-server/etc/trusted-cas/*.pem; do
-            aliasname=$(basename "$file")
+            filename=$(basename "$fullfile")
             aliasname="${filename%.*}"
             keytool -cacerts -importcert -noprompt -storepass changeit -file "$fullfile" -alias "$aliasname"
         done
@@ -85,7 +85,7 @@ if [ "$2" == "origin" ]; then
     # Tomcat requires us to provide the intermediate chain (which, in Kubernetes, is often in the same
     # file as the host certificate itself.  If there wasn't one provided, try splitting it out.
     if [ ! -e /opt/tomcat/conf/chain.pem ]; then
-        pushd /tmp > /dev/null
+        pushd /tmp > /dev/null || { echo "pushd failed"; exit 1; }
         if csplit -f tls- -b "%02d.crt.pem" -s -z "/opt/tomcat/conf/hostcert.pem" '/-----BEGIN CERTIFICATE-----/' '{1}' 2>/dev/null ; then
             cp /tmp/tls-01.crt.pem /opt/tomcat/conf/chain.pem
             rm /tmp/tls-*.crt.pem
@@ -93,7 +93,7 @@ if [ "$2" == "origin" ]; then
             # No intermediate CAs found.  Create an empty file.
             touch /opt/tomcat/conf/chain.pem
         fi
-        popd > /dev/null
+        popd > /dev/null || { echo "popd failed"; exit 1; }
     fi
 fi
 
@@ -113,7 +113,7 @@ if [ $# -ne 0 ]; then
     case "$program_selector" in
         pelican)
             # Run pelican with the rest of the arguments
-            echo "Running pelican with arguments: $@"
+            echo "Running pelican with arguments: $*"
             exec tini -- /pelican/pelican "$@"
             # we shouldn't get here
             echo >&2 "Exec of tini failed!"
@@ -121,7 +121,7 @@ if [ $# -ne 0 ]; then
             ;;
         osdf)
             # Run osdf with the rest of the arguments
-            echo "Running osdf with arguments: $@"
+            echo "Running osdf with arguments: $*"
             exec tini -- /pelican/osdf "$@"
             # we shouldn't get here
             echo >&2 "Exec of tini failed!"
diff --git a/web_ui/frontend/dev/image/entrypoint.sh b/web_ui/frontend/dev/image/entrypoint.sh
index ddadb727b..97b25f4d4 100644
--- a/web_ui/frontend/dev/image/entrypoint.sh
+++ b/web_ui/frontend/dev/image/entrypoint.sh
@@ -13,5 +13,5 @@ echo "Starting cron"
 cron
 
 # Run the original Docker entrypoint script with any passed arguments
-echo "Running original Docker entrypoint script with arguments: $@"
+echo "Running original Docker entrypoint script with arguments: $*"
 /docker-entrypoint.sh "$@"