shellcheck: clean up shellcheck warnings and enable

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: Ibc843b98c0fea97a31d3d15b556a32f091bf8e47
diff --git a/.shellcheck b/.shellcheck
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/.shellcheck
diff --git a/build-jenkins.sh b/build-jenkins.sh
index 4f953a7..3c134cc 100755
--- a/build-jenkins.sh
+++ b/build-jenkins.sh
@@ -91,16 +91,16 @@
 j_url=https://repo.jenkins-ci.org/public/org/jenkins-ci/main/jenkins-war/${j_vrsn}/jenkins-war-${j_vrsn}.war
 
 # Make or Clean WORKSPACE
-if [[ -d ${workspace} ]]; then
-  rm -rf ${workspace}/Dockerfile \
-         ${workspace}/docker-jenkins \
-         ${workspace}/plugins.* \
-         ${workspace}/install-plugins.sh \
-         ${workspace}/jenkins.sh \
-         ${workspace}/jenkins-support \
-         ${workspace}/init.groovy
+if [[ -d "${workspace}" ]]; then
+  rm -rf "${workspace}/Dockerfile" \
+         "${workspace}/docker-jenkins" \
+         "${workspace}/plugins.*" \
+         "${workspace}/install-plugins.sh" \
+         "${workspace}/jenkins.sh" \
+         "${workspace}/jenkins-support" \
+         "${workspace}/init.groovy"
 else
-  mkdir -p ${workspace}
+  mkdir -p "${workspace}"
 fi
 
 # Determine the prefix of the Dockerfile's base image
@@ -119,7 +119,7 @@
 esac
 
 # Move Into the WORKSPACE
-cd ${workspace}
+cd "${workspace}"
 
 # Make the Dockerfile
 ################################################################################
@@ -200,31 +200,33 @@
 ################################################################################
 
 # Build the image
-docker build -t ${img_name} .
+docker build -t "${img_name}" .
 
-if [[ ${launch} == "docker" ]]; then
+if [[ "${launch}" == "docker" ]]; then
 
   # Ensure directories that will be mounted exist
-  if [[ ! -z ${host_import_mnt} && ! -d ${host_import_mnt} ]]; then
-      mkdir -p ${host_import_mnt}
+  if [[ -n "${host_import_mnt}" && ! -d "${host_import_mnt}" ]]; then
+      mkdir -p "${host_import_mnt}"
   fi
 
-  if [[ ! -d ${home_mnt} ]]; then
-    mkdir -p ${home_mnt}
+  if [[ ! -d "${home_mnt}" ]]; then
+    mkdir -p "${home_mnt}"
   fi
 
   # Ensure directories that will be mounted are owned by the jenkins user
   if [[ "$(id -u)" != 0 ]]; then
     echo "Not running as root:"
     echo "Checking if j_gid and j_uid are the owners of mounted directories"
-    test_1=$(ls -nd ${home_mnt} | awk '{print $3 " " $4}')
+    # shellcheck disable=SC2012 # use ls to get permissions.
+    test_1="$(ls -nd "${home_mnt}" | awk '{print $3 " " $4}')"
     if [[ "${test_1}" != "${j_uid} ${j_gid}" ]]; then
       echo "Owner of ${home_mnt} is not the jenkins user"
       echo "${test_1} != ${j_uid} ${j_gid}"
       will_fail=1
     fi
-    if [[ ! -z "${host_import_mnt}" ]]; then
-      test_2=$(ls -nd ${host_import_mnt} | awk '{print $3 " " $4}' )
+    if [[ -n "${host_import_mnt}" ]]; then
+      # shellcheck disable=SC2012 # use ls to get permissions.
+      test_2="$(ls -nd "${host_import_mnt}" | awk '{print $3 " " $4}' )"
       if [[ "${test_2}" != "${j_uid} ${j_gid}" ]]; then
         echo "Owner of ${host_import_mnt} is not the jenkins user"
         echo "${test_2} != ${j_uid} ${j_gid}"
@@ -237,27 +239,29 @@
       exit 1
     fi
   else
-    if [[ ! -z ${host_import_mnt} ]]; then
-      chown -R ${j_uid}:${j_gid} ${host_import_mnt}
+    if [[ -n "${host_import_mnt}" ]]; then
+      chown -R "${j_uid}:${j_gid}" "${host_import_mnt}"
     fi
-    chown -R ${j_uid}:${j_gid} ${home_mnt}
+    chown -R "${j_uid}:${j_gid}" "${home_mnt}"
   fi
 
   #If we don't have import mount don't add to docker command
-  if [[ ! -z ${host_import_mnt} ]]; then
+  if [[ -n "${host_import_mnt}" ]]; then
    import_vol_cmd="-v ${host_import_mnt}:${cont_import_mnt}"
   fi
   # Launch the jenkins image with Docker
+  # shellcheck disable=SC2086 # import_vol_cmd is intentially word-split.
   docker run -d \
     ${import_vol_cmd} \
-    -v ${home_mnt}:${j_home} \
-    -p ${http_port}:8080 \
-    -p ${agent_port}:${agent_port} \
-    --env JAVA_OPTS=\"${java_options}\" \
-    --env JENKINS_OPTS=\"${jenkins_options}\" \
-    ${img_name}
+    -v "${home_mnt}:${j_home}" \
+    -p "${http_port}:8080" \
+    -p "${agent_port}:${agent_port}" \
+    --env JAVA_OPTS=\""${java_options}"\" \
+    --env JENKINS_OPTS=\""${jenkins_options}"\" \
+    "${img_name}"
 
 elif [[ ${launch} == "k8s" ]]; then
   # launch using the k8s template
-  source ${build_scripts_dir}/kubernetes/kubernetes-launch.sh Build-Jenkins false false
+  # shellcheck source=kubernetes/kubernetes-launch.sh
+  source "${build_scripts_dir}/kubernetes/kubernetes-launch.sh" Build-Jenkins false false
 fi
diff --git a/build-rootfs-size-docker.sh b/build-rootfs-size-docker.sh
index 5299c64..0503878 100755
--- a/build-rootfs-size-docker.sh
+++ b/build-rootfs-size-docker.sh
@@ -49,9 +49,9 @@
     squashfs-tools
 
 # Final configuration for the workspace
-RUN grep -q ${GROUPS} /etc/group || groupadd -g ${GROUPS} ${USER}
-RUN mkdir -p $(dirname ${HOME})
-RUN grep -q ${UID} /etc/passwd || useradd -d ${HOME} -m -u ${UID} -g ${GROUPS} ${USER}
+RUN grep -q ${GROUPS[0]} /etc/group || groupadd -g ${GROUPS[0]} ${USER}
+RUN mkdir -p $(dirname "${HOME}")
+RUN grep -q ${UID} /etc/passwd || useradd -d ${HOME} -m -u ${UID} -g ${GROUPS[0]} ${USER}
 RUN sed -i '1iDefaults umask=000' /etc/sudoers
 RUN echo "${USER} ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers
 
@@ -62,4 +62,4 @@
 ################################# docker img # #################################
 
 # Build above image
-docker build --network=host -t ${DOCKER_IMG_NAME} - <<< "${Dockerfile}"
+docker build --network=host -t "${DOCKER_IMG_NAME}" - <<< "${Dockerfile}"
diff --git a/build-setup.sh b/build-setup.sh
index 2d63f12..6252b77 100755
--- a/build-setup.sh
+++ b/build-setup.sh
@@ -133,16 +133,16 @@
 echo "Build started, $(date)"
 
 # If the obmc_dir directory doesn't exist clone it in
-if [ ! -d ${obmc_dir} ]; then
+if [ ! -d "${obmc_dir}" ]; then
   echo "Clone in openbmc master to ${obmc_dir}"
-  git clone https://github.com/openbmc/openbmc ${obmc_dir}
+  git clone https://github.com/openbmc/openbmc "${obmc_dir}"
 fi
 
 # Make and chown the xtrct_path directory to avoid permission errors
-if [ ! -d ${xtrct_path} ]; then
-  mkdir -p ${xtrct_path}
+if [ ! -d "${xtrct_path}" ]; then
+  mkdir -p "${xtrct_path}"
 fi
-chown ${UID}:${GROUPS} ${xtrct_path}
+chown "${UID}:${GROUPS[0]}" "${xtrct_path}"
 
 # Work out what build target we should be running and set BitBake command
 MACHINE=""
@@ -264,8 +264,8 @@
   ENV LANG=en_US.utf8
   RUN localedef -f UTF-8 -i en_US en_US.UTF-8
 
-  RUN grep -q ${GROUPS} /etc/group || groupadd -g ${GROUPS} ${USER}
-  RUN grep -q ${UID} /etc/passwd || useradd -d ${HOME} -m -u ${UID} -g ${GROUPS} ${USER}
+  RUN grep -q ${GROUPS[0]} /etc/group || groupadd -g ${GROUPS[0]} ${USER}
+  RUN grep -q ${UID} /etc/passwd || useradd -d ${HOME} -m -u ${UID} -g ${GROUPS[0]} ${USER}
 
   USER ${USER}
   ENV HOME ${HOME}
@@ -313,8 +313,8 @@
   ENV LANGUAGE en_US:en
   ENV LC_ALL en_US.UTF-8
 
-  RUN grep -q ${GROUPS} /etc/group || groupadd -g ${GROUPS} ${USER}
-  RUN grep -q ${UID} /etc/passwd || useradd -d ${HOME} -m -u ${UID} -g ${GROUPS} ${USER}
+  RUN grep -q ${GROUPS[0]} /etc/group || groupadd -g ${GROUPS[0]} ${USER}
+  RUN grep -q ${UID} /etc/passwd || useradd -d ${HOME} -m -u ${UID} -g ${GROUPS[0]} ${USER}
 
   USER ${USER}
   ENV HOME ${HOME}
@@ -328,10 +328,10 @@
 export PROXY_HOST=${PROXY_HOST/%:[0-9]*}
 export PROXY_PORT=${http_proxy/#http*:\/\/*:}
 
-mkdir -p ${WORKSPACE}
+mkdir -p "${WORKSPACE}"
 
 # Determine command for bitbake image build
-if [ $no_tar = "false" ]; then
+if [ "$no_tar" = "false" ]; then
     bitbake_target="${bitbake_target} obmc-phosphor-debug-tarball"
 fi
 
@@ -438,13 +438,13 @@
 
 EOF_SCRIPT
 
-chmod a+x ${WORKSPACE}/build.sh
+chmod a+x "${WORKSPACE}/build.sh"
 
 # Give the Docker image a name based on the distro,tag,arch,and target
 img_name=${img_name:-openbmc/${distro}:${img_tag}-${target}-${ARCH}}
 
 # Build the Docker image
-docker build -t ${img_name} - <<< "${Dockerfile}"
+docker build -t "${img_name}" - <<< "${Dockerfile}"
 
 # If obmc_dir or ssc_dir are ${HOME} or a subdirectory they will not be mounted
 mount_obmc_dir="-v ""${obmc_dir}"":""${obmc_dir}"" "
@@ -461,23 +461,24 @@
 fi
 
 # Run the Docker container, execute the build.sh script
+# shellcheck disable=SC2086 # mount commands word-split purposefully
 docker run \
 --cap-add=sys_admin \
 --cap-add=sys_nice \
 --net=host \
 --rm=true \
--e WORKSPACE=${WORKSPACE} \
+-e WORKSPACE="${WORKSPACE}" \
 -w "${HOME}" \
--v "${HOME}":"${HOME}" \
+-v "${HOME}:${HOME}" \
 ${mount_obmc_dir} \
 ${mount_ssc_dir} \
 ${mount_workspace_dir} \
 --cpus="$num_cpu" \
--t ${img_name} \
-${WORKSPACE}/build.sh
+-t "${img_name}" \
+"${WORKSPACE}/build.sh"
 
 # To maintain function of resources that used an older path, add a link
-ln -sf ${xtrct_path}/deploy ${WORKSPACE}/deploy
+ln -sf "${xtrct_path}/deploy" "${WORKSPACE}/deploy"
 
 # Timestamp for build
 echo "Build completed, $(date)"
diff --git a/build-unit-test-docker.sh b/build-unit-test-docker.sh
index a3299c0..81c238b 100755
--- a/build-unit-test-docker.sh
+++ b/build-unit-test-docker.sh
@@ -75,7 +75,7 @@
         grep "refs/heads/$BRANCH" | awk '{ print $1 }' || true)
 
   # If specific branch is not found then try master
-  if [[ ! -n "$tip" ]]; then
+  if [[ -z "$tip" ]]; then
     tip=$(git ls-remote --heads "https://github.com/${package}" |
          grep "refs/heads/master" | awk '{ print $1 }')
   fi
@@ -123,10 +123,11 @@
 )
 
 # Turn the depcache into a dictionary so we can reference the HEAD of each repo
-for line in $(cat "$DEPCACHE_FILE"); do
+while IFS= read -r line; do
+  # shellcheck disable=SC2207 # Expecting to word-split tr results.
   linearr=($(echo "$line" | tr ':' ' '))
   PKG_REV["${linearr[0]}"]="${linearr[1]}"
-done
+done < "$DEPCACHE_FILE"
 
 # Define common flags used for builds
 PREFIX="/usr/local"
@@ -159,7 +160,7 @@
 # We must sort the packages, otherwise we might produce an unstable
 # docker file and rebuild the image unnecessarily
 for pkg in $(echo "${!PKG_REV[@]}" | tr ' ' '\n' | LC_COLLATE=C sort -s); do
-  COPY_CMDS+="COPY --from=$(stagename ${pkg}) ${PREFIX} ${PREFIX}"$'\n'
+  COPY_CMDS+="COPY --from=$(stagename "${pkg}") ${PREFIX} ${PREFIX}"$'\n'
   # Workaround for upstream docker bug and multiple COPY cmds
   # https://github.com/moby/moby/issues/37965
   COPY_CMDS+="RUN true"$'\n'
@@ -498,9 +499,9 @@
 RUN echo '$(LC_COLLATE=C sort -s "$DEPCACHE_FILE" | tr '\n' ',')' > /tmp/depcache
 
 # Final configuration for the workspace
-RUN grep -q ${GROUPS} /etc/group || groupadd -g ${GROUPS} ${USER}
+RUN grep -q ${GROUPS[0]} /etc/group || groupadd -g ${GROUPS[0]} ${USER}
 RUN mkdir -p "$(dirname "${HOME}")"
-RUN grep -q ${UID} /etc/passwd || useradd -d ${HOME} -m -u ${UID} -g ${GROUPS} ${USER}
+RUN grep -q ${UID} /etc/passwd || useradd -d ${HOME} -m -u ${UID} -g ${GROUPS[0]} ${USER}
 RUN sed -i '1iDefaults umask=000' /etc/sudoers
 RUN echo "${USER} ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers
 
@@ -517,4 +518,5 @@
 fi
 
 # Build above image
-docker build ${proxy_args} --network=host -t ${DOCKER_IMG_NAME} - <<< "${Dockerfile}"
+# shellcheck disable=SC2086 # proxy_args requires word splitting.
+docker build ${proxy_args} --network=host -t "${DOCKER_IMG_NAME}" - <<< "${Dockerfile}"
diff --git a/docs-build.sh b/docs-build.sh
index a98fd7c..b0f06f8 100755
--- a/docs-build.sh
+++ b/docs-build.sh
@@ -23,7 +23,7 @@
 
 ${PROXY}
 
-ENV DEBIAN_FRONTEND noninteractive 
+ENV DEBIAN_FRONTEND noninteractive
 RUN apt-get update && apt-get install -yy \
 	make \
 	texlive-xetex \
@@ -31,8 +31,8 @@
 	fonts-inconsolata \
 	fonts-linuxlibertine
 
-RUN grep -q ${GROUPS} /etc/group || groupadd -g ${GROUPS} ${USER}
-RUN grep -q ${UID} /etc/passwd || useradd -d ${HOME} -m -u ${UID} -g ${GROUPS} ${USER}
+RUN grep -q ${GROUPS[0]} /etc/group || groupadd -g ${GROUPS[0]} ${USER}
+RUN grep -q ${UID} /etc/passwd || useradd -d ${HOME} -m -u ${UID} -g ${GROUPS[0]} ${USER}
 
 USER ${USER}
 ENV HOME ${HOME}
@@ -41,8 +41,7 @@
 )
 
 # Build the docker container
-docker build -t linux-build/ubuntu - <<< "${Dockerfile}"
-if [[ "$?" -ne 0 ]]; then
+if ! docker build -t linux-build/ubuntu - <<< "${Dockerfile}" ; then
   echo "Failed to build docker container."
   exit 1
 fi
@@ -52,7 +51,7 @@
 export PROXY_HOST=${PROXY_HOST/%:[0-9]*}
 export PROXY_PORT=${http_proxy/#http*:\/\/*:}
 
-mkdir -p ${WORKSPACE}
+mkdir -p "${WORKSPACE}"
 
 cat > "${WORKSPACE}"/build.sh << EOF_SCRIPT
 #!/bin/bash
@@ -68,8 +67,8 @@
 
 EOF_SCRIPT
 
-chmod a+x ${WORKSPACE}/build.sh
+chmod a+x "${WORKSPACE}/build.sh"
 
 # Run the docker container, execute the build script we just built
-docker run --cap-add=sys_admin --net=host --rm=true -e WORKSPACE=${WORKSPACE} --user="${USER}" \
-  -w "${HOME}" -v "${HOME}":"${HOME}" -t linux-build/ubuntu ${WORKSPACE}/build.sh
+docker run --cap-add=sys_admin --net=host --rm=true -e WORKSPACE="${WORKSPACE}" --user="${USER}" \
+  -w "${HOME}" -v "${HOME}":"${HOME}" -t linux-build/ubuntu "${WORKSPACE}/build.sh"
diff --git a/initramfs-build.sh b/initramfs-build.sh
index 43e9473..af9061e 100755
--- a/initramfs-build.sh
+++ b/initramfs-build.sh
@@ -4,7 +4,7 @@
 #
 
 # Debug
-if grep -q debug <<< $@; then
+if grep -q debug <<< "$@"; then
 	set -x
 fi
 set -o errexit
@@ -84,8 +84,8 @@
 	iputils-ping \
 	locales
 
-RUN grep -q ${GROUPS} /etc/group || groupadd -g ${GROUPS} ${USER}
-RUN grep -q ${UID} /etc/passwd || useradd -d ${HOME} -m -u ${UID} -g ${GROUPS} ${USER}
+RUN grep -q ${GROUPS[0]} /etc/group || groupadd -g ${GROUPS[0]} ${USER}
+RUN grep -q ${UID} /etc/passwd || useradd -d ${HOME} -m -u ${UID} -g ${GROUPS[0]} ${USER}
 
 RUN locale-gen en_AU.utf8
 
@@ -96,8 +96,7 @@
 )
 
 # Build the docker container
-docker build -t initramfs-build/ubuntu - <<< "${Dockerfile}"
-if [[ "$?" -ne 0 ]]; then
+if ! docker build -t initramfs-build/ubuntu - <<< "${Dockerfile}" ; then
 	echo "Failed to build docker container."
 	exit 1
 fi
diff --git a/jenkins/run-meta-ci b/jenkins/run-meta-ci
index 023b8de..4ce317b 100755
--- a/jenkins/run-meta-ci
+++ b/jenkins/run-meta-ci
@@ -11,7 +11,7 @@
 #  GERRIT_BRANCH:  Branch under test (default is master)
 
 export LANG=en_US.UTF8
-cd $WORKSPACE
+cd "$WORKSPACE"
 
 GERRIT_BRANCH=${GERRIT_BRANCH:-"master"}
 
@@ -20,25 +20,26 @@
 # git clone https://github.com/openbmc/openbmc-test-automation.git --branch ${GERRIT_BRANCH} --single-branch
 git clone https://github.com/openbmc/openbmc-test-automation.git --branch master --single-branch
 
-export META_REPO=`basename $GERRIT_PROJECT`
+META_REPO=$(basename "$GERRIT_PROJECT")
+export META_REPO
 
 # Move the extracted meta layer to a dir based on it's meta-* name
-mv $GERRIT_PROJECT $META_REPO
+mv "$GERRIT_PROJECT" "$META_REPO"
 
 # Remove openbmc dir in prep for full repo clone
 rm -rf openbmc
 
 # Clone openbmc/openbmc
-git clone https://github.com/openbmc/openbmc.git --branch ${GERRIT_BRANCH} --single-branch
+git clone https://github.com/openbmc/openbmc.git --branch "${GERRIT_BRANCH}" --single-branch
 
 # Make sure meta-* directory is there
-mkdir -p ./openbmc/$META_REPO/
+mkdir -p ./openbmc/"$META_REPO"/
 
 # Clean out the dir to handle delete/rename of files
-rm -rf ./openbmc/$META_REPO/*
+rm -rf ./openbmc/"$META_REPO"/*
 
 # Copy the extracted meta code into it
-cp -Rf $META_REPO/* ./openbmc/$META_REPO/
+cp -Rf "$META_REPO"/* ./openbmc/"$META_REPO"/
 
 # Create a dummy commit so code update will pick it up
 cd openbmc
diff --git a/kernel-build-setup.sh b/kernel-build-setup.sh
index 9c5f7cb..972f477 100755
--- a/kernel-build-setup.sh
+++ b/kernel-build-setup.sh
@@ -39,8 +39,8 @@
 	make \
 	uboot-tools xz
 
-RUN grep -q ${GROUPS} /etc/group || groupadd -g ${GROUPS} ${USER}
-RUN grep -q ${UID} /etc/passwd || useradd -d ${HOME} -m -u ${UID} -g ${GROUPS} ${USER}
+RUN grep -q ${GROUPS[0]} /etc/group || groupadd -g ${GROUPS[0]} ${USER}
+RUN grep -q ${UID} /etc/passwd || useradd -d ${HOME} -m -u ${UID} -g ${GROUPS[0]} ${USER}
 
 USER ${USER}
 ENV HOME ${HOME}
@@ -70,8 +70,8 @@
 	flex \
 	u-boot-tools
 
-RUN grep -q ${GROUPS} /etc/group || groupadd -g ${GROUPS} ${USER}
-RUN grep -q ${UID} /etc/passwd || useradd -d ${HOME} -m -u ${UID} -g ${GROUPS} ${USER}
+RUN grep -q ${GROUPS[0]} /etc/group || groupadd -g ${GROUPS[0]} ${USER}
+RUN grep -q ${UID} /etc/passwd || useradd -d ${HOME} -m -u ${UID} -g ${GROUPS[0]} ${USER}
 
 USER ${USER}
 ENV HOME ${HOME}
@@ -81,8 +81,7 @@
 fi
 
 # Build the docker container
-docker build -t linux-aspeed/${distro} - <<< "${Dockerfile}"
-if [[ "$?" -ne 0 ]]; then
+if ! docker build -t "linux-aspeed/${distro}" - <<< "${Dockerfile}" ; then
   echo "Failed to build docker container."
   exit 1
 fi
@@ -92,7 +91,7 @@
 export PROXY_HOST=${PROXY_HOST/%:[0-9]*}
 export PROXY_PORT=${http_proxy/#http*:\/\/*:}
 
-mkdir -p ${WORKSPACE}
+mkdir -p "${WORKSPACE}"
 
 cat > "${WORKSPACE}"/build.sh << EOF_SCRIPT
 #!/bin/bash
@@ -124,11 +123,11 @@
 
 EOF_SCRIPT
 
-chmod a+x ${WORKSPACE}/build.sh
+chmod a+x "${WORKSPACE}"/build.sh
 
 # Run the docker container, execute the build script we just built
-docker run --cap-add=sys_admin --net=host --rm=true -e WORKSPACE=${WORKSPACE} --user="${USER}" \
-  -w "${HOME}" -v "${HOME}":"${HOME}" -t linux-aspeed/${distro} ${WORKSPACE}/build.sh
+docker run --cap-add=sys_admin --net=host --rm=true -e WORKSPACE="${WORKSPACE}" --user="${USER}" \
+  -w "${HOME}" -v "${HOME}":"${HOME}" -t linux-aspeed/"${distro}" "${WORKSPACE}"/build.sh
 
 # Timestamp for build
 echo "Build completed, $(date)"
diff --git a/kernel-build.sh b/kernel-build.sh
index 97e7ce8..199075a 100755
--- a/kernel-build.sh
+++ b/kernel-build.sh
@@ -23,7 +23,7 @@
 
 ${PROXY}
 
-ENV DEBIAN_FRONTEND noninteractive 
+ENV DEBIAN_FRONTEND noninteractive
 RUN apt-get update && apt-get install -yy \
 	bc \
 	build-essential \
@@ -39,8 +39,8 @@
 	dwarves \
 	sparse
 
-RUN grep -q ${GROUPS} /etc/group || groupadd -g ${GROUPS} ${USER}
-RUN grep -q ${UID} /etc/passwd || useradd -d ${HOME} -m -u ${UID} -g ${GROUPS} ${USER}
+RUN grep -q ${GROUPS[0]} /etc/group || groupadd -g ${GROUPS[0]} ${USER}
+RUN grep -q ${UID} /etc/passwd || useradd -d ${HOME} -m -u ${UID} -g ${GROUPS[0]} ${USER}
 
 USER ${USER}
 ENV HOME ${HOME}
@@ -49,8 +49,7 @@
 )
 
 # Build the docker container
-docker build -t linux-build/ubuntu - <<< "${Dockerfile}"
-if [[ "$?" -ne 0 ]]; then
+if ! docker build -t linux-build/ubuntu - <<< "${Dockerfile}" ; then
   echo "Failed to build docker container."
   exit 1
 fi
@@ -60,7 +59,7 @@
 export PROXY_HOST=${PROXY_HOST/%:[0-9]*}
 export PROXY_PORT=${http_proxy/#http*:\/\/*:}
 
-mkdir -p ${WORKSPACE}
+mkdir -p "${WORKSPACE}"
 
 cat > "${WORKSPACE}"/build.sh << EOF_SCRIPT
 #!/bin/bash
@@ -68,7 +67,7 @@
 set -x
 set -e -o pipefail
 
-cd ${WORKSPACE}
+cd "${WORKSPACE}"
 
 # Go into the linux directory (the script will put us in a build subdir)
 cd linux
@@ -96,11 +95,11 @@
 
 EOF_SCRIPT
 
-chmod a+x ${WORKSPACE}/build.sh
+chmod a+x "${WORKSPACE}"/build.sh
 
 # Run the docker container, execute the build script we just built
-docker run --cap-add=sys_admin --net=host --rm=true -e WORKSPACE=${WORKSPACE} --user="${USER}" \
-  -w "${WORKSPACE}" -v "${WORKSPACE}":"${WORKSPACE}" -t linux-build/ubuntu ${WORKSPACE}/build.sh
+docker run --cap-add=sys_admin --net=host --rm=true -e WORKSPACE="${WORKSPACE}" --user="${USER}" \
+  -w "${WORKSPACE}" -v "${WORKSPACE}":"${WORKSPACE}" -t linux-build/ubuntu "${WORKSPACE}"/build.sh
 
 result=${?}
 
diff --git a/openpower-build-setup.sh b/openpower-build-setup.sh
index 7920df6..6785f45 100755
--- a/openpower-build-setup.sh
+++ b/openpower-build-setup.sh
@@ -19,9 +19,9 @@
 echo "Build started, $(date)"
 
 # if there is no open-power directory clone in master into workspace
-if [ ! -e ${WORKSPACE}/op-build ]; then
+if [ ! -e "${WORKSPACE}"/op-build ]; then
         echo "Clone in openpower master to ${WORKSPACE}/op-build"
-        git clone --recursive https://github.com/open-power/op-build ${WORKSPACE}/op-build
+        git clone --recursive https://github.com/open-power/op-build "${WORKSPACE}"/op-build
 fi
 
 # Determine the architecture
@@ -84,8 +84,8 @@
 	zlib-static \
 	iputils-ping
 
-RUN grep -q ${GROUPS} /etc/group || groupadd -g ${GROUPS} ${USER}
-RUN grep -q ${UID} /etc/passwd || useradd -d ${HOME} -m -u ${UID} -g ${GROUPS} ${USER}
+RUN grep -q ${GROUPS[0]} /etc/group || groupadd -g ${GROUPS[0]} ${USER}
+RUN grep -q ${UID} /etc/passwd || useradd -d ${HOME} -m -u ${UID} -g ${GROUPS[0]} ${USER}
 
 USER ${USER}
 ENV HOME ${HOME}
@@ -127,8 +127,8 @@
         libssl-dev \
 	iputils-ping
 
-RUN grep -q ${GROUPS} /etc/group || groupadd -g ${GROUPS} ${USER}
-RUN grep -q ${UID} /etc/passwd || useradd -d ${HOME} -m -u ${UID} -g ${GROUPS} ${USER}
+RUN grep -q ${GROUPS[0]} /etc/group || groupadd -g ${GROUPS[0]} ${USER}
+RUN grep -q ${UID} /etc/passwd || useradd -d ${HOME} -m -u ${UID} -g ${GROUPS[0]} ${USER}
 
 USER ${USER}
 ENV HOME ${HOME}
@@ -138,13 +138,12 @@
 fi
 
 # Build the docker container
-docker build -t op-build/${distro} - <<< "${Dockerfile}"
-if [[ "$?" -ne 0 ]]; then
+if ! docker build -t op-build/"${distro}" - <<< "${Dockerfile}" ; then
   echo "Failed to build docker container."
   exit 1
 fi
 
-mkdir -p ${WORKSPACE}
+mkdir -p "${WORKSPACE}"
 
 cat > "${WORKSPACE}"/build.sh << EOF_SCRIPT
 #!/bin/bash
@@ -155,27 +154,27 @@
 # avalaible in this script
 shopt -s expand_aliases
 
-cd ${WORKSPACE}/op-build
+cd "${WORKSPACE}"/op-build
 
 # Source our build env
 . op-build-env
 
 # Configure
-op-build ${target}_defconfig
+op-build "${target}_defconfig"
 
 # Kick off a build
 op-build
 
 EOF_SCRIPT
 
-chmod a+x ${WORKSPACE}/build.sh
+chmod a+x "${WORKSPACE}"/build.sh
 
 # Run the docker container, execute the build script we just built
-docker run --net=host --rm=true -e WORKSPACE=${WORKSPACE} --user="${USER}" \
-  -w "${HOME}" -v "${HOME}":"${HOME}" -t op-build/${distro} ${WORKSPACE}/build.sh
+docker run --net=host --rm=true -e WORKSPACE="${WORKSPACE}" --user="${USER}" \
+  -w "${HOME}" -v "${HOME}":"${HOME}" -t op-build/"${distro}" "${WORKSPACE}"/build.sh
 
 # Create link to images for archiving
-ln -sf ${WORKSPACE}/op-build/output/images ${WORKSPACE}/images
+ln -sf "${WORKSPACE}"/op-build/output/images "${WORKSPACE}"/images
 
 # Timestamp for build
 echo "Build completed, $(date)"
diff --git a/qemu-build.sh b/qemu-build.sh
index 590a535..17111e9 100755
--- a/qemu-build.sh
+++ b/qemu-build.sh
@@ -96,7 +96,7 @@
 
 EOF_SCRIPT
 
-chmod a+x ${WORKSPACE}/build.sh
+chmod a+x "${WORKSPACE}"/build.sh
 
 # Configure docker build
 Dockerfile=$(cat << EOF
@@ -120,24 +120,23 @@
     python3-yaml \
     iputils-ping
 
-RUN grep -q ${GROUPS} /etc/group || groupadd -g ${GROUPS} ${USER}
-RUN grep -q ${UID} /etc/passwd || useradd -d ${HOME} -m -u ${UID} -g ${GROUPS} ${USER}
+RUN grep -q ${GROUPS[0]} /etc/group || groupadd -g ${GROUPS[0]} ${USER}
+RUN grep -q ${UID} /etc/passwd || useradd -d ${HOME} -m -u ${UID} -g ${GROUPS[0]} ${USER}
 USER ${USER}
 ENV HOME ${HOME}
 EOF
 )
 
-docker build -t ${img_name} - <<< "${Dockerfile}"
-if [[ "$?" -ne 0 ]]; then
+if ! docker build -t ${img_name} - <<< "${Dockerfile}" ; then
   echo "Failed to build docker container."
   exit 1
 fi
 
 docker run \
     --rm=true \
-    -e WORKSPACE=${WORKSPACE} \
+    -e WORKSPACE="${WORKSPACE}" \
     -w "${HOME}" \
     --user="${USER}" \
     -v "${HOME}":"${HOME}" \
     -t ${img_name} \
-    ${WORKSPACE}/build.sh
+    "${WORKSPACE}"/build.sh
diff --git a/run-qemu-robot-test.sh b/run-qemu-robot-test.sh
index 0857c6d..0e90c5f 100755
--- a/run-qemu-robot-test.sh
+++ b/run-qemu-robot-test.sh
@@ -64,7 +64,7 @@
 # The automated test suite needs a real machine type so
 # if we're using versatilepb for our qemu start parameter
 # then we need to just let our run-robot use the default
-if [[ $MACHINE == $DEFAULT_MACHINE ]]; then
+if [[ "$MACHINE" == "$DEFAULT_MACHINE" ]]; then
     MACHINE_QEMU=
 else
     MACHINE_QEMU=${MACHINE}
@@ -76,11 +76,9 @@
 # Determine the prefix of the Dockerfile's base image and the QEMU_ARCH variable
 case ${ARCH} in
   "ppc64le")
-    DOCKER_BASE="ppc64le/"
     QEMU_ARCH="ppc64le-linux"
     ;;
   "x86_64")
-    DOCKER_BASE=""
     QEMU_ARCH="x86_64-linux"
     ;;
   *)
@@ -95,10 +93,11 @@
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 # Create the base Docker image for QEMU and Robot
+# shellcheck source=scripts/build-qemu-robot-docker.sh
 . "$DIR/scripts/build-qemu-robot-docker.sh" "$DOCKER_IMG_NAME"
 
 # Copy the scripts to start and verify QEMU in the workspace
-cp $DIR/scripts/boot-qemu* ${UPSTREAM_WORKSPACE}
+cp "$DIR"/scripts/boot-qemu* "${UPSTREAM_WORKSPACE}"
 
 ################################################################################
 
@@ -109,15 +108,15 @@
   obmc_qemu_docker=$(docker run --detach \
                                 --rm \
                                 --user root \
-                                --env HOME=${OBMC_BUILD_DIR} \
-                                --env QEMU_RUN_TIMER=${QEMU_RUN_TIMER} \
-                                --env QEMU_ARCH=${QEMU_ARCH} \
-                                --env QEMU_BIN=${QEMU_BIN} \
-                                --env MACHINE=${MACHINE} \
+                                --env HOME="${OBMC_BUILD_DIR}" \
+                                --env QEMU_RUN_TIMER="${QEMU_RUN_TIMER}" \
+                                --env QEMU_ARCH="${QEMU_ARCH}" \
+                                --env QEMU_BIN="${QEMU_BIN}" \
+                                --env MACHINE="${MACHINE}" \
                                 --workdir "${OBMC_BUILD_DIR}"           \
                                 --volume "${UPSTREAM_WORKSPACE}":"${OBMC_BUILD_DIR}" \
                                 --tty \
-                                ${DOCKER_IMG_NAME} ${OBMC_BUILD_DIR}/boot-qemu-test.exp)
+                                "${DOCKER_IMG_NAME}" "${OBMC_BUILD_DIR}"/boot-qemu-test.exp)
 
   # We can use default ports because we're going to have the 2
   # docker instances talk over their private network
@@ -129,17 +128,17 @@
   # fine on these errors so just ignore the SIGPIPE
   trap '' PIPE
 
-  DOCKER_QEMU_IP_ADDR="$(docker inspect $obmc_qemu_docker |  \
+  DOCKER_QEMU_IP_ADDR="$(docker inspect "$obmc_qemu_docker" |  \
                        grep "IPAddress\":" | tail -n1 | cut -d '"' -f 4)"
 
   #Now wait for the OpenBMC QEMU Docker instance to get to standby
   delay=5
-  attempt=$(( $QEMU_LOGIN_TIMER / $delay ))
+  attempt=$(( QEMU_LOGIN_TIMER / delay ))
   while [ $attempt -gt 0 ]; do
-    attempt=$(( $attempt - 1 ))
+    attempt=$(( attempt - 1 ))
     echo "Waiting for qemu to get to standby (attempt: $attempt)..."
-    result=$(docker logs $obmc_qemu_docker)
-    if grep -q 'OPENBMC-READY' <<< $result ; then
+    result=$(docker logs "$obmc_qemu_docker")
+    if grep -q 'OPENBMC-READY' <<< "$result" ; then
       echo "QEMU is ready!"
       # Give QEMU a few secs to stabilize
       sleep $delay
@@ -158,34 +157,35 @@
   # Timestamp for job
   echo "Robot Test started, $(date)"
 
-  mkdir -p ${WORKSPACE}
-  cd ${WORKSPACE}
+  mkdir -p "${WORKSPACE}"
+  cd "${WORKSPACE}"
 
   # Copy in the script which will execute the Robot tests
-  cp $DIR/scripts/run-robot.sh ${WORKSPACE}
+  cp "$DIR"/scripts/run-robot.sh "${WORKSPACE}"
 
   # Run the Docker container to execute the Robot test cases
   # The test results will be put in ${WORKSPACE}
   docker run --rm \
              --user root \
-             --env HOME=${HOME} \
-             --env IP_ADDR=${DOCKER_QEMU_IP_ADDR} \
-             --env SSH_PORT=${DOCKER_SSH_PORT} \
-             --env HTTPS_PORT=${DOCKER_HTTPS_PORT} \
-             --env MACHINE=${MACHINE_QEMU} \
-             --workdir ${HOME} \
-             --volume ${WORKSPACE}:${HOME} \
+             --env HOME="${HOME}" \
+             --env IP_ADDR="${DOCKER_QEMU_IP_ADDR}" \
+             --env SSH_PORT="${DOCKER_SSH_PORT}" \
+             --env HTTPS_PORT="${DOCKER_HTTPS_PORT}" \
+             --env MACHINE="${MACHINE_QEMU}" \
+             --workdir "${HOME}" \
+             --volume "${WORKSPACE}":"${HOME}" \
              --tty \
-             ${DOCKER_IMG_NAME} ${HOME}/run-robot.sh
+             "${DOCKER_IMG_NAME}" "${HOME}"/run-robot.sh
 
   # Now stop the QEMU Docker image
-  docker stop $obmc_qemu_docker
+  docker stop "$obmc_qemu_docker"
 
 elif [[ ${LAUNCH} == "k8s" ]]; then
   # Package the Upstream into an image based off the one created by the build-qemu-robot.sh
   # Dockerfile = $( cat << EOF
-  imgname=$DOCKER_IMG_NAME
-  cd $DIR
+  # shellcheck disable=SC2034
+  imgname="$DOCKER_IMG_NAME"
+  cd "$DIR"
   source ./kubernetes/kubernetes-launch.sh QEMU-launch false false deployment
 
   # Xcat Launch (NYI)
diff --git a/run-rootfs-size-docker.sh b/run-rootfs-size-docker.sh
index a114ffe..f47bcae 100755
--- a/run-rootfs-size-docker.sh
+++ b/run-rootfs-size-docker.sh
@@ -44,21 +44,21 @@
 
 if [ ! -d "${WORKSPACE}/${OBMC_BUILD_SCRIPTS}" ]; then
     echo "Clone (${OBMC_BUILD_SCRIPTS}) in ${WORKSPACE}..."
-    git clone https://gerrit.openbmc-project.xyz/openbmc/${OBMC_BUILD_SCRIPTS} ${WORKSPACE}/${OBMC_BUILD_SCRIPTS}
+    git clone https://gerrit.openbmc-project.xyz/openbmc/${OBMC_BUILD_SCRIPTS} "${WORKSPACE}"/${OBMC_BUILD_SCRIPTS}
 fi
 
 if [ ! -d "${WORKSPACE}/${OBMC_TOOLS}" ]; then
     echo "Clone (${OBMC_TOOLS}) in ${WORKSPACE}..."
-    git clone https://gerrit.openbmc-project.xyz/openbmc/${OBMC_TOOLS} ${WORKSPACE}/${OBMC_TOOLS}
+    git clone https://gerrit.openbmc-project.xyz/openbmc/${OBMC_TOOLS} "${WORKSPACE}"/${OBMC_TOOLS}
 fi
 
 # Copy rootfs_size.py script into workspace
-cp ${WORKSPACE}/${OBMC_TOOLS}/${ROOTFS_SIZE_PY_DIR}/${ROOTFS_SIZE_PY} \
-${WORKSPACE}/${ROOTFS_SIZE_PY}
-chmod a+x ${WORKSPACE}/${ROOTFS_SIZE_PY}
+cp "${WORKSPACE}"/${OBMC_TOOLS}/${ROOTFS_SIZE_PY_DIR}/${ROOTFS_SIZE_PY} \
+"${WORKSPACE}"/${ROOTFS_SIZE_PY}
+chmod a+x "${WORKSPACE}"/${ROOTFS_SIZE_PY}
 
 # Configure docker build
-cd ${WORKSPACE}/${OBMC_BUILD_SCRIPTS}
+cd "${WORKSPACE}"/${OBMC_BUILD_SCRIPTS}
 echo "Building docker image with build-rootfs-size-docker.sh"
 
 # Export input env variables
@@ -73,8 +73,9 @@
     --privileged=true \
     -u "$USER" \
     -w "${WORKSPACE}" -v "${WORKSPACE}":"${WORKSPACE}" \
-    -t ${DOCKER_IMG_NAME} \
-    "${WORKSPACE}"/${ROOTFS_SIZE_PY} --build_dir ${WORKSPACE}/ --squashfs_file ${SQUASHFS_FILE}
+    -t "${DOCKER_IMG_NAME}" \
+    "${WORKSPACE}"/${ROOTFS_SIZE_PY} --build_dir "${WORKSPACE}"/ \
+    --squashfs_file "${SQUASHFS_FILE}"
 
 # Timestamp for build
 echo "rootfs_size build completed, $(date)"
diff --git a/run-unit-test-docker.sh b/run-unit-test-docker.sh
index 7427d10..40e1a51 100755
--- a/run-unit-test-docker.sh
+++ b/run-unit-test-docker.sh
@@ -62,28 +62,29 @@
     echo "Package(${OBMC_BUILD_SCRIPTS}) not found in ${WORKSPACE}, exiting..."
     exit 1
 fi
+# shellcheck disable=SC2153 # UNIT_TEST_PKG is not misspelled.
 if [ ! -d "${WORKSPACE}/${UNIT_TEST_PKG}" ]; then
     echo "Package(${UNIT_TEST_PKG}) not found in ${WORKSPACE}, exiting..."
     exit 1
 fi
 
 # Copy unit test script into workspace
-cp ${WORKSPACE}/${OBMC_BUILD_SCRIPTS}/${UNIT_TEST_PY_DIR}/${UNIT_TEST_PY} \
-${WORKSPACE}/${UNIT_TEST_PY}
-chmod a+x ${WORKSPACE}/${UNIT_TEST_PY}
+cp "${WORKSPACE}"/${OBMC_BUILD_SCRIPTS}/${UNIT_TEST_PY_DIR}/${UNIT_TEST_PY} \
+"${WORKSPACE}"/${UNIT_TEST_PY}
+chmod a+x "${WORKSPACE}"/${UNIT_TEST_PY}
 
 # Copy dbus unit test script into workspace
-cp ${WORKSPACE}/${OBMC_BUILD_SCRIPTS}/${UNIT_TEST_PY_DIR}/${DBUS_UNIT_TEST_PY} \
-${WORKSPACE}/${DBUS_UNIT_TEST_PY}
-chmod a+x ${WORKSPACE}/${DBUS_UNIT_TEST_PY}
+cp "${WORKSPACE}"/${OBMC_BUILD_SCRIPTS}/${UNIT_TEST_PY_DIR}/${DBUS_UNIT_TEST_PY} \
+"${WORKSPACE}"/${DBUS_UNIT_TEST_PY}
+chmod a+x "${WORKSPACE}"/${DBUS_UNIT_TEST_PY}
 
 # Copy format code script into workspace
-cp ${WORKSPACE}/${OBMC_BUILD_SCRIPTS}/${UNIT_TEST_PY_DIR}/${FORMAT_CODE_SH} \
-${WORKSPACE}/${FORMAT_CODE_SH}
-chmod a+x ${WORKSPACE}/${FORMAT_CODE_SH}
+cp "${WORKSPACE}"/${OBMC_BUILD_SCRIPTS}/${UNIT_TEST_PY_DIR}/${FORMAT_CODE_SH} \
+"${WORKSPACE}"/${FORMAT_CODE_SH}
+chmod a+x "${WORKSPACE}"/${FORMAT_CODE_SH}
 
 # Configure docker build
-cd ${WORKSPACE}/${OBMC_BUILD_SCRIPTS}
+cd "${WORKSPACE}"/${OBMC_BUILD_SCRIPTS}
 echo "Building docker image with build-unit-test-docker.sh"
 # Export input env variables
 export DOCKER_IMG_NAME
@@ -108,15 +109,15 @@
     -u "$USER" \
     -w "${DOCKER_WORKDIR}" -v "${WORKSPACE}":"${DOCKER_WORKDIR}" \
     -e "MAKEFLAGS=${MAKEFLAGS}" \
-    -t ${DOCKER_IMG_NAME} \
-    "${DOCKER_WORKDIR}"/${DBUS_UNIT_TEST_PY} -u ${UNIT_TEST} \
-    -f ${DBUS_SYS_CONFIG_FILE}
+    -t "${DOCKER_IMG_NAME}" \
+    "${DOCKER_WORKDIR}"/${DBUS_UNIT_TEST_PY} -u "${UNIT_TEST}" \
+    -f "${DBUS_SYS_CONFIG_FILE}"
 
 # Timestamp for build
 echo "Unit test build completed, $(date)"
 
 # Clean up copied scripts.
-rm ${WORKSPACE}/${UNIT_TEST_PY}
-rm ${WORKSPACE}/${DBUS_UNIT_TEST_PY}
-rm ${WORKSPACE}/${FORMAT_CODE_SH}
+rm "${WORKSPACE}"/${UNIT_TEST_PY}
+rm "${WORKSPACE}"/${DBUS_UNIT_TEST_PY}
+rm "${WORKSPACE}"/${FORMAT_CODE_SH}
 
diff --git a/scripts/boot-qemu.sh b/scripts/boot-qemu.sh
index f17ed14..c07112e 100755
--- a/scripts/boot-qemu.sh
+++ b/scripts/boot-qemu.sh
@@ -39,7 +39,7 @@
 echo "QEMU_ARCH = $QEMU_ARCH"
 if [[ -z $QEMU_ARCH ]]; then
     echo "Did not pass in required QEMU arch parameter"
-    exit -1
+    exit 1
 fi
 
 BASE_DIR=${2:-$HOME}
@@ -47,7 +47,7 @@
 echo "BASE_DIR = $BASE_DIR"
 if [[ ! -d $BASE_DIR ]]; then
     echo "No input directory and HOME not set!"
-    exit -1
+    exit 1
 fi
 
 # Set the location of the qemu binary relative to BASE_DIR
@@ -57,18 +57,19 @@
 MACHINE=${MACHINE:-${DEFAULT_MACHINE}}
 
 # Enter the base directory
-cd ${BASE_DIR}
+cd "${BASE_DIR}"
 
 # Find the correct drive file, and save its name.  OpenBMC has 3 different
 # image formats.  The UBI based one, the standard static.mtd one, and the
 # default QEMU basic image (rootfs.ext4).
 
 DEFAULT_IMAGE_LOC="./tmp/deploy/images/"
-if [ -f ${DEFAULT_IMAGE_LOC}/${MACHINE}/obmc-phosphor-image-${MACHINE}.ubi.mtd ]; then
-    DRIVE=obmc-phosphor-image-${MACHINE}.ubi.mtd
-elif [ -f ${DEFAULT_IMAGE_LOC}/${MACHINE}/obmc-phosphor-image-${MACHINE}.static.mtd ]; then
-    DRIVE=obmc-phosphor-image-${MACHINE}.static.mtd
+if [ -f ${DEFAULT_IMAGE_LOC}/"${MACHINE}"/obmc-phosphor-image-"${MACHINE}".ubi.mtd ]; then
+    DRIVE="obmc-phosphor-image-${MACHINE}.ubi.mtd"
+elif [ -f ${DEFAULT_IMAGE_LOC}/"${MACHINE}"/obmc-phosphor-image-"${MACHINE}".static.mtd ]; then
+    DRIVE="obmc-phosphor-image-${MACHINE}.static.mtd"
 else
+    # shellcheck disable=SC2010
     DRIVE=$(ls ${DEFAULT_IMAGE_LOC}/qemuarm | grep rootfs.ext4)
 fi
 
@@ -79,10 +80,10 @@
 
 # The drive file is stored in different locations depending on if we are
 # using the default or real platforms.
-if [ ${MACHINE} = ${DEFAULT_MACHINE} ]; then
-    cp ${DEFAULT_IMAGE_LOC}/qemuarm/${DRIVE} ${TMP_DRIVE_PATH}
+if [ "${MACHINE}" = "${DEFAULT_MACHINE}" ]; then
+    cp ${DEFAULT_IMAGE_LOC}/qemuarm/"${DRIVE}" "${TMP_DRIVE_PATH}"
 else
-    cp ${DEFAULT_IMAGE_LOC}/${MACHINE}/${DRIVE} ${TMP_DRIVE_PATH}
+    cp ${DEFAULT_IMAGE_LOC}/"${MACHINE}"/"${DRIVE}" "${TMP_DRIVE_PATH}"
 fi
 
 # Obtain IP from /etc/hosts if IP is not valid set to localhost
@@ -97,7 +98,7 @@
 
 # Most system only have one NIC so set this as default
 NIC="-net nic,model=ftgmac100,netdev=netdev1 -netdev user,id=netdev1,$NET_FORWARDING"
-if [ ${MACHINE} = "tacoma" ]; then
+if [ "${MACHINE}" = "tacoma" ]; then
     # Tacoma requires us to specify up to four NICs, with the third one being
     # the active device.
     NIC="-net nic,model=ftgmac100,netdev=netdev1 -netdev user,id=netdev1 "
@@ -108,14 +109,14 @@
 
 # The syntax to start old qemu / default version requires different syntax
 # then new qemu with the real platforms
-if [ ${MACHINE} = ${DEFAULT_MACHINE} ]; then
+if [ "${MACHINE}" = "${DEFAULT_MACHINE}" ]; then
     # Launch default QEMU using the qemu-system-arm
     ${QEMU_BIN} \
         -device virtio-net,netdev=mynet \
         -netdev user,id=mynet,hostfwd=tcp:${IP}:22-:22,hostfwd=tcp:${IP}:443-:443,hostfwd=tcp:${IP}:80-:80,hostfwd=tcp:${IP}:2200-:2200,hostfwd=udp:${IP}:623-:623,hostfwd=udp:${IP}:664-:664 \
         -machine versatilepb \
         -m 256 \
-        -drive file=${TMP_DRIVE_PATH},if=virtio,format=raw \
+        -drive file="${TMP_DRIVE_PATH}",if=virtio,format=raw \
         -show-cursor \
         -usb \
         -usbdevice tablet \
@@ -127,9 +128,10 @@
         -append 'root=/dev/vda rw highres=off  console=ttyS0 mem=256M ip=dhcp console=ttyAMA0,115200 console=tty'\
         -dtb ${DEFAULT_IMAGE_LOC}/qemuarm/zImage-versatile-pb.dtb
 else
+    # shellcheck disable=SC2086 # NIC is intentionally word-split.
     ${QEMU_BIN} \
-        -machine ${MACHINE}-bmc \
+        -machine "${MACHINE}"-bmc \
         -nographic \
-        -drive file=${TMP_DRIVE_PATH},format=raw,if=mtd \
+        -drive file="${TMP_DRIVE_PATH}",format=raw,if=mtd \
         ${NIC}
 fi
diff --git a/scripts/build-qemu-robot-docker.sh b/scripts/build-qemu-robot-docker.sh
index 4a55894..d8e4a8f 100755
--- a/scripts/build-qemu-robot-docker.sh
+++ b/scripts/build-qemu-robot-docker.sh
@@ -25,7 +25,7 @@
 PIP_MIRROR=${PIP_MIRROR:-""}
 
 # Determine our architecture, ppc64le or the other one
-if [ $(uname -m) == "ppc64le" ]; then
+if [ "$(uname -m)" == "ppc64le" ]; then
     DOCKER_BASE="ppc64le/"
 else
     DOCKER_BASE=""
@@ -42,7 +42,7 @@
 
 PIP_MIRROR_CMD=""
 if [[ -n "${PIP_MIRROR}" ]]; then
-    PIP_HOSTNAME=$(echo ${PIP_MIRROR} | awk -F[/:] '{print $4}')
+    PIP_HOSTNAME=$(echo "${PIP_MIRROR}" | awk -F[/:] '{print $4}')
     PIP_MIRROR_CMD="RUN mkdir -p \${HOME}/.pip && \
         echo \"[global]\" > \${HOME}/.pip/pip.conf && \
         echo \"index-url=${PIP_MIRROR}\" >> \${HOME}/.pip/pip.conf &&\
@@ -143,8 +143,8 @@
         && mv geckodriver /usr/local/bin \
         && chmod a+x /usr/local/bin/geckodriver
 
-RUN grep -q ${GROUPS} /etc/group || groupadd -g ${GROUPS} ${USER}
-RUN grep -q ${UID} /etc/passwd || useradd -d ${HOME} -m -u ${UID} -g ${GROUPS} \
+RUN grep -q ${GROUPS[0]} /etc/group || groupadd -g ${GROUPS[0]} ${USER}
+RUN grep -q ${UID} /etc/passwd || useradd -d ${HOME} -m -u ${UID} -g ${GROUPS[0]} \
                     ${USER}
 USER ${USER}
 RUN /bin/bash
@@ -159,4 +159,5 @@
 fi
 
 # Build above image
-docker build ${PROXY_ARGS} -t ${DOCKER_IMG_NAME} - <<< "${Dockerfile}"
+# shellcheck disable=SC2086 # PROXY_ARGS is intentionally word-split.
+docker build ${PROXY_ARGS} -t "${DOCKER_IMG_NAME}" - <<< "${Dockerfile}"
diff --git a/scripts/format-code.sh b/scripts/format-code.sh
index 1bb98a5..4da2174 100755
--- a/scripts/format-code.sh
+++ b/scripts/format-code.sh
@@ -10,7 +10,7 @@
 # Input parmameter must be full path to git repo to scan
 
 DIR=$1
-cd ${DIR}
+cd "${DIR}"
 
 set -e
 
@@ -66,7 +66,7 @@
 done
 
 searchfiles=""
-while read path; do
+while read -r path; do
   # skip ignorefiles
   if [[ $ignorefiles == *"$(basename "${path}")"* ]]; then
     continue
@@ -84,12 +84,14 @@
   if [ "$skip" = true ]; then
    continue
   fi
+  # shellcheck disable=2089
   searchfiles+="\"./${path}\" "
 
 # Get C and C++ files managed by git and skip the mako files
-done <<<$(git ls-files | grep -e '\.[ch]pp$' -e '\.[ch]$' | grep -v '\.mako\.')
+done <<<"$(git ls-files | grep -e '\.[ch]pp$' -e '\.[ch]$' | grep -v '\.mako\.')"
 
 if [[ -f ".clang-format" ]]; then
+  # shellcheck disable=SC2090 disable=SC2086
   echo ${searchfiles} | xargs "${CLANG_FORMAT}" -i
   git --no-pager diff --exit-code
 fi
diff --git a/scripts/run-robot.sh b/scripts/run-robot.sh
index f4fc34e..aad4bfd 100755
--- a/scripts/run-robot.sh
+++ b/scripts/run-robot.sh
@@ -18,6 +18,8 @@
 
 # we don't want to fail on bad rc since robot tests may fail
 
+set -e
+
 MACHINE=${MACHINE:-"qemu"}
 ROBOT_CODE_HOME=${ROBOT_CODE_HOME:-/tmp/$(whoami)/${RANDOM}/obmc-robot/}
 ROBOT_TEST_CMD=${ROBOT_TEST_CMD:-"python3 -m robot\
@@ -27,19 +29,20 @@
     --argumentfile ./test_lists/QEMU_CI ./tests"}
 
 git clone https://github.com/openbmc/openbmc-test-automation.git \
-        ${ROBOT_CODE_HOME}
+        "${ROBOT_CODE_HOME}"
 
-cd ${ROBOT_CODE_HOME}
+cd "${ROBOT_CODE_HOME}"
 
-chmod ugo+rw -R ${ROBOT_CODE_HOME}/*
+chmod ugo+rw -R "${ROBOT_CODE_HOME}"/*
 
 # Execute the CI tests
-"$($ROBOT_TEST_CMD)"
+# shellcheck disable=SC2091 # intentionally executing ROBOT_TEST_CMD.
+$($ROBOT_TEST_CMD)
 
-cp ${ROBOT_CODE_HOME}/*.xml ${HOME}/
-cp ${ROBOT_CODE_HOME}/*.html ${HOME}/
+cp "${ROBOT_CODE_HOME}"/*.xml "${HOME}/"
+cp "${ROBOT_CODE_HOME}"/*.html "${HOME}/"
 if [ -d logs ] ; then
-    cp -Rf ${ROBOT_CODE_HOME}/logs ${HOME}/ ;
+    cp -Rf "${ROBOT_CODE_HOME}"/logs "${HOME}"/ ;
 fi
 
 #rm -rf ${ROBOT_CODE_HOME}
diff --git a/test-distro.sh b/test-distro.sh
index 17f40b8..a7a44bd 100755
--- a/test-distro.sh
+++ b/test-distro.sh
@@ -5,9 +5,9 @@
 
 util_ensure_available() {
   local bin=$1
-  if ! which ${bin}
+  if ! which "${bin}"
   then
-    echo Please install ${bin}
+    echo "Please install ${bin}"
     return 1
   fi
   return 0
@@ -16,10 +16,11 @@
 jenkins_get_job_config() {
   local host="$1"
   local job="$2"
-  local config="$(mktemp --suffix=.xml config.XXXXXX)"
+  local config
+  config="$(mktemp --suffix=.xml config.XXXXXX)"
   local url="https://${host}/job/${job}/config.xml"
   wget --output-document="${config}" "${url}"
-  echo ${config}
+  echo "${config}"
 }
 
 jenkins_get_job_repos() {
@@ -56,16 +57,16 @@
       shift 2
       ;;
     -h|--help)
-      echo USAGE: DISTRO=DOCKERBASE $0 --config config.xml
+      echo "USAGE: DISTRO=DOCKERBASE $0 --config config.xml"
       echo
-      echo DOCKERBASE is the Docker Hub tag of the base image against which to
-      echo build and test the repositories described in config.xml. Individual
-      echo repositories can be tested against DOCKERBASE with the --repository
-      echo option \(in place of --config\).
+      echo "DOCKERBASE is the Docker Hub tag of the base image against which to"
+      echo "build and test the repositories described in config.xml. Individual"
+      echo "repositories can be tested against DOCKERBASE with the --repository"
+      echo "option \(in place of --config\)."
       exit 0
       ;;
     *)
-      (>&2 echo Unrecognised argument \'$1\')
+      (>&2 echo Unrecognised argument \'"$1"\')
       shift
       ;;
   esac
@@ -81,7 +82,8 @@
 
 git_clone_repo() {
   local prj_package="$1"
-  local package="$(basename "${prj_package}")"
+  local package
+  package="$(basename "${prj_package}")"
   local workspace="$2"
   if [ -d "${prj_package}" ]
   then
@@ -91,9 +93,9 @@
   git clone https://gerrit.openbmc-project.xyz/openbmc/"${package}" "${workspace}"/"${package}"
 }
 
-jenkins_get_job_repos "${CONFIG}" | while read GERRIT_PROJECT
+jenkins_get_job_repos "${CONFIG}" | while read -r GERRIT_PROJECT
 do
-  UNIT_TEST_PKG=$(basename ${GERRIT_PROJECT})
+  UNIT_TEST_PKG=$(basename "${GERRIT_PROJECT}")
   WORKSPACE="$(mktemp -d --tmpdir openbmc-build-scripts.XXXXXX)"
   git clone . "${WORKSPACE}"/openbmc-build-scripts
   git_clone_repo "${GERRIT_PROJECT}" "${WORKSPACE}"
diff --git a/trace-kernel-build.sh b/trace-kernel-build.sh
index 7f72dec..d0e3b44 100755
--- a/trace-kernel-build.sh
+++ b/trace-kernel-build.sh
@@ -39,8 +39,8 @@
 	dwarves \
 	sparse
 
-RUN grep -q ${GROUPS} /etc/group || groupadd -g ${GROUPS} ${USER}
-RUN grep -q ${UID} /etc/passwd || useradd -d ${HOME} -m -u ${UID} -g ${GROUPS} ${USER}
+RUN grep -q ${GROUPS[0]} /etc/group || groupadd -g ${GROUPS[0]} ${USER}
+RUN grep -q ${UID} /etc/passwd || useradd -d ${HOME} -m -u ${UID} -g ${GROUPS[0]} ${USER}
 
 USER ${USER}
 ENV HOME ${HOME}
@@ -49,8 +49,7 @@
 )
 
 # Build the docker container
-docker build -t trace-linux-build/ubuntu - <<< "${Dockerfile}"
-if [[ "$?" -ne 0 ]]; then
+if ! docker build -t trace-linux-build/ubuntu - <<< "${Dockerfile}" ; then
   echo "Failed to build docker container."
   exit 1
 fi
@@ -60,7 +59,7 @@
 export PROXY_HOST=${PROXY_HOST/%:[0-9]*}
 export PROXY_PORT=${http_proxy/#http*:\/\/*:}
 
-mkdir -p ${WORKSPACE}
+mkdir -p "${WORKSPACE}"
 
 cat > "${WORKSPACE}"/build.sh << EOF_SCRIPT
 #!/bin/bash
@@ -97,11 +96,12 @@
 
 EOF_SCRIPT
 
-chmod a+x ${WORKSPACE}/build.sh
+chmod a+x "${WORKSPACE}"/build.sh
 
 # Run the docker container, execute the build script we just built
-docker run --cap-add=sys_admin --net=host --rm=true -e WORKSPACE=${WORKSPACE} --user="${USER}" \
-  -w "${WORKSPACE}" -v "${WORKSPACE}":"${WORKSPACE}" -t trace-linux-build/ubuntu ${WORKSPACE}/build.sh
+docker run --cap-add=sys_admin --net=host --rm=true -e WORKSPACE="${WORKSPACE}" --user="${USER}" \
+  -w "${WORKSPACE}" -v "${WORKSPACE}":"${WORKSPACE}" \
+  -t trace-linux-build/ubuntu "${WORKSPACE}"/build.sh
 
 result=${?}
 
diff --git a/u-boot-build.sh b/u-boot-build.sh
index 79f7238..c1346f9 100755
--- a/u-boot-build.sh
+++ b/u-boot-build.sh
@@ -27,8 +27,8 @@
 RUN apt-get update && apt-get install -yy \
 	make bc gcc gcc-arm-linux-gnueabi
 
-RUN grep -q ${GROUPS} /etc/group || groupadd -g ${GROUPS} ${USER}
-RUN grep -q ${UID} /etc/passwd || useradd -d ${HOME} -m -u ${UID} -g ${GROUPS} ${USER}
+RUN grep -q ${GROUPS[0]} /etc/group || groupadd -g ${GROUPS[0]} ${USER}
+RUN grep -q ${UID} /etc/passwd || useradd -d ${HOME} -m -u ${UID} -g ${GROUPS[0]} ${USER}
 
 USER ${USER}
 ENV HOME ${HOME}
@@ -37,8 +37,7 @@
 )
 
 # Build the docker container
-docker build -t u-boot-build/ubuntu - <<< "${Dockerfile}"
-if [[ "$?" -ne 0 ]]; then
+if ! docker build -t u-boot-build/ubuntu - <<< "${Dockerfile}" ; then
   echo "Failed to build docker container."
   exit 1
 fi
@@ -48,14 +47,14 @@
 export PROXY_HOST=${PROXY_HOST/%:[0-9]*}
 export PROXY_PORT=${http_proxy/#http*:\/\/*:}
 
-mkdir -p ${WORKSPACE}
+mkdir -p "${WORKSPACE}"
 
 cat > "${WORKSPACE}"/build.sh << EOF_SCRIPT
 #!/bin/bash
 
 set -x
 
-cd ${WORKSPACE}
+cd "${WORKSPACE}"
 
 gcc --version
 arm-linux-gnueabi-gcc --version
@@ -67,8 +66,9 @@
 
 EOF_SCRIPT
 
-chmod a+x ${WORKSPACE}/build.sh
+chmod a+x "${WORKSPACE}"/build.sh
 
 # Run the docker container, execute the build script we just built
-docker run --rm=true -e WORKSPACE=${WORKSPACE} --user="${USER}" \
-  -w "${HOME}" -v "${HOME}":"${HOME}" -t u-boot-build/ubuntu ${WORKSPACE}/build.sh
+docker run --rm=true -e WORKSPACE="${WORKSPACE}" --user="${USER}" \
+  -w "${HOME}" -v "${HOME}":"${HOME}" -t u-boot-build/ubuntu \
+  "${WORKSPACE}"/build.sh