diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
new file mode 100644
index 000000000000..e340123541b9
--- /dev/null
+++ b/.github/workflows/shellcheck.yml
@@ -0,0 +1,17 @@
+on:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  shellcheck:
+    name: Shellcheck
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Run ShellCheck
+        uses: ludeeus/action-shellcheck@2.0.0
+        with:
+          ignore_paths: >-
+            ./android/gradlew
+        env:
+          SHELLCHECK_OPTS: --external-sources
diff --git a/ci/ios/buildserver-build-ios.sh b/ci/ios/buildserver-build-ios.sh
index 9a94a442c62b..78449ef07b75 100644
--- a/ci/ios/buildserver-build-ios.sh
+++ b/ci/ios/buildserver-build-ios.sh
@@ -2,7 +2,7 @@
 set -eu
 shopt -s nullglob
 
-TAG_PATTERN_TO_BUILD=("^ios/")
+TAG_PATTERN_TO_BUILD="^ios/"
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 BUILD_DIR="$SCRIPT_DIR/mullvadvpn-app/ios"
 LAST_BUILT_DIR="$SCRIPT_DIR/last-built"
@@ -93,6 +93,8 @@ function run_build_loop() {
 
         run_git fetch --prune --tags 2> /dev/null || continue
         local tags
+
+        # shellcheck disable=SC2207
         tags=( $(run_git tag | grep "$TAG_PATTERN_TO_BUILD") )
 
         for tag in "${tags[@]}"; do
diff --git a/ci/ios/run-in-vm.sh b/ci/ios/run-in-vm.sh
index fb0a719e40a8..9048b528a127 100644
--- a/ci/ios/run-in-vm.sh
+++ b/ci/ios/run-in-vm.sh
@@ -22,9 +22,7 @@ vm_pid=$!
 # Sleep to wait until VM is up
 sleep 10
 
-# apparently, there's a difference between piping into zsh like this and doing
-# a <(echo $SCRIPT).
-cat "$SCRIPT" | ssh admin@"$(tart ip "$VM_NAME")" bash /dev/stdin
+ssh admin@"$(tart ip "$VM_NAME")" bash /dev/stdin < "$SCRIPT"
 script_status=$?
 
 kill $vm_pid
diff --git a/dist-assets/linux/before-remove.sh b/dist-assets/linux/before-remove.sh
index 0a17e3081fb8..7fdc72fc2194 100644
--- a/dist-assets/linux/before-remove.sh
+++ b/dist-assets/linux/before-remove.sh
@@ -10,7 +10,7 @@ pkill -9 -x "mullvad-gui" || true
 is_number_re='^[0-9]+$'
 # Check if we're running during an upgrade step on Fedora
 # https://fedoraproject.org/wiki/Packaging:Scriptlets#Syntax
-if [[ "$1" =~ $is_number_re ]] && [ $1 -gt 0 ]; then
+if [[ "$1" =~ $is_number_re ]] && [ "$1" -gt 0 ]; then
     exit 0;
 fi
 
diff --git a/dist-assets/linux/mullvad-gui-launcher.sh b/dist-assets/linux/mullvad-gui-launcher.sh
index 2c1eb88c44f7..a9ba2ec973e0 100755
--- a/dist-assets/linux/mullvad-gui-launcher.sh
+++ b/dist-assets/linux/mullvad-gui-launcher.sh
@@ -13,10 +13,10 @@ if [ "${XDG_SESSION_TYPE:-""}"  = "wayland" ] && \
     echo " $SUPPORTED_COMPOSITORS " | \
     grep -qi -e " ${XDG_CURRENT_DESKTOP:-""} " -e " ${XDG_SESSION_DESKTOP:-""} "
 then
-    WAYLAND_FLAGS="--ozone-platform=wayland --enable-features=WaylandWindowDecorations"
+    WAYLAND_FLAGS=( "--ozone-platform=wayland" "--enable-features=WaylandWindowDecorations" )
 else
-    WAYLAND_FLAGS=""
+    WAYLAND_FLAGS=()
 fi
 
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-exec "$SCRIPT_DIR/mullvad-gui" $SANDBOX_FLAG $WAYLAND_FLAGS "$@"
+exec "$SCRIPT_DIR/mullvad-gui" "$SANDBOX_FLAG" "${WAYLAND_FLAGS[@]}" "$@"
diff --git a/dist-assets/pkg-scripts/postinstall b/dist-assets/pkg-scripts/postinstall
index c2e611100df3..d4c42a605912 100755
--- a/dist-assets/pkg-scripts/postinstall
+++ b/dist-assets/pkg-scripts/postinstall
@@ -5,7 +5,7 @@ set -eu
 LOG_DIR=/var/log/mullvad-vpn
 
 mkdir -p $LOG_DIR
-exec 2>&1 > $LOG_DIR/postinstall.log
+exec > $LOG_DIR/postinstall.log 2>&1
 
 echo "Running postinstall at $(date)"
 
diff --git a/dist-assets/pkg-scripts/preinstall b/dist-assets/pkg-scripts/preinstall
index b65f95d3cfe8..c7b1cf13fb36 100755
--- a/dist-assets/pkg-scripts/preinstall
+++ b/dist-assets/pkg-scripts/preinstall
@@ -7,7 +7,7 @@ INSTALL_DIR=$2
 
 mkdir -p $LOG_DIR
 chmod 755 $LOG_DIR
-exec 2>&1 > $LOG_DIR/preinstall.log
+exec > $LOG_DIR/preinstall.log 2>&1
 
 echo "Running preinstall at $(date)"
 
diff --git a/dist-assets/uninstall_macos.sh b/dist-assets/uninstall_macos.sh
index 383dd12c55b7..c4ef471fee63 100755
--- a/dist-assets/uninstall_macos.sh
+++ b/dist-assets/uninstall_macos.sh
@@ -2,7 +2,7 @@
 
 set -ue
 
-read -p "Are you sure you want to stop and uninstall Mullvad VPN? (y/n) "
+read -r -p "Are you sure you want to stop and uninstall Mullvad VPN? (y/n) "
 if [[ "$REPLY" =~ [Yy]$ ]]; then
     echo "Uninstalling Mullvad VPN ..."
 else
@@ -40,7 +40,7 @@ sudo pkgutil --forget net.mullvad.vpn || true
 echo "Removing login item ..."
 osascript -e 'tell application "System Events" to delete login item "Mullvad VPN"' 2>/dev/null || true
 
-read -p "Do you want to delete the log and cache files the app has created? (y/n) "
+read -r -p "Do you want to delete the log and cache files the app has created? (y/n) "
 if [[ "$REPLY" =~ [Yy]$ ]]; then
     sudo rm -rf /var/log/mullvad-vpn /var/root/Library/Caches/mullvad-vpn /Library/Caches/mullvad-vpn
     for user in /Users/*; do
@@ -52,7 +52,7 @@ if [[ "$REPLY" =~ [Yy]$ ]]; then
     done
 fi
 
-read -p "Do you want to delete the Mullvad VPN settings? (y/n) "
+read -r -p "Do you want to delete the Mullvad VPN settings? (y/n) "
 if [[ "$REPLY" =~ [Yy]$ ]]; then
     sudo rm -rf /etc/mullvad-vpn
     for user in /Users/*; do
diff --git a/ios/build-wireguard-go.sh b/ios/build-wireguard-go.sh
index 371d2da9e33c..60b3b0078473 100755
--- a/ios/build-wireguard-go.sh
+++ b/ios/build-wireguard-go.sh
@@ -38,4 +38,5 @@ WIREGUARD_KIT_GO_PATH="$RESOLVED_SOURCE_PACKAGES_PATH/checkouts/wireguard-apple/
 echo "WireGuardKitGo path resolved to $WIREGUARD_KIT_GO_PATH"
 
 # Run make
-/usr/bin/make -C "$WIREGUARD_KIT_GO_PATH" $ACTION
\ No newline at end of file
+# shellcheck disable=SC2086
+/usr/bin/make -C "$WIREGUARD_KIT_GO_PATH" $ACTION
diff --git a/scripts/localization b/scripts/localization
index 097f113a4dc5..f1a8663acc70 100755
--- a/scripts/localization
+++ b/scripts/localization
@@ -5,6 +5,7 @@ set -eu
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 cd "$SCRIPT_DIR"
 
+# shellcheck disable=SC1091
 source utils/log
 
 function main {
@@ -106,6 +107,8 @@ function download_from_crowdin {
 function verify {
     sync_localizations
     git diff
+
+    # shellcheck disable=SC2251
     ! git status -s | grep .
     local out_of_sync=$?
 
diff --git a/test/ci-runtests.sh b/test/ci-runtests.sh
index 80f70a9f09b1..b4ea11246f3a 100755
--- a/test/ci-runtests.sh
+++ b/test/ci-runtests.sh
@@ -196,7 +196,7 @@ function run_tests_for_os {
 
     RUST_LOG=debug cargo run --bin test-manager \
         run-tests \
-        --account "${ACCOUNT_TOKEN}" \
+        --account "${ACCOUNT_TOKEN:?Error: ACCOUNT_TOKEN not set}" \
         --current-app "${cur_filename}" \
         --previous-app "${prev_filename}" \
         --test-report "$SCRIPT_DIR/.ci-logs/${os}_report" \
diff --git a/wireguard/libwg/build-android.sh b/wireguard/libwg/build-android.sh
index d1d2705c9b36..750438c503dd 100755
--- a/wireguard/libwg/build-android.sh
+++ b/wireguard/libwg/build-android.sh
@@ -41,7 +41,7 @@ for arch in ${ARCHITECTURES:-armv7 aarch64 x86_64 i686}; do
     esac
 
     # Build Wireguard-Go
-    echo "$(pwd)"
+    pwd
     make -f Android.mk clean
     make -f Android.mk
 
@@ -51,7 +51,7 @@ for arch in ${ARCHITECTURES:-armv7 aarch64 x86_64 i686}; do
 
     # Create the directories with RWX permissions for all users so that the build server can clean
     # the directories afterwards
-    mkdir -m 777 -p "$(dirname "$STRIPPED_LIB_PATH")"
+    (umask ugo=rwx; mkdir -p "$(dirname "$STRIPPED_LIB_PATH")")
 
     $ANDROID_STRIP_TOOL --strip-unneeded --strip-debug -o "$STRIPPED_LIB_PATH" "$UNSTRIPPED_LIB_PATH"