Skip to content

Bash Toolset

Enabled by Default

This toolset is enabled by default and should typically remain enabled.

The bash toolset allows Holmes to execute shell commands for troubleshooting and system analysis. Commands are validated against configurable allow/deny lists before execution.

Configuration

Add the following to ~/.holmes/config.yaml. Create the file if it doesn't exist:

toolsets:
  bash:
    enabled: true
    config:
      allow:
        - "kubectl get"
        - "kubectl describe"
        - "kubectl logs"
        - "grep"
        - "cat"
      deny:
        - "kubectl get secret"
        - "kubectl describe secret"

Approved commands are saved to ~/.holmes/bash_approved_prefixes.yaml and persist across sessions.

CLI Flags:

Flag Description
--bash-always-deny Automatically deny commands not in the allow list
--bash-always-allow Automatically approve all commands (use with caution) 
holmes:
  toolsets:
    bash:
      enabled: true
      config:
        include_default_allow_deny_list: true
        allow:
          - "my-custom-command"  # Added to defaults
        deny:
          - "kubectl get secret"  # Added to defaults

With include_default_allow_deny_list: true, Holmes includes a default list of safe read-only commands:

  • Kubernetes: kubectl get, kubectl describe, kubectl logs, kubectl top, kubectl events
  • Text processing: grep, cat, head, tail, sort, uniq, wc, cut, tr
  • JSON: jq, base64
  • File system: ls, find, stat, df, du

See default_lists.py for the complete list.

Command Approval

When Holmes tries to run a command not in your allow list, you'll see a prompt:

Bash command

  kubectl scale deployment nginx --replicas=3
  Scale nginx deployment to 3 replicas

Do you want to proceed?
  1. Yes
  2. Yes, and don't ask again for `kubectl scale deployment nginx` commands
  3. Type here to tell Holmes what to do differently
  • Option 1: Run this command once
  • Option 2: Run and add the prefix to your allow list (saved to ~/.holmes/bash_approved_prefixes.yaml)
  • Option 3: Reject and provide feedback to Holmes

Prefix Matching

Commands are matched by prefix. For example, if kubectl get is in your allow list:

Command Allowed?
kubectl get pods Yes
kubectl get pods -n production Yes
kubectl get deployments --all-namespaces Yes
kubectl delete pod my-pod No (different subcommand)

For piped commands, each segment is checked:

kubectl get pods | grep error | head -10

This requires kubectl get, grep, and head to all be allowed.

Blocked Commands

The following are always blocked and cannot be overridden:

  • sudo and su
  • Subshells: $(...), backticks, <(...), >(...)

Tools

bash

Executes a shell command.

Parameter Type Required Description
command string Yes The command to execute
suggested_prefixes array Yes Prefixes for validation (one per command segment)
timeout integer No Timeout in seconds (default: 30)