diff --git a/.envrc b/.envrc
index 3550a30..0f94eed 100644
--- a/.envrc
+++ b/.envrc
@@ -1 +1,2 @@
+# shellcheck shell=bash
 use flake
diff --git a/formatter.nix b/formatter.nix
index ae1bd3a..e67bc39 100644
--- a/formatter.nix
+++ b/formatter.nix
@@ -7,6 +7,7 @@ inputs.treefmt-nix.lib.evalModule pkgs {
 
     deadnix.enable = true;
     deno.enable = true;
+    shellcheck.enable = true;
   };
 
   settings = {
diff --git a/pkgs/sops-import-keys-hook/sops-import-keys-hook.bash b/pkgs/sops-import-keys-hook/sops-import-keys-hook.bash
index 0224633..c05a96e 100644
--- a/pkgs/sops-import-keys-hook/sops-import-keys-hook.bash
+++ b/pkgs/sops-import-keys-hook/sops-import-keys-hook.bash
@@ -2,7 +2,8 @@ sopsImportKeysHook() {
   local key dir
   if [ -n "${sopsCreateGPGHome}" ]; then
     export GNUPGHOME=${sopsGPGHome:-$(pwd)/.git/gnupg}
-    mkdir -m 700 -p $GNUPGHOME
+    # shellcheck disable=SC2174
+    mkdir -m 700 -p "$GNUPGHOME"
   fi
   for key in ${sopsPGPKeys-}; do
     if [[ -f "$key" ]]; then
diff --git a/scripts/update-vendor-hash.sh b/scripts/update-vendor-hash.sh
index 4cd02a7..bda4a08 100755
--- a/scripts/update-vendor-hash.sh
+++ b/scripts/update-vendor-hash.sh
@@ -1,5 +1,6 @@
 #!/usr/bin/env nix-shell
 #!nix-shell -i bash -p nix -p coreutils -p gnused -p gawk
+# shellcheck shell=bash
 
 set -exuo pipefail