sh
sh is a Python library that lets you call system commands (like git, ls, or curl) directly as Python functions instead of using subprocess. It works on Unix-like systems (Linux, macOS, BSD) and supports Python 3.8–3.14, making shell scripting and system automation more Pythonic.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | amoffat/sh |
| Owner | amoffat |
| Primary language | Python |
| License | MIT — OSI-approved |
| Stars | 7.2k |
| Forks | 505 |
| Open issues | 1 |
| Latest release | 2.3.0 (2026-06-09) |
| Last updated | 2026-06-11 |
| Source | https://github.com/amoffat/sh |
What sh is
sh is a subprocess wrapper that dynamically creates Python functions for arbitrary system binaries, allowing natural syntax like `git('status')` instead of `subprocess.run()`. It handles process launching, output capture, streaming, and error handling on Unix platforms only; Windows is unsupported.
Get the sh source
Clone the repository and explore it locally.
git clone https://github.com/amoffat/sh.gitcd sh# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Verify Unix-like OS support before adoption; no Windows compatibility.
- Error handling: sh raises exceptions on non-zero exit codes; wrap calls with try-except and plan recovery paths.
- Output handling: understand streaming vs. capture modes to avoid buffering surprises or large output memory bloat.
- Command injection risk: validate any dynamic parts of command names or arguments if sourced externally.
- Dependency injection: ensure target system binaries (git, docker, etc.) are present and in PATH at runtime.
When to avoid it — and what to weigh
- Windows Deployment Required — sh explicitly does not support Windows. If cross-platform is mandatory, subprocess or platform-specific alternatives are necessary.
- Performance-Critical Binary Calls — sh incurs dynamic lookup and function generation overhead. For frequent, latency-sensitive subprocess calls, direct subprocess.run() may be more efficient.
- Untrusted or User-Supplied Commands — sh's dynamic command invocation can increase attack surface if user input maps directly to system executables. Requires careful input validation and sandboxing.
- Minimal Dependencies & Embedded Contexts — Adding a third-party dependency where subprocess suffices may complicate packaging, container images, or embedded use cases.
License & commercial use
MIT License. Permissive, OSI-approved. Allows commercial use, modification, and distribution with attribution and no liability.
MIT is a standard permissive OSI license. Commercial use is permitted. Ensure attribution as required by MIT terms. No warranty or liability indemnification is provided by the licensor.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Strong |
| Assessment confidence | High |
sh wraps system command execution. Key risks: (1) Command injection if user input is interpolated into command names or arguments—use explicit argument passing, not string concatenation. (2) PATH traversal—verify target binaries are from trusted sources. (3) Privilege escalation—subprocess runs with caller's permissions; avoid sudo/setuid patterns without isolation. (4) No built-in secret redaction—credentials in command output may leak to logs. Follow subprocess security best practices (input validation, least privilege, output sanitization).
Alternatives to consider
subprocess (stdlib)
Built-in, no dependency, broader platform support. Less syntactic sugar; requires more boilerplate but more explicit and portable.
invoke
Task-runner library with command execution, Pythonic syntax, and better composability for build/deployment workflows. Heavier-weight than sh.
Popen / subprocess.run (direct)
Lower-level, maximum control, no third-party overhead. Steeper learning curve but more testable and portable.
Build on sh with DEV.co software developers
Evaluate sh for your DevOps workflows. It's lightweight, well-maintained, and ideal for teams automating Unix-based infrastructure. Review the docs, test on a non-Windows platform, and plan for input validation if handling user commands.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
sh FAQ
Does sh work on Windows?
How do I handle command-not-found errors?
Can I stream large command output without loading it all into memory?
Is sh safe for untrusted input?
Software developers & web developers for hire
From first prototype to production, DEV.co delivers software development services around tools like sh. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source devops and beyond.
Ready to Simplify Your System Automation?
Evaluate sh for your DevOps workflows. It's lightweight, well-maintained, and ideal for teams automating Unix-based infrastructure. Review the docs, test on a non-Windows platform, and plan for input validation if handling user commands.