diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 0000000..db46fff
--- /dev/null
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,30 @@
+name: Shell Script Linter
+
+on:
+ push:
+ branches: [ "main", "test" ]
+ pull_request:
+ branches: [ "main" ]
+
+jobs:
+ shellcheck:
+ name: Shellcheck
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Install ShellCheck
+ run: sudo apt-get update && sudo apt-get install -y shellcheck
+ - name: Run Shellcheck (Show All Issues & Fail on Errors)
+ run: |
+ set -o pipefail
+
+ echo "--- Checking for all warnings and style issues ---"
+ shellcheck -f gcc ./du_setup.sh | while IFS= read -r line; do
+ file=$(echo "$line" | cut -d: -f1)
+ line_no=$(echo "$line" | cut -d: -f2)
+ message=$(echo "$line" | cut -d: -f4-)
+ echo "::warning file=$file,line=$line_no::$message"
+ done || true
+
+ echo "--- Checking for critical errors ---"
+ shellcheck --severity=error ./du_setup.sh
diff --git a/README.md b/README.md
index 0bd2e79..ec90b47 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,12 @@
 # Debian & Ubuntu Server Setup & Hardening Script
-**Version:** v0.59
+[![Shell Script Linter](https://github.com/buildplan/du_setup/actions/workflows/lint.yml/badge.svg)](https://github.com/buildplan/du_setup/actions/workflows/lint.yml)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+[![Compatibility](https://img.shields.io/badge/Compatibility-Debian%2012%20%7C%20Ubuntu%2022.04%20%2F%2024.04-orange)](https://www.debian.org/)
+[![Shell](https://img.shields.io/badge/Shell-Bash%204.4%2B-green)](https://www.gnu.org/software/bash/)
+[![Type](https://img.shields.io/badge/Type-Setup%20%26%20Hardening-blue)](https://github.com/buildplan/du_setup)
+
+**Version:** v0.60
 **Last Updated:** 2025-07-15
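Review bot: The new workflow in .github/workflows/lint.yml declares no `permissions:` block, so the job runs with whatever default GITHUB_TOKEN scope the repository has, although linting only needs to read the code; a top-level `permissions:` with `contents: read` would make that explicit. `actions/checkout@v4` is a mutable tag, and for a repository that ships a hardening script, pinning it to a full commit SHA (`uses: actions/checkout@<full-commit-sha>  # v4`) removes the dependency on that tag never being moved. The `apt-get install -y shellcheck` step takes whichever version the runner's package archive offers, so findings can change without any change to du_setup.sh. Since du_setup.sh.sha256 and the README hash have to be updated in the same commit whenever the script changes, a further step running `sha256sum --check du_setup.sh.sha256` would catch a published hash that no longer matches the script.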
@@ -76,12 +82,12 @@ sha256sum du_setup.sh
 Compare the output hash to the one below. They must match exactly.
-`9f0430e9d930fbdbd0bb5f148a6db1baa0290c14c697e1d56006630f0c3c19ae`
+`882b87ef9b3f21ed2df0b76c395aa9ed8864f8e1dad3b4bee627c9c9e7f301b0`
 Or echo the hash to check, it should output: `du_setup.sh: OK`
 ```
-echo 9f0430e9d930fbdbd0bb5f148a6db1baa0290c14c697e1d56006630f0c3c19ae du_setup.sh | sha256sum --check -
+echo 882b87ef9b3f21ed2df0b76c395aa9ed8864f8e1dad3b4bee627c9c9e7f301b0 du_setup.sh | sha256sum --check -
 ```
 ### 3\. Run the Script
diff --git a/du_setup.sh b/du_setup.sh
index b29da30..5c0e58f 100644
--- a/du_setup.sh
+++ b/du_setup.sh
@@ -1,8 +1,9 @@
 #!/bin/bash
 # Debian 12 and Ubuntu Server Hardening Interactive Script
-# Version: 0.59 | 2025-07-15
+# Version: 0.60 | 2025-07-15
 # Changelog:
+# - v0.60: CI for shellcheck
 # - v0.59: Add a new optional function that applies a set of recommended sysctl security settings to harden the kernel.
 # Script can now check for update and can run self-update.
 # - v0.58: improved fail2ban to parse ufw logs
@@ -120,7 +121,7 @@ print_header() {
 echo -e "${CYAN}╔═════════════════════════════════════════════════════════════════╗${NC}"
 echo -e "${CYAN}║ ║${NC}"
 echo -e "${CYAN}║ DEBIAN/UBUNTU SERVER SETUP AND HARDENING SCRIPT ║${NC}"
- echo -e "${CYAN}║ v0.59 | 2025-07-15 ║${NC}"
+ echo -e "${CYAN}║ v0.60 | 2025-07-15 ║${NC}"
 echo -e "${CYAN}║ ║${NC}"
 echo -e "${CYAN}╚═════════════════════════════════════════════════════════════════╝${NC}"
 echo
@@ -864,7 +865,7 @@ rollback_ssh_changes() {
 SSH_SERVICE="ssh.socket"
 print_info "Detected SSH socket activation: using ssh.socket."
 log "Rollback: Using ssh.socket for SSH service."
- elif ! systemctl list-units --full -all --no-pager | grep -E "[[:space:]]$SSH_SERVICE[[:space:]]" >/dev/null 2>&1; then
+ elif ! systemctl list-units --full -all --no-pager | grep -E "[[:space:]]${SSH_SERVICE}[[:space:]]" >/dev/null 2>&1; then
 SSH_SERVICE="ssh.service" # Fallback for Ubuntu
 print_warning "SSH service $SSH_SERVICE not found, falling back to ssh.service."
 log "Rollback warning: Using fallback SSH service ssh.service."
diff --git a/du_setup.sh.sha256 b/du_setup.sh.sha256
index f2f1370..c974922 100644
--- a/du_setup.sh.sha256
+++ b/du_setup.sh.sha256
@@ -1 +1 @@
-9f0430e9d930fbdbd0bb5f148a6db1baa0290c14c697e1d56006630f0c3c19ae du_setup.sh
+882b87ef9b3f21ed2df0b76c395aa9ed8864f8e1dad3b4bee627c9c9e7f301b0 du_setup.sh
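Review bot: In the `elif` test of rollback_ssh_changes in du_setup.sh, `${SSH_SERVICE}` is still interpolated into a `grep -E` pattern, so the dots in a unit name match any character and the result depends on the column layout of `systemctl list-units`; the braces added here do not change that. Passing the unit name to systemd as a pattern is less fragile, for example `elif ! systemctl list-units --full --all --no-pager --plain --no-legend "$SSH_SERVICE" | grep -q .; then`, which also spells out `--all` instead of the single-dash `-all`. In the context lines after the test, `print_warning` runs after `SSH_SERVICE` has been reassigned, so the message names ssh.service as the unit that was not found; moving the warning above the assignment would keep the rollback log accurate, which matters when the log is the only record of which SSH unit a failed rollback acted on. The function starts and ends outside this hunk.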