---
title: Do not for-loop over find command substitution output
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST
  Rules > Do not for-loop over find command substitution output
---

# Do not for-loop over find command substitution output

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ().
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**ID:** `bash-code-quality/dont-for-loop-over-find-output`

**Language:** Bash

**Severity:** Warning

**Category:** Code Style

## Description{% #description %}

A `for` loop over `$(find ...)` (or backticks) relies on word splitting. Filenames with spaces or glob characters break the loop or match wrong paths.

Prefer `find -exec`, `find -print0` with `while read -d ''`, or globs where appropriate.

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```bash
#!/bin/bash
for f in $(find . -name '*.mp3'); do
  play "$f"
done

for g in `find . -type f`; do
  echo "$g"
done

for h in $(find . 2>/dev/null); do echo "$h"; done
```

## Compliant Code Examples{% #compliant-code-examples %}

```bash
#!/bin/bash
find . -name '*.txt' -exec cat {} \;
while IFS= read -r -d '' f; do echo "$f"; done < <(find . -print0)
for f in *.txt; do echo "$f"; done
```
  Seamless integrations. Try Datadog Code SecurityDatadog Code Security 
{% icon name="icon-external-link" /%}