---
title: Avoid parsing ps output for process matching
description: Datadog, the leading service for cloud-scale monitoring.
---

# Avoid parsing ps output for process matching

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**ID:** `bash-security/avoid-parsing-ps-output`

**Language:** Bash

**Severity:** Warning

**Category:** Security

**CWE:** [88](https://cwe.mitre.org/data/definitions/88.html)

## Description{% #description %}

Text from `ps` depends on locale, column layout, and flags, so piping it into tools that match or reshape lines is easy to get wrong and can match unrelated fields (CWE-88). Prefer `pgrep` / `pkill` when you only need PIDs or simple patterns, or read `/proc` where appropriate. If you need fields `ps` provides, combine `pgrep` to select PIDs with a focused `ps -p` (or similar) instead of grepping full `ps` listings.
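
The mismatch described above, as an added example (not part of Datadog's rule or documentation): a substring `grep` over a constructed `ps -ef`-style listing also picks up a user name, a file argument, and the `grep` process itself, while an exact comparison against `/proc/<pid>/comm` does not. The function names, the sample listing, and the optional proc-root parameter are assumptions made for illustration.

```bash
#!/bin/bash
# Added example; names and sample data are constructed for illustration.

# Constructed `ps -ef`-style listing. The target service is "foo", but the
# string also appears as a user name, in a file argument, and in the grep itself.
sample_ps_listing() {
  cat <<'EOF'
UID        PID  PPID  C STIME TTY          TIME CMD
root       101     1  0 09:00 ?        00:00:01 /usr/sbin/foo --daemon
foo        202     1  0 09:00 ?        00:00:00 /usr/bin/python3 worker.py
alice      303   250  0 09:01 pts/0    00:00:00 vim /etc/foo.conf
alice      404   250  0 09:01 pts/0    00:00:00 grep foo
EOF
}

# Pattern the rule flags, run over the canned listing: substring match on whole
# lines, then a positional column. Prints the matched PIDs on one line.
naive_pids() {
  sample_ps_listing | grep -e "$1" |
    awk '{ printf "%s%s", sep, $2; sep = " " } END { print "" }'
}

# Alternative: compare the kernel's process name exactly, one PID directory at
# a time. $1 = name, $2 = proc root (hypothetical parameter, defaults to /proc).
# Note: comm holds at most 15 characters, so longer names must be truncated.
# The ( ) body runs in a subshell so the variables do not leak to the caller.
pids_by_comm() (
  name=$1 root=${2:-/proc} out=
  for dir in "$root"/[0-9]*; do
    [ -r "$dir/comm" ] || continue   # process exited, or glob matched nothing
    IFS= read -r comm < "$dir/comm" || continue
    if [ "$comm" = "$name" ]; then
      out="${out:+$out }${dir##*/}"
    fi
  done
  printf '%s\n' "$out"
)

echo "substring match on listing: $(naive_pids foo)"
echo "exact comm match in /proc:  $(pids_by_comm sshd)"
```

Only PID 101 in the constructed listing is the intended service; the other three PIDs returned by the substring match are the unrelated-field matches the rule is meant to prevent.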

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```bash
#!/bin/bash
ps ax | grep foo
/bin/ps -ef | grep -v grep
ps aux | awk '{print $2}'
ps -eo pid,cmd | sed -n '1p'
ps | cut -d' ' -f1
ps | perl -ne 'print if /foo/'
ps |& grep bar
```

## Compliant Code Examples{% #compliant-code-examples %}

```bash
#!/bin/bash
ps
pgrep -f myservice
pkill -f oldworker
ps -p "$(pgrep -x sshd)" -o user=
psql -c 'select 1' | grep foo
ps -eo user,pid,%cpu,comm | awk -v usr="$user" '$1==usr'
```