diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index c1c05989..0bca13ef 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -205,8 +205,7 @@ gradlew-fdroid: - gradlew-fdroid - tests/test_gradlew-fdroid script: - - apt-get install ca-certificates curl default-jdk-headless shellcheck unzip - - shellcheck --severity=error --color gradlew-fdroid tests/test_gradlew-fdroid + - apt-get install ca-certificates curl default-jdk-headless unzip - ./tests/test_gradlew-fdroid @@ -232,7 +231,6 @@ lint_format_bandit_checks: python3-nose python3-pip python3-yaml - shellcheck - $pip install --break-system-packages bandit pylint-gitlab - export EXITVALUE=0 - function set_error() { export EXITVALUE=1; printf "\x1b[31mERROR `history|tail -2|head -1|cut -b 6-500`\x1b[0m\n"; } @@ -250,8 +248,6 @@ lint_format_bandit_checks: tests/*.py > pylint-report.json || set_error - - shellcheck --exclude SC2046,SC2090 --severity=warning --color tests/run-tests - || set_error - exit $EXITVALUE artifacts: reports: @@ -259,6 +255,29 @@ lint_format_bandit_checks: when: always +shellcheck: + image: debian:bookworm-slim + rules: + - changes: + - .gitlab-ci.yml + - gradlew-fdroid + - hooks/install-hooks.sh + - hooks/pre-commit + - tests/run-tests + - tests/test_gradlew-fdroid + <<: *apt-template + script: + - apt-get install shellcheck + # TODO GitLab Code Quality report https://github.com/koalaman/shellcheck/issues/3155 + - shellcheck --exclude SC2046,SC2090 --severity=warning --color + hooks/install-hooks.sh + hooks/pre-commit + tests/run-tests + # TODO make the gradlew things pass the standard above + - shellcheck --severity=error --color + gradlew-fdroid + tests/test_gradlew-fdroid + # Check all the dependencies in Debian to mirror production. CVEs are # generally fixed in the latest versions in pip/pypi.org, so it isn't # so important to scan that kind of install in CI. diff --git a/hooks/install-hooks.sh b/hooks/install-hooks.sh index 69b314d4..e266301b 100755 --- a/hooks/install-hooks.sh 
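Review bot: The `--exclude SC2046,SC2090` list, which the removed lint step applied only to `tests/run-tests`, now also covers `hooks/install-hooks.sh` and `hooks/pre-commit` in the first shellcheck call of the new job. SC2046 is the unquoted-command-substitution warning, so the unquoted `$(dirname $0)` that this same commit leaves in `hooks/install-hooks.sh` will not be reported. If the hooks pass without the exclusions, give them their own call, `- shellcheck --severity=warning --color hooks/install-hooks.sh hooks/pre-commit`, and keep the excluded call for `tests/run-tests` alone. The script names are also listed twice, under `rules: changes:` and as shellcheck arguments, so a comment such as `# keep in sync with the shellcheck arguments below` above the `changes:` list would help prevent a new script from being skipped.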
+++ b/hooks/install-hooks.sh @@ -2,7 +2,7 @@ # # Install all the client hooks -BASE_DIR="$(cd $(dirname $0); pwd -P)" +BASE_DIR="$(cd $(dirname $0) || exit; pwd -P)" HOOK_NAMES="applypatch-msg pre-applypatch post-applypatch pre-commit prepare-commit-msg commit-msg post-commit pre-rebase post-checkout post-merge pre-receive update post-receive post-update pre-auto-gc" HOOK_DIR="$(git rev-parse --show-toplevel)/.git/hooks" diff --git a/hooks/pre-commit b/hooks/pre-commit index c0859570..039c1b65 100755 --- a/hooks/pre-commit +++ b/hooks/pre-commit @@ -36,7 +36,7 @@ else *.rb) RB_FILES+=" $f" ;; - *.yml|.*.yml|.yamllint) + *.yml|*.yaml|.yamllint) YML_FILES+=" $f" ;; *) @@ -66,7 +66,7 @@ cmd_exists() { } find_command() { - for name in $@; do + for name in "$@"; do for suff in "3" "-3" "-python3" ""; do cmd=${name}${suff} if cmd_exists $cmd; then
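Review bot: The added `|| exit` only leaves the command-substitution subshell, so when `cd` fails `BASE_DIR` is assigned an empty string and the script carries on, unless `set -e` is active above the hunk, which is not visible here. `$(dirname $0)` is also still unquoted, so a checkout path containing spaces makes `cd` fail in exactly that way. `BASE_DIR="$(cd "$(dirname "$0")" && pwd -P)" || exit 1` quotes both expansions and stops the script itself rather than just the subshell.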
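Review bot: Quoting `"$@"` in `find_command` changes behaviour for any caller that passes several candidate names inside one quoted string, because that string is now tried as a single command name instead of being split. The callers are outside this hunk, so they need checking. Two lines further down `cmd_exists $cmd` is still unquoted; `if cmd_exists "$cmd"; then` would match the new loop header, and shellcheck reports that case only at a lower severity than the CI job's `--severity=warning`. The body of `find_command` continues past the end of the hunk.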