Part 1 — Why This Page Exists

I made this page because I’ve typed history | grep ssh so many times it’s become a personal habit. Same pattern every time. I half remember a command, I know it’s in my shell history somewhere, I pipe through grep, I get fifty matches, I scroll, I pick the wrong one, I try again. Somewhere along the line I realised that the problem was not my memory - it was that I never took the time to write the commands down in a place I would look first.

So I exported ~/.zsh_history from both my laptops, went through it and pulled out the commands worth keeping. Some patterns emerged: git and kubectl are the majority, helm is more of a love language than a tool, and I’ve run myip seventy-six times because apparently I can’t remember my own IP for longer than a billing cycle. I also did 344 git cherry-picks against 46 git pushes, which is the kind of ratio you don’t want to look at straight on.

This is what you get. Search box top, categories below, single line per command with minimal context I need to remember why I’d reach for it It’s not exhaustive, it’s the commands I keep typing or keep forgetting. If you arrived here from a search engine, you’re probably very close to making your own, just one history | grep away.


Part 2 — Command Reference

Use the search box above. Categories collapse to whatever you type.

Git

git cherry-pick -x <sha1> <sha2>

-x records the original SHA in the commit message; essential for backports.

git cherry-pick --continue
git cherry-pick --abort
git cherry-pick --skip

— resume, bail, or skip after a conflict.

git reset --soft <sha>
git reset --mixed <sha>
git reset --hard <sha>

— soft keeps changes staged; mixed unstages them; hard discards them.

git restore --staged <file>
git restore <file>

— unstage or revert a file without touching the rest.

git rebase -i <sha> --reapply-cherry-picks

— interactive rewrite; flag keeps commits that already landed via cherry-pick.

git rebase --onto <newbase> <oldbase> <branch>

— move a slice of commits from one base to another.

git stash push -m "WIP before resetting int" -- <path>

— named, path-scoped stash so it’s findable later in git stash list.

git merge <branch> --no-commit --no-ff

— stage the merge but don’t seal it; lets me inspect/edit first.

git branch <new-branch> <sha>
git branch -vv
git branch --merged main

— create a branch at a sha; list with tracking info; show branches already merged.

git worktree add ../feature-x <branch>
git worktree list
git worktree remove ../feature-x

— check out a branch in a separate directory; great for parallel work without stashing.

git fetch --prune origin
git remote prune origin

— drop stale remote-tracking refs.

git log --oneline --graph --all --decorate
git log -p -1 <sha>
git log --since="2 weeks ago" --author="me"
git log -S 'somestring' -p
git log --follow -- path/to/file

— graph view; full patch for one commit; time-bounded; pickaxe search across history; follow a renamed file.

git diff --staged
git diff main..HEAD --name-only
git diff --stat HEAD~5

— see what’s staged, what’s different from main, or a quick churn summary.

git blame -L 100,150 path/to/file

— blame a specific line range instead of the whole file.

git bisect start
git bisect bad HEAD
git bisect good <sha>
git bisect run ./test.sh

— binary-search for the commit that broke something, scripted if possible.

git reflog
git reset --hard HEAD@{2}

— time machine for branch tips; recover from any “wait, what did I just do”.

git show <sha>:path/to/file

— print a file as it was at a specific commit, without checking it out.

git clean -nd
git clean -fd

— dry-run first, then actually remove untracked files and dirs.

git push --set-upstream origin <branch>
git push --force-with-lease

— first push wires up tracking; force-with-lease only force-pushes if no one else moved the branch.

git config --global rerere.enabled true

— remembers conflict resolutions so the same conflict resolves itself next time.

Kubernetes / kubectl

kubectl debug node/<node> -it --image=ubuntu --profile=sysadmin
kubectl debug -it <pod> --image=busybox --target=<container>

— ephemeral debug container on a node or attached to a running pod.

kubectl port-forward -n <ns> svc/<svc> 8080:8080
kubectl port-forward -n <ns> deployment/<name> 8080:8080

— tunnel via Service or Deployment.

kubectl exec -it <pod> -n <ns> -c <container> -- /bin/sh

— interactive shell in a specific container.

kubectl cp <ns>/<pod>:/path/in/pod ./local/path

— copy files in or out of a pod (tar must exist in the container).

kubectl get secret -n <ns> <name> -o jsonpath='{.data.password}' | base64 -d

— pull one secret field and decode in one line.

kubectl logs -n <ns> -l app=foo --previous --tail=100 -c <container>
kubectl logs -f deploy/<name> --max-log-requests=20 --all-containers

— previous crashed container’s logs by selector; tail all containers across a deployment.

kubectl get events -n <ns> --sort-by='.lastTimestamp' | tail -20

— most recent events last; far more useful than default order.

kubectl top pod <name> -n <ns>
kubectl top node

— live CPU/memory; requires metrics-server.

kubectl auth can-i create clusterrolebindings --all-namespaces
kubectl auth can-i --list -n <ns>

— RBAC dry-run; second form lists everything you can do in a namespace.

kubectl config rename-context <long-gke-name> <short-alias>
kubectl config use-context <alias>
kubectl config view --minify --flatten

— rename, switch, or export the active context as a standalone kubeconfig.

kubectl get --raw "/apis/custom.metrics.k8s.io/v1beta1" | jq .

— inspect the custom metrics API (HPA debugging).

kubectl run test-curl --image=curlimages/curl:latest --rm -it --restart=Never -- curl http://<ip>

— one-shot curl from inside the cluster; pod disposed on exit.

kubectl rollout status deployment/<name> -n <ns>
kubectl rollout restart deployment/<name>
kubectl rollout history deployment/<name>
kubectl rollout undo deployment/<name> --to-revision=3

— watch a rollout, force a restart, list revisions, roll back to one.

kubectl scale deployment/<name> --replicas=0
kubectl set image deployment/<name> <container>=<image>:<tag>

— scale to zero (cheap kill); update an image without editing YAML.

kubectl drain <node> --ignore-daemonsets --delete-emptydir-data
kubectl cordon <node>
kubectl uncordon <node>

— evict workloads from a node, mark unschedulable, undo.

kubectl apply -f manifest.yaml --dry-run=server -o yaml
kubectl diff -f manifest.yaml

— see what the server would produce; preview a diff against current state.

kubectl explain pod.spec.containers.resources

— inline docs for any field path; great for “wait what’s that key called”.

kubectl wait --for=condition=Ready pod -l app=foo --timeout=300s

— block until pods are ready; script-friendly.

kubectl get pods -A -o wide --sort-by='.metadata.creationTimestamp'

— all pods, with node/IP, sorted by age.

Helm

helm template <release> ./ -f values.yaml --debug > rendered.yaml

— render manifests locally; --debug shows partial output on template errors.

helm upgrade --install <release> <chart> -f values.yaml -n <ns>
helm upgrade --install <release> <chart> --reuse-values --set env.apiKey=xxx -n <ns>

— idempotent deploy; second form keeps existing values and overrides one key.

helm show values bitnami/redis > redis-values.yaml
helm show chart bitnami/redis
helm show all bitnami/redis

— seed an override file; inspect chart metadata; print everything.

helm repo index . --url https://<user>.github.io/<repo>
helm package ./mychart

— build a Helm repo for GitHub Pages; package a chart into a tgz.

helm get all <release> -n <ns>
helm get values <release> -n <ns> -o yaml
helm get manifest <release> -n <ns>

— full state of a release, or just the values/manifest views.

helm dependencies update
helm dependencies build

— resolve subcharts from Chart.yaml; build from existing lockfile only.

helm history <release> -n <ns>
helm rollback <release> 3 -n <ns>

— see revisions; roll back to revision 3.

helm lint ./mychart
helm test <release> -n <ns>

— validate chart structure; run chart’s test hooks.

helm pull bitnami/redis --untar
helm search repo redis
helm search hub redis

— download and unpack a chart; search local repos or the global hub.

helm diff upgrade <release> <chart> -f values.yaml

— preview an upgrade as a unified diff (helm-diff plugin).

AWS CLI

aws sso login --profile <profile>
aws sts get-caller-identity

— SSO login; confirm which identity is actually active.

aws configure list-profiles
aws configure export-credentials --profile <profile> --format env

— enumerate profiles; export creds as env vars for tools that don’t read the profile.

aws eks update-kubeconfig --name <cluster> --region us-west-2 --profile <profile>

— write kubeconfig context for an EKS cluster.

aws ec2 describe-images \
  --filters "Name=name,Values=*Rocky Linux 8*" "Name=architecture,Values=x86_64" \
  --query 'Images[*].[ImageId,Name,OwnerId,CreationDate]' \
  --output table --region us-east-1

— AMI lookup with JMESPath projection into a table.

aws ec2 describe-instances \
  --filters "Name=tag:Environment,Values=prod" "Name=instance-state-name,Values=running" \
  --query 'Reservations[].Instances[].[InstanceId,PrivateIpAddress,Tags[?Key==`Name`]|[0].Value]' \
  --output table

— filter instances by tag and state; project a useful subset.

aws ec2 stop-instances --instance-ids i-xxx
aws ec2 start-instances --instance-ids i-xxx

— stop/start without going through the console.

aws eks describe-addon --cluster-name <cluster> --addon-name vpc-cni

— inspect EKS-managed addon version/config.

aws codebuild batch-get-fleets --names <fleet> --region us-west-2 \
  --query 'fleets[0].[status,statusCode,computeConfiguration,scalingConfiguration]'

— focused fleet status without paging the full payload.

aws codebuild update-fleet --arn <fleet-arn> --region us-west-2 \
  --scaling-configuration '{"scalingType":"TARGET_TRACKING_SCALING","targetTrackingScalingConfigs":[{"metricType":"FLEET_UTILIZATION_RATE","targetValue":40}],"maxCapacity":10,"desiredCapacity":8}'

— update CodeBuild fleet scaling inline.

aws s3 sync ./local s3://bucket/prefix --dryrun --delete
aws s3 cp file s3://bucket/key --sse aws:kms --sse-kms-key-id <id>

— preview a sync (with deletion); upload with KMS encryption.

aws s3 presign s3://bucket/key --expires-in 3600

— time-limited URL for a private object.

aws logs tail /aws/lambda/<name> --follow --since 5m --format short

tail -f for CloudWatch Logs without the web console.

aws ssm start-session --target i-xxx --profile <profile>
aws ssm send-command --instance-ids i-xxx --document-name AWS-RunShellScript \
  --parameters 'commands=["uname -a","df -h"]'

— shell into an instance without SSH; run a script across instances.

aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin <acct>.dkr.ecr.us-east-1.amazonaws.com

— authenticate Docker to ECR.

aws secretsmanager get-secret-value --secret-id <name> --query SecretString --output text | jq .

— pull and pretty-print a secret JSON blob.

aws iam simulate-principal-policy --policy-source-arn <arn> --action-names s3:GetObject --resource-arns <arn>

— evaluate whether a principal can do an action; great for IAM debugging.

aws cloudformation deploy --template-file t.yaml --stack-name <name> --capabilities CAPABILITY_NAMED_IAM

— idempotent CFN deploy; use --no-execute-changeset to inspect first.

GCP / gcloud

gcloud auth login
gcloud auth application-default login
gcloud auth activate-service-account --key-file=key.json
gcloud auth print-access-token

— interactive, ADC, service-account, and one-off token flows.

gcloud container clusters get-credentials <cluster> --region=<region> --project=<project>

— write kubeconfig for GKE (use --zone for zonal clusters).

gcloud compute ssh <user>@<instance> --zone=<zone> -- -L 8080:localhost:80

— SSH with a local port-forward; -- passes flags through.

gcloud compute start-iap-tunnel <instance> --zone=<zone> 80 --local-host-port=localhost:80

— IAP TCP tunnel; reach an internal-only VM without a public IP.

gcloud compute scp --recurse <instance>:/home/ubuntu/envs ./envs/

— recursive scp wrapper with auth and IAP handled.

gcloud config configurations activate <name>
gcloud config list

— switch between named gcloud configs; show the active one.

gcloud projects add-iam-policy-binding <project> \
  --member=user:<email> --role=roles/container.admin

— grant IAM role at the project level.

gcloud logging read 'severity>=ERROR AND resource.type="k8s_container"' --limit=20 --format=json

— query Cloud Logging from the CLI with Logging filter syntax.

gcloud secrets versions access latest --secret=<name>

— pull the latest Secret Manager value to stdout.

gcloud iam service-accounts list
gcloud iam service-accounts keys list --iam-account=<sa-email>

— enumerate SAs and their keys.

gcloud run deploy <service> --image=<image> --region=<region> --allow-unauthenticated

— deploy to Cloud Run in one line.

Docker

docker run --name migration --rm -p 5438:5432 \
  -e POSTGRES_PASSWORD=pass -e POSTGRES_DB=test \
  -d postgres:15.1

— throwaway Postgres for migration testing.

docker run --rm -it $(docker build -q .)

— build and run anonymously in one shot.

docker run --rm -p 4566:4566 -e SERVICES=dynamodb localstack/localstack

— ad-hoc LocalStack for a single AWS service.

docker run grafana/har-to-k6:latest recording.har > my-k6-script.js

— convert a browser HAR file into a k6 load-test script.

docker compose -f compose.dev.yml up -d
docker compose logs -f --tail=100 <service>
docker compose exec <service> bash

— non-default compose file, follow logs, exec into a service.

docker buildx build --platform linux/amd64,linux/arm64 -t <image> --push .

— multi-arch build + push in one command.

docker system prune -a --volumes
docker image prune -f
docker builder prune -a

— reclaim disk; volume prune included; nuke buildx cache.

docker stats --no-stream

— snapshot of CPU/mem per container instead of a live screen.

docker logs -f --since=10m <container>
docker exec -it <container> /bin/sh
docker cp <container>:/etc/passwd ./passwd

— recent logs, shell in, file out.

docker inspect --format='{{.NetworkSettings.IPAddress}}' <container>
docker image inspect --format='{{.Config.Cmd}}' <image>

— pluck a single field via Go-template instead of grepping JSON.

docker save <image> -o image.tar
docker load -i image.tar

— move an image without a registry.

docker run --network host --rm -it nicolaka/netshoot

— network debugging container on the host’s network stack.

Networking / Debugging

ssh -D 5006 -i <key>.pem <user>@<host>

— SOCKS proxy on localhost:5006 routed through the SSH host.

ssh -L 5432:db.internal:5432 user@bastion
ssh -R 9000:localhost:9000 user@server
ssh -J jump1,jump2 user@target

— local forward; reverse forward; chained jump hosts in one flag.

ssh -o "IdentitiesOnly=yes" -i <key> <user>@<host>
ssh -vvv <host>

— force a specific key; verbose auth debugging.

openssl s_client -connect <host>:443 -servername <host>
openssl s_client -connect <host>:443 -tls1_2
openssl s_client -connect <host>:443 -showcerts < /dev/null

— TLS handshake inspection; pin a version; print the cert chain.

openssl x509 -in cert.pem -text -noout
openssl req -new -newkey rsa:4096 -nodes -keyout key.pem -out csr.pem

— decode a cert; generate a CSR + key non-interactively.

nc -vz <host> <port>
nc -lkp 9000

— TCP reachability probe; listen on a port (-u for UDP).

nslookup -type=txt _mta-sts.<domain>
dig <name> @8.8.8.8 +short
dig +trace <name>
dig +noall +answer ANY <name>

— typed lookup; concise answer; trace the recursive chain; compact ANY query.

curl -vsS --resolve <host>:<port>:127.0.0.1 \
  --cacert <(<cmd-that-emits-pem>) https://<host>:<port>/...

— override DNS and supply CA inline; cluster-internal TLS tests.

curl -w '@curl-format.txt' -o /dev/null -s https://example.com

— latency breakdown (DNS / connect / TLS / TTFB) using a format file.

mtr <host>
traceroute <host>

— continuous traceroute with loss%; one-shot path discovery.

tcpdump -i any -nn -s0 -w cap.pcap 'port 443 and host <ip>'

— targeted packet capture; analyze later in Wireshark.

nmap -p- --min-rate=1000 -T4 <host>
nmap -sV -p 80,443 <host>

— full port scan; service/version detection on specific ports.

socat -d -d TCP-LISTEN:5000,fork,reuseaddr TCP:<remote>:5000

— ad-hoc TCP relay; useful when you can’t change DNS.

scutil --nwi | awk -F': ' '/Network interfaces/ {print $2;exit;}'

— primary active network interface on macOS.

Go Tooling

GOEXPERIMENT=jsonv2 go test ./... -v
GOEXPERIMENT=jsonv2,greenteagc go test -run TestFoo -count=1

— opt into experimental stdlib features; -count=1 defeats test cache.

go test -race -cover ./...
go test -bench=Process -benchmem -benchtime=3s
go test -run TestFoo -v -count=10 -failfast

— race+coverage; benchmark with allocs; flake hunter.

go tool pprof -http=:8080 http://<host>:6060/debug/pprof/heap
go tool pprof -http=:8081 cpu.pprof

— interactive flamegraph UI for a live endpoint or a saved profile.

/usr/bin/time -l go run main.go

— peak RSS and resource usage on macOS (-v on Linux).

go mod why <module>
go mod graph | grep <module>
go list -m -u all

— explain a transitive; full module graph; show available upgrades.

go install ./cmd/foo@latest
go install golang.org/x/tools/cmd/goimports@latest

— install a binary from a module without cloning.

go vet ./...
gofmt -s -w .
goimports -w .
golangci-lint run --fix

— vet; simplify-and-format; fix imports; multi-linter with auto-fix.

govulncheck ./...

— scan code+deps for known Go vulnerabilities.

go build -ldflags='-s -w -X main.version=$(git describe --tags)' -trimpath ./cmd/foo

— strip symbols, embed version, reproducible-ish builds.

go env -w GOFLAGS='-mod=mod' GOPRIVATE='github.com/myorg/*'

— persistent env tweaks; private modules bypass the proxy.

go generate ./...
go mod tidy -compat=1.21

— run //go:generate directives; tidy while keeping older Go compatible.

dlv debug --headless --listen=:2345 --api-version=2 ./cmd/foo

— Delve in headless mode for remote/IDE debugger attach.

Node / npm / pnpm

NODE_OPTIONS=--openssl-legacy-provider npm run build

— workaround for old webpack/CRA hashes under Node 17+ OpenSSL 3.

lsof -ti:3000 | xargs kill -9 || true; npm run dev

— kill whatever holds the dev port, then start.

npm ci
npm install -g @anthropic-ai/claude-code
npx --yes <cli>@latest

— deterministic install from lockfile; global CLI; one-off without installing.

npm pkg get version
npm pkg set scripts.lint='eslint .'

— read/write package.json fields without opening the file.

npm audit fix --force
npm outdated
npm view <pkg> versions --json

— forceful audit fix; dependency drift; list every published version.

pnpm install --frozen-lockfile
pnpm dlx <cli>
pnpm -r build

— CI-style install; one-off CLI; recursive workspace command.

node --inspect-brk script.js
node --prof script.js && node --prof-process isolate-*.log

— attach DevTools; CPU profiling without external tools.

Terraform

terraform plan -out plan1 && terraform show -json plan1 > plan.json
terraform apply plan1

— save a plan, JSON-serialize for review/policy, apply that exact plan.

terraform apply -var=module_version=v6.7.8
terraform apply -var-file=prod.tfvars -auto-approve

— one-off override; file-based vars with no prompt.

terraform output -raw <name>
terraform output -json | jq

— raw scalar for piping; JSON for programmatic consumption.

terraform fmt -recursive
terraform validate

— format the whole tree; check syntax/types without a plan.

terraform state list
terraform state show <addr>
terraform state mv <src> <dst>
terraform state rm <addr>

— inspect, rename, or forget resources without touching cloud state.

terraform import <addr> <real-id>

— bring an existing cloud resource under Terraform management.

terraform workspace list
terraform workspace new staging
terraform workspace select prod

— switch state files via workspaces.

terraform graph | dot -Tsvg > graph.svg

— render the resource dependency graph (requires graphviz).

Security / Supply Chain

trivy k8s --include-namespaces kube-system --report=summary
trivy k8s daemonSet/<name> -n <ns> --report=summary
trivy fs --severity HIGH,CRITICAL --ignore-unfixed .
trivy image --scanners vuln,secret,misconfig <image>

— cluster scope, workload scope, filesystem with severity gate, full image scan.

syft <image> -o spdx-json > sbom.json
syft dir:. -o cyclonedx-json

— generate an SBOM from an image or directory in standard formats.

grype <image>
grype sbom:sbom.json

— vulnerability scan from image or SBOM; pairs naturally with syft.

cosign verify \
  --certificate-identity=[email protected] \
  --certificate-oidc-issuer=https://accounts.google.com <image>
cosign sign --key cosign.key <image>
cosign tree <image>

— keyless verify; sign with a key; show signatures/attestations attached.

curl -sSL <yaml-url> | grep 'gcr.io/' | awk '{print $2}' | sort -u \
  | xargs -n1 cosign verify -o text \
      --certificate-identity=<id> --certificate-oidc-issuer=<issuer>

— extract every image from a manifest and verify each with cosign.

gitleaks detect --source . --redact
gitleaks protect --staged

— scan a repo for committed secrets; pre-commit-style staged check.

trufflehog filesystem . --only-verified
trufflehog git file://. --since-commit HEAD~50

— filesystem and git-history secret scanning, verified hits only.

macOS / Shell

defaults write com.apple.dock autohide-time-modifier -float 0.15; killall Dock
defaults write com.apple.dock autohide-delay -float 0; killall Dock

— faster Dock animation; remove the autohide delay.

defaults write com.apple.screencapture location ~/Pictures/screenshots; killall SystemUIServer
defaults write -g ApplePressAndHoldEnabled -bool false

— move screenshots; restore key-repeat in all apps.

launchctl setenv MTL_HUD_ENABLED 1
launchctl list | grep <name>

— toggle Metal HUD; enumerate launchd services.

networksetup -listallnetworkservices
networksetup -setdnsservers Wi-Fi 1.1.1.1 8.8.8.8

— enumerate or rewrite DNS on a service.

brew install --cask <app>
brew bundle dump --file=~/Brewfile
brew bundle --file=~/Brewfile

— cask installs; snapshot + restore the entire brew state.

xattr -d com.apple.quarantine <file>

— remove the “downloaded from internet” flag that blocks unsigned binaries.

pbcopy < file.txt
pbpaste > out.txt
echo "data" | pbcopy

— clipboard read/write from the shell.

caffeinate -di -t 3600

— prevent sleep for 60 minutes (drop -t to keep awake until ctrl-c).

mdfind -name "*.pem" -onlyin ~

— Spotlight queries from the CLI; honors the existing index.

sw_vers
system_profiler SPHardwareDataType

— OS version; hardware summary.

osascript -e 'display notification "done" with title "build"'
say "build complete"

— banner notification or voice from a script.

tmux

tmux new -s <name>
tmux a -t <name>
tmux a
tmux ls

— named session; attach by name; attach to most recent; list.

tmux kill-session -t <name>
tmux kill-server

— end one session; nuke everything.

tmux new -s <name> -d
tmux send-keys -t <name>:0 'tail -f /var/log/app.log' Enter

— start detached; send keystrokes to a session/window/pane non-interactively.

tmux capture-pane -p -S -2000 -t <name>:0.0 > scrollback.txt

— dump the last 2000 lines of a pane to a file.

tmux source-file ~/.tmux.conf
tmux show-options -g
tmux list-keys

— reload config without restarting; inspect options and key bindings.

tmux rename-window <name>
tmux swap-window -s 2 -t 0
tmux move-window -r

— rename a window; reorder; renumber sequentially.

tmux new-window -n <name>
tmux next-window
tmux previous-window
tmux select-window -t <number>
tmux select-window -t <name>
tmux last-window

— new window with a name; navigate forward/back; jump to window by number or name; return to the last active window.

prefix c      new window
prefix n      next window
prefix p      previous window
prefix l      last (previously active) window
prefix w      visual window/session chooser
prefix 0-9    jump to window by number
prefix ,      rename current window
prefix &      close current window (prompts)

— window navigation bindings; prefix w is the fastest way to jump across many windows.

prefix d      detach
prefix [      copy mode (q to quit, space to start selection, enter to copy)
prefix ?      list keybindings
prefix z      zoom/unzoom pane
prefix !      break pane into its own window
prefix :      command prompt
prefix |  / - split horizontally / vertically (custom)

— the bindings I actually use; the rest is in prefix ?.

find / fd / rg

find . -name '*.go' -not -path './vendor/*'
find . -type f -newer reference.txt
find . -type f -mtime -7
find . -type d -empty -delete
find . -name '*.tmp' -print0 | xargs -0 rm

— pattern with excludes; newer-than; last 7 days; prune empties; safe delete via NUL.

find . -type f -size +100M -exec ls -lh {} +
find . -type f -exec grep -l 'pattern' {} +

— files over 100M; grep across matched files efficiently with +.

fd '\.go$' --exclude vendor
fd -e py -x black {}
fd -t f -H '\.env$'
fd -t d -d 2 node_modules

— extension search with exclude; per-file exec; include hidden; depth-limited dir search.

rg -n 'TODO|FIXME' -t go
rg -l 'pattern'
rg --files -g '!*.test.go' -g '*.go'
rg -A 3 -B 3 'pattern'
rg -P 'foo(?=bar)'
rg --json 'pattern' | jq
rg --type-list

— line numbers + alternation + type filter; files-only; filtered file list; context; PCRE2 lookahead; structured output; supported types.

rg -uuu 'pattern'
rg --hidden --follow 'pattern'

— ignore all .gitignore/excludes; include hidden + follow symlinks.

fzf
rg --files | fzf
history | fzf

— interactive fuzzy picker over anything that emits lines.

Bash Scripting Tricks

set -euo pipefail
IFS=$'\n\t'

— first line of every script: fail loudly on errors, unset vars, or pipe failures.

trap 'rm -rf "$tmpdir"' EXIT INT TERM
tmpdir=$(mktemp -d)

— clean up temp dirs even on ctrl-c.

: "${VAR:?must be set}"
: "${TIMEOUT:=30}"
echo "${MAYBE:-default}"
echo "${PATH//:/$'\n'}"

— assert required; default-if-unset; default-in-expression; substitution.

diff <(cmd-a) <(cmd-b)
comm -23 <(sort a) <(sort b)

— diff outputs without temp files; lines only in A using sorted process subs.

echo "$json" | jq -r '.items[] | select(.active) | .name'
jq -s '.[0] * .[1]' a.json b.json
yq -p yaml -o json '.spec.containers[].image' deploy.yaml

— filter + project; deep-merge two JSON files; YAML query that outputs JSON.

xargs -P 8 -n 1 -I{} sh -c 'do_thing "{}"' < list.txt
parallel -j 8 'do_thing {}' ::: a b c d

— 8-way parallel exec from a file; same with GNU parallel.

while IFS=$'\t' read -r col1 col2; do
  echo "$col1 -> $col2"
done < input.tsv

— safely iterate tab-separated input without word-splitting surprises.

mapfile -t lines < <(cmd)
arr=("a b" "c d")
printf '%s\n' "${arr[@]}"

— read lines into an array; iterate quoted; print one-per-line.

( cd subdir && do_thing )

— subshell cd — no need to remember to cd - afterwards.

exec > >(tee -a log.txt) 2>&1

— redirect the whole script’s stdout+stderr to a tee’d log.

command1 |& grep error

— pipe both stdout and stderr.

time { do_a; do_b; do_c; }

— time a group of commands as a unit.

read -rp "Confirm (y/N): " ans
[[ "$ans" =~ ^[Yy]$ ]] || exit 1

— gated confirmation prompt with safe default-no.

declare -A m=( [a]=1 [b]=2 )
for k in "${!m[@]}"; do echo "$k=${m[$k]}"; done

— associative arrays; iterate keys.

getopts ':n:vh' opt
case "$opt" in
  n) name=$OPTARG ;;
  v) verbose=1 ;;
  h) usage; exit 0 ;;
  *) usage; exit 1 ;;
esac

— POSIX-style flag parsing without an external dep.

Misc One-liners

kubectl get deployments -A -o json \
  | jq -r '[["NS","Name","CPUreq","CPUlim","Memreq","Memlim"],
       (.items[]|[.metadata.namespace,.metadata.name,
         (.spec.template.spec.containers|map(.resources.requests.cpu//"None")|join(",")),
         (.spec.template.spec.containers|map(.resources.limits.cpu//"None")|join(",")),
         (.spec.template.spec.containers|map(.resources.requests.memory//"None")|join(",")),
         (.spec.template.spec.containers|map(.resources.limits.memory//"None")|join(","))])]|@tsv' \
  | column -t

— cluster-wide resource matrix as an aligned table.

seq 0 10 | jq -sR '[split("\n")[:-1] | map(tonumber)]'

— turn shell sequence output into a JSON number array.

gh api --method POST -H "Accept: application/vnd.github+json" \
  /repos/<owner>/<repo>/actions/runs/<id>/force-cancel
gh run list --workflow=<file>.yml --limit=1 --json=databaseId --jq '.[0].databaseId'
gh run view <run-id> --json status,conclusion,jobs --jq '.jobs[] | {name, conclusion}'
gh pr checks --watch
gh pr create --fill --draft

— force-cancel a stuck run; latest run id; focused run view; live-watch checks; quick draft PR.

gh search commits --author "$(gh api user --jq .login)" --owner <org> \
  -L 1000 --json url,message,repository

— pull every commit you authored across an org.

find <dir>/ -type f -size +100k -exec ls -lh {} \;

— files over a size threshold with human-readable listing.

openssl rand -base64 32
openssl rand -hex 16
uuidgen

— random tokens in various shapes.

kubectl get secret <name> -n <ns> -o jsonpath='{.data.tls\.crt}' \
  | base64 -d | openssl x509 -text -noout

— inspect a TLS secret’s certificate.

date -u +"%Y-%m-%dT%H:%M:%SZ"
date -u -v-7d +%Y-%m-%d

— RFC3339 UTC now; seven days ago (macOS date syntax).

python3 -m http.server 8000
python3 -c 'import json,sys; print(json.dumps(json.load(sys.stdin), indent=2))'

— quick static file server; pretty-print JSON without jq.

column -t -s ','  <(cat file.csv)
paste <(cmd1) <(cmd2)

— align CSV into a table; merge two streams column-wise.