diff --git a/hack/dind b/hack/dind
index 3254f9dbe7..4188c1befe 100755
--- a/hack/dind
+++ b/hack/dind
@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/sh
 set -e
 
 # DinD: a wrapper script which allows docker to be run inside a docker container.
diff --git a/hack/dockerfile/install/containerd.installer b/hack/dockerfile/install/containerd.installer
index 98b06d0b8a..5d78c8471d 100755
--- a/hack/dockerfile/install/containerd.installer
+++ b/hack/dockerfile/install/containerd.installer
@@ -28,9 +28,9 @@ install_containerd() {
 		make
 	)
 
-	mkdir -p ${PREFIX}
+	mkdir -p "${PREFIX}"
 
-	cp bin/containerd ${PREFIX}/containerd
-	cp bin/containerd-shim ${PREFIX}/containerd-shim
-	cp bin/ctr ${PREFIX}/ctr
+	cp bin/containerd "${PREFIX}/containerd"
+	cp bin/containerd-shim "${PREFIX}/containerd-shim"
+	cp bin/ctr "${PREFIX}/ctr"
 }
diff --git a/hack/dockerfile/install/dockercli.installer b/hack/dockerfile/install/dockercli.installer
index ae3aa0dd45..03435fe54b 100755
--- a/hack/dockerfile/install/dockercli.installer
+++ b/hack/dockerfile/install/dockercli.installer
@@ -8,14 +8,13 @@ install_dockercli() {
 
 	arch=$(uname -m)
 	# No official release of these platforms
-	if [[ "$arch" != "x86_64" ]] && [[ "$arch" != "s390x" ]]; then
+	if [ "$arch" != "x86_64" ] && [ "$arch" != "s390x" ]; then
 		build_dockercli
 		return
 	fi
 
 	url=https://download.docker.com/linux/static
-	curl -Ls $url/$DOCKERCLI_CHANNEL/$arch/docker-$DOCKERCLI_VERSION.tgz | \
-	tar -xz docker/docker
+	curl -Ls "${url}/${DOCKERCLI_CHANNEL}/${arch}/docker-${DOCKERCLI_VERSION}.tgz" | tar -xz docker/docker
 	mkdir -p ${PREFIX}
 	mv docker/docker ${PREFIX}/
 	rmdir docker
@@ -27,5 +26,5 @@ build_dockercli() {
 	git checkout -q "v$DOCKERCLI_VERSION"
 	mkdir -p "$GOPATH/src/github.com/docker"
 	mv components/cli "$GOPATH/src/github.com/docker/cli"
-	go build -buildmode=pie -o ${PREFIX}/docker github.com/docker/cli/cmd/docker
+	go build -buildmode=pie -o "${PREFIX}/docker" "github.com/docker/cli/cmd/docker"
 }
diff --git a/hack/dockerfile/install/gometalinter.installer b/hack/dockerfile/install/gometalinter.installer
index d921fd739a..461850f936 100755
--- a/hack/dockerfile/install/gometalinter.installer
+++ b/hack/dockerfile/install/gometalinter.installer
@@ -7,6 +7,6 @@ install_gometalinter() {
 	go get -d github.com/alecthomas/gometalinter
 	cd "$GOPATH/src/github.com/alecthomas/gometalinter"
 	git checkout -q "$GOMETALINTER_COMMIT"
-	go build -buildmode=pie -o ${PREFIX}/gometalinter github.com/alecthomas/gometalinter
-	GOBIN=${PREFIX} ${PREFIX}/gometalinter --install
+	go build -buildmode=pie -o "${PREFIX}/gometalinter" "github.com/alecthomas/gometalinter"
+	GOBIN=${PREFIX} "${PREFIX}/gometalinter" --install
 }
diff --git a/hack/dockerfile/install/install.sh b/hack/dockerfile/install/install.sh
index a0ff09da55..5e4a396789 100755
--- a/hack/dockerfile/install/install.sh
+++ b/hack/dockerfile/install/install.sh
@@ -26,5 +26,5 @@ if [ ! -f "${dir}/${bin}.installer" ]; then
 	exit 1
 fi
 
-. $dir/$bin.installer
-install_$bin "$@"
+. ${dir}/${bin}.installer
+install_${bin} "$@"
diff --git a/hack/dockerfile/install/proxy.installer b/hack/dockerfile/install/proxy.installer
index b8c19ef0c1..06643a435d 100755
--- a/hack/dockerfile/install/proxy.installer
+++ b/hack/dockerfile/install/proxy.installer
@@ -32,7 +32,7 @@ _install_proxy() {
 	git clone https://github.com/docker/libnetwork.git "$GOPATH/src/github.com/docker/libnetwork"
 	cd "$GOPATH/src/github.com/docker/libnetwork"
 	git checkout -q "$LIBNETWORK_COMMIT"
-	go build $BUILD_MODE -ldflags="$PROXY_LDFLAGS" -o ${PREFIX}/docker-proxy github.com/docker/libnetwork/cmd/proxy
+	go build ${BUILD_MODE} -ldflags="$PROXY_LDFLAGS" -o ${PREFIX}/docker-proxy github.com/docker/libnetwork/cmd/proxy
 }
 
 
diff --git a/hack/dockerfile/install/runc.installer b/hack/dockerfile/install/runc.installer
index c6d28982f4..21462686a7 100755
--- a/hack/dockerfile/install/runc.installer
+++ b/hack/dockerfile/install/runc.installer
@@ -25,6 +25,6 @@ install_runc() {
 		target="$1"
 	fi
 	make BUILDTAGS="$RUNC_BUILDTAGS" "$target"
-	mkdir -p ${PREFIX}
-	cp runc ${PREFIX}/runc
+	mkdir -p "${PREFIX}"
+	cp runc "${PREFIX}/runc"
 }
diff --git a/hack/dockerfile/install/tini.installer b/hack/dockerfile/install/tini.installer
index 34f43f15f4..c622357365 100755
--- a/hack/dockerfile/install/tini.installer
+++ b/hack/dockerfile/install/tini.installer
@@ -9,6 +9,6 @@ install_tini() {
 	git checkout -q "$TINI_COMMIT"
 	cmake .
 	make tini-static
-	mkdir -p ${PREFIX}
-	cp tini-static ${PREFIX}/docker-init
+	mkdir -p "${PREFIX}"
+	cp tini-static "${PREFIX}/docker-init"
 }
diff --git a/hack/dockerfile/install/tomlv.installer b/hack/dockerfile/install/tomlv.installer
index 8ec6812255..cbf23c8e33 100755
--- a/hack/dockerfile/install/tomlv.installer
+++ b/hack/dockerfile/install/tomlv.installer
@@ -8,5 +8,5 @@ install_tomlv() {
 	echo "Install tomlv version $TOMLV_COMMIT"
 	git clone https://github.com/BurntSushi/toml.git "$GOPATH/src/github.com/BurntSushi/toml"
 	cd "$GOPATH/src/github.com/BurntSushi/toml" && git checkout -q "$TOMLV_COMMIT"
-	go build -v -buildmode=pie -o ${PREFIX}/tomlv github.com/BurntSushi/toml/cmd/tomlv
+	go build -v -buildmode=pie -o "${PREFIX}/tomlv" "github.com/BurntSushi/toml/cmd/tomlv"
 }
diff --git a/hack/dockerfile/install/vndr.installer b/hack/dockerfile/install/vndr.installer
index e6a94e7071..d53fadaf7a 100755
--- a/hack/dockerfile/install/vndr.installer
+++ b/hack/dockerfile/install/vndr.installer
@@ -7,5 +7,5 @@ install_vndr() {
 	git clone https://github.com/LK4D4/vndr.git "$GOPATH/src/github.com/LK4D4/vndr"
 	cd "$GOPATH/src/github.com/LK4D4/vndr"
 	git checkout -q "$VNDR_COMMIT"
-	go build -buildmode=pie -v -o ${PREFIX}/vndr .
+	go build -buildmode=pie -v -o "${PREFIX}/vndr" .
 }
diff --git a/hack/make.sh b/hack/make.sh
index 62c72a09e2..e1e3dc46fa 100755
--- a/hack/make.sh
+++ b/hack/make.sh
@@ -148,7 +148,7 @@ EXTLDFLAGS_STATIC='-static'
 ORIG_BUILDFLAGS=( -tags "autogen netgo osusergo static_build $DOCKER_BUILDTAGS" -installsuffix netgo )
 # see https://github.com/golang/go/issues/9369#issuecomment-69864440 for why -installsuffix is necessary here
 
-BUILDFLAGS=( $BUILDFLAGS "${ORIG_BUILDFLAGS[@]}" )
+BUILDFLAGS=( ${BUILDFLAGS} "${ORIG_BUILDFLAGS[@]}" )
 
 # Test timeout.
 if [ "${DOCKER_ENGINE_GOARCH}" == "arm64" ] || [ "${DOCKER_ENGINE_GOARCH}" == "arm" ]; then
diff --git a/hack/make/.binary b/hack/make/.binary
index 010c2c11da..ff33e18cab 100644
--- a/hack/make/.binary
+++ b/hack/make/.binary
@@ -68,7 +68,7 @@ go build \
 		$LDFLAGS_STATIC_DOCKER
 		$DOCKER_LDFLAGS
 	" \
-	$GO_PACKAGE
+	${GO_PACKAGE}
 )
 
 echo "Created binary: $DEST/$BINARY_FULLNAME"
diff --git a/hack/make/.go-autogen b/hack/make/.go-autogen
index 6397cdc2d3..ef5c6a40f2 100644
--- a/hack/make/.go-autogen
+++ b/hack/make/.go-autogen
@@ -67,7 +67,7 @@ if [ "$(go env GOOS)" = "windows" ]; then
 	[ ! -z $GITCOMMIT ]    && defs="$defs -D DOCKER_COMMIT=\"$GITCOMMIT\""
 
 	function makeres {
-		$WINDRES \
+		${WINDRES} \
 			-i hack/make/.resources-windows/$1 \
 			-o $3 \
 			-F $2 \
@@ -76,7 +76,7 @@ if [ "$(go env GOOS)" = "windows" ]; then
 			$defs
 	}
 
-	$WINDMC \
+	${WINDMC} \
 		hack/make/.resources-windows/event_messages.mc \
 		-h autogen/winresources/tmp \
 		-r autogen/winresources/tmp
diff --git a/hack/make/.integration-daemon-start b/hack/make/.integration-daemon-start
index 20801fccee..aaa573b741 100644
--- a/hack/make/.integration-daemon-start
+++ b/hack/make/.integration-daemon-start
@@ -86,8 +86,8 @@ if [ -z "$DOCKER_TEST_HOST" ]; then
 			--storage-driver "$DOCKER_GRAPHDRIVER" \
 			--pidfile "$DEST/docker.pid" \
 			--userland-proxy="$DOCKER_USERLANDPROXY" \
-			$storage_params \
-			$extra_params \
+			${storage_params} \
+			${extra_params} \
 				&> "$DEST/docker.log"
 	) &
 else
@@ -97,7 +97,7 @@ fi
 # give it a little time to come up so it's "ready"
 tries=60
 echo "INFO: Waiting for daemon to start..."
-while ! $TEST_CLIENT_BINARY version &> /dev/null; do
+while ! ${TEST_CLIENT_BINARY} version &> /dev/null; do
 	(( tries-- ))
 	if [ $tries -le 0 ]; then
 		printf "\n"
@@ -106,7 +106,7 @@ while ! $TEST_CLIENT_BINARY version &> /dev/null; do
 			echo >&2 "  check $DEST/docker.log for details"
 		else
 			echo >&2 "error: daemon at $DOCKER_HOST fails to '$TEST_CLIENT_BINARY version':"
-			$TEST_CLIENT_BINARY version >&2 || true
+			${TEST_CLIENT_BINARY} version >&2 || true
 			# Additional Windows CI debugging as this is a common error as of
 			# January 2016
 			if [ "$(go env GOOS)" = 'windows' ]; then
diff --git a/hack/make/.integration-test-helpers b/hack/make/.integration-test-helpers
index 149b653800..d9196b9c49 100644
--- a/hack/make/.integration-test-helpers
+++ b/hack/make/.integration-test-helpers
@@ -5,7 +5,7 @@
 #
 #     TESTFLAGS='-check.f DockerSuite.TestBuild*' ./hack/make.sh binary test-integration
 #
-if [ -z $MAKEDIR ]; then
+if [ -z ${MAKEDIR} ]; then
 	export MAKEDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 fi
 source "$MAKEDIR/.go-autogen"
@@ -26,11 +26,11 @@ run_test_integration() {
 
 run_test_integration_suites() {
 	local flags="-test.v -test.timeout=${TIMEOUT} $TESTFLAGS"
-	for dir in $integration_api_dirs; do
+	for dir in ${integration_api_dirs}; do
 		if ! (
-			cd $dir
+			cd "$dir"
 			echo "Running $PWD"
-			test_env ./test.main $flags
+			test_env ./test.main ${flags}
 		); then exit 1; fi
 	done
 }
@@ -50,7 +50,7 @@ build_test_suite_binaries() {
 		return
 	fi
 	build_test_suite_binary ./integration-cli "test.main"
-	for dir in $integration_api_dirs; do
+	for dir in ${integration_api_dirs}; do
 		build_test_suite_binary "$dir" "test.main"
 	done
 }
@@ -70,7 +70,7 @@ cleanup_test_suite_binaries() {
 }
 
 repeat() {
-	for i in $(seq 1 $TEST_REPEAT); do
+	for i in $(seq 1 ${TEST_REPEAT}); do
 		echo "Running integration-test (iteration $i)"
 		$@
 	done
@@ -115,7 +115,7 @@ error_on_leaked_containerd_shims() {
 	            awk '$2 == "containerd-shim" && $4 ~ /.*\/bundles\/.*\/test-integration/ { print $1 }')
 	if [ -n "$leftovers" ]; then
 		ps aux
-		kill -9 $leftovers 2> /dev/null
+		kill -9 ${leftovers} 2> /dev/null
 		echo "!!!! WARNING you have left over shim(s), Cleanup your test !!!!"
 		exit 1
 	fi
diff --git a/hack/make/cross b/hack/make/cross
index 497f02ae4b..47cb667af2 100644
--- a/hack/make/cross
+++ b/hack/make/cross
@@ -2,28 +2,28 @@
 set -e
 
 # if we have our linux/amd64 version compiled, let's symlink it in
-if [ -x "$DEST/../binary-daemon/dockerd-$VERSION" ]; then
+if [ -x "${DEST}/../binary-daemon/dockerd-${VERSION}" ]; then
 	arch=$(go env GOHOSTARCH)
 	mkdir -p "$DEST/linux/${arch}"
 	(
-		cd "$DEST/linux/${arch}"
+		cd "${DEST}/linux/${arch}"
 		ln -sf ../../../binary-daemon/* ./
 	)
-	echo "Created symlinks:" "$DEST/linux/${arch}/"*
+	echo "Created symlinks:" "${DEST}/linux/${arch}/"*
 fi
 
 DOCKER_CROSSPLATFORMS=${DOCKER_CROSSPLATFORMS:-"linux/amd64 windows/amd64"}
 
-for platform in $DOCKER_CROSSPLATFORMS; do
+for platform in ${DOCKER_CROSSPLATFORMS}; do
 	(
 		export KEEPDEST=1
-		export DEST="$DEST/$platform" # bundles/VERSION/cross/GOOS/GOARCH/docker-VERSION
+		export DEST="${DEST}/${platform}" # bundles/VERSION/cross/GOOS/GOARCH/docker-VERSION
 		export GOOS=${platform%/*}
 		export GOARCH=${platform##*/}
 
-		echo "Cross building: $DEST"
-		mkdir -p "$DEST"
-		ABS_DEST="$(cd "$DEST" && pwd -P)"
+		echo "Cross building: ${DEST}"
+		mkdir -p "${DEST}"
+		ABS_DEST="$(cd "${DEST}" && pwd -P)"
 		source "${MAKEDIR}/binary-daemon"
 
 		source "${MAKEDIR}/cross-platform-dependent"
diff --git a/hack/make/cross-platform-dependent b/hack/make/cross-platform-dependent
index 52632c3036..21824ed7c9 100644
--- a/hack/make/cross-platform-dependent
+++ b/hack/make/cross-platform-dependent
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 set -e
 
-if [ $platform == "windows/amd64" ]; then
+if [ ${platform} == "windows/amd64" ]; then
 	source "${MAKEDIR}/containerutility"
 fi
diff --git a/hack/make/run b/hack/make/run
index 3254280260..eff7dd95aa 100644
--- a/hack/make/run
+++ b/hack/make/run
@@ -35,10 +35,10 @@ fi
 
 args="--debug \
 	--host tcp://0.0.0.0:${listen_port} --host unix:///var/run/docker.sock \
-	--storage-driver "$DOCKER_GRAPHDRIVER" \
-	--userland-proxy="$DOCKER_USERLANDPROXY" \
+	--storage-driver "${DOCKER_GRAPHDRIVER}" \
+	--userland-proxy="${DOCKER_USERLANDPROXY}" \
 	$storage_params \
 	$extra_params"
 
-echo dockerd $args
-exec dockerd $args
+echo dockerd ${args}
+exec dockerd ${args}
diff --git a/hack/make/test-integration b/hack/make/test-integration
index c807cd4978..6908935d1f 100755
--- a/hack/make/test-integration
+++ b/hack/make/test-integration
@@ -8,7 +8,7 @@ source hack/make/.integration-test-helpers
 	bundle .integration-daemon-start
 	bundle .integration-daemon-setup
 
-	local testexit=0
+	testexit=0
 	( repeat run_test_integration ) || testexit=$?
 
 	# Always run cleanup, even if the subshell fails
@@ -16,6 +16,6 @@ source hack/make/.integration-test-helpers
 	cleanup_test_suite_binaries
 	error_on_leaked_containerd_shims
 
-	exit $testexit
+	exit ${testexit}
 
 ) 2>&1 | tee -a "$DEST/test.log"
diff --git a/hack/test/unit b/hack/test/unit
index ac27f68c30..d79c8a4bfb 100755
--- a/hack/test/unit
+++ b/hack/test/unit
@@ -24,7 +24,7 @@ for pkg in $pkg_list; do
         -cover \
         -coverprofile=profile.out \
         -covermode=atomic \
-        $TESTFLAGS \
+        ${TESTFLAGS} \
         "${pkg}"
 
     if test -f profile.out; then
diff --git a/hack/validate/all b/hack/validate/all
index 9d95c2d2fd..8e3cbfcd3b 100755
--- a/hack/validate/all
+++ b/hack/validate/all
@@ -4,5 +4,5 @@
 
 export SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
-. $SCRIPTDIR/default
-. $SCRIPTDIR/vendor
+. ${SCRIPTDIR}/default
+. ${SCRIPTDIR}/vendor
diff --git a/hack/validate/dco b/hack/validate/dco
index f391001601..9e1ed80f77 100755
--- a/hack/validate/dco
+++ b/hack/validate/dco
@@ -21,7 +21,7 @@ check_dco() {
 	grep -qE "$dcoRegex"
 }
 
-if [ $adds -eq 0 -a $dels -eq 0 ]; then
+if [ ${adds} -eq 0 -a ${dels} -eq 0 ]; then
 	echo '0 adds, 0 deletions; nothing to validate! :)'
 else
 	commits=( $(validate_log --format='format:%H%n') )
diff --git a/hack/validate/default b/hack/validate/default
index 8ec978876d..4ca7e91476 100755
--- a/hack/validate/default
+++ b/hack/validate/default
@@ -4,14 +4,14 @@
 
 export SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
-. $SCRIPTDIR/dco
-. $SCRIPTDIR/default-seccomp
-. $SCRIPTDIR/gometalinter
-. $SCRIPTDIR/pkg-imports
-. $SCRIPTDIR/swagger
-. $SCRIPTDIR/swagger-gen
-. $SCRIPTDIR/test-imports
-. $SCRIPTDIR/toml
-. $SCRIPTDIR/changelog-well-formed
-. $SCRIPTDIR/changelog-date-descending
-. $SCRIPTDIR/deprecate-integration-cli
+. ${SCRIPTDIR}/dco
+. ${SCRIPTDIR}/default-seccomp
+. ${SCRIPTDIR}/gometalinter
+. ${SCRIPTDIR}/pkg-imports
+. ${SCRIPTDIR}/swagger
+. ${SCRIPTDIR}/swagger-gen
+. ${SCRIPTDIR}/test-imports
+. ${SCRIPTDIR}/toml
+. ${SCRIPTDIR}/changelog-well-formed
+. ${SCRIPTDIR}/changelog-date-descending
+. ${SCRIPTDIR}/deprecate-integration-cli
diff --git a/hack/validate/gometalinter b/hack/validate/gometalinter
index 8f42597fce..0c0ae0d7ee 100755
--- a/hack/validate/gometalinter
+++ b/hack/validate/gometalinter
@@ -10,4 +10,4 @@ SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 gometalinter \
 	${GOMETALINTER_OPTS} \
-	--config $SCRIPTDIR/gometalinter.json ./...
+	--config ${SCRIPTDIR}/gometalinter.json ./...