diff --git a/Dockerfile b/Dockerfile
index 92d0912b2d..a9748fc210 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -200,6 +200,15 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg/mod \
         PREFIX=/build ./install.sh $INSTALL_BINARY_NAME
 
+FROM base AS shfmt
+ENV INSTALL_BINARY_NAME=shfmt
+ARG SHFMT_COMMIT
+COPY hack/dockerfile/install/install.sh ./install.sh
+COPY hack/dockerfile/install/$INSTALL_BINARY_NAME.installer ./
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+        PREFIX=/build ./install.sh $INSTALL_BINARY_NAME
+
 FROM dev-base AS dockercli
 ENV INSTALL_BINARY_NAME=dockercli
 ARG DOCKERCLI_CHANNEL
@@ -304,6 +313,7 @@ COPY --from=criu          /build/ /usr/local/
 COPY --from=vndr          /build/ /usr/local/bin/
 COPY --from=gotestsum     /build/ /usr/local/bin/
 COPY --from=golangci_lint /build/ /usr/local/bin/
+COPY --from=shfmt         /build/ /usr/local/bin/
 COPY --from=runc          /build/ /usr/local/bin/
 COPY --from=containerd    /build/ /usr/local/bin/
 COPY --from=rootlesskit   /build/ /usr/local/bin/
diff --git a/hack/dockerfile/install/shfmt.installer b/hack/dockerfile/install/shfmt.installer
new file mode 100755
index 0000000000..8361f7cc24
--- /dev/null
+++ b/hack/dockerfile/install/shfmt.installer
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+: "${SHFMT_COMMIT:=01725bdd30658db1fe1b9e02173c3060061fe86f}" # v3.0.2
+
+install_shfmt() {
+	echo "Install shfmt version $SHFMT_COMMIT"
+	git clone https://github.com/mvdan/sh.git "$GOPATH/src/github.com/mvdan/sh"
+	cd "$GOPATH/src/github.com/mvdan/sh" || exit 1
+	git checkout -q "$SHFMT_COMMIT"
+	GO111MODULE=on go build -buildmode=pie -v -o "${PREFIX}/shfmt" ./cmd/shfmt
+}
diff --git a/hack/validate/default b/hack/validate/default
index 16609d4e85..b91390f691 100755
--- a/hack/validate/default
+++ b/hack/validate/default
@@ -14,3 +14,4 @@ export SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 . "${SCRIPTDIR}"/changelog-date-descending
 . "${SCRIPTDIR}"/deprecate-integration-cli
 . "${SCRIPTDIR}"/golangci-lint
+. "${SCRIPTDIR}"/shfmt
diff --git a/hack/validate/shfmt b/hack/validate/shfmt
new file mode 100755
index 0000000000..3a3901cb74
--- /dev/null
+++ b/hack/validate/shfmt
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+set -e -o pipefail
+
+shfmtflags="-bn -ci -sr"
+# NOTE: `git grep '^#!'` may also pick up non-shell script files.
+# Add exceptional files to `egrep -v` if any false-positive is detected.
+if git grep --name-only '^#!' | egrep -v '(vendor|\.go|Jenkinsfile)' \
+	| xargs shfmt -d $shfmtflags; then
+	echo 'Congratulations! The shell scripts are properly formatted.'
+else
+	echo "Please reformat the shell scripts with \`shfmt -w ${shfmtflags}\`."
+	exit 1
+fi