diff --git a/lib/functions/compilation/kernel-debs.sh b/lib/functions/compilation/kernel-debs.sh
index 91f6fa229..aef0e48a7 100644
--- a/lib/functions/compilation/kernel-debs.sh
+++ b/lib/functions/compilation/kernel-debs.sh
@@ -151,6 +151,9 @@ function create_kernel_deb() {
 	#display_alert "Package dir" "for package ${package_name}" "debug"
 	#run_host_command_logged tree -C -h -d --du "${package_directory}"
 
+	# Run shellcheck on the produced DEBIAN/xxx scripts
+	dpkg_deb_run_shellcheck_on_scripts "${package_directory}"
+
 	# @TODO: hmm, why doesn't this use fakeroot_dpkg_deb_build() ?
 	declare final_deb_filename="${deb_output_dir}/${package_name}_${REVISION}_${ARCH}.deb"                                   # for compatibility with non-artifacts
 	run_host_command_logged dpkg-deb ${DEB_COMPRESS:+-Z$DEB_COMPRESS} --build "${package_directory}" "${final_deb_filename}" # not KDEB compress, we're not under a Makefile
diff --git a/lib/functions/compilation/packages/utils-dpkgdeb.sh b/lib/functions/compilation/packages/utils-dpkgdeb.sh
index d77ba2938..bff1f5833 100644
--- a/lib/functions/compilation/packages/utils-dpkgdeb.sh
+++ b/lib/functions/compilation/packages/utils-dpkgdeb.sh
@@ -18,5 +18,37 @@ function fakeroot_dpkg_deb_build() {
 	# Show the total human size of the source package directory.
 	display_alert "Source package size" "${first_arg}: $(du -sh "${first_arg}" | cut -f1)" "debug"
 
+	# find the DEBIAN scripts (postinst, prerm, etc) and run shellcheck on them.
+	dpkg_deb_run_shellcheck_on_scripts "${first_arg}"
+
 	run_host_command_logged_raw fakeroot dpkg-deb -b "-Z${DEB_COMPRESS}" "${orig_args[@]}"
 }
+
+function dpkg_deb_run_shellcheck_on_scripts() {
+	declare pkg_dir="$1"
+	[[ -z "${pkg_dir}" ]] && exit_with_error "dpkg_deb_run_shellcheck_on_scripts: no package directory specified"
+	[[ ! -d "${pkg_dir}" ]] && exit_with_error "dpkg_deb_run_shellcheck_on_scripts: pkg dir '${pkg_dir}' doesn't exist"
+	[[ ! -d "${pkg_dir}/DEBIAN" ]] && exit_with_error "dpkg_deb_run_shellcheck_on_scripts: pkg dir '${pkg_dir}'/DEBIAN doesn't exist"
+
+	# parse the DEBIAN/control script to find the name of the package
+	declare pkg_name
+	pkg_name=$(grep -E "^Package:" "${pkg_dir}/DEBIAN/control" | cut -d: -f2 | tr -d '[:space:]')
+	[[ -z "${pkg_name}" ]] && exit_with_error "dpkg_deb_run_shellcheck_on_scripts: can't find package name in ${pkg_dir}/DEBIAN/control"
+
+	# use "find" to find executable files in the package directory
+	declare -a executables=($(find "${pkg_dir}/DEBIAN" -type f -executable || true))
+
+	# @TODO: also include other, executable, shells scripts found in the dir; e.g. /usr/bin, /usr/sbin, etc.
+
+	# if more than zero items in array...
+	if [[ ${#executables[@]} -gt 0 ]]; then
+		display_alert "Running shellcheck on package scripts" "${executables[*]}" "debug"
+		if shellcheck_debian_control_scripts "${executables[@]}"; then
+			display_alert "shellcheck found no problems in package scripts" "shellchecked ${#executables[@]} scripts in '${pkg_name}'" "info"
+		else
+			display_alert "shellcheck found problems in package scripts; see above" "shellcheck failed for '${pkg_name}'" "wrn"
+		fi
+	else
+		display_alert "shellcheck found no problems in package scripts" "no scripts found for '${pkg_name}'" "info"
+	fi
+}
diff --git a/lib/functions/general/shellcheck.sh b/lib/functions/general/shellcheck.sh
index 23113a85b..ab2175eaf 100644
--- a/lib/functions/general/shellcheck.sh
+++ b/lib/functions/general/shellcheck.sh
@@ -1,3 +1,43 @@
+function shellcheck_debian_control_scripts() {
+	declare SEVERITY="${SEVERITY:-"critical"}"
+	declare -a params=(--check-sourced --color=always --external-sources --format=tty --shell=bash --wiki-link-count=0)
+	case "${SEVERITY}" in
+		important)
+			params+=("--severity=warning")
+			excludes+=(
+				"SC2034" # "appears unused" -- bad, but no-one will die of this
+			)
+			;;
+
+		critical)
+			params+=("--severity=warning")
+			excludes+=(
+				"SC2034" # "appears unused" -- bad, but no-one will die of this
+				"SC2207" # "prefer mapfile" -- bad expansion, can lead to trouble; a lot of legacy pre-next code hits this
+				"SC2046" # "quote this to prevent word splitting" -- bad expansion, variant 2, a lot of legacy pre-next code hits this
+				"SC2086" # "quote this to prevent word splitting" -- bad expansion, variant 3, a lot of legacy pre-next code hits this
+				"SC2206" # (warning): Quote to prevent word splitting/globbing, or split robustly with mapfile or read -a.
+			)
+			;;
+
+		*)
+			params=("--severity=${SEVERITY}")
+			;;
+	esac
+
+	for exclude in "${excludes[@]}"; do
+		params+=(--exclude="${exclude}")
+	done
+
+	if run_tool_shellcheck "${params[@]}" "${@}"; then
+		display_alert "Congrats, no ${SEVERITY}'s detected." "SHELLCHECK" "debug"
+		return 0
+	else
+		display_alert "SHELLCHECK found ${SEVERITY}'s." "SHELLCHECK" "debug"
+		return 1
+	fi
+}
+
 function run_tool_shellcheck() {
 	# Default version
 	SHELLCHECK_VERSION=${SHELLCHECK_VERSION:-0.9.0} # https://github.com/koalaman/shellcheck/releases