diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 31cd487..4cfbfb9 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -43,3 +43,4 @@ repos:
 rev: 528d713e620bdf4b41849db93cb489c4fef9f5c5 # v0.6.0
 hooks:
 - id: misspell
+ exclude: '^example\.pre-commit-config\.yaml$'
diff --git a/example.pre-commit-config.yaml b/example.pre-commit-config.yaml
index d22473f..e10000a 100644
--- a/example.pre-commit-config.yaml
+++ b/example.pre-commit-config.yaml
@@ -6,8 +6,13 @@ repos:
 - repo: https://github.com/chainguard-dev/pre-commit-hooks
 rev: 71fca50bcd1006b5cbcf71f03a3b493f48c4af7f
 hooks:
- # Not quite ready for prime time yet, due to a tool dependency outside the pre-commit managed environment.
- #- id: shellcheck-run-steps
+ - id: shellcheck-run-steps
+ files: '^[^.][^/]*\.yaml$' # matches non-hidden .yaml files at the top level only
+ args:
+ - "--" # options to hook before this, options to shellcheck after
+ - "-S"
+ - "error"
+ - "--" # terminates shellcheck options, rest will be filenames
 - id: check-for-epoch-bump
 files: |
 (?x)^(
diff --git a/pre_commit_hooks/shellcheck_run_steps.py b/pre_commit_hooks/shellcheck_run_steps.py
index c685cd4..afd8e1d 100644
--- a/pre_commit_hooks/shellcheck_run_steps.py
+++ b/pre_commit_hooks/shellcheck_run_steps.py
@@ -13,6 +13,10 @@
 yaml = ruamel.yaml.YAML(typ="safe")
+# Please provide the output of `grype koalaman/shellcheck@sha256:`
+# in your PR when bumping. Referenced by SHA for safety.
+DefaultShellCheckImage = "koalaman/shellcheck@sha256:652a5a714dc2f5f97e36f565d4f7d2322fea376734f3ec1b04ed54ce2a0b124f"
+
 def do_shellcheck(
 melange_cfg: Mapping[str, Any],
@@ -55,7 +59,7 @@ def do_shellcheck(
 shfile.write(step["runs"])
 shfile.close()
 subprocess.check_call(
- ["/usr/bin/shellcheck"]
+ shellcheck
 + shellcheck_args
 + ["--shell=busybox", "--"]
 + [os.path.basename(f.name) for _, f in all_steps],
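Review bot: The example in example.pre-commit-config.yaml now enables `shellcheck-run-steps` but no longer tells the reader what the hook needs on the host. The removed comment named a tool dependency outside the pre-commit managed environment, and the default command in pre_commit_hooks/shellcheck_run_steps.py appears to start a container from a digest-pinned image instead. A short comment above the hook would carry that over, e.g. `# needs a container runtime on PATH; shellcheck runs from a digest-pinned image`. `rev:` is unchanged context in this hunk, so whether the pinned revision already contains the container default cannot be seen from the diff.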
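Review bot: `DefaultShellCheckImage` in the `@@ -13,6 +13,10 @@` hunk of pre_commit_hooks/shellcheck_run_steps.py is a module-level constant, so PEP 8 naming would be `DEFAULT_SHELLCHECK_IMAGE`, with the reference in the `--shellcheck` default of the `@@ -79,7 +82,7 @@` hunk renamed to match. The digest alone does not say which shellcheck release it pins; a trailing comment such as `# shellcheck <VERSION>` (placeholder, the release is not stated in the diff), in the way the misspell rev in .pre-commit-config.yaml carries `# v0.6.0`, would let the reviewer of the next bump see what is changing. The comment's `grype koalaman/shellcheck@sha256:` stops at the colon, so it may be worth saying explicitly that the new digest is to be appended.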
@@ -68,8 +72,7 @@ def main(argv: Sequence[str] | None = None) -> int:
 parser.add_argument(
 "filenames",
 nargs="*",
- help="Filenames to check. You can also pass "
- "arguments to shellcheck before a '--' separator.",
+ metavar="[-- SHELLCHECK ARGS -- ] FILENAMES",
 )
 parser.add_argument(
 "--shellcheck",
@@ -79,7 +82,7 @@ def main(argv: Sequence[str] | None = None) -> int:
 f"--volume={os.getcwd()}:/mnt",
 "--rm",
 "-it",
- "koalaman/shellcheck:latest",
+ DefaultShellCheckImage,
 ],
 nargs="*",
 help="shellcheck command",
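Review bot: The `filenames` argument in the `@@ -68,8 +72,7 @@` hunk loses its `help=` text, and `metavar` only changes how the positional is printed in the usage line, so `--help` no longer explains the separator convention. Keeping a help string next to the new metavar would preserve that, e.g. `help="Files to check; tokens between two '--' separators are passed to shellcheck.",`. The code that splits the positionals on `--` is outside this hunk, so the wording should be checked against it. The metavar also has a stray space in `-- ]`.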
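Review bot: The default `--shellcheck` command in the `@@ -79,7 +82,7 @@` hunk keeps `"-it"` and a read-write bind mount of the working directory next to the newly pinned image. Requesting a TTY usually makes the container runtime refuse to start when stdin is not a terminal, which is the normal case for a hook run in CI, and a linter only needs to read its input. Consider dropping `"-it",` and mounting read-only with `f"--volume={os.getcwd()}:/mnt:ro",`, so the image gets no write access to the checkout. Both lines are unchanged context, and the start of the default list is outside the hunk, so this is inferred from the visible arguments.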