diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0c7d87b..96cf67c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 
+* bkctld-check-incs: Correct shellsheck warnings
+
 ### Deprecated
 
 ### Removed
@@ -19,6 +21,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 
 * tests: clean jail configuration after each test
+* bkctld-check-incs: Protect `jail_config_epoch`
 
 ### Security
 
diff --git a/lib/bkctld-check-incs b/lib/bkctld-check-incs
index 1a1f5c3..a395796 100755
--- a/lib/bkctld-check-incs
+++ b/lib/bkctld-check-incs
@@ -7,7 +7,7 @@
 set -u
 
 # shellcheck source=./includes
-LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes"
+LIBDIR="$(dirname "$0")" && . "${LIBDIR}/includes"
 
 # default return value is 0 (succes)
 rc=0
@@ -20,14 +20,14 @@ for jail_name in $("${LIBDIR}/bkctld-list"); do
     # Today in ISO format
     today_iso=$(date +"%Y-%m-%d")
 
-    # get jail last configuration date
-    jail_config_epoch=$(date --date "$(stat -c %y ${incs_policy_file})" +"%s")
-
     if [ -n "${incs_policy_file}" ]; then
-        # loop for each line in jail configuration
-        for line in $(cat ${incs_policy_file}); do
+        # get jail last configuration date
+        jail_config_epoch=$(date --date "$(stat -c %y "${incs_policy_file}")" +"%s")
+
+        # read each line in jail configuration
+        while IFS= read -r line < "${incs_policy_file}"; do
             # inc date in ISO format
-            inc_iso=$(relative_date ${line})
+            inc_iso=$(relative_date "${line}")
             # inc date in seconds from epoch
             inc_epoch=$(date --date "${inc_iso}" +"%s")