diff --git a/pkgs/development/tools/build-managers/bazel/default.nix b/pkgs/development/tools/build-managers/bazel/default.nix
index e9ce95c1609..352b79f21b6 100644
--- a/pkgs/development/tools/build-managers/bazel/default.nix
+++ b/pkgs/development/tools/build-managers/bazel/default.nix
@@ -208,6 +208,7 @@ stdenv.mkDerivation rec {
             # about why to create a subdir for the workspace.
             cp -r ${workspaceDir} wd && chmod u+w wd && cd wd
 
+            BAZEL_EXTRACTED=${be.install_dir}
             ${bazelScript}
 
             touch $out
@@ -223,6 +224,7 @@ stdenv.mkDerivation rec {
       };
 
     in {
+      shebang = callPackage ./shebang-test.nix { inherit runLocal bazelTest distDir; };
       bashTools = callPackage ./bash-tools-test.nix { inherit runLocal bazelTest distDir; };
       cpp = callPackage ./cpp-test.nix { inherit runLocal bazelTest bazel-examples distDir; };
       java = callPackage ./java-test.nix { inherit runLocal bazelTest bazel-examples distDir; };
diff --git a/pkgs/development/tools/build-managers/bazel/shebang-test.nix b/pkgs/development/tools/build-managers/bazel/shebang-test.nix
new file mode 100644
index 00000000000..98ec9a67c15
--- /dev/null
+++ b/pkgs/development/tools/build-managers/bazel/shebang-test.nix
@@ -0,0 +1,47 @@
+{
+  bazel
+, bazelTest
+, distDir
+, runLocal
+, unzip
+}:
+
+# Tests that all shebangs are patched appropriately.
+# #!/usr/bin/... should be replaced by Nix store references.
+# #!.../bin/env python should be replaced by Nix store reference to the python interpreter.
+
+let
+
+  workspaceDir = runLocal "our_workspace" {} "mkdir $out";
+
+  testBazel = bazelTest {
+    name = "bazel-test-shebangs";
+    inherit workspaceDir;
+    bazelPkg = bazel;
+    bazelScript = ''
+      set -ueo pipefail
+      FAIL=
+      check_shebangs() {
+        local dir="$1"
+        { grep -Re '#!/usr/bin' $dir && FAIL=1; } || true
+        { grep -Re '#![^[:space:]]*/bin/env python' $dir && FAIL=1; } || true
+      }
+      check_shebangs $BAZEL_EXTRACTED
+      while IFS= read -r -d "" zip; do
+        unzipped="./$zip/UNPACKED"
+        mkdir -p "$unzipped"
+        unzip -qq $zip -d "$unzipped"
+        check_shebangs "$unzipped"
+        rm -rf unzipped
+      done < <(find $BAZEL_EXTRACTED -type f -name '*.zip' -or -name '*.jar' -print0)
+      if [[ $FAIL = 1 ]]; then
+        echo "Found files in the bazel distribution with illegal shebangs." >&2
+        echo "Replace those by explicit Nix store paths." >&2
+        echo "Python scripts should not use \`bin/env python' but the Python interpreter's store path." >&2
+        exit 1
+      fi
+    '';
+    buildInputs = [ unzip ];
+  };
+
+in testBazel