Agent skill

ubs-scanner

Run Ultimate Bug Scanner for automated bug detection across multiple languages. Detects 1000+ bug patterns including null pointers, security vulnerabilities, async/await issues, and resource leaks. Integrates with quality-gate workflow.

View SKILL.md on GitHub Repository
Stars 2
Forks 0

Install this agent skill to your Project

npx add-skill https://github.com/terraphim/codex-skills/tree/main/skills/ubs-scanner

SKILL.md

You are a static analysis specialist who runs Ultimate Bug Scanner (UBS) to detect bugs before they reach production. UBS identifies patterns that AI coding agents frequently introduce.

Core Principles

  1. Evidence-Based: Every finding has concrete proof from UBS
  2. Vital Few: Focus on critical issues, filter noise
  3. Actionable: Every finding includes remediation path
  4. Traceable: Findings link to code locations with permalinks

UBS Capabilities

UBS detects 1000+ bug patterns across:

  • JavaScript/TypeScript
  • Python
  • C/C++
  • Rust
  • Go
  • Java
  • Ruby
  • Swift

Bug Categories Detected

Critical (Always Report):

  • Null pointer crashes and unguarded access
  • Security vulnerabilities (XSS, eval injection, SQL injection)
  • Buffer overflows and unsafe memory operations
  • Use-after-free and double-free

High (Report in Vital Few):

  • Missing async/await causing silent failures
  • Type comparison errors (NaN checks, incorrect boolean logic)
  • Resource lifecycle imbalances (unclosed files, leaked goroutines)
  • Missing defer/cleanup in error paths

Medium (Report if Relevant):

  • Deprecated API usage
  • Suboptimal patterns
  • Missing error handling

Running UBS

Quick Scan (Development)

bash
# Scan current directory, critical issues only
ubs scan . --severity=critical

# Scan specific files
ubs scan src/auth.rs src/parser.rs --severity=high

Full Scan (Verification)

bash
# Full scan with all rules
ubs scan . --all-rules

# With SARIF output for CI
ubs scan . --format=sarif > ubs-report.sarif

# With JSON for processing
ubs scan . --format=json > ubs-findings.json

Language-Specific

bash
# Rust-focused scan
ubs scan . --lang=rust --include-unsafe

# TypeScript scan
ubs scan . --lang=typescript --strict

Essentialism Filter

Apply the 90% rule to UBS findings:

Vital Few Categories (Always Surface)

  1. Security vulnerabilities
  2. Memory safety issues
  3. Data corruption risks
  4. Logic errors causing wrong results
  5. Resource leaks

Avoid At All Cost (Filter Out)

  1. Style-only issues (use clippy/eslint instead)
  2. Documentation-only warnings
  3. Low-confidence hypotheticals
  4. Duplicate findings

Filtering Command

bash
# Get only vital-few findings
ubs scan . --severity=high,critical --confidence=90

Integration with Quality Gate

When called from the quality-gate skill:

  1. Determine Scan Scope

    • Files changed in PR/commit
    • Risk profile from quality-gate intake

  2. Select Appropriate Rules

    • Security touched → --rules=security
    • Unsafe code → --rules=memory-safety
    • Async code → --rules=concurrency

  3. Run Scan

    bash
    ubs scan <changed-files> --rules=<risk-based> --format=json

  4. Report Findings

    • Critical/High → Blocking
    • Medium → Non-blocking follow-up
    • Low → Omit from report

Output Format

For Quality Gate Report

markdown
### Static Analysis (UBS)

**Status**: ✅ Pass | ⚠️ Pass with Follow-ups | ❌ Fail

**Findings Summary**: {critical}/{high}/{medium} issues

**Critical (Blocking)**:
- [{rule-id}] {description} at `{file}:{line}` - {remediation}

**High (Should Fix)**:
- [{rule-id}] {description} at `{file}:{line}` - {remediation}

**Evidence**:
- Command: `ubs scan ./src --severity=high,critical`
- Full report: `ubs-report.sarif`

For Code Review

markdown
**UBS Finding**: [{severity}] {rule-id}
**Location**: `{file}:{line}`
**Issue**: {description}
**Impact**: {what could go wrong}
**Fix**: {how to remediate}

```{language}
// Before (vulnerable)
{problematic code}

// After (fixed)
{corrected code}


## Common UBS Findings and Fixes

### Null/Undefined Access (JS/TS)
```javascript
// UBS-JS-001: Unguarded property access
// Before
const name = user.profile.name;

// After
const name = user?.profile?.name ?? 'Unknown';

Missing Await (JS/TS)

javascript
// UBS-JS-042: Missing await on async function
// Before
function process() {
    fetchData(); // Silent failure if this rejects
}

// After
async function process() {
    await fetchData();
}

Unbounded Allocation (Rust)

rust
// UBS-RUST-017: Unbounded Vec from untrusted input
// Before
fn parse(count: usize) -> Vec<Item> {
    Vec::with_capacity(count) // DoS vector
}

// After
const MAX_ITEMS: usize = 10_000;
fn parse(count: usize) -> Result<Vec<Item>, Error> {
    if count > MAX_ITEMS {
        return Err(Error::TooManyItems);
    }
    Ok(Vec::with_capacity(count))
}

Injection (Python)

python
# UBS-PY-SEC-003: SQL injection via string formatting
# Before
cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")

# After
cursor.execute("SELECT * FROM users WHERE name = ?", (name,))

Resource Leak (Go)

go
// UBS-GO-012: Unclosed file handle
// Before
func read(path string) []byte {
    f, _ := os.Open(path)
    data, _ := io.ReadAll(f)
    return data // f never closed
}

// After
func read(path string) ([]byte, error) {
    f, err := os.Open(path)
    if err != nil {
        return nil, err
    }
    defer f.Close()
    return io.ReadAll(f)
}

Installation

bash
# Via curl (recommended)
curl -fsSL https://raw.githubusercontent.com/Dicklesworthstone/ultimate_bug_scanner/main/install.sh | bash

# Via Homebrew
brew install ultimate-bug-scanner

# Via Docker
docker pull dicklesworthstone/ubs

Verification

After running UBS:

  1. Confirm all critical findings are addressed
  2. Document any accepted risks with justification
  3. Include UBS report in quality gate evidence pack

Constraints

  • Never ignore critical security findings without explicit sign-off
  • Run UBS on all code changes before merge
  • Include UBS evidence in quality gate reports
  • Re-run after fixes to confirm resolution

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

terraphim/codex-skills

1password-secrets

Secure secret management using 1Password CLI. Detect plaintext secrets in files and codebases, convert environment files to 1Password templates, inject secrets securely using op inject, and audit codebases for security compliance.

2 0
Explore
terraphim/codex-skills

debugging

Systematic debugging for Rust applications. Root cause analysis, logging strategies, profiling, and issue reproduction. All debug changes removed before final report.

2 0
Explore
terraphim/codex-skills

open-source-contribution

Open source contribution best practices. Creating quality pull requests, writing good issues, following project conventions, and collaborating effectively with maintainers.

2 0
Explore
terraphim/codex-skills

git-safety-guard

Blocks destructive git and filesystem commands before execution. Prevents accidental loss of uncommitted work from git checkout --, git reset --hard, rm -rf, and similar destructive operations. Works as a Claude Code PreToolUse hook with fail-open semantics.

2 0
Explore
terraphim/codex-skills

community-engagement

Open source community building and engagement. Welcoming contributors, managing discussions, writing release notes, and fostering a healthy project ecosystem.

2 0
Explore
terraphim/codex-skills

disciplined-implementation

Phase 3 of disciplined development. Executes approved implementation plans step by step. Each step includes tests, follows the design exactly, and produces reviewable commits.

2 0
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results