santosomar/static-bug-detector
skills/debugging/static-bug-detector/SKILL.md
Identifies bugs through static code analysis (null dereferences, type mismatches, control flow issues) without executing the program. Use when scanning code for defects before running tests, when the user asks for static analysis, or when integrating with CI for defect detection.
development
Updated Apr 13, 2026
$ install --global
skillsauthnpx skillsauth add santosomar/general-secure-coding-agent-skills static-bug-detectorInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 13, 2026, 4:16 AM10.4s1 file scanned
SKILL.md
- name:
- static-bug-detector
- description:
- Identifies bugs through static code analysis (null dereferences, type mismatches, control flow issues) without executing the program. Use when scanning code for defects before running tests, when the user asks for static analysis, or when integrating with CI for defect detection.
- license:
- Apache-2.0
- category:
- debugging
- suite:
- general-secure-coding-agent-skills
- version:
- 0.3.0
- related:
- semantic-bug-detector, bug-localization
Static Bug Detector
Find bugs that are syntactically provable without running the code. This is the fast, shallow pass: it won't catch design bugs, but everything it catches is real (or should be — see FP suppression below).
Signal catalog
| Defect class | What to look for | False-positive trap |
| ----------------------- | ------------------------------------------------------------- | ------------------------------------------------ |
| Null/undefined deref | Path where x could be null and is dereferenced | Framework guarantees non-null (Spring @Autowired, DI) |
| Uninitialized read | Variable read before any assignment on some path | Language zero-initializes (Go, Java fields) |
| Dead store | Assignment never read before reassign/return/scope-end | Intentional — value used by debugger/reflection |
| Unreachable code | Statements after unconditional return/throw/break | Intentional dead-switch-default for exhaustiveness |
| Resource leak | open/acquire with no close/release on all exit paths | Ownership transferred to caller (factory pattern) |
| Unchecked return | err/Result/error-returning API call ignored | Intentionally best-effort (_ = file.Close()) |
| Always-true/false cond | Condition provably constant via value-range or type | Defensive belt-and-suspenders after earlier guard |
| Identical branches | if/else bodies are syntactically identical | Copy-paste placeholder during dev — rarely intentional |
| Self-assignment / no-op | x = x, list.remove(x); list.add(x) with no side effect | Rarely intentional; near-always a bug |
| Format string mismatch | printf/format arg count or type mismatch | Almost never a false positive |
| Integer over/underflow | Arithmetic that provably exceeds type range | Intentional wraparound (hash, checksum) |
Ranking heuristic
Sort findings by severity × confidence × reachability:
- Severity: crash (3) > data corruption (3) > leak (2) > dead code (1)
- Confidence: intraprocedural proof (1.0) > interprocedural with summaries (0.7) > heuristic pattern (0.4)
- Reachability: in a hot path / entry point (1.0) > library code (0.6) > test code (0.2)
FP suppression
Before reporting, check each finding against the FP-trap column above. Then:
- Grep for suppression comments near the finding (
// NOSONAR,# noqa,// SAFETY:). If someone already justified it, lower confidence to 0. - Check the type system. If the language guarantees the property (Rust borrow checker, TypeScript
strictNullChecks), you're fighting the compiler. - Look for a test that exercises this path and passes. If covered and green, the "bug" might be a spec, not a defect.
Worked example
Code:
public String getDisplayName(User u) {
if (u.getNickname() != null) {
return u.getNickname();
}
return u.getFullName().toUpperCase(); // line 12
}
Finding:
src/User.java:12 NULL_DEREFERENCE severity=high confidence=0.7
`u.getFullName()` may return null (no @NonNull annotation, and UserBuilder
permits `fullName` to be unset), and `.toUpperCase()` would NPE.
Callers checked: 3/3 pass non-null `u`, so the outer `u` is safe.
But no caller guarantees `u.fullName` is set.
Suggested fix:
return Optional.ofNullable(u.getFullName()).map(String::toUpperCase).orElse("");
Edge cases
- Generated code: Suppress. Nobody will fix
*.pb.goor*_generated.ts. Report the generator config instead if the pattern is dangerous. - Dynamic languages with no type info: Fall back to name heuristics (
xOrNull,maybe_x,Optional[X]in docstrings) and flow-sensitive narrowing. Accept the lower confidence. - Macros / metaprogramming: Analyze the expansion, not the source. If you can't expand, report as
confidence=lowand note why.
Do not
- Do not report dead code in
if DEBUG:or#ifdefblocks as bugs. It's conditional, not dead. - Do not flag a null-check before a deref as "redundant" just because you also see a deref after. The check might be the only thing saving the deref.
- Do not report findings in vendored/third-party directories. Nobody will fix
node_modules/. - Do not emit more than ~50 findings per run without also emitting a summary histogram. Walls of findings get ignored.
Output format
Emit SARIF if the consumer is CI. Otherwise:
<file>:<line> <RULE_ID> severity=<low|med|high> confidence=<0.0-1.0>
<one-line explanation of why this is a bug>
<one-line suggested fix, or "manual review required">
Related Skills
santosomar/verified-pseudocode-extractor
development
VerifiedTrustedCommunity
Extracts human-readable pseudocode from a verified formal artifact (Dafny, Lean, TLA+) while preserving the verified properties as annotations, so the proof-carrying logic can be reimplemented in a production language. Use when porting verified code to an unverified target, when documenting what a formal spec actually does, or when handing a verified algorithm to an implementer.
SKILL.mdUpdated Apr 13, 2026
santosomar/tlaplus-spec-generator
development
VerifiedTrustedCommunity
Translates natural-language or pseudocode descriptions of concurrent and distributed systems into TLA+ specifications ready for the TLC model checker. Identifies state variables, actions, type invariants, safety properties, and liveness properties from the description. Use when formalizing a protocol, when the user describes a distributed algorithm to verify, when designing a consensus or locking scheme, or when starting formal verification of a concurrent system.
SKILL.mdUpdated Apr 13, 2026
santosomar/tlaplus-model-reduction
testing
VerifiedTrustedCommunity
Reduces a TLA+ model so TLC can actually check it — shrinks constants, adds state constraints, abstracts data, or applies symmetry — when the state space is too large to enumerate. Use when TLC runs out of memory, when checking takes hours, or when a spec works at N=2 and you need confidence at larger scale.
SKILL.mdUpdated Apr 13, 2026
santosomar/tlaplus-guided-code-repair
development
VerifiedTrustedCommunity
TLA+-specific instance of model-guided repair — reads a TLC error trace, identifies the enabling condition that should have been false, strengthens the corresponding action, and maps the fix to source code. Use when TLC reports an invariant violation or deadlock and you have the code-to-TLA+ mapping from extraction.
SKILL.mdUpdated Apr 13, 2026