santosomar/szz-bug-identifier
skills/debugging/szz-bug-identifier/SKILL.md
Applies the SZZ algorithm to VCS history to identify which commits introduced bugs by correlating bug-fix commits with earlier changes. Use when mining a repository for bug-introducing commits, when building a defect-prediction dataset, or when the user asks which commit introduced a given fixed bug.
development
Updated Apr 13, 2026
$ install --global
skillsauthnpx skillsauth add santosomar/general-secure-coding-agent-skills szz-bug-identifierInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 24, 2026, 8:44 PM1.8s1 file scanned
SKILL.md
- name:
- szz-bug-identifier
- description:
- Applies the SZZ algorithm to VCS history to identify which commits introduced bugs by correlating bug-fix commits with earlier changes. Use when mining a repository for bug-introducing commits, when building a defect-prediction dataset, or when the user asks which commit introduced a given fixed bug.
- license:
- Apache-2.0
- category:
- debugging
- suite:
- general-secure-coding-agent-skills
- version:
- 0.3.0
- related:
- semantic-szz-analyzer, regression-root-cause-analyzer
SZZ Bug Identifier
SZZ (Śliwerski, Zimmermann, Zeller, 2005) answers: given a bug-fix commit, which earlier commit introduced the bug? It works by blaming the lines the fix touched.
The algorithm — classic SZZ
- Identify the fix commit. Usually via a link to an issue tracker (
Fixes #1234,BUG-567) or a message keyword (fix,bug,patch). - Extract the deleted/modified lines. In the fix's diff, every line removed or changed is a line that was (potentially) buggy.
- Blame each of those lines.
git blame <fix>^ -- <file>on each modified line to find the commit that last touched it before the fix. - Those blamed commits are bug-introducing candidates.
That's the whole algorithm. The rest is noise filtering.
Noise filters — classic SZZ's known weaknesses
| Noise source | Why it's wrong | Filter |
| --------------------------------- | -------------------------------------------------------- | ------------------------------------------------------ |
| Whitespace / formatting changes | Blame hits a prettier run, not the real introducer | git blame -w; ignore commits that only touch formatting |
| Comment-only changes | The fix edited a comment too — that line is not the bug | Strip comment lines before blaming |
| Large refactor commits | Every line blames to the Great Refactor of 2019 | git blame --ignore-rev with a curated ignore-list |
| The line was added by the fix | No blame target — added lines didn't exist before | Only blame deleted/modified lines, not added |
| Bug predates the repo | Blame hits the initial import commit | Flag — can't attribute |
| Moved file | Blame stops at the git mv | git blame -C -M to follow moves/copies |
| Blamed commit is newer than bug report | The bug existed before that commit; blame is wrong | Discard candidates with commit-date > bug-report-date |
Worked example
Fix commit: c4a9f1b — Fix: null check in getUserEmail (closes #892)
public String getUserEmail(long id) {
User u = repo.find(id);
- return u.getEmail();
+ if (u == null) return null;
+ return u.getEmail();
}
Step 2: Modified line is return u.getEmail(); (the old version).
Step 3: git blame c4a9f1b^ -- UserService.java at that line → a17d3e0 — Add UserService (Jane, 2021-03-04).
Step 4: Candidate = a17d3e0.
Filters:
- Whitespace? No, it's a real code line. ✓
- Comment? No. ✓
- Refactor in ignore-list? No. ✓
- Added by the fix? No — this is the old version of a modified line. ✓
- Newer than bug report? Issue #892 opened 2023-11-01;
a17d3e0is 2021. ✓
Verdict: a17d3e0 introduced the bug. The null-check was never there.
Edge cases
- Multi-line fix where lines blame to different commits: Each blamed commit is a candidate. Usually one is the real introducer and the rest are incidental; →
semantic-szz-analyzerto distinguish. - Fix is a one-line addition (no deletion): Classic SZZ has nothing to blame. Heuristic: blame the surrounding lines (the ones the added line sits between). Low confidence.
- The fix reverts an earlier commit entirely:
git revert— the reverted commit IS the bug-introducer, definitionally. Shortcut: check if the fix is a revert before running SZZ. - Cherry-picked commits: The blame may point at the cherry-pick, not the original. Check for
(cherry picked from commit …)trailers and follow the chain.
Do not
- Do not treat SZZ output as ground truth. Published precision is 40–70% without filters. It's a candidate generator for human review.
- Do not run SZZ on a repo without a curated
.git-blame-ignore-revs. Without it, every result blames the last formatting pass. - Do not use commit-message keyword matching (
fix,bug) as your only fix-identification signal. False-positive rate is brutal. Prefer issue-tracker links. - Do not run SZZ at bug-fix time for a single bug — that's what →
regression-root-cause-analyzeris for (bisect is more precise). SZZ is for batch mining.
Output format
fix: <sha> — <subject>
candidates:
<sha> — <subject> (<date>, <author>)
blamed from: <file>:<line>
filters passed: whitespace ✓ comment ✓ date ✓
confidence: <high|medium|low>
...
Related Skills
santosomar/verified-pseudocode-extractor
development
VerifiedTrustedCommunity
Extracts human-readable pseudocode from a verified formal artifact (Dafny, Lean, TLA+) while preserving the verified properties as annotations, so the proof-carrying logic can be reimplemented in a production language. Use when porting verified code to an unverified target, when documenting what a formal spec actually does, or when handing a verified algorithm to an implementer.
SKILL.mdUpdated Apr 13, 2026
santosomar/tlaplus-spec-generator
development
VerifiedTrustedCommunity
Translates natural-language or pseudocode descriptions of concurrent and distributed systems into TLA+ specifications ready for the TLC model checker. Identifies state variables, actions, type invariants, safety properties, and liveness properties from the description. Use when formalizing a protocol, when the user describes a distributed algorithm to verify, when designing a consensus or locking scheme, or when starting formal verification of a concurrent system.
SKILL.mdUpdated Apr 13, 2026
santosomar/tlaplus-model-reduction
testing
VerifiedTrustedCommunity
Reduces a TLA+ model so TLC can actually check it — shrinks constants, adds state constraints, abstracts data, or applies symmetry — when the state space is too large to enumerate. Use when TLC runs out of memory, when checking takes hours, or when a spec works at N=2 and you need confidence at larger scale.
SKILL.mdUpdated Apr 13, 2026
santosomar/tlaplus-guided-code-repair
development
VerifiedTrustedCommunity
TLA+-specific instance of model-guided repair — reads a TLC error trace, identifies the enabling condition that should have been false, strengthens the corresponding action, and maps the fix to source code. Use when TLC reports an invariant violation or deadlock and you have the code-to-TLA+ mapping from extraction.
SKILL.mdUpdated Apr 13, 2026