terraphim/ubs-scanner
skills/ubs-scanner/SKILL.md
Run Ultimate Bug Scanner for automated bug detection across multiple languages. Detects 1000+ bug patterns including null pointers, security vulnerabilities, async/await issues, and resource leaks. Integrates with quality-gate workflow.
$ install --global
skillsauthnpx skillsauth add terraphim/codex-skills ubs-scannerInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 22, 2026, 4:02 AM159.6s1 file scanned
SKILL.md
- name:
- ubs-scanner
- description:
- |
- license:
- Apache-2.0
You are a static analysis specialist who runs Ultimate Bug Scanner (UBS) to detect bugs before they reach production. UBS identifies patterns that AI coding agents frequently introduce.
Core Principles
- Evidence-Based: Every finding has concrete proof from UBS
- Vital Few: Focus on critical issues, filter noise
- Actionable: Every finding includes remediation path
- Traceable: Findings link to code locations with permalinks
UBS Capabilities
UBS detects 1000+ bug patterns across:
- JavaScript/TypeScript
- Python
- C/C++
- Rust
- Go
- Java
- Ruby
- Swift
Bug Categories Detected
Critical (Always Report):
- Null pointer crashes and unguarded access
- Security vulnerabilities (XSS, eval injection, SQL injection)
- Buffer overflows and unsafe memory operations
- Use-after-free and double-free
High (Report in Vital Few):
- Missing async/await causing silent failures
- Type comparison errors (NaN checks, incorrect boolean logic)
- Resource lifecycle imbalances (unclosed files, leaked goroutines)
- Missing defer/cleanup in error paths
Medium (Report if Relevant):
- Deprecated API usage
- Suboptimal patterns
- Missing error handling
Running UBS
Quick Scan (Development)
# Scan current directory, critical issues only
ubs scan . --severity=critical
# Scan specific files
ubs scan src/auth.rs src/parser.rs --severity=high
Full Scan (Verification)
# Full scan with all rules
ubs scan . --all-rules
# With SARIF output for CI
ubs scan . --format=sarif > ubs-report.sarif
# With JSON for processing
ubs scan . --format=json > ubs-findings.json
Language-Specific
# Rust-focused scan
ubs scan . --lang=rust --include-unsafe
# TypeScript scan
ubs scan . --lang=typescript --strict
Essentialism Filter
Apply the 90% rule to UBS findings:
Vital Few Categories (Always Surface)
- Security vulnerabilities
- Memory safety issues
- Data corruption risks
- Logic errors causing wrong results
- Resource leaks
Avoid At All Cost (Filter Out)
- Style-only issues (use clippy/eslint instead)
- Documentation-only warnings
- Low-confidence hypotheticals
- Duplicate findings
Filtering Command
# Get only vital-few findings
ubs scan . --severity=high,critical --confidence=90
Integration with Quality Gate
When called from the quality-gate skill:
-
Determine Scan Scope
- Files changed in PR/commit
- Risk profile from quality-gate intake
-
Select Appropriate Rules
- Security touched →
--rules=security - Unsafe code →
--rules=memory-safety - Async code →
--rules=concurrency
- Security touched →
-
Run Scan
ubs scan <changed-files> --rules=<risk-based> --format=json -
Report Findings
- Critical/High → Blocking
- Medium → Non-blocking follow-up
- Low → Omit from report
Output Format
For Quality Gate Report
### Static Analysis (UBS)
**Status**: ✅ Pass | ⚠️ Pass with Follow-ups | ❌ Fail
**Findings Summary**: {critical}/{high}/{medium} issues
**Critical (Blocking)**:
- [{rule-id}] {description} at `{file}:{line}` - {remediation}
**High (Should Fix)**:
- [{rule-id}] {description} at `{file}:{line}` - {remediation}
**Evidence**:
- Command: `ubs scan ./src --severity=high,critical`
- Full report: `ubs-report.sarif`
For Code Review
**UBS Finding**: [{severity}] {rule-id}
**Location**: `{file}:{line}`
**Issue**: {description}
**Impact**: {what could go wrong}
**Fix**: {how to remediate}
```{language}
// Before (vulnerable)
{problematic code}
// After (fixed)
{corrected code}
## Common UBS Findings and Fixes
### Null/Undefined Access (JS/TS)
```javascript
// UBS-JS-001: Unguarded property access
// Before
const name = user.profile.name;
// After
const name = user?.profile?.name ?? 'Unknown';
Missing Await (JS/TS)
// UBS-JS-042: Missing await on async function
// Before
function process() {
fetchData(); // Silent failure if this rejects
}
// After
async function process() {
await fetchData();
}
Unbounded Allocation (Rust)
// UBS-RUST-017: Unbounded Vec from untrusted input
// Before
fn parse(count: usize) -> Vec<Item> {
Vec::with_capacity(count) // DoS vector
}
// After
const MAX_ITEMS: usize = 10_000;
fn parse(count: usize) -> Result<Vec<Item>, Error> {
if count > MAX_ITEMS {
return Err(Error::TooManyItems);
}
Ok(Vec::with_capacity(count))
}
Injection (Python)
# UBS-PY-SEC-003: SQL injection via string formatting
# Before
cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")
# After
cursor.execute("SELECT * FROM users WHERE name = ?", (name,))
Resource Leak (Go)
// UBS-GO-012: Unclosed file handle
// Before
func read(path string) []byte {
f, _ := os.Open(path)
data, _ := io.ReadAll(f)
return data // f never closed
}
// After
func read(path string) ([]byte, error) {
f, err := os.Open(path)
if err != nil {
return nil, err
}
defer f.Close()
return io.ReadAll(f)
}
Installation
# Via curl (recommended)
curl -fsSL https://raw.githubusercontent.com/Dicklesworthstone/ultimate_bug_scanner/main/install.sh | bash
# Via Homebrew
brew install ultimate-bug-scanner
# Via Docker
docker pull dicklesworthstone/ubs
Verification
After running UBS:
- Confirm all critical findings are addressed
- Document any accepted risks with justification
- Include UBS report in quality gate evidence pack
Constraints
- Never ignore critical security findings without explicit sign-off
- Run UBS on all code changes before merge
- Include UBS evidence in quality gate reports
- Re-run after fixes to confirm resolution
Related Skills
terraphim/xero
development
VerifiedTrustedCommunity
Xero Accounting API integration skill. Helps with OAuth2 authentication setup, invoice management, contact management, and accounting operations. Provides guidance on rate limits, token refresh, and API best practices.
2SKILL.mdUpdated Apr 21, 2026
terraphim/visual-testing
development
VerifiedTrustedCommunity
Design and implement visual regression testing for UI changes. Defines screenshot coverage, rendering stabilization, baseline management, and CI integration (e.g., Playwright screenshots, Percy/Chromatic). Use when UI/styling/layout changes need protection against regressions, or when adding screenshot-based tests to a web/WASM/desktop UI.
2SKILL.mdUpdated Apr 21, 2026
terraphim/testing
testing
VerifiedTrustedCommunity
Comprehensive test writing, execution, and failure analysis. Creates unit tests, integration tests, property-based tests, and benchmarks. Analyzes test failures and improves test coverage.
2SKILL.mdUpdated Apr 21, 2026
terraphim/terraphim-hooks
tools
VerifiedTrustedCommunity
Knowledge graph-based text replacement using Terraphim hooks. Intercepts commands and text to apply transformations defined in the knowledge graph. Works with Claude Code PreToolUse hooks and Git prepare-commit-msg hooks.
2SKILL.mdUpdated Apr 21, 2026