AgentSkillsCN

ubs-bug-scan

[WHAT] Static analysis with Ultimate Bug Scanner (UBS): multi-language AST-level bug detection. [HOW] Run UBS only on changed or staged files, parse the findings by severity, and fix critical issues inline in the code. [WHEN] Before every commit, during PR review, or when asked to scan for bugs, run static analysis, or improve code quality. [WHY] Catches resource leaks, null-pointer dereferences, type-narrowing gaps, and common concurrency defects that traditional linters often miss.

SKILL.md
---
name: ubs-bug-scan
description: |
  [WHAT] Static analysis gate using Ultimate Bug Scanner (UBS) — multi-language AST-level bug detection.
  [HOW] Runs `ubs` scoped to changed/staged files, parses findings by severity, fixes critical issues inline.
  [WHEN] Before every commit. On PR review. When asked to scan for bugs, static analysis, or code quality.
  [WHY] Catches resource leaks, null derefs, type narrowing gaps, and concurrency bugs that linters miss.
skill_type: workflow
related_skills: [pr-review, security-best-practices, clean-code]
allowed_tools: Read, Bash, Glob, Grep
user_invocable: true
---

UBS Bug Scan

Prerequisites

```bash
# Install UBS
brew install dicklesworthstone/tap/ubs

# Verify
ubs --version
```

If `command -v ubs` fails, emit the install one-liner above and stop.

Workflow

1. Determine Scope

Pick the narrowest scope that covers the work:

| Situation | Command | Speed |
|---|---|---|
| Pre-commit (staged files) | `ubs --staged` | <1s |
| Working tree changes | `ubs --diff` | <1s |
| Specific files | `ubs src/file.ts src/other.ts` | <1s |
| Full project | `ubs .` | ~30s |

Speed tip: Always scope to changed files. Full-project scans are for baselines only.

2. Run Scan

```bash
# Agent-parseable output (JSON)
ubs --staged --format=json --ci

# Token-efficient output (text, truncated)
ubs --staged --ci 2>&1 | tail -40

# Language-scoped
ubs --staged --only=js,python --ci
```

3. Parse Output

Findings have three severities:

| Severity | Action | Exit code |
|---|---|---|
| critical | Must fix before commit | non-zero |
| warning | Should fix, judgment call | non-zero with `--fail-on-warning` |
| info | Optional improvement | zero |

JSON output structure:

```json
{
  "summary": { "critical": 0, "warning": 1, "info": 3 },
  "findings": [
    {
      "file": "src/foo.ts",
      "line": 42,
      "severity": "warning",
      "category": "resource-lifecycle",
      "message": "File handle opened but never closed"
    }
  ]
}
```

4. Fix Findings

For each finding:

  1. Navigate to `file:line`
  2. Verify it's not a false positive (check surrounding context)
  3. Fix the root cause (not just the symptom)
  4. Re-run `ubs <file>` to confirm the fix
  5. Repeat until exit 0

5. Commit Gate

```bash
# Golden rule: run before every commit
ubs --staged --ci
# Exit 0 = safe to commit
# Exit >0 = fix findings first
```
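The parse-and-gate steps above, as an added example that is not part of UBS or this skill: a small Python helper that reads `ubs --format=json` output in the shape shown in step 3, orders findings for the fix loop, and applies the severity table's exit-code rule (critical blocks, warning blocks only with `--fail-on-warning`, info never blocks). The sample report and its `null-deref`/`style` categories are constructed; only the JSON field names come from the page.

```python
"""Parse UBS JSON output and apply the commit-gate rule (added example)."""
import json
from collections import defaultdict

SEVERITY_RANK = {"critical": 0, "warning": 1, "info": 2}

# Constructed sample in the shape of `ubs --staged --format=json --ci`.
# The category values below are made up for illustration.
SAMPLE_OUTPUT = json.dumps({
    "summary": {"critical": 1, "warning": 1, "info": 1},
    "findings": [
        {"file": "src/foo.ts", "line": 42, "severity": "warning",
         "category": "resource-lifecycle",
         "message": "File handle opened but never closed"},
        {"file": "src/bar.py", "line": 7, "severity": "critical",
         "category": "null-deref", "message": "Possible None dereference"},
        {"file": "src/foo.ts", "line": 10, "severity": "info",
         "category": "style", "message": "Unused import"},
    ],
})


def parse_report(text):
    """Return (summary, findings). The summary is recounted from the
    findings list rather than trusted, and findings are sorted
    critical-first, then by file and line, so fixing starts at the worst."""
    report = json.loads(text)
    findings = report.get("findings", [])
    summary = defaultdict(int)
    for f in findings:
        summary[f["severity"]] += 1
    findings.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 99),
                                 f["file"], f["line"]))
    return dict(summary), findings


def gate_exit_code(summary, fail_on_warning=False):
    """Mirror the severity table: critical -> non-zero; warning -> non-zero
    only with --fail-on-warning; info -> zero."""
    if summary.get("critical", 0):
        return 1
    if fail_on_warning and summary.get("warning", 0):
        return 1
    return 0


def fix_order(findings):
    """file:line targets in the order the Fix Findings loop should visit."""
    return [f"{f['file']}:{f['line']}" for f in findings
            if f["severity"] != "info"]


if __name__ == "__main__":
    summary, findings = parse_report(SAMPLE_OUTPUT)
    print(summary, fix_order(findings))
    raise SystemExit(gate_exit_code(summary, fail_on_warning=True))
```

Pipe real output in with `ubs --staged --format=json --ci | python3 gate.py` after replacing `SAMPLE_OUTPUT` with `sys.stdin.read()`.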

Useful Flags

| Flag | Purpose |
|---|---|
| `--format=json` | Machine-parseable output |
| `--format=sarif` | SARIF for IDE integration |
| `--ci` | Stable timestamps, CI-friendly |
| `--only=js,python` | Restrict to specific languages |
| `--exclude=rust` | Skip specific languages |
| `--category=resource-lifecycle` | Focus on category packs |
| `--fail-on-warning` | Treat warnings as failures |
| `--staged` | Scan only git-staged files |
| `--diff` | Scan only modified files (working tree vs HEAD) |
| `--comparison=baseline.json` | Diff against a baseline |
| `--html-report=report.html` | Generate shareable HTML report |
| `--suggest-ignore` | Show directories to add to `.ubsignore` |

Anti-Patterns

  • Running `ubs .` on every commit (slow, noisy)
  • Ignoring critical findings with `UBS_SKIP=1`
  • Fixing symptoms instead of root causes
  • Not re-running after fixes to confirm resolution

Reference

See `references/ubs-quickref.md` for a condensed command reference and severity guide.