UBS - Ultimate Bug Scanner
Static analysis tool built for AI coding workflows. Catches bugs that AI agents commonly introduce: null safety, async/await issues, security holes, memory leaks. Scans JS/TS, Python, Go, Rust, Java, C++, Ruby, Swift in 3-5 seconds.
Why This Exists
AI agents move fast. Bugs move faster. You're shipping features in minutes, but:
- Null pointer crashes slip through
- Missing causes silent failures
- XSS vulnerabilities reach production
- Memory leaks accumulate
UBS is the quality gate: scan before commit, fix before merge.
Golden Rule
bash
ubs <changed-files> --fail-on-warning
Exit 0 = safe to commit. Exit 1 = fix and re-run.
Essential Commands
Quick Scans (Use These)
bash
ubs file.ts file2.py # Specific files (< 1s)
ubs $(git diff --name-only --cached) # Staged files
ubs --staged # Same, cleaner syntax
ubs --diff # Working tree vs HEAD
Full Project Scans
bash
ubs . # Current directory
ubs /path/to/project # Specific path
ubs --only=js,python src/ # Language filter (faster)
CI/CD Mode
bash
ubs --ci --fail-on-warning . # Strict mode for CI
ubs --format=json . # Machine-readable
ubs --format=sarif . # GitHub code scanning
Output Format
⚠️ Category (N errors)
file.ts:42:5 – Issue description
💡 Suggested fix
Exit code: 1
Parse:
→ location |
→ how to fix | Exit 0/1 → pass/fail
The 18 Detection Categories
Critical (Always Fix)
| Category | What It Catches |
|---|
| Null Safety | Unguarded property access, missing null checks |
| Security | XSS, injection, prototype pollution, hardcoded secrets |
| Async/Await | Missing await, unhandled rejections, race conditions |
| Memory Leaks | Event listeners without cleanup, timer leaks |
| Type Coercion | vs , without radix, NaN comparison |
Important (Production Risk)
| Category | What It Catches |
|---|
| Division Safety | Division without zero check |
| Resource Lifecycle | Unclosed files, connections, context managers |
| Error Handling | Empty catch blocks, swallowed errors |
| Promise Chains | without |
| Array Mutations | Mutating during iteration |
Code Quality (Contextual)
| Category | What It Catches |
|---|
| Debug Code | , , statements |
| TODO Markers | , , comments |
| Type Safety | TypeScript usage |
| Readability | Complex ternaries, deep nesting |
Language-Specific Detection
| Language | Key Patterns |
|---|
| JavaScript/TypeScript | innerHTML XSS, eval(), missing await, React hooks deps |
| Python | eval(), open() without with, missing encoding=, None checks |
| Go | Nil pointer, goroutine leaks, defer symmetry, context cancel |
| Rust | panics, blocks, Option handling |
| Java | Resource leaks (try-with-resources), null checks, JDBC |
| C/C++ | Buffer overflows, strcpy(), memory leaks, use-after-free |
| Ruby | eval(), send(), instance_variable_set |
| Swift | Force unwrap (!), ObjC bridging issues |
Profiles
bash
ubs --profile=strict . # Fail on warnings, enforce high standards
ubs --profile=loose . # Skip TODO/debug nits when prototyping
Category Packs (Focused Scans)
bash
ubs --category=resource-lifecycle . # Python/Go/Java resource hygiene
Narrows scan to relevant languages and suppresses unrelated categories.
Comparison Mode (Regression Detection)
bash
# Capture baseline
ubs --ci --report-json .ubs/baseline.json .
# Compare against baseline
ubs --ci --comparison .ubs/baseline.json --report-json .ubs/latest.json .
Useful for CI to detect regressions vs. main branch.
Output Formats
| Format | Flag | Use Case |
|---|
| text | (default) | Human-readable terminal output |
| json | | Machine parsing, scripting |
| jsonl | | Line-delimited, streaming |
| sarif | | GitHub code scanning |
| html | | PR attachments, dashboards |
Inline Suppression
When a finding is intentional:
javascript
eval(trustedCode); // ubs:ignore
// ubs:ignore-next-line
dangerousOperation();
Exit Codes
| Code | Meaning |
|---|
| No critical issues (safe to commit) |
| Critical issues or warnings (with ) |
| Environment error (missing ast-grep, etc.) |
Doctor Command
bash
ubs doctor # Check environment
ubs doctor --fix # Auto-fix missing dependencies
Checks: curl/wget, ast-grep, ripgrep, jq, typos, Node.js + TypeScript.
Agent Integration
UBS auto-configures hooks for coding agents during install:
| Agent | Hook Location |
|---|
| Claude Code | .claude/hooks/on-file-write.sh
|
| Cursor | |
| Codex CLI | |
| Gemini | |
| Windsurf | |
| Cline | |
Claude Code Hook Pattern
bash
#!/bin/bash
# .claude/hooks/on-file-write.sh
if [[ "$FILE_PATH" =~ \.(js|jsx|ts|tsx|py|go|rs|java|rb)$ ]]; then
echo "🔬 Quality check running..."
if ubs "${PROJECT_DIR}" --ci 2>&1 | head -30; then
echo "✅ No critical issues"
else
echo "⚠️ Issues detected - review above"
fi
fi
Git Pre-Commit Hook
bash
#!/bin/bash
# .git/hooks/pre-commit
echo "🔬 Running bug scanner..."
if ! ubs . --fail-on-warning 2>&1 | tail -30; then
echo "❌ Critical issues found. Fix or: git commit --no-verify"
exit 1
fi
echo "✅ Quality check passed"
Performance
Small (5K lines): 0.8 seconds
Medium (50K lines): 3.2 seconds
Large (200K lines): 12 seconds
Huge (1M lines): 58 seconds
10,000+ lines per second. Use
to control parallelism.
Speed Tips
- Scope to changed files: (< 1s) vs (30s)
- Use --staged or --diff: Only scan what you're committing
- Language filter: skips irrelevant scanners
- Skip categories: to skip debug/TODO markers
Fix Workflow
1. Read finding → category + fix suggestion
2. Navigate file:line:col → view context
3. Verify real issue (not false positive)
4. Fix root cause (not symptom)
5. Re-run ubs <file> → exit 0
6. Commit
Bug Severity Guide
- Critical (always fix): Null safety, XSS/injection, async/await, memory leaks
- Important (production): Type narrowing, division-by-zero, resource leaks
- Contextual (judgment): TODO/FIXME, console logs
Common Anti-Patterns
| Don't | Do |
|---|
| Ignore findings | Investigate each |
| Full scan per edit | Scope to changed files |
| Fix symptom () | Fix root cause () |
| Suppress without understanding | Verify false positive first |
Installation
bash
# One-liner (recommended)
curl -fsSL "https://raw.githubusercontent.com/Dicklesworthstone/ultimate_bug_scanner/master/install.sh?$(date +%s)" | bash -s -- --easy-mode
# Manual
curl -fsSL https://raw.githubusercontent.com/Dicklesworthstone/ultimate_bug_scanner/master/ubs \
-o /usr/local/bin/ubs && chmod +x /usr/local/bin/ubs
Custom AST Rules
bash
mkdir -p ~/.config/ubs/rules
cat > ~/.config/ubs/rules/no-console.yml <<'EOF'
id: custom.no-console
language: javascript
rule:
pattern: console.log($$$)
severity: warning
message: "Remove console.log before production"
EOF
ubs . --rules=~/.config/ubs/rules
Excluding Paths
bash
ubs . --exclude=legacy,generated,vendor
Auto-ignored:
,
,
,
,
, editor caches.
Session Logs
bash
ubs sessions --entries 1 # View latest install session
Integration with Flywheel
| Tool | Integration |
|---|
| BV | exports findings for Beads |
| CASS | Search past sessions for similar bug patterns |
| CM | Extract rules from UBS findings |
| Agent Mail | Notify agents of scan results |
| DCG | UBS runs inside DCG protection |
Troubleshooting
| Error | Fix |
|---|
| "Environment error" (exit 2) | |
| "ast-grep not found" | or |
| Too many false positives | Use or |
| Slow scans | Scope to files: not |