ultimate_bug_scanner by Dicklesworthstone

AI coding agent's secret weapon for early bug detection

Created 7 months ago
256 stars

Top 98.5% on SourcePulse

Project Summary

This project addresses the challenge of rapidly identifying over 1000 bug patterns across multiple programming languages, specifically designed to integrate seamlessly with AI coding agents. It offers a fast, zero-configuration solution for developers and AI agents to catch critical bugs early, saving significant debugging time and improving code quality. The primary benefit is enabling faster, more confident development cycles, especially when leveraging AI-generated code.

How It Works

The tool employs a multi-language, multi-layered analysis engine. It auto-detects and scans JavaScript/TypeScript, Python, Go, Rust, Java, C/C++, Ruby, Swift, C#, and Elixir using a combination of fast regex-based pattern matching (via ripgrep) and deep Abstract Syntax Tree (AST) analysis (via ast-grep). This approach reduces false positives and enables semantic understanding of code. Supply-chain safeguards include pinned SHA-256 checksums for downloaded modules and optional minisign verification, ensuring integrity. Results from all languages are merged into a single, consistent output format for easy consumption by CI systems and AI agents.

Quick Start & Requirements

Installation is streamlined via a single curl command piping to bash, or via Homebrew (brew install dicklesworthstone/tap/ubs). An --easy-mode flag automates dependency installation and agent integration. Windows users require Git Bash or WSL. Key dependencies include ast-grep (auto-provisioned), ripgrep (optional, for speed), jq (for merging reports), and optionally Node.js/TypeScript for deep type-narrowing analysis.

Highlighted Details

  • AI Agent Integration: Designed for AI coding agents (Claude Code, Cursor, Copilot, etc.) with automatic guardrail setup and machine-readable output formats (JSON, TOON).
  • Multi-Language Support: Scans 10 popular languages in a single pass, unifying findings.
  • Speed: Achieves sub-5-second scan times for medium-sized projects, enabling tight iteration loops.
  • AST-Based Analysis: Utilizes semantic code understanding beyond regex for deeper bug detection, including resource lifecycle tracking and type narrowing.
  • Shareable Reports: Generates JSON, JSONL, SARIF, and HTML reports, with comparison features to track regressions.
  • Supply-Chain Security: Pinned checksums and optional signature verification for downloaded scanner modules.

Maintenance & Community

The project explicitly states a policy of not accepting outside contributions due to bandwidth constraints, though bug reports and illustrative PRs (submitted to show a problem or a candidate fix) are welcome. The primary maintainer reviews and integrates fixes independently. This approach prioritizes velocity for the maintainer but may represent a bus-factor risk for external users.

Licensing & Compatibility

The project is released under the MIT License, allowing for unrestricted use, modification, and distribution, including commercial applications.

Limitations & Caveats

The "no outside contributions" policy could impact long-term maintenance and responsiveness to community needs. While dependencies are auto-managed, their absence (e.g., a failed ast-grep download) can lead to reduced accuracy or to the scanner exiting with code 2. Full functionality, particularly deep type analysis, relies on optional dependencies such as Node.js and TypeScript.

Health Check

  • Last Commit: 1 day ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 0
  • Issues (30d): 5
  • Star History: 14 stars in the last 30 days
