whatisgithub

What is bumblebee?

perplexityai/bumblebee — explained in plain English

Analysis updated 2026-05-18

1,523GoAudience · ops devopsComplexity · 3/5Setup · easy

In one sentence

Bumblebee is a read-only Go scanner that checks developer machines for installed packages, extensions, and dev-tool configs matching a supply-chain advisory.

Mindmap

mindmap
  root((bumblebee))
    What it does
      Reads package metadata files
      Detects supply-chain exposure
      Outputs NDJSON records
      Never executes package managers
    Tech stack
      Go
      Single static binary
    Use cases
      Baseline fleet inventory
      Project directory sweep
      Incident response deep scan
    Audience
      Security responders
      DevOps teams

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Check which developer machines have a package version named in a supply-chain security advisory.

USE CASE 2

Run a lightweight baseline scan of global tools, editor extensions, and browser extensions on a fleet.

USE CASE 3

Sweep known project directories for installed npm, PyPI, Go, RubyGems, or Composer packages.

USE CASE 4

Perform a deep, incident-response scan of a specific path or an entire home directory.

What is it built with?

Go

How does it compare?

perplexityai/bumblebeedevenjarvis/lathef/mcptools
Stars1,5231,5601,590
LanguageGoGoGo
Last pushed2026-06-27
MaintenanceActive
Setup difficultyeasyeasyeasy
Complexity3/52/52/5
Audienceops devopsdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

Single static Go binary with zero dependencies, install with go install and run bumblebee selftest to verify.

The README does not state a license.

So what is it?

Bumblebee is a read-only scanning tool that answers one specific security question: when a software supply-chain advisory names a dangerous package or version, which developer machines in your organization actually have it installed right now? It scans the files that package managers leave on disk, such as lockfiles, installed package metadata, and extension manifests, and produces a structured list of everything it finds. It never executes package manager commands or reads application source code, only the metadata files. The tool covers a wide range of package ecosystems including npm, pnpm, Yarn, Bun, Python packages, Go modules, RubyGems, and PHP Composer. It also scans editor extensions for VS Code, Cursor, and similar tools, browser extensions for Chrome-family and Firefox, and configuration files for AI coding tools that use the MCP protocol. It deliberately skips any credentials or environment variables that appear in those config files and does not include them in its output. Three scan profiles match different situations. The baseline profile does a lightweight pass over globally installed tools, language runtimes, and editor and browser extensions. The project profile sweeps configured development directories where your code repositories live. The deep profile walks any path you specify, including your entire home folder, and is designed for incident response when you already know you are looking for something specific. Baseline and project refuse to scan the home directory directly to avoid accidentally slowing down a routine scan. Output is formatted as NDJSON, one record per line, where each record describes a found package along with the machine it came from, where the evidence was found, and how confident the scanner is about the version. When you provide an exposure catalog (a JSON file listing the packages and versions under investigation), the tool emits additional finding records that flag exact matches and can suppress the full package list to show only hits. The binary is a single file with no external dependencies, built in Go. A built-in self-test command verifies the installation works correctly using embedded test data that makes no network calls. The full README is longer than what was shown.

Copy-paste prompts

Prompt 1
Show me how to run bumblebee scan --profile baseline and pipe the output to inventory.ndjson.
Prompt 2
Explain how bumblebee's exposure-catalog matching works and how to build a catalog.json file.
Prompt 3
Walk me through installing bumblebee with go install and running its selftest command.
Prompt 4
How does bumblebee avoid capturing credentials when it parses MCP host config files?

Frequently asked questions

What is bumblebee?

Bumblebee is a read-only Go scanner that checks developer machines for installed packages, extensions, and dev-tool configs matching a supply-chain advisory.

What language is bumblebee written in?

Mainly Go. The stack also includes Go.

What license does bumblebee use?

The README does not state a license.

How hard is bumblebee to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is bumblebee for?

Mainly ops devops.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.