The Lens

Bumblebee answers one question fast: which of my machines have a known-compromised package installed? It's a read-only scanner from Perplexity that inventories what's on a developer's laptop or server, npm, PyPI, Go modules, RubyGems, Composer, browser and editor extensions, MCP configs, and flags anything matching a catalog of known-bad versions. Free, Apache-2.0, written in Go.

The read-only part matters. It never runs a package manager, never reads your source, and deliberately won't print credential values out of MCP configs. It just reads lockfiles and metadata. That makes it safe to run across a fleet during an incident, which is exactly the job it's built for: supply-chain incident response, not continuous scanning.

The catch: it's narrow on purpose. You supply the catalog of compromised packages, and Bumblebee matches against it. It won't find unknown vulnerabilities or do what a full SCA tool like Snyk does. For 'a bad package just hit the news, who's exposed,' it's perfect. For ongoing dependency security, it's not the whole answer.

Explore Further

GitHub Repository

Source code, issues, README

Reddit Discussions

Community opinions and use cases

Hacker News

HN threads and discussions

Dev.to Articles

Tutorials and write-ups

Tutorials & Guides

Getting started resources

bumblebee

The Lens

Free vs Self-Hosted vs Paid

License: Apache License 2.0

About

Explore Further

More tools in the directory

career-ops

kitty

owncast