Tools/perplexityai/bumblebee

bumblebee

Read-only developer endpoint scanner for on-disk package, extension, and developer-tool metadata, built to check exposure to known software supply-chain compromises.

4.8k+58/wkemergingGoApache License 2.0new this week

The Lens

Bumblebee answers one question fast: which of my machines have a known-compromised package installed? It's a read-only scanner from Perplexity that inventories what's on a developer's laptop or server, npm, PyPI, Go modules, RubyGems, Composer, browser and editor extensions, MCP configs, and flags anything matching a catalog of known-bad versions. Free, Apache-2.0, written in Go.

The read-only part matters. It never runs a package manager, never reads your source, and deliberately won't print credential values out of MCP configs. It just reads lockfiles and metadata. That makes it safe to run across a fleet during an incident, which is exactly the job it's built for: supply-chain incident response, not continuous scanning.

The catch: it's narrow on purpose. You supply the catalog of compromised packages, and Bumblebee matches against it. It won't find unknown vulnerabilities or do what a full SCA tool like Snyk does. For 'a bad package just hit the news, who's exposed,' it's perfect. For ongoing dependency security, it's not the whole answer.

Free vs Self-Hosted vs Paid

fully free

Free: Apache-2.0, free, go install. No tiers.

Self-hosted: Runs locally as a read-only scanner. Nothing to host.

Paid: No paid version. It's an open source project from Perplexity.

Free and open source. A narrow incident-response tool, not a full SCA scanner.

Self-hosting ops:trivial

Get tools like this every Wednesday

One featured tool, three on the radar. No fluff.

Score
69/100 · B
Adoption17/30
Maintenance22/25
Community5/20
License15/15
Analysis10/10

License: Apache License 2.0

Use freely. Patent grant included.

Commercial use: ✓ Yes

About

Owner
Perplexity (Organization)
Stars
4,761
Forks
430

Explore Further

More tools in the directory