perplexityai

Read-only inventory collector for package, extension, and developer-tool metadata on macOS and Linux developer endpoints, built for fast supply-chain exposure checks.

146
8
89% credibility
Found May 22, 2026 at 147 stars
AI Analysis

Language: Go

AI Summary

Bumblebee is a security scanning tool that helps IT and security teams quickly answer a critical question after a supply-chain attack: which of our developer machines have this compromised package installed? It works by reading through the various places where packages and tools are recorded on a developer's machine—without executing any package managers or touching sensitive data—and produces a clean, structured inventory. Security teams can then compare this inventory against known-bad package lists to immediately identify affected machines and begin remediation. The tool runs entirely read-only, respects privacy by never capturing credentials from configuration files, and outputs results in a format that works with existing security pipelines.

How It Works

1
🔍 You hear about a compromised package

A security advisory names a malicious package version that was found in the wild, and you need to find out if any of your team's machines are affected.

2
📦 You install Bumblebee on your fleet

You deploy a single small program to every developer machine in your organization, either manually or through your existing management tools.

3
Bumblebee automatically discovers installed packages

Without disturbing anyone or touching any credentials, it reads the places where installed packages are recorded: lockfiles and manifests in project directories, tool configuration files, and editor extension directories.

4
Choose how thorough the scan should be
🏠
Quick sweep

Check the common places where packages live on every machine, perfect for regular inventory checks.

📁
Project scan

Look through specific folders where your team keeps their work, ideal for daily checks.

🔬
Deep investigation

Search everywhere on a machine when you're investigating a specific incident or threat.

5
🎯 You feed it a list of bad packages

You point it to a simple list of known-compromised packages, and it flags every match it finds across your entire fleet.

6
📊 Results arrive as clean records

Every finding records where it was found, on which machine, and the evidence for the match, so you know who to notify and what to fix.

You know exactly which machines need attention

Within minutes, you have a clear picture of your exposure and can start remediating before the attackers get ahead of you.


AI-Generated Review

What is bumblebee?

Bumblebee is a read-only inventory scanner that catalogs every package, extension, and developer tool sitting on a developer's machine. Point it at a directory (or let it scan common locations automatically), and it reads lockfiles, metadata files, and config manifests to produce a structured inventory of what's installed. Built in Go as a single static binary with no external dependencies, it outputs NDJSON records that you can pipe to any log aggregator or SIEM. When you pair it with an exposure catalog, it flags exact matches for fast supply-chain response.

Why is it gaining traction?

Supply-chain security teams need to answer one question fast: which machines have a vulnerable package? Bumblebee answers it without running a single package manager command. It reads only the on-disk metadata that already exists, so it is fast, quiet, and changes nothing on the host (reading files can still update access times and shows up in file-audit telemetry, so "read-only" is the accurate claim, not "invisible"). The three scan profiles let you trade breadth for depth depending on whether you're doing daily baseline sweeps or incident response. The exposure catalog format is plain JSON, and a maintained threat_intel directory holds catalogs for real campaigns, updated through pull requests.
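The How It Works steps above and the two review paragraphs describe the same pipeline: read a lockfile that already exists on disk, emit one NDJSON record per installed package, and flag exact matches against a JSON exposure catalog. The Go program below is an added illustration of that pipeline for one ecosystem (npm package-lock.json, lockfileVersion 2 or 3). It is not bumblebee's own code: its record fields, catalog layout (ecosystem, name, exact versions, advisory id), sample lockfile, package names, file path and advisory identifier are all assumptions constructed for this example. It also shows two behaviours a responder wants from such a tool: a v1 lockfile is rejected instead of silently yielding an empty inventory, and only exact versions match, so a catalog entry can never quietly widen an advisory into a range.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"os"
	"sort"
	"strings"
)

// Record is one inventory line. Its field set is an assumption for this example, not bumblebee's schema.
type Record struct {
	Host      string `json:"host"`
	Ecosystem string `json:"ecosystem"`
	Name      string `json:"name"`
	Version   string `json:"version"`
	Source    string `json:"source"`             // file#key the fact was read from
	Evidence  string `json:"evidence,omitempty"` // set only when the record matches the catalog
}

// parseNpmLock turns package-lock.json bytes (lockfileVersion 2 or 3) already read from disk into records; npm is never run.
func parseNpmLock(host, path string, data []byte) ([]Record, error) {
	var lock struct{ LockfileVersion int; Packages map[string]struct{ Version string } } // "packages" is keyed by install path
	if err := json.Unmarshal(data, &lock); err != nil {
		return nil, fmt.Errorf("%s: %w", path, err)
	}
	if lock.Packages == nil { // v1 lockfiles only carry "dependencies": fail loudly, not with an empty inventory
		return nil, fmt.Errorf("%s: lockfileVersion %d has no packages map", path, lock.LockfileVersion)
	}
	var out []Record
	for key, pkg := range lock.Packages {
		// Key "" is the project itself; versionless entries are local links. The name is the text after the last "node_modules/".
		i := strings.LastIndex(key, "node_modules/")
		if i < 0 || pkg.Version == "" {
			continue
		}
		out = append(out, Record{Host: host, Ecosystem: "npm", Name: key[i+len("node_modules/"):],
			Version: pkg.Version, Source: path + "#" + key})
	}
	sort.Slice(out, func(a, b int) bool { return out[a].Source < out[b].Source }) // map order is random; keep output diffable
	return out, nil
}

// loadCatalog indexes the assumed catalog shape (exact versions only, ranges deliberately unsupported) as ecosystem/name@version -> advisory id.
func loadCatalog(data []byte) (map[string]string, error) {
	var entries []struct{ Ecosystem, Name, Advisory string; Versions []string }
	if err := json.Unmarshal(data, &entries); err != nil {
		return nil, err
	}
	idx := make(map[string]string)
	for _, e := range entries {
		for _, v := range e.Versions {
			idx[e.Ecosystem+"/"+e.Name+"@"+v] = e.Advisory
		}
	}
	return idx, nil
}

// matchRecords marks exact catalog hits in place and returns the hit count.
func matchRecords(recs []Record, idx map[string]string) int {
	n := 0
	for i, r := range recs {
		if adv, ok := idx[r.Ecosystem+"/"+r.Name+"@"+r.Version]; ok {
			recs[i].Evidence = "exact match in catalog: " + adv
			n++
		}
	}
	return n
}

// toNDJSON emits one JSON object per line, ready for a log shipper or SIEM.
func toNDJSON(recs []Record) string {
	var b strings.Builder
	for _, r := range recs {
		line, _ := json.Marshal(r) // cannot fail: Record holds only strings
		b.Write(append(line, '\n'))
	}
	return b.String()
}

// Constructed sample inputs: the package names and the advisory id are invented for this example.
const sampleLock = `{"name":"app","lockfileVersion":3,"packages":{"":{"version":"1.0.0"},
 "node_modules/tiny-logger-demo":{"version":"1.0.2"},"node_modules/@demo/telemetry":{"version":"4.2.0"},
 "node_modules/legacy-widget":{"version":"0.9.0"},
 "node_modules/legacy-widget/node_modules/@demo/telemetry":{"version":"4.1.9"}}}`
const sampleCatalog = `[{"ecosystem":"npm","name":"@demo/telemetry","versions":["4.2.0"],"advisory":"EXAMPLE-2026-0001"}]`

func main() {
	host, _ := os.Hostname()
	recs, err := parseNpmLock(host, "/home/dev/app/package-lock.json", []byte(sampleLock))
	idx, cerr := loadCatalog([]byte(sampleCatalog))
	if err != nil || cerr != nil {
		log.Fatal(err, cerr)
	}
	matchRecords(recs, idx)
	fmt.Print(toNDJSON(recs))
}
```

Run it with `go run` and pipe stdout to whatever ships logs off the endpoint; each line is a self-contained JSON object, so a query for records with a non-empty `evidence` field yields the affected hosts directly. Note that the nested copy of the same package at 4.1.9 is reported but not flagged: nested installs are exactly where a vulnerable version hides when the top-level one has already been bumped, which is why the locator keeps the full install path rather than just the package name.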

Who should use this?

Security and incident response teams who need to scope exposure to a new advisory across their fleet. DevOps engineers running recurring inventory via cron or MDM. Compliance teams that need to prove what developer tools are installed. If you're already using SBOMs for shipped software, Bumblebee fills the gap for the messier question of what's sitting on developer workstations right now.

Verdict

Bumblebee is a focused, well-scoped tool that does one thing well. The read-only approach and zero-dependency binary make it trivial to deploy anywhere. At 146 stars it's early-stage, but the test coverage is thorough and the documentation is clear. The 89% credibility score reflects that maturity: production-ready for the narrow use case it targets, with ecosystem coverage still expanding. Worth evaluating if you're building supply-chain response tooling.
