Analysis updated 2026-05-18
Check which developer machines have a package version named in a supply-chain security advisory.
Run a lightweight baseline scan of global tools, editor extensions, and browser extensions on a fleet.
Sweep known project directories for installed npm, PyPI, Go, RubyGems, or Composer packages.
Perform a deep, incident-response scan of a specific path or an entire home directory.
| perplexityai/bumblebee | devenjarvis/lathe | f/mcptools | |
|---|---|---|---|
| Stars | 1,523 | 1,560 | 1,590 |
| Language | Go | Go | Go |
| Last pushed | — | 2026-06-27 | — |
| Maintenance | — | Active | — |
| Setup difficulty | easy | easy | easy |
| Complexity | 3/5 | 2/5 | 2/5 |
| Audience | ops devops | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
Single static Go binary with zero dependencies, install with go install and run bumblebee selftest to verify.
Bumblebee is a read-only scanning tool that answers one specific security question: when a software supply-chain advisory names a dangerous package or version, which developer machines in your organization actually have it installed right now? It scans the files that package managers leave on disk, such as lockfiles, installed package metadata, and extension manifests, and produces a structured list of everything it finds. It never executes package manager commands or reads application source code, only the metadata files. The tool covers a wide range of package ecosystems including npm, pnpm, Yarn, Bun, Python packages, Go modules, RubyGems, and PHP Composer. It also scans editor extensions for VS Code, Cursor, and similar tools, browser extensions for Chrome-family and Firefox, and configuration files for AI coding tools that use the MCP protocol. It deliberately skips any credentials or environment variables that appear in those config files and does not include them in its output. Three scan profiles match different situations. The baseline profile does a lightweight pass over globally installed tools, language runtimes, and editor and browser extensions. The project profile sweeps configured development directories where your code repositories live. The deep profile walks any path you specify, including your entire home folder, and is designed for incident response when you already know you are looking for something specific. Baseline and project refuse to scan the home directory directly to avoid accidentally slowing down a routine scan. Output is formatted as NDJSON, one record per line, where each record describes a found package along with the machine it came from, where the evidence was found, and how confident the scanner is about the version. When you provide an exposure catalog (a JSON file listing the packages and versions under investigation), the tool emits additional finding records that flag exact matches and can suppress the full package list to show only hits. The binary is a single file with no external dependencies, built in Go. A built-in self-test command verifies the installation works correctly using embedded test data that makes no network calls. The full README is longer than what was shown.
Bumblebee is a read-only Go scanner that checks developer machines for installed packages, extensions, and dev-tool configs matching a supply-chain advisory.
Mainly Go. The stack also includes Go.
The README does not state a license.
Setup difficulty is rated easy, with roughly 5min to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.