
Perplexity Releases Bumblebee As An Open Source Scanner For Dev Teams
Why It Matters
Bumblebee gives DevSecOps teams instant visibility into developer endpoints, accelerating response to known vulnerabilities and reducing the noise of traditional endpoint tools.
Key Takeaways
- Bumblebee scans npm, PyPI, Go, RubyGems, Composer packages.
- Detects risky VS Code, Cursor, and VSCodium extensions.
- Reads browser extension manifests for Chromium and Firefox.
- Analyzes AI tool MCP JSON configs without exposing secrets.
- Read‑only design avoids executing malicious install scripts.
Pulse Analysis
Software supply‑chain attacks have moved from build servers to the laptops where code is written. While SBOM generators catalog what ships in a product and EDR solutions monitor runtime behavior, they often leave a blind spot: the local metadata that developers accumulate across package managers, editor plugins, and AI‑assistant configurations. When a vulnerability advisory names a specific version, security teams need to know instantly which workstations are exposed. Tools that can enumerate that information without installing agents are becoming essential for rapid containment.
Perplexity’s Bumblebee fills that gap with a read‑only scanner written in Go that runs on macOS and Linux. It parses lockfiles, manifest files and supported MCP JSON configs, turning raw entries into structured NDJSON records that include machine name, OS, package name, version, source file and a confidence rating. Because it never invokes package managers or executes code, the risk of triggering malicious install scripts is eliminated. The tool can be scheduled via cron, launchd or systemd, making it easy to embed in existing fleet‑management or CI pipelines.
For DevSecOps teams, Bumblebee provides a fast, evidence‑based inventory that can be cross‑referenced with internal vulnerability catalogs, reducing the time from advisory to remediation. Its open‑source Apache 2.0 license encourages community contributions and integration with AI‑driven incident response platforms, such as Perplexity’s own Computer, to trigger deeper analyses automatically. As AI assistants become embedded in development workflows, visibility into local configuration will be a critical control point, and tools like Bumblebee are likely to become standard components of a layered supply‑chain defense strategy.
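The workflow described above, a read‑only pass over local dependency metadata that emits NDJSON records and cross‑references them against an advisory list, can be illustrated in a few dozen lines of Go. The program below is an added example written for this page; it is not Bumblebee's code and makes no claim about how Bumblebee parses anything. It assumes the npm lockfileVersion 2/3 layout (a `packages` map keyed by install path) and the `name==version` pin form of pip's requirements.txt, and it works only on constructed sample inputs and a made‑up advisory catalog embedded in the file. The only I/O is reading bytes and decoding them: no package manager is invoked, so nothing in a `postinstall` hook can run.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"runtime"
	"sort"
	"strings"
)

// Record is one inventory row with the fields the article lists: machine name,
// OS, package name, version, source file and a confidence rating.
type Record struct {
	Host       string `json:"host"`
	OS         string `json:"os"`
	Ecosystem  string `json:"ecosystem"`
	Name       string `json:"name"`
	Version    string `json:"version"`
	Source     string `json:"source"`
	Confidence string `json:"confidence"`
}

// Advisory is one row of an internal vulnerability catalog (constructed here).
type Advisory struct{ Ecosystem, Name, Version string }

var host, _ = os.Hostname() // empty string if the hostname lookup fails
var goos = runtime.GOOS

// ParseNpmLock decodes a package-lock.json (lockfileVersion 2/3 "packages" map).
// A lockfile records resolved installs, so entries are "high" confidence. The
// bytes are only decoded: npm is never invoked, so no install script can run.
func ParseNpmLock(data []byte, source string) ([]Record, error) {
	var lock struct {
		Packages map[string]struct{ Version string } `json:"packages"`
	}
	if err := json.Unmarshal(data, &lock); err != nil {
		return nil, err
	}
	var out []Record
	for path, p := range lock.Packages {
		// Key "" is the project itself; nested deps are keyed "node_modules/a/node_modules/b",
		// so the package name is the segment after the last "node_modules/".
		i := strings.LastIndex(path, "node_modules/")
		if i < 0 || p.Version == "" {
			continue
		}
		out = append(out, Record{host, goos, "npm", path[i+len("node_modules/"):], p.Version, source, "high"})
	}
	sort.Slice(out, func(a, b int) bool { return out[a].Name < out[b].Name }) // map order is random
	return out, nil
}

// ParseRequirements reads a pip requirements.txt. Only exact pins ("name==1.2.3")
// yield a record, rated "medium": a pin declares intent, it does not prove what is
// installed. Comments, environment markers and range specifiers are skipped.
func ParseRequirements(data []byte, source string) []Record {
	var out []Record
	for _, line := range strings.Split(string(data), "\n") {
		for _, sep := range []string{"#", ";"} { // drop trailing comment / marker
			if i := strings.Index(line, sep); i >= 0 {
				line = line[:i]
			}
		}
		parts := strings.SplitN(strings.TrimSpace(line), "==", 2)
		if len(parts) != 2 || parts[0] == "" {
			continue
		}
		name := strings.ToLower(strings.TrimSpace(parts[0]))
		out = append(out, Record{host, goos, "pypi", name, strings.TrimSpace(parts[1]), source, "medium"})
	}
	return out
}

// Exposed returns the records whose ecosystem, name and version exactly match
// an advisory: the advisory-to-workstation lookup the article describes.
func Exposed(records []Record, advisories []Advisory) []Record {
	var hits []Record
	for _, r := range records {
		for _, a := range advisories {
			if r.Ecosystem == a.Ecosystem && r.Name == a.Name && r.Version == a.Version {
				hits = append(hits, r)
			}
		}
	}
	return hits
}

// NDJSON renders one JSON object per line for a collector or SIEM to ingest.
func NDJSON(records []Record) string {
	var b strings.Builder
	for _, r := range records {
		line, _ := json.Marshal(r)
		b.Write(line)
		b.WriteByte('\n')
	}
	return b.String()
}

// Constructed sample inputs and catalog; none of these are real project files or advisories.
const sampleLock = `{"name":"demo-app","lockfileVersion":3,"packages":{
  "": {"version":"0.1.0"},
  "node_modules/left-pad": {"version":"1.3.0"},
  "node_modules/@scope/util": {"version":"2.0.1"},
  "node_modules/@scope/util/node_modules/semver": {"version":"5.7.1"}}}`
const sampleReqs = "# constructed\nrequests==2.31.0\nFlask==2.3.2  # pinned\nurllib3>=1.26\npyyaml==6.0.1 ; python_version >= \"3.8\"\n"

var SampleAdvisories = []Advisory{{"npm", "semver", "5.7.1"}, {"pypi", "flask", "2.3.2"}, {"npm", "left-pad", "9.9.9"}}

// Scan parses both samples and returns the combined inventory.
func Scan() ([]Record, error) {
	npm, err := ParseNpmLock([]byte(sampleLock), "package-lock.json")
	if err != nil {
		return nil, err
	}
	return append(npm, ParseRequirements([]byte(sampleReqs), "requirements.txt")...), nil
}

func main() {
	recs, err := Scan()
	if err != nil {
		panic(err)
	}
	fmt.Print(NDJSON(recs))                                        // full inventory to stdout
	fmt.Fprint(os.Stderr, NDJSON(Exposed(recs, SampleAdvisories))) // catalog matches to stderr
}
```

Two design points carry over to any scanner of this kind. The confidence field is not decoration: a lockfile reflects what the resolver actually installed, while a requirements pin only states what someone intended, so the two are rated differently and a consumer can filter on that. And matching is on the exact version string; a real catalog entry normally expresses an affected range, so the comparison would be replaced by a per‑ecosystem version comparator before this is used for triage.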