Supply-chain scanners keep making the same mistake: they find real risk, then dump it into a format humans do not want to read.
That is a shame, because the developer machine has become part of the supply chain. Package managers pull from everywhere. AI coding agents run inside repositories. Editor extensions sit close to source code. A poisoned dependency does not need to wait for CI if it is already cached on the laptop where the work happens.
Perplexity’s security and AI engineering teams open-sourced Bumblebee to attack that problem locally. It is a fast, read-only scanner for developer endpoints. It sweeps local caches for npm, Go modules, PyPI, editor extensions, and AI agent configs, then checks them against exposure catalogs.
The read-only part matters. Bumblebee parses lockfiles and manifests without executing sketchy postinstall scripts. That is the right posture for a tool whose job is to inspect a potentially compromised machine.
The CLI is fast. The output is honest. The interface is still a wall of NDJSON.
A developer should not need custom jq scripts to know whether their laptop is carrying a poisoned package. So I built Bumblebee UI, an open-source desktop interface on top of Perplexity’s scanner.

The Engine Was Fine. The Surface Was Missing.
Bumblebee UI does not pretend to replace the scanner. The deterministic matching, file parsing, and threat catalogs still come from Perplexity’s bumblebee CLI.
The UI adds the missing product layer: a control center for seeing what was scanned, what was found, and how the machine’s exposure changes over time.
That matters because security output has a job: change behavior.
Make Triage Immediate
The dashboard answers the first question fast: is this machine clean enough to keep working?
It shows scan duration, verified roots, package records, and known exposure matches. Baseline, Project, and Deep scans are available from the same surface, because triage should not start with memorizing command flags.

Make Inventory Searchable
Bumblebee tracks a lot: Go modules, Python packages, npm caches, VS Code extensions, and more. Raw output is technically complete, but it is bad at answering a simple operational question:
Where is this package, and which version is installed?
The Inventory view turns the scan into a searchable table. If github.com/charmbracelet/bubbletea is sitting somewhere on disk, you can find its path and version without spelunking through logs.

Make Detection Rules Visible
Bumblebee relies on dynamic JSON exposure catalogs. That is good architecture, but catalogs are only useful if teams can see which ones are active.
The Threat Intel module lets you sync upstream from Perplexity’s GitHub catalog or add custom JSON catalogs for proprietary threats. Detection rules become easier to trust when teams can see which ones are active.

Make Exposure a Timeline
A one-shot scanner tells you what is true now. A useful security workflow also needs to know what changed.
The History tab stores prior runs as point-in-time snapshots. When a new advisory lands, you can look back and see whether the package appeared yesterday, last week, or long before anyone noticed.

Make the Tool Easy to Keep Open
Security tools do not get extra credit for being hostile. If developers are expected to look at a scanner regularly, the scanner should be comfortable to look at.
The app includes themes like Command, Terminal, and Daylight. This belongs to the same argument: tools that feel punishing get ignored.
The Point
Perplexity did the hard systems work by building the scanner. This UI is a smaller, practical bet: local endpoint security gets better when the result is visible enough for developers to act on.
The code and setup instructions are on GitHub:
🔗 https://github.com/drmhse/bumblebee-ui
If the CLI is where the truth lives, the UI is where the truth becomes hard to ignore.


