Problem
Running bumblebee scan --profile deep --root $HOME on macOS causes bumblebee to blindly traverse the entire home directory, including macOS TCC-protected paths like:
- ~/Library/Application Support/AddressBook
- ~/Library/Application Support/CallHistoryDB
- ~/Library/AppleMediaServices
- ~/.Trash
These directories are irrelevant to supply-chain scanning (malware lives in package registries and dev tooling, not contacts databases), but the full traversal triggers macOS privacy permission dialogs attributed to the scanning process and produces noisy "operation not permitted" diagnostics in the output.
Proposed solution
Option A — Multiple --root flags
Allow --root to be specified multiple times so users can target exactly where packages live:
bumblebee scan --profile deep \
    --root ~/.npm \
    --root ~/.local/lib \
    --root ~/.claude \
    --root ~/go/pkg \
    --root ~/Dev \
    --exposure-catalog /tmp/advisory.json
Option B — Built-in scoped profile (preferred UX)
Add a --profile scoped (or similar) that bakes in a sensible OS-aware default list of known package roots — e.g. on macOS:
- ~/.npm, ~/.pnpm-store, ~/node_modules
- ~/.local/lib/python*, ~/.venv
- ~/go/pkg/mod
- ~/.cargo/registry
- ~/.claude (MCP configs)
- ~/.vscode/extensions, ~/.cursor/extensions
- Common project directories
This way users get safe, targeted scanning without needing to know the full list themselves, and without triggering OS-level permission prompts for irrelevant protected directories.
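A sketch of how Option B could work: expand an OS-aware list of package roots to the ones that actually exist, and prune the TCC-protected subtrees before the walker opens them even when a broad root like $HOME is given. This is an added example, not bumblebee's code; the two path lists are taken from this issue, and the temporary home directory is constructed for the demo.

```python
import os
import tempfile
from glob import glob
from pathlib import Path

# macOS package roots listed under Option B in this issue (hypothetical helper, not bumblebee's own code).
DARWIN_PACKAGE_ROOTS = ["~/.npm", "~/.pnpm-store", "~/node_modules", "~/.local/lib/python*", "~/.venv",
                        "~/go/pkg/mod", "~/.cargo/registry", "~/.claude",
                        "~/.vscode/extensions", "~/.cursor/extensions"]
# TCC-protected paths from the Problem section: pruned before the walker descends into them.
DARWIN_PROTECTED = ["~/Library/Application Support/AddressBook", "~/Library/Application Support/CallHistoryDB",
                    "~/Library/AppleMediaServices", "~/.Trash"]

def expand_roots(patterns, home):
    """Expand '~' and globs against `home`; keep only directories that exist, de-duplicated."""
    hits = (os.path.realpath(p) for pat in patterns for p in glob(pat.replace("~", home, 1)))
    return sorted({p for p in hits if os.path.isdir(p)})

def is_protected(path, home, protected=DARWIN_PROTECTED):
    """True if `path` is, or lies under, one of the protected directories."""
    rp = os.path.realpath(path)
    for pat in protected:
        base = os.path.realpath(pat.replace("~", home, 1))
        if rp == base or rp.startswith(base + os.sep):
            return True
    return False

def scoped_walk(roots, home):
    """Walk `roots`; protected subtrees are removed from `dirnames` so os.walk never enters them."""
    found = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            dirnames[:] = [d for d in dirnames if not is_protected(os.path.join(dirpath, d), home)]
            found.extend(os.path.join(dirpath, f) for f in filenames)
    return found

def build_demo_home():
    """Constructed sample home in a temp dir: two package roots plus two protected locations."""
    home = tempfile.mkdtemp(prefix="bb-demo-")
    for rel in (".npm/_cacache/entry", ".local/lib/python3.11/site-packages/pkg/__init__.py",
                "Library/Application Support/AddressBook/AddressBook.abcddb", ".Trash/old.tgz"):
        Path(home, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(home, rel).touch()
    return home

def demo():
    """Returns (home, scoped roots, files seen with scoped roots, files seen with --root $HOME pruned)."""
    home = build_demo_home()
    scoped_roots = expand_roots(DARWIN_PACKAGE_ROOTS, home)  # Option B: only roots that exist
    return home, scoped_roots, scoped_walk(scoped_roots, home), scoped_walk([home], home)
```

Both walks return the same two package files; the AddressBook database and the Trash entry are never opened, so no TCC prompt would be attributed to the scanner.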
Environment
- macOS (darwin/arm64)
- bumblebee v0.1.1
- Scan command:
bumblebee scan --profile deep --root $HOME --exposure-catalog <catalog> --findings-only