SBOMPLAY
Abstract
SBoM Play is an SBOM exploration and intelligence-extraction platform. SBoM Play exists because “we have SBOMs” does not automatically mean “we can use SBOMs.” Most teams end up with heavy tooling, custom scripts, or workflows that require uploading dependency data somewhere just to explore it. I wanted a tool that makes SBOM exploration fast, local, and practical, so you can answer real questions and move on.
SBoM Play is browser-first and privacy-aware. It runs entirely in the browser, so there is no server-side setup and no backend to maintain. It can import SBOMs or extract SBOMs from GitHub repositories, then enrich what you see using sources like osv.dev, deps.dev, and ecosyste.ms. The main focus is a unified view across repositories and organizations so you can stop treating SBOMs as one-project-at-a-time artifacts.
This session shows SBOM usage beyond vulnerability tracking. We will use SBoM Play to surface tech debt patterns, redundant packages, version drift and sprawl, license posture, SBOM quality gaps, and maintainer risk. The tool is actively developed and the latest features will be demoed live during the talk. SBoM Play was presented at Black Hat Europe 2025, and since then newer releases have added more coverage and depth that will be reflected in this session.
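The org-wide version drift and sprawl analysis mentioned above, as an added example that is not SBoM Play's own code: several CycloneDX-style component lists (constructed here, one per repository) are aggregated so that every package seen in more than one version is reported together with the newest version and the repositories still behind it. The `compareVersions` helper is an assumption that handles only dotted numeric versions.

```javascript
// Added example (not SBoM Play's own code): aggregate components from several
// CycloneDX-style SBOMs, one per repository, and report version sprawl (one
// package, several versions in the org) and drift (repos on an older version).

// Constructed sample input: minimal CycloneDX component lists keyed by repo.
const sampleSboms = {
  "org/web-app": { components: [
    { name: "lodash", version: "4.17.15" }, { name: "express", version: "4.18.2" } ] },
  "org/api": { components: [
    { name: "lodash", version: "4.17.21" }, { name: "express", version: "4.18.2" } ] },
  "org/worker": { components: [
    { name: "lodash", version: "4.17.21" }, { name: "lodash", version: "3.10.1" } ] },
};

// Numeric dotted-version comparison; enough for these samples (real SBOMs also
// carry pre-release tags, which need a proper semver comparator).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Build package -> version -> set of repos that ship that version.
function aggregate(sbomsByRepo) {
  const index = new Map();
  for (const [repo, sbom] of Object.entries(sbomsByRepo)) {
    for (const c of sbom.components || []) {
      const byVersion = index.get(c.name) || new Map();
      const repos = byVersion.get(c.version) || new Set();
      repos.add(repo);
      byVersion.set(c.version, repos);
      index.set(c.name, byVersion);
    }
  }
  return index;
}

// Packages seen in more than one version, the newest version, and the repos
// still on an older one (a repo can appear twice when it nests duplicates).
function versionSprawl(sbomsByRepo) {
  const findings = [];
  for (const [pkg, byVersion] of aggregate(sbomsByRepo)) {
    const versions = [...byVersion.keys()].sort(compareVersions);
    if (versions.length < 2) continue;
    const newest = versions[versions.length - 1];
    const behind = versions.slice(0, -1)
      .flatMap(v => [...byVersion.get(v)].map(repo => ({ repo, version: v })));
    findings.push({ pkg, versions, newest, behind });
  }
  return findings;
}
```

Running `versionSprawl(sampleSboms)` reports only lodash, on three versions, with org/worker and org/web-app behind 4.17.21; express is on a single version and is not a finding.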
Feature highlights
- Dependency tree up to 10 levels deep (configurable)
- Vulnerabilities mapped to dependencies (OSV)
- Version drift and version sprawl across an org
- License visibility across dependencies
- SBOM quality audit and scoring
- SBOM benchmarking against frameworks like CISA minimum elements, BSI TR-03183, and CERT-In
- End-of-life and end-of-support package visibility
- Dependency confusion indicators
- Aggregated authors and maintainers view to spot single points of failure
- Maintainer funding and sponsorship signals

Reference links
Repo: https://github.com/cyfinoid/sbomplay
Live: https://cyfinoid.github.io/sbomplay/
Tool Information
License: GPL 3.0
Programming Language used: HTML/JS/CSS