# SBoM Play

By: Anant Shrivastava

Conference: Blackhat
Year: 2026
Date: 2026-04-24

Tags: sbom, supply-chain-security, sca, open-source-security, software-composition-analysis


## Resources
- Conference Link: https://blackhat.com/asia-26/arsenal/schedule/index.html#sbom-play-50411
- Source Code: https://github.com/cyfinoid/sbomplay



SBoM Play is an SBOM exploration and intelligence-extraction platform. SBoM Play exists because "we have SBOMs" does not automatically mean "we can use SBOMs." Most teams end up with heavy tooling, custom scripts, or workflows that require uploading dependency data somewhere just to explore it. I wanted a tool that makes SBOM exploration fast, local, and practical, so you can answer real questions and move on.

SBoM Play is browser-first and privacy-aware. It runs entirely in the browser, so there is no server-side setup and no backend to maintain. It can import existing SBOMs or extract SBOMs from GitHub repositories, then enrich what you see using sources like osv.dev, deps.dev, and ecosyste.ms. Note that enrichment lookups do send package identifiers to those services; what stays local is the SBOM data itself. The main focus is a unified view across repositories and organizations so you can stop treating SBOMs as one-project-at-a-time artifacts.

This session shows SBOM usage beyond vulnerability tracking. We will use SBoM Play to surface tech debt patterns, redundant packages, version drift and sprawl, license posture, SBOM quality gaps, and maintainer risk. The tool is actively developed and the latest features will be demoed live during the talk. SBoM Play was presented at Black Hat Europe 2025, and since then newer releases have added more coverage and depth that will be reflected in this session.

## Feature highlights
- Dependency tree up to 10 levels deep (configurable)
- Vulnerabilities mapped to dependencies (OSV)
- Version drift and version sprawl across an org
- License visibility across dependencies
- SBOM quality audit and scoring
- SBOM benchmarking against frameworks like CISA minimum elements, BSI TR-03183, and CERT-In
- End-of-life and end-of-support package visibility
- Dependency confusion indicators
- Aggregated authors and maintainers view to spot single points of failure
- Maintainer funding and sponsorship signals
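As an added example (not SBoM Play's own code), the snippet below shows the kind of cross-repository questions the tool is built to answer, over two constructed CycloneDX JSON SBOMs: version sprawl of one package across repositories, a quality audit against the seven NTIA/CISA minimum-element data fields, and the osv.dev `/v1/querybatch` request body an in-browser enricher would send. The repository names, packages, and the mapping of minimum-element fields onto CycloneDX properties are assumptions made for the illustration.

```javascript
// Added example, not SBoM Play's code. Two constructed CycloneDX 1.5 SBOMs for
// hypothetical repositories "acme/web" and "acme/api"; the second one is
// deliberately thin so the quality audit has something to flag.
const SBOMS = {
  "acme/web": {
    bomFormat: "CycloneDX", specVersion: "1.5",
    metadata: { timestamp: "2026-01-10T08:00:00Z", authors: [{ name: "ci-bot" }] },
    components: [
      { "bom-ref": "pkg:npm/lodash@4.17.21", type: "library", name: "lodash", version: "4.17.21",
        purl: "pkg:npm/lodash@4.17.21", supplier: { name: "lodash maintainers" },
        licenses: [{ license: { id: "MIT" } }] },
      { "bom-ref": "pkg:npm/express@4.18.2", type: "library", name: "express", version: "4.18.2",
        purl: "pkg:npm/express@4.18.2", licenses: [{ license: { id: "MIT" } }] },
    ],
    dependencies: [{ ref: "pkg:npm/express@4.18.2", dependsOn: ["pkg:npm/lodash@4.17.21"] }],
  },
  "acme/api": {
    bomFormat: "CycloneDX", specVersion: "1.5",
    metadata: {}, // no timestamp and no author: a quality gap
    components: [
      { type: "library", name: "lodash", version: "4.17.15", purl: "pkg:npm/lodash@4.17.15" },
      { type: "library", name: "left-pad", version: "1.3.0" }, // no purl, no license
    ],
  },
};

// Minimal purl parser: pkg:type/namespace/name@version?qualifiers#subpath.
function parsePurl(purl) {
  const m = /^pkg:([^/]+)\/([^@?#]+)(?:@([^?#]+))?/.exec(purl || "");
  if (!m) return null;
  return { type: m[1], name: decodeURIComponent(m[2]), version: m[3] ? decodeURIComponent(m[3]) : null };
}

// Identity of a package independent of version: "npm/lodash", or a fallback
// on the bare component name when no purl is present.
function packageKey(c) {
  const p = parsePurl(c.purl);
  return p ? `${p.type}/${p.name}` : `unknown/${c.name}`;
}

// Version sprawl: packages that appear in more than one version across the
// org, with the repositories pinned to each version.
function versionSprawl(sboms) {
  const seen = new Map(); // key -> Map(version -> Set(repo))
  for (const [repo, sbom] of Object.entries(sboms)) {
    for (const c of sbom.components || []) {
      const key = packageKey(c);
      const version = c.version || parsePurl(c.purl)?.version || "unknown";
      if (!seen.has(key)) seen.set(key, new Map());
      const byVersion = seen.get(key);
      if (!byVersion.has(version)) byVersion.set(version, new Set());
      byVersion.get(version).add(repo);
    }
  }
  const result = [];
  for (const [key, byVersion] of seen) {
    if (byVersion.size < 2) continue;
    const versions = {};
    for (const [v, repos] of byVersion) versions[v] = [...repos].sort();
    result.push({ package: key, versions });
  }
  return result.sort((a, b) => a.package.localeCompare(b.package));
}

// Quality audit against the seven NTIA/CISA minimum-element data fields:
// supplier, component name, component version, other unique identifiers,
// dependency relationship, author of SBOM data, timestamp. The CycloneDX
// property used for each field is this example's assumption.
function auditMinimumElements(sbom) {
  const comps = sbom.components || [];
  const missing = [];
  const every = (label, pred) => {
    const bad = comps.filter((c) => !pred(c));
    if (bad.length) missing.push(`${label} (${bad.length} of ${comps.length} components)`);
  };
  every("supplier", (c) => !!c.supplier?.name);
  every("component name", (c) => !!c.name);
  every("component version", (c) => !!c.version);
  every("unique identifier (purl/cpe)", (c) => !!(c.purl || c.cpe));
  if (!sbom.dependencies?.length) missing.push("dependency relationship");
  if (!(sbom.metadata?.authors?.length || sbom.metadata?.tools)) missing.push("author of SBOM data");
  if (!sbom.metadata?.timestamp) missing.push("timestamp");
  return { missing, score: Math.round(((7 - missing.length) / 7) * 100) };
}

// Body for one osv.dev POST /v1/querybatch call covering every distinct purl
// in the org. Built only, not sent, so the example runs offline.
function osvQueryBatch(sboms) {
  const purls = new Set();
  for (const sbom of Object.values(sboms))
    for (const c of sbom.components || []) if (parsePurl(c.purl)) purls.add(c.purl);
  return { queries: [...purls].sort().map((purl) => ({ package: { purl } })) };
}

console.log(JSON.stringify(versionSprawl(SBOMS), null, 2));
for (const [repo, sbom] of Object.entries(SBOMS)) console.log(repo, auditMinimumElements(sbom));
console.log(JSON.stringify(osvQueryBatch(SBOMS)));
```

The audit deliberately scores per field rather than per component, so one repository with two hundred components and no supplier data loses the same single point as a two-component SBOM with the same gap; a real scorer would weight that differently, but the field list is the part that maps onto the published minimum elements.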
## Reference links
- Repo: https://github.com/cyfinoid/sbomplay
- Live: https://cyfinoid.github.io/sbomplay/

## Tool Information
- License: GPL 3.0
- Programming Language used: HTML/JS/CSS

