SBoM Play
A presentation at Black Hat Europe 2025 in in London, UK by Anant Shrivastava
SBOM Play Anant Shrivastava Cyfinoid Research #BHEU @BlackHatEvents
SBOM Play • SBOM Exploration and intelligence extraction platform • IN-Browser • Fully client side
Creation Idea • SBOM is just an inventory • Using SBOM in non-infosec scenarios • Showing is better then talking
One Field : As simple as it can get
SBoM Play: Input • A Github organization / user / repository • Either in shortform user/repo or org/repo or username or org • Or full github url https://github.com/cyfinoid/sbomplay • P.S. We just need Dependency Graph enabled on repositories.
Under the Hood
Nested SBOM Creation
Dashboard : 10K Feet view
Dependency View
Vulnerability View
Repository View
License Compliance
License Change
Author Details
Geographical View
Version Sprawl
Beyond Vulnerabilities
SBOM Play in 1 Image
Thanks you for listening • anant@cyfinoid.com • @anantshri • https://cyfinoid.github.io/sbomplay/ • https://github.com/cyfinoid/sbomplay/ Live URL
SBOMPlay is a browser-first, privacy-aware SBOM visualization and enrichment tool designed to showcase the real potential of SBOMs beyond just vulnerability tracking.
Instead of relying on server-side infrastructure or custom scripts, SBOMPlay runs entirely in the browser. It enables users to extract SBOMs from GitHub repositories, enrich them with data from osv.dev, and analyze dependencies across repositories and organizations in a unified view.
Whether it’s reducing tech debt, surfacing redundant packages, or evaluating license compliance, SBOMPlay makes software inventory exploration accessible to developers, security engineers, and decision-makers alike.
The tool is actively developed, and the latest features will be demonstrated live during the session.
Resources
The following resources were mentioned during the presentation or are useful additional information.
-
Live URL
Tool is live here.
-
Source Code
Full Source Code available here
