SBOMs (Software Bill of Materials) have become a key asset in managing software supply chain risks. But despite the buzz, many teams still find it hard to start using SBOMs meaningfully—especially without installing complex tools or giving up control over their data.
We wanted to change that. So we built something lightweight, usable, and privacy-respecting.
💡 Meet SBOM Play
SBOM Play is a simple yet powerful browser-based tool to visualize and explore SBOMs. It adds essential context like vulnerability data, license analysis, and component trends—with zero setup required.
🧠 Think of it as your SBOM viewer with superpowers, made for developers, researchers, and security teams alike.
SBOM Play in Action
🚀 Key Features
- ✅ Dependency Graphs Across Repos: Understand which third-party packages appear across multiple repositories
- 🔁 Major & Minor Dependency Trends: Spot commonly reused dependencies and high-risk packages
- 📜 License Breakdown: Identify components with missing, non-compliant, or incompatible licenses
- 🏢 Cross-Organization Insights: Compare SBOMs across multiple orgs to see systemic patterns
- 🛡️ Vulnerability Mapping: View which packages bring in the most known CVEs
- 🔐 Privacy by Design: 100% client-side—no data leaves your browser
🔍 How It Works
No backend. No tracking. No servers required.
SBOM Play is a pure HTML + JavaScript tool that runs entirely in your browser. All parsing and analysis happens locally, and the loaded SBOMs and results are kept in the browser's localStorage rather than on a server. This means:
- You don't upload files anywhere; the page reads the SBOM from your disk itself
- Your analysis is yours alone
- You can inspect the code or host the static files yourself
One practical caveat: localStorage persists in the browser profile on disk and is readable by any script running on the same origin, so clear it (or use a private window) once you are done with sensitive SBOMs. The client-side claim is also easy to verify: keep the browser's Network tab open while loading an SBOM and confirm that no request carries your data.
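To make the client-side model concrete, here is an added example (not SBOM Play's own code) of the kind of analysis a browser SBOM viewer does for three of the features listed above: cross-repository package reuse, license breakdown, and vulnerability ranking, with the report persisted through the Web Storage API. It assumes CycloneDX 1.x JSON input (components[] with name, version, purl and an optional licenses[] list); SBOM Play's actual input formats, data model and vulnerability source are not documented on this page. The two SBOMs and the vulnerability table are constructed samples, and the advisory IDs are placeholders, not real CVEs.

```javascript
// Added example, not SBOM Play's own code. Assumes CycloneDX 1.x JSON.

// Constructed sample SBOMs for two repositories (not real project data).
const SAMPLE_SBOMS = {
  "repo-a": { bomFormat: "CycloneDX", specVersion: "1.5", components: [
    { name: "lodash",   version: "4.17.20", purl: "pkg:npm/lodash@4.17.20",   licenses: [{ license: { id: "MIT" } }] },
    { name: "minimist", version: "1.2.5",   purl: "pkg:npm/minimist@1.2.5",   licenses: [{ license: { id: "MIT" } }] },
    { name: "left-pad", version: "1.3.0",   purl: "pkg:npm/left-pad@1.3.0" }, // no licenses[] declared
  ] },
  "repo-b": { bomFormat: "CycloneDX", specVersion: "1.5", components: [
    { name: "lodash",   version: "4.17.21", purl: "pkg:npm/lodash@4.17.21",   licenses: [{ license: { id: "MIT" } }] },
    { name: "minimist", version: "1.2.5",   purl: "pkg:npm/minimist@1.2.5",   licenses: [{ license: { id: "MIT" } }] },
    { name: "copyleft-lib", version: "2.0.0", purl: "pkg:npm/copyleft-lib@2.0.0", licenses: [{ license: { id: "GPL-3.0-only" } }] },
  ] },
};

// Constructed vulnerability table keyed by purl. IDs are placeholders, not
// real advisories; a real viewer would load this from an advisory feed.
const SAMPLE_VULNS = {
  "pkg:npm/lodash@4.17.20": ["SAMPLE-VULN-1", "SAMPLE-VULN-2"],
  "pkg:npm/minimist@1.2.5": ["SAMPLE-VULN-3"],
};

// Hypothetical license policy: anything outside this set is flagged for review.
const ALLOWED_LICENSES = new Set(["MIT", "Apache-2.0", "BSD-3-Clause", "ISC"]);

// Declared license of a component, or "MISSING" when the SBOM says nothing.
// CycloneDX allows either license.id (an SPDX identifier) or license.name.
function declaredLicense(component) {
  const entry = (component.licenses || [])[0];
  if (!entry || !entry.license) return "MISSING";
  return entry.license.id || entry.license.name || "MISSING";
}

// Package names that appear in more than one repository, with the repos they appear in.
function crossRepoPackages(sboms) {
  const seen = new Map(); // name -> Set of repo names
  for (const [repo, sbom] of Object.entries(sboms)) {
    for (const c of sbom.components || []) {
      if (!seen.has(c.name)) seen.set(c.name, new Set());
      seen.get(c.name).add(repo);
    }
  }
  const shared = {};
  for (const [name, repos] of seen) {
    if (repos.size > 1) shared[name] = [...repos].sort();
  }
  return shared;
}

// License breakdown: a count per license plus every component outside the policy.
function licenseBreakdown(sboms, allowed = ALLOWED_LICENSES) {
  const counts = {};
  const flagged = [];
  for (const [repo, sbom] of Object.entries(sboms)) {
    for (const c of sbom.components || []) {
      const lic = declaredLicense(c);
      counts[lic] = (counts[lic] || 0) + 1;
      if (!allowed.has(lic)) flagged.push({ repo, purl: c.purl, license: lic });
    }
  }
  return { counts, flagged };
}

// Vulnerability mapping: distinct vulnerable purls ranked by advisory count.
function vulnerabilityRanking(sboms, vulnDb) {
  const perPurl = new Map();
  for (const sbom of Object.values(sboms)) {
    for (const c of sbom.components || []) {
      const ids = vulnDb[c.purl] || [];
      if (ids.length) perPurl.set(c.purl, ids); // same purl in two repos counts once
    }
  }
  return [...perPurl]
    .map(([purl, ids]) => ({ purl, count: ids.length, ids }))
    .sort((a, b) => b.count - a.count);
}

function buildReport(sboms, vulnDb) {
  return {
    shared: crossRepoPackages(sboms),
    licenses: licenseBreakdown(sboms),
    vulnerabilities: vulnerabilityRanking(sboms, vulnDb),
  };
}

// Persist the report with the Web Storage API (window.localStorage). Outside a
// browser there is no localStorage, so fall back to an in-memory shim with the
// same setItem/getItem contract so the example also runs under Node.
function storageBackend() {
  if (typeof localStorage !== "undefined") return localStorage;
  const mem = new Map();
  return {
    setItem: (k, v) => mem.set(k, String(v)),
    getItem: (k) => (mem.has(k) ? mem.get(k) : null),
  };
}
const STORE = storageBackend();

function saveReport(key, report, storage = STORE) {
  storage.setItem(key, JSON.stringify(report));
}
function loadReport(key, storage = STORE) {
  const raw = storage.getItem(key);
  return raw === null ? null : JSON.parse(raw);
}
```

The storage layer is the part worth understanding from a privacy standpoint: everything `saveReport` writes stays in the browser profile under the page's origin, which is what makes the tool local, but it also means the data survives the tab being closed and is readable by any other script served from that origin.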
📂 Open Source & Ready to Use
- GitHub Repository: https://github.com/cyfinoid/sbomplay
- Live: https://cyfinoid.github.io/sbomplay/
We believe in building transparent, inspectable tools, so the entire codebase is open source under the MIT License.
🛠️ What’s Next?
This is just the beginning. We’re already working on:
- 📦 SBOM merging across multiple sources
- 📈 Time-series trends of dependency shifts
- 🔄 Exportable reports & visualizations
- ⚙️ CI-compatible integrations for automated SBOM review
Got ideas or feature requests? Open an issue on GitHub or connect with us.
🔗 Explore Now
Whether you’re a developer exploring your stack, a security engineer doing due diligence, or a privacy-conscious open-source user—SBOM Play is built for you.
<SelfPromotion>
Software supply chain security is one of our core research areas, and we also offer training courses in this domain. Below are some of our upcoming trainings.
</SelfPromotion>

