Put work out in the open, and the feedback turns into a roadmap.
SBOMPlay was presented at Black Hat EU Arsenal 2025.
The best part was not the stage time. It was the conversations that followed both during the demo and afterwards.
We got a steady stream of questions, edge cases, and “what if” scenarios from people who actually wanted to use the tool in their own workflows. That instantly expanded the idea pool and clarified what we should prioritize next.
So before we posted anything publicly about the Arsenal release, we took a short pause, put our heads down, and shipped the updates.
At the event, we demoed SBOMPlay v0.0.4.
Today, we are releasing SBOMPlay v0.0.7, an enhanced build with significantly more capability than what we showed at Arsenal.
In GitHub terms, the change set from v0.0.4 to v0.0.7 was 61 files changed, with 19,893 additions and 8,992 deletions.
What is new in v0.0.7
Each of the updates below will be accompanied by a screenshot in the final post.
Custom SBOM support

Improved SBOM auditor that checks against baselines like CISA Minimum Elements and CERT-In

EOX detection (EOL and EOS)

Dependency confusion detection

Clear rate limit warnings

Explicit list of outbound hosts for paranoid self-hosting or air-gapped deployment
Details: https://cyfinoid.github.io/sbomplay/about.html#:~:text=Paranoid%20Self%2DHost%20/%20Airgapped%20Deployment
With that said, now it's time for you to play with
