Open Source Review Toolkit
Automate & Orchestrate Your Open Source Compliance & Security
The Open Source Review Toolkit (ORT) is an open-source software policy automation and orchestration toolkit designed to help you strategically, safely, and efficiently manage third-party open-source software dependencies.
Why Use ORT?
ORT simplifies and automates open source software (OSS) compliance and security processes, allowing you to:
✅ Generate SBOMs & Compliance Documentation
- Create CycloneDX or SPDX Software Bills of Materials (SBOMs)
- Generate custom FOSS attribution documentation for your projects
✅ Enforce Open Source Policies Automatically
- Use Policy as Code to check for licensing compliance, security vulnerabilities, InnerSource usage, and engineering standards
✅ Ensure Long-Term Accessibility & Compliance
- Archive source code for your projects and dependencies to meet licensing requirements and maintain a local copy
✅ Improve Metadata & Licensing Accuracy
- Correct package metadata and licensing findings manually, via InnerSource, or with community contributions
Flexible & Customizable
ORT can be integrated into your workflow in multiple ways:
- As a library for programmatic use
- Through a command-line interface (CLI) for scripted execution
- Via CI/CD integrations for automated pipeline enforcement
Powerful Tooling for Open Source Governance
ORT consists of multiple tools that can be combined into a highly customizable pipeline, giving you full control over your OSS policy automation.
Analyzer - determines the dependencies of projects and their metadata, abstracting which package managers or build systems are actually being used.
Downloader - retrieves source code of the projects and their dependencies, abstracting which Version Control System (VCS) or other means are used to retrieve the source code.
Scanner - uses configured source code scanners to detect license / copyright findings, abstracting the type of scanner.
Advisor - retrieves security advisories for used dependencies from configured vulnerability data services.
Evaluator - evaluates custom policy rules along with custom license classifications against the data gathered in preceding stages and returns a list of policy violations, e.g. to flag license findings.
Reporter - presents results in various formats such as visual reports, Open Source notices or Bill-Of-Materials (BOMs) to easily identify dependencies, licenses, copyrights or policy rule violations.
The relationship between the components is shown in the figure below.
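A minimal shell driver that chains the six stages in the order described above, as an added example and not part of this page or of the ORT project's own scripts. It assumes the `ort` CLI is installed (or that ORT points at it), that OSV is the configured advisory source, that the policy rules live in the file named by RULES_FILE, and that each stage writes its default result file name; setting DRY_RUN prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: drive the ORT pipeline stage by stage. Assumptions: the `ort`
# CLI is on PATH (override with ORT=...), OSV is the advisory source, and the
# policy rules are in $RULES_FILE (evaluator.rules.kts is ORT's conventional
# name). Set DRY_RUN=1 to print the commands instead of executing them.
ORT="${ORT:-ort}"
RULES_FILE="${RULES_FILE:-evaluator.rules.kts}"

# Map a stage name to its ORT invocation: -i is the stage's input (a project
# directory for analyze, an earlier stage's result file otherwise), -o the
# directory it writes to.
ort_stage() {
  stage="$1"; input="$2"; output="$3"
  case "$stage" in
    analyze)  set -- analyze  -i "$input" -o "$output" ;;
    download) set -- download -i "$input" -o "$output" ;;
    scan)     set -- scan     -i "$input" -o "$output" ;;
    advise)   set -- advise   -i "$input" -o "$output" -a OSV ;;
    evaluate) set -- evaluate -i "$input" -o "$output" --rules-file "$RULES_FILE" ;;
    report)   set -- report   -i "$input" -o "$output" -f CycloneDx,SpdxDocument,WebApp ;;
    *) echo "unknown ORT stage: $stage" >&2; return 1 ;;
  esac
  # With DRY_RUN set this expands to `echo`, so the command is printed, not run.
  ${DRY_RUN:+echo} "$ORT" "$@"
}

# Run all six stages against a project checkout, stopping at the first failure.
# ORT exits non-zero when a stage reports errors or the evaluator finds policy
# violations, which is what makes this script fail a CI job.
run_ort_pipeline() {
  project="$1"; root="$2"
  ort_stage analyze  "$project"                              "$root/analyzer"  || return 1
  ort_stage download "$root/analyzer/analyzer-result.yml"    "$root/source"    || return 1
  ort_stage scan     "$root/analyzer/analyzer-result.yml"    "$root/scanner"   || return 1
  ort_stage advise   "$root/scanner/scan-result.yml"         "$root/advisor"   || return 1
  ort_stage evaluate "$root/advisor/advisor-result.yml"      "$root/evaluator" || return 1
  ort_stage report   "$root/evaluator/evaluation-result.yml" "$root/reporter"  || return 1
}

# Usage: ./ort-pipeline.sh <project-dir> <output-root>
if [ "$#" -eq 2 ]; then
  run_ort_pipeline "$1" "$2"
fi
```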
Source Code Control ORT Services
Source Code Control offers a range of services to help organisations implement, support and maintain ORT, and to train their teams on it.
We can also offer ORT as a Service (hosted ORT), complete with an intuitive interface wrapper.
In this context the wrapper is a combined interface that integrates all six tools of the OSS Review Toolkit (ORT) into a single, streamlined web platform. It simplifies the scanning process by providing a centralized system for running compliance checks, analysing dependencies, and generating reports.
Since this is a SaaS-based solution, it is hosted on a web page where users can access the scanning services without a local installation. The system will be accessible from anywhere and will support repository scanning from cloud platforms such as GitHub, Bitbucket and other VCS tools, as well as on-premises file selection.
Dependency Graph Visualization
Coming soon. The Dependency Graph Visualization aims to provide a clear and intuitive representation of dependencies, helping users identify risks, hidden dependencies, and vulnerabilities at a glance. Inspired by the Bitsea visualization concept, this solution will incorporate graphical representations, color-coded risk indicators, and interactive filtering to enhance software compliance and security assessments. By leveraging an SBOM-based approach, the visualization will enable seamless tracking of third-party components, licensing requirements, and potential conflicts.