Automate & Orchestrate Your Open Source Compliance & Security
The Open Source Review Toolkit (ORT) is an open-source software policy automation and orchestration toolkit designed to help you strategically, safely, and efficiently manage third-party open-source software dependencies.
Why Use ORT?
ORT simplifies and automates open source software (OSS) compliance and security processes, allowing you to:
Flexible and Customisable
ORT can be integrated into your workflow in multiple ways:
As a library for programmatic use
Through a command-line interface (CLI) for scripted execution
Via CI/CD integrations for automated pipeline enforcement
Powerful Tooling for Open Source Governance
ORT consists of multiple tools that can be combined into a highly customizable pipeline, giving you full control over your OSS policy automation.
Analyzer – determines the dependencies of projects and their metadata, abstracting which package managers or build systems are actually being used.
Downloader – retrieves source code of the projects and their dependencies, abstracting which Version Control System (VCS) or other means are used to retrieve the source code.
Scanner – uses configured source code scanners to detect license / copyright findings, abstracting the type of scanner.
Advisor – retrieves security advisories for used dependencies from configured vulnerability data services.
Evaluator – evaluates custom policy rules along with custom license classifications against the data gathered in preceding stages and returns a list of policy violations, e.g. to flag license findings.
Reporter – presents results in various formats such as visual reports, Open Source notices or Bill-Of-Materials (BOMs) to easily identify dependencies, licenses, copyrights or policy rule violations.
The relationship between the components is shown below:

Source Code Control ORT Services
Source Code Control offer a range of services to help organisations implement, train, support and maintain ORT.
We can also offer ORT as a Service (hosted ORT), complete with an intuitive interface wrapper.
The wrapper in this context serves as a combined interface that integrates all six tools of the OSS Review Toolkit (ORT) into a single, streamlined platform (webpage). It simplifies the scanning process by providing a centralised system for running compliance checks, analysing dependencies, and generating reports.
Since this is a SaaS-based solution, it is hosted on a webpage where users can access the scanning services without the need for local installation. The system will be accessible from anywhere and will support repository scanning via cloud platforms like GitHub, Bitbucket, and other VCS tools, as well as on-premises file selection.
Dependency Graph Visualisation
Coming soon. The Dependency Graph Visualisation aims to provide a clear and intuitive representation of dependencies, helping users identify risks, hidden dependencies, and vulnerabilities at a glance. Inspired by the Bitsea visualisation concept, this solution will incorporate graphical representations, color-coded risk indicators, and interactive filtering to enhance software compliance and security assessments. By leveraging an SBOM-based approach, the visualisation will enable seamless tracking of third-party components, licensing requirements, and potential conflicts.