{"id":13510417,"url":"https://github.com/oss-review-toolkit/ort","last_synced_at":"2026-04-23T10:03:59.368Z","repository":{"id":36955861,"uuid":"107540288","full_name":"oss-review-toolkit/ort","owner":"oss-review-toolkit","description":"A suite of tools to automate software compliance checks.","archived":false,"fork":false,"pushed_at":"2025-05-09T14:03:20.000Z","size":145795,"stargazers_count":1739,"open_issues_count":289,"forks_count":334,"subscribers_count":39,"default_branch":"main","last_synced_at":"2025-05-09T15:23:06.988Z","etag":null,"topics":["compliance","copyright","cra","cyclonedx","dependencies","dependency-graph","dora","hacktoberfest","license","license-management","open-source-licensing","ospo","oss-compliance","package-manager","sbom","sbom-generator","sca","spdx"],"latest_commit_sha":null,"homepage":"https://oss-review-toolkit.org","language":"Kotlin","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/oss-review-toolkit.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2017-10-19T11:59:49.000Z","updated_at":"2025-05-09T14:03:25.000Z","dependencies_parsed_at":"2023-09-22T01:10:29.150Z","dependency_job_id":"33d4da98-236d-4467-8391-c036fd01f19d","html_url":"https://github.com/oss-review-toolkit/ort","commit_stats":{"total_commits":16452,"total_committers":106,"mean_commits":"155.20754716981133","dds":0.4780573790420618,"last_synced_commit":"e5c6e0cf4ef9b08dcf1229983fd754697f3a7bca"},"previous_names":["heremaps/oss-review-toolkit"],"tags_count":97,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oss-review-toolkit%2Fort","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oss-review-toolkit%2Fort/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oss-review-toolkit%2Fort/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oss-review-toolkit%2Fort/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/oss-review-toolkit","download_url":"https://codeload.github.com/oss-review-toolkit/ort/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254076849,"owners_count":22010611,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["compliance","copyright","cra","cyclonedx","dependencies","dependency-graph","dora","hacktoberfest","license","license-management","open-source-licensing","ospo","oss-compliance","package-manager","sbom","sbom-generator","sca","spdx"],"created_at":"2024-08-01T02:01:38.100Z","updated_at":"2026-04-23T10:03:59.362Z","avatar_url":"https://github.com/oss-review-toolkit.png","language":"Kotlin","funding_links":[],"categories":["Kotlin","Dependency intelligence","Official projects","Software Composition Analysis","package-manager","Licensing","OSS and Dependency management","Software","hacktoberfest","Security and Supply Chain"],"sub_categories":["SCA and SBOM","Tools (and [classification](https://ntia.gov/sites/default/files/publications/ntia_sbom_tooling_taxonomy-2021mar30_0.pdf))","Tools \u0026 libs","Streaming Operations"],"readme":"![OSS Review Toolkit Logo](./logos/ort.png)\n\n\u0026nbsp;\n\n[![Slack][1]][2]\n\n[![Static Analysis][3]][4] [![Build and Test][5]][6] [![Code coverage][7]][8]\n\n[![REUSE status][9]][10] [![OpenSSF Best Practices][11]][12] [![OpenSSF Scorecard][13]][14]\n\n[1]: https://img.shields.io/badge/Join_us_on_Slack!-ort--talk-blue.svg?longCache=true\u0026logo=slack\n[2]: http://slack.oss-review-toolkit.org\n[3]: https://github.com/oss-review-toolkit/ort/actions/workflows/static-analysis.yml/badge.svg\n[4]: https://github.com/oss-review-toolkit/ort/actions/workflows/static-analysis.yml\n[5]: https://github.com/oss-review-toolkit/ort/actions/workflows/build-and-test.yml/badge.svg\n[6]: https://github.com/oss-review-toolkit/ort/actions/workflows/build-and-test.yml\n[7]: https://codecov.io/gh/oss-review-toolkit/ort/branch/main/graph/badge.svg?token=QD2tCSUTVN\n[8]: https://app.codecov.io/gh/oss-review-toolkit/ort\n[9]: https://api.reuse.software/badge/github.com/oss-review-toolkit/ort\n[10]: https://api.reuse.software/info/github.com/oss-review-toolkit/ort\n[11]: https://www.bestpractices.dev/projects/4618/badge\n[12]: https://www.bestpractices.dev/projects/4618\n[13]: https://api.scorecard.dev/projects/github.com/oss-review-toolkit/ort/badge\n[14]: https://scorecard.dev/viewer/?uri=github.com/oss-review-toolkit/ort\n\n# Introduction\n\nThe OSS Review Toolkit (ORT) is a FOSS policy automation and orchestration toolkit that you can use to manage your (open source) software dependencies in a strategic, safe and efficient manner.\n\nYou can use it to:\n\n* Generate CycloneDX, SPDX SBOMs, or custom FOSS attribution documentation for your software project\n* Automate your FOSS policy using risk-based Policy as Code to do licensing, security vulnerability, InnerSource and engineering standards checks for your software project and its dependencies\n* Create a source code archive for your software project and its dependencies to comply with certain licenses or have your own copy as nothing on the internet is forever\n* Correct package metadata or licensing findings yourself, using InnerSource or with the help of the FOSS community\n\nORT can be used as a library (for programmatic use), via a command line interface (for scripted use), or via its CI integrations.\nIt consists of the following tools which can be combined into a *highly customizable* pipeline:\n\n* [*Analyzer*](https://oss-review-toolkit.org/ort/docs/tools/analyzer):\n  Determines the dependencies of projects and their metadata, abstracting which package managers or build systems are actually being used.\n* [*Downloader*](https://oss-review-toolkit.org/ort/docs/tools/downloader):\n  Fetches all source code of the projects and their dependencies, abstracting which Version Control System (VCS) or other means are used to retrieve the source code.\n* [*Scanner*](https://oss-review-toolkit.org/ort/docs/tools/scanner):\n  Uses configured source code scanners to detect license / copyright findings, abstracting the type of scanner.\n* [*Advisor*](https://oss-review-toolkit.org/ort/docs/tools/advisor):\n  Retrieves security advisories for used dependencies from configured vulnerability data services.\n* [*Evaluator*](https://oss-review-toolkit.org/ort/docs/tools/evaluator):\n  Evaluates custom policy rules along with custom license classifications against the data gathered in preceding stages and returns a list of policy violations, e.g. to flag license findings.\n* [*Reporter*](https://oss-review-toolkit.org/ort/docs/tools/reporter):\n  Presents results in various formats such as visual reports, Open Source notices or Bill-Of-Materials (BOMs) to easily identify dependencies, licenses, copyrights or policy rule violations.\n* *Notifier*:\n  Sends result notifications via different channels (like [emails](./examples/example.notifications.kts) and / or JIRA tickets).\n\nAlso see the [list of related tools](https://oss-review-toolkit.org/ort/docs/related-tools) that help with running ORT.\n\n## Documentation\n\nFor detailed information, see the documentation on the [ORT Website](https://oss-review-toolkit.org/ort/).\n\n# Installation\n\n## System requirements\n\nORT is being continuously used on Linux, Windows and macOS by the [core development team](https://github.com/orgs/oss-review-toolkit/people), so these operating systems are considered to be well-supported.\n\nTo run the ORT binaries (also see [Installation from binaries](#from-binaries)) at least Java 21 is required.\nMemory and CPU requirements vary depending on the size and type of project(s) to analyze / scan, but the general recommendation is to configure Java with 8 GiB of memory and to use a CPU with at least 4 cores.\n\n```shell\n# This will give the Java Virtual Machine 8GB Memory.\nexport JAVA_OPTS=\"$JAVA_OPTS -Xmx8g\"\n```\n\nIf ORT requires external tools to analyze a project, these tools are listed by the `ort requirements` command.\nIf a package manager is not listed there, support for it is integrated directly into ORT and does not require any external tools to be installed.\n\n## From binaries\n\n### CLI distribution\n\nHead over to the [releases](https://github.com/oss-review-toolkit/ort/releases) page.\nFrom the \"Assets\" section of your chosen release, download the distribution archive of the desired type.\nTypically that is `.zip` for Windows and `.tgz` otherwise; but the contents of the archives are the same.\nThe `ort-*` archives contain the [ORT main](./cli/) distribution, while the `orth-*` archives contain the [ORT helper](./cli-helper/) distribution.\nUnpack the archive to an installation directory.\nThe scripts to run ORT are located at `bin/ort` and `bin\\ort.bat`, or `bin/orth` and `bin\\orth.bat`, respectively.\n\n### Docker distribution\n\nIn addition to the CLI, ORT is also distributed as a Docker image that contains all tools required by ORT (see the `ort requirements` command).\nTo run ORT from the latest version of that image (which will be downloaded if needed) use:\n\n```shell\ndocker run ghcr.io/oss-review-toolkit/ort --help\n```\n\n## From sources\n\nInstall the following basic prerequisites:\n\n* Git (any recent version will do).\n\nThen clone this repository.\n\n```shell\ngit clone https://github.com/oss-review-toolkit/ort\n# If you intend to run tests, you have to clone the submodules too.\ncd ort\ngit submodule update --init --recursive\n```\n\n### Build using Docker\n\nInstall the following basic prerequisites:\n\n* Docker 18.09 or later (and ensure its daemon is running).\n* Enable [BuildKit](https://docs.docker.com/develop/develop-images/build_enhancements/#to-enable-buildkit-builds) for Docker.\n\nChange into the directory with ORT's source code and run `docker build -t ort .`.\nAlternatively, use the script at `scripts/docker_build.sh` which also sets the ORT version from the Git revision.\n\n### Build natively\n\nInstall these additional prerequisites:\n\n* Java Development Kit (JDK) version 21 or later; also remember to set the `JAVA_HOME` environment variable accordingly.\n\nChange into the directory with ORT's source code and run `./gradlew :cli:installDist` (on the first run this will bootstrap Gradle and download all required dependencies).\n\n## Basic usage\n\nDepending on how ORT was installed, it can be run in the following ways:\n\n* If the Docker image was built locally as described above, use\n\n  ```shell\n  docker run ort --help\n  ```\n\n  You can find further hints for using ORT with Docker in the [documentation](./website/docs/guides/docker.md).\n\n* If the ORT distribution was built from sources, use\n\n  ```shell\n  ./cli/build/install/ort/bin/ort --help\n  ```\n\n* If running directly from sources via Gradle, use\n\n  ```shell\n  ./gradlew -q :cli:run --args=\"--help\"\n  ```\n\n  Note that in this case the working directory used by ORT is that of the `cli` project, not the directory `gradlew` is located in (see https://github.com/gradle/gradle/issues/6074).\n\n# Contributing\n\nAll contributions are welcome.\nIf you are interested in contributing code, please read our [contributing guide](https://github.com/oss-review-toolkit/.github/blob/main/CONTRIBUTING.md).\nFor everything from reporting bugs to asking questions, please go through the [issue workflow](https://github.com/oss-review-toolkit/ort/issues/new/choose).\n\n## Statistics\n\n![Alt](https://repobeats.axiom.co/api/embed/39cfad4ac09c3b4a361a1365ccf1a65c612a8ed0.svg \"Repobeats analytics image\")\n\n# License\n\nCopyright (C) 2017-2026 [The ORT Project Copyright Holders](./NOTICE).\n\nSee the [LICENSE](./LICENSE) file in the root of this project for license details.\n\nOSS Review Toolkit (ORT) is a [Linux Foundation project](https://www.linuxfoundation.org/) and part of [ACT](https://automatecompliance.org/).\nTo learn more on how the project is governed, including its charter, see the [ort-governance](https://github.com/oss-review-toolkit/ort-governance) repository.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foss-review-toolkit%2Fort","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Foss-review-toolkit%2Fort","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foss-review-toolkit%2Fort/lists"}