The OSS Review Toolkit (ORT) is a comprehensive FOSS policy automation and orchestration suite written in Kotlin that enables organizations to manage open source software dependencies strategically and securely. The project addresses critical compliance, licensing, and supply chain security challenges by automating checks that would otherwise require manual effort across large dependency trees.
ORT's core functionality revolves around a modular pipeline of specialized tools. The Analyzer determines project dependencies and metadata while abstracting away differences between package managers and build systems. The Downloader fetches source code from various version control systems and other sources. The Scanner applies configured source code scanners to detect license and copyright findings. The Advisor retrieves security vulnerability data from configured services. The Evaluator applies custom policy rules and license classifications to flag violations. The Reporter generates output in multiple formats including CycloneDX and SPDX SBOMs, custom attribution documentation, and visual reports. A Notifier component sends results through channels like email and JIRA tickets.
The toolkit can be deployed as a library for programmatic integration, via command line interface for scripted workflows, or through CI system integrations, making it adaptable to diverse development environments. Users can generate compliance documentation, automate FOSS policy enforcement through risk-based Policy as Code, create source code archives for license compliance, and correct package metadata through community contributions.
According to GitGenius activity tracking, the project shows sustained engagement with 829 tracked issues and pull requests. The median response latency across these items is 7776.4 hours with a mean of 13069.0 hours, reflecting the project's volunteer-driven nature and the complexity of compliance-related discussions. The most active issue labels are analyzer with 284 occurrences, reporter with 140, and scanner with 110, indicating these components receive the most attention. Core contributors sschuberth, fviernau, and tsteenbe drive development with 2559, 414, and 128 tracked events respectively.
The project maintains cross-repository connections with major open source initiatives including microsoft/vscode, rust-lang/rust, and microsoft/typescript through overlapping contributors, suggesting ORT's adoption in significant software projects. ORT is classified across ten distinct domains including software compliance, license management, dependency analysis, vulnerability scanning, supply chain security, code scanning, policy enforcement, software composition, bill of materials generation, and auditing.
ORT requires Java 25 or later and recommends 8 GiB of memory with at least 4 CPU cores for typical usage. The toolkit is distributed as binaries in ZIP and TGZ formats, as Docker images containing all required external tools, and can be built from source using Gradle. It runs on Linux, Windows, and macOS with equal support across platforms. The project is governed as a Linux Foundation initiative and part of the Automate Compliance Tooling (ACT) program, with governance details maintained in a separate ort-governance repository.