Integrate the OSS Review Toolkit (ORT) with Vulnetix. Run the ORT pipeline to analyse dependencies, scan licences, and export the results as a CycloneDX or SPDX SBOM for upload to Vulnetix.
CLI tool · SARIF · CycloneDX · SPDX · JSON
Install & scan
# Docker (recommended)
docker pull ghcr.io/oss-review-toolkit/ort

# Or via Homebrew
brew install oss-review-toolkit

# Step 1: Analyse dependencies
docker run --rm -v $(pwd):/project ghcr.io/oss-review-toolkit/ort --info analyze -f JSON -i /project -o /project/.ort/analyzer

# Step 2: Generate CycloneDX SBOM report
docker run --rm -v $(pwd):/project ghcr.io/oss-review-toolkit/ort --info report -f CycloneDx -i /project/.ort/analyzer/analyzer-result.json -o /project/.ort/reports
Run OSS Review Toolkit in CI
Scan on every push and upload the results to Vulnetix:
- name: Run ORT analyze
  run: |
    docker run --rm -v $PWD:/project ghcr.io/oss-review-toolkit/ort analyze -f JSON -i /project -o /project/.ort/analyzer
- name: Generate CycloneDX SBOM
  run: |
    docker run --rm -v $PWD:/project ghcr.io/oss-review-toolkit/ort report -f CycloneDx -i /project/.ort/analyzer/analyzer-result.json -o /project/.ort/reports
- name: Upload to Vulnetix
  run: vulnetix upload --file .ort/reports/bom.cyclonedx.json
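A pre-flight check worth running between the ORT report step and the upload step above, as an added example that is neither ORT's nor Vulnetix's own code: it parses the CycloneDX JSON that ORT's CycloneDx reporter writes to .ort/reports/bom.cyclonedx.json, confirms it really is a CycloneDX document, and lists components that lack a purl or any licence, since those are the ones that will not deduplicate or match vulnerability data cleanly once uploaded. The sample BOM embedded in the script is constructed for illustration.

```python
"""Pre-flight check of an ORT-generated CycloneDX SBOM before `vulnetix upload`.

Added example; not part of ORT or Vulnetix. It assumes the report is the JSON
file ORT's CycloneDx reporter writes to .ort/reports/bom.cyclonedx.json.
"""
import json
import sys
from collections import Counter

# Constructed sample resembling a trimmed ORT CycloneDX JSON report.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "licenses": [{"license": {"id": "WTFPL"}}]},
        {"type": "library", "name": "internal-lib", "version": "0.1.0",
         "purl": "pkg:maven/com.example/internal-lib@0.1.0", "licenses": []},
    ],
})


def preflight(bom_text: str) -> dict:
    """Summarise the BOM; raise ValueError if it is not a CycloneDX document."""
    bom = json.loads(bom_text)
    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        raise ValueError("not CycloneDX; was the ORT report run with -f CycloneDx?")
    components = bom.get("components", [])
    # Without a purl a component cannot be matched to vulnerability data or
    # deduplicated against other scanners' findings, so list those explicitly.
    missing_purl = [f"{c['name']}@{c.get('version', '?')}"
                    for c in components if not c.get("purl")]
    # Components ORT could not attribute a licence to need manual review.
    unlicensed = [c["name"] for c in components if not c.get("licenses")]
    # Count licences by SPDX id; entries carrying only a free-text name count as UNKNOWN.
    licence_counts = Counter(
        lic.get("license", {}).get("id", "UNKNOWN")
        for c in components for lic in c.get("licenses", [])
    )
    return {"specVersion": bom["specVersion"], "components": len(components),
            "missing_purl": missing_purl, "unlicensed": unlicensed,
            "licences": dict(licence_counts)}

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_BOM
    print(json.dumps(preflight(text), indent=2))
```

Run it as `python preflight.py .ort/reports/bom.cyclonedx.json` in the CI job before the upload step; with no argument it runs against the embedded sample.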
Centralise OSS Review Toolkit results in Vulnetix
Upload OSS Review Toolkit SARIF, CycloneDX, SPDX or JSON output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.