ORT Insight for Visual Studio Code
Integrate the OSS Review Toolkit (ORT) directly into your development workflow. ORT Insight lets you analyze open-source dependencies, check license compliance, generate SBOMs, and scan for security vulnerabilities -- all without leaving VS Code.
[Screenshot placeholder]
Features
- Dependency Analysis -- Run the ORT Analyzer on any project with a supported package manifest. View a color-coded dependency tree with license risk indicators (green for permissive, yellow for weak copyleft, red for strong copyleft).
- License Compliance Dashboard -- Interactive webview dashboard showing license distribution, package counts, risk summaries, and top licenses at a glance.
- SBOM Generation -- Export a Software Bill of Materials in CycloneDX or SPDX format with a single command.
- ORT HTML Reports -- Generate ORT's native StaticHTML or WebApp reports for sharing with stakeholders.
- Vulnerability Advisories -- Query the OSV vulnerability database through ORT Advisor and view CVE details, severity ratings, and references.
- Inline Diagnostics -- See real-time warnings on import statements when a dependency has a problematic license.
- Status Bar Integration -- A persistent status bar item shows your current compliance posture and provides one-click access to the dashboard.
- Policy Evaluation -- Run ORT's Evaluator engine with customizable Kotlin-based policy rules to enforce license compliance, flag copyleft dependencies, detect missing licenses, and report policy violations with severity levels and remediation guidance.
- Setup Wizard -- A guided first-run experience that auto-detects Java and ORT installations across Windows, macOS, and Linux.
Prerequisites
Java 21+
ORT requires Java 21 or later. We recommend Eclipse Temurin.
| Platform |
Install Command |
| Windows |
winget install EclipseAdoptium.Temurin.21.JDK |
| macOS |
brew install --cask temurin@21 |
| Ubuntu/Debian |
sudo apt install temurin-21-jdk |
Download the latest release from ORT GitHub Releases. Extract the archive and note the path to the ort (or ort.bat on Windows) executable inside the bin/ directory.
Verify both prerequisites are working:
java -version # Should show 21.x or later
ort --version # Should print the ORT version
Installation
Install ORT Insight from the VS Code Marketplace:
- Open VS Code.
- Go to the Extensions view (
Ctrl+Shift+X / Cmd+Shift+X).
- Search for ORT Insight.
- Click Install.
Alternatively, install from a .vsix file:
code --install-extension ort-insight-0.1.0.vsix
Quick Start
- Open a project that contains a package manifest (
package.json, pom.xml, build.gradle, requirements.txt, go.mod, etc.).
- Open the Command Palette (
Ctrl+Shift+P / Cmd+Shift+P).
- Run ORT Insight: Run ORT Analyzer.
- Wait for the analysis to complete (the first run may take several minutes while ORT resolves dependencies).
- Browse results in the ORT Insight sidebar panel, or click the status bar item to open the dashboard.
If this is your first time using the extension, the Setup Wizard will open automatically to help you configure Java and ORT paths.
Commands
All commands are available through the Command Palette under the ORT Insight category.
| Command |
Description |
| ORT Insight: Run ORT Analyzer |
Analyze project dependencies and licenses |
| ORT Insight: Show License Dashboard |
Open the visual compliance dashboard |
| ORT Insight: Generate SBOM |
Export an SBOM in CycloneDX or SPDX format |
| ORT Insight: Generate ORT HTML Report |
Create a StaticHTML or WebApp report |
| ORT Insight: Check Vulnerability Advisories |
Run ORT Advisor against the OSV database |
| ORT Insight: Refresh Dependency Tree |
Reload analysis results into the tree view |
| ORT Insight: Clear ORT Cache |
Remove cached analysis data from the workspace |
| ORT Insight: Evaluate Policies |
Run policy rules against analysis results |
| ORT Insight: Initialize Policy Rules Templates |
Create customizable policy rule templates in your workspace |
| ORT Insight: Setup Wizard |
Open the guided setup and environment check |
Configuration
Configure ORT Insight under Settings > Extensions > ORT Insight, or edit settings.json directly.
| Setting |
Type |
Default |
Description |
ortInsight.ortPath |
string |
"ort" |
Path to the ORT executable. Defaults to ort on PATH. |
ortInsight.timeout |
number |
900000 |
Timeout for ORT commands in milliseconds (default 15 minutes). |
ortInsight.sbomFormat |
string |
"CycloneDX" |
Preferred SBOM format (CycloneDX or SPDX). |
ortInsight.permissiveLicenses |
array |
["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "0BSD"] |
Licenses classified as permissive (green). |
ortInsight.weakCopyleftLicenses |
array |
["LGPL-2.0", "LGPL-2.1", "LGPL-3.0", "MPL-1.1", "MPL-2.0", "EPL-1.0", "EPL-2.0"] |
Licenses classified as weak copyleft (yellow). |
ortInsight.strongCopyleftLicenses |
array |
["GPL-2.0", "GPL-3.0", "AGPL-3.0"] |
Licenses classified as strong copyleft (red). |
ortInsight.enableDiagnostics |
boolean |
true |
Enable inline diagnostics for problematic licenses in source files. |
ortInsight.policyRulesFile |
string |
"" |
Path to custom evaluator rules file (.rules.kts). Leave empty to use .ort-config/evaluator.rules.kts. |
ortInsight.licenseClassificationsFile |
string |
"" |
Path to custom license classifications file (.yml). Leave empty to use .ort-config/license-classifications.yml. |
Supported Package Managers
ORT Insight supports every package manager that ORT supports, including:
- JavaScript/TypeScript: npm, Yarn, pnpm
- Java/Kotlin: Maven, Gradle
- Python: pip, Poetry, Pipenv
- Go: Go Modules
- Rust: Cargo
- Ruby: Bundler
- PHP: Composer
- C/C++: Conan
- .NET: NuGet
- Swift: SwiftPM, CocoaPods
See the ORT documentation for the full list.
Troubleshooting
ORT not found
Make sure ORT is installed and either available on your system PATH or configured via ortInsight.ortPath. Run the Setup Wizard (ORT Insight: Setup Wizard) to auto-detect the installation.
Java not found
ORT requires Java 21 or later. Verify with java -version. If Java is installed but not detected, set the JAVA_HOME environment variable. ORT Insight will also attempt to auto-detect common Java installation locations.
Analysis times out
For large projects, increase the timeout:
{
"ortInsight.timeout": 1800000
}
This sets the timeout to 30 minutes. You can also check the ORT Insight output channel (View > Output > ORT Insight) to monitor progress.
No results displayed
- Open the ORT Insight output channel to check for errors.
- Verify that the project contains a recognized package manifest file.
- Try running
ort analyze -i . -o .ort -f JSON manually in a terminal to see detailed output.
Advisor fails with network errors
The ORT Advisor needs internet access to query the OSV vulnerability database. If you are behind a corporate proxy or firewall, configure your proxy settings in your environment variables (HTTP_PROXY, HTTPS_PROXY) before starting VS Code.
Inline diagnostics not appearing
- Confirm that
ortInsight.enableDiagnostics is true in settings.
- Run an analysis first -- diagnostics require analysis results.
- Diagnostics appear on source files with import statements, not on configuration files.
Not a git repository warning
ORT works best when the project is inside a git repository. If you see this warning, you can let ORT Insight initialize git for you, or continue without it. Some ORT features may produce incomplete results without git metadata.
Resources
Disclaimer
This extension was developed as a personal project in free time. It is not affiliated with, endorsed by, or officially connected to the OSS Review Toolkit (ORT) project or any employer.
License
This extension is released under the MIT License.
