Skip to main content


The analyzer is a Software Composition Analysis (SCA) tool that determines the dependencies of software projects inside the specified input directory (-i). It does so by querying the detected package managers; no modifications to your existing project source code, like applying build system plugins, are necessary for that to work. The tree of transitive dependencies per project is written out as part of an OrtResult in YAML (or JSON, see -f) format to a file named analyzer-result.yml in the specified output directory (-o). The output file exactly documents the status quo of all package-related metadata. It can be further processed or manually edited before passing it to one of the other tools.

Currently, the following package managers (grouped by the programming language they are most commonly used with) are supported:

If another package manager that is not part of the list above is used (or no package manager at all), the generic fallback to SPDX documents can be leveraged to describe projects or packages.