CLI Reference
All Ankos CLI commands, flags, and behaviors — for engineers who want to drive the CLI from a terminal or pipeline.
The Ankos CLI is a single binary (ankos) that collects PCI DSS evidence
from your AWS, GCP, GitHub, Okta, Microsoft Entra ID, and Kubernetes
environments using your local credentials. It runs read-only, never
modifies infrastructure, and never transmits credentials to Ankos.
New here?
This page is a per-command reference. To see how the commands fit together end to end, read From scan to audit-ready.
At a glance
Evidence collection + verification
| Command | What it does |
|---|---|
| ankos scan | Run evidence collectors against your cloud account |
| ankos collectors | List available collectors with PCI requirement mappings |
| ankos verify-integrity | Verify evidence integrity against the SHA-256 manifest (formerly ankos verify) |
Analysis + reporting (operates on scan output)
| Command | What it does |
|---|---|
| ankos report | PCI DSS readiness report — text, JSON, CSV, or HTML; CI-friendly exit codes |
| ankos drift | Compare current state against a baseline; flag posture regressions |
| ankos remediate | Generate prioritized remediation guidance and a sprint plan |
| ankos docs | Generate Word policy documents pre-filled with your scan data |
| ankos export | Bundle evidence into an audit-ready package for QSA hand-off (see ankos export --help) |
| ankos questionnaire | Auto-fill SIG / CAIQ security questionnaires from scan evidence (see --help) |
Pre-assessment + scoping
| Command | What it does |
|---|---|
| ankos accounts discover | Start here — read-only estate sweep that flags risks and recommends which accounts are in PCI scope |
| ankos init | Guided AWS onboarding — verify access, detect environment, create scope files (see --help) |
| ankos triage | Pre-assessment triage — determine your SAQ type (or ROC) and run gap analysis (formerly ankos assess; see --help) |
| ankos scope | Manage .ankosscope (define what's in your CDE) |
| ankos ignore | Manage .ankosignore (accept findings with reason + approver) |
| ankos accounts | Multi-account AWS configuration for scans + drift |
| ankos explain | Plain-English reference for PCI DSS requirements (see --help) |
Auth + meta
| Command | What it does |
|---|---|
| ankos auth set-key | Set the API key for uploading to your Ankos ledger |
| ankos auth whoami | Show the currently authenticated user / org |
| ankos version | Print version, commit, build date |
| ankos completion | Generate shell completion scripts (bash, zsh, fish, powershell) |
Commands marked "see --help" don't have dedicated documentation pages
yet — run ankos <command> --help for full flag references. The Long:
text on every command covers the gist.
Global behaviors
These hold across every command unless noted otherwise:
- Read-only credentials. The CLI uses your existing AWS / GCP credentials, GitHub / Okta / Entra read-only tokens, or kubeconfig context, and only calls read APIs. It never modifies your resources.
- Credentials stay local. Your AWS access keys, GCP service-account JSON, GitHub / Okta / Entra tokens, kubeconfig, or session tokens are never transmitted to Ankos. Evidence output stays on your machine unless you explicitly --upload.
- Per-collector isolation. A single collector failing (e.g. an insufficient IAM permission for one service) does not fail the whole scan. The other collectors run and the failure is reported in the summary.
- Integrity by default. Every scan emits a manifest.json with a SHA-256 hash for each output file. The hash is computable independently using standard tools (shasum -a 256) — Ankos can be removed from the trust path at verification time.
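
An added example, not part of the Ankos documentation or code: a standalone Python check that recomputes each digest without the Ankos binary, as the integrity bullet above describes. The manifest layout (a top-level "files" object mapping relative path to SHA-256 hex) and the sample file names are assumptions made for illustration; adjust the parsing to the real shape documented under Scan output.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream the file so large evidence files are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_scan_dir(scan_dir: Path, manifest_name: str = "manifest.json") -> dict:
    """Compare every file under scan_dir with the digests in the manifest."""
    root = scan_dir.resolve()
    # ASSUMED layout: {"files": {"<relative path>": "<sha256 hex>"}}
    listed = json.loads((root / manifest_name).read_text())["files"]
    result = {"ok": [], "mismatch": [], "missing": [], "rejected": []}
    for rel, expected in listed.items():
        target = (root / rel).resolve()
        if not target.is_relative_to(root):  # entry points outside the scan dir
            result["rejected"].append(rel)
        elif not target.is_file():
            result["missing"].append(rel)
        elif sha256_file(target) == expected.lower():
            result["ok"].append(rel)
        else:
            result["mismatch"].append(rel)
    # Files on disk that the manifest does not list are covered by no hash.
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    result["unlisted"] = sorted(on_disk - set(listed) - {manifest_name})
    return result

def demo() -> dict:
    """Build a constructed scan directory, alter it, then verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "iam.json").write_text('{"users": []}')      # constructed sample
        (root / "s3.json").write_text('{"buckets": []}')     # constructed sample
        files = {n: sha256_file(root / n) for n in ("iam.json", "s3.json")}
        files["kms.json"] = "0" * 64                         # listed, never written
        (root / "manifest.json").write_text(json.dumps({"files": files}))
        (root / "s3.json").write_text('{"buckets": ["x"]}')  # changed after hashing
        (root / "notes.txt").write_text("added later")       # not in the manifest
        return verify_scan_dir(root)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a pipeline, treat any non-empty mismatch, missing, rejected or unlisted list as a failed verification.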
Provider selection
By default the CLI runs against AWS. Pass --provider to scan a different
source. The collector registry is shared but each collector advertises its
provider — the --provider flag filters the ones that run. Accepted
values: aws, gcp, github, okta, entra, k8s.
```bash
# AWS (default)
ankos scan
# GCP
ankos scan --provider gcp --gcp-project my-project-id
# GitHub
ankos scan --provider github --github-org my-org
# Okta / Entra (identity providers)
ankos scan --provider okta --okta-org-url https://acme.okta.com --okta-token <token>
ankos scan --provider entra --entra-tenant <id> --entra-client-id <id> --entra-client-secret <secret>
# Kubernetes
ankos scan --provider k8s
```

See ankos scan for each provider's flags and Collectors for the full list per provider.
Where to go next
ankos scan
The main collection command. Flags, examples, output layout.
Collectors
Every collector, what it pulls, and which PCI requirement it maps to.
ankos verify-integrity
Independently verify a scan's integrity using shasum.
ankos report
PCI readiness report from a scan — text/JSON/CSV/HTML with CI exit codes.
ankos drift
Compare current state against a baseline; catch posture regressions between assessments.
ankos docs
Generate Word policy documents pre-filled with your AWS data.
ankos remediate
Turn findings into prioritized guidance and a sprint plan.
Scan output
What's in the evidence package — JSON shape, manifest, file structure.
CI/CD integration
Run scans on a schedule in GitHub Actions / GitLab CI to catch drift.
Installation
Install via the official shell installer or download a binary directly.
Settings
Profile, organization, billing, categories, notifications, and password management.
ankos accounts discover
A fast, read-only sweep across your AWS accounts that inventories resources, flags risks, and recommends which accounts are likely in PCI scope — the natural first step before a full scan.

