ankos ignore
Manage the .ankosignore file — the persistent, reviewable record of findings your team has accepted, each with a reason, an approver, and an optional expiry.
ankos ignore manages the .ankosignore file — the persistent record of
findings your team has reviewed and accepted, each with a reason, an
approver, and an optional expiry date. Accepted findings are excluded from
the ankos report active backlog by
default, keeping it focused on what still needs work.
The .ankosignore is plain YAML and lives in your repo, so the
acceptance history is reviewable, diffable, and survives team turnover.
Accepting a finding records your team's risk decision (who signed off, why, and until when) so it travels with the evidence. It is not a determination by Ankos that the finding is resolved, and the QSA still reviews each accepted item. The reason and approver are required for exactly this reason.
Synopsis
ankos ignore <subcommand> [flags]
Subcommands
| Subcommand | What it does |
|---|---|
| add | Add an accepted finding (requires --check, --reason, --approved-by). |
| list | List all currently-accepted findings, marking any past their expiry. |
| expired | Show only acceptances past their --expires date that need re-review. |
Quick start
# Accept a finding with a reason and approver
ankos ignore add --check "EBS volumes encrypted" \
--reason "Dev environment" \
--approved-by "leo@company.com"
# List every accepted finding
ankos ignore list
# Show acceptances that have expired and need re-review
ankos ignore expired
Flags
--file is a persistent flag — it applies to every subcommand.
| Flag | Default | Description |
|---|---|---|
| --file | .ankosignore | Path to the ignore file. |
add flags
| Flag | Default | Description |
|---|---|---|
| --check | (none) | Check name to accept. Required. |
| --reason | (none) | Justification for the acceptance. Required. |
| --approved-by | (none) | Email of the approver. Required. |
| --resource | (none) | A specific resource ID to scope the acceptance to. |
| --expires | (none) | Expiry date in YYYY-MM-DD format. |
The approval date is set automatically to the day you run add. An
--expires value that is not a valid YYYY-MM-DD date is rejected.
Examples
Accept a whole-check finding
ankos ignore add --check "EBS volumes encrypted" \
--reason "Dev environment" \
--approved-by "leo@company.com"
Accept a single resource with an expiry
ankos ignore add --check "EC2 instances enforce IMDSv2" \
--resource "i-0abc123" \
--reason "Legacy app" \
--approved-by "security@co.com" \
--expires "2026-09-30"
Scoping to --resource accepts the finding for that one resource only;
the same check on other resources still surfaces.
Review the acceptance log
ankos ignore list
Accepted findings (.ankosignore):
1. EC2 instances enforce IMDSv2 [active]
Resource: i-0abc123
Reason: Legacy app
Approved: security@co.com (2026-06-01)
Expires: 2026-09-30
Each entry is tagged active or expired based on its --expires date.
Find acceptances due for re-review
ankos ignore expired
⚠ 1 expired acceptance(s) need re-review:
✗ EBS volumes encrypted
Reason: Dev environment
Expired: 2026-01-31
Approved: leo@company.com (2025-07-31)
Wire ankos ignore expired into CI so an acceptance that has lapsed
resurfaces instead of silently staying suppressed.
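One way to wire that check into a pipeline, as an added example that is not part of the Ankos documentation or project. It assumes, from the exit-code table on this page, that `ankos ignore expired` exits 0 whenever the subcommand completes, so the gate keys on the summary line shown in the sample output; the function names `count_expired` and `expired_gate` are hypothetical.

```shell
#!/bin/sh
# Added example: CI gate for lapsed acceptances (not Ankos project code).
# Assumption: `ankos ignore expired` exits 0 even when it lists expired
# entries, because the documented exit code 1 covers only flag and file
# errors. The gate therefore inspects the output, not just the exit status.

# count_expired: read `ankos ignore expired` output on stdin and print the
# number from the "N expired acceptance(s) need re-review:" summary line.
# Prints 0 when no such line is present.
count_expired() {
    n=$(sed -n 's/^[^0-9]*\([0-9][0-9]*\) expired acceptance(s) need re-review:.*$/\1/p' | head -n 1)
    echo "${n:-0}"
}

# expired_gate [FILE]: return 0 when nothing has lapsed, 1 when at least one
# acceptance needs re-review, 2 when ankos itself failed (unreadable file,
# bad flag). A tool failure fails the build rather than passing silently.
expired_gate() {
    out=$(ankos ignore expired --file "${1:-.ankosignore}") || {
        echo "ankos ignore expired failed; failing the gate" >&2
        return 2
    }
    n=$(printf '%s\n' "$out" | count_expired)
    if [ "$n" -gt 0 ]; then
        # Surface the full entries (check, reason, approver) in the job log.
        printf '%s\n' "$out" >&2
        return 1
    fi
    return 0
}

# In a CI step:  expired_gate .ankosignore || exit 1
```
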
How acceptances feed the report
ankos report reads the ignore file via its
--ignore-file flag (default .ankosignore). Accepted findings are kept
out of the active backlog and annotated with their reason, so the
acceptance is visible in the evidence rather than hidden. An expired
acceptance no longer suppresses its finding.
Exit codes
| Code | Meaning |
|---|---|
| 0 | The subcommand completed |
| 1 | A required flag was missing, --expires was malformed, or the file could not be read or written |

