# ankos scan

Run evidence collectors against your AWS or GCP account. Outputs structured JSON evidence per collector plus a SHA-256 integrity manifest.

`ankos scan` is the primary command. It runs the registered evidence collectors against your cloud account using your local credentials, writes the results into an output directory, and computes a SHA-256 manifest so the evidence can be independently verified.
## Synopsis

```bash
ankos scan [flags]
```

## Quick start

```bash
# Scan AWS with default settings (us-east-1, all AWS collectors)
ankos scan

# Scan a specific GCP project
ankos scan --provider gcp --gcp-project my-project-id

# Scan only specific collectors
ankos scan --collectors iam,vpc,s3,kms

# Scan all enabled AWS regions
ankos scan --all-regions

# Validate without making API calls
ankos scan --dry-run
```

## Flags
### Collector selection

| Flag | Default | Description |
|---|---|---|
| `--collectors` | (all) | Comma-separated collector names. See Collectors for the full list. |
| `--provider` | `aws` | Cloud provider: `aws` or `gcp`. Filters which collectors run. |
### AWS-specific

| Flag | Default | Description |
|---|---|---|
| `--region` | `us-east-1` | AWS region(s) to scan, comma-separated. |
| `--all-regions` | `false` | Scan all enabled AWS regions in the account. Overrides `--region`. |
| `--profile` | (none) | AWS profile name from `~/.aws/credentials` / `~/.aws/config`. |
### GCP-specific

| Flag | Default | Description |
|---|---|---|
| `--gcp-project` | (none) | GCP project ID. Required when `--provider gcp`. Falls back to the `GOOGLE_CLOUD_PROJECT` env var. |
### Output

| Flag | Default | Description |
|---|---|---|
| `--output` / `-o` | `ankos-evidence-<timestamp>/` | Output directory for evidence files. |
| `--format` | `text` | Output format for the terminal: `text` (human-readable progress) or `json` (machine-readable, suitable for piping). |
### Upload to Ankos cloud

| Flag | Default | Description |
|---|---|---|
| `--upload` | `false` | After scanning, upload evidence to the Ankos ledger using the configured API key. Requires `ankos auth set-key` first. With `-o` pointing to an existing scan, uploads without re-scanning. |
| `--upload-dry-run` | `false` | Preview what would be uploaded without actually sending. |
| `--seed-ledger` | `false` | After uploading, also seed your Ankos Ledger with the remediation plan as checklist items (Team plan). The same as running `remediate --seed-ledger` — just chained onto the upload. Enable it permanently with `ankos config seed-on-upload on`. |
| `--local-only` | `true` | Save evidence locally only (the default). Mutually exclusive with `--upload`. |
### Multi-account (AWS)

| Flag | Default | Description |
|---|---|---|
| `--all-accounts` | `false` | Scan all PCI-scoped accounts listed in the accounts file. |
| `--accounts` | (none) | Comma-separated account names from the accounts file to scan. |
| `--accounts-file` | `.ankosaccounts` | Path to the accounts configuration file. |

Multi-account scanning uses STS AssumeRole against each account's configured role ARN. See `ankos accounts --help` for setup.
### Validation + exit codes

| Flag | Default | Description |
|---|---|---|
| `--dry-run` | `false` | Print which collectors would run and against which regions, without making any cloud API calls. |
| `--fail-on` | (none) | Exit non-zero on collector failures. `any` exits with code 2 if any collector fails. |
## Examples

### Single-region AWS scan, default collectors

```bash
ankos scan
```

Output: `ankos-evidence-20260526-153045/` containing one JSON file per collector, an aggregate `evidence.json`, and a `manifest.json`.

### Multi-region scan

```bash
ankos scan --region us-east-1,eu-west-1 --collectors iam,cloudtrail,kms
```

Each collector runs in each region. The output filenames include the region for disambiguation (e.g. `iam-us-east-1.json`).

### GCP scan with a subset of collectors

```bash
ankos scan --provider gcp \
  --gcp-project acme-prod \
  --collectors gcp-iam,gcp-kms,gcp-gcs
```

### Scan + upload in one command

```bash
ankos auth set-key --key <your-api-key>   # one-time setup
ankos scan --upload
```

The scan runs locally first, then the evidence is uploaded to your Ankos ledger and attached to the matching entries in your active cycle.

### Seed the ledger in the same step (Team)

```bash
ankos scan --upload --seed-ledger
```

On the Team plan, add `--seed-ledger` to also push the remediation plan onto the matching ledger entries as checklist items — no separate `remediate --seed-ledger` run. The plan is built locally, so it respects your `.ankosscope` and `.ankosignore`, and it seeds every actionable finding (use `remediate --severity … --seed-ledger` if you want to seed only a subset).

Prefer it always on? Flip it once and plain `scan --upload` will do it:

```bash
ankos config seed-on-upload on
```

Seeding never blocks the upload — your evidence is already safe; if seeding fails (e.g. you're not on the Team plan) you'll see a warning, not an error.

### Upload an existing scan without re-running

```bash
ankos scan --upload -o ./ankos-evidence-20260526-153045/
```

If `-o` points to a directory that already contains a `manifest.json`, the CLI skips the scan and uploads what's already there.

### CI-friendly mode

```bash
ankos scan --format json --fail-on any --output ./out
```

`--format json` emits structured progress to stdout so other tools can parse it. `--fail-on any` makes the command exit non-zero if anything failed — useful for build pipelines.
## Output

Every scan produces a directory like this:

```
ankos-evidence-20260526-153045/
├── manifest.json   # SHA-256 hashes + scan metadata
├── evidence.json   # Full package as a single JSON document
├── iam.json        # Per-collector evidence (one per collector)
├── vpc.json
├── kms.json
├── ...             (one per successful collector)
```

See Scan output for the JSON shapes.
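The manifest is what lets a reviewer check the package without trusting the machine that produced it. The following is an added example, not the ankos CLI's own code: it hashes a flat evidence directory, then reports files whose digest changed, files the manifest lists but that are gone, and files on disk the manifest never covered. The manifest layout used here (`{"files": {"<name>": "<hex sha256>"}}`) is an assumption; the real shape is documented under Scan output.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream the file so a large evidence.json is not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(evidence_dir):
    """Hash every file in the (flat) directory except the manifest itself.
    Assumed manifest shape: {"files": {name: hex_digest}}."""
    files = {name: sha256_file(os.path.join(evidence_dir, name))
             for name in sorted(os.listdir(evidence_dir)) if name != "manifest.json"}
    return {"files": files}


def verify_manifest(evidence_dir):
    """mismatched = digest differs (corruption or tampering); missing = listed but
    absent; extra = on disk but not covered by the manifest, so unverified."""
    with open(os.path.join(evidence_dir, "manifest.json"), encoding="utf-8") as f:
        expected = json.load(f)["files"]
    on_disk = {n for n in os.listdir(evidence_dir) if n != "manifest.json"}
    mismatched = [n for n in expected if n in on_disk
                  and sha256_file(os.path.join(evidence_dir, n)) != expected[n]]
    missing = sorted(set(expected) - on_disk)
    extra = sorted(on_disk - set(expected))
    return {"ok": not (mismatched or missing or extra),
            "mismatched": mismatched, "missing": missing, "extra": extra}


def demo():
    """Constructed evidence directory: write, manifest, verify, tamper, re-verify."""
    d = tempfile.mkdtemp(prefix="ankos-evidence-")
    for name, body in {"iam.json": '{"users": []}', "kms.json": '{"keys": []}'}.items():
        with open(os.path.join(d, name), "w", encoding="utf-8") as f:
            f.write(body)
    with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump(build_manifest(d), f)
    clean = verify_manifest(d)
    with open(os.path.join(d, "iam.json"), "a", encoding="utf-8") as f:
        f.write("\n")  # one appended byte is enough to change the digest
    return clean, verify_manifest(d)
```

`demo()` returns the clean result followed by the tampered one; in a pipeline, exit non-zero whenever `verify_manifest(...)["ok"]` is false.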
## Authentication

The CLI uses your existing local credentials — the same ones the AWS CLI or gcloud reads. It does not prompt for or store credentials.

- AWS: standard provider chain (env vars → `~/.aws/credentials` → IAM role on EC2/ECS/Lambda → SSO). Use `--profile` to pin to a named profile.
- GCP: Application Default Credentials (ADC). Run `gcloud auth application-default login` or set `GOOGLE_APPLICATION_CREDENTIALS` to a service-account JSON path. The CLI uses read-only scopes where the service offers them.
## Permissions required

All collectors are read-only. For AWS, the broadest scope is `SecurityAudit` plus `ViewOnlyAccess`. For GCP, project-level Viewer plus the relevant service-specific viewer roles is sufficient.

If a collector hits a permission error on a specific call, it reports the failure and continues — other collectors still produce evidence. Use `--dry-run` ahead of time to validate which collectors are wired up.
## Exit codes

| Code | Meaning |
|---|---|
| 0 | Scan completed; either all collectors ran cleanly or `--fail-on` was unset |
| 1 | Setup error — invalid flags, missing credentials, can't reach a cloud API at all |
| 2 | One or more collectors failed and `--fail-on any` was set |