ankos scope
Manage the .ankosscope file — the declarative definition of which resources are inside your PCI cardholder data environment (CDE). Applied at report time, not scan time.
ankos scope manages the .ankosscope file — the declarative
definition of which resources are inside your PCI cardholder data
environment (CDE). The file is plain YAML and lives in your repo, so the
scope decision is reviewable, diffable, and survives team turnover.
Scope is applied at report time, not scan time. Scans always collect everything across your account for completeness; the scope file controls which resources show up in the active findings list versus the out of scope appendix. This separation means you can re-scope without re-running an expensive cloud API sweep.
The .ankosscope file records your scoping decision so it travels with
the evidence. It is not a scope determination by Ankos: the QSA-agreed
cardholder data environment is the source of truth. Use
ankos accounts discover to get
a starting point, then confirm the boundary with your assessor.
Synopsis
```
ankos scope <subcommand> [flags]
```

Subcommands
| Subcommand | What it does |
|---|---|
| init | Write a default .ankosscope template. |
| show | Print the resolved current scope. |
| validate | Check .ankosscope syntax and summarize the rule counts. |
Quick start
```bash
# Create a template at .ankosscope
ankos scope init
# Print the current scope
ankos scope show
# Validate a scope file at a non-default path
ankos scope validate --file ./prod-scope.yaml
```

Flags
--file is a persistent flag — it applies to every subcommand.
| Flag | Default | Description |
|---|---|---|
| --file | .ankosscope | Path to the scope definition file. |
What scope can match
A .ankosscope file declares include / exclude rules across four
dimensions. A resource is in scope if it matches the include rules and is
not excluded:
- Tags — AWS resource tags, as include/exclude lists of key + value pairs. A resource with any included tag pair is in scope.
- VPCs — include/exclude lists of VPC IDs.
- Accounts — include/exclude lists of account IDs.
- Collectors — include/exclude lists of collector names (an empty include list means all collectors).
With no rules defined, every resource is in scope.
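As an added illustration of the matching rules above (not Ankos's own code), the Python below resolves a parsed scope against constructed sample resources. It assumes that a dimension whose include list is empty imposes no constraint, that every constrained dimension must match (AND across dimensions), and that a matching exclude rule always wins; the scope dict is constructed to mirror the `ankos scope show` example later on this page.

```python
from dataclasses import dataclass, field

# Assumptions (not stated on the page): an empty include list imposes no
# constraint on its dimension, constrained dimensions are ANDed, and a
# matching exclude rule always removes the resource from scope.

@dataclass
class Resource:
    account: str
    vpc: str
    collector: str            # name of the collector that found it
    tags: dict = field(default_factory=dict)

def _rules(scope: dict, dim: str):
    """Return (include, exclude) lists for one dimension, tolerating nulls."""
    d = (scope.get("scope") or {}).get(dim) or {}
    return list(d.get("include") or []), list(d.get("exclude") or [])

def _tag_match(rules, tags):
    # ANY listed key/value pair present on the resource counts as a match.
    return any(tags.get(r["key"]) == r["value"] for r in rules)

def in_scope(scope: dict, res: Resource) -> bool:
    """True when the resource falls inside the CDE defined by the scope file."""
    checks = (
        ("tags", res.tags, _tag_match),
        ("vpcs", res.vpc, lambda rules, v: v in rules),
        ("accounts", res.account, lambda rules, v: v in rules),
        ("collectors", res.collector, lambda rules, v: v in rules),
    )
    for dim, value, match in checks:
        include, exclude = _rules(scope, dim)
        if exclude and match(exclude, value):
            return False      # exclude wins over any include
        if include and not match(include, value):
            return False      # a non-empty include list must be satisfied
    return True               # no rules at all: everything is in scope

def partition(scope: dict, resources):
    """Split resources into (active findings, out-of-scope appendix)."""
    active = [r for r in resources if in_scope(scope, r)]
    return active, [r for r in resources if r not in active]

# Constructed scope mirroring the `ankos scope show` example on this page.
SCOPE = {"scope": {
    "tags": {"include": [{"key": "pci-scope", "value": "true"}], "exclude": []},
    "vpcs": {"include": [], "exclude": []},
    "accounts": {"include": ["123456789012"], "exclude": []},
    "collectors": {"include": [], "exclude": ["macie"]},
}}
```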
The .ankosscope file
ankos scope init writes this template:
```yaml
# .ankosscope — PCI DSS Cardholder Data Environment scope definition
# Resources matching these criteria are in PCI scope.
# Everything else is reported as "OUT OF SCOPE" separately.
#
# Scope is applied at REPORT time, not scan time.
# Scans always collect everything for completeness.
scope:
  # Include by AWS resource tags
  # Resources with ANY of these tag key:value pairs are in scope
  tags:
    include: []
    # - key: "pci-scope"
    #   value: "true"
    # - key: "environment"
    #   value: "production"
    exclude: []
    # - key: "environment"
    #   value: "dev"
  # Include/exclude by VPC ID
  vpcs:
    include: []
    exclude: []
  # Include/exclude by account ID
  accounts:
    include: []
    exclude: []
  # Include/exclude specific collectors
  collectors:
    include: [] # empty = all collectors
    exclude: []
    # - "macie"
```

init refuses to overwrite an existing file — point --file at a new
path to create a second scope.
Examples
Inspect the resolved scope
```bash
ankos scope show
```

```
PCI DSS Scope (.ankosscope):
Tag includes:
  pci-scope = true
Account includes: [123456789012]
Collector excludes: [macie]
```

With no rules defined, show reports No scope filters defined — all resources are in scope.
Validate syntax before a report
```bash
ankos scope validate
```

```
✓ .ankosscope is valid
1 tag rule(s), 0 VPC rule(s), 1 account rule(s), 1 collector rule(s)
```

validate confirms the file parses and prints how many rules it found per
dimension.
How scope feeds the report
ankos report reads the scope file via its
--scope-file flag (default .ankosscope). In-scope resources drive the
active findings; out-of-scope resources are listed separately so the
evidence shows you scoped deliberately rather than by omission.
ankos accounts discover --generate-scope
writes a starter .ankosscope you can refine.
Exit codes
| Code | Meaning |
|---|---|
| 0 | The subcommand completed (template written, scope shown, or file valid) |
| 1 | The file could not be written, read, or parsed, or it failed validation |