Quickstart
Run your first Ankos scan and see your AWS environment mapped to PCI DSS requirements in under five minutes.
This guide walks you through installing the Ankos CLI and running your first PCI DSS evidence scan against your AWS account. The CLI is free and requires no signup.
Scanning GCP, GitHub, Okta/Entra, or Kubernetes instead? The steps are identical — just change --provider and pass that provider's flags. See provider selection and the ankos scan flags.
1. Install the CLI
curl -sSL https://get.ankos.dev | sh
Verify the install:
ankos version
2. Configure AWS credentials
Ankos uses your existing AWS credentials — the same ones the AWS CLI uses. You can use a named profile or environment variables.
# Using a profile
export AWS_PROFILE=my-profile
# Or environment variables
export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
export AWS_REGION=us-east-1
Ankos only needs read-only permissions. Your credentials stay on your machine — we never transmit or store AWS keys.
3. See what's in scope (recommended)
Before scanning, get a high-level map of your AWS estate and which accounts likely matter for PCI:
ankos accounts discover
In a few seconds you get a per-account resource inventory, risk flags (public S3, users without MFA, missing audit logging), and a LIKELY IN PCI SCOPE / OUT OF SCOPE recommendation — so you scan only what counts. Add --generate-scope to write a starter .ankosscope from the results. See ankos accounts discover.
4. Run your first scan
ankos scan -o ./evidence
The CLI will scan your AWS environment across all in-scope services (IAM, S3, KMS, VPC, CloudTrail, GuardDuty, RDS, and more) and write the structured evidence to ./evidence/ — one JSON file per collector plus a SHA-256 integrity manifest.
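To notice changes to the evidence directory between the scan and the hand-off, you can keep your own SHA-256 record outside ./evidence/. This is an added example, not Ankos code or part of the original guide: it does not read the Ankos manifest (whose format this page does not describe), and the function names, the seal file, and the sample JSON files are assumptions.

```shell
#!/bin/sh
# Added example: independent SHA-256 record ("seal") of an evidence directory.
# seal_evidence / check_evidence and the seal file are hypothetical names.

# Hash every regular file below the current directory (Linux or macOS tool).
_hash_tree() {
  if command -v sha256sum >/dev/null 2>&1; then
    find . -type f -exec sha256sum {} +
  else
    find . -type f -exec shasum -a 256 {} +
  fi
}

# seal_evidence DIR SEAL: write "hash  ./path" lines for DIR into SEAL.
# Keep SEAL outside DIR so the record is not part of what it covers.
seal_evidence() {
  ( cd "$1" && _hash_tree | LC_ALL=C sort -k 2 ) > "$2"
}

# check_evidence DIR SEAL: print ADDED / MISSING / MODIFIED paths.
# Returns 0 if DIR still matches SEAL, 1 if it differs, 2 on error.
check_evidence() {
  _now=$(mktemp) || return 2
  seal_evidence "$1" "$_now" || { rm -f "$_now"; return 2; }
  # Each line is 64 hex digits, two separator characters, then the path.
  _diff=$(awk '
    FILENAME == ARGV[1] { want[substr($0, 67)] = $1; next }
    { path = substr($0, 67); seen[path] = 1
      if (!(path in want)) print "ADDED    " path
      else if (want[path] != $1) print "MODIFIED " path }
    END { for (p in want) if (!(p in seen)) print "MISSING  " p }
  ' "$2" "$_now" | LC_ALL=C sort)
  rm -f "$_now"
  [ -z "$_diff" ] && return 0
  printf '%s\n' "$_diff"
  return 1
}

# Constructed demo: two stand-in evidence files in a temporary directory.
demo=$(mktemp -d)
mkdir "$demo/evidence"
echo '{"collector":"iam"}' > "$demo/evidence/iam.json"
echo '{"collector":"s3"}' > "$demo/evidence/s3.json"
seal_evidence "$demo/evidence" "$demo/evidence.seal"
echo '{"collector":"s3","edited":true}' > "$demo/evidence/s3.json"
check_evidence "$demo/evidence" "$demo/evidence.seal" || echo "evidence changed since sealing"
rm -rf "$demo"
```

Run seal_evidence right after the scan, store the seal file separately from the evidence, and run check_evidence before handing the directory over.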
5. Generate a report
ankos report ./evidence --format html -o ./ankos-report.html
Supported formats: text (default), json, csv, html, and github (for CI job summaries). See ankos report for the full flag reference including --severity, --top, --trend, and CI-friendly --fail-on exit codes.
6. Explore results
Open ankos-report.html in your browser. You'll see:
- Evidence coverage — "Evidence collected for N of 12 applicable requirements" plus the per-status counts (ready / action needed / review). Readiness, not a graded compliance number.
- Severity-graded findings — READY, ACTION NEEDED, REVIEW, and INFO rows, color-coded with CRITICAL / HIGH / MEDIUM severity badges
- PCI requirement mapping — every finding tagged with the exact PCI DSS 4.0.1 sub-requirement(s) it maps to (e.g. 1.3.1, 10.2.1)
- Remediation guidance — plain-English guidance on what to fix and why it matters for each ACTION NEEDED item
- Self-contained — single HTML file with embedded CSS, no external assets, no install required. Your QSA opens it in any browser.
Next steps
From scan to audit-ready
The full workflow — discover, scan, report, remediate, verify, hand off to your QSA.
Full CLI Reference
All commands, flags, and collectors.
Scan output
What's in the evidence directory — JSON shape, manifest, file structure.
CI/CD integration
Schedule scans in GitHub Actions / GitLab CI to catch PCI drift between assessments.
Upgrade to the Team plan
Get the full Ankos Ledger with 60-day free trial.

