
From scan to audit-ready

The end-to-end Ankos CLI workflow — discover your AWS estate, collect evidence, see where you stand, close the gaps, and hand an integrity-verified package to your QSA. Free, local, and read-only.

Three weeks before a QSA assessment, most teams can't say whether they're 60% ready or 95%. The Ankos CLI closes that gap: in an afternoon it maps your estate, collects PCI DSS evidence, shows you exactly where you stand, and packages it for your QSA — free, local, and read-only.

This guide walks the whole loop end to end. Each step links to its full command reference.

Ankos prepares evidence; it never renders a compliance verdict. Everything below gives you a head start: your infrastructure evidence organized and integrity-verified for hand-off. The manual evidence and policy narrative are still on you, and your QSA makes the final determination.

The flow at a glance

accounts discover → scan → report → remediate → (re-)scan
                          verify  ←  export  ←───────┘
                            └──→  hosted ledger: sign-off + QSA review

Discover what's in scope → collect evidence → see where you stand → close the gaps → re-scan to confirm → verify integrity → hand off to your QSA.

1. Map your estate and scope

Start by seeing what you actually have. ankos accounts discover is a fast, read-only sweep that inventories resources, flags obvious risks, and recommends which accounts are likely in PCI scope — so you don't spend time scanning accounts that don't matter.

ankos accounts discover

# …or across every account in .ankosaccounts, writing a starter scope file:
ankos accounts discover --all-accounts --generate-scope

--generate-scope writes a .ankosscope you can refine to lock in your cardholder data environment. See ankos accounts discover.

2. Collect evidence

Run the collectors against the in-scope accounts. Each writes structured JSON, and the package includes a SHA-256 manifest so it can be independently verified.

ankos scan -o ./evidence

# multi-account:
ankos scan --all-accounts -o ./evidence

See ankos scan and scan output.

3. See where you stand

ankos report turns the evidence into a readiness picture: an at-a-glance PCI Score, per-requirement rollups, coverage ("evidence collected for N of 12 requirements"), and the top items to address first.

ankos report ./evidence

# a self-contained HTML dashboard to share:
ankos report ./evidence --format html -o ./pci-report.html

The PCI Score is an evidence-readiness signal, not a compliance grade. See ankos report.

4. Close the gaps

ankos remediate turns the findings into an actionable plan — copy-paste AWS CLI commands, Terraform, Kubernetes manifests, or a sprint plan with effort estimates, prioritized by risk.

ankos remediate ./evidence

# a sprint plan, or infrastructure-as-code you can apply:
ankos remediate ./evidence --format plan --team-size 3 --sprint-weeks 2
ankos remediate ./evidence --format terraform -o ./fixes/

See ankos remediate.

5. Re-scan and watch it move

Once you've fixed things, scan again and compare. --diff shows what changed (and the PCI Score delta); --trend shows the score over time.

ankos scan -o ./evidence-new
ankos report ./evidence-new --diff ./evidence    # what changed since last run
ankos report ./evidence-new --trend              # score over time

6. Verify integrity and hand off

Before the package leaves your hands, prove it hasn't changed. ankos verify re-checks every file against the manifest — and flags any altered, missing, or planted file. Then bundle it for your QSA.

ankos verify ./evidence
ankos export ./evidence --format qsa-package

verify needs nothing but shasum to reproduce, so Ankos can be removed from the trust path entirely. See ankos verify.
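The independent check that step 2 promises (a SHA-256 manifest a recipient can re-compute) and that step 6 relies on (flagging altered, missing, or planted files) is small enough to reproduce by hand. The script below is an added example, not Ankos code, and it assumes a manifest format the page does not specify: a shasum(1)-style text file named manifest.sha256 at the package root, one `<sha256-hex>  <relative path>` line per file. The evidence files it checks are constructed in a temporary directory so the example runs offline.

```python
"""Re-check an evidence package against its SHA-256 manifest without the tool that made it.

Added example (not part of the Ankos CLI). Assumption: the manifest is a
shasum(1)-style file, ``<sha256-hex>  <relative path>`` per line, stored as
manifest.sha256 at the package root. Sample evidence below is constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.sha256"  # assumed file name; the page does not state it


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large evidence dumps don't land in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Map relative path -> expected hex digest (shasum output: two-space separator)."""
    expected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, rel = line.partition("  ")
        if rel.startswith("*"):  # binary-mode marker some hash tools emit
            rel = rel[1:]
        expected[rel] = digest.lower()
    return expected


def write_manifest(root) -> None:
    """Produce the manifest the same way a collector would (used only to build the demo)."""
    root = Path(root)
    lines = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            lines.append(f"{sha256_file(p)}  {rel}")
    (root / MANIFEST_NAME).write_text("\n".join(lines) + "\n")


def verify_package(root) -> dict:
    """Classify every file as ok / altered / missing / planted relative to the manifest."""
    root = Path(root)
    expected = parse_manifest((root / MANIFEST_NAME).read_text())
    # Walk the directory too: a manifest-only check never notices files that were added.
    present = {
        str(p.relative_to(root)).replace(os.sep, "/")
        for p in root.rglob("*")
        if p.is_file() and p.name != MANIFEST_NAME
    }
    result = {"ok": [], "altered": [], "missing": [], "planted": []}
    for rel, digest in sorted(expected.items()):
        path = root / rel
        if not path.is_file():
            result["missing"].append(rel)
        elif sha256_file(path) != digest:
            result["altered"].append(rel)
        else:
            result["ok"].append(rel)
    result["planted"] = sorted(present - expected.keys())
    result["clean"] = not (result["altered"] or result["missing"] or result["planted"])
    return result


def demo() -> dict:
    """Constructed package: verify it clean, then tamper three ways and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "iam").mkdir()
        (root / "iam" / "users.json").write_text('{"users": []}\n')
        (root / "s3.json").write_text('{"buckets": [{"name": "logs", "public": true}]}\n')
        (root / "cloudtrail.json").write_text('{"trails": 1}\n')
        write_manifest(root)
        clean = verify_package(root)

        # Tamper: hide a finding, drop a file, slip an extra file into the package.
        (root / "s3.json").write_text('{"buckets": [{"name": "logs", "public": false}]}\n')
        (root / "cloudtrail.json").unlink()
        (root / "iam" / "extra.json").write_text("{}\n")
        tampered = verify_package(root)
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for label, r in demo().items():
        print(label, {k: v for k, v in r.items() if k != "ok"})
```

The directory walk is the part worth noting: `shasum -a 256 -c manifest.sha256` reproduces the altered and missing checks, but it only visits the paths listed in the manifest, so a file dropped into the package after signing passes unnoticed. Comparing the listed set against what is actually on disk is what turns a hash check into the planted-file check step 6 describes.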

7. Take it further — sign-off and QSA review

The CLI gets your infrastructure evidence organized and integrity-verified — a head start, not the whole assessment. The hosted Ankos ledger is where your team carries it the rest of the way: attach the manual evidence and policy narrative, assign owners, sign off each item, and have your QSA review and accept it — tracking cycle progress along the way.

Cycle progress is a different thing from the CLI's PCI Score. The score is a point-in-time read on your evidence; the ledger tracks how far your assessment workflow has advanced (signed off → reviewed → accepted).

ankos scan --upload    # push evidence straight into your active ledger cycle

See the hosted ledger for the team + QSA workflow.

Keep it honest over time

Compliance drifts between assessments — a new public bucket, a disabled CloudTrail, an over-permissive role added during an incident. Wire the CLI into CI so drift shows up within a day, not at your next QSA visit:

ankos report ./evidence --format github --fail-on action-needed
  • CI drift detection — schedule a scan + report; report --format github posts a readiness summary to the GitHub job summary, and --fail-on breaks the build on action-needed findings. See CI/CD integration and ankos drift.
  • Across cycles — when the next assessment comes around, carry-forward reuses still-valid evidence so you're not starting from zero.

Next steps