Evidence sources
Three ways evidence gets into the ledger — automated CLI scans, manual uploads, and attested carry-forward from previous cycles.
Every piece of evidence in your ledger comes from one of three sources. The source is reflected in the entry's state so a reviewer can see at a glance how the evidence arrived.
1. Automated CLI scan
The Ankos CLI connects to your AWS account with read-only credentials and collects evidence for infrastructure-heavy entries — IAM configuration, KMS keys, S3 bucket policies, VPC security groups, CloudTrail status, and more.
ankos scan --upload --api-key <your-key>
This uploads the scan results directly into your current cycle. Entries that
a collector populated advance to evidence_collected. Roughly 48% of DRL
categories are fully or partially automatable this way.
Entries populated by a scan carry the collector name and the scan timestamp so a reviewer can always trace where the evidence came from.
Your AWS credentials never leave your machine. The CLI runs locally and uploads only the structured scan results.
See the CLI reference for scan options and the list of collectors.
2. Manual upload
Many evidence categories are inherently manual — policies, training rosters, signed attestations, network diagrams, change records. For these, open the entry and drag a file into the upload area, or click to select.
Every entry shows:
- Expected evidence — what the QSA is looking for
- Accepted formats — PDF, PNG, DOCX, CSV, and so on
- Upload instructions — specific tips for this category (for example, for DIA-01, what the network diagram should depict)
- Screenshot target — for console-based evidence, exactly what to capture
A successful upload advances the entry to evidence_uploaded and records
who uploaded the file and when.
3. Carry-forward
Most evidence doesn't change every quarter. Your acceptable use policy, your incident response plan, your vendor list — these stay valid until something changes. Carry-forward lets you reuse evidence from a previous cycle with an explicit attestation that it's still valid.
From an entry, click Carry forward from previous cycle. You'll be
prompted for an attestation note ("reviewed 2026-Q1, no changes") and the
entry advances to carried_forward.
Your QSA sees the original upload date, the carry-forward attestations, and the list of cycles the evidence has spanned.
See Carry-forward for the full flow.
When to use each
| Situation | Source |
|---|---|
| AWS IAM, KMS, CloudTrail, VPC, S3 configuration | CLI scan |
| Security policies, training records, signed attestations | Manual upload |
| Network diagrams, data-flow diagrams | Manual upload |
| Unchanged evidence from the previous cycle | Carry-forward |
| Evidence a collector flagged with a concern | Manual follow-up (state becomes needs_attention) |

