Report Structure
Every AnkerCode Evidence Report has seven sections in German. Here is what each section contains and why it matters.
Section 1: Zusammenfassung
Section titled “Section 1: Zusammenfassung”A key-metrics table at the top of the report:
| Kennzahl | Bedeutung |
|---|---|
| Scan-Datum | When the scan was run |
| Branch / Commit | Git context for reproducibility |
| Gefundene Schwachstellen (gesamt) | Total CVE count across all severities |
| Davon Kritisch/Hoch (offen) | The number that matters most to auditors |
| Secrets-Treffer | Exposed credentials found by Gitleaks |
| Lizenzen erfasst | Total license findings |
| Akzeptierte Risiken | Findings with a documented risk acceptance |
This section is what a CTO reads first. Keep the “Kritisch/Hoch (offen)” number low.
Section 2: SBOM-Zusammenfassung
Section titled “Section 2: SBOM-Zusammenfassung”A reference to the CycloneDX SBOM generated by Syft, including:
- SBOM format (always CycloneDX in Phase 0)
- SHA-256 hash of the SBOM file (first 16 chars)
- Local file path
The hash lets an auditor verify the SBOM file hasn’t been altered after generation.
Section 3: Schwachstellen
Section titled “Section 3: Schwachstellen”All open CVE findings grouped by severity:
| Severity | Color | Description |
|---|---|---|
| Kritisch | Red ● | CVSS 9.0–10.0. Immediate action required. |
| Hoch | Orange ● | CVSS 7.0–8.9. Should be fixed within the sprint. |
| Mittel | Yellow ● | CVSS 4.0–6.9. Fix in next release cycle. |
| Niedrig | Blue ● | CVSS 0.1–3.9. Fix when convenient. |
| Info | Gray ● | Informational. No immediate risk. |
Each finding shows: CVE ID, affected package + version, whether a fix is available (and what version to upgrade to), and the manifest file where the dependency was found.
Findings covered by a VEX not_affected statement or a risk acceptance do not appear in this section — they appear in Sections 5 and 6 instead.
Section 4: Lizenz-Risiko
Section titled “Section 4: Lizenz-Risiko”Two parts:
- Summary table — each license detected and how many packages use it
- Per-license package list — for each license, the packages using it
Common “safe” licenses (MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC) require no action. Flag licenses to watch for: GPL-2.0, GPL-3.0, AGPL-3.0, LGPL (copyleft implications), BUSL-1.1, and any UNKNOWN entries.
Section 5: Vulnerability-Handling-Nachweis
Section titled “Section 5: Vulnerability-Handling-Nachweis”Your documented VEX statements from ankercode.decisions.yaml. For each:
- Finding ID (short)
- Status (not_affected / affected / fixed / under_investigation)
- Justification or prose statement
- Author (the human responsible)
This section is what demonstrates to an auditor that your team analyzed findings rather than ignoring them. It is the core of CRA Article 13’s vulnerability handling requirement.
Section 6: Akzeptierte Risiken
Section titled “Section 6: Akzeptierte Risiken”Your documented risk acceptances from ankercode.decisions.yaml. For each:
- Finding ID (short)
- Reason for accepting
- Who accepted it
- Expiry date (or “unbegrenzt”)
Accepted risks without an expiry date should be reviewed periodically — add a reminder to your issue tracker.
Section 7: Methodik und Scanner-Versionen
Section titled “Section 7: Methodik und Scanner-Versionen”The final section records exactly which scanner versions were used:
| Scanner | Version |
|---|---|
| Syft | 1.46.0 |
| Trivy | 0.72.0 |
| Gitleaks | 8.30.1 |
This is what makes the report reproducible. Running ankercode report again with the same findings.json + same decisions.yaml always produces the same output.
The section ends with the legal disclaimer: this report is machine-generated and does not constitute a conformity declaration. A human is responsible for review and signature.
