Introduction
AnkerCode is a local-first CRA/BSI compliance evidence layer for German software teams. It runs existing open-source scanners on your machine, normalizes the results into an open-format evidence model, and produces audit-ready German-language compliance reports.
Source code never leaves your machine by default. Only normalized findings, SBOMs, hashes, and package metadata may leave — and only when you explicitly opt in.
What problem it solves
The EU Cyber Resilience Act (CRA) requires manufacturers of products with digital elements to maintain a Software Bill of Materials, handle vulnerabilities systematically, and be able to file a 24-hour incident report from September 2026. Full applicability begins December 2027.
Most companies in German Mittelstand — Maschinenbau, IoT, Industrie 4.0, MedTech — don’t have a dedicated security team. They have a CTO, a dev team, and a growing pile of compliance questions from customers and auditors.
AnkerCode gives them two commands to go from “I have a repository” to “I have a PDF I can show my auditor.”
What it is not
AnkerCode is not a scanner. It wraps Syft, Trivy, Gitleaks, and (from Phase 1) Semgrep for code-level deprecation analysis. Its value is normalization, prioritization, and evidence packaging, not CVE detection.
AnkerCode is not a compliance certificate. It produces inputs for your compliance process. A human is responsible for reviewing and signing the evidence.
AnkerCode is not a SaaS platform (yet). Phase 0 is a CLI that runs on your machine. A dashboard is planned for Phase 1 once design partners need cross-run history.
The two core commands
```sh
# 1. Scan + generate all reports in one step
ankercode check /path/to/your/project

# 2. Or run them separately
ankercode scan /path/to/your/project
ankercode report /path/to/your/project --pdf
```
The result: an ankercode/ folder inside your project containing findings.json, sbom.cyclonedx.json, and a dated PDF report in German.
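Before the evidence pack goes to a human reviewer, it is worth checking that the three artifacts are actually present, that the SBOM is well-formed CycloneDX, and recording a hash manifest so an auditor can later verify the files were not altered. The following is an added example, not AnkerCode's own code; the CycloneDX checks and the sample pack it constructs are assumptions for illustration (the page does not specify the findings.json schema, so it is only checked for presence).

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Artifacts the page says `ankercode check` leaves in <project>/ankercode/
REQUIRED = ("findings.json", "sbom.cyclonedx.json")

def verify_evidence_pack(pack_dir: Path) -> dict:
    """Sanity-check an evidence pack before a human reviews and signs it.
    Returns problems (empty list = ok), a SHA-256 manifest and a component count."""
    problems, manifest, components = [], {}, 0
    for name in REQUIRED:
        if not (pack_dir / name).is_file():
            problems.append(f"missing {name}")
    if not list(pack_dir.glob("*.pdf")):
        problems.append("missing PDF report")
    # Manifest lets the auditor verify later that the files were not altered
    for f in sorted(pack_dir.iterdir()):
        if f.is_file():
            manifest[f.name] = hashlib.sha256(f.read_bytes()).hexdigest()
    sbom_path = pack_dir / "sbom.cyclonedx.json"
    if sbom_path.is_file():
        try:
            sbom = json.loads(sbom_path.read_text())
        except json.JSONDecodeError:
            problems.append("sbom.cyclonedx.json is not valid JSON")
            sbom = {}
        if sbom and sbom.get("bomFormat") != "CycloneDX":
            problems.append("SBOM is not CycloneDX")
        # A component without purl and version cannot be matched against CVE data
        for c in sbom.get("components", []):
            components += 1
            if not c.get("purl") or not c.get("version"):
                problems.append(f"component {c.get('name')} lacks purl/version")
    return {"problems": problems, "manifest": manifest, "components": components}

def make_sample_pack() -> Path:
    """Constructed sample pack (not real AnkerCode output) so this runs offline."""
    d = Path(tempfile.mkdtemp()) / "ankercode"
    d.mkdir()
    sbom = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"name": "left-pad"}]}  # deliberately incomplete entry
    (d / "sbom.cyclonedx.json").write_text(json.dumps(sbom))
    (d / "findings.json").write_text("[]")
    (d / "report-2025-01-15.pdf").write_bytes(b"%PDF-1.4 constructed placeholder")
    return d
```

Running `verify_evidence_pack(make_sample_pack())` on the constructed pack reports the incomplete `left-pad` entry and returns a manifest with one SHA-256 per file.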
Language and compliance framing
AnkerCode uses precise language around compliance. You will never see the phrase “Mit AnkerCode sind Sie CRA-konform.” The approved framing:
- CRA Readiness — not “CRA compliance”
- Evidence Pack — the collection of artifacts produced
- SBOM Quality Check — evaluation of your Software Bill of Materials
- Vulnerability-Handling-Nachweis — documented evidence of your vulnerability handling process
- Technische Unterstützung für Compliance-Prozesse — technical support for compliance processes
A tool produces inputs. A human decides and signs.
