Quick Start
This guide gets you from a fresh install to a full Evidence Report on a real repository.
1. Install AnkerCode
```bash
bash install.sh
```
See Installation for full details.
2. (Optional) Initialize triage decisions
If this is the first time you’re scanning a project, create the decisions file:
```bash
ankercode init /path/to/your/project
```
This creates ankercode.decisions.yaml in your project root. Commit this file: it is what makes your reports reproducible. You can leave it empty for now and fill it in after you see the findings.
3. Run the full check
```bash
ankercode check /path/to/your/project
```
This runs all scanners and generates PDF, HTML, and DOCX reports in one step.
Output:
```text
AnkerCode check — /path/to/your/project
Scanning... ✓
Wrote findings.json (47 findings)
Wrote sbom.cyclonedx.json
Generating PDF...  → ankercode/report-2026-06-30.pdf
Generating HTML... → ankercode/report-2026-06-30.html
Generating DOCX... → ankercode/report-2026-06-30.docx
```

4. Open the report
```bash
xdg-open /path/to/your/project/ankercode/report-2026-06-30.pdf   # Linux
open /path/to/your/project/ankercode/report-2026-06-30.pdf       # macOS
```
The report file names carry the date of the run, so substitute the date shown in your own output. The report contains seven sections, in German:
- Zusammenfassung — key metrics at a glance
- SBOM-Zusammenfassung — CycloneDX SBOM reference + hash
- Schwachstellen — all CVEs grouped by severity (Critical → Info)
- Lizenz-Risiko — license inventory
- Vulnerability-Handling-Nachweis — your VEX statements
- Akzeptierte Risiken — documented risk acceptances
- Methodik — scanner versions used (for reproducibility)
5. Triage findings
Open ankercode/findings.json or the HTML report and copy the finding IDs of anything you want to document. Then edit ankercode.decisions.yaml:
```yaml
vex:
  - findingId: "abc123def456abcd"
    status: not_affected
    justification: vulnerable_code_not_in_execute_path
    # "The affected function is not called in our deployment."
    statement: "Die betroffene Funktion wird in unserem Deployment nicht aufgerufen."
    author: "Vorname Nachname"   # first name, last name
    timestamp: "2026-06-30T10:00:00.000Z"

riskAcceptances:
  - findingId: "def456abc789def0"
    # "Only present in the development environment."
    reason: "Nur in der Entwicklungsumgebung vorhanden."
    acceptedBy: "Vorname Nachname"
    expiresAt: "2027-01-01"
```
Regenerate the report; it now includes your documented decisions:
```bash
ankercode report /path/to/your/project --pdf
```

What gets written to disk
Everything is written under ankercode/ inside your project:
```text
your-project/
  ankercode/
    findings.json            ← normalized findings (all scanners)
    sbom.cyclonedx.json      ← CycloneDX SBOM from Syft
    audit.jsonl              ← append-only audit log
    report-2026-06-30.pdf    ← German Evidence Report
    report-2026-06-30.html   ← standalone HTML version
    report-2026-06-30.docx   ← Word version
  ankercode.decisions.yaml   ← your triage decisions (commit this)
```
The ankercode/ folder is gitignored by default; ankercode.decisions.yaml, which lives in the project root, is not. Commit the decisions file and any reports you want to keep.
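Before committing ankercode.decisions.yaml from step 5, it is worth linting it: a not_affected statement without a justification, a duplicate decision for one finding, or a risk acceptance whose expiresAt has already passed is a decision you cannot defend when the report is audited. The following lint is an added example, not AnkerCode's own code. It assumes that finding IDs look like the 16-hex-character examples above, that status and justification use the OpenVEX vocabulary (the page's not_affected and vulnerable_code_not_in_execute_path are OpenVEX terms, but whether AnkerCode accepts the whole list is not stated here), and that an acceptance past its expiresAt should fail the check. The SAMPLE document embedded in it is constructed for the demo; the file loader needs PyYAML.

```python
"""Lint ankercode.decisions.yaml before committing it (added example, not AnkerCode code).

Assumptions not stated in the docs: finding IDs are 16 lowercase hex characters
(as in the examples), the VEX vocabulary is OpenVEX's, and an acceptance whose
expiresAt has passed is an error.
"""
from __future__ import annotations

import re
import sys
from datetime import date, datetime, timezone

# OpenVEX status and justification vocabularies (assumed to be what AnkerCode expects).
VEX_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
VEX_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}
FINDING_ID = re.compile(r"^[0-9a-f]{16}$")  # shape of the IDs in the examples (assumption)
REPORT_DATE = date(2026, 6, 30)  # the run date used throughout the quick start


def _as_date(value) -> date:
    """PyYAML turns an unquoted 2027-01-01 into a date already; quoted values stay strings."""
    if isinstance(value, datetime):
        return value.date()
    if isinstance(value, date):
        return value
    return date.fromisoformat(str(value))


def lint_decisions(doc: dict, today: date | None = None) -> list[str]:
    """Return one message per problem; an empty list means the file is clean."""
    today = today or datetime.now(timezone.utc).date()
    problems: list[str] = []
    seen: set[str] = set()

    def check_id(where: str, fid: str) -> None:
        if not FINDING_ID.match(fid):
            problems.append(f"{where}: findingId {fid!r} is not 16 hex characters")
        if fid in seen:
            problems.append(f"{where}: {fid} already has a decision (VEX or acceptance)")
        seen.add(fid)

    for i, vex in enumerate(doc.get("vex") or []):
        where = f"vex[{i}]"
        check_id(where, str(vex.get("findingId", "")))
        status = vex.get("status")
        if status not in VEX_STATUSES:
            problems.append(f"{where}: unknown status {status!r}")
        if status == "not_affected":
            # A not_affected claim without a machine-readable reason is not auditable.
            if vex.get("justification") not in VEX_JUSTIFICATIONS:
                problems.append(f"{where}: not_affected requires a valid justification")
            if not vex.get("statement"):
                problems.append(f"{where}: not_affected requires a statement")
        for key in ("author", "timestamp"):
            if not vex.get(key):
                problems.append(f"{where}: missing {key}")
        ts = vex.get("timestamp")
        if ts:
            try:
                datetime.fromisoformat(str(ts).replace("Z", "+00:00"))
            except ValueError:
                problems.append(f"{where}: timestamp {ts!r} is not ISO 8601")

    for i, acc in enumerate(doc.get("riskAcceptances") or []):
        where = f"riskAcceptances[{i}]"
        fid = str(acc.get("findingId", ""))
        check_id(where, fid)
        for key in ("reason", "acceptedBy"):
            if not acc.get(key):
                problems.append(f"{where}: missing {key}")
        try:
            expires = _as_date(acc.get("expiresAt"))
        except ValueError:
            problems.append(f"{where}: expiresAt {acc.get('expiresAt')!r} is not YYYY-MM-DD")
            continue
        if expires <= today:
            # An expired acceptance no longer documents the risk: re-approve it or fix the finding.
            problems.append(f"{where}: acceptance for {fid} expired on {expires.isoformat()}")
    return problems


def load_decisions(path: str) -> dict:
    """Parse the YAML file; needs PyYAML (pip install pyyaml)."""
    import yaml  # third-party, imported here so the lint itself stays dependency-free
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}


# Constructed sample: the page's two decisions plus two deliberately faulty entries.
SAMPLE = {
    "vex": [
        {"findingId": "abc123def456abcd", "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path",
         "statement": "Die betroffene Funktion wird in unserem Deployment nicht aufgerufen.",
         "author": "Vorname Nachname", "timestamp": "2026-06-30T10:00:00.000Z"},
        {"findingId": "0123456789abcdef", "status": "not_affected",  # no justification, no statement
         "author": "Vorname Nachname", "timestamp": "2026-06-30T10:00:00.000Z"},
    ],
    "riskAcceptances": [
        {"findingId": "def456abc789def0", "reason": "Nur in der Entwicklungsumgebung vorhanden.",
         "acceptedBy": "Vorname Nachname", "expiresAt": "2027-01-01"},
        {"findingId": "def456abc789def0", "reason": "Legacy component",  # duplicate ID, already expired
         "acceptedBy": "Vorname Nachname", "expiresAt": "2025-01-01"},
    ],
}

if __name__ == "__main__":
    doc = load_decisions(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    found = lint_decisions(doc, today=REPORT_DATE if doc is SAMPLE else None)
    print("\n".join(found) or "decisions file is clean")
    sys.exit(1 if found else 0)
```

Run it as `python lint_decisions.py ankercode.decisions.yaml` (a hypothetical file name) from a pre-commit hook; with no argument it lints the embedded sample and reports the two bad entries. The duplicate check deliberately spans both lists, because one finding carrying both a not_affected VEX statement and a risk acceptance is contradictory and reviewers should be made to pick one.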
