Skip to content

Report Structure

Every AnkerCode Evidence Report has seven sections in German. Here is what each section contains and why it matters.


A key-metrics table at the top of the report:

Kennzahl Bedeutung
Scan-Datum When the scan was run
Branch / Commit Git context for reproducibility
Gefundene Schwachstellen (gesamt) Total CVE count across all severities
Davon Kritisch/Hoch (offen) The number that matters most to auditors
Secrets-Treffer Exposed credentials found by Gitleaks
Lizenzen erfasst Total license findings
Akzeptierte Risiken Findings with a documented risk acceptance

This section is what a CTO reads first. Keep the “Kritisch/Hoch (offen)” number low.


A reference to the CycloneDX SBOM generated by Syft, including:

  • SBOM format (always CycloneDX in Phase 0)
  • SHA-256 hash of the SBOM file (first 16 chars)
  • Local file path

The hash lets an auditor verify the SBOM file hasn’t been altered after generation.


All open CVE findings grouped by severity:

Severity Color Description
Kritisch Red ● CVSS 9.0–10.0. Immediate action required.
Hoch Orange ● CVSS 7.0–8.9. Should be fixed within the sprint.
Mittel Yellow ● CVSS 4.0–6.9. Fix in next release cycle.
Niedrig Blue ● CVSS 0.1–3.9. Fix when convenient.
Info Gray ● Informational. No immediate risk.

Each finding shows: CVE ID, affected package + version, whether a fix is available (and what version to upgrade to), and the manifest file where the dependency was found.

Findings covered by a VEX not_affected statement or a risk acceptance do not appear in this section — they appear in Sections 5 and 6 instead.


Two parts:

  1. Summary table — each license detected and how many packages use it
  2. Per-license package list — for each license, the packages using it

Common “safe” licenses (MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC) require no action. Flag licenses to watch for: GPL-2.0, GPL-3.0, AGPL-3.0, LGPL (copyleft implications), BUSL-1.1, and any UNKNOWN entries.


Section 5: Vulnerability-Handling-Nachweis

Section titled “Section 5: Vulnerability-Handling-Nachweis”

Your documented VEX statements from ankercode.decisions.yaml. For each:

  • Finding ID (short)
  • Status (not_affected / affected / fixed / under_investigation)
  • Justification or prose statement
  • Author (the human responsible)

This section is what demonstrates to an auditor that your team analyzed findings rather than ignoring them. It is the core of CRA Article 13’s vulnerability handling requirement.


Your documented risk acceptances from ankercode.decisions.yaml. For each:

  • Finding ID (short)
  • Reason for accepting
  • Who accepted it
  • Expiry date (or “unbegrenzt”)

Accepted risks without an expiry date should be reviewed periodically — add a reminder to your issue tracker.


The final section records exactly which scanner versions were used:

Scanner Version
Syft 1.46.0
Trivy 0.72.0
Gitleaks 8.30.1

This is what makes the report reproducible. Running ankercode report again with the same findings.json + same decisions.yaml always produces the same output.

The section ends with the legal disclaimer: this report is machine-generated and does not constitute a conformity declaration. A human is responsible for review and signature.