Feature Focus: Data Retention Policy and Notifications
How are application snapshots retained?
For specific use cases such as Software Composition Analysis (OSS IP risks, CVEs) of third-party components, CAST Highlight is often used to monitor applications and prevent risks at the earliest stage possible. Ideally, our users do not want vulnerable component versions or Cloud blockers to be deployed in production, so they need to analyze applications at the end of a sprint or in their nightly builds. This is easy to achieve by integrating our command-line tool within their CI/CD pipeline so that every build runs a CAST Highlight scan and publishes updated results in the dashboards.
However, over time the usability of some CAST Highlight dashboards, such as TRENDS at the portfolio level, degrades, as it is impractical to view a data point for every scan over the last three, four or five years! Therefore, we recently implemented an application scan retention policy.
The application snapshot retention policy is described below:
- One snapshot per day will be maintained online for scan results less than 1 week old
- One snapshot per week will be maintained online for scan results more than 1 week and less than 3 months old
- One snapshot per month will be maintained online for scan results more than 3 months and less than 1 year old
- One snapshot per quarter will be maintained online for scan results more than 1 year old
- One snapshot per year will be maintained online for scan results more than 3 years old
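To make the tiers concrete, here is an added example (not CAST Highlight's own code) that applies the policy above to a list of scan dates and reports which snapshots stay online. It assumes that within each bucket the most recent scan is the one kept, that "3 months" means 91 days, and that the quarterly tier covers ages from 1 year up to 3 years before the yearly tier takes over.

```python
# Tiered snapshot-retention selector: an added illustration, not CAST's code.
# Assumptions not fixed by the policy text: the most recent scan in a bucket is
# the one kept, "3 months" is 91 days, and the quarterly tier covers ages from
# 1 year up to 3 years (the yearly tier applies beyond that).
from datetime import date, timedelta

WEEK = timedelta(days=7)
THREE_MONTHS = timedelta(days=91)
ONE_YEAR = timedelta(days=365)
THREE_YEARS = timedelta(days=3 * 365)


def bucket_key(scan: date, today: date) -> tuple:
    """Map a scan date to the retention bucket it competes in, based on its age."""
    age = today - scan
    if age < WEEK:                 # less than 1 week old: one per day
        return ("day", scan)
    if age < THREE_MONTHS:         # 1 week to 3 months: one per ISO week
        iso = scan.isocalendar()
        return ("week", iso[0], iso[1])
    if age < ONE_YEAR:             # 3 months to 1 year: one per calendar month
        return ("month", scan.year, scan.month)
    if age < THREE_YEARS:          # 1 to 3 years: one per quarter (assumed upper bound)
        return ("quarter", scan.year, (scan.month - 1) // 3)
    return ("year", scan.year)     # more than 3 years: one per year


def select_retained(scans, today: date) -> list:
    """Return the sorted scan dates kept online; everything else would be archived."""
    keep = {}
    for scan in scans:
        key = bucket_key(scan, today)
        if key not in keep or scan > keep[key]:   # newest scan in the bucket wins
            keep[key] = scan
    return sorted(keep.values())


# Constructed sample input: four years of nightly CI scans, evaluated on a fixed date.
TODAY = date(2024, 1, 15)
NIGHTLY = [TODAY - timedelta(days=n) for n in range(4 * 365)]

if __name__ == "__main__":
    kept = select_retained(NIGHTLY, TODAY)
    print(f"{len(NIGHTLY)} nightly scans -> {len(kept)} kept online")
    for tier in ("day", "week", "month", "quarter", "year"):
        count = sum(1 for d in kept if bucket_key(d, TODAY)[0] == tier)
        print(f"  {tier:8s} tier: {count} snapshot(s)")
```

Running it on the constructed four years of nightly scans thins 1460 snapshots down to a few dozen, which is the reduction that keeps a long-running TRENDS chart readable.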
How and when does this apply?
The scan retention policy is not automatically enabled for all portfolios. Depending on the number of applications and the scanning frequency of each application, portfolios are regularly checked by CAST for eligibility. If your portfolio meets these criteria, a ‘SCAN RESULT RETENTION’ menu entry will appear under the ‘COMPANY’ menu. This view previews which applications will be maintained and which will be archived.
This retention policy will be applied to your portfolio on a quarterly basis.