Feature Focus: Data Retention Policy and Notifications

Some of our clients use CAST Highlight to analyze their applications and generate Software Intelligence insights on a weekly or daily basis. Over time, this generates a significant amount of data in the CAST Highlight portal. To keep results clear and the user experience responsive, CAST Highlight has implemented a scan retention policy. This article explains the retention policy and how to preview the resulting application snapshot changes in your portfolio, if the policy applies to it.

How are application snapshots retained?

For specific use cases such as Software Composition Analysis (OSS IP risks, CVEs) of third-party components, CAST Highlight is often used to monitor applications and catch risks at the earliest possible stage. Ideally, our users do not want vulnerable component versions or Cloud blockers to reach production; hence the need to analyze applications at the end of each sprint or in nightly builds. This is easy to achieve by integrating our command-line tool into the CI/CD pipeline so that every build runs a CAST Highlight scan and publishes updated results to the dashboards.

However, over time the usability of some CAST Highlight dashboards, such as TRENDS at the portfolio level, will degrade as it is impractical to view a data point for every scan for the last three, four or five years! Therefore, we recently implemented an application scan retention policy.

The application snapshot retention policy is described below:

  • One snapshot per day is kept online for scan results less than 1 week old
  • One snapshot per week is kept online for scan results more than 1 week and less than 3 months old
  • One snapshot per month is kept online for scan results more than 3 months and less than 1 year old
  • One snapshot per quarter is kept online for scan results more than 1 year old
  • One snapshot per year is kept online for scan results more than 3 years old

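To make the tiering above concrete, here is an added illustration of how such a thinning policy decides which snapshots stay online and which are archived. This is not CAST Highlight's own code; it assumes the tier boundaries are 7, 90, 365 and 3×365 days, that within each period (day, ISO week, month, quarter, year) the newest scan is the one retained, and it runs over a constructed list of scan dates against a fixed reference date.

```python
"""Tiered snapshot retention, modelled on the policy tiers described above.

Added illustration only (not CAST Highlight code). Assumptions, labelled:
  - tier boundaries: <7 days daily, <90 days weekly, <365 days monthly,
    <3*365 days quarterly, otherwise yearly;
  - within one period the newest scan is kept, older ones are archived;
  - weeks follow ISO week numbering (Monday to Sunday).
"""
from datetime import date, timedelta

# (upper age bound in days, tier name); ages beyond the last bound are yearly.
TIERS = [
    (7, "day"),             # less than 1 week old: one snapshot per day
    (90, "week"),           # less than 3 months (assumed 90 days): one per week
    (365, "month"),         # less than 1 year: one per month
    (3 * 365, "quarter"),   # less than 3 years: one per quarter
]


def bucket_key(scan_day: date, today: date) -> tuple:
    """Map a scan date to the period it competes in, given the reference date."""
    age = (today - scan_day).days
    tier = "year"
    for bound, name in TIERS:
        if age < bound:
            tier = name
            break
    if tier == "day":
        return ("day", scan_day.isoformat())
    if tier == "week":
        iso_year, iso_week, _ = scan_day.isocalendar()
        return ("week", iso_year, iso_week)
    if tier == "month":
        return ("month", scan_day.year, scan_day.month)
    if tier == "quarter":
        return ("quarter", scan_day.year, (scan_day.month - 1) // 3 + 1)
    return ("year", scan_day.year)


def apply_retention(scan_days, today: date):
    """Return (kept, archived) lists of dates, each sorted newest first.

    One scan survives per period; the newest scan in that period wins.
    """
    newest = {}
    for d in scan_days:
        key = bucket_key(d, today)
        if key not in newest or d > newest[key]:
            newest[key] = d
    kept = sorted(newest.values(), reverse=True)
    kept_set = set(kept)
    archived = sorted((d for d in scan_days if d not in kept_set), reverse=True)
    return kept, archived


# Constructed sample: a reference date and scans spread across every tier.
TODAY = date(2024, 6, 30)
SAMPLE_SCANS = [
    date(2024, 6, 30), date(2024, 6, 29), date(2024, 6, 28),  # daily tier
    date(2024, 6, 20), date(2024, 6, 18),                     # same ISO week (25)
    date(2024, 6, 10),                                        # ISO week 24
    date(2024, 3, 15), date(2024, 3, 1),                      # same month
    date(2023, 8, 5),                                         # monthly tier
    date(2023, 2, 10), date(2023, 1, 20),                     # same quarter (2023 Q1)
    date(2020, 9, 9), date(2020, 4, 1),                       # same year, yearly tier
]


def preview(scan_days=SAMPLE_SCANS, today: date = TODAY) -> dict:
    """Preview the retention outcome as ISO date strings, for reporting."""
    kept, archived = apply_retention(scan_days, today)
    return {
        "kept": [d.isoformat() for d in kept],
        "archived": [d.isoformat() for d in archived],
    }


if __name__ == "__main__":
    result = preview()
    print("Kept online:", *result["kept"], sep="\n  ")
    print("Archived:", *result["archived"], sep="\n  ")
```

Running the script on the constructed sample keeps nine snapshots and archives four: the older of the two June scans in ISO week 25, the older March scan, the older 2023 Q1 scan and the older 2020 scan. Real portfolios differ in boundary handling (for example how "3 months" is counted), so treat the thresholds here as illustrative.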
How and when does this apply?

The scan retention policy is not automatically enabled for all portfolios. CAST regularly checks portfolios for eligibility, based on the number of applications and the scanning frequency of each application. If your portfolio meets these criteria, a CAST consultant will contact you, and CAST will enable the scan retention policy for your portfolio so that you can preview which application snapshots will be kept and which will be archived.

This retention policy is applied to your portfolio on a quarterly basis; archived scan results remain available on demand as CSV files delivered in a ZIP archive.