Retention Strategy

Why retention matters

SBOMs are evidence. Auditors ask for them to prove provenance, regulators expect them to demonstrate control, and security teams use them to explain why a fix shipped. Keeping every SBOM generated by every build quickly becomes noise. Retention policies let you deliberately decide which versions stay searchable and which can be archived.

Balancing history and signal

High-frequency build pipelines can emit hundreds of SBOMs per day. You rarely need all of them: the most recent one captures the current state, and a small history shows how it changed. Retention policies help you avoid drowning in duplicates while still keeping enough artifacts to reproduce a release or satisfy an investigation.

Aligning with supply chain governance

Different applications carry different risk. Critical customer-facing services might keep the latest 20 SBOMs, while an internal tool keeps only the most recent copy. Highly regulated workloads may need “milestone” SBOMs tied to each signed release. Treat retention like any other control: define tiers, document the rationale, and review them alongside your broader supply-chain program.

Next steps

• Decide on retention tiers for each application or workspace, based on risk and regulatory expectations.
• Use the CLI or UI to apply those policies during upload.
• Review the technical behavior and CLI flags in the Retention Policies reference before rolling out automation.