# SBOM ledger retention policy
## Purpose
Retention keeps ledger history bounded while preserving audit trails for compliance.
## Configuration
Settings are bound from `SbomService:Ledger` (env prefix `SBOM_SbomService__Ledger__`):
- `MaxVersionsPerArtifact`: max ledger versions retained per artifact (default 50).
- `MaxAgeDays`: prune versions older than N days (0 disables age pruning).
- `MinVersionsToKeep`: minimum versions always retained per artifact.
## Operations
- `POST /internal/sbom/retention/prune` applies retention rules and returns a summary.
- `GET /internal/sbom/ledger/audit?artifact=<ref>` returns audit entries for create/prune actions.
## Guarantees
- Audit entries are append-only and preserved even when versions are pruned.
- Deterministic ordering is used when selecting versions to prune.
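
One way the three `SbomService:Ledger` settings and the append-only audit guarantee could fit together, as an added Python model that is not the service's own code. The record shape, the newest-first ordering with a version tie-break, the summary fields, and the rule that `MinVersionsToKeep` overrides both limits are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class LedgerVersion:              # hypothetical record shape
    artifact: str
    version: int                  # assumed to increase with each new ledger entry
    created_at: datetime

def select_prunable(versions, now, max_versions=50, max_age_days=0, min_keep=1):
    """Pick the versions of ONE artifact to prune, oldest first."""
    # Newest first; the version number breaks timestamp ties, so the result
    # does not depend on input order (assumed ordering).
    ordered = sorted(versions, key=lambda v: (v.created_at, v.version), reverse=True)
    cutoff = now - timedelta(days=max_age_days) if max_age_days > 0 else None
    prune = []
    for rank, v in enumerate(ordered):
        if rank < min_keep:
            continue              # MinVersionsToKeep floor beats both limits
        over_count = rank >= max_versions                        # MaxVersionsPerArtifact
        too_old = cutoff is not None and v.created_at < cutoff   # MaxAgeDays (0 = off)
        if over_count or too_old:
            prune.append(v)
    return prune[::-1]

def apply_retention(ledger, audit, now, **settings):
    """Drop prunable versions; the audit list only ever grows."""
    pruned = select_prunable(ledger, now, **settings)
    for v in pruned:
        ledger.remove(v)
        audit.append({"action": "prune", "artifact": v.artifact, "version": v.version})
    return {"pruned": [v.version for v in pruned], "retained": len(ledger)}

# Constructed sample: six versions of one artifact, aged 1 to 400 days.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
ART = "registry.example/app:constructed"

def sample_ledger():
    ages = [400, 200, 100, 40, 10, 1]             # version 1 is the oldest
    return [LedgerVersion(ART, i + 1, NOW - timedelta(days=d)) for i, d in enumerate(ages)]

if __name__ == "__main__":
    ledger = sample_ledger()
    audit = [{"action": "create", "artifact": ART, "version": v.version} for v in ledger]
    print(apply_retention(ledger, audit, NOW, max_versions=4, max_age_days=90, min_keep=2))
    print(len(audit), "audit entries,", len(ledger), "versions left")
```
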