Understanding Veracode Rules for Data Retention and Archiving
Veracode retains your uploaded binaries according to specific rules.
Veracode uses retention rules for these categories of user-provided and system-generated data:
- Perform results-quality investigations upon request
- Support rescan without re-uploading modules with issues or errors
Veracode sets these default retention periods for these files:
- 45 days for binaries for a submitted scan.
- 90 days for scans you started, but did not submit. This status can occur if:
  - The prescan completed, but you did not click Submit.
  - The prescan did not complete because it found errors.
  - You created the scan, but did not upload any files.
These periods are subject to change. Veracode may decrease these retention periods for your Veracode account.
When Veracode deletes an uploaded binary, it adds an entry to the activity log for the scan. The activity log identifies the binaries deleted for a specific scan. After deleting the uploaded binary, Veracode cycles the encryption key.
Veracode sets the default retention period for template files to 60 days, but this period is subject to change. Veracode may decrease this retention period for your Veracode Platform account.
Veracode generates a datapath for certain types of static findings. This datapath includes a list of source files and line numbers in the application through which your data passes to the potentially vulnerable line. Veracode retains this datapath information by keeping either of these collections, whichever has the larger number of scans:
- The last three scans
- All scans from the last three months
If a scan is older than the retention timeframe, Veracode automatically removes its datapath information. If the finding remains open, you can view the datapath in results for the latest scan.
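The datapath rule above can be checked against your own scan history. The following is an added example, not Veracode code: the function names and scan dates are constructed, and "three months" is assumed to mean 90 days because the page gives no exact day count.

```python
from datetime import date, timedelta

# Assumption: "three months" is treated as 90 days.
WINDOW = timedelta(days=90)
MIN_SCANS = 3  # "the last three scans"


def scans_with_datapath(scan_dates, today):
    """Return the scan dates (newest first) that still keep datapath data."""
    newest_first = sorted(scan_dates, reverse=True)
    last_three = newest_first[:MIN_SCANS]
    in_window = [d for d in newest_first if today - d <= WINDOW]
    # Both collections are prefixes of the newest-first list, so the one
    # with more scans always contains the other.
    return last_three if len(last_three) >= len(in_window) else in_window


def scans_without_datapath(scan_dates, today):
    """Return the scan dates whose datapath data has been removed."""
    kept = set(scans_with_datapath(scan_dates, today))
    return sorted(d for d in scan_dates if d not in kept)


# Constructed sample data: one application scanned weekly, one scanned rarely.
TODAY = date(2024, 6, 30)
WEEKLY = [TODAY - timedelta(days=7 * i) for i in range(20)]
RARE = [date(2023, 1, 10), date(2023, 6, 1), date(2023, 11, 15), date(2024, 2, 1)]

if __name__ == "__main__":
    for name, scans in (("weekly", WEEKLY), ("rare", RARE)):
        kept = scans_with_datapath(scans, TODAY)
        gone = scans_without_datapath(scans, TODAY)
        print(f"{name}: {len(kept)} scans keep datapath, {len(gone)} do not")
        print("  oldest scan with datapath:", min(kept))
```

For the weekly application the time window decides what is kept; for the rarely scanned one the last three scans are kept even though all of them are older than the window.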
Sandbox Scan Results
Veracode retains sandbox scan results according to the time-to-live setting for the sandbox. After the time-to-live period expires, Veracode archives sandbox scan results to Veracode Analytics.
After you delete sandbox information, you cannot recover it.