Artifact retention
Use Artifact retention to check `artifact_retention_status`, `retained_until` and missing artifact reasons before relying on screenshots, HTML snapshots, reports or exports.
Customers, agencies, developers and security reviewers
Feature availability
Product, package, provider and deployment boundaries for this page.
- Available from: Current documentation
- Deployment modes: cloud, self-hosted
Product screenshots
Current customer-safe screenshots are generated from the application so examples do not drift from the product.
Before checking artifact retention
Use this page before depending on a screenshot, HTML snapshot, report evidence record, public report export or ticket export artifact. Retention state explains whether evidence is still available, redacted, expired or missing.
- Review retention status
- Check `retained_until`, `artifact_retention_status`, `screenshot_path` and `html_snapshot_path` before depending on an artifact.
- Keep artifact decisions tied to the accepted scan, report, account and project that created the evidence.
- Stop sharing when `ARTIFACT_RETENTION_POLICY`, `ARTIFACT_REDACTED`, `EVIDENCE_ARTIFACT_MISSING` or `RETENTION_EXPIRED` applies.
Confirm retention before sharing evidence
Follow the path `Scan detail → Artifact availability → Report evidence → Retention status → Share, rescan or stop`.
- Open `/scans/{scanRun}` or `/reports/{report}` before relying on an artifact. Result: the evidence source and artifact state are checked before a report, export or ticket leaves WebRiskOps.
- Check `artifact_retention_status` and `retained_until`. Result: reviewers know whether the screenshot, HTML snapshot or evidence record is current, redacted, expired or scheduled for removal.
- Open Worker readiness → Artifacts on the scan detail page. Result: `screenshot_path`, `html_snapshot_path` and missing artifact notes are visible beside scan coverage.
- Compare artifact paths with Data collected and excluded. Result: retained screenshots and HTML snapshots stay tied to accepted public pages, not private or out-of-scope content.
- Open the report evidence panel before publishing or exporting. Result: the visible evidence and `report_export_status` match the artifact that will be shared.
- If `retained_until` has passed or the path is missing, stop and open Missing evidence. Result: `EVIDENCE_ARTIFACT_MISSING` stays visible instead of hiding an evidence gap.
- If an artifact was redacted, keep `ARTIFACT_REDACTED` visible and use Privacy redaction before sharing. Result: the recipient understands that sensitive values were removed.
- Avoid copying private screenshots, HTML snapshots or provider export files outside approved product storage. Result: retention policy remains enforceable and stale copies do not become a separate record.
- When the website changed after evidence was retained, run a new accepted scan instead of reusing old artifacts. Result: findings and reports use current evidence with a new retention window.
- Continue to Secret handling or Report evidence after the artifact state is clear. Result: credential exposure and report-sharing decisions use the same retention boundary.
Artifacts that can be retained
Retained artifacts should support a specific WebRiskOps workflow and stay linked to their source record.
- Screenshots and HTML snapshots tied to accepted scan pages.
- Issue evidence, fingerprints, severity, confidence and report publication state.
- Report export references, public report tokens and ticket export references without provider secret payloads.
- Scan coverage notes, skipped-page reasons and missing artifact reasons.
- Audit records that explain when an artifact was captured, redacted, expired or removed.
Artifacts that must not be retained
Retention should not turn unsafe data into a long-lived artifact.
- Passwords, tokens, API keys, private keys, webhook secrets, session cookies or payment details.
- Screenshots of admin, account, checkout, logout, employee-only or out-of-scope pages.
- Provider credentials, private repository contents or customer records that are not needed for the selected workflow.
- Local copies that bypass WebRiskOps retention, redaction or account access controls.
- Expired artifacts presented as current evidence.
Ready and blocked retention states
Use these states to decide whether an artifact can support a report, export or customer handoff.
- Retention ready means `artifact_retention_status` is current, `retained_until` is in the future, and artifact paths still resolve to customer-safe evidence.
- Redacted and shareable means `ARTIFACT_REDACTED` is explained and the remaining screenshot, HTML snapshot or report evidence is still useful.
- Retention policy blocked means `ARTIFACT_RETENTION_POLICY` prevents sharing because the artifact is expired, unsupported, unsafe or outside the workflow.
- Artifact missing means `EVIDENCE_ARTIFACT_MISSING` or `missing_artifact_reason` requires a new accepted scan, a fresh report export or a visible limitation note.
- Retention expired means `RETENTION_EXPIRED` applies and old artifact references should not be used as current evidence.
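The states above can be turned into a fail-closed pre-share check. The following is an added example, not WebRiskOps code. Assumptions: the record is a plain dict, reason codes arrive in a hypothetical `codes` list, `redaction_explained` is a hypothetical reviewer flag, the status value is the string `current`, timestamps are ISO 8601, and the order of the checks is this example's choice.

```python
from datetime import datetime, timezone

def parse_retained_until(value):
    """Parse an ISO 8601 timestamp (assumed format); None if absent or invalid."""
    if not isinstance(value, str):
        return None
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    # A timestamp without an offset is treated as UTC (assumption).
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def retention_decision(record, now, redaction_explained=False):
    """Return (state, shareable, next_page); check order is an assumption."""
    codes = set(record.get("codes", []))  # hypothetical field for reason codes
    until = parse_retained_until(record.get("retained_until"))
    has_path = bool(record.get("screenshot_path") or record.get("html_snapshot_path"))
    if "RETENTION_EXPIRED" in codes or (until is not None and until <= now):
        return ("retention_expired", False, "Missing evidence")
    if ("EVIDENCE_ARTIFACT_MISSING" in codes or not has_path
            or record.get("missing_artifact_reason")):
        return ("artifact_missing", False, "Missing evidence")
    # Fail closed: an absent or unparsable retained_until never counts as current.
    if ("ARTIFACT_RETENTION_POLICY" in codes or until is None
            or record.get("artifact_retention_status") != "current"):
        return ("retention_policy_blocked", False, "Missing evidence")
    if "ARTIFACT_REDACTED" in codes:
        if redaction_explained:
            return ("redacted_and_shareable", True, "Report evidence")
        return ("redaction_unexplained", False, "Privacy redaction")
    return ("retention_ready", True, "Report evidence")

# Constructed sample records; paths and values are illustrative only.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
READY = {"artifact_retention_status": "current",
         "retained_until": "2025-09-01T00:00:00Z",
         "screenshot_path": "artifacts/example/home.png"}
SAMPLES = {
    "ready": READY,
    "expired": {**READY, "retained_until": "2025-05-01T00:00:00Z"},
    "no_path": {**READY, "screenshot_path": None},
    "no_date": {**READY, "retained_until": None},
    "redacted": {**READY, "codes": ["ARTIFACT_REDACTED"]},
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(name, retention_decision(rec, NOW))
```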
Continue after retention review
When retention is current, continue to Report evidence for customer-facing evidence checks or Screenshots and HTML snapshots for artifact availability. If retention is blocked, use Missing evidence for the next customer action, Privacy redaction for sensitive artifacts and Secret handling when credentials or tokens appear in evidence.

