
prune

Description

Performs the package cleanup operation by removing package versions created in a specific time range.

In a project in your package store, prune can do the following:

  • remove all versions that match the specified time range, regardless of the package they are associated with
  • remove versions of a specific package that match the specified time range
  • remove reproducible build artifacts of one or more versions without removing the main package version artifact

The prune command is most useful in CI/CD deployments where package versions aren't strictly tracked (for example, because commit hashes are used for versioning). In those cases, some package versions may be left "dangling" for a long time. It's recommended to regularly prune all such versions older than two weeks.

WARNING

Removing package versions from the store is a destructive operation. After the data is removed from the package store, you will not be able to restore it without a prior backup!

When a package version is removed from the store, all its metadata including analysis reports and any reproducible build artifacts are also removed.

How is prune different from remove?

The key differences between remove and prune commands are:

  • prune deletes only package versions (analyzed files and their metadata), but leaves packages and projects intact in the package store structure. The remove command can delete projects and packages entirely from the package store.

  • prune can match and delete package versions by their age. The remove command doesn't support any options for specifying timestamps or package version age.

Use prune to remove stale or unnecessary package versions from a package store based on their age. Package age is calculated from the time when they were first scanned and registered in the package store, up to the time when the command is executed. You can combine different options to specify the criteria for pruning package versions.

By default, the prune command requires you to confirm your actions before proceeding. To skip the confirmation prompt, use the --silent option.

tip

You can use the prune command in automated workflows to schedule cleanup jobs. Make sure to include the --silent option when creating a scheduled job to skip confirmation prompts for removing package versions.

Usage

rl-secure prune <purl> [<options>]

rl-secure prune --purl=<purl> [<options>]

Options

  • -p, --purl: Required. Package URL to prune. Must be in the format [pkg:type/]<project>[/<package>[@<version>]]. You must at least specify the project for the prune command to run.
  • ?build=repro: Remove reproducible build artifacts for a package version without removing the main package version artifact itself. This option must be appended to the package URL in the format [pkg:type/]<project>/<package>@<version>?build=repro. Wildcard matching with * and ? characters is supported.
  • --after-date: Remove everything matching the package URL and created after the specified timestamp (ISO-8601).
  • --before-date: Remove everything matching the package URL and created before the specified timestamp (ISO-8601).
  • --days-older: Remove everything matching the package URL and older than the specified number of days.
  • --hours-older: Remove everything matching the package URL and older than the specified number of hours.
  • --check-only: Use dry-run mode and only display what would be removed, without actually removing anything.
  • --silent: Don't prompt for removal confirmation.
  • -h, --help: Display usage information and exit.
  • -s, --rl-store: Path to an initialized package store containing the package URL. If you don't specify the path, the current directory is used.

Examples

Prune reproducible builds for all versions

This example removes all reproducible build artifacts for all package versions in the store, regardless of their age or the project they're associated with. We're using wildcard matching to target all package versions in the store. When you type the pattern into a shell, quote it so the shell doesn't expand the * and ? characters against files in the current directory.

The directory structure created for the projects and packages, along with any YARA rules and custom policy settings, is preserved.

The main package version artifacts are also preserved, together with their analysis results. Because we're using the build=repro option, only the reproducible build artifacts are removed. If a package version doesn't have any reproducible build artifacts, it is automatically skipped.

The command expects the package store to exist in the current directory. Use the -s or --rl-store options to provide an alternative path to the package store.

rl-secure prune */*@*?build=repro

Prune all versions older than a week

This example removes all package versions older than 7 days from a project in a previously initialized package store.

The directory structure created for the project, along with any YARA rules and custom policy settings, is preserved.

The command expects the package store to exist in the current directory. Use the -s or --rl-store options to provide an alternative path to the package store.

rl-secure prune pkg:rl/my-project --days-older=7

Prune versions created in a specific period

This example checks if any versions of the package frontend in the project releases were created between December 25 and January 1, and removes them.

To successfully use the prune command in this example, first we have to convert those dates to ISO-8601 timestamps, including the time zone offset (+01:00 in this example).

The directory structure created for the project, along with any YARA rules and custom policy settings, is preserved.

The command expects the package store to exist in the current directory. Use the -s or --rl-store options to provide an alternative path to the package store.

rl-secure prune pkg:rl/releases/frontend --after-date=2023-12-25T00:00:00+01:00 --before-date=2024-01-01T00:00:00+01:00
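The scheduled cleanup job described in the tip above, and the date-to-timestamp conversion this example relies on, as an added shell wrapper that is not part of the rl-secure documentation. It previews with --check-only before the destructive --silent run; the RL_SECURE variable, the store paths and the package URLs are assumptions.

```shell
#!/bin/sh
# Added example, not from the rl-secure documentation. Wraps the prune
# command for an unattended cleanup job: a --check-only dry run first,
# then the real prune with --silent. RL_SECURE (binary path), the store
# path and the package URLs are assumptions; adjust them to your deployment.

# Run the rl-secure binary named by RL_SECURE (defaults to the one on PATH).
rl() { "${RL_SECURE:-rl-secure}" "$@"; }

# Turn a calendar date range into the ISO-8601 --after-date/--before-date
# pair that prune expects. $1 = first day, $2 = day after the last day
# (both YYYY-MM-DD), $3 = UTC offset such as +01:00; timestamps are midnight.
window_args() {
  after="--after-date=${1}T00:00:00${3}"
  before="--before-date=${2}T00:00:00${3}"
  printf '%s %s' "$after" "$before"
}

# Prune versions matching a package URL that are older than N days.
# $1 = store path, $2 = package URL, $3 = age in days (default 14, the two
# weeks recommended above).
prune_stale() {
  store=$1; purl=$2; days=${3:-14}
  # Dry run: lists what would be removed and deletes nothing. Abort on
  # failure so a bad package URL or store path never reaches the
  # destructive step.
  rl prune --purl="$purl" --days-older="$days" --rl-store="$store" --check-only || return 1
  # Real run: --silent skips the confirmation prompt that would otherwise
  # block a scheduled job.
  rl prune --purl="$purl" --days-older="$days" --rl-store="$store" --silent
}

# Remove only reproducible build artifacts for every version in the store
# ($1 = store path). The pattern is quoted so the shell does not expand
# * and ? against files in the current directory.
prune_repro_artifacts() {
  rl prune '*/*@*?build=repro' --rl-store="$1" --silent
}

# Usage from a cron entry or CI step, for example:
#   prune_stale /srv/rl-store pkg:rl/my-project 14
#   rl prune pkg:rl/releases/frontend $(window_args 2023-12-25 2024-01-01 +01:00) --check-only
```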