Using the Analysis Archive
As mentioned in concepts, there are two locations for image analysis to be stored:
- The working set: also known as the active set, this is the standard state after analysis completes. In this location, the image is fully loaded and available for policy evaluation, content, and vulnerability queries.
- The archive set: a location for image analysis data that is not available for policy evaluation or queries, but that can use cheaper storage and less database space and can be reloaded into the working set as needed.
By default, the archive set is stored within the Postgres database. However, for better scalability and lower costs, it can be configured to point to an external S3-compatible object store. For detailed instructions on switching storage backends, see Object Store: Analysis Archive.
You can manage the lifecycle of your image analysis data in two ways: manually, by using CLI commands or API calls to archive and restore specific images, or automatically with archive rules, which allow you to define global or account-level policies for data transition.
Note that these methods offer different behaviors regarding data retention: while archive rules are designed to automatically move data (deleting it from the working set upon archiving), manual archiving creates a copy in the archive but does not automatically delete the image from the working set. These methods are detailed in the Working with the archive manually and Working with Archive rules sections below.
Before using the Archiving capability, it is worth reviewing the Artifact Lifecycle Policies (ALP) to choose the best solution for your use case.
- If you just want to flush data out: Use Artifact Lifecycle Policies to go directly to delete. This is the recommended starting point for all users to prevent database bloat and maintain system performance.
- If you need data retention: Use Archive Rules. Only if you have a specific requirement to retain analysis data for long periods (without keeping it in the active working set) should you add archive rules.
Working with the Archive manually
Manual archive operations allow for granular control over individual image analyses, enabling you to list, archive, or restore specific data as needed outside of automated rule cycles.
Listing images in the archive
You can retrieve a list of all archived images, and the archive metadata for a single image, using AnchoreCTL.
List all archived images:
anchorectl archive image list
✔ Fetched archive-images
┌─────────────────────────────────────────────────────────────────────────┬──────────────────────────────────────┬──────────┬──────────────┬──────────────────────┐
│ IMAGE DIGEST │ TAGS │ STATUS │ ARCHIVE SIZE │ ANALYZED AT │
├─────────────────────────────────────────────────────────────────────────┼──────────────────────────────────────┼──────────┼──────────────┼──────────────────────┤
│ sha256:85f2b723e106c34644cd5851d7e81ee87da98ac54672b29947c052a45d31dc2f │ docker.io/alpine:latest │ archived │ 131 kB │ 2025-10-17T12:43:02Z │
│ sha256:2bd144364d2cb06b08953ce5764cdbf236bbcd63cea214583c4ed011b4685453 │ docker.io/redhat/ubi9-minimal:latest │ archived │ 801 kB │ 2026-03-04T14:49:55Z │
└─────────────────────────────────────────────────────────────────────────┴──────────────────────────────────────┴──────────┴──────────────┴──────────────────────┘
Return the archive metadata record identifying the image and tags for the analysis in the archive.
anchorectl archive image get sha256:85f2b723e106c34644cd5851d7e81ee87da98ac54672b29947c052a45d31dc2f
✔ Fetched image
Image Digest: sha256:85f2b723e106c34644cd5851d7e81ee87da98ac54672b29947c052a45d31dc2f
Parent Digest: sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412
Tags:
- docker.io/alpine:latest
Status: archived
Archive Size: 131 kB
Annotations: {}
Archived At: 2026-03-16T08:39:58Z
Analyzed At: 2025-10-17T12:43:02Z
Last Updated: 2026-03-16T08:39:58Z
Adding an image to the archive
To add an image to the archive, use the digest. All analysis, policy evaluations, and tags will be added to the archive set.
Find the digest:
anchorectl image list
✔ Fetched images
┌───────────────────────────────────────────────────────┬─────────────────────────────────────────────────────────────────────────┬──────────┬────────┐
│ TAG │ DIGEST │ ANALYSIS │ STATUS │
├───────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────┼──────────┼────────┤
│ docker.io/ubuntu:latest │ sha256:33bca6883412038cc4cbd3ca11406076cf809c1dd1462a144ed2e38a7e79378a │ analyzed │ active │
│ docker.io/ubuntu:latest │ sha256:42ba2dfce475de1113d55602d40af18415897167d47c2045ec7b6d9746ff148f │ analyzed │ active │
│ docker.io/localimage:latest │ sha256:74c6eb3bbeb683eec0b8859bd844620d0b429a58d700ea14122c1892ae1f2885 │ analyzed │ active │
│ docker.io/nginx:latest │ sha256:89020cd33be2767f3f894484b8dd77bc2e5a1ccc864350b92c53262213257dfc │ analyzed │ active │
└───────────────────────────────────────────────────────┴─────────────────────────────────────────────────────────────────────────┴──────────┴────────┘
Archive the specific image using the digest:
anchorectl archive image add sha256:89020cd33be2767f3f894484b8dd77bc2e5a1ccc864350b92c53262213257dfc
✔ Added image to archive
┌─────────────────────────────────────────────────────────────────────────┬──────────┬────────────────────────┐
│ DIGEST │ STATUS │ DETAIL │
├─────────────────────────────────────────────────────────────────────────┼──────────┼────────────────────────┤
│ sha256:89020cd33be2767f3f894484b8dd77bc2e5a1ccc864350b92c53262213257dfc │ archived │ Completed successfully │
└─────────────────────────────────────────────────────────────────────────┴──────────┴────────────────────────┘
Manual archiving with anchorectl archive image add does not automatically remove an image from the working set. To fully migrate an image, you must archive it first and then delete it from the working set via the CLI or API.
Note: To delete a recently archived image, ensure it has no active subscriptions. You can either manually remove subscriptions using anchorectl subscription delete before deleting the image, or use the --force flag with anchorectl image delete to automatically disable all subscriptions during the deletion process.
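The archive-then-delete sequence above as one guarded function, so the working-set copy is removed only after the archive record is confirmed. This is an added example, not Anchore's own tooling; it assumes anchorectl is on PATH and already configured, and that archive image get prints the "Status: archived" line shown earlier. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: archive an image analysis, confirm the archive record, then
# delete it from the working set. Only subcommands shown on this page are used.

# Return 0 if the argument looks like a sha256 image digest.
is_digest() {
  printf '%s\n' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# Return 0 only if the archive metadata record reports "Status: archived".
# Assumption: the text output contains the "Status: archived" line shown above.
archive_confirmed() {
  anchorectl archive image get "$1" 2>/dev/null |
    grep -Eq '^[[:space:]]*Status:[[:space:]]*archived[[:space:]]*$'
}

# migrate_to_archive DIGEST
# Exit codes: 0 migrated, 2 bad digest, 3 archive command failed,
#             4 archive not confirmed (working set untouched), 5 delete failed.
migrate_to_archive() {
  digest=$1
  is_digest "$digest" || { echo "not a sha256 digest: $digest" >&2; return 2; }

  # Manual archiving copies the analysis; the working set is not changed yet.
  anchorectl archive image add "$digest" >/dev/null || return 3

  # Never delete from the working set unless the archive copy is confirmed.
  archive_confirmed "$digest" || {
    echo "archive record not confirmed; keeping $digest in working set" >&2
    return 4
  }

  # --force disables subscriptions during deletion, as described in the note.
  anchorectl image delete "$digest" --force >/dev/null || return 5
}
```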
Restoring an image from the archive
Restoring an image does not delete the archive entry; it only adds the analysis back to the working set.
Restore an image to the working set from the archive set:
anchorectl archive image restore sha256:89020cd33be2767f3f894484b8dd77bc2e5a1ccc864350b92c53262213257dfc
✔ Restore image
┌────────────────────────┬─────────────────────────────────────────────────────────────────────────┬──────────┬────────┐
│ TAG │ DIGEST │ ANALYSIS │ STATUS │
├────────────────────────┼─────────────────────────────────────────────────────────────────────────┼──────────┼────────┤
│ docker.io/nginx:latest │ sha256:89020cd33be2767f3f894484b8dd77bc2e5a1ccc864350b92c53262213257dfc │ analyzed │ active │
└────────────────────────┴─────────────────────────────────────────────────────────────────────────┴──────────┴────────┘
To view the restored image:
anchorectl image get sha256:89020cd33be2767f3f894484b8dd77bc2e5a1ccc864350b92c53262213257dfc
Tag: docker.io/nginx:latest
Digest: sha256:89020cd33be2767f3f894484b8dd77bc2e5a1ccc864350b92c53262213257dfc
ID: 2b7d6430f78d432f89109b29d88d4c36c868cdbf15dc31d2132ceaa02b993763
Analysis: analyzed
Status: active
Deleting an image from the archive
You can manually delete a specific archived image analysis using the API or AnchoreCTL. Deleting from the archive is permanent and the analysis cannot be restored unless the image is re-analyzed in the working set.
anchorectl archive image delete sha256:8322d7b010ecb6ff7bf0d7f8914c1b095e0b855562473d22db4b481b5e4720d9
✔ Deleted image
Working with Archive rules
Archive rules allow for the automated transition of images from the working set to the archive, or the deletion of images from the archive based on age or the number of newer tags available.
Unlike manual archiving, when an image matches an archive rule, it is moved to the archive and subsequently removed from the active working set. Archive rules are managed with AnchoreCTL commands; the --help option shows the arguments, options, and descriptions of valid values.
Note: By default, archive rules are processed every 12 hours. This interval is governed by the catalog service and can be adjusted in your configuration file under anchoreConfig.catalog.cycle_timers.archive_tasks.
Please review the Archive Rules concepts documentation for more details on utilizing rules to achieve your desired configuration.
Listing the Archive rules
anchorectl archive rule list
✔ Fetched rules
┌──────────────────────────────────┬────────────┬──────────────┬────────────────────┬────────────┬─────────┬───────┬──────────────────┬──────────────┬─────────────┬──────────────────┬────────┬──────────────────────┐
│ ID │ TRANSITION │ ANALYSIS AGE │ TAG VERSIONS NEWER │ REGISTRY │ REPO │ TAG │ REGISTRY EXCLUDE │ REPO EXCLUDE │ TAG EXCLUDE │ EXCLUDE EXP DAYS │ GLOBAL │ LAST UPDATED │
├──────────────────────────────────┼────────────┼──────────────┼────────────────────┼────────────┼─────────┼───────┼──────────────────┼──────────────┼─────────────┼──────────────────┼────────┼──────────────────────┤
│ 2ca9284202814f6aa41916fd8d21ddf2 │ archive │ 90d │ 90 │ * │ * │ * │ │ │ │ -1 │ false │ 2022-08-19T17:58:38Z │
│ 6cb4011b102a4ba1a86a5f3695871004 │ archive │ 90d │ 90 │ foobar.com │ myimage │ mytag │ barfoo.com │ * │ * │ -1 │ false │ 2022-08-22T18:47:32Z │
└──────────────────────────────────┴────────────┴──────────────┴────────────────────┴────────────┴─────────┴───────┴──────────────────┴──────────────┴─────────────┴──────────────────┴────────┴──────────────────────┘
Adding an Archive rule
anchorectl archive rule add --transition archive --analysis-age-days 90 --tag-versions-newer 1 --selector-registry 'docker.io' --selector-repository 'library/*' --selector-tag 'latest'
✔ Added rule
ID: 0031546b9ce94cf0ae0e60c0f35b9ea3
Transition: archive
Analysis Age: 90d
Tag Versions Newer: 1
Selector:
Registry: docker.io
Repo: library/*
Tag: latest
Exclude:
Selector:
Registry Exclude:
Repo Exclude:
Tag Exclude:
Exclude Exp Days: -1
Global: false
Last Updated: 2022-08-24T22:57:51Z
The required parameters are: minimum age of analysis in days, number of tag versions newer, and the transition to use.
There is also an optional --system-global flag, available to admin account users, that makes the rule apply to all accounts in the system. As a non-admin user (test1user below), you can see global rules but you cannot update or delete them (the request returns a 404):
ANCHORECTL_USERNAME=test1user ANCHORECTL_PASSWORD=password ANCHORECTL_ACCOUNT=test1acct anchorectl archive rule list
✔ Fetched rules
┌──────────────────────────────────┬────────────┬──────────────┬────────────────────┬───────────┬───────────┬────────┬──────────────────┬──────────────┬─────────────┬──────────────────┬────────┬──────────────────────┐
│ ID │ TRANSITION │ ANALYSIS AGE │ TAG VERSIONS NEWER │ REGISTRY │ REPO │ TAG │ REGISTRY EXCLUDE │ REPO EXCLUDE │ TAG EXCLUDE │ EXCLUDE EXP DAYS │ GLOBAL │ LAST UPDATED │
├──────────────────────────────────┼────────────┼──────────────┼────────────────────┼───────────┼───────────┼────────┼──────────────────┼──────────────┼─────────────┼──────────────────┼────────┼──────────────────────┤
│ 16dc38cef54e4ce5ac87d00e90b4a4f2 │ archive │ 90d │ 1 │ docker.io │ library/* │ latest │ │ │ │ -1 │ true │ 2022-08-24T23:01:05Z │
└──────────────────────────────────┴────────────┴──────────────┴────────────────────┴───────────┴───────────┴────────┴──────────────────┴──────────────┴─────────────┴──────────────────┴────────┴──────────────────────┘
ANCHORECTL_USERNAME=test1user ANCHORECTL_PASSWORD=password ANCHORECTL_ACCOUNT=test1acct anchorectl archive rule delete 16dc38cef54e4ce5ac87d00e90b4a4f2
⠙ Deleting rule
error: 1 error occurred:
* unable to delete rule:
{
"detail": {
"error_codes": []
},
"httpcode": 404,
"message": "Rule not found"
}
ANCHORECTL_USERNAME=test1user ANCHORECTL_PASSWORD=password ANCHORECTL_ACCOUNT=test1acct anchorectl archive rule get 16dc38cef54e4ce5ac87d00e90b4a4f2
✔ Fetched rule
ID: 16dc38cef54e4ce5ac87d00e90b4a4f2
Transition: archive
Analysis Age: 90d
Tag Versions Newer: 1
Selector:
Registry: docker.io
Repo: library/*
Tag: latest
Exclude:
Selector:
Registry Exclude:
Repo Exclude:
Tag Exclude:
Exclude Exp Days: -1
Global: true
Last Updated: 2022-08-24T23:01:05Z
Deleting an Archive rule
anchorectl archive rule delete 16dc38cef54e4ce5ac87d00e90b4a4f2
✔ Deleted rule
No results
Last modified March 31, 2026