Data Management and Storage Best Practices

The IQ Server is fairly lightweight, but managing your IQ Server's disk usage is important because:

Follow these best practices to manage your IQ Server's data efficiently.

Deploy IQ Server into an environment with an appropriate amount of disk space

Sonatype recommends that you have between 500 GB and 1 TB of storage available for the IQ Server.
- Your disk usage is largely a product of (the number of apps x the number of scan events). Therefore, scanning lots of apps frequently will fill up disk space fast.
- Customers who rely heavily on SCM integrations may benefit from more storage. Use sparse checkout file types with your SCM integrations to address this.
- To maximize your storage space, get the best performance, and for overall ease of management, use the Postgres database option.

Your organization may have guidelines for storing assets long-term. Always heed and follow those guidelines.
If you don't have data retention guidelines, consider putting some in place for IQ Server assets specifically.
- Reports for internal dev builds typically become irrelevant after a few months.
- Reports for a release/production version of your app should be kept for longer.

Some stakeholders may require specific data. For example, your Legal team may want to hold on to some key reports forever. Make sure you know what your stakeholders need, and have a way for them to request that some files never get deleted.

Large-scale cleanup efforts should include your database administrator. Mismatches between your sonatype-work directory and your database can cause hiccups in the browser UI.

If you need to save a report for longer than 5 years, move it out of your work directory.
Reports can be transformed into SBOMs for more efficient storage.
Reports may contain sensitive information, including things like application names, component names, file extensions, and vulnerability data.

Data Retention handles much of the regular cleanup associated with managing an IQ Server for you. It's on by default—leave it on!
Data Retention can trigger based on age or based on the total number of reports in a given stage. Consider what stages you generally scan at, and configure accordingly.
- For example, if you rely heavily on SCM integrations, you'll likely have many scans at the Source stage. In that scenario, make sure the number of maximum reports at the Source stage is high enough that new reports aren't deleting old reports that you still need.
Purged files are placed into a separate trash folder. By default, this is sonatype-work/clm-server/trash.
- Files in the trash folder are not deleted automatically – they must be deleted manually.
- Whenever convenient, check the trash folder and delete the files therein.
The contents of your trash directory may contain sensitive data. Compress reports still contain things like application names, component names, file extensions, and vulnerability data.

Sparse checkouts of your SCM repositories only clone the files that IQ Server requires in order to perform a full scan. This can dramatically decrease the amount of disk space your IQ Server requires.