pci dss – Do I need to keep production Docker/container images?

Context

My company is developing a SaaS solution that needs to conform to PCI-DSS L1 for sure, and possibly FedRAMP and other frameworks later.

We can do continuous deployment with feature flagged/canary releases, with multiple releases a day. Because of that, we don’t really need explicit versioning of the releases (we do version the interfaces, APIs), so we tag our container images with the short Git SHA.

Question

Are you aware of a PCI-DSS requirement (or another widely used governance framework) that expects keeping the container images to be around e.g. 18 months?

We are concerned about the number of container images that will hang around for no practical use. We already know the Git SHA for historical investigation, and we are able to rebuild the image using that if necessary.