Starting August 25, 2026, GitHub will introduce a data retention policy for closed Dependabot security alerts. This policy gives you a clear commitment for how long your alert data stays accessible and where you can find it. It applies to Dependabot security alerts on github.com, including GitHub Enterprise Cloud (GHEC). It does not apply to GitHub Enterprise Server (GHES). The policy will roll out gradually across security alert types, beginning with Dependabot.

GitHub security alert data retention policy

GitHub keeps your Dependabot alerts available for the life of your account.

  • Open alerts stay fully accessible in the UI and API, regardless of age.
  • Closed alerts stay fully accessible in the UI and API for two years after they are closed.
  • Alerts closed two or more years ago move to archival storage. Enterprise, organization, and repository administrators and security managers can download them as a CSV from the security alerts page at the corresponding level.
  • Alert data is removed when the associated repository, organization, or account is deleted, or when an enterprise agreement ends.

GitHub keeps archived alerts at full fidelity for the life of your account, so your historical remediation records stay available to support regulatory requirements. If you use GitHub Enterprise Cloud with data residency, this policy does not change where your alert data is stored. Archived alerts remain in the same region as the rest of your data.

What’s changing and when

On August 25, 2026, closed Dependabot alerts closed two or more years ago will move to archival storage and will no longer appear in the UI or API. Open alerts and alerts closed within the last two years are not affected. Dependabot is the first alert type to adopt this policy. Exact timing for each alert type is still being finalized, and we will announce the changes through the changelog with at least 60 days of advance notice before they take effect. Before August 25, query closed Dependabot alerts through the REST API, review whether any of your queries rely on alerts older than two years, and plan to use the downloadable archive instead.

Join the discussion within GitHub Community.

!social