GitHub to implement data retention for closed security alerts
GitHub will introduce a data retention policy for closed Dependabot security alerts starting August 25, 2026, affecting GitHub Enterprise Cloud users. This policy will move alerts closed over two years ago to archival storage, accessible via CSV download, while open and recently closed alerts remain in the UI/API. Users should review their current queries and plan for the archival change.
Deprecations (1)
- Data retention policy for closed security alerts
Starting August 25, 2026, closed Dependabot security alerts older than two years will move to archival storage and be removed from the UI/API. Open alerts and those closed within the last two years are unaffected. This policy aims to provide clarity on data accessibility and location.
Notes (3)
- Archived alerts remain accessible
Alerts moved to archival storage can still be downloaded as a CSV from the security alerts page for enterprise, organization, and repository administrators. Archived alerts are retained for the life of the account to support regulatory requirements.
- Policy rollout and future announcements
Dependabot alerts are the first type to adopt this policy, with exact timings for other alert types still being finalized. GitHub will provide at least 60 days' advance notice for changes affecting other alert types via the changelog.
- User actions before policy implementation
Users are advised to query closed Dependabot alerts through the REST API before August 25, 2026, review reliance on alerts older than two years, and prepare to use the downloadable archive.
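One way to carry out the review described above, as an added example that is not GitHub's own code: it lists closed Dependabot alerts through the organization-level REST endpoint and separates those that would fall under the two-year rule. Assumptions: the age is measured from the closure timestamp (`fixed_at`, `dismissed_at` or `auto_dismissed_at`) to August 25, 2026, and `example-org` and the sample alerts are constructed.

```python
import csv, io, json, re, urllib.request
from datetime import datetime, timezone

POLICY_START = datetime(2026, 8, 25, tzinfo=timezone.utc)  # date given in the changelog
CLOSED_AT_FIELDS = ("fixed_at", "dismissed_at", "auto_dismissed_at")

def fetch_closed_alerts(org, token):
    """Yield every closed Dependabot alert in an org, following Link-header pagination."""
    url = (f"https://api.github.com/orgs/{org}/dependabot/alerts"
           "?state=fixed,dismissed,auto_dismissed&per_page=100")
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            link = resp.headers.get("Link", "")
            yield from json.load(resp)
        url = m.group(1) if (m := re.search(r'<([^>]+)>;\s*rel="next"', link)) else None

def closed_at(alert):
    """Latest closure timestamp on the alert, or None when it has no closure date."""
    stamps = [datetime.fromisoformat(alert[f].replace("Z", "+00:00"))
              for f in CLOSED_AT_FIELDS if alert.get(f)]
    return max(stamps, default=None)

def split_for_archive(alerts, reference=POLICY_START):
    """Assumption: archived means closed more than two years before `reference`."""
    day = min(reference.day, 28) if reference.month == 2 else reference.day  # Feb 29 guard
    cutoff = reference.replace(year=reference.year - 2, day=day)
    archived, retained = [], []
    for a in alerts:
        ts = closed_at(a)
        old = a["state"] != "open" and ts is not None and ts < cutoff
        (archived if old else retained).append(a)
    return archived, retained

def to_csv(alerts):
    """CSV snapshot of closed alerts, e.g. those expected to leave the UI/API."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["repository", "number", "state", "closed_at"])
    for a in alerts:
        w.writerow([a["repository"]["full_name"], a["number"], a["state"], closed_at(a).isoformat()])
    return buf.getvalue()

# Constructed sample alerts (not real data), shaped like the REST API response.
REPO = {"full_name": "example-org/api"}
SAMPLE = [
    {"number": 1, "state": "fixed", "fixed_at": "2023-03-01T10:00:00Z", "repository": REPO},
    {"number": 2, "state": "auto_dismissed", "auto_dismissed_at": "2024-08-24T23:59:59Z", "repository": REPO},
    {"number": 3, "state": "open", "fixed_at": None, "dismissed_at": None, "repository": REPO},
    {"number": 4, "state": "dismissed", "dismissed_at": "2024-08-25T00:00:00Z", "repository": REPO}]
```

Against a live organization, pass `fetch_closed_alerts(org, token)` to `split_for_archive` in place of `SAMPLE`; any dashboard or report that reads the first returned list through the API will need the CSV archive after the policy takes effect.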
https://github.blog/changelog/2026-06-30-cloud-data-retention-policy-for-closed-security-alerts