GitHub is updating its cloud data retention practices with a policy that manages the lifecycle of closed Dependabot security alert data. This will affect how long closed alert data remains accessible via the UI and API, with significant implications for developer workflows and observability in cloud-hosted repositories.
- Closed Dependabot alerts over two years old move to archival storage.
- Open and recent alerts remain fully visible and queryable.
- Policy applies to GitHub Enterprise Cloud, excluding Enterprise Server.
Infrastructure signal
GitHub's forthcoming data retention policy signals a shift towards managing long-term storage costs by migrating older closed alerts to archival tiers. This approach balances ongoing access needs with cloud cost optimization through tiered data storage. Archival storage maintains the full historical fidelity of alerts but removes them from active UI and API indexing, reducing live system load and improving operational efficiency.
The policy ensures that alerts for GitHub Enterprise Cloud customers with data residency requirements remain stored regionally, aligning with data sovereignty demands. However, GitHub Enterprise Server users remain unaffected, preserving their current infrastructure and data handling paradigms.
Developer impact
Developers and security teams will need to adjust their workflows as closed Dependabot alerts older than two years will no longer be accessible through typical user interfaces or APIs. Historical alert queries must transition to archived data downloads, requiring integration of offline archival data handling in observability and compliance tooling.
Open and recently closed alerts (within two years) remain fully accessible, so real-time monitoring and remediation workflows face no immediate disruption. However, teams should review existing API queries and reports for dependencies on older alert data to avoid unexpected gaps starting August 25, 2026.
What teams should watch
Security and compliance teams should proactively inventory their usage of Dependabot alert data, especially queries or audit processes relying on closed alerts older than two years. Planning for archival data access will be critical to ensure continuous compliance reporting and historical review capabilities without UI or API visibility.
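A starting point for that inventory, as an added example that is not GitHub's code or part of the original article: it splits alert records already exported from the Dependabot alerts REST API into those that stay queryable and those that fall under the archival rule. It assumes the two-year age is counted from the closure timestamp, which the article does not specify; the function names and sample records are constructed for illustration.

```python
from datetime import datetime, timezone

# Enforcement date stated in the article; the window is counted back from it.
ENFORCEMENT = datetime(2026, 8, 25, tzinfo=timezone.utc)
CLOSED_STATES = {"fixed", "dismissed", "auto_dismissed"}
CLOSE_FIELDS = ("fixed_at", "dismissed_at", "auto_dismissed_at")

def parse_ts(value):
    """Parse the ISO 8601 UTC timestamps found in alert records."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def two_years_before(moment):
    """Same calendar day two years earlier (Feb 29 maps to Feb 28)."""
    day = 28 if (moment.month, moment.day) == (2, 29) else moment.day
    return moment.replace(year=moment.year - 2, day=day)

def closed_at(alert):
    """Latest closure timestamp, or None while the alert is open."""
    if alert["state"] not in CLOSED_STATES:
        return None
    stamps = [parse_ts(alert[f]) for f in CLOSE_FIELDS if alert.get(f)]
    # Fall back to updated_at if a closed record carries no closure field.
    return max(stamps) if stamps else parse_ts(alert["updated_at"])

def split_by_retention(alerts, as_of=ENFORCEMENT):
    """Return (retained, archived) alert numbers as of the given date."""
    # Assumption: "over two years old" is measured from closure time.
    cutoff = two_years_before(as_of)
    retained, archived = [], []
    for alert in alerts:
        when = closed_at(alert)
        bucket = archived if when is not None and when < cutoff else retained
        bucket.append(alert["number"])
    return retained, archived

# Constructed sample records, shaped like Dependabot alert objects.
SAMPLE_ALERTS = [
    {"number": 1, "state": "open", "created_at": "2022-05-02T09:00:00Z"},
    {"number": 2, "state": "fixed", "fixed_at": "2023-03-01T12:00:00Z"},
    {"number": 3, "state": "dismissed", "dismissed_at": "2025-01-10T08:30:00Z"},
    {"number": 4, "state": "auto_dismissed",
     "auto_dismissed_at": "2024-08-24T23:59:59Z"},
]

if __name__ == "__main__":
    retained, archived = split_by_retention(SAMPLE_ALERTS)
    print("still queryable:", retained)
    print("export before enforcement:", archived)
```

Any report or audit query that reads alerts in the second list is one to move to archived data handling before the enforcement date.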
Developer platform teams should monitor GitHub's changelog for subsequent retention policies rolling out to other alert types, which will come with at least 60 days' notice before enforcement. Additionally, developers maintaining integrations with GitHub's security alert APIs must adapt to the upcoming phased changes to avoid disruptions in data ingestion and alert management.