Starting August 25, 2026, GitHub will introduce a data retention policy for closed Dependabot security alerts. This policy gives you a clear commitment for how long your alert data stays accessible and where you can find it. It applies to Dependabot security alerts on github.com, including GitHub Enterprise Cloud (GHEC). It does not apply to GitHub Enterprise Server (GHES). The policy will roll out gradually across security alert types, beginning with Dependabot.

GitHub security alert data retention policy

GitHub keeps your Dependabot alerts available for the life of your account.

Open alerts stay fully accessible in the UI and API, regardless of age.

Closed alerts stay fully accessible in the UI and API for two years after they are closed.