Audit Dependabot alert exports before GitHub moves old closed alerts out of the API

GitHub will move closed Dependabot security alerts older than two years into archival storage on August 25, 2026, changing how security teams query older remediation records.

GitHub has confirmed a new retention policy for closed Dependabot security alerts on github.com and GitHub Enterprise Cloud. Confidence level: confirmed for the policy date and scope. The practical deadline is August 25, 2026, when closed Dependabot alerts that are two or more years old move out of the normal UI and API path.

Source: GitHub Changelog.

What changed

GitHub says open Dependabot alerts will stay fully accessible in the UI and API regardless of age. Closed Dependabot alerts will remain fully accessible for two years after closure. Older closed alerts will move to archival storage and become downloadable as CSV from the security alerts page.

The policy applies to Dependabot security alerts on github.com, including GitHub Enterprise Cloud. GitHub says it does not apply to GitHub Enterprise Server. Dependabot is the first alert type covered, with other security alert types expected later after at least 60 days of changelog notice.

| Alert state | UI/API access | Archive access | Action before August 25 |
|---|---|---|---|
| Open alerts | Fully available regardless of age | Not the main path | Keep existing triage flows |
| Closed under two years | Fully available | Not needed yet | Check dashboards and API filters |
| Closed two years or older | Moves out of normal UI/API | CSV download for admins/security managers | Update exports and compliance evidence flows |

Why this is early

The policy was posted in the GitHub Changelog on June 30, 2026, with the effective date set for August 25, 2026. That gives security teams a short planning window before older closed Dependabot alerts stop appearing in the same UI and API queries.

This is not a vulnerability disclosure. It is an operational change to how historical remediation records are accessed. The risk is reporting breakage, missing compliance evidence, or dashboards that silently lose older closed-alert rows after the policy takes effect.

Key takeaways

  • Closed Dependabot alerts older than two years move to archival storage on August 25, 2026.
  • Open alerts and closed alerts newer than two years keep normal UI and API access.
  • GitHub says archived alerts stay at full fidelity for the life of the account.
  • Data residency customers keep archived alert data in the same region as the rest of their data.
  • GitHub Enterprise Server is outside this specific policy.

Availability and access

No feature flag is required. The change is scheduled by GitHub for github.com and GitHub Enterprise Cloud. Enterprise, organization, and repository administrators, plus security managers, will be able to download older archived alerts as CSV from the relevant security alerts page.

Teams that rely on the REST API for closed Dependabot alerts should query the older data before August 25 and decide whether the CSV archive replaces the existing workflow. GitHub's Dependabot docs remain the baseline for what alerts are, how they appear, and how teams remediate vulnerable dependencies.

Practical LinkLoot angle

This is a cleanup job for security operations, not a panic item. Find dashboards, SIEM imports, compliance reports, and quarterly remediation reviews that query closed Dependabot alerts older than two years. Then test whether archived CSV exports preserve the fields your auditors or risk owners expect.

For teams tightening agent-assisted remediation and dependency workflows, pair this with a review of your broader automation stack. LinkLoot's AI workflow automation guide is a useful adjacent hub: /guides/ai-workflow-automation.

What to verify before you act

  • Identify API jobs that query closed Dependabot alerts older than two years.
  • Export sample closed-alert data now and compare it with the planned CSV archive fields after rollout.
  • Confirm which admins or security managers can download archives at enterprise, organization, and repository level.
  • Check whether your compliance controls require UI/API access or accept archived CSV evidence.
  • Watch GitHub's changelog for the next security alert type added to the retention policy.
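
One way to carry out the first two checks, as an added example that is not from GitHub or the original article: the script takes alert records already exported from the Dependabot alerts REST API and lists the closed ones whose closure date is two or more years before a given date. Treating the latest of fixed_at, dismissed_at and auto_dismissed_at as the closure time is an assumption, and the sample records are constructed.

```python
import csv
import io
from datetime import datetime, timezone

CLOSED_STATES = {"fixed", "dismissed", "auto_dismissed"}
EFFECTIVE = datetime(2026, 8, 25, tzinfo=timezone.utc)  # policy date from the changelog

def closed_at(alert):
    """Closure time of an alert record, or None if the alert is open."""
    if alert.get("state") not in CLOSED_STATES:
        return None
    # Assumption: closure is the latest of these timestamps that is set.
    raw = [alert.get(k) for k in ("fixed_at", "dismissed_at", "auto_dismissed_at")]
    stamps = [datetime.fromisoformat(s.replace("Z", "+00:00")) for s in raw if s]
    return max(stamps) if stamps else None

def two_years_before(moment):
    try:
        return moment.replace(year=moment.year - 2)
    except ValueError:  # 29 February has no counterpart two years earlier
        return moment.replace(year=moment.year - 2, day=28)

def archive_candidates(alerts, as_of=EFFECTIVE):
    """Closed alerts whose closure is two or more years before as_of."""
    cutoff = two_years_before(as_of)
    return [a for a in alerts if (t := closed_at(a)) and t <= cutoff]

def evidence_csv(alerts):
    """Flatten closed alerts into CSV text to keep as a pre-change baseline."""
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(["repository", "number", "state", "closed_at"])
    for a in alerts:
        w.writerow([a.get("repository", {}).get("full_name", ""), a["number"],
                    a["state"], closed_at(a).isoformat()])
    return out.getvalue()

# Constructed sample records (not real alerts), shaped like REST API output.
REPO = {"full_name": "example-org/app"}
SAMPLE = [
    {"number": 1, "state": "fixed", "fixed_at": "2023-11-02T10:00:00Z", "repository": REPO},
    {"number": 2, "state": "dismissed", "dismissed_at": "2024-08-25T00:00:00Z", "repository": REPO},
    {"number": 3, "state": "fixed", "fixed_at": "2025-03-01T09:30:00Z", "repository": REPO},
    {"number": 4, "state": "open", "created_at": "2022-01-10T08:00:00Z", "repository": REPO},
    {"number": 5, "state": "auto_dismissed", "auto_dismissed_at": "2024-08-26T12:00:00Z", "repository": REPO},
]

if __name__ == "__main__":
    print(evidence_csv(archive_candidates(SAMPLE)), end="")
```

Running it with a later as_of date shows which additional rows a recurring report would lose as more closed alerts pass the two-year mark.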

Source check

Confirmed by: GitHub's June 30, 2026 changelog entry gives the policy date, scope, two-year threshold, archive behavior, data residency note, and GHES exclusion.

Supporting context: GitHub's Dependabot documentation explains the purpose of Dependabot alerts and how teams use them to find and remediate vulnerable dependencies. The docs support the operational impact, while the changelog is the policy source.

FAQ

GitHub says the policy starts on August 25, 2026.