GitHub Introduces Rate Limiting to Enterprise Audit Log

The new limit will restrict users to 15 queries per minute, with the possibility of further limiting in the future.

-owned platform has announced that it will introduce rate limiting to the audit log available to users of its Enterprise Cloud. The change, set to take effect from August 1st, 2023, aims to prevent “significant strain” on data stores.

New Limit of 15 Queries Per Minute

The new limit will restrict users to 15 queries per minute, with the possibility of further limiting in the future. GitHub audit log is a feature that allows to track and review the actions performed by users and integrations in an organization or repository. Users can use the audit log to monitor security events, troubleshoot issues, and analyze trends. The audit log records events such as user , repository creation and deletion, team and member management, webhooks, permission changes, user account actions, codespace creation and deletion, repository cloning, IP allow list changes, SSH key changes, repository visibility changes, and more.

GitHub has noted that some users have been getting too close to real-time monitoring or have too many different processes accessing the audit logs. As a result, the company has stated that “query cost is a crucial consideration, and in the future, the audit log may impose further rate limiting for high-cost queries that place significant strain on our data stores.”

Suggested Actions for Customers

Customers are advised to prepare to handle HTTP 429 responses, which indicate “too many requests.” If “near real-time data” is a requirement, customers are encouraged to stream the audit log to another service and then query that service instead. This means that the customer, rather than GitHub, will pay for resource usage other than the stream itself. Audit log streaming supports Amazon S3, Azure Blob Storage or Event Hub, Datadog, Splunk, or Google Cloud storage.

The Complexity of GitHub Rate Limits

Rate limits are not new to GitHub. There are always rate limits for API calls, and there is even an API for users to get their rate limit status. However, the GraphQL API is particularly problematic because a “single complex GraphQL call could be the equivalent of thousands of REST requests,” GitHub states. It has a points system in place to calculate the cost of queries in order to apply limits.

While rate limits can be annoying, they are important to keep GitHub responsive to its millions of users. With 94 million developers reported last year, GitHub faces unique challenges in maintaining a highly responsive platform. If rate-limiting is part of the solution, developers may feel it is a worthwhile trade.