Vanta MCP Server

A Model Context Protocol server that provides access to Vanta's automated security compliance platform. Vanta helps organizations achieve and maintain compliance with security frameworks like SOC 2, ISO 27001, HIPAA, GDPR, and others through automated monitoring, evidence collection, and continuous security testing. This MCP server enables AI assistants to interact with Vanta's API to retrieve compliance test results, manage security findings, and access framework requirements.

⚠️ Important Disclaimer: This experimental server is currently in public preview and provides AI assistants with access to your Vanta compliance data. You may encounter bugs, errors or unexpected results. Always verify the accuracy and appropriateness of AI-generated responses before taking any compliance or security actions. Users are responsible for reviewing all outputs and ensuring they meet their organization's security and compliance requirements.

Features

Controls

List security controls or fetch a specific control by ID
Discover which automated tests validate each control
Review evidence documents mapped to controls

Tool Name	Description
`controls`	Access security controls in your Vanta account. Provide controlId to get a specific control, or omit to list all controls with optional framework filtering.
`list_control_tests`	Enumerate automated tests that validate a specific security control, including status and failing entity details.
`list_control_documents`	List documents that provide evidence for a specific security control so you can quickly locate supporting artifacts.

Documents

Enumerate compliance documents across your organization
Inspect the controls, links, or uploads associated with a document

Tool Name	Description
`documents`	List documents in your Vanta account or retrieve a specific document by ID with metadata for compliance and evidence management.
`document_resources`	Retrieve resources linked to a document (controls, links, uploads) by specifying the desired resource type.

Frameworks

Review framework adoption and progress metrics across your organization
Drill into the controls required by each framework

Tool Name	Description
`frameworks`	List compliance frameworks available in your Vanta account along with completion status and progress metrics.
`list_framework_controls`	Retrieve the controls associated with a framework, including descriptions, implementation guidance, and current compliance status.

Integrations

Enumerate connected integrations and review their metadata
Explore supported resource kinds and fetch integration resources on demand

Tool Name	Description
`integrations`	List integrations connected to your Vanta account or fetch details for a specific integration, including supported resource kinds and connection status.
`integration_resources`	Access integration resources by selecting the desired operation (`list_kinds`, `get_kind_details`, `list_resources`, or `get_resource`).

People

List or retrieve people for compliance and access reviews

Tool Name	Description
`people`	List people in your Vanta account or retrieve a specific person by ID, including role, email, and group membership metadata.

Risks

Track risk scenarios, their status, scoring, and treatment plans

Tool Name	Description
`risks`	List risk scenarios managed in your risk register or fetch a specific scenario by ID to review status, scoring, and treatment information.

Tests

Monitor automated security tests running in your environment
Investigate the entities associated with a specific test

Tool Name	Description
`tests`	Retrieve Vanta's automated security and compliance tests. Filter by status, integration, or framework to understand which controls are passing or failing.
`list_test_entities`	Get the resources monitored by a specific security test, including failing entities that require remediation.

Vulnerabilities

Review vulnerabilities surfaced by Vanta, including CVE metadata and affected assets

Tool Name	Description
`vulnerabilities`	List vulnerabilities detected across your infrastructure or retrieve a specific vulnerability by ID with CVE details, severity, and impacted asset information.

Multi-Region Support

US, EU, and AUS regions with region-specific API endpoints
Global compliance support for distributed organizations

Tools

Tool Name	Description
`tests`	Retrieve Vanta's automated security and compliance tests. Filter by status, integration, or framework to understand pass/fail posture quickly.
`list_test_entities`	Get resources monitored by a particular test, including failing entities that need remediation.
`controls`	List security controls in your Vanta account or retrieve a specific control by ID with framework mapping details.
`list_control_tests`	Enumerate automated tests that validate a specific control, complete with status and failing entity information.
`list_control_documents`	List documents mapped to a control to locate supporting evidence quickly.
`documents`	List compliance documents or fetch details for a specific document, including metadata.
`document_resources`	Retrieve resources linked to a document (controls, links, uploads) by choosing the desired resource type.
`integrations`	List integrations connected to your Vanta account or fetch details for a specific integration, including resource kinds and connection status.
`integration_resources`	Inspect integration resource kinds, schema information, full resource lists, or a specific resource by selecting from the supported operations.
`frameworks`	List compliance frameworks with completion status and progress metrics for each.
`list_framework_controls`	Retrieve the controls associated with a compliance framework, including descriptions and implementation guidance.
`people`	List people across your organization or look up a specific person by ID with role, email, and group membership metadata.
`risks`	List risk scenarios under management or fetch a specific scenario to review status, scoring, and treatment plans.
`vulnerabilities`	List detected vulnerabilities or retrieve a specific item with CVE metadata, severity, and impacted assets.

Configuration

Vanta OAuth Credentials

Create OAuth credentials from Vanta's developer dashboard

Save the client_id and client_secret to an env file:

{
  "client_id": "your_client_id_here",
  "client_secret": "your_client_secret_here"
}

Note: Vanta currently allows only a single active access_token per Application. More info here

Usage with Claude Desktop

Add the server to your claude_desktop_config.json:

{
  "mcpServers": {
    "vanta": {
      "command": "npx",
      "args": ["-y", "@vantasdk/vanta-mcp-server"],
      "env": {
        "VANTA_ENV_FILE": "/absolute/path/to/your/vanta-credentials.env"
      }
    }
  }
}

If you are unfamiliar with setting up MCP servers in Claude Desktop, here is an example in the official MCP documentation.

Usage with Cursor

Add the server to your Cursor MCP settings:

{
  "mcpServers": {
    "Vanta": {
      "command": "npx",
      "args": ["-y", "@vantasdk/vanta-mcp-server"],
      "env": {
        "VANTA_ENV_FILE": "/absolute/path/to/your/vanta-credentials.env"
      }
    }
  }
}

Environment Variables

VANTA_ENV_FILE (required): Absolute path to the JSON file containing your OAuth credentials
REGION (optional): API region - us, eu, or aus (defaults to us)

Installation

NPX (Recommended)

npx @vantasdk/vanta-mcp-server

Global Installation

npm install -g @vantasdk/vanta-mcp-server
vanta-mcp-server

From Source

git clone https://github.com/VantaInc/vanta-mcp-server.git
cd vanta-mcp-server
npm install
npm run build
npm start

Build from Source

To build from source:

npm run build

This will:

Compile TypeScript to JavaScript
Make the output executable
Place built files in the build/ directory

Now you can configure Claude Desktop or Cursor to use the built executable:

{
  "mcpServers": {
    "Vanta": {
      "command": "node",
      "args": ["/absolute/path/to/vanta-mcp-server/build/index.js"],
      "env": {
        "VANTA_ENV_FILE": "/absolute/path/to/your/vanta-credentials.env"
      }
    }
  }
}

Development

This server is built with TypeScript and includes the following development tools:

TypeScript: For type safety and better development experience
ESLint: For code quality and consistency
Automated Tool Registry: Zero-maintenance tool registration system
DRY Utilities: Centralized utilities to reduce code duplication

Project Structure

vanta-mcp-server/
├── src/
│   ├── operations/              # MCP tool implementations
│   │   ├── index.ts            # Barrel export for all operations
│   │   ├── common/             # Shared utilities and infrastructure
│   │   │   ├── descriptions.ts # Centralized parameter descriptions
│   │   │   ├── imports.ts      # Common imports barrel for operations
│   │   │   └── utils.ts        # DRY utilities and request handlers
│   │   ├── controls.ts         # Control-related operations
│   │   ├── vendors.ts          # Vendor-related operations
│   │   ├── people.ts           # People-related operations
│   │   ├── documents.ts        # Document-related operations
│   │   ├── frameworks.ts       # Framework-related operations
│   │   ├── risks.ts            # Risk scenario operations
│   │   ├── tests.ts            # Test-related operations
│   │   ├── integrations.ts     # Integration-related operations (consolidated)
│   │   ├── discovered-vendors.ts # Discovery operations (consolidated)
│   │   ├── trust-centers.ts    # Trust Center operations
│   │   └── ...                 # Other resource operations (18 total)
│   ├── eval/                   # Evaluation and testing framework
│   │   ├── eval.ts            # LLM evaluation test cases
│   │   └── README.md          # Evaluation documentation
│   ├── api.ts                  # Base API configuration
│   ├── auth.ts                 # Authentication handling
│   ├── config.ts               # Control enabled tools
│   ├── index.ts                # Main server entry point
│   ├── registry.ts             # Automated tool registration
│   └── types.ts                # Type definitions
├── build/                      # Compiled JavaScript output
└── README.md                   # This file

Architecture Highlights

Consolidated Tool Pattern: Single tools intelligently handle both list and get operations with optional ID parameters
Reduced Complexity: 43 tools (down from 53) through smart consolidation while maintaining full functionality
Clean Organization: Operations files are cleanly separated from infrastructure code
Common Subdirectory: All shared utilities, imports, and descriptions are organized in operations/common/
Automated Registry: New tools are automatically discovered and registered without manual configuration
DRY Principles: Extensive code reuse through centralized utilities and schema factories
Type Safety: Full TypeScript coverage with comprehensive type definitions

For detailed architecture documentation, see src/operations/README.md.

Debugging

You can use the MCP Inspector to debug the server:

npx @modelcontextprotocol/inspector npx @vantasdk/vanta-mcp-server

The inspector will open in your browser, allowing you to test tool calls and inspect the server's behavior.

If you want to test a local build you can do so using:

npx @modelcontextprotocol/inspector node path/to/build/index.js

In the browser window you will then need to add the environment variable "VANTA_ENV_FILE": "/absolute/path/to/your/vanta-credentials.env"

Example Usage

Get failing AWS tests for SOC2

{
  "tool": "list_tests",
  "arguments": {
    "statusFilter": "NEEDS_ATTENTION",
    "integrationFilter": "aws",
    "frameworkFilter": "soc2",
    "pageSize": 50
  }
}

License

This project is licensed under the terms of the MIT open source license. Please refer to LICENSE file for details.