Query Vanta compliance data directly from your IDE using the Model Context Protocol.
An MCP server that connects AI assistants (Cursor, Claude Desktop, etc.) to your Vanta instance, enabling engineers to query compliance tests, view affected resources, and get remediation guidance without leaving their editor.
- Download `vanta-mcp-server.zip` from Releases
- Unzip to a location on your machine (e.g., `~/vanta-mcp-server`)
- Run the setup script:

```bash
cd ~/vanta-mcp-server
./setup.sh
```
The script will:
- Install dependencies
- Prompt for your Vanta API credentials
- Configure Cursor/Claude Desktop automatically
Or manually:

```bash
cd ~/vanta-mcp-server
npm install --production
# Then configure your IDE (see below)
```

To build from source instead of using a release:

```bash
git clone https://github.com/your-org/vanta-mcp-server.git
cd vanta-mcp-server/mcp-vanta-server
npm install
npm run build
```

To get API credentials:

- Go to Vanta → Settings → Developer console
- Click + Create to create a new application
- Select "Manage Vanta" as the app type
- Copy your Client ID and Client Secret
The MCP server is configured globally — once set up, it works in all your projects.
Create or edit Cursor's global config file:
| OS | Location |
|---|---|
| macOS/Linux | `~/.cursor/mcp.json` |
| Windows | `%USERPROFILE%\.cursor\mcp.json` |

Add the following (replace paths and credentials):

```json
{
  "mcpServers": {
    "vanta": {
      "command": "node",
      "args": ["/Users/YOUR_USERNAME/vanta-mcp-server/dist/index.js"],
      "env": {
        "VANTA_CLIENT_ID": "your_client_id",
        "VANTA_CLIENT_SECRET": "your_client_secret",
        "VANTA_SCOPES": "vanta-api.all:read"
      }
    }
  }
}
```

Create or edit Claude Desktop's global config file:
| OS | Location |
|---|---|
| macOS | ~/Library/Application Support/Claude/claude_desktop_config.json |
| Windows | %APPDATA%\Claude\claude_desktop_config.json |
Add the following (replace paths and credentials):

```json
{
  "mcpServers": {
    "vanta": {
      "command": "node",
      "args": ["/Users/YOUR_USERNAME/vanta-mcp-server/dist/index.js"],
      "env": {
        "VANTA_CLIENT_ID": "your_client_id",
        "VANTA_CLIENT_SECRET": "your_client_secret",
        "VANTA_SCOPES": "vanta-api.all:read"
      }
    }
  }
}
```

Restart your IDE to load the MCP server.
| Tool | Description |
|---|---|
| `list_failing_tests` | Get all failing compliance tests |
| `get_test_details` | Get details on a specific test |
| `list_affected_assets` | List resources failing a specific test |
| `suggest_remediation` | Get remediation guidance for a test |
Once configured, ask your AI assistant:

- "What compliance tests are failing?"
- "Show me details on the screenlock test"
- "Which resources are affected by test X?"
- "How do I fix this compliance issue?"
```mermaid
flowchart LR
    subgraph ide [IDE]
        AI[AI Assistant]
    end
    subgraph server [MCP Server]
        Tools[Tool Handlers]
        Client[Vanta Client]
    end
    subgraph vanta [Vanta]
        API[Vanta API]
    end
    AI <--> Tools
    Tools --> Client
    Client --> API
```
| Variable | Required | Description |
|---|---|---|
| `VANTA_CLIENT_ID` | Yes | OAuth client ID from Vanta Developer Console |
| `VANTA_CLIENT_SECRET` | Yes | OAuth client secret |
| `VANTA_SCOPES` | No | API scopes (default: `vanta-api.all:read`) |
```bash
# Install dependencies
npm install
# Run in development mode
npm run dev
# Type check
npx tsc --noEmit
# Build
npm run build
```

The GitHub Actions workflow (`.github/workflows/release.yml`) runs on every push and PR:
| Check | Tool | Purpose |
|---|---|---|
| Type checking | TypeScript | Catch type errors before runtime |
| Build validation | tsc | Ensure the server compiles |
| Security scan | mcp-security-scanner | Check for MCP-specific vulnerabilities |
Releases are created automatically when you push a version tag:

```bash
git tag v1.0.0
git push origin v1.0.0
```

This creates a GitHub Release with a downloadable `vanta-mcp-server.zip` artifact.
- Create a new file in `src/tools/`:

```typescript
// src/tools/listFrameworks.ts
import { vantaFetch } from "../data/vantaClient.js";

export async function listFrameworks() {
  try {
    // Vanta list endpoints wrap results in { results: { data: [...] } };
    // fall back to the raw body if that envelope is absent.
    const response = await vantaFetch<any>("/v1/frameworks");
    const frameworks = response.results?.data || response;
    return {
      content: [{ type: "text", text: JSON.stringify(frameworks, null, 2) }],
    };
  } catch (error: unknown) {
    const message = error instanceof Error ? error.message : String(error);
    return {
      content: [{ type: "text", text: `Error: ${message}` }],
      isError: true,
    };
  }
}
```

- Register it in `src/index.ts`:

```typescript
// Add to imports
import { listFrameworks } from "./tools/listFrameworks.js";

// Add to tools array in ListToolsRequestSchema handler
{
  name: "list_frameworks",
  description: "List all compliance frameworks in your Vanta account",
  inputSchema: { type: "object", properties: {} },
}

// Add to switch statement in CallToolRequestSchema handler
case "list_frameworks":
  return listFrameworks();
```

- Rebuild and restart your IDE.
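The page's `listFrameworks` tool takes no input. Most useful tools do (`get_test_details` needs a test ID), and that argument arrives from the model, which means it can carry whatever a prompt injection in a ticket or document put there. The following added example (not code from the vanta-mcp-server repo) shows a handler that validates a model-supplied `testId` against an allow-list before interpolating it into the API path, so a value like `../exceptions` or `x?limit=1000` cannot redirect the request. The `args.testId` name, the injected `fetchFn` parameter and the `fakeVanta` stand-in are assumptions introduced so the handler runs offline; the project's real `vantaFetch` is not used here.

```typescript
// Added example: validating a model-supplied tool argument before it reaches a URL.
// Assumptions: the tool receives { testId } as its arguments, and the HTTP client
// is injected as `fetchFn` so the code runs without network access.

type ToolResult = { content: { type: "text"; text: string }[]; isError?: boolean };
type FetchFn = (path: string) => Promise<unknown>;

// Conservative allow-list for an opaque object ID. Anything that could alter the
// request target (slashes, "..", "?", "#", whitespace) is rejected outright.
const SAFE_ID = /^[A-Za-z0-9_-]{1,128}$/;

function buildTestPath(testId: unknown): string {
  if (typeof testId !== "string" || !SAFE_ID.test(testId)) {
    throw new Error("invalid testId: expected an opaque alphanumeric identifier");
  }
  // encodeURIComponent is a no-op for an ID that passed the allow-list; it is
  // kept so loosening SAFE_ID later cannot silently reintroduce path injection.
  return `/v1/tests/${encodeURIComponent(testId)}`;
}

function errorResult(e: unknown): ToolResult {
  const message = e instanceof Error ? e.message : String(e);
  return { content: [{ type: "text", text: `Error: ${message}` }], isError: true };
}

// Same result shape as the page's listFrameworks example, plus the `args` object
// the CallToolRequestSchema handler would pass through.
async function getTestDetails(args: Record<string, unknown>, fetchFn: FetchFn): Promise<ToolResult> {
  let path: string;
  try {
    path = buildTestPath(args.testId);
  } catch (e) {
    return errorResult(e); // rejected before any request is made
  }
  try {
    const data = await fetchFn(path);
    return { content: [{ type: "text", text: JSON.stringify(data, null, 2) }] };
  } catch (e) {
    return errorResult(e);
  }
}

// Constructed stand-in for the Vanta API (not real data) so the example runs offline.
const fakeVanta: FetchFn = async (path) => {
  if (path === "/v1/tests/test-screenlock") {
    return { id: "test-screenlock", name: "Screen lock enabled", status: "FAILING" };
  }
  throw new Error(`404 Not Found: ${path}`);
};

// Usage: a legitimate ID succeeds, an injected one is refused without a request.
void getTestDetails({ testId: "test-screenlock" }, fakeVanta).then((r) => console.log(r.content[0].text));
void getTestDetails({ testId: "../exceptions" }, fakeVanta).then((r) => console.log(r.isError, r.content[0].text));
```

Declare the same constraint in the tool's `inputSchema` (`type: "string"`, `pattern`, `maxLength`) so well-behaved clients reject bad values early, but keep the server-side check: the schema is advice to the model, the regex is the control.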
| Tool | Description | Vanta API Endpoint |
|---|---|---|
| `list_frameworks` | Show active compliance frameworks (SOC 2, ISO 27001, etc.) | `/v1/frameworks` |
| `list_controls` | List controls and their status | `/v1/controls` |
| `get_person_tasks` | Get security tasks for a specific person | `/v1/people/{id}/tasks` |
| `list_vulnerabilities` | Show open vulnerabilities | `/v1/vulnerabilities` |
| `list_vendors` | List third-party vendors and their review status | `/v1/vendors` |
| `get_audit_status` | Get upcoming audit deadlines and progress | `/v1/audits` |
| `list_computers` | Show computers and their compliance status | `/v1/computers` |
| `create_exception` | Request a temporary exception for a test | `POST /v1/exceptions` |

All of these except `create_exception` are reads and work with the default `vanta-api.all:read` scope; `create_exception` changes Vanta state and needs a `:write` scope (see the scope table below). See the Vanta API Documentation for available endpoints and data models.
| Scope | Access |
|---|---|
| `vanta-api.all:read` | Read access to all resources |
| `vanta-api.all:write` | Read/write access to all resources |
| `vanta-api.vendors:read` | Read vendor data only |
| `vanta-api.documents:read` | Read documents only |
- Store credentials in environment variables, never in code
- Use read-only scopes (`vanta-api.all:read`) unless write access is needed; a write scope lets anything the assistant is talked into doing change Vanta state
- Credentials in `mcp.json` are local to your machine, but the file holds the client secret in plaintext: keep its permissions restricted to your user account and never commit or share it
- Rotate credentials if exposed
MIT