POST /audits/{auditId}/controls/custom-controls

TypeScript
import { Vanta } from "vanta-auditor-api-sdk";

const vanta = new Vanta({
  bearerAuth: process.env["VANTA_BEARER_AUTH"] ?? "",
});

async function run() {
  const result = await vanta.audits.createCustomControl({
    auditId: "<id>",
    createCustomControlInput: {
      externalId: "<id>",
      name: null,
      description: "yet plus utter queasily what juvenile wound",
      effectiveDate: new Date("2024-11-10T13:58:54.564Z"),
      category: "CLOUD_SECURITY",
    },
  });

  console.log(result);
}

run();

Response example (201)
{
  "id": "a2f7e1b9d0c3f4e5a6c7b8d9",
  "externalId": "CRY-104",
  "name": "Data encryption utilized",
  "description": "Access reviews are performed to ensure that access is appropriate for the user's role and responsibilities.",
  "source": "Vanta",
  "domains": [
    "CRYPTOGRAPHIC_PROTECTIONS"
  ],
  "owner": {
    "id": "65e1efde08e8478f143a8ff9",
    "emailAddress": "example-person@email.com",
    "displayName": "Example Owner"
  },
  "role": "CONTROLLER",
  "customFields": [
    {
      "label": "Additional context",
      "value": "This control is critical for GDPR compliance"
    }
  ],
  "creationDate": null,
  "modificationDate": null
}

Authorizations

Authorization
string
header
required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Path Parameters

auditId
string
required

Body

application/json

externalId
string
required

The external id of the control.

name
string | null
required

The name of the control.

description
string
required

The description of the control.

effectiveDate
string<date-time>
required

The effective date of the control.

category
enum<string>
required

The category of the control. See the ControlDomain enum for possible values.

Available options:
ARTIFICIAL_&_AUTONOMOUS_TECHNOLOGY,
ASSET_MANAGEMENT,
BUSINESS_CONTINUITY_&_DISASTER_RECOVERY,
CAPACITY_&_PERFORMANCE_PLANNING,
CHANGE_MANAGEMENT,
CLOUD_SECURITY,
COMPLIANCE,
CONFIGURATION_MANAGEMENT,
CONTINUOUS_MONITORING,
CRYPTOGRAPHIC_PROTECTIONS,
DATA_CLASSIFICATION_&_HANDLING,
EMBEDDED_TECHNOLOGY,
ENDPOINT_SECURITY,
HUMAN_RESOURCES_SECURITY,
IDENTIFICATION_&_AUTHENTICATION,
INCIDENT_RESPONSE,
INFORMATION_ASSURANCE,
MAINTENANCE,
MOBILE_DEVICE_MANAGEMENT,
NETWORK SECURITY,
PHYSICAL_&_ENVIRONMENTAL_SECURITY,
PRIVACY,
PROJECT_&_RESOURCE MANAGEMENT,
RISK_MANAGEMENT,
SECURE_ENGINEERING_&_ARCHITECTURE,
SECURITY_AWARENESS_&_TRAINING,
SECURITY_OPERATIONS,
SECURITY_&_PRIVACY_GOVERNANCE,
TECHNOLOGY_DEVELOPMENT_&_ACQUISITION,
THIRD-PARTY_MANAGEMENT,
THREAT_MANAGEMENT,
VULNERABILITY_&_PATCH_MANAGEMENT,
WEB_SECURITY,
ADMINISTRATIVE,
PHYSICAL,
TECHNICAL,
BASIC,
DERIVED

sections
object[] | null

Framework sections that the control should be mapped to.

role
enum<string>

The GDPR role of the control, which specifies whether the data is being "collected" or "processed". See the GdprRole enum for possible values. This field should only be included for controls that are to be mapped to the GDPR framework.

Available options:
BOTH,
CONTROLLER,
PROCESSOR
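
The body rules above (required fields, the nullable name, the date-time format, and the category and role option lists) can be checked on the client before the request is sent. The TypeScript below is an added example, not part of Vanta's documentation or SDK: validateCustomControlInput is a hypothetical helper, and reading string<date-time> as an RFC 3339 timestamp is an assumption.

```typescript
// Added example, not Vanta SDK code: validateCustomControlInput is a hypothetical helper.
// Category and role values are copied verbatim from the option lists on this page.
const CATEGORIES: ReadonlySet<string> = new Set([
  "ARTIFICIAL_&_AUTONOMOUS_TECHNOLOGY", "ASSET_MANAGEMENT",
  "BUSINESS_CONTINUITY_&_DISASTER_RECOVERY", "CAPACITY_&_PERFORMANCE_PLANNING",
  "CHANGE_MANAGEMENT", "CLOUD_SECURITY", "COMPLIANCE", "CONFIGURATION_MANAGEMENT",
  "CONTINUOUS_MONITORING", "CRYPTOGRAPHIC_PROTECTIONS", "DATA_CLASSIFICATION_&_HANDLING",
  "EMBEDDED_TECHNOLOGY", "ENDPOINT_SECURITY", "HUMAN_RESOURCES_SECURITY",
  "IDENTIFICATION_&_AUTHENTICATION", "INCIDENT_RESPONSE", "INFORMATION_ASSURANCE",
  "MAINTENANCE", "MOBILE_DEVICE_MANAGEMENT", "NETWORK SECURITY",
  "PHYSICAL_&_ENVIRONMENTAL_SECURITY", "PRIVACY", "PROJECT_&_RESOURCE MANAGEMENT",
  "RISK_MANAGEMENT", "SECURE_ENGINEERING_&_ARCHITECTURE", "SECURITY_AWARENESS_&_TRAINING",
  "SECURITY_OPERATIONS", "SECURITY_&_PRIVACY_GOVERNANCE",
  "TECHNOLOGY_DEVELOPMENT_&_ACQUISITION", "THIRD-PARTY_MANAGEMENT", "THREAT_MANAGEMENT",
  "VULNERABILITY_&_PATCH_MANAGEMENT", "WEB_SECURITY", "ADMINISTRATIVE", "PHYSICAL",
  "TECHNICAL", "BASIC", "DERIVED",
]);
const GDPR_ROLES: ReadonlySet<string> = new Set(["BOTH", "CONTROLLER", "PROCESSOR"]);
// Assumption: string<date-time> means an RFC 3339 timestamp.
const DATE_TIME = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$/;

// Returns a list of problems; an empty list means the JSON body matches the documented schema.
function validateCustomControlInput(body: Record<string, unknown>): string[] {
  const errors: string[] = [];
  const { externalId, name, description, effectiveDate, category, role } = body;
  if (typeof externalId !== "string") errors.push("externalId: required string");
  if (typeof description !== "string") errors.push("description: required string");
  // name is required but nullable: null is accepted, a missing value is not.
  if (name !== null && typeof name !== "string") {
    errors.push("name: required string or null");
  }
  if (typeof effectiveDate !== "string" || !DATE_TIME.test(effectiveDate)
      || Number.isNaN(Date.parse(effectiveDate))) {
    errors.push("effectiveDate: required date-time string");
  }
  if (typeof category !== "string" || !CATEGORIES.has(category)) {
    errors.push("category: required, must be one of the listed options");
  }
  // role is optional; the page says to send it only for controls mapped to GDPR.
  if (role !== undefined && (typeof role !== "string" || !GDPR_ROLES.has(role))) {
    errors.push("role: must be BOTH, CONTROLLER or PROCESSOR");
  }
  return errors;
}
```

The check is exact-match on the listed strings, so "NETWORK SECURITY" (with a space, as listed) passes while "NETWORK_SECURITY" is rejected.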

Response

201 - application/json

Custom control created

id
string
required

The control's unique ID.

externalId
string | null
required

The control's external ID.

name
string
required

The control's name.

description
string
required

The control's description.

source
enum<string>
required

The control's source, either "Vanta" or "Custom".

Available options:
Vanta,
Custom

domains
string[]
required

The security domains that the control belongs to.

owner
object
required

The control's owner.

customFields
object[]
required

The control's custom field values, if control custom fields are included in your Vanta instance.

creationDate
string<date-time> | null
required

When the control was created. Returns null for Vanta library controls.

modificationDate
string<date-time> | null
required

When the control was last modified. Returns null for Vanta library controls.

role
string | null

The control's GDPR role, if the control is a GDPR control.