By the end of this quickstart you’ll have the Vanta Claude Code plugin installed and you’ll have used it to surface failing compliance tests, inspect the resources causing them to fail, and generate a pull request that fixes one.

Before you begin

Make sure you have:
  • A Vanta account with admin access.
  • Claude Code installed.
  • A repository that Claude Code can read — the plugin uses your local codebase to generate targeted fixes.
  • At least one Vanta integration connected (AWS, GCP, GitHub, etc.) — most test endpoints return data only when integrations are active.
This quickstart uses the Claude Code plugin, which adds the /vanta:fix-test and /vanta:list-tests slash commands on top of the hosted MCP server. If you want to connect a different client (Cursor, Perplexity, or Claude Code without the plugin), see Vanta MCP server instead. If you want to automate Vanta with code, see Manage Vanta via API.
Step 1: Install the Vanta plugin

In Claude Code, run the following three commands in sequence. You can paste them one at a time or chain them:
/plugin marketplace update anthropics/claude-plugins-official
/plugin install vanta-mcp-plugin@claude-plugins-official
/reload-plugins
After /reload-plugins completes, run /mcp, select Vanta, choose your region (US, EU, or AUS), and complete the OAuth flow in your browser. Click Allow when Vanta asks for authorization.
If Vanta doesn’t appear in the /mcp list, the plugin may not have loaded yet. Run /reload-plugins again and wait a few seconds before running /mcp. If Vanta still doesn’t appear, confirm that the install command exited without errors, and re-run it if needed.
If the browser doesn’t open for the OAuth flow, Claude Code may have blocked the redirect. Manually open the authorization URL printed in the terminal. If the URL has already expired, run /mcp, select Vanta, and choose Reconnect to start a fresh flow.
Step 2: List failing tests for your repository

Once authenticated, ask Claude to find the failing tests that are most relevant to your codebase. Type the following prompt in Claude Code (or run the /vanta:list-tests slash command, which does the same thing):
Show me the highest-priority failing Vanta tests relevant to this repository.
Claude calls the tests MCP tool with statusFilter: NEEDS_ATTENTION, reads your repository to match tests to the tech stack it finds, and returns a prioritized list. You should see output similar to:
Found 12 failing tests. Here are the 5 most relevant to this repository:

1. AWS S3 buckets should have server-side encryption enabled
   Test ID: aws-s3-bucket-server-side-encryption-enabled
   Failing resources: 4  |  Framework: SOC 2 CC6.1, ISO 27001 A.10.1
   Severity: HIGH

2. AWS IAM password policy should require minimum length of 14
   Test ID: aws-iam-password-policy-minimum-length
   Failing resources: 1  |  Framework: SOC 2 CC6.1
   Severity: MEDIUM
...
If Claude reports no failing tests, either all tests are passing (great news!) or your Vanta integrations haven’t finished syncing. In the Vanta dashboard, open Tests and confirm that at least one test shows Needs attention. If the dashboard shows failures but the MCP call doesn’t, your OAuth token may have expired; re-authenticate via /mcp → Vanta → Reconnect.
If the listed tests don’t look relevant to your repository, remember that the plugin uses your open repository for context. Confirm that Claude Code has the correct project open (/project shows the active root), then re-run the prompt. If your repository doesn’t contain infrastructure code, Claude will still list the highest-severity failing tests by default.
Step 3: Inspect the failing resources for one test

Pick a test from the list — start with a HIGH severity one — and ask Claude to show you which specific resources are failing it. Replace the test name below with one from your output:
Show me which specific resources are failing the "ADD YOUR TEST NAME" test.
Claude calls list_test_entities with the testId from the previous step and returns the individual failing resources:
4 resources are failing this test:

• my-company-assets (ID: s3::us-east-1:my-company-assets)
  Integration: AWS (account: 123456789012)
  Failing reason: SSE not configured

• my-company-logs (ID: s3::us-east-1:my-company-logs)
  Integration: AWS (account: 123456789012)
  Failing reason: SSE not configured
...
You now know exactly what resource types are failing. This context will be used for the next step.
Check the Integration field — resources from child AWS accounts or linked GCP projects are listed alongside your primary account’s resources. If you manage multiple accounts, filter by the account ID you own before opening a PR.
Step 4: Generate a fix and open a pull request

Run the /vanta:fix-test slash command, or type the following prompt:
Fix the "ADD TEST NAME" test.
Generate the Terraform changes needed and open a draft pull request.
The plugin’s remediation skill will:
  1. Read your Terraform (or CloudFormation / CDK) files to understand your existing module structure.
  2. Call list_test_entities again to confirm which resource IDs to target.
  3. Generate minimal, targeted changes — for example, adding server_side_encryption_configuration blocks to the affected aws_s3_bucket resources.
  4. Open a draft pull request against your current branch with a description that links back to the Vanta test ID.
Claude prints the PR URL when it’s done:
Opened draft PR #47: "fix: enable SSE on 4 S3 buckets (Vanta aws-s3-bucket-sse)"
https://github.com/your-org/your-repo/pull/47
Review the diff before marking it ready for review — the plugin generates a best-effort fix based on your existing module patterns, so spot-check variable references and backend state before merging.
If Claude can’t find your infrastructure code: the plugin searches for .tf files in the repository root and common subdirectories (infra/, terraform/, ops/). If your IaC lives elsewhere, tell Claude: “The Terraform files are in platform/infra/aws/.” Claude will re-scope its search.
If the pull request targets the wrong branch: the plugin targets the branch currently checked out in your repository. Switch to your feature or fix branch before running /vanta:fix-test, then re-run the command.
The plugin supports Terraform, CloudFormation (YAML/JSON), and AWS CDK (TypeScript). Tell Claude which framework you use and it will adjust the generated fix. For CDK, Claude generates a construct-level change rather than editing synthesized templates directly.
Step 5: Verify it worked

Open the PR in GitHub and confirm:
  • The changed files correspond to the resources listed in Step 3.
  • The PR description references the Vanta test ID and links to the failing resources.
  • The diff is minimal — only the resources identified as failing should be modified.
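One way to check that last point mechanically, as an added example that is not part of the Vanta plugin or its documentation: the script attributes every added or removed line in a unified diff to its enclosing top-level Terraform block and returns the blocks that are not on a reviewer-supplied allow-list. The sample diff, file path and allow-list are constructed, and the mapping from Step 3's failing resources to Terraform addresses is assumed to be done by the reviewer.

```python
import re
# Top-level Terraform block header, e.g.: resource "aws_s3_bucket" "assets" {
BLOCK = re.compile(r'^(\w+)((?:\s+"[^"]+")*)\s*\{')

def block_address(line):
    m = BLOCK.match(line)
    if not m:
        return None
    kind = [] if m.group(1) == "resource" else [m.group(1)]
    return ".".join(kind + re.findall(r'"([^"]+)"', m.group(2)))

def touched_blocks(diff_text):
    """Attribute each added/removed line to its enclosing top-level block."""
    touched, path, current = set(), None, None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path, current = line[4:].removeprefix("b/"), None
        elif line.startswith("@@"):
            # git appends the nearest preceding column-0 line to the hunk header
            current = block_address(line.split("@@", 2)[-1].strip())
        elif path and line[:4] != "--- " and line[:1] in ("+", "-", " "):
            current = block_address(line[1:]) or current
            if line[0] != " " and line[1:].strip():
                touched.add((path, current or "(outside any block)"))
            if line[1:].startswith("}"):  # column-0 brace closes the block
                current = None
    return touched

def out_of_scope(diff_text, allowed):
    return sorted(t for t in touched_blocks(diff_text) if t[1] not in allowed)

# Constructed sample: the expected SSE change plus an unrelated backend edit.
SAMPLE_DIFF = """\
--- a/infra/s3.tf
+++ b/infra/s3.tf
@@ -2,3 +2,10 @@ resource "aws_s3_bucket" "assets" {
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        sse_algorithm = "AES256"
+      }
+    }
+  }
 }
@@ -40,3 +47,3 @@ terraform {
   backend "s3" {
-    bucket = "tf-state"
+    bucket = "tf-state-new"
"""
```

Calling out_of_scope(SAMPLE_DIFF, {"aws_s3_bucket.assets"}) returns the terraform backend block, which is the kind of unrelated edit to question before merging. Lines whose enclosing block cannot be determined are reported as "(outside any block)" rather than treated as in scope.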
After the PR is merged and your CI/CD pipeline applies the change, Vanta will re-evaluate the test on its next sync cycle (usually within 24 hours). You can also ask Claude to check the current test status at any time:
What is the current status of the "AWS S3 buckets should have server-side
encryption enabled" test in Vanta?
Scenario | What you should see
Success | Draft PR exists with targeted diff; description includes the Vanta test ID and failing resource IDs
Auth failure | Claude reports a tool error; re-authenticate via /mcp → Vanta → Reconnect and re-run the prompt
No IaC found | Claude asks for the path to your infrastructure code; provide it and re-run
Test still failing after merge | Changes haven’t been applied yet, or the sync cycle hasn’t run; check your pipeline and wait for Vanta’s next sync

Congratulations

You have the Vanta Claude Code plugin connected and you’ve used it to surface failing tests, inspect the failing resources, and open a PR to fix one. From here you can:
  • Fix more tests — run /vanta:list-tests at any time to get an updated priority list and repeat the fix flow.
  • Explore other compliance data — ask Claude about controls, vendors, vulnerabilities, or frameworks in plain English.
  • Connect additional clients — add the Vanta MCP server to Cursor or Perplexity using the Vanta MCP server reference.

More things to try

Once you’re connected, ask Claude any of the following in plain English:
Show me my SOC 2 controls, how many are complete versus in progress,
and which controls have the most failing tests.
Claude calls frameworks to get overall SOC 2 progress, then list_framework_controls to break it down by control, and finally list_control_tests on the weakest controls to surface the specific tests dragging them down.
List every CRITICAL vulnerability in my integration whose remediation
deadline is in the next 30 days, and tell me which ones are already assigned.
Claude calls vulnerabilities with severity and integration filters, then sorts by deadline and checks the owner assignment on each result.
Which failing tests are mapped to both SOC 2 and ISO 27001? Show me the
failing resource count for each so I can prioritize cross-framework wins.
Claude calls tests filtered to NEEDS_ATTENTION, then cross-references the frameworkCodes field on each test to identify ones that appear in both framework mappings.
Who is the owner of the "Encryption at rest" control, and which automated
tests validate it?
Claude calls controls to find the control by name, then list_control_tests to enumerate its associated tests and their current pass/fail status.

Next steps

Vanta MCP server

Connect Cursor, Perplexity, or Claude Code (without the plugin) to the same Vanta MCP tools.

Query failing tests via API

Pull test results programmatically using the REST API — useful for CI pipelines and dashboards.

Triage vulnerabilities

Surface vulnerable assets with approaching SLA deadlines — via MCP or the API.

Manage Vanta via API

Get an API token and automate your Vanta account with code.