@mindstone/mcp-server-vanta

Vanta compliance MCP server — read and write vulnerabilities, tests, controls, evidence, resources, people, vendors, and compliance summaries via the Vanta API.

One-click install

After clicking the button, your host will prompt you to fill: VANTA_CLIENT_ID, VANTA_CLIENT_SECRET, VANTA_REGION, VANTA_REQUEST_TIMEOUT_MS.

Manual config for Claude Desktop / Claude Code / Goose / Continue.dev (Vanta)

{
  "mcpServers": {
    "Vanta": {
      "command": "npx",
      "args": [
        "-y",
        "@mindstone/mcp-server-vanta"
      ],
      "env": {
        "VANTA_CLIENT_ID": "",
        "VANTA_CLIENT_SECRET": "",
        "VANTA_REGION": "us",
        "VANTA_REQUEST_TIMEOUT_MS": "60000"
      }
    }
  }
}

Status

Version: 0.1.0 · npm
Auth: OAuth client-credentials grant (VANTA_CLIENT_ID + VANTA_CLIENT_SECRET)
Tools: 18 (13 read + 5 write across vulnerabilities, tests, controls, resources, evidence, people, vendors, documents, compliance summary)
Surface: cloud-api
Regions: US, EU, AUS (set via VANTA_REGION)

Installation

npx -y @mindstone/mcp-server-vanta

Configuration

Set these environment variables before starting the server:

VANTA_CLIENT_ID — Vanta OAuth Client ID (required)
VANTA_CLIENT_SECRET — Vanta OAuth Client Secret (required)
VANTA_REGION — us (default), eu, or aus
VANTA_REQUEST_TIMEOUT_MS — request timeout in milliseconds (default 60000)

To generate credentials, open the Vanta Developer Console, create a new OAuth client with the "Manage Vanta" (read-write) scope, and copy the Client ID and Client Secret.

Tools

Read

vanta_list_vulnerabilities / vanta_get_vulnerability
vanta_list_tests / vanta_get_test
vanta_list_controls / vanta_get_control
vanta_list_resources
vanta_list_evidence
vanta_list_people
vanta_query_test_results
vanta_get_compliance_summary
vanta_list_vendors / vanta_get_vendor

Write

vanta_create_vendor
vanta_update_vendor
vanta_attach_vendor_document
vanta_update_vulnerability
vanta_upload_document

Safety

This server enforces:

HTTPS-only URL validation on document attachment tools (rejects file:, localhost, RFC1918, link-local, and other internal addresses).
60-requests-per-minute rate limiting with single-flight token exchange.
Response truncation at 25 KB with binary-search trimming.
Bearer-token redaction in all error messages.

License

FSL-1.1-MIT