> ## Documentation Index
> Fetch the complete documentation index at: https://developer.vanta.com/llms.txt
> Use this file to discover all available pages before exploring further.

# List of vendors who are in scope for this audit

> Returns a list of vendors who are in scope for this audit.

End of life — this endpoint works for classic audits only; it does not support
controlled audit view. It remains available for existing classic audits but will be removed once
classic audits are fully phased out, so do not build new integrations on it.

Rate limit: 10 requests / minute.



## OpenAPI

````yaml https://spec.speakeasy.com/vanta/vanta/conduct-an-audit-with-code-samples get /audits/{auditId}/vendors
openapi: 3.0.0
info:
  title: Conduct an audit
  version: 1.0.0
  description: >-
    The Auditor API lets audit firms conduct audits from a tool outside of
    Vanta. Unlock data syncing with Vanta through this API.


    **Note for Vanta Gov (FedRAMP) customers:** Select `Vanta Gov (FedRAMP)`
    from the server dropdown to issue requests against
    `https://api.vanta-gov.com`. The OAuth token URL shown below defaults to the
    commercial host — replace it with `https://api.vanta-gov.com/oauth/token`.
  termsOfService: https://www.vanta.com/terms
  license:
    name: UNLICENSED
  contact:
    name: API Support
    url: https://help.vanta.com/
    email: support@vanta.com
servers:
  - url: https://api.vanta.com/v1
    description: US Region API
  - url: https://api.vanta-gov.com/v1
    description: Vanta Gov (FedRAMP)
security: []
paths:
  /audits/{auditId}/vendors:
    get:
      tags:
        - Audits
      summary: List of vendors who are in scope for this audit
      description: >-
        Returns a list of vendors who are in scope for this audit.


        End of life — this endpoint works for classic audits only; it does not
        support

        controlled audit view. It remains available for existing classic audits
        but will be removed once

        classic audits are fully phased out, so do not build new integrations on
        it.


        Rate limit: 10 requests / minute.
      operationId: ListVendorsInAuditScope
      parameters:
        - in: path
          name: auditId
          required: true
          schema:
            type: string
        - in: query
          name: pageSize
          required: false
          schema:
            $ref: '#/components/schemas/PageSize'
        - in: query
          name: pageCursor
          required: false
          schema:
            $ref: '#/components/schemas/PageCursor'
      responses:
        '200':
          description: Ok
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PaginatedResponse_Vendor_'
              examples:
                Example 1:
                  value:
                    results:
                      data:
                        - id: a2f7e1b9d0c3f4e5a6c7b8d8
                          name: Vanta
                          websiteUrl: https://www.vanta.com/
                          accountManagerName: John Doe
                          accountManagerEmail: john@doe.com
                          servicesProvided: SaaS
                          additionalNotes: >-
                            Automate compliance and streamline security reviews
                            with the leading trust management platform.
                          authDetails:
                            method: O_AUTH
                            passwordMFA: true
                            passwordRequiresNumber: true
                            passwordRequiresSymbol: true
                            passwordMinimumLength: 16
                          securityOwnerUserId: 6626afa6490ec920099773e7
                          businessOwnerUserId: 6626afb14c912f0a50e85619
                          contractStartDate: '2024-02-01T00:00:00.000Z'
                          contractRenewalDate: '2025-02-01T00:00:00.000Z'
                          contractTerminationDate: null
                          lastSecurityReviewCompletionDate: '2024-01-01T00:00:00.000Z'
                          nextSecurityReviewDueDate: '2025-01-01T00:00:00.000Z'
                          isVisibleToAuditors: true
                          isRiskAutoScored: true
                          category:
                            displayName: cloudMonitoring
                          riskAttributeIds:
                            - 6626b0298acc44f8674390da
                            - 6626b02ea4cd9ba80d773c20
                          status: MANAGED
                          inherentRiskLevel: HIGH
                          residualRiskLevel: MEDIUM
                          vendorHeadquarters: USA
                          contractAmount:
                            amount: 1000000
                            currency: USD
                          customFields: null
                          latestDecision:
                            status: APPROVED
                            lastUpdatedAt: '2024-01-01T00:00:00.000Z'
                          linkedTaskTrackerTaskProcurementRequest:
                            service: jira
                            url: >-
                              https://random-company.atlassian.net/browse/PROJ-123
                      pageInfo:
                        hasNextPage: false
                        hasPreviousPage: false
                        startCursor: 6696ea0595df50d5cd6ec3b7
                        endCursor: 6696ece48eb1f98ff3d927c6
      deprecated: true
      security:
        - bearerAuth: []
components:
  schemas:
    PageSize:
      type: integer
      format: int32
      default: 10
      description: >-
        Controls the maximum number of items returned in one response from the
        API.
      minimum: 1
      maximum: 100
    PageCursor:
      type: string
      description: >-
        A marker or pointer, telling the API where to start fetching items for
        the subsequent page in a paginated dataset.

        Note that the requested page will not include the item that corresponds
        to this cursor but will start from the one immediately

        after this cursor.
    PaginatedResponse_Vendor_:
      properties:
        results:
          properties:
            data:
              items:
                $ref: '#/components/schemas/Vendor'
              type: array
            pageInfo:
              $ref: '#/components/schemas/PageInfo'
          required:
            - data
            - pageInfo
          type: object
      required:
        - results
      type: object
      additionalProperties: false
    Vendor:
      properties:
        id:
          type: string
          description: The vendor's unique ID.
        name:
          type: string
          description: The vendor's display name.
        websiteUrl:
          type: string
          nullable: true
          description: The vendor's website URL.
        accountManagerName:
          type: string
          nullable: true
          description: The vendor's external account manager name.
        accountManagerEmail:
          type: string
          nullable: true
          description: The vendor's external account manager email.
        servicesProvided:
          type: string
          nullable: true
          description: Services provided by the vendor.
        additionalNotes:
          type: string
          nullable: true
          description: Any additional notes about the vendor
        securityOwnerUserId:
          type: string
          nullable: true
          description: The vendor's security owner's Vanta user ID.
        businessOwnerUserId:
          type: string
          nullable: true
          description: The vendor's business owner's Vanta user ID.
        contractStartDate:
          type: string
          format: date-time
          nullable: true
          description: The date the contract with the vendor began.
        contractRenewalDate:
          type: string
          format: date-time
          nullable: true
          description: The date the contract with the vendor is up for renewal.
        contractTerminationDate:
          type: string
          format: date-time
          nullable: true
          description: The date the contract with the vendor was terminated.
        nextSecurityReviewDueDate:
          type: string
          format: date-time
          nullable: true
          description: The next due date for a security review.
        lastSecurityReviewCompletionDate:
          type: string
          format: date-time
          nullable: true
          description: The most recent date a security review was completed.
        isVisibleToAuditors:
          type: boolean
          nullable: true
          description: Whether or not auditors can view this vendor.
        isRiskAutoScored:
          type: boolean
          nullable: true
          description: Whether or not the vendor's risk is automatically scored.
        riskAttributeIds:
          items:
            type: string
          type: array
          description: The list of risk attribute IDs the vendor has been assigned to.
        category:
          properties:
            displayName:
              type: string
          required:
            - displayName
          type: object
          nullable: true
          description: The vendor's category.
        authDetails:
          properties:
            passwordMinimumLength:
              type: number
              format: double
              nullable: true
              description: >-
                Minimum number for chacters required for passwords for this
                vendor.
            passwordRequiresSymbol:
              type: boolean
              nullable: true
              description: Whether or not the vendor requires passwords to have a symbol.
            passwordRequiresNumber:
              type: boolean
              nullable: true
              description: Whether or not the vendor requires passwords to have a number.
            passwordMFA:
              type: boolean
              nullable: true
              description: >-
                Whether or not the vendor requires passwords to have multi
                factor authentication.
            method:
              allOf:
                - $ref: '#/components/schemas/VendorAuthenticationMethod'
              nullable: true
              description: The vendor's authentication method.
          required:
            - passwordMinimumLength
            - passwordRequiresSymbol
            - passwordRequiresNumber
            - passwordMFA
            - method
          type: object
          description: The vendor's authentication details.
        status:
          $ref: '#/components/schemas/VendorStatus'
          description: The vendor's current status.
        inherentRiskLevel:
          $ref: '#/components/schemas/VendorRiskLevel'
          description: The vendor's risk level.
        residualRiskLevel:
          $ref: '#/components/schemas/VendorRiskLevel'
          description: The vendor's residual risk level.
        vendorHeadquarters:
          allOf:
            - $ref: '#/components/schemas/CountryCode'
          nullable: true
          description: The vendor's headquarters.
        contractAmount:
          allOf:
            - $ref: '#/components/schemas/VendorContractAmount'
          nullable: true
          description: The contract amount for the vendor.
        customFields:
          items:
            $ref: '#/components/schemas/CustomField'
          type: array
          nullable: true
          description: The vendor's custom fields.
        latestDecision:
          allOf:
            - $ref: '#/components/schemas/VendorDecision'
          nullable: true
          description: >-
            The vendor's latest decision status. Null means no decision has been
            made.
        linkedTaskTrackerTaskProcurementRequest:
          properties:
            url:
              type: string
            service:
              type: string
          required:
            - url
            - service
          type: object
          nullable: true
          description: >-
            The task tracker procurement request associated with this vendor (if
            linked).
      required:
        - id
        - name
        - websiteUrl
        - accountManagerName
        - accountManagerEmail
        - servicesProvided
        - additionalNotes
        - securityOwnerUserId
        - businessOwnerUserId
        - contractStartDate
        - contractRenewalDate
        - contractTerminationDate
        - nextSecurityReviewDueDate
        - lastSecurityReviewCompletionDate
        - isVisibleToAuditors
        - isRiskAutoScored
        - riskAttributeIds
        - category
        - authDetails
        - status
        - inherentRiskLevel
        - residualRiskLevel
        - vendorHeadquarters
        - contractAmount
        - customFields
        - latestDecision
        - linkedTaskTrackerTaskProcurementRequest
      type: object
      additionalProperties: false
    PageInfo:
      description: Provides information about the pagination of a dataset.
      properties:
        endCursor:
          type: string
          nullable: true
          description: >-
            The cursor that points to the end of the current page, or null if
            there is no such cursor.
        hasNextPage:
          type: boolean
          description: Indicates if there is another page after the current page.
        hasPreviousPage:
          type: boolean
          description: Indicates if there is a page before the current page.
        startCursor:
          type: string
          nullable: true
          description: >-
            The cursor that points to the start of the current page, or null if
            there is no such cursor.
      required:
        - endCursor
        - hasNextPage
        - hasPreviousPage
        - startCursor
      type: object
      additionalProperties: false
    VendorAuthenticationMethod:
      description: >-
        The authentication method a vendor uses:

        - AUTH_0: The vendor authenticates using Auth0

        - AZURE_AD: The vendor authenticates using Azure Active Directory

        - G_SUITE: The vendor authenticates using Google Workspace

        - O_AUTH: The vendor authenticates using OAuth

        - O365: The vendor authenticates using Office 365

        - OKTA: The vendor authenticates using Okta

        - ONE_LOGIN: The vendor authenticates using OneLogin

        - OWA: The vendor authenticates using OWA

        - SSO: The vendor authenticates using SSO

        - USERNAME_PASSWORD: The vendor authenticates using usernames and
        passwords
      enum:
        - AUTH_0
        - AZURE_AD
        - GOOGLE_WORKSPACE
        - O_AUTH
        - O365
        - OKTA
        - ONE_LOGIN
        - OWA
        - SSO
        - USERNAME_PASSWORD
        - OTHER
      type: string
    VendorStatus:
      description: |-
        The current state of a vendor:
        - MANAGED: The vendor is actively managed.
        - ARCHIVED: The vendor has been archived
        - IN_PROCUREMENT: The vendor is in the procurement process
      enum:
        - MANAGED
        - ARCHIVED
        - IN_PROCUREMENT
      type: string
    VendorRiskLevel:
      description: |-
        The risk level of a vendor:
        - CRITICAL: The vendor has a critical security risk
        - HIGH: The vendor has a high security risk
        - MEDIUM: The vendor has a medium security risk
        - LOW: The vendor has a low security risk
        - UNSCORED: The vendor has not been given a risk level
      enum:
        - CRITICAL
        - HIGH
        - LOW
        - MEDIUM
        - UNSCORED
      type: string
    CountryCode:
      enum:
        - EUE
        - AND
        - ARE
        - AFG
        - ATG
        - AIA
        - ALB
        - ARM
        - AGO
        - ATA
        - ARG
        - ASM
        - AUT
        - AUS
        - ABW
        - ALA
        - AZE
        - BIH
        - BRB
        - BGD
        - BEL
        - BFA
        - BGR
        - BHR
        - BDI
        - BEN
        - BLM
        - BMU
        - BRN
        - BOL
        - BES
        - BRA
        - BHS
        - BTN
        - BVT
        - BWA
        - BLR
        - BLZ
        - CAN
        - CCK
        - COD
        - CAF
        - COG
        - CHE
        - CIV
        - COK
        - CHL
        - CMR
        - CHN
        - COL
        - CRI
        - CUB
        - CPV
        - CUW
        - CXR
        - CYP
        - CZE
        - DEU
        - DJI
        - DNK
        - DMA
        - DOM
        - DZA
        - ECU
        - EST
        - EGY
        - ESH
        - ERI
        - ESP
        - ETH
        - FIN
        - FJI
        - FLK
        - FSM
        - FRO
        - FRA
        - GAB
        - ENG
        - SCT
        - GBR
        - WAL
        - NIR
        - GRD
        - GEO
        - GUF
        - GGY
        - GHA
        - GIB
        - GRL
        - GMB
        - GIN
        - GLP
        - GNQ
        - GRC
        - SGS
        - GTM
        - GUM
        - GNB
        - GUY
        - HKG
        - HMD
        - HND
        - HRV
        - HTI
        - HUN
        - IDN
        - IRL
        - ISR
        - IMN
        - IND
        - IOT
        - IRQ
        - IRN
        - ISL
        - ITA
        - JEY
        - JAM
        - JOR
        - JPN
        - KEN
        - KGZ
        - KHM
        - KIR
        - COM
        - KNA
        - PRK
        - KOR
        - KWT
        - CYM
        - KAZ
        - LAO
        - LBN
        - LCA
        - LIE
        - LKA
        - LBR
        - LSO
        - LTU
        - LUX
        - LVA
        - LBY
        - MAR
        - MCO
        - MDA
        - MNE
        - MAF
        - MDG
        - MHL
        - MKD
        - MLI
        - MMR
        - MNG
        - MAC
        - MNP
        - MTQ
        - MRT
        - MSR
        - MLT
        - MUS
        - MDV
        - MWI
        - MEX
        - MYS
        - MOZ
        - NAM
        - NCL
        - NER
        - NFK
        - NGA
        - NIC
        - NLD
        - NOR
        - NPL
        - NRU
        - NIU
        - NZL
        - OMN
        - PAN
        - PER
        - PYF
        - PNG
        - PHL
        - PAK
        - POL
        - SPM
        - PCN
        - PRI
        - PSE
        - PRT
        - PLW
        - PRY
        - QAT
        - REU
        - ROU
        - SRB
        - RUS
        - RWA
        - SAU
        - SLB
        - SYC
        - SDN
        - SWE
        - SGP
        - SHN
        - SVN
        - SJM
        - SVK
        - SLE
        - SMR
        - SEN
        - SOM
        - SUR
        - SSD
        - STP
        - SLV
        - SXM
        - SYR
        - SWZ
        - TCA
        - TCD
        - ATF
        - TGO
        - THA
        - TJK
        - TKL
        - TLS
        - TKM
        - TUN
        - TON
        - TUR
        - TTO
        - TUV
        - TWN
        - TZA
        - UKR
        - UGA
        - UMI
        - USA
        - URY
        - UZB
        - VAT
        - VCT
        - VEN
        - VGB
        - VIR
        - VNM
        - VUT
        - WLF
        - WSM
        - YEM
        - MYT
        - ZAF
        - ZMB
        - ZWE
      type: string
    VendorContractAmount:
      properties:
        amount:
          type: number
          format: double
          description: The amount of the contract.
        currency:
          $ref: '#/components/schemas/CurrencyCode'
          description: The currency of the contract.
      required:
        - amount
        - currency
      type: object
      additionalProperties: false
    CustomField:
      properties:
        label:
          type: string
        value:
          anyOf:
            - type: string
            - items:
                type: string
              type: array
      required:
        - label
        - value
      type: object
      additionalProperties: false
    VendorDecision:
      description: The decision for a vendor.
      properties:
        status:
          $ref: '#/components/schemas/VendorDecisionStatus'
        lastUpdatedAt:
          type: string
          format: date-time
      required:
        - status
        - lastUpdatedAt
      type: object
      additionalProperties: false
    CurrencyCode:
      enum:
        - ARS
        - AUD
        - BRL
        - CAD
        - COP
        - CZK
        - DKK
        - EUR
        - GBP
        - ILS
        - INR
        - JPY
        - MXN
        - NOK
        - NZD
        - PHP
        - PKR
        - PLN
        - RSD
        - SEK
        - SGD
        - UAH
        - USD
        - ZAR
      type: string
    VendorDecisionStatus:
      enum:
        - APPROVED
        - CONDITIONALLY_APPROVED
        - NOT_APPROVED
      type: string
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer

````