> ## Documentation Index
> Fetch the complete documentation index at: https://developer.vanta.com/llms.txt
> Use this file to discover all available pages before exploring further.

# List vendors for an audit

> Retrieves vendor population data for an audit.

This endpoint provides access to vendor records visible to auditors
during an audit engagement.

Supports filtering by:
- `search`: Searches vendor names (case-insensitive)
- `vendorStatusesMatchesAny`: Filters by vendor status (ACTIVE, ARCHIVED, IN_PROCUREMENT)
- `inherentRiskMatchesAny`: Filters by inherent risk level

Results are sorted by name (ascending) by default.
Use `orderBy` and `orderDirection` to customize sorting.
Sort parameters must remain consistent across paginated requests.

Uses cursor-based pagination. To paginate:
1. Make initial request with desired `pageSize`
2. Check `results.pageInfo.hasNextPage`
3. Use `results.pageInfo.endCursor` as `pageCursor` for next request

Rate limit: 10 requests / minute.



## OpenAPI

````yaml https://spec.speakeasy.com/vanta/vanta/conduct-an-audit-with-code-samples get /audits/{auditId}/managed-vendors
openapi: 3.0.0
info:
  title: Conduct an audit
  version: 1.0.0
  description: >-
    The Auditor API lets audit firms conduct audits from a tool outside of
    Vanta. Unlock data syncing with Vanta through this API.


    **Note for Vanta Gov (FedRAMP) customers:** Select `Vanta Gov (FedRAMP)`
    from the server dropdown to issue requests against
    `https://api.vanta-gov.com`. The OAuth token URL shown below defaults to the
    commercial host — replace it with `https://api.vanta-gov.com/oauth/token`.
  termsOfService: https://www.vanta.com/terms
  license:
    name: UNLICENSED
  contact:
    name: API Support
    url: https://help.vanta.com/
    email: support@vanta.com
servers:
  - url: https://api.vanta.com/v1
    description: US Region API
  - url: https://api.vanta-gov.com/v1
    description: Vanta Gov (FedRAMP)
security: []
paths:
  /audits/{auditId}/managed-vendors:
    get:
      tags:
        - Audits
      summary: List vendors for an audit
      description: >-
        Retrieves vendor population data for an audit.


        This endpoint provides access to vendor records visible to auditors

        during an audit engagement.


        Supports filtering by:

        - `search`: Searches vendor names (case-insensitive)

        - `vendorStatusesMatchesAny`: Filters by vendor status (ACTIVE,
        ARCHIVED, IN_PROCUREMENT)

        - `inherentRiskMatchesAny`: Filters by inherent risk level


        Results are sorted by name (ascending) by default.

        Use `orderBy` and `orderDirection` to customize sorting.

        Sort parameters must remain consistent across paginated requests.


        Uses cursor-based pagination. To paginate:

        1. Make initial request with desired `pageSize`

        2. Check `results.pageInfo.hasNextPage`

        3. Use `results.pageInfo.endCursor` as `pageCursor` for next request


        Rate limit: 10 requests / minute.
      operationId: ListVendors
      parameters:
        - description: The audit ID
          in: path
          name: auditId
          required: true
          schema:
            type: string
        - description: Maximum number of results per page (1-100, default 10)
          in: query
          name: pageSize
          required: false
          schema:
            $ref: '#/components/schemas/PageSize'
        - description: Pagination cursor from previous response
          in: query
          name: pageCursor
          required: false
          schema:
            $ref: '#/components/schemas/PageCursor'
        - description: Search term for filtering by vendor name
          in: query
          name: search
          required: false
          schema:
            type: string
        - description: Filter vendors by status values
          in: query
          name: vendorStatusesMatchesAny
          required: false
          schema:
            type: array
            items:
              $ref: '#/components/schemas/AuditVendorStatus'
        - description: Filter vendors by inherent risk level values
          in: query
          name: inherentRiskMatchesAny
          required: false
          schema:
            type: array
            items:
              $ref: '#/components/schemas/AuditVendorRiskLevel'
        - description: >-
            Field to sort results by. Allowed: "name", "inherentRisk". Default:
            "name"
          in: query
          name: orderBy
          required: false
          schema:
            $ref: '#/components/schemas/VendorOrderBy'
        - description: 'Sort direction: "asc" or "desc". Default: "asc"'
          in: query
          name: orderDirection
          required: false
          schema:
            $ref: '#/components/schemas/OrderDirection'
      responses:
        '200':
          description: Paginated list of vendors with pagination metadata
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PaginatedResponse_AuditVendor_'
              examples:
                Example 1:
                  value:
                    results:
                      pageInfo:
                        hasNextPage: true
                        hasPreviousPage: false
                        startCursor: 5f2c939a52855e725c8d5824
                        endCursor: 5f2c939a52855e725c8d5824
                      data:
                        - id: 5f2c939a52855e725c8d5824
                          name: Acme Corp
                          vendorCategory: SaaS
                          inherentRisk: HIGH
                          status: ACTIVE
                          findings: 3
                          lastReviewedCompleted: '2025-01-15T10:00:00.000Z'
                          nextSecurityReviewDueDate: '2025-07-15T10:00:00.000Z'
                          residualRisk: HIGH
                          dataAgreements:
                            complete: 1
                            total: 2
      security:
        - bearerAuth: []
      x-codeSamples:
        - lang: typescript
          label: ListVendors
          source: |-
            import { Vanta } from "vanta-auditor-api-sdk";

            const vanta = new Vanta({
              bearerAuth: process.env["VANTA_BEARER_AUTH"] ?? "",
            });

            async function run() {
              const result = await vanta.audits.listVendors({
                auditId: "<id>",
              });

              console.log(result);
            }

            run();
        - lang: java
          label: ListVendors
          source: >-
            package hello.world;


            import com.vanta.vanta_auditor_api.Vanta;

            import
            com.vanta.vanta_auditor_api.models.operations.ListVendorsRequest;

            import
            com.vanta.vanta_auditor_api.models.operations.ListVendorsResponse;

            import java.lang.Exception;


            public class Application {

                public static void main(String[] args) throws Exception {

                    Vanta sdk = Vanta.builder()
                            .bearerAuth(System.getenv().getOrDefault("BEARER_AUTH", ""))
                        .build();

                    ListVendorsRequest req = ListVendorsRequest.builder()
                            .auditId("<id>")
                            .build();

                    ListVendorsResponse res = sdk.audits().listVendors()
                            .request(req)
                            .call();

                    if (res.paginatedResponseAuditVendor().isPresent()) {
                        System.out.println(res.paginatedResponseAuditVendor().get());
                    }
                }
            }
components:
  schemas:
    PageSize:
      type: integer
      format: int32
      default: 10
      description: >-
        Controls the maximum number of items returned in one response from the
        API.
      minimum: 1
      maximum: 100
    PageCursor:
      type: string
      description: >-
        A marker or pointer, telling the API where to start fetching items for
        the subsequent page in a paginated dataset.

        Note that the requested page will not include the item that corresponds
        to this cursor but will start from the one immediately

        after this cursor.
    AuditVendorStatus:
      type: string
      enum:
        - ACTIVE
        - ARCHIVED
        - IN_PROCUREMENT
    AuditVendorRiskLevel:
      type: string
      enum:
        - CRITICAL
        - HIGH
        - MEDIUM
        - LOW
        - UNSCORED
    VendorOrderBy:
      type: string
      enum:
        - name
        - inherentRisk
    OrderDirection:
      type: string
      enum:
        - asc
        - desc
      description: >-
        Sort direction shared across the external REST API surface.


        `"asc"` for ascending, `"desc"` for descending. Endpoints expose this as
        the

        `orderDirection` / `sortDirection` query parameter and map it onto
        whatever

        internal direction representation the underlying service expects.
    PaginatedResponse_AuditVendor_:
      properties:
        results:
          properties:
            data:
              items:
                $ref: '#/components/schemas/AuditVendor'
              type: array
            pageInfo:
              $ref: '#/components/schemas/PageInfo'
          required:
            - data
            - pageInfo
          type: object
      required:
        - results
      type: object
      additionalProperties: false
    AuditVendor:
      description: >-
        Managed vendor row returned by the auditor managed-vendors API.


        Only `id` and `name` are required. All other fields are optional to
        support

        controlled audits where only approved columns are returned and

        customizable field visibility.
      properties:
        id:
          type: string
          description: Vendor record ID.
          example: 5f2c939a52855e725c8d5824
        name:
          type: string
          description: Vendor name.
          example: Acme Corp
        inherentRisk:
          $ref: '#/components/schemas/AuditVendorRiskLevel'
          description: Inherent risk level of the vendor.
          example: HIGH
        status:
          $ref: '#/components/schemas/AuditVendorStatus'
          description: Vendor status.
          example: ACTIVE
        findings:
          type: number
          format: double
          description: Number of findings associated with the vendor.
          example: 3
        lastReviewedCompleted:
          type: string
          format: date-time
          nullable: true
          description: Date when the last security review was completed, or null if none.
          example: '2025-01-15T10:00:00.000Z'
        nextSecurityReviewDueDate:
          type: string
          format: date-time
          nullable: true
          description: Date when the next security review is due, or null if not scheduled.
          example: '2025-07-15T10:00:00.000Z'
        vendorCategory:
          type: string
          nullable: true
          description: Vendor category (e.g. cloud provider, SaaS).
          example: cloudProvider
        residualRisk:
          allOf:
            - $ref: '#/components/schemas/AuditVendorRiskLevel'
          nullable: true
          description: |-
            Residual risk level of the vendor.
            Full Audit View only - omitted in Controlled Audit View.
          example: HIGH
        dataAgreements:
          properties:
            total:
              type: number
              format: double
            complete:
              type: number
              format: double
          required:
            - total
            - complete
          type: object
          nullable: true
          description: >-
            BAA/DPA document completion counts, or null if no such documents are
            required.

            Full Audit View only - omitted in Controlled Audit View.
      required:
        - id
        - name
      type: object
      additionalProperties: false
    PageInfo:
      description: Provides information about the pagination of a dataset.
      properties:
        endCursor:
          type: string
          nullable: true
          description: >-
            The cursor that points to the end of the current page, or null if
            there is no such cursor.
        hasNextPage:
          type: boolean
          description: Indicates if there is another page after the current page.
        hasPreviousPage:
          type: boolean
          description: Indicates if there is a page before the current page.
        startCursor:
          type: string
          nullable: true
          description: >-
            The cursor that points to the start of the current page, or null if
            there is no such cursor.
      required:
        - endCursor
        - hasNextPage
        - hasPreviousPage
        - startCursor
      type: object
      additionalProperties: false
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer

````