> ## Documentation Index
> Fetch the complete documentation index at: https://developer.vanta.com/llms.txt
> Use this file to discover all available pages before exploring further.

# List vulnerabilities within the scope of a given audit

> List all vulnerabilities based on selected filters.

End of life — this endpoint works for classic audits only; it does not support
controlled audit view. It remains available for existing classic audits but will be removed once
classic audits are fully phased out, so do not build new integrations on it.

Rate limit: 10 requests / minute.



## OpenAPI

````yaml https://spec.speakeasy.com/vanta/vanta/conduct-an-audit-with-code-samples get /audits/{auditId}/vulnerabilities
openapi: 3.0.0
info:
  title: Conduct an audit
  version: 1.0.0
  description: >-
    The Auditor API lets audit firms conduct audits from a tool outside of
    Vanta. Unlock data syncing with Vanta through this API.


    **Note for Vanta Gov (FedRAMP) customers:** Select `Vanta Gov (FedRAMP)`
    from the server dropdown to issue requests against
    `https://api.vanta-gov.com`. The OAuth token URL shown below defaults to the
    commercial host — replace it with `https://api.vanta-gov.com/oauth/token`.
  termsOfService: https://www.vanta.com/terms
  license:
    name: UNLICENSED
  contact:
    name: API Support
    url: https://help.vanta.com/
    email: support@vanta.com
servers:
  - url: https://api.vanta.com/v1
    description: US Region API
  - url: https://api.vanta-gov.com/v1
    description: Vanta Gov (FedRAMP)
security: []
paths:
  /audits/{auditId}/vulnerabilities:
    get:
      tags:
        - Audits
      summary: List vulnerabilities within the scope of a given audit
      description: >-
        List all vulnerabilities based on selected filters.


        End of life — this endpoint works for classic audits only; it does not
        support

        controlled audit view. It remains available for existing classic audits
        but will be removed once

        classic audits are fully phased out, so do not build new integrations on
        it.


        Rate limit: 10 requests / minute.
      operationId: ListVulnerabilities
      parameters:
        - in: path
          name: auditId
          required: true
          schema:
            type: string
        - description: Filter vulnerabilities by search query
          in: query
          name: query
          required: false
          schema:
            type: string
        - in: query
          name: pageSize
          required: false
          schema:
            $ref: '#/components/schemas/PageSize'
        - in: query
          name: pageCursor
          required: false
          schema:
            $ref: '#/components/schemas/PageCursor'
        - description: Filter vulnerabilities by deactivation status.
          in: query
          name: isDeactivated
          required: false
          schema:
            type: boolean
        - description: Filter vulnerabilities based on a specific external ID.
          in: query
          name: externalVulnerabilityId
          required: false
          schema:
            type: string
        - description: Filter vulnerabilities that have an available fix.
          in: query
          name: isFixAvailable
          required: false
          schema:
            type: boolean
        - description: Filter vulnerabilities that are from a specific package.
          in: query
          name: packageIdentifier
          required: false
          schema:
            type: string
        - description: Filter vulnerabilities with a fix due after a specific timestamp
          in: query
          name: slaDeadlineAfterDate
          required: false
          schema:
            type: string
            format: date-time
        - description: Filter vulnerabilities with a fix due before a specific timestamp
          in: query
          name: slaDeadlineBeforeDate
          required: false
          schema:
            type: string
            format: date-time
        - description: |-
            Filter vulnerabilities by severity.
            Possible values: CRITICAL, HIGH, MEDIUM, LOW.
          in: query
          name: severity
          required: false
          schema:
            $ref: '#/components/schemas/ExternalFindingSeverity'
        - description: >-
            Filter vulnerabilities by the vulnerability scanner that detected
            them.
          in: query
          name: integrationId
          required: false
          schema:
            type: string
        - description: Filter vulnerabilities without an SLA due date.
          in: query
          name: includeVulnerabilitiesWithoutSlas
          required: false
          schema:
            type: boolean
        - description: Filter vulnerabilities by a specific asset ID.
          in: query
          name: vulnerableAssetId
          required: false
          schema:
            type: string
      responses:
        '200':
          description: Ok
          content:
            application/json:
              schema:
                $ref: >-
                  #/components/schemas/PaginatedResponse_AuditorApiVulnerability_
              examples:
                Example 1:
                  value:
                    results:
                      pageInfo:
                        hasNextPage: true
                        hasPreviousPage: false
                        startCursor: YXJyYXljb25uZWN0aW9uOjA=
                        endCursor: YXJyYXljb25uZWN0aW9uOjE=
                      data:
                        - id: a2f7e1b9d0c3f4e5a6c7b8d9
                          name: CVE-2021-12345
                          description: >-
                            MariaDB before 10.6.2 allows an application crash
                            because of mishandling of a pushdown from a HAVING
                            clause to a WHERE clause.
                          integrationId: Inspector
                          packageIdentifier: package
                          vulnerabilityType: COMMON
                          targetId: targetId
                          firstDetectedDate: '2021-01-01T00:00:00.000Z'
                          sourceDetectedDate: '2021-01-01T00:00:00.000Z'
                          lastDetectedDate: '2021-01-01T00:00:00.000Z'
                          severity: CRITICAL
                          cvssSeverityScore: 9.8
                          scannerScore: 100
                          isFixable: true
                          remediateByDate: '2021-01-01T00:00:00.000Z'
                          relatedVulns:
                            - CVE-2021-12345
                          relatedUrls:
                            - >-
                              https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-12345
                          externalURL: >-
                            https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-12345
                          scanSource: Not provided
                          deactivateMetadata:
                            deactivatedBy: b2f7e1b9d0c3f4e5a6c7b123
                            deactivatedOnDate: '2021-01-01T00:00:00.000Z'
                            deactivationReason: fix is too hard to carry out
                            deactivatedUntilDate: null
                            isVulnDeactivatedIndefinitely: true
      deprecated: true
      security:
        - bearerAuth: []
components:
  schemas:
    PageSize:
      type: integer
      format: int32
      default: 10
      description: >-
        Controls the maximum number of items returned in one response from the
        API.
      minimum: 1
      maximum: 100
    PageCursor:
      type: string
      description: >-
        A marker or pointer, telling the API where to start fetching items for
        the subsequent page in a paginated dataset.

        Note that the requested page will not include the item that corresponds
        to this cursor but will start from the one immediately

        after this cursor.
    ExternalFindingSeverity:
      description: >-
        ExternalFindingSeverity describes the severity of an external finding
        (Vulnerability or Security Alert)
      enum:
        - CRITICAL
        - HIGH
        - LOW
        - MEDIUM
      type: string
    PaginatedResponse_AuditorApiVulnerability_:
      properties:
        results:
          properties:
            data:
              items:
                $ref: '#/components/schemas/AuditorApiVulnerability'
              type: array
            pageInfo:
              $ref: '#/components/schemas/PageInfo'
          required:
            - data
            - pageInfo
          type: object
      required:
        - results
      type: object
      additionalProperties: false
    AuditorApiVulnerability:
      properties:
        id:
          type: string
          description: Unique identifier for the vulnerability.
        name:
          type: string
          description: Display name of the vulnerability.
        description:
          type: string
          description: Description of the vulnerability.
        integrationId:
          type: string
          description: Integration that the vulnerability is scanned by.
        packageIdentifier:
          type: string
          nullable: true
          description: |-
            Identifier for the package that the vulnerability is found on.
            Only relevant to vulnerabilities of type COMMON or GROUPED.
        vulnerabilityType:
          $ref: '#/components/schemas/VulnerabilityType'
          description: |-
            Type of the vulnerability.
            Possible values: CONFIGURATION, COMMON, GROUPED.
        targetId:
          type: string
          description: >-
            Unique identifier for the underlying resource that the vulnerability
            is found on.
        firstDetectedDate:
          type: string
          format: date-time
          description: Date when the vulnerability was first detected by Vanta.
        sourceDetectedDate:
          type: string
          format: date-time
          nullable: true
          description: Date when the vulnerability was first detected by the source.
        lastDetectedDate:
          type: string
          format: date-time
          nullable: true
          description: Date when the vulnerability was last detected.
        severity:
          $ref: '#/components/schemas/ExternalFindingSeverityType'
          description: |-
            Severity of the vulnerability.
            Possible values: LOW, MEDIUM, HIGH, CRITICAL.
        cvssSeverityScore:
          type: number
          format: double
          nullable: true
          description: CVSS severity score of the vulnerability.
        scannerScore:
          type: number
          format: double
          nullable: true
          description: Scanner score of the vulnerability.
        isFixable:
          type: boolean
          description: Whether the vulnerability is fixable.
        remediateByDate:
          type: string
          format: date-time
          nullable: true
          description: Date when the vulnerability should be remediated by.
        relatedVulns:
          items:
            type: string
          type: array
          description: |-
            Related vulnerabilities.
            Only relevant to vulnerabilities of type GROUPED.
        relatedUrls:
          items:
            type: string
          type: array
          description: Related URLs.
        externalURL:
          type: string
          description: External URL for the vulnerability.
        scanSource:
          type: string
          description: Scanning tool that detected the vulnerability
        deactivateMetadata:
          properties:
            isVulnDeactivatedIndefinitely:
              type: boolean
              description: Whether the vulnerability is deactivated indefinitely.
            deactivatedUntilDate:
              type: string
              format: date-time
              nullable: true
              description: Date when the vulnerability will be reactivated.
            deactivationReason:
              type: string
              description: Reason for deactivating the vulnerability.
            deactivatedOnDate:
              type: string
              format: date-time
              description: Date when the vulnerability was deactivated.
            deactivatedBy:
              type: string
              description: Identifier of the user who deactivated the vulnerability.
          required:
            - isVulnDeactivatedIndefinitely
            - deactivatedUntilDate
            - deactivationReason
            - deactivatedOnDate
            - deactivatedBy
          type: object
          nullable: true
          description: Metadata for the deactivation of the vulnerability.
      required:
        - id
        - name
        - description
        - integrationId
        - packageIdentifier
        - vulnerabilityType
        - targetId
        - firstDetectedDate
        - sourceDetectedDate
        - lastDetectedDate
        - severity
        - cvssSeverityScore
        - scannerScore
        - isFixable
        - remediateByDate
        - relatedVulns
        - relatedUrls
        - externalURL
        - deactivateMetadata
      type: object
      additionalProperties: false
    PageInfo:
      description: Provides information about the pagination of a dataset.
      properties:
        endCursor:
          type: string
          nullable: true
          description: >-
            The cursor that points to the end of the current page, or null if
            there is no such cursor.
        hasNextPage:
          type: boolean
          description: Indicates if there is another page after the current page.
        hasPreviousPage:
          type: boolean
          description: Indicates if there is a page before the current page.
        startCursor:
          type: string
          nullable: true
          description: >-
            The cursor that points to the start of the current page, or null if
            there is no such cursor.
      required:
        - endCursor
        - hasNextPage
        - hasPreviousPage
        - startCursor
      type: object
      additionalProperties: false
    VulnerabilityType:
      type: string
      enum:
        - CONFIGURATION
        - COMMON
        - GROUPED
    ExternalFindingSeverityType:
      type: string
      enum:
        - CRITICAL
        - HIGH
        - LOW
        - MEDIUM
      nullable: false
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer

````