Remediate a failing test with the Vanta MCP - Vanta Developer Hub

Connect an AI tool to the Vanta MCP server, list your failing compliance tests, and ask it to generate a remediation plan with a suggested code change. With the Claude Code Vanta plugin, you can take it further and open a draft pull request with the fix if you’re using infrastructure as code (IaC).

Before you begin

A Vanta account with admin access.
One of: Claude Code, Cursor, Codex (Desktop or CLI), or Perplexity.
At least one Vanta integration connected — ideally a Cloud Provider (AWS, GCP, or Azure) for failing resources and a Version Control (GitHub, GitLab, or Bitbucket) for the IaC that manages them.

1

Connect your AI tool to the Vanta MCP server

Vanta hosts a separate MCP server per region — use the URL that matches your instance:

Region	MCP URL
United States	`https://mcp.vanta.com/mcp`
Europe	`https://mcp.eu.vanta.com/mcp`
Australia	`https://mcp.aus.vanta.com/mcp`

The examples below use the US URL — swap for your region if needed.

Recommended: Includes the MCP server and two custom skills /vanta:list-tests and /vanta:fix-test slash commands and the PR-opening skill.

In Claude Code, run these in order:

/plugin marketplace update anthropics/claude-plugins-official
/plugin install vanta-mcp-plugin@claude-plugins-official
/reload-plugins

Then run /mcp, select Vanta, pick your region, and click Allow to finish OAuth.

Don't see 'Vanta' in the /mcp list?

Run /reload-plugins again and wait a few seconds. If it still doesn’t appear, re-run the install command.

The OAuth page didn't open?

Open the authorization URL printed in the terminal yourself. If it’s expired, run /mcp → Vanta → Reconnect.

You get every MCP tool but no /vanta:* skills including PR generation.

claude mcp add --transport http vanta https://mcp.vanta.com/mcp

Then run /mcp, select vanta, and click Allow.

You get every MCP tool but no /vanta:* skills including PR generation.

Open Settings → Tools & MCP → Add custom MCP.

Paste:

{
  "mcpServers": {
    "vanta": {
      "url": "https://mcp.vanta.com/mcp"
    }
  }
}

Save, then click Allow when Cursor opens the OAuth flow.

You get every MCP tool but no /vanta:* skills including PR generation.

Settings → MCP servers → Add server.
Name: Vanta, Type: Streamable HTTP, URL: https://mcp.vanta.com/mcp.
Save, then click Authenticate and Allow.

You get every MCP tool but no /vanta:* skills including PR generation.

Shares config with Codex Desktop.

codex mcp add vanta --url https://mcp.vanta.com/mcp
codex mcp login vanta

Click Allow in the browser, then confirm with codex mcp list.

You get every MCP tool but no /vanta:* skills including PR generation.

Add a remote custom connector.
URL: https://mcp.vanta.com/mcp (or your regional endpoint).
Authentication: OAuth → click Allow.

Perplexity has no repository or shell access, so it usually returns a console-first plan and generic Terraform / CloudFormation snippets you can paste into a ticket.

2

List your highest-priority failing tests

In your tool’s chat, ask:

Show me the highest-priority failing Vanta tests relevant to this repository.

In the Claude Code plugin, you can run /vanta:list-tests instead. In Perplexity (no repo context), replace “relevant to this repository” with “ranked by severity” — and optionally paste your stack (“we run on AWS + GitHub Actions”) to bias results.

Found 12 failing tests. Top 5 for this repository:

1. GitHub repos should require pull request reviews before merging
   Test ID: github-repo-require-pr-reviews   |  Severity: HIGH

2. AWS S3 buckets should have server-side encryption enabled
   Test ID: aws-s3-bucket-server-side-encryption-enabled   |  Severity: HIGH

3. AWS IAM password policy should require minimum length of 14
   Test ID: aws-iam-password-policy-minimum-length   |  Severity: MEDIUM

Pick a HIGH-severity test ID to use in the next step.

0 failing tests returned?

Either everything’s passing, or your OAuth token expired. Re-authorize: /mcp → Vanta → Reconnect (Claude Code), re-trigger OAuth in Cursor or Perplexity settings, click Authenticate in Codex Desktop, or run codex mcp login vanta.

Tests unrelated to my codebase?

Re-open the right project before re-running the prompt. If your repo doesn’t contain any IaC (or you’re in Perplexity), the assistant falls back to severity ranking — paste your stack to bias results.

3

Inspect the failing resources for one test

Ask which specific resources are failing the test you picked:

Show me which specific resources are failing the "TEST ID" test.

Replace TEST ID with the ID from Step 2. Example output for github-repo-require-pr-reviews:

4 resources failing:

• my-company/web-app        — No branch protection rule on `main`
• my-company/api-server     — Branch protection does not require PR reviews
• my-company/infra          — Branch protection requires 0 reviewers
• my-company/data-pipeline  — No branch protection rule on `main`

You now know exactly what to fix.

I see resources I don't recognize?

Check the integration field (GitHub org, AWS account ID, GCP project, etc.). If your company has multiple orgs or cloud accounts, focus on the one you own.

4

Generate a remediation plan

Ask for the fix:

Generate a remediation plan for the "TEST ID" test. Include console steps,
CLI commands, and a Terraform / CloudFormation / CDK snippet I can adapt.

In the Claude Code plugin, run /vanta:fix-test TEST ID — it also scans your repo for matching IaC files and unlocks the optional PR step below.

The assistant pulls the failing resources from Vanta and returns a multi-option plan — typically a CLI command for the fastest fix, console steps for environments where the resource isn’t managed by IaC, and an IaC snippet you can commit to prevent recurrence:

Failing resources (4): web-app, api-server, infra, data-pipeline

Option A — gh CLI (fastest)
  gh api -X PUT repos/my-company/web-app/branches/main/protection \
    -F required_pull_request_reviews.required_approving_review_count=1 \
    -F enforce_admins=true \
    -F required_status_checks=null \
    -F restrictions=null
  (repeat for api-server, infra, data-pipeline)

Option B — GitHub UI
  For each repo: Settings → Branches → Add branch protection rule →
  pattern `main` → "Require a pull request before merging" → approvals: 1.

Option C — Terraform (prevents recurrence)
  resource "github_branch_protection" "web_app_main" {
    repository_id = github_repository.web_app.node_id
    pattern       = "main"
    required_pull_request_reviews {
      required_approving_review_count = 1
    }
  }

Vanta will re-evaluate on its next sync (within 24 hours).

The assistant won’t run CLI commands that mutate live resources on its own — it’ll surface them and ask first. Pick the option that fits your environment and apply it.

5

(Optional) Open a draft pull request

This step applies only if using the Claude Code Vanta plugin.

This step assumes the failing resource is managed by IaC in a repo connected as a Vanta Version Control integration (GitHub, GitLab, or Bitbucket), the repo is open locally, and Claude has push access. If that’s true, ask:

Open a draft pull request with the IaC changes from this plan.

The plugin matches your existing module structure, generates a minimal diff, and opens a draft PR against your current branch:

Opened draft PR #47: "fix: require PR reviews on 4 repos
(Vanta github-repo-require-pr-reviews)"
https://github.com/my-company/infra/pull/47

Review the diff before marking it ready — spot-check variable references and backend state.

My resources aren't in code?

Stick with the plan from Step 4 — run the CLI, apply the UI steps, or hand it to the team that owns the resource.

Plugin couldn't find Terraform files?

It searches .tf files in the root and common subfolders (infra/, terraform/, ops/). Point it elsewhere: “The Terraform files are in platform/infra/aws/.”

Plugin couldn't find the failing resource in this repo?

The resource probably lives in a different account / project / repo. Use Step 4’s CLI or UI option instead, or re-run from inside the repo that manages it.

I use CloudFormation or CDK, not Terraform?

The plugin supports all three. Tell it which framework you use and it’ll adjust the diff.

6

Verify the fix

Once you’ve applied the fix (PR merged, CLI run, console steps done, or ticket handed off), ask:

What is the current status of the "TEST ID" test in Vanta?

Vanta re-evaluates tests on its next sync, usually within 24 hours. If it still shows as failing, wait for the next sync or trigger one from the Vanta dashboard.

Congratulations

You’re connected to the Vanta MCP server and you’ve used it to surface failing tests, inspect failing resources, and generate a remediation plan — with an optional draft PR if you’re using the Claude Code plugin. From here:

Remediate more tests — re-run Step 2 (or /vanta:list-tests) and repeat the flow.
Explore other compliance data — ask your assistant about controls, vendors, vulnerabilities, or frameworks in plain English.
Learn more about the MCP — see the Vanta MCP server reference.

More things to try

Review your SOC 2 control coverage

Show me my SOC 2 controls, how many are complete versus in progress,
and which controls have the most failing tests.

Triage a vulnerability by severity

List every CRITICAL vulnerability whose remediation deadline is in the
next 30 days, and tell me which ones are already assigned.

Find tests failing across multiple frameworks

Which failing tests are mapped to both SOC 2 and ISO 27001? Show me the
failing resource count for each.

Check who owns a control

Who owns the "Encryption at rest" control, and which automated tests
validate it?

Next steps

Vanta MCP server

Full reference for connecting MCP clients to Vanta.

Query failing tests via API

Pull test results programmatically — useful for CI and dashboards.

Triage vulnerabilities

Surface vulnerable assets with approaching SLA deadlines.

Manage Vanta via API

Get an API token and automate your Vanta account with code.

Assign a control ownerMake a specific Vanta user accountable for a framework control's compliance status, using the Manage Vanta API.

⌘I