> ## Documentation Index
> Fetch the complete documentation index at: https://developer.vanta.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Remediate a failing test with the Vanta MCP

> Connect Claude Code, Codex, Cursor, or Perplexity to the Vanta MCP server, surface failing tests, and generate a remediation plan for one.

export const EstimatedTime = ({time, icon = "clock"}) => <div className="vanta-estimated-time" style={{
  display: "inline-flex",
  alignItems: "center",
  gap: "0.5rem",
  padding: "0.35rem 0.75rem",
  marginBottom: "1rem",
  borderRadius: "9999px",
  background: "color-mix(in srgb, #5E05C4 10%, transparent)",
  border: "1px solid color-mix(in srgb, #5E05C4 25%, transparent)",
  fontSize: "0.8125rem",
  fontWeight: 500,
  lineHeight: 1,
  color: "#5E05C4",
  whiteSpace: "nowrap"
}}>
    <Icon icon={icon} iconType="regular" size={14} color="#5E05C4" />
    <span>Estimated time: {time}</span>
  </div>;

<EstimatedTime time="15 minutes" />

Connect an AI tool to the [Vanta MCP server](/docs/vanta-mcp), list your failing compliance tests, and ask it to generate a remediation plan with a suggested code change. With the **Claude Code Vanta plugin**, you can take it further and open a draft pull request with the fix if you're using infrastructure as code (IaC).

## Before you begin

* A Vanta account with admin access.
* One of: [Claude Code](https://claude.ai/download), [Cursor](https://cursor.com/download), [Codex](https://developers.openai.com/codex) (Desktop or CLI), or [Perplexity](https://www.perplexity.ai/).
* At least one Vanta integration connected — ideally a **Cloud Provider** (AWS, GCP, or Azure) for failing resources and a **Version Control** (GitHub, GitLab, or Bitbucket) for the IaC that manages them.

<Steps titleSize="h3">
  <Step title="Connect your AI tool to the Vanta MCP server">
    Vanta hosts a separate MCP server per region — use the URL that matches your instance:

    | Region        | MCP URL                         |
    | ------------- | ------------------------------- |
    | United States | `https://mcp.vanta.com/mcp`     |
    | Europe        | `https://mcp.eu.vanta.com/mcp`  |
    | Australia     | `https://mcp.aus.vanta.com/mcp` |

    The examples below use the US URL — swap for your region if needed.

    <Tabs>
      <Tab title="Claude Code (plugin)">
        <Tip>
          **Recommended:** Includes the MCP server, the `/vanta:list-tests` and `/vanta:fix-test` slash commands, and the PR-opening skill.
        </Tip>

        In Claude Code, run these in order:

        ```bash theme={"system"}
        /plugin marketplace update anthropics/claude-plugins-official
        /plugin install vanta-mcp-plugin@claude-plugins-official
        /reload-plugins
        ```

        Then run `/mcp`, select **Vanta**, pick your region, and click **Allow** to finish OAuth.

        <AccordionGroup>
          <Accordion title="Don't see 'Vanta' in the /mcp list?">
            Run `/reload-plugins` again and wait a few seconds. If it still doesn't appear, re-run the install command.
          </Accordion>

          <Accordion title="The OAuth page didn't open?">
            Open the authorization URL printed in the terminal yourself. If it's expired, run `/mcp → Vanta → Reconnect`.
          </Accordion>
        </AccordionGroup>
      </Tab>

      <Tab title="Claude Code">
        <Note>
          You get every MCP tool but no `/vanta:*` skills including PR generation.
        </Note>

        ```bash theme={"system"}
        claude mcp add --transport http vanta https://mcp.vanta.com/mcp
        ```

        Then run `/mcp`, select **vanta**, and click **Allow**.
      </Tab>

      <Tab title="Cursor">
        <Note>
          You get every MCP tool but no `/vanta:*` skills including PR generation.
        </Note>

        1. Open **Settings → Tools & MCP → Add custom MCP**.

        2. Paste:

           ```json theme={"system"}
           {
             "mcpServers": {
               "vanta": {
                 "url": "https://mcp.vanta.com/mcp"
               }
             }
           }
           ```

        3. Save, then click **Allow** when Cursor opens the OAuth flow.
      </Tab>

      <Tab title="Codex Desktop">
        <Note>
          You get every MCP tool but no `/vanta:*` skills including PR generation.
        </Note>

        1. **Settings → MCP servers → Add server**.
        2. **Name:** `Vanta`, **Type:** **Streamable HTTP**, **URL:** `https://mcp.vanta.com/mcp`.
        3. **Save**, then click **Authenticate** and **Allow**.
      </Tab>

      <Tab title="Codex CLI">
        <Note>
          You get every MCP tool but no `/vanta:*` skills including PR generation.
        </Note>

        Shares config with Codex Desktop.

        ```bash theme={"system"}
        codex mcp add vanta --url https://mcp.vanta.com/mcp
        codex mcp login vanta
        ```

        Click **Allow** in the browser, then confirm with `codex mcp list`.
      </Tab>

      <Tab title="Perplexity">
        <Note>
          You get every MCP tool but no `/vanta:*` skills including PR generation.
        </Note>

        1. Add a **remote custom connector**.
        2. URL: `https://mcp.vanta.com/mcp` (or your regional endpoint).
        3. **Authentication: OAuth** → click **Allow**.

        <Info>
          Perplexity has no repository or shell access, so it usually returns a console-first plan and generic Terraform / CloudFormation snippets you can paste into a ticket.
        </Info>
      </Tab>
    </Tabs>
  </Step>

  <Step title="List your highest-priority failing tests">
    In your tool's chat, ask:

    ```
    Show me the highest-priority failing Vanta tests relevant to this repository.
    ```

    <Tip>
      In the **Claude Code plugin**, you can run `/vanta:list-tests` instead. In **Perplexity** (no repo context), replace "relevant to this repository" with "ranked by severity" — and optionally paste your stack ("we run on AWS + GitHub Actions") to bias results.
    </Tip>

    ```
    Found 12 failing tests. Top 5 for this repository:

    1. GitHub repos should require pull request reviews before merging
       Test ID: github-repo-require-pr-reviews   |  Severity: HIGH

    2. AWS S3 buckets should have server-side encryption enabled
       Test ID: aws-s3-bucket-server-side-encryption-enabled   |  Severity: HIGH

    3. AWS IAM password policy should require minimum length of 14
       Test ID: aws-iam-password-policy-minimum-length   |  Severity: MEDIUM
    ```

    Pick a HIGH-severity test ID to use in the next step.

    <AccordionGroup>
      <Accordion title="0 failing tests returned?">
        Either everything's passing, or your OAuth token expired. Re-authorize: `/mcp → Vanta → Reconnect` (Claude Code), re-trigger OAuth in Cursor or Perplexity settings, click **Authenticate** in Codex Desktop, or run `codex mcp login vanta`.
      </Accordion>

      <Accordion title="Tests unrelated to my codebase?">
        Re-open the right project before re-running the prompt. If your repo doesn't contain any IaC (or you're in Perplexity), the assistant falls back to severity ranking — paste your stack to bias results.
      </Accordion>
    </AccordionGroup>
  </Step>

  <Step title="Inspect the failing resources for one test">
    Ask which specific resources are failing the test you picked:

    ```
    Show me which specific resources are failing the "TEST ID" test.
    ```

    Replace `TEST ID` with the ID from Step 2. Example output for `github-repo-require-pr-reviews`:

    ```
    4 resources failing:

    • my-company/web-app        — No branch protection rule on `main`
    • my-company/api-server     — Branch protection does not require PR reviews
    • my-company/infra          — Branch protection requires 0 reviewers
    • my-company/data-pipeline  — No branch protection rule on `main`
    ```

    You now know exactly what to fix.

    <Accordion title="I see resources I don't recognize?">
      Check the integration field (GitHub org, AWS account ID, GCP project, etc.). If your company has multiple orgs or cloud accounts, focus on the one you own.
    </Accordion>
  </Step>

  <Step title="Generate a remediation plan">
    Ask for the fix:

    ```
    Generate a remediation plan for the "TEST ID" test. Include console steps,
    CLI commands, and a Terraform / CloudFormation / CDK snippet I can adapt.
    ```

    <Tip>
      In the **Claude Code plugin**, run `/vanta:fix-test TEST ID` — it also scans your repo for matching IaC files and unlocks the optional PR step below.
    </Tip>

    The assistant pulls the failing resources from Vanta and returns a multi-option plan — typically a CLI command for the fastest fix, console steps for environments where the resource isn't managed by IaC, and an IaC snippet you can commit to prevent recurrence:

    ```
    Failing resources (4): web-app, api-server, infra, data-pipeline

    Option A — gh CLI (fastest)
      gh api -X PUT repos/my-company/web-app/branches/main/protection \
        -F required_pull_request_reviews.required_approving_review_count=1 \
        -F enforce_admins=true \
        -F required_status_checks=null \
        -F restrictions=null
      (repeat for api-server, infra, data-pipeline)

    Option B — GitHub UI
      For each repo: Settings → Branches → Add branch protection rule →
      pattern `main` → "Require a pull request before merging" → approvals: 1.

    Option C — Terraform (prevents recurrence)
      resource "github_branch_protection" "web_app_main" {
        repository_id = github_repository.web_app.node_id
        pattern       = "main"
        required_pull_request_reviews {
          required_approving_review_count = 1
        }
      }

    Vanta will re-evaluate on its next sync (within 24 hours).
    ```

    The assistant won't run CLI commands that mutate live resources on its own — it'll surface them and ask first. Pick the option that fits your environment and apply it.
  </Step>

  <Step title="(Optional) Open a draft pull request">
    <Note>
      This step applies **only** if using the **Claude Code Vanta plugin**.
    </Note>

    This step assumes the failing resource is managed by IaC in a repo connected as a Vanta **Version Control** integration (GitHub, GitLab, or Bitbucket), the repo is open locally, and Claude has push access. If that's true, ask:

    ```
    Open a draft pull request with the IaC changes from this plan.
    ```

    The plugin matches your existing module structure, generates a minimal diff, and opens a draft PR against your current branch:

    ```
    Opened draft PR #47: "fix: require PR reviews on 4 repos
    (Vanta github-repo-require-pr-reviews)"
    https://github.com/my-company/infra/pull/47
    ```

    Review the diff before marking it ready — spot-check variable references and backend state.

    <AccordionGroup>
      <Accordion title="My resources aren't in code?">
        Stick with the plan from Step 4 — run the CLI, apply the UI steps, or hand it to the team that owns the resource.
      </Accordion>

      <Accordion title="Plugin couldn't find Terraform files?">
        It searches `.tf` files in the root and common subfolders (`infra/`, `terraform/`, `ops/`). Point it elsewhere: *"The Terraform files are in `platform/infra/aws/`."*
      </Accordion>

      <Accordion title="Plugin couldn't find the failing resource in this repo?">
        The resource probably lives in a different account / project / repo. Use Step 4's CLI or UI option instead, or re-run from inside the repo that manages it.
      </Accordion>

      <Accordion title="I use CloudFormation or CDK, not Terraform?">
        The plugin supports all three. Tell it which framework you use and it'll adjust the diff.
      </Accordion>
    </AccordionGroup>
  </Step>

  <Step title="Verify the fix">
    Once you've applied the fix (PR merged, CLI run, console steps done, or ticket handed off), ask:

    ```
    What is the current status of the "TEST ID" test in Vanta?
    ```

    Vanta re-evaluates tests on its next sync, usually within 24 hours. If it still shows as failing, wait for the next sync or trigger one from the Vanta dashboard.
  </Step>
</Steps>

## Congratulations

You're connected to the Vanta MCP server and you've used it to surface failing tests, inspect failing resources, and generate a remediation plan — with an optional draft PR if you're using the Claude Code plugin. From here:

* **Remediate more tests** — re-run Step 2 (or `/vanta:list-tests`) and repeat the flow.
* **Explore other compliance data** — ask your assistant about controls, vendors, vulnerabilities, or frameworks in plain English.
* **Learn more about the MCP** — see the [Vanta MCP server reference](/docs/vanta-mcp).

## More things to try

<AccordionGroup>
  <Accordion title="Review your SOC 2 control coverage">
    ```
    Show me my SOC 2 controls, how many are complete versus in progress,
    and which controls have the most failing tests.
    ```
  </Accordion>

  <Accordion title="Triage a vulnerability by severity">
    ```
    List every CRITICAL vulnerability whose remediation deadline is in the
    next 30 days, and tell me which ones are already assigned.
    ```
  </Accordion>

  <Accordion title="Find tests failing across multiple frameworks">
    ```
    Which failing tests are mapped to both SOC 2 and ISO 27001? Show me the
    failing resource count for each.
    ```
  </Accordion>

  <Accordion title="Check who owns a control">
    ```
    Who owns the "Encryption at rest" control, and which automated tests
    validate it?
    ```
  </Accordion>
</AccordionGroup>

## Next steps

<CardGroup cols={2}>
  <Card title="Vanta MCP server" href="/docs/vanta-mcp">
    Full reference for connecting MCP clients to Vanta.
  </Card>

  <Card title="Query failing tests via API" href="/docs/guides/query-test-results-and-filter-for-failing-resources">
    Pull test results programmatically — useful for CI and dashboards.
  </Card>

  <Card title="Triage vulnerabilities" href="/docs/guides/vulnerabilities-with-approaching-slas">
    Surface vulnerable assets with approaching SLA deadlines.
  </Card>

  <Card title="Manage Vanta via API" href="/docs/quickstart/manage-vanta">
    Get an API token and automate your Vanta account with code.
  </Card>
</CardGroup>
