# Set up Vanta integration with Endor Labs

> Learn how to integrate Vanta with Endor Labs and automate compliance requirements

Vanta enables organizations to manage risk by automating compliance and streamlining security reviews. Integrate Vanta with Endor Labs to view security findings in real time and accelerate your security audit processes.

To integrate Endor Labs with Vanta:

* [Create an application in Vanta](#create-an-application-in-vanta)
  * [Create resources in Vanta](#create-resources-in-vanta)
* [Configure Vanta integration](#configure-vanta-integration)
  * [Associate an action policy with a Vanta notification](#associate-an-action-policy-with-a-vanta-notification)
  * [Manage Vanta notification targets in Endor Labs](#manage-vanta-notification-targets-in-endor-labs)
* [Run a scan](#run-a-scan)
  * [Findings exported to Vanta](#findings-exported-to-vanta)
* [View findings in Vanta](#view-findings-in-vanta)

## Create an application in Vanta

Create an application in Vanta so that Endor Labs can authenticate and export vulnerability findings to Vanta. The app requires the `connectors.self:write-resource` and `connectors.self:read-resource` scopes to export vulnerabilities.

1. Sign in to Vanta as an Administrator.
2. Click **Settings** on the top navigation bar.
3. Select **Developer Console**.
   <img src="https://mintcdn.com/endorlabs-b4795f4f/dHzwUrp_QbpzV9uv/images/integrations/vanta/VantaDeveloperConsole.webp?fit=max&auto=format&n=dHzwUrp_QbpzV9uv&q=85&s=8bb677edbf131074bc18f57c99fe18a4" alt="Vanta Developer Console" width="3420" height="1762" data-path="images/integrations/vanta/VantaDeveloperConsole.webp" />
4. Click **Create**.
5. Select **Build Integrations**.
6. Enter a name and description for your application.
7. Select the **App Visibility** as **Private** and click **Create**.

<img src="https://mintcdn.com/endorlabs-b4795f4f/dHzwUrp_QbpzV9uv/images/integrations/vanta/createvantaapp.webp?fit=max&auto=format&n=dHzwUrp_QbpzV9uv&q=85&s=f7293091190f3c21f3b4df72f34f3016" alt="Create Vanta Integration" style={{width: '50%'}} width="944" height="1534" data-path="images/integrations/vanta/createvantaapp.webp" />

8. Select the **Application Category** as **Vulnerability Scanner**.
9. Click **Generate Client Secret** to generate the OAuth client secret.
   The OAuth Client ID appears. Copy the OAuth Client ID and the client secret and have them handy. You must enter this data in Endor Labs to configure the Vanta integration.
   <img src="https://mintcdn.com/endorlabs-b4795f4f/dHzwUrp_QbpzV9uv/images/integrations/vanta/createendorvanta.webp?fit=max&auto=format&n=dHzwUrp_QbpzV9uv&q=85&s=c957b2704a69caa5b5c110037e839f4b" alt="Build Vanta Integration" width="2972" height="1634" data-path="images/integrations/vanta/createendorvanta.webp" />
10. Click **Save**.

### Create resources in Vanta

To successfully ingest security data and create notifications, map the Endor Labs attributes to resource types in Vanta.

1. Sign in to Vanta.
2. Navigate to **Settings** and click **Developer Console**.
3. Select your application and click **Resources**.
4. Click **Create Resource** and create the following resources to successfully map Endor Labs data into Vanta.

   * Enter the **Resource Type** as `Vulnerable Component` (mandatory) and select the **Base Resource Type** as **VulnerableComponent**.

     <img src="https://mintcdn.com/endorlabs-b4795f4f/dHzwUrp_QbpzV9uv/images/integrations/vanta/createresourcevanta.webp?fit=max&auto=format&n=dHzwUrp_QbpzV9uv&q=85&s=125c8c58d2ae4bd2c4fd0f5e0fa300f5" alt="Create Resource" style={{width: '50%'}} width="934" height="1612" data-path="images/integrations/vanta/createresourcevanta.webp" />

   * Enter the **Resource Type** as `Package Vulnerability` (optional) and select the **Base Resource Type** as **PackageVulnerabilityConnectors**.

   * Enter the **Resource Type** as `Static Code Analysis` (optional) and select the **Base Resource Type** as **StaticAnalysisCodeVulnerabilityConnectors**.

   Provide the **Static Code Analysis** resource type if you want to export exposed secrets in your first-party code to Vanta.

   You can view the schema generated for all the resource types.

Copy the **Resource ID** of the generated resources and have them handy. You must enter this data in Endor Labs to configure the Vanta integration.

<img src="https://mintcdn.com/endorlabs-b4795f4f/dHzwUrp_QbpzV9uv/images/integrations/vanta/endorvantaresources.webp?fit=max&auto=format&n=dHzwUrp_QbpzV9uv&q=85&s=691f9d9981c6a5c340450530d63f25ac" alt="Vanta Resource IDs" width="2954" height="1332" data-path="images/integrations/vanta/endorvantaresources.webp" />

## Configure Vanta integration

Set up Endor Labs integration with Vanta.

Prerequisites:
Make sure you have the client ID, client secret, and the resource IDs from Vanta handy.

1. Sign in to Endor Labs and click **Integrations** from the sidebar.

2. Under **Notifications**, click **Add** for **Vanta**.

3. Click **Add Notification Integration**.

   <img src="https://mintcdn.com/endorlabs-b4795f4f/TVudXwCdR2gZhdvv/images/integrations/vanta/endortovanta.webp?fit=max&auto=format&n=TVudXwCdR2gZhdvv&q=85&s=3cf9243922caa9b59ac04507ea1d4f34" alt="Add Notification Integration" width="1892" height="1540" data-path="images/integrations/vanta/endortovanta.webp" />

4. Enter a name and description for this integration.

5. Enter the **CLIENT ID** and **CLIENT SECRET** that you generated on Vanta.

6. Under **Vanta Resources**, enter the Resource IDs for VULNERABILITY COMPONENT, PACKAGE VULNERABILITY, and STATIC CODE ANALYSIS VULNERABILITY from Vanta.

   <Note>
     **Vulnerable Component** is mandatory. You must enter either one of the **Package Vulnerability** or **Static Code Analysis Vulnerability** resource types.
   </Note>

7. Click **Add Notification Integration**.

### Associate an action policy with a Vanta notification

Users can create action policies to execute a recommended action when a scan violates a policy. For example, if there is a critical or high vulnerability, Endor Labs exports those vulnerabilities to Vanta to ensure compliance adherence.

While creating an action policy, configure the following settings:

* Select **Choose an Action** as **Send Notification**.
* From **SELECT NOTIFICATION TARGETS**, choose the Vanta integration notification that you created.
* Choose an [**Aggregation type**](/platform-administration/policies/action-policies#aggregation-types-for-notifications) for notifications. For integrating with Vanta, we recommend you choose **Project**.
* From **Assign Scope**, include the project tags in **INCLUSIONS** to apply this policy to a project.

See [Create an action policy](/platform-administration/policies/action-policies) for more details.

### Manage Vanta notification targets in Endor Labs

You can view and manage the Endor Labs Vanta notification targets created for a project.

1. Select **Integrations** from the left sidebar.
2. Under **Notifications**, click **Manage** for **Vanta**. You can view all your created notification targets for Vanta.
3. To edit a notification target, click the vertical ellipsis and choose **Edit Notification Integration**.
4. To delete a notification target, click the vertical ellipsis and choose **Delete Notification Integration**.

## Run a scan

Run the endorctl scan on your configured projects. See [endorctl scan commands](/developers-api/cli/commands/scan) for more information.

### Findings exported to Vanta

Endor Labs sends the following findings to Vanta:

* third-party open-source vulnerabilities
* secrets exposed in the first-party code

Endor Labs exports these findings as **Package Vulnerabilities** and **Static Code Analysis Vulnerabilities** in Vanta and associates them with a **Vulnerable Component** (that is the Repository Version) in Vanta.

Exporting findings generated on the Git repository security posture of an organization is not supported.

## View findings in Vanta

View Endor Labs' findings in Vanta and take remedial actions.

1. Sign in to Vanta.
2. Select **Tests** to view notifications.
3. Select the integration that you created in the **Integration** filter to view notifications from Endor Labs.

   <img src="https://mintcdn.com/endorlabs-b4795f4f/dHzwUrp_QbpzV9uv/images/integrations/vanta/viewendorresultsvanta.webp?fit=max&auto=format&n=dHzwUrp_QbpzV9uv&q=85&s=eed4ce54b873195afbaea163b5dffb71" alt="View Endor Labs Results in Vanta" width="3422" height="1796" data-path="images/integrations/vanta/viewendorresultsvanta.webp" />
4. Select a notification to view all findings associated with the Endor Labs policy.

   <img src="https://mintcdn.com/endorlabs-b4795f4f/dHzwUrp_QbpzV9uv/images/integrations/vanta/view_results_in_vanta.webp?fit=max&auto=format&n=dHzwUrp_QbpzV9uv&q=85&s=2420fa44101f4d2751394d3a60f39eab" alt="View notification in Vanta" width="1020" height="562" data-path="images/integrations/vanta/view_results_in_vanta.webp" />
5. Click on a finding to view more details in Endor Labs.

For example, if you create an action policy to send notifications for critical vulnerabilities and associate it with a Vanta notification target, you can see the exports as **Critical vulnerabilities identified in code repositories are addressed** under **Tests** in Vanta. Vanta classifies the tests by the severity of the exported findings.
