vanta-auditor-api-sdk

Developer-friendly & type-safe Typescript SDK specifically catered to leverage vanta-auditor-api-sdk API.

Summary

Conduct an audit: The Auditor API lets audit firms conduct audits from a tool outside of Vanta. Unlock data syncing with Vanta through this API.

Note for Vanta Gov (FedRAMP) customers: Select Vanta Gov (FedRAMP) from the server dropdown to issue requests against https://api.vanta-gov.com. The OAuth token URL shown below defaults to the commercial host — replace it with https://api.vanta-gov.com/oauth/token.

Table of Contents

• vanta-auditor-api-sdk
  • SDK Installation
  • Requirements
  • SDK Example Usage
  • Authentication
  • Available Resources and Operations
  • Standalone functions
  • Retries
  • Error Handling
  • Server Selection
  • Custom HTTP Client
  • Debugging
• Development
  • Maturity
  • Contributions
• vanta-auditor-api-sdk-typescript
• vanta-auditor-api-sdk-typescript

SDK Installation

The SDK can be installed with either npm, pnpm, bun or yarn package managers.

NPM

npm add vanta-auditor-api-sdk

PNPM

pnpm add vanta-auditor-api-sdk

Bun

bun add vanta-auditor-api-sdk

Yarn

yarn add vanta-auditor-api-sdk

Requirements

For supported JavaScript runtimes, please consult RUNTIMES.md.

SDK Example Usage

Example

import { Vanta } from "vanta-auditor-api-sdk";

const vanta = new Vanta({
  bearerAuth: process.env["VANTA_BEARER_AUTH"] ?? "",
});

async function run() {
  const result = await vanta.audits.list({});

  console.log(result);
}

run();

Authentication

Per-Client Security Schemes

This SDK supports the following security scheme globally:

Name	Type	Scheme	Environment Variable
bearerAuth	http	HTTP Bearer	VANTA_BEARER_AUTH

To authenticate with the API the bearerAuth parameter must be set when initializing the SDK client instance. For example:

import { Vanta } from "vanta-auditor-api-sdk";

const vanta = new Vanta({
  bearerAuth: process.env["VANTA_BEARER_AUTH"] ?? "",
});

async function run() {
  const result = await vanta.audits.list({});

  console.log(result);
}

run();

Available Resources and Operations

Available methods

Auditors

• create - Create an auditor

Audits

• list - List audits
• getAudit - Get audit by ID
• listCodeChanges - List code changes for an audit
• listComments - List audit comments
• listControls - List audit controls
• createCustomControl - Create a custom control for an audit
• listInformationRequestsForControl - List information requests linked to a control within an audit
• listEvidence - List audit evidence
• createCustomEvidenceRequest - Create a custom evidence request for an audit
• updateEvidence - Update audit evidence
• createCommentForEvidence - Create a comment for audit evidence
• getEvidenceUrls - List audit evidence url
• getFrameworkCodes - Get framework codes for an audit
• listInformationRequests - List information requests for an audit
• createInformationRequest - Create a new information request
• getInformationRequest - Get an information request by ID
• updateInformationRequest - Update an information request for an audit
• deleteInformationRequest - Delete an information request for an audit
• acceptInformationRequestEvidence - Accept evidence for an information request
• listInformationRequestActivity - List information request activity
• listCommentsForInformationRequest - List comments for an information request
• createCommentForInformationRequest - Create a comment for an information request
• updateCommentForInformationRequest - Update a comment for an information request
• deleteCommentForInformationRequest - Delete a comment for an information request
• listInformationRequestEvidence - List evidence for an information request
• getInformationRequestTestSnapshotEvidenceDetail - Get test snapshot detail for an evidence row
• flagInformationRequestEvidence - Flag evidence for an information request
• listAuditIssues - List snapshotted issues for an audit
• listAuditSnapshots - List snapshotted issues for an audit
• listVendors - List vendors for an audit
• listMonitoredComputersInAuditScope - List monitored computers
• listPeopleInAuditScope - List of people who are in scope for this audit
• listAccountAccessServices - List account access services for an audit
• listPersonnelAccountAccess - List account access records for an audit
• listPersonnelGroups - List groups for an audit
• listPersonnelPeople - List people for an audit
• listRiskSnapshots - List risk snapshots for an audit
• listAuditRisks - List risks for an audit
• shareInformationRequestList - Share information request list with customer
• listVendorsInAuditScope - List of vendors who are in scope for this audit
• listVulnerabilities - List vulnerabilities within the scope of a given audit
• listVulnerabilityRemediationsInAuditScope - List vulnerability remediations that are in scope for this audit
• getVulnerableAssets - List assets associated with vulnerabilities

Standalone functions

All the methods listed above are available as standalone functions. These functions are ideal for use in applications running in the browser, serverless runtimes or other environments where application bundle size is a primary concern. When using a bundler to build your application, all unused functionality will be either excluded from the final bundle or tree-shaken away.

To read more about standalone functions, check FUNCTIONS.md.

Available standalone functions

• auditorsCreate - Create an auditor
• auditsAcceptInformationRequestEvidence - Accept evidence for an information request
• auditsCreateCommentForEvidence - Create a comment for audit evidence
• auditsCreateCommentForInformationRequest - Create a comment for an information request
• auditsCreateCustomControl - Create a custom control for an audit
• auditsCreateCustomEvidenceRequest - Create a custom evidence request for an audit
• auditsCreateInformationRequest - Create a new information request
• auditsDeleteCommentForInformationRequest - Delete a comment for an information request
• auditsDeleteInformationRequest - Delete an information request for an audit
• auditsFlagInformationRequestEvidence - Flag evidence for an information request
• auditsGetAudit - Get audit by ID
• auditsGetEvidenceUrls - List audit evidence url
• auditsGetFrameworkCodes - Get framework codes for an audit
• auditsGetInformationRequest - Get an information request by ID
• auditsGetInformationRequestTestSnapshotEvidenceDetail - Get test snapshot detail for an evidence row
• auditsGetVulnerableAssets - List assets associated with vulnerabilities
• auditsList - List audits
• auditsListAccountAccessServices - List account access services for an audit
• auditsListAuditIssues - List snapshotted issues for an audit
• auditsListAuditRisks - List risks for an audit
• auditsListAuditSnapshots - List snapshotted issues for an audit
• auditsListCodeChanges - List code changes for an audit
• auditsListComments - List audit comments
• auditsListCommentsForInformationRequest - List comments for an information request
• auditsListControls - List audit controls
• auditsListEvidence - List audit evidence
• auditsListInformationRequestActivity - List information request activity
• auditsListInformationRequestEvidence - List evidence for an information request
• auditsListInformationRequests - List information requests for an audit
• auditsListInformationRequestsForControl - List information requests linked to a control within an audit
• auditsListMonitoredComputersInAuditScope - List monitored computers
• auditsListPeopleInAuditScope - List of people who are in scope for this audit
• auditsListPersonnelAccountAccess - List account access records for an audit
• auditsListPersonnelGroups - List groups for an audit
• auditsListPersonnelPeople - List people for an audit
• auditsListRiskSnapshots - List risk snapshots for an audit
• auditsListVendors - List vendors for an audit
• auditsListVendorsInAuditScope - List of vendors who are in scope for this audit
• auditsListVulnerabilities - List vulnerabilities within the scope of a given audit
• auditsListVulnerabilityRemediationsInAuditScope - List vulnerability remediations that are in scope for this audit
• auditsShareInformationRequestList - Share information request list with customer
• auditsUpdateCommentForInformationRequest - Update a comment for an information request
• auditsUpdateEvidence - Update audit evidence
• auditsUpdateInformationRequest - Update an information request for an audit

Retries

Some of the endpoints in this SDK support retries. If you use the SDK without any configuration, it will fall back to the default retry strategy provided by the API. However, the default retry strategy can be overridden on a per-operation basis, or across the entire SDK.

To change the default retry strategy for a single API call, simply provide a retryConfig object to the call:

import { Vanta } from "vanta-auditor-api-sdk";

const vanta = new Vanta({
  bearerAuth: process.env["VANTA_BEARER_AUTH"] ?? "",
});

async function run() {
  const result = await vanta.audits.list({}, {
    retries: {
      strategy: "backoff",
      backoff: {
        initialInterval: 1,
        maxInterval: 50,
        exponent: 1.1,
        maxElapsedTime: 100,
      },
      retryConnectionErrors: false,
    },
  });

  console.log(result);
}

run();

If you'd like to override the default retry strategy for all operations that support retries, you can provide a retryConfig at SDK initialization:

import { Vanta } from "vanta-auditor-api-sdk";

const vanta = new Vanta({
  retryConfig: {
    strategy: "backoff",
    backoff: {
      initialInterval: 1,
      maxInterval: 50,
      exponent: 1.1,
      maxElapsedTime: 100,
    },
    retryConnectionErrors: false,
  },
  bearerAuth: process.env["VANTA_BEARER_AUTH"] ?? "",
});

async function run() {
  const result = await vanta.audits.list({});

  console.log(result);
}

run();

Error Handling

VantaError is the base class for all HTTP error responses. It has the following properties:

Property	Type	Description
error.message	string	Error message
error.statusCode	number	HTTP response status code eg 404
error.headers	Headers	HTTP response headers
error.body	string	HTTP body. Can be empty string if no body is returned.
error.rawResponse	Response	Raw HTTP response

Example

import { Vanta } from "vanta-auditor-api-sdk";
import * as errors from "vanta-auditor-api-sdk/models/errors";

const vanta = new Vanta({
  bearerAuth: process.env["VANTA_BEARER_AUTH"] ?? "",
});

async function run() {
  try {
    const result = await vanta.auditors.create({
      email: "Genesis_Kunze87@yahoo.com",
      givenName: "<value>",
      familyName: "<value>",
    });

    console.log(result);
  } catch (error) {
    if (error instanceof errors.VantaError) {
      console.log(error.message);
      console.log(error.statusCode);
      console.log(error.body);
      console.log(error.headers);
    }
  }
}

run();

Error Classes

Primary error:

• VantaError: The base class for HTTP error responses.

Less common errors (6)

Network errors:

• ConnectionError: HTTP client was unable to make a request to a server.
• RequestTimeoutError: HTTP request timed out due to an AbortSignal signal.
• RequestAbortedError: HTTP request was aborted by the client.
• InvalidRequestError: Any input used to create a request is invalid.
• UnexpectedClientError: Unrecognised or unexpected error.

Inherit from VantaError:

• ResponseValidationError: Type mismatch between the data returned from the server and the structure expected by the SDK. See error.rawValue for the raw value and error.pretty() for a nicely formatted multi-line string.

Server Selection

Select Server by Index

You can override the default server globally by passing a server index to the serverIdx: number optional parameter when initializing the SDK client instance. The selected server will then be used as the default on the operations that use it. This table lists the indexes associated with the available servers:

#	Server	Description
0	https://api.vanta.com/v1	US Region API
1	https://api.vanta-gov.com/v1	Vanta Gov (FedRAMP)

Example

import { Vanta } from "vanta-auditor-api-sdk";

const vanta = new Vanta({
  serverIdx: 0,
  bearerAuth: process.env["VANTA_BEARER_AUTH"] ?? "",
});

async function run() {
  const result = await vanta.audits.list({});

  console.log(result);
}

run();

Override Server URL Per-Client

The default server can also be overridden globally by passing a URL to the serverURL: string optional parameter when initializing the SDK client instance. For example:

import { Vanta } from "vanta-auditor-api-sdk";

const vanta = new Vanta({
  serverURL: "https://api.vanta-gov.com/v1",
  bearerAuth: process.env["VANTA_BEARER_AUTH"] ?? "",
});

async function run() {
  const result = await vanta.audits.list({});

  console.log(result);
}

run();

Custom HTTP Client

The TypeScript SDK makes API calls using an HTTPClient that wraps the native Fetch API. This client is a thin wrapper around fetch and provides the ability to attach hooks around the request lifecycle that can be used to modify the request or handle errors and response.

The HTTPClient constructor takes an optional fetcher argument that can be used to integrate a third-party HTTP client or when writing tests to mock out the HTTP client and feed in fixtures.

The following example shows how to:

• route requests through a proxy server using undici's ProxyAgent
• use the "beforeRequest" hook to add a custom header and a timeout to requests
• use the "requestError" hook to log errors

import { Vanta } from "vanta-auditor-api-sdk";
import { ProxyAgent } from "undici";
import { HTTPClient } from "vanta-auditor-api-sdk/lib/http";

const dispatcher = new ProxyAgent("http://proxy.example.com:8080");

const httpClient = new HTTPClient({
  // 'fetcher' takes a function that has the same signature as native 'fetch'.
  fetcher: (input, init) =>
    // 'dispatcher' is specific to undici and not part of the standard Fetch API.
    fetch(input, { ...init, dispatcher } as RequestInit),
});

httpClient.addHook("beforeRequest", (request) => {
  const nextRequest = new Request(request, {
    signal: request.signal || AbortSignal.timeout(5000)
  });

  nextRequest.headers.set("x-custom-header", "custom value");

  return nextRequest;
});

httpClient.addHook("requestError", (error, request) => {
  console.group("Request Error");
  console.log("Reason:", `${error}`);
  console.log("Endpoint:", `${request.method} ${request.url}`);
  console.groupEnd();
});

const sdk = new Vanta({ httpClient: httpClient });

Debugging

You can setup your SDK to emit debug logs for SDK requests and responses.

You can pass a logger that matches console's interface as an SDK option.

Warning

Beware that debug logging will reveal secrets, like API tokens in headers, in log messages printed to a console or files. It's recommended to use this feature only during local development and not in production.

import { Vanta } from "vanta-auditor-api-sdk";

const sdk = new Vanta({ debugLogger: console });

You can also enable a default debug logger by setting an environment variable VANTA_DEBUG to true.

Development

Maturity

This SDK is in beta, and there may be breaking changes between versions without a major version update. Therefore, we recommend pinning usage to a specific package version. This way, you can install the same version each time without breaking changes unless you are intentionally looking for the latest version.

Contributions

While we value open-source contributions to this SDK, this library is generated programmatically. Any manual changes added to internal files will be overwritten on the next generation. We look forward to hearing your feedback. Feel free to open a PR or an issue with a proof of concept and we'll do our best to include it in a future release.

SDK Created by Speakeasy

vanta-auditor-api-sdk-typescript

vanta-auditor-api-sdk-typescript