Your compliance evidence, pushed to your GRC platform at scan time.

NSAuditor AI Enterprise can map every finding from a compliance scan to your GRC platform's own evidence and test records and push them at scan time — so your Vanta or Drata workspace reflects your latest cloud posture without an export/import round-trip. It's opt-in and Zero-Data-Exfiltration by default: nothing leaves your infrastructure unless you set the environment variables, egress is redaction-gated, and your API token is never written to any artifact.

✓ Vanta — scan-time push activated ✓ Drata — connector shipped ◷ Secureframe — on the roadmap ⚡ Opt-in · ZDE by default EE 0.32.0 · 2026-07-07
Honest status — read this first

The Vanta and Drata connectors are shipped, opt-in, and covered by an extensive test suite. Live validation against production Vanta and Drata tenants is in progress as partner onboarding proceeds — until it completes, treat production use as early-access and validate against your own tenant first. This is a single-workspace, operator-configured connector: it pushes to the one workspace whose token you provide. It is not a managed sync across many tenants, and there is no partner-hosted pipeline behind it. Secureframe is on the roadmap. We'd rather tell you exactly where the connector is than oversell it.

01What the connector does

NSAuditor has always written a GRC-ready JSON evidence artifact you could import by hand. The GRC connectors close the last gap: when you enable one, a single compliance scan maps each finding to the provider's evidence/test model and pushes it as the scan runs. Under the hood the push loop is built for the failure modes that matter when you write to someone else's API:

  • Suppression-aware outcome mapping — each control is pushed as pass, fail, or passed-with-compensating-control, honoring your suppression decisions rather than blindly reporting raw findings.
  • Framework-dimensioned idempotency keys — a deterministic key per control-and-framework means a network-timed-out retry updates the existing record instead of creating a duplicate.
  • Rate-limit backoff + circuit breaker — the loop backs off on HTTP 429 and trips a consecutive-failure circuit breaker so a degraded provider API never stalls or corrupts your scan.
  • Durable per-control audit artifact — every push writes a scan_grc_push_<provider>.json record next to your scan output, so you always have local proof of exactly what was sent and how the provider responded.
  • Loud, never-silent outcomes — a skipped or no-op push is surfaced visibly in the scan summary; the connector never fails quietly.
Zero Data Exfiltration

The push is the only outbound call, it happens only when you opt in, and its egress is redaction-gated. Your API token is read from the environment, redacted from every log and error path, and never serialized to any artifact. The audit record captures a non-reversible fingerprint of the pushed body — counts and signals, never secret values and never the token.

02Quick start

Set two environment variables and run a compliance scan as usual. With nothing set, scans behave exactly as before and only write the local evidence JSON.

# Vanta $ export COMPLIANCE_GRC_PROVIDER=vanta $ export COMPLIANCE_GRC_TOKEN=<your-vanta-api-token> $ nsauditor-ai scan --host aws --compliance soc2 ✓ compliance evidence mapped · pushing to Vanta… ✓ scan_grc_push_vanta.json written · 0 data left your infrastructure # Drata $ export COMPLIANCE_GRC_PROVIDER=drata $ export COMPLIANCE_GRC_TOKEN=<your-drata-api-key> $ nsauditor-ai scan --host aws --compliance soc2,iso-27001

The GRC connectors are an Enterprise capability and require the @nsasoft/nsauditor-ai-ee package.

03Configuration reference

Environment variableRequiredPurpose
COMPLIANCE_GRC_PROVIDERYes (to enable)Selects the connector: vanta or drata. Unset means the push is disabled and only the local evidence JSON is written.
COMPLIANCE_GRC_TOKENYesThe provider API token / key for the target workspace. Read at scan time, redacted from all output, never serialized.
COMPLIANCE_GRC_BASE_URLOptionalOverride the provider API base URL — for a regional endpoint or a proxy that keeps egress on your own perimeter.
COMPLIANCE_GRC_CONTROL_MAPVanta: optional
Drata: required
Vanta — optional mapping that aligns NSAuditor controls to your workspace's test/control IDs when they differ from the defaults. Drata — points at the Custom Connection config (connectionId, resourceId, schemaMap); the shipped defaults are empty, so Drata pushes require it and fail-fast without it.
COMPLIANCE_GRC_REDACTIONOptionalEgress redaction policy applied to the pushed body before it leaves your infrastructure. One of off, hash, or remove.

04Vanta — scan-time push, activated

NSAuditor has shipped a Vanta connector library since v0.11.0 — but it was dormant: nothing read the configuration and nothing pushed at scan time. EE 0.32.0 wires it in. With COMPLIANCE_GRC_PROVIDER=vanta set, each compliance scan maps its findings to Vanta test results and pushes them, carrying the full reliability discipline above: suppression-aware outcomes, framework-dimensioned idempotency, rate-limit backoff, the consecutive-failure circuit breaker, and the token-redacted per-control audit log. This activation went through four rounds of adversarial external review across idempotency, timeout/abort, evidence-integrity, and fail-closed configuration before it shipped.

One honest note on scope: the shipped connector targets Vanta's evidence/test model, and the production Vanta API integration (OAuth authorization and the live resource-push endpoint) is being finalized with the partner. Until that lands and live-tenant validation completes, treat Vanta push as early-access and validate against your own tenant first.

05Drata — a new connector (Custom Connections)

New this release: a Drata connector built on Drata's Custom Connections model. It pushes structured records to your Custom Connection resource; your own Drata Test Builder rules (Advanced/Enterprise plans) then evaluate them. The division of labor is deliberate — the connector delivers the evidence, your rules do the evaluation. It's self-contained and rides the same hardened push loop as the Vanta path, so it carries the same reliability and audit-integrity guarantees without touching the reviewed Vanta code.

06Platform status

PlatformStatusModelNotes
VantaShipped · scan-time push activatedTest resultsFindings map to Vanta test results with suppression-aware outcomes. Live-tenant validation in progress.
DrataShipped · connectorCustom ConnectionsPushes structured records; your Test Builder rules evaluate (Advanced/Enterprise plans). Live-tenant validation in progress.
SecureframeOn the roadmapPlanned; not in this release.

07What "shipped" means

The Vanta and Drata connectors are shipped, opt-in, and tested. Live validation against production Vanta and Drata tenants is in progress as partner onboarding proceeds. This is a single-workspace, operator-configured connector — you point it at one workspace with one token, and it pushes there. Until live-tenant validation completes, treat production use as early-access and validate against your own tenant first. If that's the honest state of an integration, that's what we'll tell you.

Wire it into your GRC workflow

The GRC connectors ship in NSAuditor AI Enterprise. See the enterprise overview and pricing, or read how one scan produces seven framework-mapped evidence packs.