The Vanta and Drata connectors are shipped, opt-in, and covered by an extensive test suite. Live validation against production Vanta and Drata tenants is in progress as partner onboarding proceeds — until it completes, treat production use as early-access and validate against your own tenant first. This is a single-workspace, operator-configured connector: it pushes to the one workspace whose token you provide. It is not a managed sync across many tenants, and there is no partner-hosted pipeline behind it. Secureframe is on the roadmap. We'd rather tell you exactly where the connector is than oversell it.
01What the connector does
NSAuditor has always written a GRC-ready JSON evidence artifact you could import by hand. The GRC connectors close the last gap: when you enable one, a single compliance scan maps each finding to the provider's evidence/test model and pushes it as the scan runs. Under the hood the push loop is built for the failure modes that matter when you write to someone else's API:
- Suppression-aware outcome mapping — each control is pushed as pass, fail, or passed-with-compensating-control, honoring your suppression decisions rather than blindly reporting raw findings.
- Framework-dimensioned idempotency keys — a deterministic key per control-and-framework means a network-timed-out retry updates the existing record instead of creating a duplicate.
- Rate-limit backoff + circuit breaker — the loop backs off on HTTP 429 and trips a consecutive-failure circuit breaker so a degraded provider API never stalls or corrupts your scan.
- Durable per-control audit artifact — every push writes a
scan_grc_push_<provider>.jsonrecord next to your scan output, so you always have local proof of exactly what was sent and how the provider responded. - Loud, never-silent outcomes — a skipped or no-op push is surfaced visibly in the scan summary; the connector never fails quietly.
The push is the only outbound call, it happens only when you opt in, and its egress is redaction-gated. Your API token is read from the environment, redacted from every log and error path, and never serialized to any artifact. The audit record captures a non-reversible fingerprint of the pushed body — counts and signals, never secret values and never the token.
02Quick start
Set two environment variables and run a compliance scan as usual. With nothing set, scans behave exactly as before and only write the local evidence JSON.
The GRC connectors are an Enterprise capability and require the @nsasoft/nsauditor-ai-ee package.
03Configuration reference
| Environment variable | Required | Purpose |
|---|---|---|
COMPLIANCE_GRC_PROVIDER | Yes (to enable) | Selects the connector: vanta or drata. Unset means the push is disabled and only the local evidence JSON is written. |
COMPLIANCE_GRC_TOKEN | Yes | The provider API token / key for the target workspace. Read at scan time, redacted from all output, never serialized. |
COMPLIANCE_GRC_BASE_URL | Optional | Override the provider API base URL — for a regional endpoint or a proxy that keeps egress on your own perimeter. |
COMPLIANCE_GRC_CONTROL_MAP | Vanta: optional Drata: required | Vanta — optional mapping that aligns NSAuditor controls to your workspace's test/control IDs when they differ from the defaults. Drata — points at the Custom Connection config (connectionId, resourceId, schemaMap); the shipped defaults are empty, so Drata pushes require it and fail-fast without it. |
COMPLIANCE_GRC_REDACTION | Optional | Egress redaction policy applied to the pushed body before it leaves your infrastructure. One of off, hash, or remove. |
04Vanta — scan-time push, activated
NSAuditor has shipped a Vanta connector library since v0.11.0 — but it was dormant: nothing read the configuration and nothing pushed at scan time. EE 0.32.0 wires it in. With COMPLIANCE_GRC_PROVIDER=vanta set, each compliance scan maps its findings to Vanta test results and pushes them, carrying the full reliability discipline above: suppression-aware outcomes, framework-dimensioned idempotency, rate-limit backoff, the consecutive-failure circuit breaker, and the token-redacted per-control audit log. This activation went through four rounds of adversarial external review across idempotency, timeout/abort, evidence-integrity, and fail-closed configuration before it shipped.
One honest note on scope: the shipped connector targets Vanta's evidence/test model, and the production Vanta API integration (OAuth authorization and the live resource-push endpoint) is being finalized with the partner. Until that lands and live-tenant validation completes, treat Vanta push as early-access and validate against your own tenant first.
05Drata — a new connector (Custom Connections)
New this release: a Drata connector built on Drata's Custom Connections model. It pushes structured records to your Custom Connection resource; your own Drata Test Builder rules (Advanced/Enterprise plans) then evaluate them. The division of labor is deliberate — the connector delivers the evidence, your rules do the evaluation. It's self-contained and rides the same hardened push loop as the Vanta path, so it carries the same reliability and audit-integrity guarantees without touching the reviewed Vanta code.
06Platform status
| Platform | Status | Model | Notes |
|---|---|---|---|
| Vanta | Shipped · scan-time push activated | Test results | Findings map to Vanta test results with suppression-aware outcomes. Live-tenant validation in progress. |
| Drata | Shipped · connector | Custom Connections | Pushes structured records; your Test Builder rules evaluate (Advanced/Enterprise plans). Live-tenant validation in progress. |
| Secureframe | On the roadmap | — | Planned; not in this release. |
07What "shipped" means
The Vanta and Drata connectors are shipped, opt-in, and tested. Live validation against production Vanta and Drata tenants is in progress as partner onboarding proceeds. This is a single-workspace, operator-configured connector — you point it at one workspace with one token, and it pushes there. Until live-tenant validation completes, treat production use as early-access and validate against your own tenant first. If that's the honest state of an integration, that's what we'll tell you.