Frequently Asked Questions: How do I Mark Resources out of Scope?


You may have some inventory items built into your infrastructure that have yet to be included in the scope of your audit. You can mark them out of scope on the Integrations


You can mark resources out of scope in the following connection types: 

  • Cloud Provider
  • Identity Provider (IDP)
  • Version Control System
  • Human Resource Information System (HRIS)
  • Datastore Provider
  • Mobile Device Management Tool (MDM)

Manually Configure the Scope of Your Resources 

  • Select Integrations from the left-hand navigation panel
  • Choose the integration you would like to adjust, and select configure scope
  • From here, you can toggle each option off or on one by one, or select:
    • Mark all in: to mark all options in scope
    • Mark all off: to mark all options out of scope

  • Changes will be saved automatically



Scoping through Tags 

  • Vanta supports reading tags (called labels in GCP) from our various cloud provider integrations to populate different attributes of cloud resources, such as owner, description, user data, and scope. While these attributes can be set manually on the inventory page or integration page for scoping, these fields are not persistent and will disappear once the integration is disconnected. For this reason, we recommend using tags, as they are continuous and more scalable.

What should be considered In-Scope or Out-of-Scope for an audit? 

  • In-scope inventory should include any item used in your production environment, items containing sensitive information, and items containing user data. It is essential to ensure these items are secure due to the nature of the information they contain.
  • Out-of-scope inventory could be any items not used in a production environment or items that do not contain sensitive information. 

Turning off automatic scoping of new resources

By default, Vanta automatically scopes in new resources as a best practice so that users don’t have to manually keep track of resources that are scoped in for an audit. In some scenarios, you may not want this behavior. Turning off automatic scoping is currently only available for the following Version Control System integrations: GitHub, GitLab, and Bitbucket. If you would like to scope in new repositories manually, follow these steps:

  • Select Configure Scope on the Integrations page

  • Turn off the toggle for Automatically scope in new repositories

  • Confirm the change in the warning prompt if you would like to proceed.

  • New repositories will no longer be scoped in by default
    • Periodically check for new repositories to ensure you’ve included the appropriate ones for your audit.
  • You can always turn the toggle back on if you’d like to scope in new repositories automatically.

Syncing IDP scoping with associated resources

When using IDP scoping to only mark a subset of users within Vanta’s scope, it may also be helpful to apply the same scoping logic to any resources fetched from other integrations (like GitHub), so that only resources linked to scoped-in users are marked as within scope.

  • To do this, you can turn on the Apply user scope to resources toggle by clicking on the Apply user scope button above the list of your connected integrations on the integrations page. 



  • By default, this is turned off - turning it on will apply the same user-level scoping logic for any associated resources.
  • This will take effect the next time Vanta pulls in any account information, which generally happens within the hour. Currently, this feature only supports applying IDP scoping to user accounts.



  • Once this setting is turned on, any accounts that are linked to a user within Vanta can no longer be manually toggled in or out of scope, and the “Mark all in” and “Mark all out” quick actions will only apply to accounts without a linked user.
  • To individually mark an account as out of scope, you will need to either unlink it from its current in-scope user (which can be done with the unlink button on the account row), or mark the owning user as out of scope.