Vendor Security Questionnaire for Engineering Integrations
Intro: Product teams often need a short, engineering-friendly question set, not a 200-question compliance workbook. This page gives a minimum viable questionnaire for integrations that execute code, receive webhooks, hold tokens, or touch product data.
What this page includes
- concise due-diligence questions
- extra questions for code execution, agents, and runners
- how to separate "nice to know" from release-critical answers
- when to escalate to a deeper review
Baseline questions
- What data does the integration receive, store, or log?
- What tokens, keys, or scopes does it require?
- Can it execute customer-controlled or repository-controlled code?
- Can it modify artifacts, config, or production state?
- How are incidents, revocations, and emergency disablement handled?
- What audit trail exists for sensitive actions?
- How are updates shipped and communicated?
Extra questions for agents, runners, and plugins
- Is execution isolated per run?
- Can a previous job or tenant leave residue for a later one?
- What outbound network paths are allowed?
- Can the component reach metadata, vault, or deployment endpoints?
- How quickly can the organization cut it off if compromise is suspected?
Release-critical answers
Treat these as approval gates:
- required scopes or trust relationships;
- code-execution model;
- data handling and retention model;
- emergency disable path;
- audit and notification model for sensitive actions.
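One way to act on these gates, as an added example that is not part of the original page: a small Python evaluation that takes a vendor's answers as a structured record, treats an unanswered release-critical question as a finding rather than a blank, and separates blocking findings from escalations and nice-to-know context. The field names, the scope and data-class names, the 90-day retention threshold and the two sample answer sets are constructed assumptions for illustration.

```python
"""Approval-gate evaluation for a vendor integration questionnaire.

Added example, not part of the original page. It encodes the five
release-critical gates as checks over a structured answer record.
Field names, scope names and sample answers are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Scopes that grant write access to code, deployments or secrets.
# Constructed names; substitute the real scope names of the IdP/SCM in use.
HIGH_RISK_SCOPES = {"repo:write", "deploy", "secrets:read", "org:admin"}
SENSITIVE_DATA_CLASSES = {"pii", "secrets", "source_code", "credentials"}


@dataclass
class Answers:
    """One vendor's answers. None means the question was not answered."""
    scopes: Set[str]
    executes_untrusted_code: bool
    isolated_per_run: Optional[bool]
    outbound_network_restricted: Optional[bool]
    can_reach_metadata_or_vault: Optional[bool]
    data_classes_received: Set[str]
    retention_days: Optional[int]
    emergency_disable_path: Optional[str]
    audit_log_for_sensitive_actions: bool
    notifies_on_sensitive_actions: bool


@dataclass
class GateResult:
    decision: str  # "approve", "escalate" or "block"
    blocking: List[str] = field(default_factory=list)
    escalations: List[str] = field(default_factory=list)
    nice_to_know: List[str] = field(default_factory=list)


def evaluate_gates(a: Answers) -> GateResult:
    """Apply the release-critical gates; an unanswered gate counts as a finding."""
    r = GateResult(decision="approve")

    # Gate 1: required scopes or trust relationships.
    risky = a.scopes & HIGH_RISK_SCOPES
    if risky:
        r.escalations.append(f"high-risk scopes requested: {sorted(risky)}")

    # Gate 2: code-execution model. Only relevant if the vendor executes
    # customer- or repository-controlled code at all.
    if a.executes_untrusted_code:
        if a.isolated_per_run is not True:
            r.blocking.append("untrusted code runs without per-run isolation (or unanswered)")
        if a.can_reach_metadata_or_vault is not False:
            r.blocking.append("executed code can reach metadata/vault endpoints (or unanswered)")
        if a.outbound_network_restricted is not True:
            r.escalations.append("outbound network for executed code unrestricted (or unanswered)")

    # Gate 3: data handling and retention model.
    sensitive = a.data_classes_received & SENSITIVE_DATA_CLASSES
    if sensitive:
        if a.retention_days is None:
            r.blocking.append(f"receives {sorted(sensitive)} but retention is unanswered")
        elif a.retention_days > 90:  # constructed threshold
            r.escalations.append(f"retains {sorted(sensitive)} for {a.retention_days} days")

    # Gate 4: emergency disable path.
    if not a.emergency_disable_path:
        r.blocking.append("no documented emergency disable path")

    # Gate 5: audit and notification model for sensitive actions.
    if not a.audit_log_for_sensitive_actions:
        r.blocking.append("no audit trail for sensitive actions")
    elif not a.notifies_on_sensitive_actions:
        # Useful context, but not a reason to hold the release.
        r.nice_to_know.append("sensitive actions are logged but not proactively notified")

    if r.blocking:
        r.decision = "block"
    elif r.escalations:
        r.decision = "escalate"
    return r


# Constructed sample: a CI runner plugin that executes repository code.
SAMPLE_RUNNER = Answers(
    scopes={"repo:read", "repo:write"}, executes_untrusted_code=True,
    isolated_per_run=True, outbound_network_restricted=True,
    can_reach_metadata_or_vault=None,  # vendor left this question blank
    data_classes_received={"source_code", "build_logs"}, retention_days=30,
    emergency_disable_path="revoke app installation; see vendor runbook",
    audit_log_for_sensitive_actions=True, notifies_on_sensitive_actions=False,
)

# Constructed sample: a read-only webhook consumer with no code execution.
SAMPLE_WEBHOOK = Answers(
    scopes={"repo:read"}, executes_untrusted_code=False,
    isolated_per_run=None, outbound_network_restricted=None,
    can_reach_metadata_or_vault=None,
    data_classes_received={"issue_metadata"}, retention_days=None,
    emergency_disable_path="rotate and disable webhook secret in admin console",
    audit_log_for_sensitive_actions=True, notifies_on_sensitive_actions=True,
)

if __name__ == "__main__":
    for name, answers in (("runner", SAMPLE_RUNNER), ("webhook", SAMPLE_WEBHOOK)):
        res = evaluate_gates(answers)
        print(name, res.decision, res.blocking, res.escalations, res.nice_to_know)
```

The point of the `Optional` fields is that a gated question the vendor skipped is handled as if answered unfavourably: the runner sample is blocked solely because the metadata/vault question was left blank, even though its isolation and disable-path answers are good. The webhook sample passes because the code-execution and retention gates do not apply to a component that neither executes code nor receives a sensitive data class.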
Related pages
- Vendor Agents, Runners, and Build-Integration Trust Boundaries
- Webhooks, OAuth, and SaaS Integration Security
Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.