NSAuditor AI EE 0.3.3 Closes Second “False-Clean” SOC 2 Reporting Bug in Azure Plugin, Extends Coverage to Multi-Cloud (AWS + Azure)

EE 0.3.3 closes a Critical false-clean reporting bug in the Azure plugin — same failure mode 0.3.2 fixed, recurring under a different canonical shape. CC6.1, CC6.6, C1.1 gain Azure evidence rules.


LAS VEGAS, NV — May 8, 2026 — Nsasoft US LLC, a network security and AI-assisted audit software company, today announced the immediate availability of NSAuditor AI Enterprise Edition (EE) v0.3.3. The release ships through npm under restricted-access distribution and is recommended for every existing 0.3.2 customer running Azure or planning multi-cloud SOC 2 evidence collection. EE 0.3.3 pairs with the existing Community Edition v0.1.30 — no CE bump required. EE 0.3.2 is explicitly deprecated on npm.

1. The second “false-clean” SOC 2 reporting bug — Azure edition — is closed

EE 0.3.2 closed the AWS-side false-clean bug by introducing the cloud-finding harvester. The harvester reads each cloud plugin’s findings out of pm.run().results[] and routes them into the compliance engine — but it only recognized one canonical shape: { resource, severity, issues: [text] }, the shape plugin 020 (aws-s3-auditor) emits.

Plugin 022 (azure-cloud-scanner) was emitting a different shape. All three Azure audit functions (NSG ingress, RBAC role assignments, Storage account hardening) returned { severity, finding, resource }: finding singular, not issues[]. The harvester didn’t recognize the shape. Findings were generated correctly, sat in the result tree, and were silently dropped before reaching the compliance engine. Customers running --compliance soc2 --host azure would see “6 / 6 covered controls passing” against an Azure subscription with real RBAC misconfigurations, wide-open NSG ingress rules, and unencrypted Storage accounts.

This is the same failure mode that EE 0.3.2 announced as fixed — recurring in a different cloud surface because the canonical shape contract wasn’t enforced platform-wide.

EE 0.3.3 rewrites all three Azure audit functions to emit the canonical { resource, severity, issues[] } shape, and the reviewer pass also caught a parallel bug in the same plugin: the per-finding loop in run() still read f.finding after the audit functions had been migrated to f.issues[]. That would have produced [CRITICAL] undefined strings in the auditor-facing evidence banner. Fixed before ship.
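The failure described above is a harvester that accepts one shape and quietly ignores everything else. As an added illustration (not NSAuditor code; the plugin names, rule table, result tree layout and findings are all constructed), the harvester below validates the canonical { resource, severity, issues[] } shape, keeps a record of every entry it rejected, and lets the compliance evaluation mark a control as unknown when one of its evidence sources was rejected, so a subscription with dropped findings can never report as clean:

```javascript
// Added example, not NSAuditor code. Plugin names, rules, result layout and
// findings are constructed for the demonstration.

// Canonical shape every cloud plugin is expected to emit.
function isCanonical(f) {
  return Boolean(f) && typeof f === 'object'
    && typeof f.resource === 'string'
    && typeof f.severity === 'string'
    && Array.isArray(f.issues)
    && f.issues.every((s) => typeof s === 'string');
}

// Harvest findings from a run-result tree. Returns the canonical findings plus
// a list of rejected entries (plugin + the keys it actually emitted), so the
// caller can see exactly which plugin drifted instead of losing the evidence.
function harvest(results) {
  const findings = [];
  const rejected = [];
  for (const r of results) {
    for (const f of r.findings || []) {
      if (isCanonical(f)) {
        findings.push({ plugin: r.plugin, ...f });
      } else {
        rejected.push({ plugin: r.plugin, keys: Object.keys(f || {}).sort() });
      }
    }
  }
  return { findings, rejected };
}

// Evaluate rules against harvested findings. A control is "fail" when an issue
// string matches its pattern, "unknown" when any plugin feeding that control
// had findings rejected (its evidence is incomplete), and "pass" only when
// neither is true. The false-clean outcome is structurally impossible here.
function evaluate(rules, harvested) {
  const out = {};
  for (const rule of rules) {
    const hits = harvested.findings.filter((f) =>
      f.issues.some((s) => rule.titlePattern.test(s)));
    const blind = harvested.rejected.some((x) => rule.plugins.includes(x.plugin));
    out[rule.control] = hits.length ? 'fail' : (blind ? 'unknown' : 'pass');
  }
  return out;
}

// Constructed sample run: one plugin emits the canonical shape, the other the
// legacy { finding } singular shape that the pre-0.3.3 harvester dropped.
const SAMPLE_RESULTS = [
  { plugin: 'aws-s3-auditor', findings: [
    { resource: 's3://example-bucket', severity: 'HIGH', issues: ['Bucket example-bucket: public ACL'] },
  ] },
  { plugin: 'azure-cloud-scanner', findings: [
    { severity: 'CRITICAL', finding: 'Owner role assigned to user@example.com at subscription scope', resource: '/subscriptions/sub-0' },
  ] },
];

// Constructed rule table (control, which plugins feed it, anchored pattern).
const SAMPLE_RULES = [
  { control: 'CC6.1', plugins: ['azure-cloud-scanner'], titlePattern: /^Owner role assigned to \S+ at subscription scope$/ },
  { control: 'CC6.6', plugins: ['aws-s3-auditor'], titlePattern: /^Bucket \S+: public ACL$/ },
];

function harvestDemo() {
  return evaluate(SAMPLE_RULES, harvest(SAMPLE_RESULTS));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(harvestDemo());
}
```

With the constructed input, CC6.6 fails on the S3 finding and CC6.1 comes back unknown rather than pass, because the Azure entry was rejected as non-canonical. The rejected list (plugin plus emitted keys) is the same signal a drift test would assert on in CI.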

“We told customers in 0.3.2 that the false-clean class was closed. It wasn’t — Azure was holding the same bug under a different shape. We caught it ourselves at dogfood, but we shouldn’t have shipped it. The drift-detector test that now spans every cloud plugin is the structural fix.”

2. Plugin 021 (gcp-cloud-scanner) — preventive port

The GCP plugin had the same { finding } singular shape plugin 022 had — and would have produced the same false-clean reporting class for GCP customers the moment a customer ran --compliance soc2 --host gcp. Mechanical port to the canonical shape applied in 0.3.3 along with the matching f.issues.join('; ') fix in the run-loop. (gcp-cloud-scanner mapsToFindings rules in soc2.json are still pending for v0.4.0; the shape is now correct so when the GCP rules ship, findings will route through the harvester immediately rather than re-litigating the contract.)

3. Mapped coverage extends to Azure: 6 new evidence rules, 3 controls

| Pattern (Azure) | Maps to |
|---|---|
| Owner role assigned to <principal> at subscription scope | CC6.1 — least privilege at the broadest blast-radius scope |
| Contributor role assigned to <principal> at subscription scope | CC6.1 — Contributor at sub-scope is effectively admin for the resource layer |
| User Access Administrator role assigned to <principal> at subscription scope | CC6.1 — UAA at sub-scope is the privesc primitive auditors specifically test for |
| NSG <name>: 0.0.0.0/0 → port <p> (anchored regex) | CC6.6 — perimeter ingress without source restriction |
| Storage account <name>: defaultAction = Allow | C1.1 — confidential workload network-boundary opt-out |
| Storage account <name>: allowBlobPublicAccess = true | C1.1 — confidential workload public-blob exposure |

CC6.1, CC6.6, and C1.1 were already covered for AWS — those three controls now have both AWS-side and Azure-side evidence rows in docs/soc2-coverage.md, which is what auditors mean when they ask whether a tool “supports multi-cloud.”

4. Class-of-bug drift detector now spans all three cloud plugins

EE 0.3.2 introduced the plugin-emission drift detector — a test that asserts every titlePattern regex in soc2.json matches at least one canonical issue string the corresponding plugin emits, and vice versa. In 0.3.2 this covered aws-s3-auditor and aws-iam-deep-auditor. In 0.3.3 the table extends to azure-cloud-scanner, with both forward (rule → plugin) and reverse (plugin → rule) cross-walks. Future plugin renames or soc2.json rule edits will fail CI rather than silently drift into a third false-clean variant.
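The forward and reverse cross-walk is simple enough to show end to end. The following is an added example, not the project’s drift-detector test: the rule table stands in for soc2.json and the per-plugin issue-string catalogue stands in for what a fixture run of each plugin would emit (in a real test those strings come from running the plugin, not from a literal). It uses the anchored NSG pattern from the coverage table above and is built so that both directions of drift show up in the constructed data:

```javascript
// Added example, not NSAuditor code. Rules, plugin names and emitted strings
// are constructed; a real test would collect emissions from fixture runs.

// Constructed catalogue of issue strings each plugin can emit.
const PLUGIN_EMISSIONS = {
  'azure-cloud-scanner': [
    'Owner role assigned to app@example.com at subscription scope',
    'NSG web-nsg: 0.0.0.0/0 → port 22',
    'Storage account stexample: allowBlobPublicAccess = true',
  ],
  'aws-s3-auditor': [
    'Bucket example-bucket: public ACL',
  ],
};

// Constructed rule table in the spirit of soc2.json: control, source plugin,
// anchored titlePattern. Anchoring (^ ... $) is deliberate: an unanchored
// /0\.0\.0\.0\/0/ would also match a deny rule or a free-text description.
const RULES = [
  { control: 'CC6.1', plugin: 'azure-cloud-scanner', titlePattern: /^Owner role assigned to \S+ at subscription scope$/ },
  { control: 'CC6.6', plugin: 'azure-cloud-scanner', titlePattern: /^NSG \S+: 0\.0\.0\.0\/0 → port \d+$/ },
  { control: 'C1.1',  plugin: 'azure-cloud-scanner', titlePattern: /^Storage account \S+: defaultAction = Allow$/ },
  { control: 'CC6.6', plugin: 'aws-s3-auditor',      titlePattern: /^Bucket \S+: public ACL$/ },
];

// Forward cross-walk (rule → plugin): rules whose pattern matches nothing the
// plugin emits. Such a rule can never fire, so its control always "passes".
function deadRules(rules, emissions) {
  return rules
    .filter((r) => !(emissions[r.plugin] || []).some((s) => r.titlePattern.test(s)))
    .map((r) => `${r.control}:${r.plugin}:${r.titlePattern.source}`);
}

// Reverse cross-walk (plugin → rule): emitted strings no rule claims. These
// reach the compliance engine and fall through without evidence routing.
function orphanEmissions(rules, emissions) {
  const orphans = [];
  for (const [plugin, strings] of Object.entries(emissions)) {
    for (const s of strings) {
      const claimed = rules.some((r) => r.plugin === plugin && r.titlePattern.test(s));
      if (!claimed) orphans.push(`${plugin}:${s}`);
    }
  }
  return orphans;
}

// A CI test would assert both arrays are empty; here the constructed data
// deliberately contains one problem in each direction.
function driftReport(rules = RULES, emissions = PLUGIN_EMISSIONS) {
  return { dead: deadRules(rules, emissions), orphans: orphanEmissions(rules, emissions) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(driftReport());
}
```

In the constructed data the C1.1 defaultAction rule is dead (the plugin never emits that string) and the allowBlobPublicAccess emission is an orphan (no rule claims it). Either one is exactly the kind of rename or rule edit that would otherwise drift silently into the next false-clean variant; the CI assertion is simply that both lists are empty.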

5. Production-bug fixes you can stop working around

  • Plugin 022 RBAC duplicate emission (EE-0.3.3.3) — The same Owner-at-subscription-scope role assignment was being emitted twice for the same principal — once when iterating role assignments and again when re-walking inherited scope. Set-based dedup on (principalId, scope, roleDefinitionId) matches the dedup behavior plugin 020 has had since 0.3.0.
  • @azure/arm-authorization version pin fix (EE-0.3.3.1) — Peer-dep was pinned at ^10.0.0. The latest version published to npm is 9.0.0; 10.0.0 doesn’t exist. Customers running a clean install of 0.3.2 against Azure would have hit Could not resolve @azure/arm-authorization@^10.0.0. Lowered to ^9.0.0.
  • @azure/arm-storage missing optionalDependency (EE-0.3.3.5) — Caught at the clean-tarball pre-publish smoke against a fresh global install: the Storage audit silently no-op’d because the SDK wasn’t installed, and the dogfood Azure subscription returned 1 finding instead of the expected 2. Added "@azure/arm-storage": "^19.0.0" to optionalDependencies. The pre-publish gate (npm pack → npm install -g <tarball> → smoke against a real subscription) is now the canonical ship gate — caught this before any customer saw it.
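The RBAC duplicate-emission fix in the first bullet is a dedup keyed on the full (principalId, scope, roleDefinitionId) tuple. As an added example (not plugin 022’s code; the assignment records, role-definition ids and the two enumeration passes are constructed), this shows why the key needs all three fields and how the direct listing and the inherited-scope re-walk collapse to one canonical finding:

```javascript
// Added example, not NSAuditor code. Assignment records, ids and the two
// enumeration passes are constructed for the demonstration.

// Constructed: the direct role-assignment listing and the inherited-scope
// re-walk both surface the same Owner assignment for principal p-1.
const DIRECT = [
  { principalId: 'p-1', scope: '/subscriptions/sub-0', roleDefinitionId: 'role-owner' },
  { principalId: 'p-2', scope: '/subscriptions/sub-0/resourceGroups/rg-a', roleDefinitionId: 'role-contributor' },
];
const INHERITED = [
  { principalId: 'p-1', scope: '/subscriptions/sub-0', roleDefinitionId: 'role-owner' },
];

// Constructed role-definition id → display name for the privileged roles.
const PRIVILEGED = {
  'role-owner': 'Owner',
  'role-contributor': 'Contributor',
  'role-uaa': 'User Access Administrator',
};

// All three fields belong in the key: the same principal may legitimately
// hold the same role at two different scopes, and two roles at one scope.
function assignmentKey(a) {
  return `${a.principalId}|${a.scope}|${a.roleDefinitionId}`;
}

// Set-based dedup across any number of enumeration passes; first sighting wins.
function dedupAssignments(...passes) {
  const seen = new Set();
  const unique = [];
  for (const pass of passes) {
    for (const a of pass) {
      const k = assignmentKey(a);
      if (seen.has(k)) continue;
      seen.add(k);
      unique.push(a);
    }
  }
  return unique;
}

// Emit one canonical { resource, severity, issues[] } finding per privileged
// role held directly at subscription scope (resource-group scopes are skipped).
function auditRbac(assignments) {
  return assignments
    .filter((a) => PRIVILEGED[a.roleDefinitionId] && /^\/subscriptions\/[^\/]+$/.test(a.scope))
    .map((a) => ({
      resource: a.scope,
      severity: 'CRITICAL',
      issues: [`${PRIVILEGED[a.roleDefinitionId]} role assigned to ${a.principalId} at subscription scope`],
    }));
}

function rbacDemo() {
  return auditRbac(dedupAssignments(DIRECT, INHERITED));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(rbacDemo());
}
```

Without the dedup, the constructed input yields the same Owner finding twice; with it, one finding whose issue string matches the anchored CC6.1 pattern from the coverage table above.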

Coverage Matrix — AICPA Trust Services Criteria 2017

| Status | Count | Trust Services Criteria | New in 0.3.3 |
|---|---|---|---|
| Covered | 8 | CC6.1, CC6.2, CC6.6, CC6.7, CC6.8, CC7.1, C1.1, C1.2 | CC6.1 + CC6.6 + C1.1 now have Azure-side evidence rows in addition to AWS |
| Partial | 5 | CC6.3, CC7.2, CC7.3, CC8.1, A1.2 | |
| Out of scope | 34 | CC1.*, CC2.*, CC3.*, CC4.*, CC5.*, CC9.*, PI1.*, P1.0–P8.0, CC6.4, CC6.5 | |

The covered count stays at 8 / 8 (matching 0.3.2). What changed is the evidence breadth per control — three of those eight now produce evidence from both AWS and Azure surfaces. Full per-control evidence table at docs/soc2-coverage.md.

Upgrade path for existing customers

# Existing 0.3.2 EE install — CE stays put at 0.1.30
npm install -g @nsasoft/nsauditor-ai-ee@latest

# No license re-install needed — license storage is unchanged from CE 0.1.30.
nsauditor-ai license --status

Existing 0.3.2 deployments are deprecated on npm with explicit pointers to the 0.3.3 upgrade target. Customers running AWS-only workloads still benefit from the canonical-shape contract enforcement (the GCP-side preventive port) and the extended drift detector — even if they never touch the Azure plugin.

About Nsasoft US LLC

Nsasoft US LLC is a Las Vegas-based network security software company specializing in privacy-first, AI-assisted security tooling. The company develops open-core security scanners, infrastructure auditing tools, and SOC 2 readiness products for enterprise and developer audiences. Customer credentials and scan data never leave the host — all AI inference and CVE matching happen against customer-controlled API keys or fully offline NVD feeds.

Press contact: info@nsasoft.us · License & enterprise sales: enterprise@nsasoft.us · Security advisories: security@nsasoft.us

— Read the full SOC 2 multi-cloud guide at nsauditor.com/ai/docs/soc2/ · Source: github.com/nsasoft/nsauditor-ai-ee