NSAuditor AI EE 0.13.3 Deepens Plugin 1220: Blob Recoverability + Per-Container Public Access Close the Two Secondary-Resource-Path Gaps Flagged by the 0.13.2 Adversarial Review
EE 0.13.3 deepens the Azure Storage hardening auditor with two new dimensions — blob recoverability and per-container anonymous public access — closing the two boundary gaps flagged at 0.13.2.
Las Vegas, NV — May 26, 2026 — Nsasoft US LLC has released NSAuditor AI Enterprise Edition v0.13.3, a deepening cycle on the Azure Storage Account Data-Protection Auditor that landed three days ago in EE 0.13.2. The new release closes the two coverage-boundary items the 0.13.2 adversarial false-negative review explicitly flagged as scope-deferred — now testable end-to-end against newly-provisioned Azure fixtures.
Plugin count is unchanged at 26 Enterprise Edition plugins. This is a deepening of plugin 1220, not a new plugin. All six supported compliance coverage matrices — SOC 2, HIPAA Security Rule §164.312, NIST CSF 2.0, PCI DSS v4.0.1, ISO/IEC 27001:2022, and CIS Critical Security Controls v8 — remain unchanged at 10/4/33, 7/3/45, 13/10/83, 20/8/39, 17/14/62, and 17/22/114 respectively. The 0.13.3 release is pure substrate-depth uplift on already-covered controls.
The cycle ships as the 35th consecutive trio-publish in the institutionalized release cadence — restricted Enterprise Edition 0.13.3 paired with public Community Edition 0.1.78 and public agent-skill 0.1.45.
What the 0.13.2 review flagged — and why it matters
When EE 0.13.2 shipped the first dedicated Azure auditor three days ago, the team published the result of its adversarial review explicitly: results-trustworthy-with-caveats. The plugin read the account-level data-protection surface accurately, but two real exposure classes lived on secondary resource paths the scanner never walked.
The first: an Azure Storage Account fully hardened on the original five dimensions — HTTPS-only transit, TLS 1.2, no Shared-Key authorization, infrastructure encryption, customer-managed-key reachability — can still be one Remove-AzStorageBlob from permanent loss if blob soft-delete and versioning are off.
The second: a blob container with publicAccess=Blob or publicAccess=Container is anonymous-internet-readable when the account-level allowBlobPublicAccess toggle is also true — and plugin 1022 catches only the account-level toggle, never the specific public container.
EE 0.13.3 walks both secondary paths.
Dim 6 — Blob recoverability (blobServices.getServiceProperties)
Plugin 1220 now reads the secondary blob-service path on every audited Storage Account:
- Blob soft-delete via deleteRetentionPolicy — disabled is a MEDIUM finding (no recovery window for deleted blobs); enabled passes the substrate.
- Blob versioning via isVersioningEnabled — disabled is a LOW finding (an overwrite or delete has no prior-version recovery); enabled passes the substrate.
- A denied or failed secondary read degrades to a LOW evidence-gap (class G in the platform’s false-negative taxonomy), never a silent recoverability PASS.
Findings route to SOC 2 A1.2 (Availability — Recovery Procedures), HIPAA §164.312(c)(1) Integrity, NIST CSF 2.0 PR.DS-11, ISO/IEC 27001:2022 A.8.13 Backup, and CIS Controls v8 11.1. PCI DSS has no covered backup sub-requirement at the platform’s current scope and is correctly skipped.
Dim 7 — Per-container anonymous public access (blobContainers.list, account-toggle-aware)
Plugin 1220 now enumerates blob containers on every audited Storage Account and reasons about the account-level toggle:
- A public container — publicAccess=Blob or publicAccess=Container — combined with account allowBlobPublicAccess=true is a HIGH finding labelled “EFFECTIVE exposure.” It is the Azure analog of a public S3 bucket.
- A public container while the account toggle is false is a MEDIUM latent finding. Azure overrides to private today; the exposure becomes effective the instant the toggle is enabled.
- All containers private passes the substrate; a denied enumeration degrades to an evidence-gap.
Findings route to SOC 2 C1.1, HIPAA §164.312(a)(1), NIST CSF 2.0 PR.DS-01, PCI DSS v4.0.1 7.2.1, ISO/IEC 27001:2022 A.8.3, and CIS Controls v8 3.3.
Live-validated against purpose-built fixtures
Two Azure fixtures were provisioned for this arc and made the new dimensions live-testable. The deliberately-misconfigured nsapubcontainersa47291 (containing a public blob container) emitted the expected HIGH on Dim 7 — anonymous public access AND account-level toggle true. The Dim 6 read flagged the accounts lacking blob soft-delete and versioning. The platform’s COMPLIANT fixtures were then tuned — soft-delete and versioning enabled — so they stay all-green under the deepened plugin and the green-streak holds.
Adversarial review — SHIP
Plugin 1220 was re-reviewed through the platform’s audit-cloud-plugin-false-negatives lens against the 14-class taxonomy and shipped clean. Both new dimensions walk their class-C secondary paths, apply class-D Azure field defaults (absent soft-delete / versioning = disabled; absent container publicAccess = private per Azure default), degrade to class-G evidence-gap on denied reads, apply class-B enum case-normalization, and use class-H for await pagination to exhaustion.
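The Dim 6 and Dim 7 decision rules described above, together with the field defaults and enum case-normalization named in the review, as an added JavaScript sketch. It is not NSAuditor's code: the function names, the finding shape and the sample objects are assumptions, and a null input stands in for a denied or failed read.

```javascript
// Added sketch, not NSAuditor code. Inputs are plain objects shaped like the
// fields the page names; a null input stands for a denied or failed read.
const finding = (dim, severity, status, detail) => ({ dim, severity, status, detail });

// Dim 6: blob recoverability from blob-service properties.
function auditRecoverability(props) {
  if (props == null) {
    // Failed secondary read: LOW evidence-gap, never a silent PASS.
    return [finding(6, 'LOW', 'EVIDENCE_GAP', 'blob service properties unreadable')];
  }
  const out = [];
  // Absent fields are treated as disabled (the page's class-D default).
  const softDelete = props.deleteRetentionPolicy?.enabled === true;
  const versioning = props.isVersioningEnabled === true;
  if (!softDelete) out.push(finding(6, 'MEDIUM', 'FAIL', 'blob soft-delete disabled'));
  if (!versioning) out.push(finding(6, 'LOW', 'FAIL', 'blob versioning disabled'));
  return out.length ? out : [finding(6, null, 'PASS', 'soft-delete and versioning enabled')];
}

// Dim 7: per-container public access, aware of the account-level toggle.
// accountToggle is allowBlobPublicAccess as an explicit boolean (assumption:
// the page does not say how an absent account toggle is treated).
function auditContainers(accountToggle, containers) {
  if (containers == null) {
    // The page gives no severity for this gap, so none is set here.
    return [finding(7, null, 'EVIDENCE_GAP', 'container enumeration denied')];
  }
  const out = [];
  for (const c of containers) {
    // Case-normalize the enum; absent publicAccess means private.
    const access = String(c.publicAccess ?? 'None').toLowerCase();
    if (access !== 'blob' && access !== 'container') continue;
    out.push(accountToggle === true
      ? finding(7, 'HIGH', 'FAIL', `EFFECTIVE exposure: ${c.name}`)
      : finding(7, 'MEDIUM', 'FAIL', `latent exposure: ${c.name}`));
  }
  return out.length ? out : [finding(7, null, 'PASS', 'all containers private')];
}

// Constructed sample data, not output from a real scan.
const sampleContainers = [
  { name: 'logs' },                          // publicAccess absent -> private
  { name: 'assets', publicAccess: 'BLOB' },  // odd casing still counts as public
  { name: 'backups', publicAccess: 'None' },
];
console.log(auditRecoverability({ deleteRetentionPolicy: { enabled: true } }));
console.log(auditContainers(true, sampleContainers));
console.log(auditContainers(false, sampleContainers));
```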
The review surfaced three explicit scope-deferred items for a future cycle — noted, not missed: deeper recoverability signals (containerDeleteRetentionPolicy, point-in-time-restore, change feed), SAS-token scope and stored-access-policy container exposure beyond publicAccess, and a pinned-or-disabled-key fixture to live-exercise the CMK degrade tiers (the PASS branch is already live-exercised).
Regression baseline
The Enterprise Edition test suite runs 6,454 tests and passes all of them — a +9 net increase against the EE 0.13.2 baseline of 6,445, with 24 tests in the plugin-1220 suite. The 81-session 100% green streak is preserved. Additive only — no breaking changes.
Availability
NSAuditor AI EE 0.13.3 is recommended for every existing customer auditing Azure Storage workloads — especially organizations subject to SOC 2 Availability criterion A1.2, HIPAA Security Rule integrity, or PCI DSS data-access scope at the container level. The hexa-framework one-scan workflow — --compliance soc2,hipaa,nist-csf,pci-dss,iso-27001,cis-v8 — produces six separate auditor-ready evidence packs from a single scan. The release is available immediately through npm under restricted-access distribution; no license re-installation is required for existing customers. EE 0.13.2, Community Edition 0.1.77, and agent-skill 0.1.44 are deprecated on this publish with paired-pointer messages.
Install (Enterprise Edition; restricted npm token required):
npm install -g nsauditor-ai@latest @nsasoft/nsauditor-ai-ee@latest nsauditor-ai-agent-skill@latest
The full Enterprise feature reference is at nsauditor.com/ai/enterprise; framework matrices live at nsauditor.com/ai/docs; a synthetic-fixture sample scan demonstrating the new Dim-6 and Dim-7 findings is at nsauditor.com/ai/docs/sample-scan. Trial requests and enterprise inquiries: enterprise@nsasoft.us.
About Nsasoft US LLC
Nsasoft US LLC is a Las Vegas-based network security software company specializing in privacy-first, AI-assisted security tooling. Customer credentials and scan data never leave the host — all AI inference and CVE matching run against customer-controlled keys or fully offline NVD feeds. Press: info@nsasoft.us.