NSAuditor AI EE 0.15.6 Closes Two Cross-Framework Audit-Routing Defects on S3 Public-Exposure — NIST CSF and PCI DSS Now Catch a Public Bucket; A Missing Guardrail No Longer Reads as a Confirmed Breach

EE 0.15.6 fixes two cross-framework audit-routing defects: NIST CSF and PCI DSS now catch a public S3 bucket, and a missing Public Access Block no longer false-FAILs a private bucket. No matrix shift.


Nsasoft US LLC has shipped NSAuditor AI EE 0.15.6, the forty-fourth consecutive trio-publish of its local-first, zero-data-exfiltration enterprise security scanner. The release is a compliance-mapping correctness patch — it fixes two cross-framework defects in how S3 public-exposure findings route to the six supported compliance frameworks. No plugin changes, no behavior changes, plugin count UNCHANGED at 28, all six coverage matrices UNCHANGED.

The two defects, in plain terms

An audit tool’s worst failure is a false report: either a real exposure that shows CLEAN (a false negative) or a clean resource reported as a violation (a false positive). NSAuditor AI runs its findings through six compliance frameworks, and the engineering team found both classes hiding in one place: S3 public-exposure routing. A publicly accessible S3 bucket — the canonical cloud data leak — was correctly flagged on SOC 2, HIPAA, ISO/IEC 27001:2022, and CIS Controls v8, but showed CLEAN on NIST CSF and PCI DSS. Separately, a missing guardrail (no Public Access Block) on an otherwise-private bucket was reported as if the bucket were confirmed public — the kind of false FAIL a PCI QSA rejects on sight. EE 0.15.6 closes both, with no change to the coverage matrices (the controls were already covered — this is routing correctness, not new scope).

Fix 1 — NIST CSF and PCI DSS now catch a public S3 bucket

Plugin 1020’s S3 public-exposure CRITICALs (public bucket policy, bucket ACL, object ACL, or non-current object version granting AllUsers or AuthenticatedUsers) now route to NIST CSF PR.AA-05 (access permissions / least-privilege) and NIST CSF PR.DS-01 (data-at-rest confidentiality, as a dual-map alongside PR.AA-05), and to PCI DSS Requirement 7.2.1 (access-control model). The PCI mapping carries an explicit CDE-scope caveat: whether the bucket holds cardholder data is the operator’s Data-Flow-Diagram determination, which the engine surfaces but does not assert.

Fix 2 — A missing guardrail no longer reads as a confirmed breach

The finding for a bucket with no Public Access Block — “bucket may be publicly accessible … not confirmed public” — is a defense-in-depth gap, not a confirmed exposure. The 0.15.2 calibration already rated it MEDIUM for exactly that reason. But its text still matched the broad “publicly accessible” routing rule, so it false-FAILed the confidentiality-exposure controls identically to a confirmed-public bucket. The rule is tightened to match only the confirmed-public phrasings (“bucket is publicly accessible” or “objects publicly accessible”) across all six frameworks; the guardrail-gap finding is still reported to the operator as a MEDIUM in the raw scan, but no longer trips a compliance control. All 9 aws-s3-auditor anchors across all 6 frameworks were re-anchored to the identical regex /(bucket is|objects) publicly accessible/i, preserving the cross-framework inheritance contract.

Two same-session review folds

  • FOLD-1: a parallel cross-framework gap on the bucket-POLICY public CRITICAL — previously mapped on SOC 2, HIPAA, and CIS but NOT on NIST, PCI, or ISO. The “Bucket policy grants public access” anchor was added to NIST PR.AA-05/PR.DS-01, PCI 7.2.1, and ISO A.5.23/A.8.3/A.8.12. All six frameworks now agree on a public bucket policy.
  • FOLD-2: the non-current-version emission introduced in EE 0.15.4 was registered in the cross-framework drift detector that watches for emission-to-anchor mismatches.
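To make the tightened routing rule from Fix 2 and the FOLD-1 bucket-policy anchor concrete, here is an added illustration that is not NSAuditor AI’s own code. The two anchor regexes are taken from the release notes; the per-framework control lists, the pre-fix “broad” rule and the sample finding texts are assumptions and constructed samples.

```javascript
// Added illustration of the EE 0.15.6 S3 routing rule; not NSAuditor AI's own code.
// CONFIRMED_PUBLIC and PUBLIC_POLICY are the anchors named in the release notes; the
// control lists, OLD_BROAD_RULE and the finding texts are assumptions / constructed.
const CONFIRMED_PUBLIC = /(bucket is|objects) publicly accessible/i; // 0.15.6 anchor
const PUBLIC_POLICY = /bucket policy grants public access/i;         // FOLD-1 anchor
const OLD_BROAD_RULE = /publicly accessible/i;                      // pre-fix rule, as described

// One identical anchor list feeds all six frameworks (the inheritance contract).
const S3_PUBLIC_ANCHORS = [CONFIRMED_PUBLIC, PUBLIC_POLICY];
const FRAMEWORK_CONTROLS = {
  "nist-csf": ["PR.AA-05", "PR.DS-01"],
  "pci-dss": ["7.2.1"],
  "iso-27001": ["A.5.23", "A.8.3", "A.8.12"],
  soc2: ["C1.1"],
  hipaa: ["164.312(a)(2)(iv)"],
  "cis-v8": ["3.3"],
};

// Constructed findings from one bucket: three confirmed-public vectors plus the
// missing-Public-Access-Block guardrail gap (MEDIUM, "not confirmed public").
const FINDINGS = [
  { id: "policy", severity: "CRITICAL", text: "Bucket policy grants public access to AllUsers" },
  { id: "object-acl", severity: "CRITICAL", text: "Objects publicly accessible via object ACL (AllUsers)" },
  { id: "noncurrent", severity: "CRITICAL", text: "Objects publicly accessible: non-current version ACL grants AuthenticatedUsers" },
  { id: "pab", severity: "MEDIUM", text: "Bucket may be publicly accessible (no Public Access Block); not confirmed public" },
];

// Which controls, per framework, does one finding fail? {} means raw-scan only.
function routeFinding(finding, anchors = S3_PUBLIC_ANCHORS) {
  if (!anchors.some((re) => re.test(finding.text))) return {};
  return Object.fromEntries(Object.entries(FRAMEWORK_CONTROLS).map(([fw, c]) => [fw, [...c]]));
}

// Evidence-pack view: framework -> control -> ids of the findings that fail it.
function evidencePack(findings, anchors = S3_PUBLIC_ANCHORS) {
  const pack = {};
  for (const f of findings) {
    for (const [fw, controls] of Object.entries(routeFinding(f, anchors))) {
      pack[fw] = pack[fw] || {};
      for (const ctl of controls) (pack[fw][ctl] = pack[fw][ctl] || []).push(f.id);
    }
  }
  return pack;
}

const after = evidencePack(FINDINGS);
const before = evidencePack(FINDINGS, [OLD_BROAD_RULE]);
console.log("PR.AA-05 now:", after["nist-csf"]["PR.AA-05"]);        // three CRITICALs, no "pab"
console.log("PR.AA-05 old rule:", before["nist-csf"]["PR.AA-05"]);  // "pab" included: the false FAIL
```

Under the old broad rule the guardrail-gap finding lands on the same controls as a confirmed-public bucket; under the tightened anchor it routes to no control while still appearing in the raw scan.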

Engineering discipline

Built test-first. The fix was driven by an independent multi-lens review — a NIST CSF Implementation-Tiers reviewer, a PCI DSS QSA-perspective reviewer, and a cloud false-negative reviewer — whose cardinal check (does any confirmed exposure now fail to route?) passed: no confirmed-public emission is silently dropped. The cross-framework inheritance contract is preserved by using one identical regex across all six framework mappings. Zero coverageSummary edits. EE full regression: 6638/6638 GREEN.

Validated live, on the published build

The audit was re-run from the globally-installed @latest artifact against a real test-infrastructure account — the proof that the fix works in the package customers receive, not just in unit tests:

  • AWS S3, all six frameworks. A confirmed-public bucket (public bucket policy + public object ACLs + a public non-current version) now FAILs NIST CSF PR.AA-05 + PR.DS-01 (3 CRITICALs each — previously CLEAN) and PCI DSS 7.2.1 (FAIL — previously CLEAN) alongside SOC 2 C1.1, HIPAA §164.312(a)(2)(iv), ISO 27001 A.5.23/A.8.3/A.8.12, and CIS v8 3.3. All three public-exposure vectors (bucket policy, object ACL, non-current version) route correctly.
  • The false-FAIL is gone, verified live. The same bucket emits the missing-Public-Access-Block MEDIUM finding in the raw scan — yet it now routes to zero compliance controls (before this release it would have failed NIST PR.AA-05 identically to a confirmed breach).
  • No cross-cloud regression. The Azure auditors remain healthy on the published build; the change is isolated to S3 compliance routing.
  • Install rehearsal. A clean npm i -g …@latest resolves EE 0.15.6 + CE 0.1.87 + agent-skill 0.1.54 with a clean Enterprise license re-bind.

What did NOT ship

The post-0.15.5 GCP SDK major bump (@google-cloud/compute 4→6, @google-cloud/iam 1→2, googleapis 144→173) was deliberately not in this release — reverted out and deferred pending a live-GCP smoke that bundles with a plugin 1021 project-resolution fix surfaced during this cycle’s smoke. The package-lock is restored to the 0.15.5 GCP baseline.

Trio publish — done

EE 0.15.6 ships as the forty-fourth consecutive trio-publish:

  • EE: @nsasoft/nsauditor-ai-ee 0.15.5 → 0.15.6
  • CE: nsauditor-ai 0.1.86 → 0.1.87 (paired no-op)
  • agent-skill: nsauditor-ai-agent-skill 0.1.53 → 0.1.54 (paired no-op)

All on npm latest. CE and agent-skill are paired no-op bumps that preserve the @latest pin alignment. Install:

npm install -g nsauditor-ai@latest @nsasoft/nsauditor-ai-ee@latest nsauditor-ai-agent-skill@latest

The hexa-framework one-scan workflow remains: --compliance soc2,hipaa,nist-csf,pci-dss,iso-27001,cis-v8 produces six separate auditor-ready evidence packs from a single scan. Zero data exfiltration — all evidence stays inside your infrastructure.

Full release notes at the NSAuditor AI Enterprise Edition page.