NSAuditor AI EE 0.16.0: Per-Account Cloud Scanning with --env, --aws-profile, and Sentinel-Host Plugin Auto-Scoping
EE 0.16.0 turns multi-account cloud auditing into one-liners: --env, --aws-profile, and sentinel-host plugin auto-scoping, hardened with an adversarial false-negative lens.
Security teams that audit a fleet of cloud accounts have always faced the same friction: before every scan you re-export the right credentials, and on a multi-cloud machine you hand-pick plugin IDs so one cloud’s auditors don’t pollute another cloud’s report. NSAuditor AI Enterprise Edition 0.16.0 turns both into one-liners.
--env <path> loads a per-scan dotenv (KEY=value) file — credentials, region, CLOUD_PROVIDER — for a single scan. Its values take precedence over the ambient shell, so a stale exported variable can’t quietly defeat the file you pointed at. A missing --env file is a hard error: for an audit tool, silently falling back to ambient credentials risks scanning the wrong or an empty account and emitting a false-clean report. And because ~/.aws/credentials is an INI file with multiple named profiles — not a dotenv — pointing --env at it is detected and redirected to the right flag.
--aws-profile <name> serves the native AWS multi-account case: it uses a named profile from the OS-default ~/.aws/credentials (%USERPROFILE%\.aws\credentials on Windows), clears any stale explicit access keys so the profile is authoritative, reads ~/.aws/config for region and SSO, and implies CLOUD_PROVIDER=aws so the bare command just works.
Sentinel-host plugin auto-scoping closes the multi-cloud noise problem at the source. --host aws|gcp|azure combined with --plugins all now runs only that cloud’s plugins; the other two clouds’ plugins and the non-cloud network plugins are skipped, and the skip is logged. Each per-account scan yields a clean, single-cloud evidence pack. Explicit --plugins lists are honored unchanged.
The part worth dwelling on is how the feature was hardened. The same adversarial false-negative lens NSAuditor uses on its cloud plugins — “what real exposure would this scanner bless as clean?” — was turned on the new feature itself, and it caught the most dangerous class an audit tool can ship: a configuration that produces a clean report over an account nothing actually scanned. A --host that disagrees with an explicit CLOUD_PROVIDER now fails fast instead of skipping every plugin and emitting an empty compliant report; a sentinel scope that matches zero plugins now warns loudly that nothing was audited; and the metadata that drives scoping is enforced on every cloud plugin by capability signal, not filename, so a future plugin can’t silently escape it. The pass also surfaced a pre-existing latent defect — the CLI’s bin wrapper would have made the installed command a silent no-op once an internal function was exported — caught and fixed before release with a regression test that runs the actual installed entry point.
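The fail-closed rules described for --env and in the hardening pass above can be sketched as one small resolver. This is an added example, not NSAuditor's own code; the function names, the injectable readFile parameter, the error messages and the sample values are assumptions made for illustration.

```javascript
// Added illustration, not NSAuditor code; all names here are hypothetical.
const CLOUDS = ['aws', 'gcp', 'azure'];

// Parse dotenv text (KEY=value). An INI section header such as "[default]"
// marks an AWS-style credentials file, not a dotenv, so it is refused.
function parseDotenv(text, path) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    if (/^\[[^\]]+\]$/.test(line)) {
      throw new Error(`${path} looks like an INI profile file; use --aws-profile <name>`);
    }
    const eq = line.indexOf('=');
    if (eq < 1) throw new Error(`${path}: not a KEY=value line: ${line}`);
    const value = line.slice(eq + 1).trim().replace(/^(['"])(.*)\1$/, '$2');
    vars[line.slice(0, eq).trim()] = value;
  }
  return vars;
}

// Build the environment for one scan. readFile is injectable so the
// decision logic can be exercised without touching disk.
function resolveScanEnv({ envPath, host, ambient = {}, readFile }) {
  readFile = readFile || ((p) => require('fs').readFileSync(p, 'utf8'));
  let fileVars = {};
  if (envPath !== undefined) {
    let text;
    try { text = readFile(envPath); } catch {
      // Fail closed: never fall back to ambient credentials.
      throw new Error(`--env file not readable: ${envPath}`);
    }
    fileVars = parseDotenv(text, envPath);
  }
  const env = { ...ambient, ...fileVars }; // file values beat the ambient shell
  const provider = (env.CLOUD_PROVIDER || '').toLowerCase();
  if (CLOUDS.includes(host) && provider && provider !== host) {
    throw new Error(`--host ${host} conflicts with CLOUD_PROVIDER=${provider}`);
  }
  return env;
}

// Constructed sample: a stale ambient key loses to the per-scan file.
const SAMPLE = resolveScanEnv({
  envPath: 'acct-a.env', host: 'aws',
  ambient: { AWS_ACCESS_KEY_ID: 'STALE-AMBIENT-KEY' },
  readFile: () => 'CLOUD_PROVIDER=aws\nAWS_ACCESS_KEY_ID=EXAMPLE-FILE-KEY\nAWS_REGION="us-east-1"\n',
});
```

Every rejected configuration throws before any scan would start, so a misconfigured run cannot end in an empty "clean" result.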
On the Enterprise side, all 27 cloud plugins gained a declarative cloudProvider field — pure metadata the scoping filter consumes — with no change to any plugin’s audit logic or output. Plugin count stays at 28; all six coverage matrices (SOC 2, HIPAA, NIST CSF 2.0, PCI DSS v4.0.1, ISO/IEC 27001:2022, CIS Controls v8) are unchanged; there is no dependency change to the install surface. Your license is resolved independently of --env, so no key needs to live in any per-account file.
Install or upgrade: npm install -g nsauditor-ai@latest @nsasoft/nsauditor-ai-ee@latest nsauditor-ai-agent-skill@latest. One scan with --compliance soc2,hipaa,nist-csf,pci-dss,iso-27001,cis-v8 still produces six separate auditor-ready evidence packs — all generated inside your own infrastructure, zero data exfiltration.



