NSAuditor AI EE 0.18.0 closes five GCP false-negative detection gaps

EE 0.18.0 hardens GCP auditing against false negatives — legacy-ACL public buckets, IAM impersonation completeness, and fail-closed evidence gaps. 28 plugins, six frameworks unchanged.


Nsasoft has shipped NSAuditor AI Enterprise 0.18.0, a release dedicated entirely to one of the most dangerous defect classes an audit tool can have: the false negative — a “you’re secure” verdict delivered over a live exposure. The cycle closes five specific ways a Google Cloud audit could read clean while a real, attacker-relevant hole went unseen. No new compliance controls are added: the plugin count stays at 28 and all six coverage matrices (SOC 2, HIPAA, NIST CSF 2.0, PCI DSS v4.0.1, ISO/IEC 27001:2022, and CIS Controls v8) are unchanged. This is depth on already-covered ground.

The five gaps

1. Legacy-ACL public buckets. A Cloud Storage bucket made public through a legacy ACL (allUsers or allAuthenticatedUsers) while Uniform Bucket-Level Access is disabled was reading clean — the auditor only inspected IAM-policy exposure. It now scans the bucket ACL plus a sampled object-ACL surface, and a listed-but-unreadable object surface fails closed to an evidence gap rather than a silent pass.

2. IAM impersonation completeness. A project-scope roles/iam.serviceAccountKeyAdmin binding lets a principal mint a long-lived key for any service account in the project — effectively offline impersonation of the entire estate. That now fires the project-scope impersonation finding. A service account made admin-equivalent through a custom role (granting iam.serviceAccounts.actAs and friends) is now treated as admin in the impersonation graph, so a path terminating there is detected instead of dead-ending as clean.

3. Fail-closed evidence-gap routing. A denied GCP firewall, IAM, or bucket enumeration now routes into the findings set and fails its own native controls, instead of being quietly assumed clean at the compliance layer.

4. A project-IAM check that never actually ran. The project-IAM-public check had been calling an IAM method on a client that has none, so it threw on every live run and never produced a result. It now reads project IAM through the correct client, and the fix was validated live under pure Application Default Credentials.

5. An IAM-admin client unauthenticated under pure ADC. The client powering custom-role, key-custody, and impersonation analysis set credentials only for impersonation and key-file modes; under pure Application Default Credentials it ran with no auth and returned access-denied even for a project owner. An explicit scoped credential for the ADC path fixes it — confirmed live, with the impersonation findings above firing for real.
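How gaps 1 and 3 combine in practice, as an added example that is not NSAuditor's own code: a legacy-ACL classifier over constructed bucket and object ACL data (shaped loosely like the Cloud Storage JSON API) that reports a public grantee as an exposure and routes any denied or unreadable ACL into an evidence gap that fails the control, rather than letting it read as clean. The `classify_bucket`, `control_result` and `SAMPLES` names are this example's own.

```python
from typing import Optional

# Legacy-ACL grantees that make a bucket or object world-readable.
PUBLIC_GRANTEES = {"allUsers", "allAuthenticatedUsers"}

def classify_bucket(ubla: bool, bucket_acl: Optional[list], object_acls: Optional[dict]):
    """Classify one bucket's legacy-ACL exposure. bucket_acl is a list of
    {"entity": ..., "role": ...}; object_acls maps object name -> ACL list.
    None anywhere means the read was denied (or the object was listed but
    unreadable): missing evidence, not a clean result. Returns (verdict, reasons)."""
    exposures, gaps = [], []
    if ubla:
        # UBLA makes legacy ACLs inert; IAM exposure belongs to a separate check.
        return "CLEAN", ["uniform bucket-level access on; ACLs inert"]
    if bucket_acl is None:
        gaps.append("bucket ACL read denied")
    else:
        for e in bucket_acl:
            if e.get("entity") in PUBLIC_GRANTEES:
                exposures.append(f"bucket ACL: {e['role']} to {e['entity']}")
    if object_acls is None:
        gaps.append("object listing denied")
    else:
        for obj, acl in object_acls.items():
            if acl is None:
                gaps.append(f"object {obj} listed but ACL unreadable")
                continue
            for e in acl:
                if e.get("entity") in PUBLIC_GRANTEES:
                    exposures.append(f"object {obj}: {e['role']} to {e['entity']}")
    if exposures:          # a confirmed exposure outranks any gap
        return "PUBLIC", exposures
    if gaps:               # missing evidence fails closed instead of passing
        return "EVIDENCE_GAP", gaps
    return "CLEAN", ["no public grantee in bucket or sampled object ACLs"]

def control_result(verdict: str) -> str:
    """Fail-closed mapping onto the native control: only CLEAN passes."""
    return "PASS" if verdict == "CLEAN" else "FAIL"

# Constructed sample buckets as (ubla, bucket_acl, object_acls); not real infrastructure.
SAMPLES = {
    "legacy-public": (False, [{"entity": "allUsers", "role": "READER"}], {"a.txt": []}),
    "half-readable": (False, [], {"a.txt": [], "b.txt": None}),
    "ubla-on": (True, None, None),
}
```

Run `classify_bucket(*SAMPLES["half-readable"])` to see the listed-but-unreadable object turn into an EVIDENCE_GAP that `control_result` maps to FAIL.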

Caught before they shipped

The last two were pre-existing defects that unit tests could not see. Both were surfaced by a new mandatory pre-publish validation gate — pack the release, install it globally, run it against real cloud test infrastructure, then run it again under pure account-owner credentials. The same live run confirmed the impersonation fixes working. It is a useful illustration of why a “clean” result is only as trustworthy as the path that produced it: a false positive wastes an analyst’s time, but a false negative ships silent risk.

Availability

NSAuditor AI EE 0.18.0 is live on npm alongside Community Edition 0.2.1 and agent-skill 0.2.1. Install with npm i -g nsauditor-ai@latest (Community Edition) and @nsasoft/nsauditor-ai-ee@latest (Enterprise, licensed). The platform runs entirely on your own infrastructure — zero data exfiltration — across AWS, Azure, and GCP, producing auditor-ready evidence for six compliance frameworks from a single scan. Details at nsauditor.com/ai/enterprise.