NSAuditor AI EE 0.3.2 Closes “False-Clean” SOC 2 Reporting Bug, Adds C1.2 Disposal Control with WORM-Mode Validation, and Cuts Customer Onboarding to Three Lines

Paired EE 0.3.2 + CE 0.1.30 release closes a critical compliance-engine bug that was producing clean-looking SOC 2 reports against AWS accounts with real findings, expands coverage to C1.2 Disposal with SEC 17a-4 / FINRA 4511 WORM validation, and ships a one-command license install.


LAS VEGAS, NV — May 8, 2026 — Nsasoft US LLC, a network security and AI-assisted audit software company, today announced the immediate availability of NSAuditor AI Enterprise Edition (EE) v0.3.2 alongside the open-core Community Edition (CE) v0.1.30. The paired release ships through npm under restricted-access (EE) and public (CE) distribution and is recommended for every existing 0.3.1 / 0.1.29 customer. Both prior versions are explicitly deprecated on npm.

1. The “false-clean” SOC 2 reporting bug is fixed

Live since EE v0.3.0 (April 2026), AWS scans run with --compliance soc2 produced gap reports labelled “0 findings analyzed · 7 / 7 controls passing” — even when the underlying scan emitted real S3 / IAM violations. Cause: cloud-plugin findings live in pm.run().results[] but the compliance engine only reads from the network-side finding queue. The engine never saw plugin output.

A CISO reading a clean-looking report would have no idea the underlying buckets were missing public-access blocks, lacked Object Lock, or were KMS-keyless. Auditors call this the worst possible failure mode for a pre-audit tool — a silent green-light is more dangerous than a missing report.

EE 0.3.2 introduces harvestCloudFindings() + CLOUD_PLUGIN_SOURCE_MAP in the engine; CE 0.1.30 forwards the per-plugin results array through enrichScan() (the EE-0.3.2.1 hard dependency). On every customer’s first scan after upgrade, the report now reflects reality.
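A constructed sketch of the bug and the fix (not NSAuditor's engine code): the evaluator below can be run against the same scan with and without harvesting the per-plugin results array, which reproduces the "0 findings, all controls passing" report and the corrected one. The plugin-id map and control rules are assumptions modelled on the names and finding titles in this release.

```javascript
// Illustrative compliance-engine sketch, constructed for this note; names
// mirror the release text but this is not NSAuditor's code.

// Assumed plugin-id to source-label map, standing in for CLOUD_PLUGIN_SOURCE_MAP.
const CLOUD_PLUGIN_SOURCE_MAP = { '020': 'aws-s3-auditor', '030': 'aws-iam-deep-auditor' };

// Constructed control rules: a control fails when any finding title matches.
const CONTROLS = [
  { id: 'C1.1', titlePattern: /^No public access block configured/i },
  { id: 'C1.2', titlePattern: /^Object Lock not configured/i },
  { id: 'A1.2', titlePattern: /^Versioning is (disabled|Suspended)/i },
];

// Flatten the per-plugin results[] arrays into findings tagged with their source.
function harvestCloudFindings(results) {
  const out = [];
  for (const [pluginId, items] of Object.entries(results || {})) {
    const source = CLOUD_PLUGIN_SOURCE_MAP[pluginId];
    if (!source) continue; // not a cloud plugin: not a compliance input
    for (const item of items) out.push({ ...item, source });
  }
  return out;
}

// Evaluate the controls. includeCloud=false reproduces the pre-fix engine,
// which only ever read the network-side queue in scan.findings.
function evaluateSoc2(scan, includeCloud = true) {
  const findings = [...(scan.findings || [])];
  if (includeCloud) findings.push(...harvestCloudFindings(scan.results));
  const byStatus = { pass: 0, fail: 0 };
  const failing = [];
  for (const c of CONTROLS) {
    if (findings.some(f => c.titlePattern.test(f.title))) {
      byStatus.fail++;
      failing.push(c.id);
    } else {
      byStatus.pass++;
    }
  }
  return { findingCount: findings.length, byStatus, failing };
}

// Constructed scan: an empty network queue plus real S3 findings from plugin 020.
const SAMPLE_SCAN = {
  findings: [],
  results: {
    '020': [
      { title: 'Object Lock not configured', bucket: 'example-logs' },
      { title: 'No public access block configured', bucket: 'example-logs' },
    ],
  },
};
```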

“This was the kind of regression auditors specifically train for. Closing it took both halves of the paired release.”

2. New covered control: C1.2 — Disposal of Confidential Information

Coverage matrix moves from 7 covered → 8 covered. The new C1.2 control evidences the institutional WORM and tamper-resistance primitives auditors expect for confidential workloads:

  • Object Lock not configured — S3 Object Lock is the institutional WORM control. Without it, retention windows can’t be cryptographically enforced.
  • Object Lock GOVERNANCE mode (use COMPLIANCE for WORM) — Object Lock has two modes: COMPLIANCE (immutable: not even root can delete before retention expires) and GOVERNANCE (any principal with s3:BypassGovernanceRetention can delete). SEC Rule 17a-4 and FINRA 4511 require COMPLIANCE. Auditors specifically reject GOVERNANCE-mode buckets as evidence stores.
  • MFA Delete not enabled — Versioning alone is not tamper-resistant; a single insider with bucket-write IAM can permanently delete a version. MFA Delete requires a second factor at delete-version time. Only flagged when versioning is enabled (otherwise the finding is meaningless).

A new AWS_S3_AUDIT_CONFIDENTIAL_BUCKETS env-var classifier escalates the C1.2 + KMS-CMK findings from LOW to MEDIUM for matched buckets, letting customers tune severity by workload sensitivity.
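The three C1.2 checks and the severity escalation, as an added example constructed for this note rather than the aws-s3-auditor plugin's own code. It assumes the input objects mirror the S3 SDK payloads (GetObjectLockConfiguration and GetBucketVersioning) and that AWS_S3_AUDIT_CONFIDENTIAL_BUCKETS holds a comma-separated list of bucket names.

```javascript
// Constructed illustration of the C1.2 checks; input shapes are assumed to
// mirror the S3 SDK responses: `objectLock` is the GetObjectLockConfiguration
// payload (null when the bucket has none), `versioning` is GetBucketVersioning.

// Classifier: assumes AWS_S3_AUDIT_CONFIDENTIAL_BUCKETS is a comma-separated list.
function confidentialSet(envValue) {
  return new Set((envValue || '').split(',').map(s => s.trim()).filter(Boolean));
}

function checkC12(bucket, confidential) {
  const findings = [];
  const severity = confidential.has(bucket.name) ? 'MEDIUM' : 'LOW';
  const emit = (title) => findings.push({ control: 'C1.2', bucket: bucket.name, severity, title });
  const lock = bucket.objectLock && bucket.objectLock.ObjectLockConfiguration;
  if (!lock || lock.ObjectLockEnabled !== 'Enabled') {
    emit('Object Lock not configured');
  } else {
    // Only COMPLIANCE mode is true WORM; GOVERNANCE can be bypassed by a
    // principal holding s3:BypassGovernanceRetention.
    const mode = lock.Rule && lock.Rule.DefaultRetention && lock.Rule.DefaultRetention.Mode;
    if (mode === 'GOVERNANCE') emit('Object Lock GOVERNANCE mode (use COMPLIANCE for WORM)');
  }
  // MFA Delete is only meaningful once versioning is on; otherwise skip it.
  const v = bucket.versioning || {};
  if (v.Status === 'Enabled' && v.MFADelete !== 'Enabled') emit('MFA Delete not enabled');
  return findings;
}

function auditC12(buckets, envValue) {
  const confidential = confidentialSet(envValue);
  return Object.fromEntries(buckets.map(b => [b.name, checkC12(b, confidential)]));
}

// Constructed buckets covering the three outcomes.
const lockCfg = (mode) => ({ ObjectLockConfiguration: {
  ObjectLockEnabled: 'Enabled', Rule: { DefaultRetention: { Mode: mode, Days: 2555 } } } });
const BUCKETS = [
  { name: 'evidence-store', objectLock: lockCfg('GOVERNANCE'),
    versioning: { Status: 'Enabled', MFADelete: 'Disabled' } },
  { name: 'scratch', objectLock: null, versioning: {} },
  { name: 'archive', objectLock: lockCfg('COMPLIANCE'),
    versioning: { Status: 'Enabled', MFADelete: 'Enabled' } },
];
```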

3. Other shipped findings under EE 0.3.2

  • Server-side encryption uses AES256 (not KMS-CMK) — C1.1. KMS customer-managed keys give the customer rotation, audit, and crypto-shredding control that AES256 (AWS-managed) does not.
  • Access logging not enabled — audit trail gap — CC7.1. S3 server-access logs are the canonical AWS evidence stream for object-level access detection.
  • Partial public access block — missing: … — C1.1. A partial PAB still leaves at least one bypass route. Auditors expect all four settings (BlockPublicAcls / IgnorePublicAcls / BlockPublicPolicy / RestrictPublicBuckets).

4. Production-bug fixes you can stop working around

  • PublicAccessBlock check failed: TypeError — Root cause was a 1-character import typo: GetBucketPublicAccessBlockCommand doesn’t exist in @aws-sdk/client-s3; the real export is GetPublicAccessBlockCommand. Live since EE 0.3.0 — every bucket emitted “TypeError” and the real PAB findings (“No public access block configured”) never fired in production. EE 0.3.2 ships the rename plus a load-time SDK-export validation block in plugins 020 + 030 so any future SDK rename surfaces as “plugin won’t load” at startup rather than per-call TypeError.
  • Tightened Versioning is … regex — The drift-detector caught the previous substring pattern matching Versioning check failed: AccessDenied (an SDK error, not a finding) and producing fake A1.2 violations. Anchored to ~/^Versioning is (disabled|Suspended)/i.
  • Cloud-sentinel SSRF bypass — --host aws | gcp | azure no longer requires the NSA_ALLOW_ALL_HOSTS=1 env var. The sentinel literals route to EE cloud-scanner plugins via the provider’s API; the SSRF guard’s RFC 1918 / loopback protection is preserved for real network targets.
  • Plugin-emission drift detector — New test asserts every aws-s3-auditor / aws-iam-deep-auditor titlePattern matches at least one canonical issue string the corresponding plugin emits, and vice versa. Closes the silent-disappearance class where a plugin emits a string with no matching mapping rule (or a rule references a string no plugin emits).
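The anchored A1.2 pattern, the bidirectional drift test and the load-time SDK-export check, as one added example constructed for this note (not the product's test suite). The issue strings and patterns are taken from finding titles quoted in this release; the rule table shape is an assumption.

```javascript
// Constructed illustration of three checks named in this release; the issue
// strings and patterns come from titles quoted above, not the product's tables.

// Canonical issue strings each plugin emits (constructed).
const PLUGIN_ISSUES = {
  'aws-s3-auditor': ['Versioning is disabled', 'Versioning is Suspended',
    'Object Lock not configured', 'No public access block configured'],
};

// Mapping rules. The A1.2 pattern is anchored with ^ so an SDK error such as
// "Versioning check failed: AccessDenied" can no longer become a finding.
const RULES = [
  { control: 'A1.2', plugin: 'aws-s3-auditor', titlePattern: /^Versioning is (disabled|Suspended)/i },
  { control: 'C1.2', plugin: 'aws-s3-auditor', titlePattern: /^Object Lock not configured/i },
  { control: 'C1.1', plugin: 'aws-s3-auditor', titlePattern: /^No public access block configured/i },
];

// The pre-fix substring match, kept only to show what the anchor prevents.
const LOOSE_VERSIONING = /Versioning/i;

// Bidirectional drift check: every rule must match a canonical string from its
// plugin, and every canonical string must be claimed by some rule.
function detectDrift(rules, issues) {
  const problems = [];
  for (const r of rules) {
    if (!(issues[r.plugin] || []).some(s => r.titlePattern.test(s)))
      problems.push(`rule ${r.control} (${r.plugin}) matches no emitted string`);
  }
  for (const [plugin, strings] of Object.entries(issues)) {
    for (const s of strings) {
      if (!rules.some(r => r.plugin === plugin && r.titlePattern.test(s)))
        problems.push(`"${s}" from ${plugin} matches no rule`);
    }
  }
  return problems;
}

// Load-time export validation: a renamed SDK export fails plugin load once,
// instead of surfacing as a TypeError on every bucket.
function validateSdkExports(sdkModule, names) {
  const missing = names.filter(n => typeof sdkModule[n] !== 'function');
  if (missing.length) throw new Error(`plugin won't load: missing SDK exports ${missing.join(', ')}`);
  return true;
}
```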

5. Customer onboarding: three lines, no shell-rc edits

CE 0.1.30 introduces nsauditor-ai license install <KEY> — verifies the JWT signature before persisting and stores the key in the platform-appropriate location (macOS Keychain, or ~/.nsauditor/.env mode 0600 on Linux/Windows). The day-1 install flow:

npm install -g nsauditor-ai @nsasoft/nsauditor-ai-ee
nsauditor-ai license install enterprise_eyJ...
nsauditor-ai license --status

Plus:

  • Multi-source license loader — loadLicense() resolves keys from env var → platform Keychain → ~/.nsauditor/.env, in priority order. CI/CD env-var override still wins.
  • nsauditor-ai license --plugins — real enumeration of discovered plugins, grouped by source (CE / EE / custom), with active-or-required-tier status. Tier labels are now derived from the unmet capability set, not a hardcoded plugin.tier field — so capability-gated plugins correctly show “requires: enterprise” instead of the previous misleading “requires: pro”.
  • nsauditor-ai --version / -v — discovery flag that no longer errors with Fatal: --host required, parallel to --help's 0.1.29 fix.

Coverage Matrix — AICPA Trust Services Criteria 2017

Status        Count   Trust Services Criteria
Covered       8       CC6.1, CC6.2, CC6.6, CC6.7, CC6.8, CC7.1, C1.1, C1.2 (new in 0.3.2)
🟡 Partial    5       CC6.3, CC7.2, CC7.3, CC8.1, A1.2
Out of scope  34      CC1.*, CC2.*, CC3.*, CC4.*, CC5.*, CC9.*, PI1.*, P1.0–P8.0, CC6.4, CC6.5

Validation

$ npm install -g nsauditor-ai@0.1.30 @nsasoft/nsauditor-ai-ee@0.3.2
$ nsauditor-ai license install enterprise_eyJhbGciOiJFUzI1NiIs...
✓ Enterprise license installed
  Stored at: macOS Keychain (service=nsauditor-ai)
  Org: customer@example.com   Seats: 5

$ CLOUD_PROVIDER=aws AWS_REGION=us-east-1 \
    nsauditor-ai scan --host aws --plugins 020,030 --compliance soc2
# findingCount: 31
# byStatus:    pass=4  fail=5  partial=4  out_of_scope=34
#
# Failing controls (representative AWS dev account):
#   CC6.1  IAM SHADOW ADMIN + privesc paths
#   CC7.1  7 buckets without S3 access logging
#   C1.1   2 buckets with no PAB + 6 with AES256-not-KMS
#   C1.2   7 buckets without Object Lock + 2 with versioning but no MFA Delete
#   A1.2   5 buckets with versioning disabled

Pre-fix this same scan produced findingCount: 0, pass: 7, fail: 0 — the false-clean report that started this release.

Architecture & availability

  • Community Edition — Open-core, MIT-licensed, public on npm: npm install -g nsauditor-ai
  • Enterprise Edition — Restricted-access scoped npm package: npm install -g @nsasoft/nsauditor-ai-ee
  • Pricing & 14-day Pro trial: nsauditor.com/ai/pricing

Resources

Upgrade path for existing customers

# Existing 0.1.29 + 0.3.1 install
npm install -g nsauditor-ai@latest @nsasoft/nsauditor-ai-ee@latest

# Existing customers with NSAUDITOR_LICENSE_KEY env var or ~/.nsauditor/.env
# continue to work — the multi-source loader is backward-compatible.

# Or migrate to the new install command (one-time):
nsauditor-ai license install enterprise_eyJ...

About Nsasoft US LLC

Nsasoft US LLC is a Las Vegas-based network security software company specializing in privacy-first, AI-assisted security tooling. The company develops open-core security scanners, infrastructure auditing tools, and SOC 2 readiness products for enterprise and developer audiences. Customer credentials and scan data never leave the host — all AI inference and CVE matching happen against customer-controlled API keys or fully offline NVD feeds.

Press contact: info@nsasoft.us · License & enterprise sales: enterprise@nsasoft.us