NSAuditor AI EE 0.3.5 — IAM Shadow-Admin Findings Now Carry a Cryptographically-Verifiable Evidence Trail; Adds GCP SOC 2 Mappings
EE 0.3.5 brings AWS IAM shadow-admin findings to the most complete evidence-trail surface of any v0.x release. Adds GCP SOC 2 mappings; pairs with CE 0.1.37 SECURITY release.
The EE 0.3.5 point release brings AWS IAM shadow-admin findings to the most complete evidence-trail surface of any v0.x release — closes nine reviewer-flagged gaps from the EE-RT.1.x review series so auditors stop reverse-engineering policies from the snapshot. New [via policy: ...] suffix names the contributing policy ARNs, paired partialProvenance / provenanceComplete flags signal whether the suffix is verifiably complete, per-ARN debug detail surfaces in result.policyFetchErrors[], a real false-negative class for group-mediated PassRole privesc is closed with cross-principal capture, and an SCP-awareness warning surfaces the AWS Organizations coverage gap that this scanner cannot see. Thread B adds GCP plugin SOC 2 mapping rules that close the GCP zero-coverage gap. Coverage matrix unchanged at 8 covered / 5 partial / 34 OOS — this release is entirely about evidence quality and auditor-actionable signals.
LAS VEGAS, NV — May 11, 2026 — Nsasoft US LLC, a network security and AI-assisted audit software company, today announced the immediate availability of NSAuditor AI Enterprise Edition (EE) v0.3.5. The release ships through npm under restricted-access distribution and is recommended for every existing customer running AWS IAM scans through --compliance soc2. EE 0.3.5 pairs with the Community Edition v0.1.37 SECURITY release shipped during the same sprint — auditors evaluating SOC 2 evidence MUST verify the CE version recorded in evidence artifacts is at least 0.1.37, because pre-0.1.37 silently bypassed the MCP auth check + license verification via the published bin shim. EE 0.3.4 is explicitly deprecated on npm.
The headline gap
EE 0.3.4 shipped institutional-grade transitive shadow-admin path detection — the multi-hop privesc class auditors specifically test for. The detector worked correctly. But the finding itself emitted only the principal chain. To remediate, auditors needed to know which IAM policy granted the privesc. That information was buried in the snapshot — auditors had to manually correlate finding text against per-policy analysis output to figure out what to actually fix.
EE 0.3.5 closes the gap. Every shadow-admin finding now carries a [via policy: ARN1, ARN2; inline: name1, name2] suffix listing every contributing policy ARN. Paste the ARN(s) into the AWS console — done. For PassRole findings, BOTH the PassRole policy ARN AND every policy that granted the exec primitive (e.g., lambda:CreateFunction) appear in the suffix — auditor closes the entire privesc from the single finding text, no reverse-engineering needed.
The trust gap: an evidence-completeness contract
If any IAM policy fetch fails silently during a scan — rate-limit, AccessDenied on iam:GetPolicyVersion, throttle, malformed JSON — the resulting suffix would silently omit the failed-to-fetch contributors. This is the worst-case Type-II evidence failure mode: the report looks authoritative when it is not. EE 0.3.5 introduces a dual-signal contract:
- `partialProvenance: true` (per-finding flag) plus a top-level `warnings[]` entry: when ANY policy fetch failed in the scan, every shadow-admin finding signals that its suffix may be incomplete. Conservative; sets the floor.
- `provenanceComplete: true | false` (per-finding strict signal): computed by walking each path's principals against a per-principal fetch-error map. `provenanceComplete: true` means every principal in this finding's path was fully fetched, so the suffix is verifiably complete (the auditor accepts the evidence even when `partialProvenance: true` is set globally).
- `result.policyFetchErrors[]`: per-ARN debug detail array (`{policyArn, policyName, principal, source, errorName}`) so auditors can debug `provenanceComplete: false` findings instead of just seeing a count. Capped at 50 entries by default with diversity-preserving round-robin selection by principal, which defends against an attacker flooding attached policies on alphabetically-early roles to push real failures off the cap.
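The dual-signal contract and the round-robin cap, as an added illustration that is not NSAuditor's own code: the function names, the path shape (an array of principal ARNs) and the sample error entries are assumptions built from the release notes.

```javascript
// Added example (not NSAuditor's own code): models the EE 0.3.5 dual-signal
// provenance contract. Function names, the path shape (array of principal ARNs)
// and the sample data are assumptions built from the release notes.

// Group result.policyFetchErrors[] entries by the principal they belong to.
function fetchErrorsByPrincipal(policyFetchErrors) {
  const byPrincipal = new Map();
  for (const e of policyFetchErrors) {
    if (!byPrincipal.has(e.principal)) byPrincipal.set(e.principal, []);
    byPrincipal.get(e.principal).push(e);
  }
  return byPrincipal;
}

// partialProvenance is the global floor: any failed fetch in the scan sets it.
// provenanceComplete is strict per finding: every principal on the path must
// have had all of its policies fetched for the suffix to be verifiably complete.
function provenanceFor(pathPrincipals, policyFetchErrors) {
  const errMap = fetchErrorsByPrincipal(policyFetchErrors);
  return {
    partialProvenance: policyFetchErrors.length > 0,
    provenanceComplete: pathPrincipals.every((p) => !errMap.has(p)),
  };
}

// Diversity-preserving cap: take errors round-robin across principals so one
// principal with many failures cannot push other principals' failures off the cap.
function capFetchErrors(policyFetchErrors, cap = 50) {
  const queues = [...fetchErrorsByPrincipal(policyFetchErrors).values()];
  const kept = [];
  for (let i = 0; kept.length < cap && queues.some((q) => q.length > 0); i++) {
    const q = queues[i % queues.length];
    if (q.length > 0) kept.push(q.shift());
  }
  return kept;
}

// Constructed sample: an alphabetically-early role with 60 throttled fetches,
// plus a single real AccessDenied on alice's attached policy.
const FLOOD_ROLE = 'arn:aws:iam::111111111111:role/aaa-flood';
const ALICE = 'arn:aws:iam::111111111111:user/alice';
const sampleErrors = Array.from({ length: 60 }, (_, n) => ({
  policyArn: `arn:aws:iam::111111111111:policy/flood-${n}`, policyName: `flood-${n}`,
  principal: FLOOD_ROLE, source: 'attached', errorName: 'Throttling',
}));
sampleErrors.push({
  policyArn: 'arn:aws:iam::111111111111:policy/alice-admin', policyName: 'alice-admin',
  principal: ALICE, source: 'attached', errorName: 'AccessDenied',
});
```

A naive `slice(0, 50)` over the same sample would drop alice's AccessDenied entirely; the round-robin cap keeps it.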
Real false-negative closed: group-mediated PassRole privesc
Pre-0.3.5, a chain alice (PassRole only) -> group:devs (exec only) -> admin produced no PassRole edge because the existing per-principal evaluation required PassRole AND exec on the SAME source. Group-mediated privesc where one half came from the user and the other from the group was structurally undetectable. Auditors trusting “no PassRole finding on alice” on a user whose group grants the exec primitive would file false-clean reports.
EE 0.3.5 closes the gap. The user-iteration loop now computes effective (user + member-group) policies and emits a new edge with a (group-inherited) marker so auditors distinguish cross-principal privesc from same-principal privesc. The provenance suffix lists BOTH the user-side PassRole policy AND the group-side exec-vector policy.
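The cross-principal capture described above, as an added example that is not NSAuditor's own code: the policy model, helper names, the EXEC_PRIMITIVES list and the sample ARNs are assumptions rather than the plugin's real data shapes.

```javascript
// Added example (not NSAuditor's own code): shows the cross-principal PassRole
// capture described above. The policy model, helper names, EXEC_PRIMITIVES
// list and sample ARNs are assumptions, not the plugin's real data shapes.

// Exec primitives that turn PassRole into privesc (assumed subset).
const EXEC_PRIMITIVES = new Set(['lambda:CreateFunction', 'ec2:RunInstances']);

// Actions granted by a policy's Allow statements (Deny and Condition not modelled).
function allowedActions(policy) {
  const actions = new Set();
  for (const s of policy.Statement) {
    if (s.Effect === 'Allow') [].concat(s.Action).forEach((a) => actions.add(a));
  }
  return actions;
}

// Effective set = the user's own policies plus those of each member group,
// each tagged with its source principal so the suffix can name the contributor.
function effectivePolicies(user, groups) {
  const own = user.policies.map((p) => ({ ...p, principal: user.arn, inherited: false }));
  const viaGroups = user.groups.flatMap((g) =>
    groups[g].policies.map((p) => ({ ...p, principal: groups[g].arn, inherited: true })));
  return own.concat(viaGroups);
}

// Emit a PassRole edge when PassRole and an exec primitive both appear anywhere in
// the effective set; mark it (group-inherited) when a group supplied either half.
function passRoleEdge(user, groups) {
  const eff = effectivePolicies(user, groups);
  const passRole = eff.filter((p) => allowedActions(p).has('iam:PassRole'));
  const exec = eff.filter((p) => [...allowedActions(p)].some((a) => EXEC_PRIMITIVES.has(a)));
  if (passRole.length === 0 || exec.length === 0) return null;
  const contributors = [...passRole, ...exec];
  const inherited = contributors.some((p) => p.inherited);
  return {
    from: user.arn,
    label: inherited ? 'PassRole (group-inherited)' : 'PassRole',
    suffix: `[via policy: ${contributors.map((p) => p.arn).join(', ')}]`,
  };
}
// Constructed sample: alice holds PassRole only; group devs holds the exec primitive only.
const sampleGroups = {
  devs: { arn: 'arn:aws:iam::111111111111:group/devs', policies: [{
    arn: 'arn:aws:iam::111111111111:policy/devs-lambda',
    Statement: [{ Effect: 'Allow', Action: ['lambda:CreateFunction'], Resource: '*' }] }] },
};
const alice = { arn: 'arn:aws:iam::111111111111:user/alice', groups: ['devs'], policies: [{
  arn: 'arn:aws:iam::111111111111:policy/alice-passrole',
  Statement: [{ Effect: 'Allow', Action: 'iam:PassRole', Resource: '*' }] }] };
```

Evaluating alice with her group membership removed returns no edge, which is the pre-0.3.5 same-principal result that produced the false-clean report.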
Honest disclosure of an SCP-coverage gap
When any role's assumeRolePolicy contains Principal: AWS: "*" on an Allow AssumeRole statement, the BFS treats the trust as universally permissive. That is true within IAM, but in AWS Organizations the actual cross-org constraint comes from Service Control Policies (SCPs) at the organization level, which this scanner has no API access to evaluate.
EE 0.3.5 surfaces the gap as a warnings[] entry naming the affected roles and disclosing that the cross-org guard relies on out-of-band SCP verification. This is a deliberate “honest gap” disclosure rather than silent false-positive emission.
GCP plugin SOC 2 mapping rules (Thread B)
Plugin 021 (gcp-cloud-scanner) was previously emitting findings in the correct shape but had no soc2.json mapping rules — findings landed in the harvester and were silently dropped at the matching stage. EE 0.3.5 adds three GCP mapping rules:
- CC6.1 — Project IAM bindings to `allUsers` / `allAuthenticatedUsers` bypass identity-based access control.
- CC6.6 — VPC firewall ingress from `0.0.0.0/0` without source restriction.
- C1.1 — GCS bucket-level IAM granting any role to anonymous or any-Google-identity is a confidentiality-boundary violation.
Customers running multi-cloud SOC 2 evidence collection now have AWS + Azure + GCP coverage on CC6.1 / CC6.6 / C1.1.
SECURITY ADVISORY: CE 0.1.37 fixes a silent MCP auth bypass
In CE 0.1.31 through 0.1.36, the MCP server authentication check + license verification were silently bypassed when the server was invoked via the published nsauditor-ai-mcp bin shim — which is how Claude Desktop and other MCP clients spawn the server. The if (isMainModule) guard in mcp_server.mjs matched only node mcp_server.mjs direct invocation, never the bin shim, so authorizeMcpServerStartup() and await loadLicense() never ran during MCP-client sessions.
Severity: defense-in-depth degradation (caller already needed local code-execution to reach stdio of the spawned MCP child). PLUS a real customer-impact bug: paid Pro/Enterprise customers saw Current tier: CE in MCP responses despite an installed Enterprise license.
SOC 2 evidence implication: any SOC 2 evidence generated from MCP-routed responses on pre-0.1.37 versions did not have the documented MCP-authentication operational control evidence in effect. Auditors evaluating SOC 2 evidence MUST verify the CE version recorded in evidence artifacts is at least 0.1.37.
CE 0.1.37 extracted the startup sequence into an exported startStdioServer() function the bin shim now explicitly calls. A regression test spawns the bin shim without an auth key and asserts the auth check refuses startup — guards against future regressions.
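The guard defect and the 0.1.37 fix shape, as an added illustration that is not NSAuditor's code: the file paths, the env var name and the string-compare form of the entry-point guard are assumptions (the real check compares import.meta.url against process.argv[1]).

```javascript
// Added example (not NSAuditor's own code): models the CE 0.1.31-0.1.36 guard
// defect and the 0.1.37 shape. The paths, the env var name and the string-compare
// form of the guard are assumptions; the real check compares import.meta.url.

// Entry-point guard: true only when this module is the process entry point.
function isMainModule(moduleUrl, argv1) {
  return moduleUrl === 'file://' + argv1;
}

// The control the guard should protect: refuse startup without an auth key.
function authorizeMcpServerStartup(env) {
  if (!env.NSAUDITOR_MCP_AUTH_KEY) throw new Error('MCP auth key missing; refusing startup');
  return true;
}

// Pre-0.1.37 shape: auth only runs inside the guard, but the server comes up regardless.
// When the bin shim spawns the server, argv[1] is the shim, so the guard is false.
function legacyServerEntry({ moduleUrl, argv1, env }) {
  let authRan = false;
  if (isMainModule(moduleUrl, argv1)) {
    authorizeMcpServerStartup(env);
    authRan = true;
  }
  return { started: true, authRan };
}

// 0.1.37 shape: an exported startup function that always runs the check,
// called explicitly by the bin shim instead of relying on the guard.
function startStdioServer(env) {
  authorizeMcpServerStartup(env);
  return { started: true, authRan: true };
}
function binShimEntry(env) {
  return startStdioServer(env);
}

// Constructed paths: the server module vs. the shim that MCP clients actually spawn.
const SERVER_MODULE_URL = 'file:///opt/nsauditor/mcp_server.mjs';
const DIRECT_ARGV1 = '/opt/nsauditor/mcp_server.mjs';
const SHIM_ARGV1 = '/opt/nsauditor/bin/nsauditor-ai-mcp';
```

Spawning through the shim with no key reproduces the silent bypass in the legacy shape (server up, auth never run) and a refused startup in the 0.1.37 shape, which is the regression test the release describes.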
Coverage Matrix — AICPA Trust Services Criteria 2017
| Status | Count | Trust Services Criteria |
|---|---|---|
| Covered | 8 | CC6.1, CC6.2, CC6.6, CC6.7, CC6.8, CC7.1, C1.1, C1.2 |
| Partial | 5 | CC6.3, CC7.2, CC7.3, CC8.1, A1.2 |
| Out of scope | 34 | CC1.*, CC2.*, CC3.*, CC4.*, CC5.*, CC9.*, PI1.*, P1.0-P8.0, CC6.4, CC6.5 |
The covered count stays at 8 / 8 (matching 0.3.4). What changed is the evidence quality per control — IAM shadow-admin findings under CC6.1 now carry verifiable provenance + completeness signals, AND the same three covered controls (CC6.1, CC6.6, C1.1) now have multi-cloud evidence rows for AWS + Azure + GCP.
Architecture and availability
Community Edition (nsauditor-ai) — Open-core, MIT-licensed, public on npm. Recommended pairing: 0.1.37 or later (SECURITY release):
```bash
npm install -g nsauditor-ai@0.1.37
nsauditor-ai --help
nsauditor-ai mcp install-key   # one-time MCP auth setup
```
Enterprise Edition (@nsasoft/nsauditor-ai-ee) — Restricted-access scoped npm package; install requires a valid Pro or Enterprise license:
```bash
npm install -g nsauditor-ai@0.1.37 @nsasoft/nsauditor-ai-ee@0.3.5
nsauditor-ai license install enterprise_eyJhbGciOiJFUzI1NiIs...
nsauditor-ai license --status
```
Resources
- EE on npm
- CE on npm
- CE source on GitHub
- SOC 2 coverage matrix
- Product home
- Pricing and 14-day Pro trial
About Nsasoft US LLC
Nsasoft US LLC is a Las Vegas-based network security software company specializing in privacy-first, AI-assisted security tooling. The company develops open-core security scanners, infrastructure auditing tools, and SOC 2 readiness products for enterprise and developer audiences. Customer credentials and scan data never leave the host — all AI inference and CVE matching happen against customer-controlled API keys or fully offline NVD feeds.
Press contact: info@nsasoft.us
License and enterprise sales: enterprise@nsasoft.us
Security advisories: security@nsasoft.us