NSAuditor AI EE 0.31.4 Fixes a Cloud-Scan Presentation False-Clean and Makes the Compliance CLI Honest

EE 0.31.4 stops a cloud scan with real findings from reporting “No open services detected,” reads incomplete scans as coverage UNVERIFIED, and adds --compliance all.


Nsasoft US LLC has shipped NSAuditor AI Enterprise 0.31.4, a report-surface and CLI hardening patch that closes a presentation-layer false-clean in cloud scanning and makes the compliance command line both honest and discoverable. The detection engine is unchanged and oracle-validated — every fix in this release lands at the surface a trial user sees first.

“No open services detected” — over real cloud criticals

NSAuditor AI’s network engine summarizes a host scan from its open services. A cloud scan has no network services — its findings live in the plugin results — so the summarizer fell through to its default line: “Host is UP — No open services detected.” That sentence was being written into the saved report even when the scan had found CRITICAL and HIGH cloud misconfigurations. A trial user running their first AWS audit could see a clean-looking headline over a stack of real exposures.

EE 0.31.4 rewrites the cloud-scan conclusion before the report is written: a cloud-appropriate one-line summary (the finding count by severity, with the top risks named), a structured per-provider findings summary, and the actual CRITICAL/HIGH findings — plus medium/low rollups and any “could-not-verify” evidence-gaps — surfaced into the report body. The same tested summarizer powers the CLI conclusion and the MCP scan_cloud tool, so the two surfaces stay in lockstep.

The deeper false-clean: a scan that audited nothing

An independent principal review of the first fix caught a subtler trap, fixed in the same cycle. A cloud plugin that times out or is denied a read (a routine least-privilege role lacking a List* permission) still returns a result envelope — just an empty one. Counting “I have results” as “something was audited” would let a scan that completed nothing — a region-wide API outage where every plugin timed out, for example — still print “no misconfigurations detected.”

EE 0.31.4 classifies those failure envelopes explicitly. If any plugin did not complete, the conclusion reads coverage UNVERIFIED, names the plugins that failed, routes a fail-closed evidence row for each, and warns — and if other plugins did find real issues, those findings are still shown alongside the coverage caveat. No scan that audited nothing can read clean.
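The fail-closed conclusion logic described above can be sketched as follows. This is an added example, not NSAuditor AI code: the envelope fields (plugin, status, findings), the status strings, the "UNRATED" bucket and the plugin names in the sample are assumptions made for illustration.

```javascript
// Added illustration; NOT NSAuditor AI source. Envelope fields (plugin, status,
// findings) and the status strings are assumptions made for this sketch.
const SEVERITIES = ["CRITICAL", "HIGH", "MEDIUM", "LOW"];

function concludeCloudScan(envelopes) {
  const counts = { CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0, UNRATED: 0 };
  const topRisks = [];      // CRITICAL/HIGH titles surfaced into the report body
  const evidenceGaps = [];  // one fail-closed row per plugin that did not complete
  let completed = 0;

  for (const env of envelopes) {
    // Only an explicit "ok" counts as audited. A timeout, a denied read or a
    // missing status is a coverage gap, even though an envelope came back.
    if (env.status !== "ok") {
      evidenceGaps.push({ plugin: env.plugin, result: "COULD_NOT_VERIFY",
                          reason: env.status || "no status" });
      continue;
    }
    completed += 1;
    for (const f of env.findings || []) {
      // A finding with an unrecognised severity is still counted, not dropped.
      const sev = SEVERITIES.includes(f.severity) ? f.severity : "UNRATED";
      counts[sev] += 1;
      if (sev === "CRITICAL" || sev === "HIGH") topRisks.push(`${sev}: ${f.title}`);
    }
  }

  const total = Object.values(counts).reduce((a, b) => a + b, 0);
  const failed = evidenceGaps.map((g) => g.plugin);
  const verified = completed > 0 && failed.length === 0;
  const bySeverity = Object.entries(counts).filter(([, n]) => n > 0)
    .map(([sev, n]) => `${n} ${sev}`).join(", ");

  let headline;
  if (total > 0) headline = `${total} cloud finding(s): ${bySeverity}`;
  else if (verified) headline = `No misconfigurations detected (${completed} plugin(s) completed)`;
  else headline = "No conclusion: nothing was verified";
  if (!verified) headline += `; coverage UNVERIFIED (failed: ${failed.join(", ") || "none ran"})`;
  return { headline, verified, counts, topRisks, evidenceGaps };
}

// Constructed sample: one plugin found issues, one was denied a List* read.
const sample = [
  { plugin: "aws-s3", status: "ok",
    findings: [{ severity: "CRITICAL", title: "Public bucket" }] },
  { plugin: "aws-iam", status: "access_denied", findings: [] },
];
console.log(concludeCloudScan(sample).headline);
```

The clean headline is reachable only when at least one plugin completed and none failed, so an empty envelope list and an all-timeout run both read as coverage UNVERIFIED.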

A compliance CLI that tells the truth

Two usability defects are fixed. --compliance all now expands to all seven frameworks — SOC 2, HIPAA, NIST CSF 2.0, PCI DSS v4.0.1, ISO/IEC 27001:2022, CIS Controls v8, and GDPR Article 32 — parallel to --plugins all: one scan, seven auditor-ready evidence packs. And an unknown or misspelled --compliance token now fails fast with a clear message listing the valid frameworks and writes nothing, replacing the old behavior that wrote a confusing “Framework load failed” stub.

Engineering posture

This is a patch: no new framework, the plugin count is unchanged at 28, and all seven coverage matrices are unchanged. Fleet-wide read-only (Zero Data Exfiltration) enforcement holds across all 28 plugins — the new module reads only an already-computed findings summary and a static plugin map and issues no cloud calls. EE 0.31.4 pairs with Community Edition 0.2.18 (MIT) and agent-skill 0.2.16, and upgrades in place with no configuration change and no new dependency. Full details are at the NSAuditor AI Enterprise page.