NSAuditor AI CE 0.2.23 / Enterprise 0.31.9 — Cloud Audits That Run Only When You Ask, and AI Conclusions That Don’t Disappear
CE 0.2.23 makes --host the single signal for what gets scanned, keeps AI conclusions visible on large scans, and Enterprise 0.31.9 renders positive evidence everywhere.
Nsasoft US LLC has published NSAuditor AI Community Edition 0.2.23 alongside Enterprise 0.31.9 and agent-skill 0.2.21 — a bug-fix cycle whose lead story lives in the free, MIT-licensed Community Edition. It closes three issues an operator found running the scanner against their own environment, and it pairs with an Enterprise render-parity fix. It is a patch: no new framework, plugin count unchanged at 28, and all seven coverage matrices unchanged.
Credentials are a capability, not an intent
An operator scanned a router — --host 192.168.1.1 — and found the output carrying findings for three cloud estates: AWS, Azure, and GCP. The cause was a scoping gap: the cloud-auditor plugins decided whether to run based on whether cloud credentials were present in the environment, not on what the operator actually asked to scan. A network scan, run on a machine that also held cloud API keys, quietly reached out and audited those clouds.
CE 0.2.23 establishes a simple contract and enforces it at the dispatch choke-point: a cloud auditor runs if and only if the host is its own cloud sentinel. --host aws runs the AWS auditors; --host gcp runs the GCP ones; a network host — any IP, CIDR, or hostname — runs none of them. There is no escape hatch: not the implicit “scan everything,” not an explicit plugin id, not credentials sitting in the environment, and not the single-plugin MCP tool. A cloud auditor asked to run against the wrong host is skipped loudly and recorded as a skipped entry rather than silently dropped, so scan history and machine consumers can see it. The contract was hardened across three independent review rounds — a first pass closed the command-line route but missed an MCP path, and a follow-up tightened an SSRF boundary the fix had touched.
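The dispatch contract above, reconstructed as an added example (hypothetical code, not NSAuditor's own): the gate consults only the host, so ambient credentials and explicit plugin ids cannot widen scope, and every refused cloud auditor is recorded rather than dropped. The Plugin/DispatchPlan types, the plugin ids, and the rule that network plugins are skipped on a sentinel host are assumptions.

```python
"""Host-scoped dispatch gate for cloud-auditor plugins (illustrative).

Hypothetical reconstruction of the contract described in the release notes:
a cloud auditor runs if and only if --host is its own cloud sentinel.
"""
from dataclasses import dataclass, field
from typing import Optional

# Sentinel host values that select a cloud estate (from the release notes).
CLOUD_SENTINELS = {"aws", "azure", "gcp"}


@dataclass(frozen=True)
class Plugin:
    plugin_id: str
    cloud: Optional[str] = None  # "aws"/"azure"/"gcp" for cloud auditors, None for network plugins


@dataclass
class DispatchPlan:
    run: list = field(default_factory=list)
    skipped: list = field(default_factory=list)  # loud skips, kept for scan history / MCP consumers


def plan_dispatch(host: str, plugins: list, requested_ids: Optional[set] = None,
                  ambient_env: Optional[dict] = None) -> DispatchPlan:
    """Decide which plugins run for `host`.

    `requested_ids` (an explicit plugin selection, None = scan everything) only
    narrows the candidate set; `ambient_env` (credentials in the environment) is
    accepted so the signature shows it is deliberately never consulted.
    """
    del ambient_env  # credentials are a capability, not an intent: not a scope input
    host_key = host.strip().lower()
    plan = DispatchPlan()
    for p in plugins:
        if requested_ids is not None and p.plugin_id not in requested_ids:
            continue  # never a candidate; nothing to record
        if p.cloud is None:
            # Assumption: network plugins run for network hosts only.
            if host_key in CLOUD_SENTINELS:
                plan.skipped.append({"plugin": p.plugin_id, "host": host,
                                     "reason": "network plugin has no target on a cloud sentinel"})
            else:
                plan.run.append(p.plugin_id)
        elif host_key == p.cloud:
            plan.run.append(p.plugin_id)  # host is exactly this auditor's own sentinel
        else:
            plan.skipped.append({"plugin": p.plugin_id, "host": host,
                                 "reason": f"cloud auditor for {p.cloud} requires --host {p.cloud}"})
    return plan
```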
The AI conclusion that quietly disappeared
On a full three-cloud scan, the operator’s AI-written conclusion showed up for one provider but not the others, with nothing in the output explaining why. A fixed two-minute timeout — fine for a small network-host payload — was too short for a cloud scan carrying hundreds of findings, so the request was aborted, and the failure was quiet. CE 0.2.23 scales the AI timeout with the payload (and keeps it overridable), applies it to the request itself, and writes a visible, self-explaining conclusion file plus a one-line end-of-scan status when the stage fails. “No AI conclusion” is never again a silent outcome.
Enterprise: positive evidence that renders everywhere
Enterprise 0.31.9 closes a Report-on-Compliance rendering gap. NSAuditor’s RoC can surface positive substrate — curated proof a control is operating — per control. When a control’s findings were all dismissed as false positives but it still carried that positive evidence, the evidence appeared in the Markdown and JSON reports but dropped out of the HTML one. The HTML now renders it in a dedicated section, for full parity, and the section carries auditor-correct language: a false-positive disposition is a factual assertion an assessor independently corroborates, not an accepted risk. The PCI cardholder-data-environment scope cue rides those surfaces too.
Why it matters
Scope integrity is the quiet foundation of every audit artifact: a report is trustworthy only if it covers exactly what was asked for and nothing else. This cycle removes an ambient-credential path that could fold three cloud estates into a host scan, turns a confusing silent AI failure into a visible one, and ensures the evidence an assessor relies on is present in whichever format they open.
The seven coverage matrices remain SOC 2 10/4/33, HIPAA 7/3/45, NIST CSF 2.0 13/10/83, PCI DSS v4.0.1 19/9/39, ISO/IEC 27001:2022 17/14/62, CIS Controls v8 17/23/113, and GDPR Article 32 4/5/2. NSAuditor AI is read-only by design — Zero Data Exfiltration holds fleet-wide. The Community Edition is free and MIT-licensed; Enterprise is licensed. Details at nsauditor.com/ai/enterprise.