NSAuditor AI EE 0.8.0: Azure Scanner Per-Dimension Source Attribution Closes SOC 2 Key Vault Gap and Expands Multi-Cloud Appendix A Attestation
NSAuditor AI EE 0.8.0 ships per-dimension source routing for the Azure scanner, Azure Key Vault’s first SOC 2 coverage (13 mappings), and true AWS+GCP+Azure Appendix A attestation.
Minor Version Milestone: Structural Attribution Overhaul for Plugin 1022
NSAuditor AI Enterprise Edition 0.8.0 ships today as the twenty-fifth consecutive trio-publish (EE 0.8.0 + CE 0.1.68 + agent-skill 0.1.35). This release is a minor version milestone driven by a structural change in how the Plugin 1022 Azure scanner identifies its findings, enabling precise SOC 2 control routing and true multi-cloud Appendix A cloud bucket attestation for the first time.
Per-Dimension Source Attribution
Prior to 0.8.0, all four Azure audit helpers emitted findings under a single umbrella source (azure-cloud-scanner), making it impossible to route storage findings to Appendix A without commingling NSG, RBAC, and Key Vault findings. EE 0.8.0 assigns each helper its own named source:
- azure-nsg-auditor — Network Security Group ingress rules (CC6.6)
- azure-rbac-auditor — RBAC role assignments at subscription scope (CC6.1)
- azure-storage-auditor — Storage account confidentiality and public blob access (C1.1)
- azure-keyvault-auditor — Key Vault purge protection, soft-delete retention, network ACL, and RBAC authorization (CC6.1 / CC6.3 / C1.1 / A1.2)
The umbrella azure-cloud-scanner source is retained as a defense-in-depth fallback only, with no SOC 2 mappings attached.
Azure Key Vault: First SOC 2 Coverage in EE History
Before 0.8.0, Plugin 1022 emitted Key Vault findings for every scan but routed them to zero SOC 2 controls. Thirteen new soc2.json mappings close this gap entirely, covering all Key Vault finding categories across four controls:
- CC6.1 — Network ACL enforcement (allow / absent) and PASS attestation
- CC6.3 — Legacy access policies, RBAC authorization state, and PASS attestation
- C1.1 — Purge protection disabled / unknown and PASS attestation
- A1.2 — Soft-delete retention below Azure floor / below institutional threshold / unknown and PASS attestation
Azure Key Vault findings now flow correctly into the compliance engine for all organizations using Key Vault in their Azure deployments.
Appendix A Multi-Cloud Expansion: AWS + GCP + Azure
The SOC 2 report Appendix A “Cloud Bucket Exposure Attestation” section now covers all three major cloud providers in a single coherent view. Per-dimension attribution made this structurally possible: azure-storage-auditor joins the bucket attestation source set alongside AWS S3 (plugin 1020) and GCP Cloud Storage (plugin 1024). NSG, RBAC, and Key Vault findings remain intentionally out of scope — Appendix A is bucket-confidentiality-only.
A provider-qualified dedup key (provider::resource) closes a bucket-name collision that previously under-counted unique buckets for organizations using shared naming conventions across clouds, such as DR replication pairs.
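The effect of the provider-qualified key on the Appendix A bucket count, as an added example that is not NSAuditor's own code. The finding fields (provider, resource, status), the AWS and GCP source names, and all sample findings are assumptions constructed for illustration; only the Azure source names and the provider::resource key shape come from the text above.

```javascript
// Sources in scope for the bucket attestation. Only 'azure-storage-auditor'
// is named in the release notes; the AWS and GCP names are hypothetical.
const BUCKET_SOURCES = new Set([
  'azure-storage-auditor',
  'aws-s3-auditor',       // hypothetical source name for plugin 1020
  'gcp-storage-auditor',  // hypothetical source name for plugin 1024
]);

// Constructed findings. 'acme-dr-backups' is a DR replication pair that
// uses the same bucket name in AWS and Azure.
const findings = [
  { source: 'aws-s3-auditor', provider: 'aws', resource: 'acme-dr-backups', status: 'PASS' },
  { source: 'azure-storage-auditor', provider: 'azure', resource: 'acme-dr-backups', status: 'FAIL' },
  { source: 'azure-storage-auditor', provider: 'azure', resource: 'acme-dr-backups', status: 'FAIL' },
  { source: 'gcp-storage-auditor', provider: 'gcp', resource: 'acme-logs', status: 'PASS' },
  { source: 'azure-keyvault-auditor', provider: 'azure', resource: 'acme-kv', status: 'FAIL' },
  { source: 'azure-nsg-auditor', provider: 'azure', resource: 'acme-nsg', status: 'FAIL' },
  { source: 'azure-cloud-scanner', provider: 'azure', resource: 'acme-misc', status: 'FAIL' },
];

// Two candidate dedup keys: the colliding name-only key and the
// provider-qualified key described in the release notes.
const nameOnlyKey = (f) => f.resource;
const qualifiedKey = (f) => `${f.provider}::${f.resource}`;

// Keep only bucket-scoped sources, then collapse repeated findings per key.
// A FAIL for a key is never overwritten by a later PASS.
function attestBuckets(all, keyOf) {
  const buckets = new Map();
  for (const f of all) {
    if (!BUCKET_SOURCES.has(f.source)) continue; // NSG, RBAC, Key Vault, umbrella
    const key = keyOf(f);
    if (buckets.get(key) !== 'FAIL') buckets.set(key, f.status);
  }
  return buckets;
}

const byName = attestBuckets(findings, nameOnlyKey);
const byProvider = attestBuckets(findings, qualifiedKey);
console.log('name-only unique buckets:', byName.size);
console.log('provider-qualified unique buckets:', byProvider.size);
for (const [key, status] of byProvider) console.log(`  ${key} ${status}`);
```

With the name-only key the AWS and Azure halves of the replication pair collapse into one entry, so the passing AWS bucket disappears behind the failing Azure one.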
Engine Category Projection Contract
The compliance engine’s violation surface now carries a first-class category field projected from details.category. This is fully backward-compatible but touches the engine-side contract that every framework consumer reads — the institutional basis for the 0.7.x → 0.8.0 minor version bump. Future plugins already emitting details.category (GCP Cloud Storage, GCP IAM v2) benefit immediately from renderer-side category filtering without escape hatches.
Migration Note for Azure Operators
Any suppression file with match.source: 'azure-cloud-scanner' will no longer match findings post-0.8.0. Operators must split umbrella suppressions into per-dimension entries:
- RBAC findings → azure-rbac-auditor
- NSG findings → azure-nsg-auditor
- Storage findings → azure-storage-auditor
- Key Vault findings → azure-keyvault-auditor
Install
npm install -g nsauditor-ai@0.1.68 @nsasoft/nsauditor-ai-ee@0.8.0
npm install nsauditor-ai-agent-skill@0.1.35 # AI-coding-agent users
Full release notes and documentation: https://www.nsauditor.com/ai/enterprise/



