LAS VEGAS, NV — May 8, 2026 — Nsasoft US LLC today announced the immediate availability of NSAuditor AI Enterprise Edition (EE) v0.3.3, a point release that closes a Critical “false-clean” reporting bug in the Azure cloud scanner and extends SOC 2 mapped coverage to multi-cloud (AWS + Azure) for three Trust Services Criteria. The release ships through npm under restricted-access distribution and is recommended for every existing 0.3.2 customer running Azure. EE 0.3.3 pairs with the existing Community Edition v0.1.30 — no CE bump required.
What changed
EE 0.3.2 closed an AWS-side “false-clean” bug by introducing the cloud-finding harvester — but the harvester only recognized the canonical shape { resource, severity, issues: [text] }. Plugin 022 (azure-cloud-scanner) was emitting a different shape ({ severity, finding, resource }, singular) for all three Azure audit functions: NSG ingress, RBAC role assignments, Storage account hardening. Findings were generated correctly, sat in the result tree, and were silently dropped before reaching the compliance engine. Customers running --compliance soc2 --host azure against a real Azure subscription with RBAC misconfigurations, wide-open NSG ingress, and unencrypted Storage accounts would still see “6 / 6 covered controls passing.”
EE 0.3.3 rewrites all three Azure audit functions to emit the canonical shape, fixes the f.finding → f.issues read in the run-loop (which would otherwise have produced [CRITICAL] undefined in the auditor-facing banner), and applies the same preventive port to plugin 021 (gcp-cloud-scanner) before any GCP customer hits the same false-clean class.
Mapped coverage extends to Azure: 6 new evidence rules, 3 controls
| Pattern (Azure) | Maps to |
|---|---|
| Owner role assigned to <principal> at subscription scope | CC6.1 — least privilege at the broadest blast-radius scope |
| Contributor role assigned to <principal> at subscription scope | CC6.1 — Contributor at sub-scope is effectively admin for the resource layer |
| User Access Administrator role assigned to <principal> at subscription scope | CC6.1 — UAA at sub-scope is the privesc primitive auditors specifically test for |
| NSG <name>: 0.0.0.0/0 → port <p> | CC6.6 — perimeter ingress without source restriction |
| Storage account <name>: defaultAction = Allow | C1.1 — confidential workload network-boundary opt-out |
| Storage account <name>: allowBlobPublicAccess = true | C1.1 — confidential workload public-blob exposure |
CC6.1, CC6.6, and C1.1 were already covered for AWS — those three controls now have both AWS-side and Azure-side evidence rows in docs/soc2-coverage.md, which is what auditors mean when they ask whether a tool “supports multi-cloud.”
Class-of-bug drift detector now spans all three cloud plugins
EE 0.3.2 introduced a plugin-emission drift detector that asserts every titlePattern regex in soc2.json matches at least one canonical issue string the corresponding plugin emits, and vice versa. In 0.3.3 the table extends to azure-cloud-scanner with both forward (rule → plugin) and reverse (plugin → rule) cross-walks. Future plugin renames or soc2.json rule edits will fail CI rather than silently drift into a third false-clean variant.
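The forward and reverse cross-walks described above can be sketched as follows. This is an added example, not Nsasoft's code: the rule fields (control, plugin, titlePattern), the regexes, the function names and the sample findings are assumptions modeled on the coverage table, and one finding deliberately uses the pre-0.3.3 singular shape to show it being reported instead of dropped.

```javascript
// Hypothetical rule rows modeled on the Azure coverage table; not the real soc2.json.
const RULES = [
  { control: 'CC6.1', plugin: 'azure-cloud-scanner',
    titlePattern: '^(Owner|Contributor|User Access Administrator) role assigned to .+ at subscription scope$' },
  { control: 'CC6.6', plugin: 'azure-cloud-scanner',
    titlePattern: '^NSG .+: 0\\.0\\.0\\.0/0 → port \\d+$' },
  { control: 'C1.1', plugin: 'azure-cloud-scanner',
    titlePattern: '^Storage account .+: (defaultAction = Allow|allowBlobPublicAccess = true)$' },
];

// Constructed plugin output. The third issue string is an invented, unmapped one;
// the last entry uses the pre-0.3.3 singular shape { severity, finding, resource }.
const SAMPLE = {
  'azure-cloud-scanner': [
    { resource: 'sub-0000', severity: 'CRITICAL',
      issues: ['Owner role assigned to svc-deploy at subscription scope'] },
    { resource: 'nsg-web', severity: 'HIGH', issues: ['NSG nsg-web: 0.0.0.0/0 → port 3389'] },
    { resource: 'stlogs', severity: 'HIGH',
      issues: ['Storage account stlogs: publicNetworkAccess = Enabled'] },
    { severity: 'HIGH', finding: 'Storage account stlogs: defaultAction = Allow', resource: 'stlogs' },
  ],
};

const isCanonical = (f) => typeof f.resource === 'string' && typeof f.severity === 'string' &&
  Array.isArray(f.issues) && f.issues.every((i) => typeof i === 'string');

// Returns every way rules and emissions disagree; three empty lists mean no drift.
function detectDrift(rules, emissionsByPlugin) {
  const report = { malformed: [], unmatchedRules: [], unmappedIssues: [] };
  for (const [plugin, findings] of Object.entries(emissionsByPlugin)) {
    const issues = [];
    for (const f of findings) {
      if (isCanonical(f)) issues.push(...f.issues);
      else report.malformed.push({ plugin, finding: f }); // surfaced, never silently dropped
    }
    const patterns = rules.filter((r) => r.plugin === plugin)
      .map((r) => ({ rule: r, re: new RegExp(r.titlePattern) }));
    // Forward (rule → plugin): each titlePattern must match at least one emitted issue.
    for (const { rule, re } of patterns) {
      if (!issues.some((i) => re.test(i))) report.unmatchedRules.push(rule.control);
    }
    // Reverse (plugin → rule): each emitted issue must be claimed by at least one rule.
    for (const i of issues) {
      if (!patterns.some(({ re }) => re.test(i))) report.unmappedIssues.push(i);
    }
  }
  return report;
}
```

In a CI job, any non-empty list in the report from `detectDrift(RULES, SAMPLE)` would fail the build.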
Production-bug fixes
- Plugin 022 RBAC duplicate emission (EE-0.3.3.3) — Set-based dedup on (principalId, scope, roleDefinitionId).
- @azure/arm-authorization version pin fix (EE-0.3.3.1) — Peer-dep was pinned at ^10.0.0; latest npm version is 9.0.0. Lowered to ^9.0.0.
- @azure/arm-storage missing optionalDependency (EE-0.3.3.5) — Added "@azure/arm-storage": "^19.0.0" to optionalDependencies.

The pre-publish gate (npm pack → npm install -g <tarball> → smoke against a real subscription) is now the canonical ship gate.
Upgrade path
```bash
# Existing 0.3.2 EE install — CE stays put at 0.1.30
npm install -g @nsasoft/nsauditor-ai-ee@latest
nsauditor-ai license --status
```
Existing 0.3.2 deployments are deprecated on npm with explicit pointers to the 0.3.3 upgrade target. Customers running AWS-only workloads still benefit from the canonical-shape contract enforcement and the extended drift detector — even if they never touch the Azure plugin.
Read the full SOC 2 multi-cloud guide at nsauditor.com/ai/docs/soc2/. Source: github.com/nsasoft/nsauditor-ai-ee.
Nsasoft US LLC is a Las Vegas-based network security software company specializing in privacy-first, AI-assisted security tooling. Press contact: info@nsasoft.us · License & enterprise sales: enterprise@nsasoft.us.




