NSAuditor AI Enterprise 0.32.0: Push Your Compliance Evidence to Vanta and Drata at Scan Time

NSAuditor AI Enterprise 0.32.0 is live on npm, paired with Community Edition 0.2.25 and agent-skill 0.2.23. The headline is GRC push activation: a single NSAuditor compliance scan can now map every finding to your GRC platform’s own evidence and test records and push them at scan time — so your Vanta or Drata workspace reflects your latest cloud posture without an export/import round-trip. It is opt-in and Zero-Data-Exfiltration by default: nothing leaves your infrastructure unless you set the environment variables, egress is redaction-gated, and your API token is never written to any artifact.

Vanta: scan-time push, activated

NSAuditor has shipped a Vanta connector library since v0.11.0 — but it was dormant: nothing read the configuration, nothing pushed at scan time. EE 0.32.0 wires it in. Set COMPLIANCE_GRC_PROVIDER=vanta and COMPLIANCE_GRC_TOKEN, and every compliance scan maps its findings to Vanta test results and pushes them — with suppression-aware outcome mapping (pass / fail / passed-with-compensating-control), framework-dimensioned idempotency keys so a network-timed-out retry never creates a duplicate record, rate-limit backoff, a consecutive-failure circuit breaker, and a durable per-control audit log written next to your scan artifacts. The token is redacted from every log and error path and is never serialized.

Drata: a new connector

New this release: a Drata connector built on Drata’s Custom Connections model. It pushes structured records to your Custom Connection resource; your own Drata Test Builder rules (Advanced/Enterprise plans) evaluate them — the connector delivers the evidence, your rules do the evaluation. It is self-contained and rides the same hardened push loop as the Vanta path, carrying the same reliability and audit-integrity guarantees.

Honest about what “shipped” means

The Vanta and Drata connectors are shipped, opt-in, and covered by an extensive test suite. Live validation against production Vanta and Drata tenants is in progress as partner onboarding proceeds — until it completes, treat production use as early-access and validate against your own tenant first. This is a single-workspace, operator-configured connector; it is not a multi-tenant managed sync. Secureframe is on the roadmap. We would rather tell you exactly where the connector is than oversell it.

Positive evidence for AWS

NSAuditor’s Report-on-Compliance can surface positive substrate — curated, per-control proof that a control is operating — alongside violations, without ever changing a control’s pass/fail status. This release opts in 60 AWS PASS-tier findings: 32 at-rest (RDS, Backup, ElastiCache) and 28 across SES, SQS/SNS, Inspector/GuardDuty, VPC endpoints, security-group perimeters, API Gateway, and Secrets Manager. Each carries an honest, framework-neutral caveat that says exactly what a point-in-time configuration scan does and does not prove. It is display-only, non-flipping, and count-neutral — and every curated finding gates on complete, verified evidence: a PASS over a truncated enumeration, an AccessDenied read, or a partially-captured population does not opt into positive substrate.

The numbers

This is a minor (major-feature) release with no new framework and no new plugins — still 28 — and all seven coverage matrices unchanged: SOC 2 10/4/33, HIPAA 7/3/45, NIST CSF 2.0 13/10/83, PCI DSS v4.0.1 19/9/39, ISO 27001:2022 17/14/62, CIS Controls v8 17/23/113, GDPR Art. 32 4/5/2.

Availability

On npm now: @nsasoft/nsauditor-ai-ee@0.32.0 (restricted, Pro/Enterprise), nsauditor-ai@0.2.25 (Community Edition, MIT), nsauditor-ai-agent-skill@0.2.23. Community Edition install: npm i -g nsauditor-ai. The Enterprise GRC connectors require the @nsasoft/nsauditor-ai-ee package. Docs and pricing: https://www.nsauditor.com/ai/enterprise/