NSAuditor AI EE 0.8.0: Azure Cloud Scanner Gets Per-Dimension Source Routing, Key Vault SOC 2 Coverage, and True Multi-Cloud Attestation

MobNS

What Changed in EE 0.8.0

NSAuditor AI Enterprise Edition 0.8.0 arrives as a minor version milestone — the twenty-fifth consecutive trio-publish alongside CE 0.1.68 and agent-skill 0.1.35. The headline change is a structural refactor of Plugin 1022, the Azure cloud scanner: each of its four audit dimensions now emits findings under its own named source rather than a shared umbrella, enabling routing precision that was previously impossible.

Four Named Sources Replace One Umbrella

The four Azure audit helpers now carry distinct source identifiers:

  • azure-nsg-auditor — Network Security Group ingress rule auditing
  • azure-rbac-auditor — RBAC role assignment auditing at subscription scope
  • azure-storage-auditor — Storage account exposure and public blob access
  • azure-keyvault-auditor — Key Vault lifecycle, network, and authorization controls

This change resolves a long-standing blocker: Azure storage findings can now route into the Appendix A “Cloud Bucket Exposure Attestation” section without pulling NSG, RBAC, or Key Vault findings along with them.

Key Vault Gets Its First SOC 2 Mapping Coverage

EE 0.8.0 adds 13 new soc2.json mappings for the Key Vault audit dimension. Prior to this release, Key Vault findings were scanned and emitted, but never wired to any SOC 2 controls. The new mappings cover CC6.1 (network ACL), CC6.3 (access policy model), C1.1 (purge protection), and A1.2 (soft-delete retention) — with both failure-state and PASS attestation entries for each control.

Appendix A Now Spans Three Clouds

With azure-storage-auditor joining the bucket attestation source set, the SOC 2 compliance report’s cloud bucket appendix now draws from AWS S3 (plugin 1020), GCP Cloud Storage (plugin 1024), and Azure Storage (plugin 1022) in a single unified view. A provider-qualified dedup key prevents bucket-name collisions for organizations that replicate storage across clouds under shared naming conventions.

Migration Required for Azure Suppression Files

Operators using match.source: 'azure-cloud-scanner' in suppression files must update those entries post-0.8.0. The umbrella source no longer carries any SOC 2 mappings and findings will not match against it. Each suppression should be split into entries targeting the appropriate per-dimension source.

Install EE 0.8.0

npm install -g nsauditor-ai@0.1.68 @nsasoft/nsauditor-ai-ee@0.8.0

Release notes: https://www.nsauditor.com/ai/enterprise/

Related Posts:

  • nsauditor-ai-ee-0-3-3-azure-soc2-multicloud
  • nsauditor-ai-ee-0-6-3-alerting-destination-audit-unrouted-security-findings
  • nsauditor-ai-ee-0-6-4-eventbridge-target-verification-mobns
  • nsauditor-ai-ee-068-enhances-multi-cloud-storage-audits-with-new-gcp-cloud-stora
  • nsauditor-ai-ee-045-enhances-cloud-security-with-new-aws-plugins-and-comprehensi