nsauditor-ai-agent-skill 0.1.22 → 0.1.23

package/CHANGELOG.md CHANGED
@@ -4,6 +4,39 @@ Release notes for **`nsauditor-ai-agent-skill`** — installable knowledge packa
4
4
 
5
5
  ---
6
6
 
7
+ ## 0.1.23 — Catalog refresh: plugin 1200 v2 evidence-acquisition extension — paired with EE 0.6.2 trio-publish (patch-level extension: multi-region GuardDuty + Inspector2 enumeration + GovCloud / ISO region support + `FindingPublishingFrequency` check + Inspector2 baseline expansion; plugin count UNCHANGED at 22; thirteenth consecutive trio-publish)
8
+
9
+ **Trio-publish institutionalization continued.** Paired with EE 0.6.2 + CE 0.1.56 — **thirteenth consecutive trio-publish across EE + CE + agent-skill in a single session** (0.4.5–0.6.2).
10
+
11
+ ### What changed
12
+
13
+ - **`references/plugins.md`** — plugin 1200 row updated with v2 dim list. Multi-region enumeration (item a) replaces single-region scope; `FindingPublishingFrequency` check (item b) added as CC7.1 detection-latency dimension; Inspector2 baseline expansion (item e) grows scan-target baseline from {ec2, ecr, lambda} → {ec2, ecr, lambda, lambdaCode, codeRepository}. 4 same-session R1 reviewer folds applied (0 R-CRITICAL clean review pass): R-HIGH-1 region regex GovCloud + ISO support (closes FedRAMP / StateRAMP / IL5+ false-PASS class) + R-HIGH-2 frequency ordering not equality + R-MEDIUM-1 region cap defensibility + R-LOW-1 EC2 client instrumentation parity.
14
+ - **`SKILL.md`** — "post-EE 0.6.1" → "post-EE 0.6.2"; plugin count enumeration stays at 22 (existing plugin grew in scope).
15
+ - **`peerDependencies`** floor: unchanged at `nsauditor-ai >=0.1.40`.
16
+
17
+ ### Why the catalog refresh matters
18
+
19
+ AI coding agents using this skill now know that plugin 1200:
20
+
21
+ - Audits GuardDuty and Inspector2 across **all opted-in regions** by default (not just the client's configured region).
22
+ - Supports **GovCloud (`us-gov-*`) and ISO (`us-iso*-*`) regions** — operators on those substrates were silently skipped pre-0.6.2.
23
+ - Classifies the GuardDuty `FindingPublishingFrequency` against an institutional baseline of 15 minutes (operator-tunable).
24
+ - Treats Inspector2 Lambda code scanning and code-repository scanning as part of the institutional baseline (Inspector2 GA 2024+ scan-target additions).
25
+ - Exposes operator opts: `regions: string[]` / `skipMultiRegion: true` / `regionListCap: 1..256` / `gdFrequencyPassFrequency: FIFTEEN_MINUTES | ONE_HOUR | SIX_HOURS`.
26
+
27
+ ### Compatibility
28
+
29
+ No agent-skill API surface changes; pure documentation refresh. AI agents using earlier agent-skill versions against EE 0.6.2 still work, they just lack the v2 dim awareness.
30
+
31
+ **Customer install (paired):**
32
+
33
+ ```bash
34
+ npm install -g nsauditor-ai@0.1.56 @nsasoft/nsauditor-ai-ee@0.6.2
35
+ npm install nsauditor-ai-agent-skill@0.1.23
36
+ ```
37
+
38
+ ---
39
+
7
40
  ## 0.1.22 — Catalog refresh: NEW plugin 1200 AWS Inspector2 / GuardDuty Enablement Auditor — paired with EE 0.6.1 trio-publish (patch-level new-plugin extension — first AWS-managed-threat-detection substrate audit; plugin count 21 → 22)
8
41
 
9
42
  **Trio-publish institutionalization continued.** Paired with EE 0.6.1 + CE 0.1.55 — **twelfth consecutive trio-publish across EE + CE + agent-skill in a single session** (0.4.5–0.6.1).
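Review bot: the "Why the catalog refresh matters" bullets omit the one failure mode an agent most needs to know about: the soft-degrade path described in the SKILL.md hunk further down (EC2 SDK load failure or `ec2:DescribeRegions` AccessDenied falls back to the client's configured region and emits a distinct `_CAT_REGION_ENUM_ACCESSDENIED` LOW finding). Without that bullet, an agent reading only this changelog may treat a single-region result as "all opted-in regions" coverage; suggest a line such as "Falls back to the configured region with a LOW finding when DescribeRegions is denied; treat that finding as a coverage gap, not a PASS." Two smaller documentation points: the operator-opts bullet gives `regionListCap: 1..256` but not its default (the SKILL.md plugin row in this diff says 64), and the "What changed" entry labels items (a), (b) and (e) without saying what (c) and (d) were or that they remain deferred to 0.6.3.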
package/README.md CHANGED
@@ -106,11 +106,11 @@ This package provides **knowledge about** NSAuditor AI. To actually **run** scan
106
106
 
107
107
  | Edition | Price | Highlights |
108
108
  |---------|-------|-----------|
109
- | **Community** | Free / MIT | 23 plugins (17 core + 6 discovery), basic AI, SARIF, CTEM, scan history |
109
+ | **Community** | Free / MIT | 27 plugins (service probes + host/network discovery + intelligence/meta), basic AI, SARIF, CTEM, scan history |
110
110
  | **Pro** | $49/mo | + CVE matching, verification probes, risk scoring, 3 Pro plugins (040 TLS / 050 TRIBE / 060 DNS) |
111
- | **Enterprise** | $2k+/yr | + 20 cloud-substrate auditor plugins (1020-1190 range; AWS / GCP / Azure SOC 2 evidence-pack), Zero Trust, RFC 3161 timestamps, chain-of-custody attestations, air-gapped deployment |
111
+ | **Enterprise** | $2k+/yr | + 22 cloud-substrate auditor plugins (1020-1200 range; AWS / GCP / Azure SOC 2 evidence-pack), Zero Trust, RFC 3161 timestamps, chain-of-custody attestations, air-gapped deployment |
112
112
 
113
- → [Pricing](https://www.nsauditor.com/ai/pricing) · [Free trial](https://www.nsauditor.com/ai/trial)
113
+ → [Pricing](https://www.nsauditor.com/ai/pricing/)
114
114
 
115
115
  ## Related
116
116
 
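Review bot: the Free trial link is dropped from the `→` line (and from two agent-response scripts later in this diff), but the CHANGELOG hunk above describes 0.1.23 as a pure plugin-1200 catalog refresh and never mentions it. Agents running an earlier copy of this skill will keep recommending `nsauditor.com/ai/trial`; suggest a "What changed" line stating that the trial offer was removed and pricing is now the only onboarding link. On the Community row, the old "17 core + 6 discovery" breakdown summed to the stated 23, while the new "27 plugins (service probes + host/network discovery + intelligence/meta)" gives no per-category counts; keeping the numbers would make the 27 verifiable against the plugin table.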
package/SKILL.md CHANGED
@@ -206,22 +206,39 @@ ApproximateAgeOfOldestMessage + SNS NumberOfNotificationsFailed; closes 1 CRITIC
206
206
  false-CLEAN class on empty-AlarmActions silent-PASS per R-CRITICAL fold; first
207
207
  plugin-1150 dim to cross an SDK boundary — SQS+SNS → CloudWatch), AWS EC2
208
208
  SG Perimeter Auditor (1170 v2 — RESTRICTED_PORTS 23 ports per CIS AWS Foundations
209
- v3.0), AWS ElastiCache Redis Auditor (1180 v2 extended in EE 0.4.9: kms:DescribeKey
210
- promotion + subnet route-table verifier; closes both v1 deferred items R-MEDIUM-3 +
211
- R-LOW-2; main-RT-inheritance false-NEGATIVE closure per R-MEDIUM-2 reviewer-fold),
212
- AWS SES Email Integrity Auditor (1190 v3 — extended in EE 0.5.0 + consolidated in
213
- EE 0.5.2 + v3 extension in EE 0.5.3: DKIM CNAME DNS resolution + DMARC TXT record
214
- parser + SES classic API parity + deferred-items sweep + DKIM public-key fingerprint
215
- capture/pin + in-band DMARC alignment classifier; closes 1 CRITICAL false-CLEAN class on DMARC pct=0 per
216
- R-CRITICAL-1 fold + 1 HIGH false-NEGATIVE class on DMARC sp subdomain-policy override
217
- per R-HIGH-1 fold + new MEDIUM ses-dkim-dns-partial-with-transients per v2.1 R-MEDIUM-2
218
- fold + silent-loss-class closure on SES classic API quota exhaustion via cause:
219
- "classic-sdk-quota-exhausted" per v2.1 R-HIGH-2 reviewer-fold; first plugin in EE to
220
- depend on node:dns/promises for live DNS cross-reference).
209
+ v3.0), AWS VPC Endpoints / PrivateLink Auditor (1160NEW in EE 0.6.0; first plugin
210
+ to audit the PrivateLink isolation boundary; 4 dims: endpoint policy permissive
211
+ principals CC6.6, PrivateDNS enabled CC6.6, endpoint state A1.2+CC7.2, type substrate
212
+ Privacy+CC6.6), AWS ElastiCache Redis Auditor (1180 v2 — extended in EE 0.4.9:
213
+ kms:DescribeKey promotion + subnet route-table verifier; closes both v1 deferred items
214
+ R-MEDIUM-3 + R-LOW-2; main-RT-inheritance false-NEGATIVE closure per R-MEDIUM-2
215
+ reviewer-fold), AWS SES Email Integrity Auditor (1190 v3 extended in EE 0.5.0 +
216
+ consolidated in EE 0.5.2 + v3 extension in EE 0.5.3: DKIM CNAME DNS resolution + DMARC
217
+ TXT record parser + SES classic API parity + deferred-items sweep + DKIM public-key
218
+ fingerprint capture/pin + in-band DMARC alignment classifier; closes 1 CRITICAL
219
+ false-CLEAN class on DMARC pct=0 per R-CRITICAL-1 fold + 1 HIGH false-NEGATIVE class
220
+ on DMARC sp subdomain-policy override per R-HIGH-1 fold + new MEDIUM
221
+ ses-dkim-dns-partial-with-transients per v2.1 R-MEDIUM-2 fold + silent-loss-class
222
+ closure on SES classic API quota exhaustion via cause: "classic-sdk-quota-exhausted"
223
+ per v2.1 R-HIGH-2 reviewer-fold; first plugin in EE to depend on node:dns/promises
224
+ for live DNS cross-reference), AWS Inspector2 / GuardDuty Enablement Auditor (1200 v2 —
225
+ NEW in EE 0.6.1, extended in EE 0.6.2; first AWS-managed-threat-detection substrate
226
+ audit; bundles two services per the plugin 1150 precedent; v2 grows scope across
227
+ multi-region enumeration via ec2:DescribeRegions / per-region dispatch / per-region
228
+ finding tags + GuardDuty FindingPublishingFrequency check (CC7.1 detection-latency;
229
+ operator-tunable baseline; ordering-based comparison via `_GD_FREQUENCY_RANK`) +
230
+ Inspector2 baseline expansion (+lambdaCode +codeRepository per Inspector2 GA 2024+);
231
+ operator opts `regions[]` / `skipMultiRegion` / `regionListCap` (1..256 clamp) /
232
+ `gdFrequencyPassFrequency`; closes FedRAMP / StateRAMP / IL5+ false-PASS class via
233
+ R-HIGH-1 4-part region regex fold admitting `us-gov-*` + `us-iso*-*` IDs;
234
+ soft-degrade on DescribeRegions AccessDenied → fall back to client's configured
235
+ region + distinct LOW finding; 4 dims active dim 5 org-scope deferred to 0.6.3
236
+ R-MEDIUM-2; 6 R1 reviewer folds in 0.6.1 incl. R1-CRITICAL-1 soc2.json titlePattern
237
+ misalignment closure + 4 R1 folds in 0.6.2 — 0 R-CRITICAL clean review pass).
221
238
  **EE plugin IDs use the disjoint 1000+ range** (per EE 0.3.9 renumbering) to avoid
222
239
  CE collision. CE reserves 001-099.
223
240
 
224
- **EE SOC 2 substrate-evidence coverage (post-EE 0.6.1):** 10 covered controls (CC6.1 /
241
+ **EE SOC 2 substrate-evidence coverage (post-EE 0.6.2):** 10 covered controls (CC6.1 /
225
242
  CC6.2 / CC6.6 / CC6.7 / CC6.8 / CC7.1 / CC7.2 / CC7.3 / C1.1 / C1.2) + 4 partial
226
243
  (CC6.3 / CC8.1 / A1.2 / PI1.5) + 33 OOS for static substrate scanning. Coverage matrix
227
244
  is institutionally honest: substrate-evidence depth grows release-over-release without
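Review bot: the new 1200 entry reads "4 dims active dim 5 org-scope deferred to 0.6.3 R-MEDIUM-2" with no separators; suggest "4 dims active; dim 5 org-scope deferred to 0.6.3 per R-MEDIUM-2". The soft-degrade clause ("fall back to client's configured region + distinct LOW finding") also names no category, while the plugin table row in this same diff gives it as `_CAT_REGION_ENUM_ACCESSDENIED`; including the category string here lets an agent match the finding when it has to explain a narrower-than-expected region list. The added 1160 VPC Endpoints entry closes a real gap: the old paragraph jumped from 1170 to 1180 even though 1160 shipped in EE 0.6.0.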
@@ -383,11 +400,11 @@ Add to your MCP configuration with the same command/args pattern.
383
400
 
384
401
  | Edition | Price | Key Features |
385
402
  |---------|-------|-------------|
386
- | **Community** | Free / MIT | 23 plugins (17 core + 6 discovery), basic AI, CTEM, SARIF, scan history |
403
+ | **Community** | Free / MIT | 27 plugins (service probes + host/network discovery + intelligence/meta), basic AI, CTEM, SARIF, scan history |
387
404
  | **Pro** | $49/mo | + CVE matching, verification probes, risk scoring, Pro plugins (040 TLS / 050 TRIBE / 060 DNS) |
388
- | **Enterprise** | $2k+/yr | + 20 cloud-substrate auditor plugins (1020-1190 range) covering AWS / GCP / Azure against SOC 2 (10 covered + 4 partial controls); Zero Trust; SOC 2 evidence-pack generation; RFC 3161 timestamps; chain-of-custody attestations; air-gapped deployment |
405
+ | **Enterprise** | $2k+/yr | + 22 cloud-substrate auditor plugins (1020-1200 range) covering AWS / GCP / Azure against SOC 2 (10 covered + 4 partial controls); Zero Trust; SOC 2 evidence-pack generation; RFC 3161 timestamps; chain-of-custody attestations; air-gapped deployment |
389
406
 
390
- → [Pricing](https://www.nsauditor.com/ai/pricing) · [Free trial](https://www.nsauditor.com/ai/trial)
407
+ → [Pricing](https://www.nsauditor.com/ai/pricing/)
391
408
 
392
409
  ---
393
410
 
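Review bot: this table duplicates the README.md pricing table changed in the earlier hunk, and the two copies had already drifted in unchanged context (README's Pro row says "3 Pro plugins", this one says "Pro plugins"; this Enterprise row carries "(10 covered + 4 partial controls)" that the README row lacks). Either reconcile the wording now or state in SKILL.md that README.md is the source of record, so the next plugin-count bump does not update one copy and miss the other.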
@@ -199,7 +199,7 @@ Scan history is stored in .scan_history/ as JSONL for trend analysis."
199
199
  3. Agent response:
200
200
  "CVE lookup via NSAuditor requires a Pro license. Here are your options:
201
201
 
202
- 1. Start a free trial: nsauditor.com/ai/trial
202
+ 1. View Pro/Enterprise pricing: https://www.nsauditor.com/ai/pricing/
203
203
  2. Set NSAUDITOR_LICENSE_KEY in your MCP server environment
204
204
  3. Manual lookup: search nvd.nist.gov for 'openssh 8.9' directly
205
205
 
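Review bot: the replacement option 1 uses the full `https://www.nsauditor.com/ai/pricing/` form, while option 3 in the unchanged context still says "search nvd.nist.gov ... directly" in bare-host form; suggest `https://nvd.nist.gov` for consistency, since this is a scripted agent reply that will be echoed to users verbatim. Option 2 ("Set NSAUDITOR_LICENSE_KEY in your MCP server environment") is the right place for the key; consider adding "not in the chat transcript" so the scripted answer does not invite users to paste a license secret into the conversation.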
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "nsauditor-ai-agent-skill",
3
- "version": "0.1.22",
3
+ "version": "0.1.23",
4
4
  "description": "AI Agent Skill for NSAuditor AI — gives any AI coding agent built-in knowledge of NSAuditor's MCP tools, schemas, plugins, and security audit workflows.",
5
5
  "keywords": [
6
6
  "nsauditor",
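Review bot: only the `version` field changes in this hunk, so nothing here backs the CHANGELOG's "peerDependencies floor: unchanged at `nsauditor-ai >=0.1.40`" claim; the reviewer should confirm the rest of package.json is untouched. Note that the changelog's install command pins `nsauditor-ai@0.1.56` while the peer floor stays at 0.1.40, so npm will accept a much older CE without complaint; if the 0.6.2 pairing is required for the documented behaviour, say so in the changelog's Compatibility section rather than relying on the floor.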
@@ -185,7 +185,7 @@ listings, and default pages.
185
185
  | 1160 | AWS VPC Endpoints / PrivateLink Auditor (**NEW EE 0.6.0** — first new plugin since EE 0.4.7; first plugin to audit the PrivateLink isolation boundary; plugin count 20 → 21) | Enterprise | Audits AWS VPC endpoints (Interface + Gateway flavors) against **4 SOC 2 substrate-evidence dimensions** — VPC endpoints govern VPC-to-managed-service traffic without public-internet traversal (PrivateLink primitive). **Complements plugin 1170 SG perimeter** (1170 = layer-4 ingress; 1160 = service-layer perimeter). **Dim 1 — Endpoint policy permissive principals** (CC6.6 segmentation; wildcard-Principal classifier mirroring plugin 1150 SNS topic-policy discipline; NotPrincipal-Allow + Action-sensitivity filter via `_VPCE_SENSITIVE_ACTIONS` frozen Set; unconditional wildcard on sensitive action = CRITICAL — PrivateLink isolation BROKEN at policy layer; WITH Condition = HIGH walkthroughRequired). **Dim 2 — PrivateDNS enabled** (CC6.6; Interface + PrivateDnsEnabled=false = MEDIUM silent-bypass class — clients still resolve service-public hostname → traffic over public internet; Gateway = INFO not-applicable). **Dim 3 — Endpoint state** (A1.2 + CC7.2; `available` = PASS / `failed` = HIGH silent-failure / transient = INFO / unknown enum = LOW + evidenceGap). **Dim 4 — Endpoint type substrate disclosure** (Privacy + CC6.6; INFO substrate evidence per VPC). **2 same-session reviewer folds** (R-MEDIUM unknown-type fail-safe defaults to Interface — safer audit path; R-NIT Effect case-insensitivity regression pin). **No new SDK deps** — `@aws-sdk/client-ec2` already declared since EE 0.4.5 (used by plugin 1170 + plugin 1180 v2). 7 new soc2.json titlePattern entries (5 CC6.6 + 2 CC7.2/A1.2 dual-mapped). 57 plugin tests + 2 reviewer-fold pins (59 total). Synthetic-mock validation only — no VPC endpoint paired fixtures yet in test-infra-builder. | CC6.6 / A1.2 / CC7.2 / Privacy (substrate) |
186
186
  | 1170 | AWS EC2 SG Perimeter Auditor (v2 — extended in EE 0.4.6) | Enterprise | Orthogonal evidence to plugin 1023 zero-trust-checker (1023 reads OBSERVED open ports; 1170 reads DECLARED SG policy via DescribeSecurityGroups). 6 dimensions: IPv4 0.0.0.0/0 ingress to **RESTRICTED_PORTS (v2: 23 ports per CIS AWS Foundations v3.0)** — SSH/RDP/MS SQL/MySQL/Postgres/Redshift/Redis/Memcached/MongoDB/Elasticsearch/CouchDB/Docker/Kubelet/K8s-API/etcd/Kibana/InfluxDB/Kafka/Consul/ZooKeeper/Vault CRITICAL + IPv6 ::/0 sibling CRITICAL + all-protocol (-1) wildcard CRITICAL + public ingress to non-restricted ports INFO + egress 0.0.0.0/0 INFO + orphan SG (no attached ENI) LOW governance. **v2: `opts.additionalRestrictedPorts` operator-config knob** + **per-SG cardinality cap with rollup trailer** (defends against finding-size DoS on 1000+ SG accounts) + **system-managed-SG name-prefix exclusion list** (ElasticMapReduce- / eks-cluster-sg- / AWSServiceRole / awseb- prefixes excluded from orphan-detection). UserIdGroupPairs rules surfaced as INFO + evidenceGap; transitive SG→SG chain analysis deferred to v3 | CC6.6 / CC6.2 |
187
187
  | 1180 | AWS ElastiCache Redis Auditor (v2 — extended in EE 0.4.9) | Enterprise | First plugin in 1170-1180 ID range. **6 SOC 2 substrate-evidence dimensions** (v1 unchanged in count; v2 grew dims 2 + 6 in scope). **v1 dims preserved:** transit encryption (TransitEncryptionEnabled wraps RESP in TLS; HIGH on disabled) + Redis AUTH/IAM-auth user groups (PASS on UserGroupIds; MEDIUM no-authentication) + Multi-AZ deployment (HIGH disabled / INFO standalone-not-applicable / INFO+evidenceGap on transient enabling/disabling states) + SnapshotRetentionLimit cadence (HIGH=0 / MEDIUM 1-6 / PASS ≥7; operator-tunable `opts.snapshotRetentionPassMinDays`). Dual API enumeration (DescribeReplicationGroups + DescribeCacheClusters) with inter-API dedup. **v2 GROWN dims (EE 0.4.9 EE-RT.17 v2):** **dim 2 at-rest encryption + KMS key custody** — original four-tier ladder (HIGH disabled → MEDIUM AWS-owned-default → MEDIUM `alias/aws/elasticache` → PASS customer-managed CMK + LOW+evidenceGap on `:key/UUID` per conservative-classifier-principle) **PLUS v2 kms:DescribeKey cross-reference promotion** (mirrors plugin 1140 v2): UNVERIFIABLE `:key/UUID` ARN shapes promoted via KeyMetadata.KeyManager to deterministic PASS `elasticache-at-rest-customer-managed-kms-promoted` (CUSTOMER) / MEDIUM `elasticache-at-rest-aws-managed-kms-promoted` (AWS); conservative on AccessDenied/NotFound/unknown KeyManager. 
**dim 6 subnet routing** — v1 INFO substrate (`elasticache-subnet-group-substrate`) plus **v2 ec2:DescribeRouteTables verifier** that walks the cache subnet group's subnets via elasticache:DescribeCacheSubnetGroups + filtered ec2:DescribeRouteTables, classifying each subnet on Internet Gateway route presence via /^igw-[a-f0-9]+$/i (correctly excludes egress-only eigw-): HIGH `elasticache-subnet-public-route-detected` (with per-subnet `igwDestinationsBySubnet` evidence per R-HIGH-1 fold) / PASS `elasticache-subnet-private-verified` (all subnets verified IGW-free) / LOW + evidenceGap `elasticache-subnet-main-rt-inheritance` per R-MEDIUM-2 false-NEGATIVE closure (default-VPC main-RT typically routes `0.0.0.0/0 → igw-*`) / LOW + evidenceGap `elasticache-subnet-verification-unverifiable` on AccessDenied. **Cross-plugin sister of plugin 1170 SG perimeter** (layer-3 subnet→IGW vs layer-4 SG ingress policy). **7 same-session v2 reviewer folds** (HIGH-1 IGW destination evidence; MEDIUM-2 main-RT-inheritance false-NEGATIVE closure; MEDIUM-3 cache-key naming; LOW-6/7/9/10/11 + NIT-12). **Per-resource caching** prevents N×M API explosion (kmsKeyManagerCache + subnetGroupCache + subnetSetRoutingCache). **No new SDK deps** — @aws-sdk/client-kms + @aws-sdk/client-ec2 reused from EE 0.4.5. **Real-AWS smoke END-TO-END against 522412052794**: R-MEDIUM-2 fold escalation demonstrably firing in production (`redis-leaky-cache` → dim 6 LOW main-RT-inheritance). | CC6.1 / CC6.2 / CC6.6 / A1.2 / C1.1 |
188
- | 1200 | AWS Inspector2 / GuardDuty Enablement Auditor (**NEW EE 0.6.1** — first AWS-managed-threat-detection substrate audit; second multi-service plugin in EE after plugin 1150 SQS+SNS; plugin count 2122) | Enterprise | Audits AWS GuardDuty + AWS Inspector2 enablement state — **foundation-layer institutional evidence for CC7.1 detection procedures + CC7.2 monitoring** (an audit pack without managed-threat-detection evidence has no AWS-native anomaly-detection or CVE-detection stream). **4 active SOC 2 dimensions** (dim 5 org-scope deferred to v2 per EE-RT.20.1): **Dim 1 GuardDuty Detector enablement per region** (CC7.1 `guardduty:ListDetectors`; zero detectors = HIGH `gd-not-enabled` institutional silent-blind class) + **Dim 2 GuardDuty protection-feature coverage** (CC7.1 evidence depth per-detector `guardduty:GetDetector`; institutional baseline S3_DATA_EVENTS / EKS_AUDIT_LOGS / EBS_MALWARE_PROTECTION / **RDS_LOGIN_EVENTS (R1-HIGH-3 fold added to baseline)** / LAMBDA_NETWORK_LOGS / RUNTIME_MONITORING; modern Features[] + legacy DataSources fallback both supported with shared case-insensitive `_statusEnabled` predicate per `[[aws_string_case_normalization]]` R1-CRITICAL-2 fold) + **Dim 3 Inspector2 enablement** (CC7.1 + CC7.2 `inspector2:BatchGetAccountStatus`; DISABLED/SUSPENDED = HIGH silent-blind for CVE coverage on EC2/ECR/Lambda fleet; transient = INFO; unknown enum = LOW + evidenceGap per `[[conservative_classifier_principle]]`) + **Dim 4 Inspector2 scan-target coverage** (CC7.1 zero / CC7.2 partial institutional baseline {EC2, ECR, Lambda}; zero resource types active = HIGH `inspector2-coverage-zero` silent-blind; partial = MEDIUM with explicit `disabledResources` list). 
**6 same-session R1 reviewer folds applied** (network-security + Explore in parallel): R1-CRITICAL-1 soc2.json titlePattern misalignment closure (4 patterns; would have silently failed CC7.1/CC7.2 compliance routing) + R1-CRITICAL-1 AccessDenied distinct findings (distinct `_CAT_GD_ACCESSDENIED` / `_CAT_INS_ACCESSDENIED` so auditor walkthrough knows auditor-IAM-gap distinct from service absence) + R1-CRITICAL-2 legacy DataSources case normalization + R1-HIGH-2 SUSPENDED/DISABLED Detector Status guard (silent-blind closure HIGH `_CAT_GD_DETECTOR_NOT_ENABLED`) + R1-HIGH-3/4 dead-code drift closures. **4 R2 reviewer-deferred** (queued in EE-RT.20.1): all-regions enumeration / FindingPublishingFrequency check / alerting-destination check / BatchGetAccountStatus contract verification. **No new SDK deps** — `@aws-sdk/client-guardduty` + `@aws-sdk/client-inspector2` added to optionalDependencies. 7 new soc2.json titlePattern entries (4 CC7.1 + 3 CC7.2) all anchored to actual plugin emission strings after R1-CRITICAL-1 fold. 48 plugin tests + 4 R1-fold regression pins (52 total). Synthetic-mock validation only — no GuardDuty/Inspector2 paired fixtures yet in test-infra-builder. | CC7.1 / CC7.2 |
188
+ | 1200 | AWS Inspector2 / GuardDuty Enablement Auditor (NEW EE 0.6.1, **EXTENDED EE 0.6.2 v2** multi-region enumeration + FindingPublishingFrequency check + Inspector2 baseline expansion; closes FedRAMP / StateRAMP / IL5+ false-PASS class for GovCloud + ISO regions; plugin count UNCHANGED at 22 — existing plugin grew ~870 ~1400 lines) | Enterprise | Audits AWS GuardDuty + AWS Inspector2 enablement state across **all opted-in regions** — **foundation-layer institutional evidence for CC7.1 detection procedures + CC7.2 monitoring** (an audit pack without managed-threat-detection evidence has no AWS-native anomaly-detection or CVE-detection stream). **v2 EE 0.6.2 GROWN scope** (closes 3 of 4 R2-deferred items from EE-RT.20 v1): **(a) Multi-region enumeration** — `ec2:DescribeRegions` enumerates opted-in regions (AllRegions=false defensively); per-region GuardDuty + Inspector2 dispatch; per-region findings carry region tag. Operator opts: `regions: string[]` (filter to subset, validated + deduped + capped 64 default), `skipMultiRegion: true` (cost-sensitive opt-out), `regionListCap` (1..256 clamp). Soft-degrade: EC2 SDK load failure / DescribeRegions AccessDenied → fall back to `config.region` + distinct `_CAT_REGION_ENUM_ACCESSDENIED` LOW finding. Back-compat: legacy single-region opts (`_guardDutyClient` / `_inspector2Client` singular) still respected. **(b) GuardDuty FindingPublishingFrequency check** — CC7.1 detection-latency. `_classifyGuardDutyFrequency` 4 outcomes: PASS `gd-frequency-optimal` / LOW `gd-frequency-suboptimal` / LOW `gd-frequency-unverifiable` (null detector or unknown enum). Operator-tunable: `gdFrequencyPassFrequency` (FIFTEEN_MINUTES / ONE_HOUR / SIX_HOURS; default FIFTEEN_MINUTES). **Ordering-based comparison** via `_GD_FREQUENCY_RANK` map (R-HIGH-2 fold) stricter actual = PASS even when operator tuned baseline upward. 
**(e) Inspector2 baseline expansion** — `lambdaCode` (Lambda code scanning) + `codeRepository` (Inspector2 GitHub/GitLab scanning, GA 2024+) added to `_INS_INSTITUTIONAL_BASELINE_RESOURCES` (was {ec2, ecr, lambda}; now {ec2, ecr, lambda, lambdaCode, codeRepository}). **v1 dims preserved (4 active dims; dim 5 org-scope deferred to 0.6.3):** Dim 1 GuardDuty Detector enablement per region (CC7.1 — HIGH `gd-not-enabled`) + Dim 2 GuardDuty protection-feature coverage (CC7.1 institutional baseline S3_DATA_EVENTS / EKS_AUDIT_LOGS / EBS_MALWARE_PROTECTION / RDS_LOGIN_EVENTS / LAMBDA_NETWORK_LOGS / RUNTIME_MONITORING) + Dim 3 Inspector2 enablement (CC7.1 + CC7.2 — DISABLED/SUSPENDED = HIGH) + Dim 4 Inspector2 scan-target coverage (CC7.1 zero / CC7.2 partial). **4 same-session R1 v2 reviewer folds** (network-security + Explore in parallel; 0 R-CRITICAL clean review pass): **R-HIGH-1 region regex GovCloud + ISO support** pre-fold `^[a-z]{2,}-[a-z]+-[0-9]+$` silently dropped 4-part region IDs (`us-gov-east-1` / `us-iso-east-1` / `us-isob-east-1` / `us-isof-south-1`); operator passing `regions: ["us-gov-east-1"]` got silent skip + false-PASS — institutional-critical for FedRAMP / StateRAMP / IL5+ scope. Post-fold `^[a-z]{2,}(-[a-z]+){1,2}-[0-9]+$` admits 3- AND 4-part IDs. + **R-HIGH-2 frequency ordering not equality** (described above). + **R-MEDIUM-1 `_REGION_LIST_CAP` defensibility** — pre-fold hardcoded 32 silently truncated 4-part regions (AWS has ~40+ regions in 2026); post-fold default raised to 64 + operator-tunable + explicit truncation warning. + **R-LOW-1 EC2 client instrumentation** — operator-supplied `_ec2Client` now receives Thread-H AccessDenied counter + throttle-retry contract uniformly. 
**R2 reviewer-deferred** (queued in EE-RT.20.2 / 0.6.3): alerting-destination check (item c needs `@aws-sdk/client-eventbridge` + `@aws-sdk/client-securityhub` integrations) + BatchGetAccountStatus contract verification (item d) + R-MEDIUM-2 `_getInspector2AccountStatus` return-shape refactor + optional dim 5 org-scope. **6 R1 v1 folds (EE 0.6.1) preserved as regression pins**: R1-CRITICAL-1 soc2.json titlePattern misalignment closure (4 patterns) + R1-CRITICAL-1 AccessDenied distinct findings + R1-CRITICAL-2 legacy DataSources case normalization + R1-HIGH-2 SUSPENDED/DISABLED Detector Status guard + R1-HIGH-3/4 dead-code drift closures. **No new SDK deps** — `@aws-sdk/client-guardduty` + `@aws-sdk/client-inspector2` + `@aws-sdk/client-ec2` already in optionalDependencies. 7 new soc2.json titlePattern entries from v1 still anchored. v2 tests: +27 (21 base + 6 R1-fold regression pins). Synthetic-mock validation only — no multi-region GuardDuty/Inspector2 paired fixtures yet in test-infra-builder. | CC7.1 / CC7.2 |
189
189
  | 1190 | AWS SES Email Integrity Auditor (NEW EE 0.4.7; EXTENDED EE 0.5.0 v2; CONSOLIDATED EE 0.5.2 v2.1; **EXTENDED EE 0.5.3 v3** — Part A DKIM public-key fingerprint capture/pin + Part B in-band DMARC alignment classifier; 5 same-session reviewer folds incl. 1 R-CRITICAL false-CLEAN closure on truncated DKIM keys via new `_stripControlCharsNoTruncate` helper; v2.1 closed — 7 deferred reviewer-fold items closed + new MEDIUM `ses-dkim-dns-partial-with-transients` category + module-load-time disjointness IIFE + silent-loss-class closure on SES classic API quota exhaustion via `cause: "classic-sdk-quota-exhausted"`) | Enterprise | **v2 EE 0.5.0 GROWN dims:** **dim 1 DKIM** — original substrate **PLUS v2 DKIM CNAME DNS resolution promotion**: each `<token>._domainkey.<domain>` CNAME resolved via node:dns/promises + matched against `<token>.dkim.amazonses.com` (case-insensitive per RFC 1035 §2.3.3); four outcomes PASS `ses-dkim-dns-verified` / MEDIUM `ses-dkim-dns-partial` / **HIGH `ses-dkim-dns-missing` (false-CLEAN closure: SES Status=SUCCESS but DNS removed)** / LOW + evidenceGap `ses-dkim-dns-unverifiable`. **dim 2 MailFrom** — original substrate **PLUS v2 DMARC TXT record parser + MailFrom promotion**: RFC 7489 §6.4 tag-list parser + `_dmarc.<identityDomain>` TXT lookup; five outcomes PASS `ses-dmarc-policy-reject` / MEDIUM `ses-dmarc-policy-quarantine` / HIGH `ses-dmarc-policy-none` / HIGH `ses-dmarc-missing` / LOW + evidenceGap `ses-dmarc-unverifiable`. **R-CRITICAL-1 fold (false-CLEAN closure)**: `pct=0` on `p=reject`/`p=quarantine` functionally equivalent to `p=none`; now routes to HIGH `ses-dmarc-policy-none`. **R-HIGH-1 fold (subdomain-takeover false-NEGATIVE closure)**: `sp` subdomain-policy override now evaluated — `p=reject; sp=none` downgrades to HIGH with `dmarcSpWeakens` (subdomain phishing wide open while apex protected). 
**dim 4 sending-auth policies** — original IAM-policy classifier **PLUS v2 SES classic GetIdentityPolicies parity**: `_loadSesClassicSdk` restored; cross-API discrepancy emits HIGH `ses-classic-policy-discrepancy` (classic-only — canonical false-NEGATIVE class) / MEDIUM (`_canonicalSort` JSON deep-equal ignores whitespace + key-order drift) / INFO (v2-only benign). Conservative on classic SDK unavailable / AccessDenied → LOW + evidenceGap. **v1 dims preserved unchanged:** TLS enforcement (dim 3) + dedicated IP pool (dim 5) + suppression list (dim 6 ZDE — count + reason only). **v2 promoter pattern**: sync v1 classifiers unchanged; async promoters walk collected findings post-classification. **R-HIGH-2 fold**: brittle `inTestMode = !!opts._client` coupling replaced with explicit `_skipV2Promotion` master switch + 3 orthogonal kill-switches. **First plugin in EE to depend on node:dns/promises** for live DNS cross-reference. **8 same-session v2 reviewer folds** (1 CRITICAL + 3 HIGH + 2 MEDIUM + 2 LOW); 6 queued in Pick-up Block. **Real-DNS smoke validation END-TO-END** against production resolvers (`_dmarc.nsasoft.us` parsed correctly: `p=reject, sp=reject, pct=100`; forward-compat `fo=1` tag preserved). Empty-account SESv2 enumeration baseline succeeded end-to-end against 522412052794. **v1 base (preserved):** First plugin in 1190-1199 ID range. Closes the next-highest-priority gap from `tasks/things-to-check.md` AWS SOC 2 audit-canonical compliance checklist after Redis closed in 0.4.6. 
**6 audit dimensions:** **DKIM enablement + signing status** (CC6.1 / Privacy — HIGH on `SigningEnabled=false`; transient PENDING/TEMPORARY_FAILURE/NOT_STARTED INFO + walkthroughRequired; FAILED MEDIUM on DNS drift; unknown enum LOW + evidenceGap per conservative-classifier-principle) + **custom MailFrom domain alignment** (Privacy substrate — INFO + walkthroughRequired on default amazonses.com / PASS on custom + Status=SUCCESS) + **configuration set TLS enforcement** (C1.1 — REQUIRE PASS / OPTIONAL HIGH SMTP-downgrade-attack window / non-string-but-truthy distinct LOW with `tlsPolicyType` evidence per R-MEDIUM-7 fold) + **identity sending authorization policy permissive principals** (CC6.6 — multi-class wildcard detector covering bare `"*"` / `{AWS:"*"}` / `{Service:"*"}` / `{Federated:"*"}` / `{CanonicalUser:"*"}` / array-form `[*]` per R-HIGH-4 fold + distinct HIGH `ses-sending-auth-notprincipal-allow` per R-CRITICAL-1 fold catching NotPrincipal+Allow wildcard-EQUIVALENT class + LOW + evidenceGap `ses-sending-auth-malformed-statement` per R-HIGH-2 fold) + **dedicated IP pool sending posture** (CC7.1 substrate, account-level — INFO + walkthroughRequired on configured pools / INFO on shared-pool default) + **suppression list state** (CC7.1 deliverability substrate — **ZDE invariant: NEVER reads suppressed-destination email addresses**; count + reason only; verified at run() envelope boundary via sentinel-string assertion per R-LOW-8 fold). Dual API surface discipline: v1 uses SESv2 only (canonical modern API); `@aws-sdk/client-ses` declared in optionalDependencies for v2+ cross-API parity. **11 same-session reviewer folds** — ties single-cycle reviewer-fold record. **CRITICAL-1 closure**: NotPrincipal+Allow false-CLEAN class (matches plugins 1070 + 1150 discipline). **HIGH-4 closure**: `_isWildcardPrincipal` walks every Principal class value (pre-fold only `principal.AWS` inspected, leaking `{Service:"*"}` + `{Federated:"*"}` as silent CLEAN). 
**No real-AWS smoke against violation-tier fixtures** — test-infra-builder has NO SES paired fixtures yet (full-stack fixtures deferred to v2 alongside DKIM CNAME DNS resolution + DMARC TXT record parsing); empty-account smoke baseline against 522412052794 DID succeed end-to-end. | CC6.1 / CC6.6 / C1.1 / CC7.1 (substrate) / Privacy (substrate) |
190
190
 
191
191
  ---
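Review bot: the FindingPublishingFrequency description says `_classifyGuardDutyFrequency` has "4 outcomes" but lists three (PASS `gd-frequency-optimal` / LOW `gd-frequency-suboptimal` / LOW `gd-frequency-unverifiable`); either the null-detector and unknown-enum cases are separate categories that should be listed separately, or the count should read 3. Two rendering problems: the header's "existing plugin grew ~870 ~1400 lines" has lost its arrow (the removed row's "plugin count 2122" shows the same loss, whereas the 1160 row's "plugin count 20 → 21" survives), so check the source for a dropped `→`; and the 1200 row is inserted between 1180 and 1190, breaking the ascending ID order the table otherwise keeps, so move it after the 1190 row. The post-fold regex `^[a-z]{2,}(-[a-z]+){1,2}-[0-9]+$` does admit all four listed IDs (`us-gov-east-1`, `us-iso-east-1`, `us-isob-east-1`, `us-isof-south-1`) and the 3-part standard form; worth keeping one negative pin (a 5-part or digit-less string) beside the positive ones so the `{1,2}` bound stays intentional.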
@@ -298,4 +298,4 @@ User wants to...
298
298
  1. `probe_service` and `get_vulnerabilities` require Pro license
299
299
  2. Set `NSAUDITOR_LICENSE_KEY` environment variable
300
300
  3. CE alternative: use `scan_host` (always available) + manual CVE research
301
- 4. Trial available at nsauditor.com/ai/trial
301
+ 4. Pro/Enterprise pricing: https://www.nsauditor.com/ai/pricing/
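Review bot: this is the third place in the diff where the trial URL is replaced, but these hunks only cover the regions shown; suggest a search of the whole package (SKILL.md, README.md and the `references/plugins.md` file the changelog mentions) for `ai/trial` before publishing, so no stale onboarding link survives in a section these hunks did not touch.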