July 4, 2026
SOCFortress Vulnerability Operations Center — Part III - July 2026 Update: Five New Audit Modules

By SOCFortress
Intro
We shipped a significant set of features to VulnOps on July 3rd. This post walks through everything that landed: five new CIS-benchmark audit modules, a persistent manual override workflow for findings that require human judgement, and a UI overhaul that gives each cloud provider its own dedicated tab in Cloud Posture. All of these are live in the current build.
What We Built
- Power Platform Audit
- Google Workspace Audit
- Snowflake CIS Audit
- Digital Ocean CIS Foundations
- Alibaba Cloud CIS Audit
- Dashboard Health Pills
- Manual Override Workflow
Power Platform Audit — 22 CIS Controls
Microsoft Power Platform (Power Apps, Power Automate, Power BI) is increasingly deployed in enterprise environments, often with default settings that permit broad data sharing or unauthenticated connectors. The new Power Platform Audit module implements 22 controls from the CIS Microsoft Power Platform Benchmark.
API surface: The module authenticates via Microsoft Graph (https://graph.microsoft.com) and the Business Application Platform API (https://api.bap.microsoft.com) using an Azure service principal with the client_credentials OAuth flow. Credentials (tenant ID, client ID, client secret) are encrypted at rest with Fernet before storage.
What it checks:
- Power Platform tenant isolation settings (guest access, cross-tenant connections)
- DLP (Data Loss Prevention) policy coverage across default and non-default environments
- Power BI workspace sharing permissions and public access controls
- Connector classification — which connectors are blocked vs. allowed in each environment
- Audit log retention and admin activity logging configuration
Controls that cannot be evaluated programmatically (e.g., those requiring manual review of connector classifications or custom policies) are returned as MANUAL_REVIEW rather than a false PASS. Those findings are the primary candidates for the manual override workflow described below.
Schema: power_platform_audit_jobs, power_platform_findings, power_platform_configs. Finding records carry cis_id, title, result (PASS | FAIL | MANUAL_REVIEW), severity, rationale, remediation, and optionally resource_id when the control applies to a specific environment.
Google Workspace Audit — 25 CIS Controls
The Google Workspace Audit module covers 25 controls from the CIS Google Workspace Benchmark using the Google Admin SDK Directory API and DNS-based checks for SPF/DKIM/DMARC posture.
Authentication: Service account key (JSON) with domain-wide delegation. The module impersonates a super-admin to access directory settings without interactive login. The service account key is stored encrypted.
Coverage areas:
- Super-admin account hygiene (MFA enrollment, recovery options, inactive admin accounts)
- Third-party OAuth app access (marketplace trust model, OAuth scope review)
- Gmail security settings (enhanced pre-delivery scanning, external recipient warnings, attachment malware scanning)
- Email authentication (SPF record ~all vs. -all, DKIM key rotation age, DMARC p=reject policy)
- Google Drive sharing defaults (external sharing scope, public link creation)
- Calendar external sharing and directory listing controls
DNS checks run synchronously at scan time using Python's dns.resolver — no external lookup service required.
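As an added illustration of the SPF/DMARC portion of those DNS checks (example code, not the VulnOps module): the evaluators below work on TXT record strings, and fetch_txt wraps dns.resolver for a live scan. The sample zone data and the names example.test and sample_resolver are constructed for an offline run.

```python
"""Added example (not VulnOps code): SPF and DMARC checks run over TXT
records, with an optional dns.resolver lookup for live scans."""
from typing import Callable, Dict, List

def fetch_txt(name: str) -> List[str]:
    """Resolve TXT records with dnspython (imported lazily so the parsers stay usable offline)."""
    import dns.resolver  # pip install dnspython
    try:
        answer = dns.resolver.resolve(name, "TXT")
    except Exception:
        return []  # NXDOMAIN, timeout or no TXT data: let the checks report FAIL
    return ["".join(s.decode() for s in r.strings) for r in answer]

def check_spf(records: List[str]) -> Dict[str, str]:
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return {"result": "FAIL", "rationale": "no SPF record published"}
    if len(spf) > 1:  # RFC 7208: more than one SPF record is a permanent error
        return {"result": "FAIL", "rationale": "multiple SPF records published"}
    # the trailing 'all' mechanism decides how unlisted senders are treated
    all_term = next((t for t in spf[0].split() if t.lstrip("+-~?").lower() == "all"), None)
    if all_term == "-all":
        return {"result": "PASS", "rationale": "SPF ends with -all (hard fail)"}
    if all_term == "~all":
        return {"result": "FAIL", "rationale": "SPF ends with ~all (soft fail only)"}
    return {"result": "FAIL", "rationale": f"SPF all qualifier is {all_term or 'missing'}"}

def check_dmarc(records: List[str]) -> Dict[str, str]:
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return {"result": "FAIL", "rationale": "no DMARC record at _dmarc"}
    # tags are 'k=v' pairs separated by ';'
    tags = dict(p.strip().split("=", 1) for p in dmarc[0].split(";") if "=" in p)
    policy = tags.get("p", "").strip().lower()
    if policy == "reject":
        return {"result": "PASS", "rationale": "DMARC p=reject"}
    return {"result": "FAIL", "rationale": f"DMARC p={policy or 'missing'}; expected reject"}

def audit_email_auth(domain: str, resolver: Callable[[str], List[str]] = fetch_txt) -> Dict[str, Dict[str, str]]:
    """Run both checks for a domain; the resolver is injectable for offline use."""
    return {"spf": check_spf(resolver(domain)),
            "dmarc": check_dmarc(resolver(f"_dmarc.{domain}"))}

# Constructed zone data for an offline run (example.test is not a real domain)
SAMPLE_ZONE = {
    "example.test": ["v=spf1 include:_spf.mail.test ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.test"],
}
def sample_resolver(name: str) -> List[str]:
    return SAMPLE_ZONE.get(name, [])
```

DKIM rotation age is not covered here because it needs the selector and key metadata from the Admin SDK, not DNS alone.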
Snowflake CIS Audit — 46 Controls
Snowflake is now a common data warehouse in cloud-native environments, and its security posture is frequently under-reviewed. This module implements 46 controls from the CIS Snowflake Benchmark.
Authentication: The Snowflake Python connector authenticates with account identifier, username, and password (stored encrypted). The connector is imported lazily inside the service to avoid startup failures when credentials have not been configured.
Control categories:
- Account & Identity: MFA enforcement, password policy, network policy (IP allowlist)
- Access Control: Role grants, ACCOUNTADMIN usage, privilege audit
- Networking: Private Link configuration, public endpoint access
- Data Governance: Row-level security, column masking policies, object tagging
- Audit & Logging: Query history retention, login history, SNOWFLAKE database audit
- Storage: External stage encryption, S3/GCS/Azure storage integration settings
The module runs queries against SNOWFLAKE.ACCOUNT_USAGE views (with appropriate privilege requirements) to evaluate access grants, role hierarchies, and audit retention. Controls where the view lacks sufficient visibility are returned as MANUAL_REVIEW.
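An added example (not the VulnOps module) of one such ACCOUNT_USAGE check, showing the degrade-to-MANUAL_REVIEW path when the audit role cannot read the view. The query runner is injected so it runs offline; make_runner, InsufficientPrivilege, the max_users threshold and the placeholder cis_id are this example's own assumptions, not values from the benchmark.

```python
"""Added example (not the VulnOps module): one Snowflake check over
SNOWFLAKE.ACCOUNT_USAGE that returns MANUAL_REVIEW, never PASS, when the
view is not visible to the audit role. The query runner is injected."""
from typing import Any, Callable, Dict, List

Rows = List[Dict[str, Any]]          # rows keyed by column name, as DictCursor returns them
QueryRunner = Callable[[str], Rows]

ACCOUNTADMIN_GRANTS_SQL = """
SELECT grantee_name
FROM snowflake.account_usage.grants_to_users
WHERE role = 'ACCOUNTADMIN' AND deleted_on IS NULL
"""

class InsufficientPrivilege(Exception):
    """The audit role cannot read ACCOUNT_USAGE (no IMPORTED PRIVILEGES on SNOWFLAKE)."""

def make_runner(conn) -> QueryRunner:
    """Adapt a live snowflake.connector connection (imported lazily, as in the post)."""
    def run(sql: str) -> Rows:
        import snowflake.connector  # pip install snowflake-connector-python
        try:
            with conn.cursor(snowflake.connector.DictCursor) as cur:
                return cur.execute(sql).fetchall()
        except snowflake.connector.errors.ProgrammingError as exc:
            if "not authorized" in str(exc).lower() or "privilege" in str(exc).lower():
                raise InsufficientPrivilege(str(exc)) from exc
            raise
    return run

def check_accountadmin_users(run_query: QueryRunner, max_users: int = 2) -> Dict[str, Any]:
    """max_users is this example's threshold, not a value taken from the benchmark."""
    finding: Dict[str, Any] = {"cis_id": "CIS-ID-PLACEHOLDER",
                               "title": "Limit users granted ACCOUNTADMIN", "severity": "high"}
    try:
        rows = run_query(ACCOUNTADMIN_GRANTS_SQL)
    except InsufficientPrivilege as exc:
        # The view is not readable: say so rather than emitting a false PASS
        finding.update(result="MANUAL_REVIEW", rationale=f"ACCOUNT_USAGE not readable: {exc}",
                       remediation="GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE <audit_role>")
        return finding
    users = sorted({r["GRANTEE_NAME"] for r in rows})
    if len(users) <= max_users:
        finding.update(result="PASS", rationale=f"{len(users)} user(s) hold ACCOUNTADMIN: {users}")
    else:
        finding.update(result="FAIL", rationale=f"{len(users)} users hold ACCOUNTADMIN: {users}",
                       remediation="Keep ACCOUNTADMIN to a few break-glass users; use SECURITYADMIN/SYSADMIN day to day")
    return finding
```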
Digital Ocean CIS Foundations — 30 Controls
The Digital Ocean module covers 30 controls from the CIS Digital Ocean Benchmark, spanning Droplets, Kubernetes, managed databases, object storage, networking, and account-level controls.
API integration: Uses the Digital Ocean v2 REST API (https://api.digitalocean.com/v2/) with a personal access token. All 30 checks run against live API state — no agent required on the Droplets themselves.
Highlights:
- Droplet monitoring agent enrollment and SSH key authentication (no password auth)
- Kubernetes cluster auto-upgrade, node pool surge upgrades, and RBAC enablement
- Managed database SSL enforcement and trusted sources configuration
- Spaces (object storage) bucket ACL — public vs. private, CDN configuration
- VPC isolation — whether Droplets are placed in the default VPC or tenant-specific VPCs
- Team-level two-factor authentication enforcement
- API token scope review (read vs. read/write tokens in use)
A thin DOClient wrapper handles pagination transparently, returning full result sets for resources such as Droplets or Spaces where result counts may be large.
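An added example (not the project's DOClient) of what such a wrapper has to do: follow the links.pages.next URL the v2 API returns until it is absent, so callers never see a truncated list. The fetch callable, the PLACEHOLDER-TOKEN value and the three-page fake_fetch transport are constructed here for an offline run.

```python
"""Added example (not the VulnOps DOClient): a thin DigitalOcean v2 wrapper
that follows links.pages.next so callers always get the full collection."""
import json
import urllib.request
from typing import Any, Callable, Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urljoin, urlparse

API_BASE = "https://api.digitalocean.com/v2/"

class DOClient:
    def __init__(self, token: str, fetch: Optional[Callable[[str], Dict[str, Any]]] = None,
                 per_page: int = 200) -> None:  # 200 is the API's maximum page size
        self.token = token
        self.per_page = per_page
        self.fetch = fetch or self._http_get  # fetch(url) -> decoded JSON body

    def _http_get(self, url: str) -> Dict[str, Any]:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {self.token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    def list_all(self, path: str, key: str) -> List[Dict[str, Any]]:
        """Return every item under `key` (e.g. 'droplets') across all pages."""
        url = urljoin(API_BASE, path) + "?" + urlencode({"per_page": self.per_page, "page": 1})
        items: List[Dict[str, Any]] = []
        seen = set()
        while url and url not in seen:  # refuse to spin if 'next' ever repeats
            seen.add(url)
            body = self.fetch(url)
            items.extend(body.get(key, []))
            url = body.get("links", {}).get("pages", {}).get("next")
        return items

# Constructed three-page response set standing in for the live API
def fake_fetch(url: str) -> Dict[str, Any]:
    page = int(parse_qs(urlparse(url).query).get("page", ["1"])[0])
    droplets = [{"id": 100 * page + i, "name": f"web-{page}-{i}"} for i in range(2)]
    pages = {"next": f"{API_BASE}droplets?page={page + 1}&per_page=2"} if page < 3 else {}
    return {"droplets": droplets, "links": {"pages": pages}, "meta": {"total": 6}}

if __name__ == "__main__":
    client = DOClient("PLACEHOLDER-TOKEN", fetch=fake_fetch)
    print(len(client.list_all("droplets", "droplets")), "droplets across 3 pages")
```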
Alibaba Cloud CIS Audit — 85 Controls
The largest module shipped this cycle, the Alibaba Cloud module implements 85 controls from the CIS Alibaba Cloud Foundations Benchmark — the most comprehensive coverage of any single module in VulnOps.
SDK: Uses alibabacloud-sdk-core with AK/SK credentials (AccessKey ID + AccessKey Secret). Regional endpoints are constructed per-service (ecs.{region}.aliyuncs.com, oss-{region}.aliyuncs.com, etc.).
Coverage:
- RAM (Identity): Root account MFA, RAM user MFA, unused credentials, access key rotation, password policy
- ECS (Compute): Public IP exposure, security group rules (0.0.0.0/0 ingress), disk encryption
- OSS (Object Storage): Bucket ACL, server-side encryption, versioning, access logging, lifecycle policy
- RDS (Databases): Public accessibility, SSL enforcement, audit log retention
- VPC (Networking): Security group least-privilege, network ACL review, flow log enablement
- ActionTrail (Logging): Trail enabled in all regions, log integrity validation, OSS delivery
- CloudMonitor: Alert policies for root login, high-risk API calls, resource threshold breaches
- KMS: Key rotation, key state, key policy review
At 85 controls, this is the deepest benchmark coverage in VulnOps. The Alibaba module has its own sidebar entry and dedicated findings drawer with section filtering by service area.
Dashboard Health Pills
The VulnOps Dashboard aggregates posture health across all enabled modules per tenant. Prior to this update, it only surfaced ScoutSuite (cloud), Identity, External Exposure, and M365. The five new modules are now represented as health pills alongside the existing ones.
Each pill shows:
- Module name with an icon
- Critical finding count (red badge if > 0)
- Last scan timestamp
- Status — never scanned, healthy, or degraded
Manual Override Workflow
Several CIS controls — particularly around policy review, manual procedures, or vendor-specific configurations that APIs don't expose — are returned as MANUAL_REVIEW rather than a binary PASS/FAIL. Previously, those findings would stay in MANUAL_REVIEW state indefinitely.
This release adds a persistent manual override system that lets operators assign a result to any MANUAL_REVIEW finding, record the assessor and date, and have that assignment survive scan re-runs.
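An added example (not the VulnOps implementation) of the merge logic such a workflow needs: overrides are stored apart from the per-job findings and re-applied to every new scan, keyed by the cis_id and resource_id fields from the schema above. OverrideStore, Override and the stale_override handling are this example's assumptions; the in-memory dict stands in for a database table.

```python
"""Added example (not VulnOps code): a manual override store for
MANUAL_REVIEW findings that survives scan re-runs. Findings are keyed by
(cis_id, resource_id) as in the schema above; the dict stands in for the DB."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional, Tuple

FindingKey = Tuple[str, Optional[str]]  # (cis_id, resource_id or None for tenant-wide)

@dataclass
class Override:
    result: str           # PASS or FAIL as assigned by the assessor
    assessor: str
    assessed_at: datetime
    note: str = ""

class OverrideStore:
    """Overrides are stored apart from the per-job findings, so a re-scan that
    rewrites the findings table does not discard them."""
    def __init__(self) -> None:
        self._overrides: Dict[FindingKey, Override] = {}

    def set(self, cis_id: str, resource_id: Optional[str], result: str,
            assessor: str, note: str = "") -> Override:
        if result not in ("PASS", "FAIL"):
            raise ValueError("an override must resolve the finding to PASS or FAIL")
        ov = Override(result, assessor, datetime.now(timezone.utc), note)
        self._overrides[(cis_id, resource_id)] = ov
        return ov

    def clear(self, cis_id: str, resource_id: Optional[str] = None) -> None:
        self._overrides.pop((cis_id, resource_id), None)

    def apply(self, findings: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
        """Merge stored overrides into freshly scanned findings. Only MANUAL_REVIEW
        results are replaced; if a later scan reaches its own PASS/FAIL, the
        scanner's verdict wins and the override is flagged stale (an assumption
        made here, so a past human decision never masks a newly detected FAIL)."""
        merged = []
        for raw in findings:
            f = dict(raw)  # do not mutate the scanner's record
            ov = self._overrides.get((f["cis_id"], f.get("resource_id")))
            if ov is not None and f["result"] == "MANUAL_REVIEW":
                f["result"] = ov.result
                f["override"] = {"assessor": ov.assessor,
                                 "assessed_at": ov.assessed_at.isoformat(), "note": ov.note}
            elif ov is not None:
                f["stale_override"] = ov.result
            merged.append(f)
        return merged
```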
Cloud Posture: Per-Provider Tabs
The Cloud Posture page previously presented all ScoutSuite-based accounts (AWS, Azure, GCP, OCI) under a single "Cloud Accounts" tab, with Digital Ocean and Alibaba Cloud as separate tabs. Each provider now has its own dedicated tab.
Tab order: Azure | AWS | GCP | OCI | Digital Ocean | Alibaba Cloud
For the four ScoutSuite providers (Azure, AWS, GCP, OCI), selecting a tab:
- Filters the account list to accounts of that provider only
- Pre-selects the provider in the "Add Account" form (hiding the provider dropdown, since it's implied by the active tab)
- Filters the Account Overview compliance table to that provider's accounts
- Filters findings (Failed Controls, All Findings) to that provider via a new ?provider= query parameter on the /cloud/{tenant_id}/findings endpoint
- Filters Scan History to jobs belonging to that provider's account IDs
Digital Ocean and Alibaba Cloud tabs continue to render their dedicated audit page components rather than the ScoutSuite UI.
What's Next
The module library is growing — the next additions we're evaluating include GitHub Advanced Security findings integration, Kubernetes cluster CIS benchmarks, and expanding the AI Assistant's context to include the new audit modules so it can reason across cloud provider posture simultaneously.
Need Help?
The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.
Website: https://www.socfortress.co/
Contact Us: https://www.socfortress.co/contact_form.html