Landing zone governance (multi-repo aggregation)
Full workflow
Complete guide (limitations, CI, published lens): landing-zone-governance
Why use CCE
Landing zones define guardrails, but application teams spread across dozens of repos each invoke cloud APIs independently. Central governance teams lack a portfolio view of which API actions are used org-wide — leading to blanket IAM policies and audit gaps.
CCE aggregates code-derived entitlements across repos so landing-zone owners can enforce consistent IAM baselines and detect out-of-zone usage.
Example command
cce -folder . -language AUTO -filter cloud -format json -output scan.json