Skip to content

Landing zone governance (multi-repo aggregation)

Full workflow

Complete guide (limitations, CI, published lens): landing-zone-governance

Why use CCE

Landing zones define guardrails, but application teams spread across dozens of repos each invoke cloud APIs independently. Central governance teams lack a portfolio view of which API actions are used org-wide — leading to blanket IAM policies and audit gaps.

CCE aggregates code-derived entitlements across repos so landing-zone owners can enforce consistent IAM baselines and detect out-of-zone usage.

Example command

cce -folder . -language AUTO -filter cloud -format json -output scan.json