Skip to content

Pre-deploy IAM review

Full workflow

Complete guide (limitations, CI, published lens): pre-deploy-iam-review

Why use CCE

IAM policies are often reviewed at infrastructure change time, not when application code adds new cloud API calls. New entitlements slip into production with overly broad roles still attached.

CCE gives a per-PR entitlement delta source — scan code before merge and compare to attached IAM.

Example command

cce -folder . -language AUTO -filter cloud -format json -output pr-entitlements.json

Analysis recipe

This use case is registered as recipe pre-deploy-iam-review — run with:

cce run -folder . -language AUTO -recipes pre-deploy-iam-review -output pre-deploy-iam-review.json