
CCE Scanning Overview

Learn how CXRay identifies Common Configuration Enumeration issues and security misconfigurations in your infrastructure and applications.

What is CCE Scanning?

CCE (Common Configuration Enumeration) scanning identifies security misconfigurations based on industry standards and best practices. Unlike CVE scanning, which focuses on code vulnerabilities, CCE scanning examines how systems and applications are configured.

Why Configuration Scanning Matters

Misconfigurations are one of the leading causes of security breaches. Common issues include:

  • Exposed credentials and secrets
  • Overly permissive access controls
  • Insecure default settings
  • Missing security headers
  • Weak encryption settings
  • Unnecessary services enabled

Configuration Standards

CXRay CCE scanning supports multiple security frameworks:

CIS Benchmarks

Center for Internet Security benchmarks for:

  • Operating systems
  • Cloud platforms (AWS, Azure, GCP)
  • Databases
  • Web servers

NIST Guidelines

National Institute of Standards and Technology security controls

PCI-DSS

Payment Card Industry Data Security Standard requirements

Custom Rules

Organization-specific security policies and compliance requirements

Supported Technologies

  • Cloud Platforms: AWS, Azure, GCP, Kubernetes
  • Containers: Docker, Podman
  • Web Servers: Apache, Nginx, IIS
  • Databases: PostgreSQL, MySQL, MongoDB, Redis
  • Configuration Files: YAML, JSON, XML, INI, TOML

Quick Example

# Scan for configuration issues
cxray scan --type cce .

# Scan with specific standard
cxray scan --type cce --standard cis .

# Scan cloud infrastructure
cxray scan --type cce --cloud aws --profile production

CCE Report Structure

CCE scan results include:

  • CCE ID: Configuration identifier
  • Severity: Critical, High, Medium, Low, Info
  • Standard: CIS, NIST, PCI-DSS, etc.
  • Current State: Detected configuration
  • Expected State: Recommended configuration
  • Impact: Security implications
  • Remediation: Steps to fix the issue

Common Findings

Exposed Secrets

# ❌ Bad - Hardcoded credentials
database:
  password: "admin123"

# ✅ Good - Environment variable
database:
  password: ${DB_PASSWORD}

Insecure Protocols

# ❌ Bad - Allowing TLS 1.0
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

# ✅ Good - Only secure protocols
ssl_protocols TLSv1.2 TLSv1.3;
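
The check behind this finding, sketched as an added example (not CXRay's own code or rule format): it reads an Nginx configuration, flags ssl_protocols directives that enable weak protocols, and emits one record per directive using the report fields listed under CCE Report Structure. The CCE-EXAMPLE-0001 ID, the severity rating, the "Custom" standard label, and the function name are assumptions made for illustration.

```python
import re

# Protocols flagged as weak (assumption for this example; the page's
# corrected setting keeps only TLSv1.2 and TLSv1.3).
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
DIRECTIVE = re.compile(r"(?:^|[;{}])\s*ssl_protocols\s+([^;]+);", re.MULTILINE)

# Constructed sample config, not taken from a real system.
SAMPLE = """\
server {
    listen 443 ssl;
    # ssl_protocols SSLv3;  (commented out, must be ignored)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 8443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

def check_ssl_protocols(conf_text, path="nginx.conf"):
    """Return one finding per ssl_protocols directive that enables a weak protocol."""
    # Blank out comments but keep newlines so line numbers stay correct.
    text = re.sub(r"#[^\n]*", "", conf_text)
    findings = []
    for m in DIRECTIVE.finditer(text):
        enabled = m.group(1).split()
        weak = [p for p in enabled if p in WEAK]
        if not weak:
            continue
        line = text.count("\n", 0, m.start(1)) + 1
        findings.append({
            "CCE ID": "CCE-EXAMPLE-0001",  # placeholder, not a real identifier
            "Severity": "High",            # assumed rating for this example
            "Standard": "Custom",
            "Current State": f"{path}:{line}: ssl_protocols {' '.join(enabled)}",
            "Expected State": "ssl_protocols TLSv1.2 TLSv1.3",
            "Impact": "Weak protocols enabled: " + ", ".join(weak),
            "Remediation": "Remove " + ", ".join(weak) + " from ssl_protocols",
        })
    return findings

if __name__ == "__main__":
    for f in check_ssl_protocols(SAMPLE):
        for key, value in f.items():
            print(f"{key}: {value}")
```

The commented-out directive in the sample is skipped, and the second server block produces no finding because it already matches the expected state.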

Overly Permissive Access

# ❌ Bad - Public access
s3_bucket:
  acl: public-read

# ✅ Good - Private with specific access
s3_bucket:
  acl: private
  bucket_policy: restricted
