From 0089d060cfbc3eee1ced3f439814b784eb482c34 Mon Sep 17 00:00:00 2001
From: Patrick de Ruiter
Date: Sat, 1 Nov 2025 23:10:13 +0100
Subject: [PATCH] Add Tfsec security scanning before Checkov

- Added Tfsec job for Terraform security analysis
- Tfsec specializes in detecting security issues in Terraform code
- Pipeline flow: TFLint -> Tfsec -> Checkov -> SonarQube
- Tfsec focuses on cloud security misconfigurations
- Complements Checkov with different security rule sets
---
 .gitea/workflows/sonarqube.yaml | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/.gitea/workflows/sonarqube.yaml b/.gitea/workflows/sonarqube.yaml
index 47c4e68..606662e 100644
--- a/.gitea/workflows/sonarqube.yaml
+++ b/.gitea/workflows/sonarqube.yaml
@@ -27,10 +27,26 @@ jobs:
       - name: Run TFLint
         run: tflint --format compact
 
+  tfsec:
+    name: Tfsec Security Scan
+    runs-on: ubuntu-latest
+    needs: tflint
+    steps:
+      - name: Checking out
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run Tfsec
+        uses: aquasecurity/tfsec-action@v1.0.3
+        with:
+          format: default
+          soft_fail: false
+
   checkov:
     name: Checkov Security Scan
     runs-on: ubuntu-latest
-    needs: tflint
+    needs: tfsec
     steps:
       - name: Checking out
         uses: actions/checkout@v4
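Review bot: The new `Run Tfsec` step references `aquasecurity/tfsec-action@v1.0.3` (and `actions/checkout@v4`, matching the existing jobs) by a mutable tag, so the scanner that now gates the pipeline can change underneath the workflow without a commit in this repository; prefer pinning third-party actions to a full commit SHA with the tag kept as a comment, e.g. `uses: aquasecurity/tfsec-action@<COMMIT_SHA>  # v1.0.3`. To my knowledge tfsec has been folded into Trivy by the same vendor and the standalone action is no longer actively developed, so a one-line comment above the step recording why tfsec was chosen over the Trivy config scanner would help the next maintainer. `fetch-depth: 0` fetches full history, which a working-tree scan by tfsec does not need and which only lengthens checkout; it looks copied from a job that does need history, so either drop it or comment why it is kept. `soft_fail: false` is the action's default, so if it is meant to document that findings fail the build, a comment such as `# findings fail the job; do not relax without review` makes that intent explicit.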