diff --git a/.gitea/workflows/sonarqube.yaml b/.gitea/workflows/sonarqube.yaml
index c2e7bd0..9f071d1 100644
--- a/.gitea/workflows/sonarqube.yaml
+++ b/.gitea/workflows/sonarqube.yaml
@@ -5,11 +5,37 @@ on:
   pull_request:
     types: [opened, synchronize, reopened]
-name: SonarQube Scan
+name: Code Quality & Security Scan
 jobs:
+  checkov:
+    name: Checkov Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checking out
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run Checkov
+        uses: bridgecrewio/checkov-action@v12
+        with:
+          directory: .
+          framework: terraform
+          output_format: cli,sarif
+          output_file_path: console,results.sarif
+          soft_fail: false
+
+      - name: Upload Checkov results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: checkov-results
+          path: results.sarif
+
   sonarqube:
     name: SonarQube Trigger
     runs-on: ubuntu-latest
+    needs: checkov
     steps:
       - name: Checking out
         uses: actions/checkout@v4
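Review bot: `needs: checkov` on the sonarqube job combined with `soft_fail: false` in the Run Checkov step means a single Checkov policy failure skips the SonarQube scan altogether, so a pull request with an IaC finding gets no code-quality results at all. The two scans are independent, so either drop the `needs: checkov` line to run them in parallel, or keep the ordering and add `if: always()` to the sonarqube job so it still reports; the sonarqube job's steps continue outside the hunk. `bridgecrewio/checkov-action@v12`, `actions/checkout@v4` and `actions/upload-artifact@v4` are mutable tags, so a job that produces security findings should pin them to a full commit SHA with the tag recorded in a trailing comment. `output_file_path: console,results.sarif` paired with `output_format: cli,sarif` follows the checkov CLI's positional convention, but confirm on this Gitea runner that the SARIF lands at `results.sarif` in the workspace root, since the upload step and any later SARIF consumer depend on that path.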