From 1262a96f9364519545d7573be8dd2e840c654d28 Mon Sep 17 00:00:00 2001
From: Patrick de Ruiter
Date: Sat, 1 Nov 2025 22:36:25 +0100
Subject: [PATCH] Add Checkov compliance scanning to CI pipeline

- Added Checkov security scan job that runs before SonarQube
- Configured for Terraform-specific IaC compliance checks
- Outputs results in CLI and SARIF formats
- Uploads scan results as artifacts for review
- SonarQube job now depends on Checkov passing
- Renamed workflow to reflect both quality and security scanning
---
 .gitea/workflows/sonarqube.yaml | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/.gitea/workflows/sonarqube.yaml b/.gitea/workflows/sonarqube.yaml
index c2e7bd0..9f071d1 100644
--- a/.gitea/workflows/sonarqube.yaml
+++ b/.gitea/workflows/sonarqube.yaml
@@ -5,11 +5,37 @@ on:
 pull_request:
 types: [opened, synchronize, reopened]
-name: SonarQube Scan
+name: Code Quality & Security Scan

 jobs:
+ checkov:
+ name: Checkov Security Scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checking out
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Run Checkov
+ uses: bridgecrewio/checkov-action@v12
+ with:
+ directory: .
+ framework: terraform
+ output_format: cli,sarif
+ output_file_path: console,results.sarif
+ soft_fail: false
+
+ - name: Upload Checkov results
+ if: always()
+ uses: actions/upload-artifact@v4
+ with:
+ name: checkov-results
+ path: results.sarif
+
 sonarqube:
 name: SonarQube Trigger
 runs-on: ubuntu-latest
+ needs: checkov
 steps:
 - name: Checking out
 uses: actions/checkout@v4
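Review bot: The new `uses: bridgecrewio/checkov-action@v12` step (and the `actions/checkout@v4` / `actions/upload-artifact@v4` steps in the same job) reference third-party actions by floating major tags, so the scanner whose exit code now gates the SonarQube job via `needs: checkov` can change without any commit to this repository. For a gating security step, pin to a full commit SHA and record the version in a trailing comment, e.g. `uses: bridgecrewio/checkov-action@<full-commit-sha>  # v12` (placeholder; take the SHA from the release you validated), and let dependency tooling bump it. Separately, `fetch-depth: 0` in the Checkov checkout pulls the whole history although a static IaC scan of the working tree needs only the default shallow clone; unless a later step relies on history, it can be dropped to keep the job fast. The `on:` mapping this hunk sits in starts above the hunk.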