Add Checkov compliance scanning to CI pipeline

- Added Checkov security scan job that runs before SonarQube
- Configured for Terraform-specific IaC compliance checks
- Outputs results in CLI and SARIF formats
- Uploads scan results as artifacts for review
- SonarQube job now depends on Checkov passing
- Renamed workflow to reflect both quality and security scanning

.gitea/workflows/sonarqube.yaml

@@ -5,11 +5,37 @@ on:
   pull_request:
       types: [opened, synchronize, reopened]
 
-name: SonarQube Scan
+name: Code Quality & Security Scan
 jobs:
+  checkov:
+    name: Checkov Security Scan
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checking out
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+
+    - name: Run Checkov
+      uses: bridgecrewio/checkov-action@v12
+      with:
+        directory: .
+        framework: terraform
+        output_format: cli,sarif
+        output_file_path: console,results.sarif
+        soft_fail: false
+
+    - name: Upload Checkov results
+      if: always()
+      uses: actions/upload-artifact@v4
+      with:
+        name: checkov-results
+        path: results.sarif
+
   sonarqube:
     name: SonarQube Trigger
     runs-on: ubuntu-latest
+    needs: checkov
     steps:
     - name: Checking out
       uses: actions/checkout@v4