From f4be04dce1f1a8cf2bf46c742cb17d6607d71256 Mon Sep 17 00:00:00 2001
From: Patrick de Ruiter
Date: Sat, 1 Nov 2025 22:56:34 +0100
Subject: [PATCH] Add TFLint as first pipeline step

- Added TFLint job to catch Terraform errors and best practices
- TFLint runs before Checkov for early error detection
- Uses latest TFLint version with automatic initialization
- Pipeline flow: TFLint -> Checkov -> SonarQube
---
 .gitea/workflows/sonarqube.yaml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/.gitea/workflows/sonarqube.yaml b/.gitea/workflows/sonarqube.yaml
index d67087a..47c4e68 100644
--- a/.gitea/workflows/sonarqube.yaml
+++ b/.gitea/workflows/sonarqube.yaml
@@ -7,9 +7,30 @@ on:
 name: Code Quality & Security Scan
 jobs:
+  tflint:
+    name: TFLint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checking out
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup TFLint
+        uses: terraform-linters/setup-tflint@v4
+        with:
+          tflint_version: latest
+
+      - name: Initialize TFLint
+        run: tflint --init
+
+      - name: Run TFLint
+        run: tflint --format compact
+
   checkov:
     name: Checkov Security Scan
     runs-on: ubuntu-latest
+    needs: tflint
     steps:
       - name: Checking out
         uses: actions/checkout@v4
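Review bot: `tflint_version: latest` in the Setup TFLint step makes the lint gate non-reproducible and lets whichever release is newest at run time into the pipeline; pin it explicitly, e.g. `tflint_version: "<pinned-version>"`, and bump it deliberately so a rule change or a bad release cannot silently alter or break the gate. The same concern applies to `run: tflint --init`, which downloads any plugins declared in `.tflint.hcl` at run time — if the repo has that file (not visible in this hunk), each ruleset there should carry a pinned `version` so results do not drift between runs. `run: tflint --format compact` lints only the checkout root; if the Terraform code lives in subdirectories, add `--recursive` so those modules are actually covered rather than passing vacuously. `fetch-depth: 0` mirrors the Checkov job but full history is not needed for linting; a default shallow checkout would be faster here.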