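---
# Runs Checkov (Terraform IaC scan) on every push to master and on pull
# requests, then a SonarQube scan once the Checkov job has passed.
# NOTE(review): every action below is pinned to a moving major tag; pinning
# to a full commit SHA (keeping the tag in a trailing comment) is the
# stronger supply-chain posture — take each SHA from the action's own
# releases page rather than guessing.
name: Code Quality & Security Scan

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - master
  pull_request:
    types: [opened, synchronize, reopened]

# Least-privilege default for GITHUB_TOKEN: neither job writes back to the
# repository (Checkov prints to the CLI, SonarQube reports to its own server),
# so read-only checkout access is all that is needed.
permissions:
  contents: read

jobs:
  checkov:
    name: Checkov Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checking out
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Run Checkov
        uses: bridgecrewio/checkov-action@v12
        with:
          directory: .
          framework: terraform
          output_format: cli
          # Keep the job red on findings so the downstream SonarQube job
          # (needs: checkov) does not run when the IaC scan fails.
          soft_fail: false

  sonarqube:
    name: SonarQube Trigger
    runs-on: ubuntu-latest
    needs: checkov
    steps:
      - name: Checking out
        uses: actions/checkout@v4
        with:
          # Disabling shallow clone is recommended for improving relevancy of reporting
          fetch-depth: 0
      - name: SonarQube Scan
        uses: sonarsource/sonarqube-scan-action@v6
        env:
          # NOTE(review): repository secrets are not exposed to pull_request
          # runs that originate from forks, so this step would fail there —
          # confirm whether fork PRs are expected and gate the job if so.
          SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST }}
          SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}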