
Add checkov CI workflow for all Terraform modules #238

@akuzminsky


Summary

Add a reusable checkov workflow (similar to vuln-scanner-pr.yml for OSV-Scanner) that runs on pull requests for all terraform_module repositories.

Context

The Terraform Module Requirements specify "Security scanning (OSV, checkov, tfsec)" under Testing & Quality. Currently:

  • OSV-Scanner — deployed via vuln-scanner-pr.yml (already managed by github-control)
  • Checkov — .checkov.yml config files exist in some repos (e.g., terraform-aws-openvpn, terraform-aws-pypiserver) but there is no CI workflow to run it
  • tfsec — deprecated (absorbed into Trivy), not needed

Proposed Workflow

A checkov.yml workflow managed by github-control, deployed to all terraform_module repos:

name: Checkov Scan

on:
  pull_request:
    branches: [main]

permissions:
  contents: read
  security-events: write

jobs:
  checkov:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: bridgecrewio/checkov-action@v12
        with:
          config_file: .checkov.yml

Each module provides its own .checkov.yml with module-specific suppressions (documented false positives).
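As an added illustration (not a file from any of the modules named above), a per-module .checkov.yml of the kind the workflow expects: the framework, scan directory and skip-check keys are real checkov config-file options; the module name, the suppressed check ID and the reason comments are placeholders.

```yaml
# .checkov.yml for a hypothetical terraform-aws-example module (illustrative only).
# Keys mirror checkov's long CLI flags; the file is picked up via the
# workflow's `config_file: .checkov.yml` input.
framework:
  - terraform
directory:
  - .
# Resolve external module sources so nested resources are scanned, not skipped.
download-external-modules: true
# Keep findings blocking: a failed scan fails the PR check.
soft-fail: false
# Suppressions are module-specific and must be justified here, one per line.
# Format: check ID, then a comment recording why it is a false positive (or an
# accepted risk), who reviewed it, and when, so reviewers can re-evaluate it.
skip-check:
  - CKV_AWS_NNN   # placeholder ID; reason: <why this finding does not apply>, reviewed by <owner> on <date>
```

Anything not listed under skip-check still fails the scan, so a new unjustified finding cannot merge without either a fix or a documented entry here.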

Modules with .checkov.yml ready

  • terraform-aws-openvpn
  • terraform-aws-pypiserver
