diff --git a/Dockerfile b/Dockerfile
index 87116c3..d644b01 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,6 +13,7 @@ ENV ARCH=${TARGETARCH:-amd64}
 ENV DEBIAN_FRONTEND=noninteractive
 ENV KUBECTL_VERSION=1.33.0
 ENV KUBECTL_DATE=2025-05-01
+ENV TFLINT_VERSION=0.58.1
 
 # User config
 ENV DOCKER_USER=coder \
@@ -43,6 +44,7 @@ RUN apt-get update -y && apt-get upgrade -y && apt-get install --no-install-reco
 nodejs \
 npm \
 passwd \
+ pipx \
 python3 \
 python3-pip \
 python3-venv \
@@ -64,11 +66,6 @@ RUN apt-get update -y && apt-get upgrade -y && apt-get install --no-install-reco
 # Docker
 RUN curl -fsSL https://get.docker.com | sh && dockerd --version
 
-# pre-commit
-RUN pip3 install --break-system-packages --no-cache-dir pipx && \
- pipx install pre-commit && \
- ln -s /root/.local/pipx/venvs/pre-commit/bin/pre-commit /usr/local/bin/pre-commit
-
 # AWS CLI (handle arch manually)
 RUN set -e; \
 case "$ARCH" in \
@@ -90,6 +87,12 @@ RUN curl -sLO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksc
 tar -xzf eksctl_Linux_${ARCH}.tar.gz -C /tmp && \
 mv /tmp/eksctl /usr/local/bin && rm eksctl_Linux_${ARCH}.tar.gz
 
+# TFlint
+RUN curl -sLO "https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/tflint_linux_${ARCH}.zip" && \
+ unzip -q tflint_linux_${ARCH}.zip && \
+ mv tflint /usr/local/bin/ && \
+ rm tflint_linux_${ARCH}.zip
+
 # code-server (auto-detects arch)
 RUN curl -fsSL https://code-server.dev/install.sh | sh
 
diff --git a/entrypoint.sh b/entrypoint.sh
index acef46d..3fea70b 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
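Review bot: The new TFlint step in the Dockerfile places a downloaded release binary in /usr/local/bin without verifying it: `curl -sLO` has no `-f`, so an HTTP error body would be saved under the zip's name, and nothing checks the archive's digest before `mv tflint /usr/local/bin/`. Since the release is already pinned through TFLINT_VERSION, a digest can be pinned beside it and checked before `unzip`, for example `echo "${TFLINT_SHA256}  tflint_linux_${ARCH}.zip" | sha256sum -c -` (TFLINT_SHA256 is a placeholder, one value per supported ARCH), together with `curl -fsSLO`. The eksctl step visible in this hunk's context uses the same `curl -sLO` pattern against a `latest` URL and would benefit from the same treatment; its RUN instruction starts outside the hunk.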
@@ -96,6 +96,22 @@ until docker info >/dev/null 2>&1; do
 sleep 2
 done
 
+# ==== Install pre-commit ===
+if ! command -v pre-commit >/dev/null 2>&1; then
+ echo "[entrypoint] Installing pre-commit..."
+ su - "$DOCKER_USER" -c "pipx install pre-commit"
+else
+ echo "[entrypoint] pre-commit already installed, skipping installation."
+fi
+
+# === Install checkov ===
+if ! command -v checkov >/dev/null 2>&1; then
+ echo "[entrypoint] Installing checkov..."
+ su - "$DOCKER_USER" -c "pipx install checkov"
+else
+ echo "[entrypoint] checkov already installed, skipping installation."
+fi
+
 # === Install hyperterm ===
 if ! stat $HOME_DIR/.hyperterm > /dev/null 2>&1; then
 echo "[entrypoint] Installing hyperterm..."
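Review bot: Both new blocks run `pipx install` with no version at container start whenever the tool is not found, so what ends up in the workspace depends on what the package index serves at that moment and cannot be reproduced or reviewed from the image. Pin the versions, e.g. `su - "$DOCKER_USER" -c "pipx install pre-commit==PINNED_VERSION"` (PINNED_VERSION is a placeholder, likewise for checkov), or install them at build time as the removed Dockerfile step did. The `command -v` check also runs in the entrypoint's own shell while the install runs in a login shell for `$DOCKER_USER`; if the entrypoint runs as a different user, its PATH presumably lacks that user's pipx bin directory and the skip branch would never be taken, which `su - "$DOCKER_USER" -c 'command -v pre-commit' >/dev/null 2>&1` would avoid. A failed install (for example with no network) is not handled, and whether it aborts startup depends on shell options set outside this hunk.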