From a6476ecbd6704a8271d854668166492f2b8ad02b Mon Sep 17 00:00:00 2001
From: Ori Bendet
Date: Sat, 28 Feb 2026 17:41:06 -0500
Subject: [PATCH] fix(terraform): fix false positive for labels with prefixed keys (slash)

Labels with a DNS-subdomain-prefixed key (e.g. "gateway.istio.io/defaults-for-class") were incorrectly flagged as invalid. The slash in the key causes KICS's HCL parser to produce a nested object instead of a string value; calling regex.match on a non-string returns false, triggering the false positive. Add is_string() guard before the regex check so non-string values are skipped. Also fix a typo in the result messages ("metada" -> "metadata") and add a negative test case covering prefixed label keys.

Fixes #7938

Co-Authored-By: Claude Sonnet 4.6
---
 .../kubernetes/metadata_label_is_invalid/query.rego | 5 +++--
 .../kubernetes/metadata_label_is_invalid/test/negative.tf | 3 ++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/query.rego b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/query.rego
index fac01d34dc4..c80931bd68a 100644
--- a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/query.rego
+++ b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/query.rego
@@ -8,6 +8,7 @@ CxPolicy[result] {
 labels := resource[name].metadata.labels
+ is_string(labels[key])
 regex.match("^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", labels[key]) == false
 result := {
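Review bot: The `is_string(labels[key])` guard makes the rule skip every label whose value is not a string, so a value under a prefixed key such as `gateway.istio.io/defaults-for-class` — which the description says the parser turns into a nested object — is now never validated at all, and the same holds for any value that arrives as a number or bool; the false positive becomes a silent blind spot. If that is the intended scope, say so at the guard, e.g. `# prefixed keys (foo.example/bar) are parsed as nested objects; values under them are not validated here` (wording constructed). Otherwise consider iterating the leaves with `[path, value] := walk(labels)`, matching the regex on `value`, and building `searchLine` from `path` instead of `key`, so values under nested keys are still checked. The `CxPolicy` rule starts before this hunk and ends in the next one.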
@@ -16,8 +17,8 @@ CxPolicy[result] {
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("%s[%s].metadata.labels", [resourceType, name]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("%s[%s].metada.labels[%s] has valid label", [resourceType, name, key]),
- "keyActualValue": sprintf("%s[%s].metada.labels[%s] has invalid label", [resourceType, name, key]),
+ "keyExpectedValue": sprintf("%s[%s].metadata.labels[%s] has valid label", [resourceType, name, key]),
+ "keyActualValue": sprintf("%s[%s].metadata.labels[%s] has invalid label", [resourceType, name, key]),
 "searchLine": common_lib.build_search_line(["resource", resourceType, name, "metadata"], ["labels", key]),
 }
 }
diff --git a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/test/negative.tf b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/test/negative.tf
index 30e30393a79..7516cd0cf65 100644
--- a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/test/negative.tf
+++ b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/test/negative.tf
@@ -3,7 +3,8 @@ resource "kubernetes_pod" "test2" {
 name = "terraform-example"
 labels = {
- app = "MyApp"
+ app = "MyApp"
+ "gateway.istio.io/defaults-for-class" = "something"
 }
 }
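Review bot: The new negative case only shows that a well-formed value under a prefixed key is not flagged; nothing shows that a malformed value under such a key is still reported, and with the `is_string` guard added in query.rego it will not be. Add the mirror case to the positive test, e.g. `"gateway.istio.io/defaults-for-class" = "-not-valid"` (constructed), and either make the rule find it or record in the query's description that values under prefixed keys are out of scope, so the gap is a documented decision rather than an accident. The `app = "MyApp"` line appears to be removed and re-added unchanged, presumably only a re-alignment whose whitespace is lost in this rendering.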