
fix(terraform): fix inverted logic in Workload Host Port Not Specified query#7976

Open
cx-ori-bendet wants to merge 1 commit into master from fix/workload-host-port-inverted-logic

Conversation

@cx-ori-bendet

Summary

  • The Terraform query for Workload Host Port Not Specified had its logic inverted compared to the equivalent K8s query
  • It was flagging containers that did not have host_port defined — but the actual security concern is the opposite: defining host_port exposes the port on the host node's network interface, increasing the attack surface
  • The K8s query correctly flags when `hostPort` IS defined; the Terraform query had `not common_lib.valid_key(path.port, "host_port")` which fired when it was absent
  • Changes:
    • Removed `not` from the `valid_key` check so the rule fires when `host_port` IS defined
    • Updated result messages (`keyExpectedValue` / `keyActualValue`) to reflect the correct intent
    • Swapped positive/negative test file contents to match the corrected logic (positive files now contain `host_port`, negative files do not)

Fixes #7939

Test plan

  • Scan a container with host_port defined — should produce a finding
  • Scan a container without host_port — should produce no finding (was previously a false positive)
  • Run `go test ./test/... -run TestQueries` to verify all query tests pass

I submit this contribution under the Apache-2.0 license.

🤖 Generated with Claude Code

…d query

The Terraform query had the opposite logic to the K8s query: it was flagging
containers that did NOT have host_port defined, when the security concern is
the opposite — defining host_port exposes the port on the host node's network
interface and increases the attack surface.

- Remove `not` from the valid_key check so the rule fires when host_port IS defined
- Update result messages to reflect the correct expected/actual values
- Swap positive/negative test file contents to match the corrected logic

Fixes #7939

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
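The inversion that the PR description and the commit message above both describe, as an added example that is not KICS's own query or test code (the PR page shows no Rego): a small Go program decodes a constructed Terraform document in HCL JSON form and evaluates the same port blocks under the corrected rule (fire when `host_port` is defined) and under the pre-fix inverted rule (fire when it is absent), so the swap in which container gets flagged is visible side by side. The document layout, the `validKey` helper (which assumes `common_lib.valid_key` means "key present with a non-null value"), the `Finding` shape and the message strings are this example's assumptions, not the project's.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Finding is one reported result, loosely in the shape of a KICS query
// result (searchKey / keyExpectedValue / keyActualValue). The field names
// and messages are constructed for this example, not the project's own.
type Finding struct {
	SearchKey        string
	KeyExpectedValue string
	KeyActualValue   string
}

// validKey mirrors the assumed semantics of common_lib.valid_key(obj, key):
// the key exists in the object and its value is not null.
func validKey(obj map[string]any, key string) bool {
	v, ok := obj[key]
	return ok && v != nil
}

// Tolerant accessors: a missing or mistyped node yields a nil map/slice,
// which simply produces no findings instead of panicking.
func asMap(v any) map[string]any { m, _ := v.(map[string]any); return m }
func asList(v any) []any         { l, _ := v.([]any); return l }

// hostPortFindings evaluates every port block of every kubernetes_pod
// container in a decoded Terraform document (assumed HCL JSON layout).
// inverted=false applies the corrected rule: fire when host_port IS defined.
// inverted=true reproduces the pre-fix behaviour (fire when host_port is
// absent) so both can be compared on the same input.
func hostPortFindings(doc map[string]any, inverted bool) []Finding {
	var out []Finding
	pods := asMap(asMap(doc["resource"])["kubernetes_pod"])
	for podName, podAny := range pods {
		containers := asList(asMap(asMap(podAny)["spec"])["container"])
		for ci, cAny := range containers {
			for pi, pAny := range asList(asMap(cAny)["port"]) {
				defined := validKey(asMap(pAny), "host_port")
				// Corrected rule fires only when defined; inverted rule only when absent.
				if defined == inverted {
					continue
				}
				f := Finding{SearchKey: fmt.Sprintf(
					"kubernetes_pod[%s].spec.container[%d].port[%d]", podName, ci, pi)}
				if inverted {
					f.KeyExpectedValue, f.KeyActualValue = "host_port is defined", "host_port is undefined"
				} else {
					f.KeyExpectedValue, f.KeyActualValue = "host_port is undefined", "host_port is defined"
				}
				out = append(out, f)
			}
		}
	}
	return out
}

// sampleJSON is a constructed Terraform document: pod "exposed" binds a
// container port to the host node, pod "internal" does not.
const sampleJSON = `{
  "resource": {
    "kubernetes_pod": {
      "exposed": {"spec": {"container": [
        {"name": "web", "port": [{"container_port": 8080, "host_port": 8080}]}
      ]}},
      "internal": {"spec": {"container": [
        {"name": "api", "port": [{"container_port": 8080}]}
      ]}}
    }
  }
}`

func sampleDoc() map[string]any {
	var doc map[string]any
	if err := json.Unmarshal([]byte(sampleJSON), &doc); err != nil {
		panic(err)
	}
	return doc
}

func main() {
	doc := sampleDoc()
	fmt.Println("corrected rule flags:      ", hostPortFindings(doc, false))
	fmt.Println("inverted (pre-fix) rule flags:", hostPortFindings(doc, true))
}
```

Run as-is, the corrected rule reports only `kubernetes_pod[exposed]` and the inverted rule reports only `kubernetes_pod[internal]`, which is exactly the false positive the PR removes and the true finding it restores; the positive/negative test file swap in the PR follows from the same flip.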
@cx-ori-bendet cx-ori-bendet requested a review from a team as a code owner February 28, 2026 22:56
@github-actions github-actions bot added labels community (Community contribution), query (New query feature), terraform (Terraform query), kubernetes (Kubernetes query) on Feb 28, 2026
@github-actions


KICS version: v2.1.18

Category    Results
CRITICAL    0
HIGH        0
MEDIUM      0
LOW         0
INFO        0
TRACE       0
TOTAL       0

Metric                       Values
Files scanned                1
Files parsed                 1
Files failed to scan         0
Total executed queries       47
Queries failed to execute    0
Execution time               0



Development

Successfully merging this pull request may close these issues.

bug(terraform): "Workload Host Port Not Specified" logic inverted
