From a4aefbcf55f8b78113440ae02a63c1c311fad628 Mon Sep 17 00:00:00 2001 From: Ori Bendet Date: Sat, 28 Feb 2026 17:55:41 -0500 Subject: [PATCH] fix(terraform): fix inverted logic in Workload Host Port Not Specified query MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The Terraform query had the opposite logic to the K8s query: it was flagging containers that did NOT have host_port defined, when the security concern is the opposite — defining host_port exposes the port on the host node's network interface and increases the attack surface. - Remove `not` from the valid_key check so the rule fires when host_port IS defined - Update result messages to reflect the correct expected/actual values - Swap positive/negative test file contents to match the corrected logic Fixes #7939 Co-Authored-By: Claude Sonnet 4.6 --- .../kubernetes/workload_host_port_not_specified/query.rego | 6 +++--- .../workload_host_port_not_specified/test/negative1.tf | 1 - .../workload_host_port_not_specified/test/negative2.tf | 1 - .../workload_host_port_not_specified/test/positive1.tf | 1 + .../workload_host_port_not_specified/test/positive2.tf | 1 + 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/assets/queries/terraform/kubernetes/workload_host_port_not_specified/query.rego b/assets/queries/terraform/kubernetes/workload_host_port_not_specified/query.rego
index d325bde7233..0bc68ffb437 100644
--- a/assets/queries/terraform/kubernetes/workload_host_port_not_specified/query.rego
+++ b/assets/queries/terraform/kubernetes/workload_host_port_not_specified/query.rego
@@ -10,15 +10,15 @@ CxPolicy[result] {
 path := checkPath(resource)
- not common_lib.valid_key(path.port, "host_port")
+ common_lib.valid_key(path.port, "host_port")
 result := {
 "documentId": input.document[i].id,
 "resourceType": x,
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("%s[%s].%s.port", [x, name, resource_prefix]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": "Attribute 'host_port' should be defined and not null",
- "keyActualValue": "Attribute 'host_port' is undefined or null",
+ "keyExpectedValue": "Attribute 'host_port' should not be defined",
+ "keyActualValue": "Attribute 'host_port' is defined",
 }
 }
diff --git a/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/negative1.tf b/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/negative1.tf
index 44cb56eb518..13632a341ec 100644
--- a/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/negative1.tf
+++ b/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/negative1.tf
@@ -15,7 +15,6 @@ resource "kubernetes_pod" "test" {
 port {
 container_port = 8080
- host_port = 2
 }
 liveness_probe {
diff --git a/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/negative2.tf b/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/negative2.tf
index 1bc531caa49..a3a83eab050 100644
--- a/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/negative2.tf
+++ b/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/negative2.tf
@@ -40,7 +40,6 @@ resource "kubernetes_deployment" "example" {
 }
 port {
 container_port = 8080
- host_port = 2
 }
 liveness_probe {
diff --git a/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/positive1.tf b/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/positive1.tf
index 13632a341ec..44cb56eb518 100644
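Review bot: Now that the rule fires because `host_port` is present, the `searchKey` on the line below the new check still points at the whole `.port` block rather than at the offending attribute; `"searchKey": sprintf("%s[%s].%s.port.host_port", [x, name, resource_prefix]),` would make the finding land on the attribute the messages talk about, and `RedundantAttribute` may describe the new expected/actual pair better than `IncorrectValue` if the project uses that issue type for a present-but-unwanted attribute. The diffstat lists no change to this query's metadata file, so its description text is presumably still worded for the old, inverted behaviour and should be checked against the new `keyExpectedValue`. Whether `host_port = 0` should count as "not specified" (mirroring however the K8s-side query treats a zero hostPort) is not visible here and depends on what `common_lib.valid_key` accepts, so a test case for that value would pin it down. The CxPolicy rule starts before this hunk.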
--- a/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/positive1.tf
+++ b/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/positive1.tf
@@ -15,6 +15,7 @@ resource "kubernetes_pod" "test" {
 port {
 container_port = 8080
+ host_port = 2
 }
 liveness_probe {
diff --git a/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/positive2.tf b/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/positive2.tf
index a3a83eab050..1bc531caa49 100644
--- a/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/positive2.tf
+++ b/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/positive2.tf
@@ -40,6 +40,7 @@ resource "kubernetes_deployment" "example" {
 }
 port {
 container_port = 8080
+ host_port = 2
 }
 liveness_probe {