fix(terraform): skip label validation for unresolved Terraform references

[cx-ori-bendet]

Summary

• KICS's HCL converter wraps bare Terraform references (local.*, var.*, data.*, etc.) in ${...} notation since it cannot resolve them at parse time
• These wrapped strings (e.g. "${local.resource_name}") fail the Kubernetes label value regex because $, {, } are not valid K8s label characters, causing false positives
• Added two guards before the regex check:
  1. is_string(labels[key]) — skips non-string values (e.g. nested objects that appear from HCL keys containing dots or slashes — also fixes bug(terraform): Detecting valid label as invalid #7938)
  2. not contains(labels[key], "${") — skips any value containing an unresolved Terraform reference wrapper
• Fixed a pre-existing typo in result messages: "metada" → "metadata"
• Added negative test cases: a local.* reference and a prefixed label key (gateway.istio.io/defaults-for-class)

Fixes #7944
Also fixes #7938

Root cause trace

# HCL input
labels = { app = local.resource_name }

# KICS converter output (wrapExpr in default.go)
"labels": { "app": "${local.resource_name}" }

# Regex check (before fix)
regex.match("^([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "${local.resource_name}")
# => false  ($ is not in the allowed charset)
# => false == false => true  => FALSE POSITIVE

Test plan

• Scan a Terraform resource with app = local.resource_name — should produce no finding
• Scan a resource with label key "gateway.istio.io/defaults-for-class" — should produce no finding
• Scan a resource with app = "g**dy.l+bel" — should still produce a finding
• Run go test ./test/... -run TestQueries to verify all query tests pass

I submit this contribution under the Apache-2.0 license.

🤖 Generated with Claude Code

[github-actions]

KICS version: v2.1.18

Category Results CRITICAL 0 HIGH 0 MEDIUM 0 LOW 0 INFO 0 TRACE 0 TOTAL 0	Metric Values Files scanned 1 Files parsed 1 Files failed to scan 0 Total executed queries 47 Queries failed to execute 0 Execution time 0