
fix(queries): fix policy evaluation when scanning Terraform plan vs HCL files#7926

Merged: cx-artur-ribeiro merged 6 commits into master from AST-127589-fix-get-resource-policy on Feb 4, 2026

Conversation


@cx-artur-ribeiro cx-artur-ribeiro commented Dec 29, 2025

Contributor

Reason for Proposed Changes

  • KICS fails to detect policy-related security issues when scanning Terraform plan JSON files, while correctly identifying the same issues in HCL source files (.tf).
  • This inconsistency occurs because policies are represented differently in the parsed payloads:
    • In HCL source files: Policies using jsonencode() are parsed as escaped JSON strings (e.g., "policy": "{\"Statement\":[...]}")
    • In Terraform plan files: The same policies are already resolved as JSON objects (e.g., "policy": {"Statement": [...]})
  • The current implementation in terraform.rego uses json_unmarshal(), which only handles string inputs, causing queries to silently fail on plan files where policies are already objects. This results in various vulnerabilities being missed when scanning Terraform plans.

Proposed Changes

  • Update terraform.rego to use common_lib.get_policy() instead of common_lib.json_unmarshal() for policy parsing. The get_policy() function handles both string and object formats consistently.
  • This ensures policy-based queries produce consistent results regardless of whether they scan HCL source files or Terraform plan JSON files.

Note

  • There are additional queries that need the same update. That update won't be done in the context of this pull request.
  • I will open a new pull request to tackle the rest of the queries that need the same update.
  • A refactor of the query IAM Access Analyzer Not Enabled was carried out to improve maintenance and the overall behaviour of the query. However, since the query's objective is to verify the absence of a specific resource, the search_line and search_key still have problems detecting the same resource each time (it depends on the order of the payload structure). When the KICS engine is able to point to the root of the project, this query will have the expected behaviour.

I submit this contribution under the Apache-2.0 license.
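The string-versus-object mismatch described in the PR, as an added Rego illustration (not KICS's own common_lib.get_policy() or terraform.rego): a helper that branches on the input type so the same check works on a policy parsed from HCL and on one parsed from a plan. The package name, the sample IAM document and the allows_everything check are constructed for this example.

```rego
package example

import rego.v1

# Added illustration, not KICS's common_lib.get_policy(): accept a policy that
# arrives either as an escaped JSON string (parsed HCL using jsonencode()) or as
# an already-resolved object (Terraform plan JSON) and return an object in both cases.
get_policy(policy) := json.unmarshal(policy) if is_string(policy)

get_policy(policy) := policy if is_object(policy)

# Constructed sample: the same IAM policy in the two shapes a scanner sees.
# Raw string (backticks) keeps the escaped-JSON form readable.
hcl_policy := `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}`

plan_policy := {
	"Version": "2012-10-17",
	"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed check: flag a statement that allows every action on every resource.
# The default keeps the result defined (false) instead of undefined when nothing matches.
default allows_everything(_) := false

allows_everything(policy) if {
	doc := get_policy(policy)
	some statement in doc.Statement
	statement.Effect == "Allow"
	statement.Action == "*"
	statement.Resource == "*"
}

# Calling json.unmarshal directly would only cover hcl_policy; with the type
# branch above, both representations yield the same finding.
results := {
	"hcl_detected": allows_everything(hcl_policy),
	"plan_detected": allows_everything(plan_policy),
}
```

Evaluating `data.example.results` with OPA returns true for both keys; dropping the `is_object` branch leaves the plan case unreported, which is the silent failure the PR describes.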

@cx-artur-ribeiro cx-artur-ribeiro self-assigned this Dec 29, 2025
@cx-artur-ribeiro cx-artur-ribeiro requested a review from a team as a code owner December 29, 2025 14:20
@github-actions github-actions Bot added labels query (New query feature) and terraform (Terraform query) Dec 29, 2025
@github-actions

Contributor


KICS version: v2.1.18

Category   Results
CRITICAL   0
HIGH       0
MEDIUM     0
LOW        0
INFO       0
TRACE      0
TOTAL      0

Metric                       Values
Files scanned                1
Files parsed                 1
Files failed to scan         0
Total executed queries       47
Queries failed to execute    0
Execution time               0

@cx-eduardo-semanas cx-eduardo-semanas left a comment

Contributor


LGTM

@cx-ricardo-jesus cx-ricardo-jesus left a comment

Contributor


LGTM

@cx-artur-ribeiro cx-artur-ribeiro merged commit 0d393c1 into master Feb 4, 2026
28 checks passed
@cx-artur-ribeiro cx-artur-ribeiro deleted the AST-127589-fix-get-resource-policy branch February 4, 2026 14:55