fix(queries): fix policy evaluation when scanning Terraform plan vs HCL files

[cx-artur-ribeiro]

Reason for Proposed Changes

• KICS fails to detect policy-related security issues when scanning Terraform plan JSON files, while correctly identifying the same issues in HCL source files (.tf).
• This inconsistency occurs because policies are represented differently in the parsed payloads:
  • In HCL source files: Policies using jsonencode() are parsed as escaped JSON strings (e.g., "policy": "{"Statement":[...]}")
  • In Terraform plan files: The same policies are already resolved as JSON objects (e.g., "policy": {"Statement": [...]})
• The current implementation in terraform.rego uses json_unmarshal() which only handles string inputs, causing queries to silently fail on plan files where policies are already objects. This results in various different vulnerabilities being missed when scanning Terraform plans;

Proposed Changes

• Update terraform.rego to use common_lib.get_policy() instead of common_lib.json_unmarshal() for policy parsing. The get_policy() function handles both string and object formats consistently;
• This ensures policy-based queries produce consistent results regardless of whether they scan HCL source files or Terraform plan JSON files.

Note

• There are additional queries that need the same update. That update won't be done in the context of this pull request.
• I will open a new pull request to tackle the rest of the queries that need the same update.

I submit this contribution under the Apache-2.0 license.

[github-actions]

KICS version: v2.1.18

Category Results CRITICAL 0 HIGH 0 MEDIUM 0 LOW 0 INFO 0 TRACE 0 TOTAL 0	Metric Values Files scanned 1 Files parsed 1 Files failed to scan 0 Total executed queries 47 Queries failed to execute 0 Execution time 0

[cx-eduardo-semanas]

LGTM