fix(query): skip Terraform references in metadata label validation

[omribz156]

Closes #7944

Reason for Proposed Changes

• The Metadata Label Is Invalid query currently validates unresolved Terraform references such as local.resource_name as literal Kubernetes label values.
• That creates a false positive before Terraform resolves the value to a valid label.

Proposed Changes

• Skip metadata label validation when the value is a Terraform local.*, var.*, or data.* reference/interpolation.
• Add a negative Terraform fixture with a Kubernetes service label using local.resource_name.

Verification

• Before the fix, direct scan of the negative fixture returned one Metadata Label Is Invalid result at the labels block.
• After the fix, direct scan of the negative fixture returned TOTAL: 0.
• Direct scan of the existing positive fixture still returned TOTAL: 1 for g**dy.l+bel.
• git diff --check passed with local CRLF warnings only.

Focused Go query harness timed out locally on Windows, so I used direct CLI scans for this query.

This was implemented with Codex assistance, with the final patch kept focused and manually reviewed.

I submit this contribution under the Apache-2.0 license.

[cx-artur-ribeiro]

Hi @omribz156,
Nice contribution(s), thanks in advance for the awesome work!

Although I believe the fix you proposed was going to silently get rid of the false positives, supporting terraform locals would be the best approach in my opinion.

This PR - #7946 - aims to achieve that by replicating the behaviour of terraform's locals resolver. You can check more information on the PR description and the tagged issue.

I'm not sure if both solutions can coexist completely, but part of it may be a good fit.

Let me know what you think!