--tag key!=value should include resources lacking the tag (CLI parity with tag filters) #969
Description
Align != tag filtering in both CLI and dashboard UI with expected semantics
While running controls/benchmarks via powerpipe benchmark run ... --tag key!=value, the CLI currently excludes resources that do not define the tag at all. For example:
tags = {
deprecated = "true"
}
powerpipe benchmark run ... --tag deprecated!=true
Expected behavior (and how end users interpret the filter):
- Include controls whose
deprecatedtag exists and is not"true". - Include controls that don’t define the
deprecatedtag (since they don’t match the disallowed value). - Only exclude controls where
deprecated = "true".
Actual behavior today:
- Only controls with deprecated defined and not equal to the provided value are included.
- Controls lacking the tag are incorrectly filtered out.
This causes CLI output to deviate from common tag-filter semantics (e.g., filtering by environments, booleans, etc.). Please update the CLI tag-filter implementation so inequality (!=) and not in [...] filters treat missing tags as “pass”, matching user expectations and
allowing filters like env!=staging or deprecated!=true to include items without the tag.
Dashboard UI
Currently powerpipe benchmark/control run ... --tag key!=value only includes resources where the tag exists and differs, leaving out resources missing that tag. The dashboard UI mirrors this behavior via the Filter & Group panel: key != value filters hide controls
lacking the tag entirely. Users expect != (and not in) to exclude only the disallowed value, while treating missing tags as a match (e.g. env!=staging or deprecated!=true). Update both CLI and UI filtering logic so inequality filters include resources without the tag
and only exclude those whose tag equals the disallowed value, keeping both surfaces consistent.