Exposing port 22 (SSH)

Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Exposing port 22 (SSH)

Metadata

Id: 5907595b-5b6d-4142-b173-dbb0e73fbff8

Cloud Provider: Dockerfile

Platform: Dockerfile

Severity: Low

Category: Best Practices

Learn More

Provider Reference

Description

Exposing SSH (port 22) from a container image creates an unnecessary remote access surface that enables brute-force attacks, credential theft, and lateral movement if the container or host is compromised. This rule checks Dockerfiles for EXPOSE instructions and flags any EXPOSE entry that includes port 22.

Remove port 22 from EXPOSE directives and rely on container runtime access methods (for example, docker exec or kubectl exec), a bastion host, or an ephemeral, tightly-controlled SSH gateway with network restrictions and strong authentication when interactive access is required.

Secure example without SSH exposed:

EXPOSE 8080

Compliant Code Examples

FROM gliderlabs/alpine:3.3
RUN apk --no-cache add nginx
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]

Non-Compliant Code Examples

FROM gliderlabs/alpine:3.3
RUN apk --no-cache add nginx
EXPOSE 3000 80 443 22
CMD ["nginx", "-g", "daemon off;"]