---
title: Exposing port 22 (SSH)
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > Exposing port 22 (SSH)
---

# Exposing port 22 (SSH)

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ().
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `5907595b-5b6d-4142-b173-dbb0e73fbff8`

**Cloud Provider:** Dockerfile

**Platform:** Dockerfile

**Severity:** Low

**Category:** Best Practices

#### Learn More{% #learn-more %}

- [Provider Reference](https://sysdig.com/blog/dockerfile-best-practices/)

### Description{% #description %}

Exposing SSH (port 22) from a container image creates an unnecessary remote access surface that enables brute-force attacks, credential theft, and lateral movement if the container or host is compromised. This rule checks Dockerfiles for `EXPOSE` instructions and flags any `EXPOSE` entry that includes port `22`.

Remove port `22` from `EXPOSE` directives and rely on container runtime access methods (for example, `docker exec` or `kubectl exec`), a bastion host, or an ephemeral, tightly-controlled SSH gateway with network restrictions and strong authentication when interactive access is required.

Secure example without SSH exposed:

```dockerfile
EXPOSE 8080
```

## Compliant Code Examples{% #compliant-code-examples %}

```dockerfile
FROM gliderlabs/alpine:3.3
RUN apk --no-cache add nginx
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```dockerfile
FROM gliderlabs/alpine:3.3
RUN apk --no-cache add nginx
EXPOSE 3000 80 443 22
CMD ["nginx", "-g", "daemon off;"]
```