Back to catalog

Secure Shell (ssh) Port Exposed in Image

No violationsstackroxhighbuilddeploy

Alert on deployments exposing port 22, commonly reserved for SSH access.

Rationale
Port 22 is reserved for SSH access. SSH should not typically be used within containers.
Remediation
Ensure that non-SSH services are not using port 22. Ensure that any actual SSH servers have been vetted.
CategoriesSecurity Best Practices
Compliance mappingsView coverage →
DORA EU 2022/2554
Art. 9.2
ISO/IEC 27001 2022
A.8.25A.8.9
NIST SP 800-53 rev. 5
CM-2
PCI DSS 4.0
2.2.1

Generated artifacts

1 of 5 targets supported
secure-shell-ssh-port-exposed-in-image.rego
# Secure Shell (ssh) Port Exposed in Image (trivy)
# severity: high
# source: stackrox/629f847d-72b1-4009-8891-cbe479ab10ab
package trivy.secure_shell_ssh_port_exposed_in_image

deny[msg] {
  # rule 1
  some inst
  inst := input.Misconfigurations[_].Message
  contains(inst, {"EXPOSE=(22/tcp|\s+22/tcp)"}[_])
  msg := "[high] Secure Shell (ssh) Port Exposed in Image: Alert on deployments exposing port 22, commonly reserved for SSH access."
}
IR (canonical)
{
  "id": "629f847d-72b1-4009-8891-cbe479ab10ab",
  "name": "Secure Shell (ssh) Port Exposed in Image",
  "description": "Alert on deployments exposing port 22, commonly reserved for SSH access.",
  "rationale": "Port 22 is reserved for SSH access. SSH should not typically be used within containers.",
  "remediation": "Ensure that non-SSH services are not using port 22. Ensure that any actual SSH servers have been vetted.",
  "severity": "high",
  "categories": [
    "Security Best Practices"
  ],
  "lifecycle": [
    "build",
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "dockerfile-line",
    "values": [
      "EXPOSE=(22/tcp|\\s+22/tcp)"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "629f847d-72b1-4009-8891-cbe479ab10ab",
  "name": "Secure Shell (ssh) Port Exposed in Image",
  "description": "Alert on deployments exposing port 22, commonly reserved for SSH access.",
  "rationale": "Port 22 is reserved for SSH access. SSH should not typically be used within containers.",
  "remediation": "Ensure that non-SSH services are not using port 22. Ensure that any actual SSH servers have been vetted.",
  "disabled": false,
  "categories": [
    "Security Best Practices"
  ],
  "lifecycleStages": [
    "BUILD",
    "DEPLOY"
  ],
  "eventSource": "NOT_APPLICABLE",
  "exclusions": [],
  "scope": [],
  "severity": "HIGH_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Dockerfile Line",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "EXPOSE=(22/tcp|\\s+22/tcp)"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}