Sensitive service port exposed
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
EXPOSE documents a sensitive backend/admin port (SSH, a database, Redis, the Docker daemon, RDP). It does not publish the port by itself, but it shows the image is meant to serve a service that should not be reachable from untrusted networks.
Why it matters
EXPOSE documents that the image intends to serve on a sensitive port such as SSH, a database, Redis, RDP, or the Docker daemon. EXPOSE alone does not publish the port, but shipping such a service in an app image, or publishing that port, can put a backend directly on an untrusted network.
How to fix it
Confirm the service really belongs in this image. Run databases and caches as separate, network-isolated services rather than inside the app image, and never map these ports to public interfaces. If the EXPOSE is only documentation and the port is bound to a private network, keep it, but review how the container is actually run.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo