apiVersion: json.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: dockerfile-deny-expose-port-22
  labels:
    dockerfile.tags.kyverno.io: 'dockerfile'
  annotations:
    title.policy.kyverno.io: Dockerfile expose port 22 not allowed
    description.policy.kyverno.io: This Policy ensures that port 22 is not exposed in Dockerfile.
spec:
  rules:
    - name: check-port-exposure
      assert:
        all:
        - message: "Port 22 exposure is not allowed"
          check:
            ~.(Stages[].Commands[?Name=='EXPOSE'][]):
              (contains(Ports, '22') || contains(Ports, '22/TCP')): false