diff --git a/profiles/apparmor.d/ssh-keyscan b/profiles/apparmor.d/ssh-keyscan
new file mode 100644
index 000000000..a71012c05
--- /dev/null
+++ b/profiles/apparmor.d/ssh-keyscan
@@ -0,0 +1,33 @@
+#------------------------------------------------------------------
+#    Copyright (C) 2025 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#------------------------------------------------------------------
+# vim: ft=apparmor
+#
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile ssh-keyscan /usr/bin/ssh-keyscan {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+  
+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
+
+  # By default, limit file options to the following dirs
+  file r @{HOME}/.ssh/{,**},
+
+  # Allow executable mapping and read for the binary
+  file mr /usr/bin/ssh-keyscan,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/ssh-keyscan>
+}
+