Open Source · Apache-2.0

Docker Socket Proxy

Control what gets through. Filter Docker API requests by method and path with default-deny posture, structured audit logging, and drop-in Tecnativa compatibility.


Features

Security-first Docker socket proxy with zero external dependencies

sockguard capabilities (10 modules)

01  Default-Deny Posture (Security)
    Everything blocked unless explicitly allowed. No match means deny.

02  Request Body Inspection (Security)
    POST /containers/create bodies are parsed to block privileged containers, host networking, and non-allowlisted bind mounts before Docker ever sees the request.

03  mTLS for Remote TCP (Security)
    Non-loopback TCP listeners require mutual TLS 1.3 by default. Plaintext remote TCP is explicit legacy opt-in only.

04  Owner Label Isolation (Control)
    Stamp containers, networks, volumes, and build images with an owner label. List and prune calls are auto-filtered, and cross-owner access is denied.

05  Client ACL Primitives (Control)
    Gate callers by source CIDR and enforce per-client allowlists resolved from the calling container's labels over the bridge network.

06  Granular Control (Control)
    Allow start/stop while blocking create/exec. Per-operation POST controls with glob matching.

07  Structured Logging (Operations)
    JSON access logs with method, path, decision, matched rule index, latency, and client info.

08  YAML Configuration (Control)
    Declarative rules in YAML. Glob patterns for paths, first-match-wins evaluation, 10 bundled presets.

09  Tecnativa Compatible (Operations)
    Drop-in replacement using the same env vars. CONTAINERS=1, POST=0, ALLOW_START=1 all work.

10  Minimal Attack Surface (Security)
    Wolfi-based image, ~12MB. Cosign-signed with SBOM and build provenance.
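The default-deny, first-match-wins evaluation that modules 01, 06, 07, 08 and 09 describe, written out as an added Go example. This is not Sockguard's code: the Rule and Decision types, the "/**" extension to path.Match globs, and the reading of the Tecnativa variables in FromTecnativaEnv are this example's own assumptions, and the audit record carries only method, path, decision and matched rule index (latency and client info from module 07 are left out). Version prefixes such as /v1.43 are stripped before matching, because Docker clients send them and a rule set that forgets that silently fails closed on every request.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Rule: HTTP method ("*" = any), path glob, decision. This shape is assumed for
// the example; it is not Sockguard's YAML schema.
type Rule struct {
	Method, Path string
	Allow        bool
}

// Decision is the per-request audit record, emitted as one JSON log line.
type Decision struct {
	Method  string `json:"method"`
	Path    string `json:"path"`
	Allowed bool   `json:"allowed"`
	Rule    int    `json:"matched_rule"` // -1 when no rule matched (default deny)
}

// apiVersion matches the optional "/v1.NN" prefix Docker clients prepend to paths.
var apiVersion = regexp.MustCompile(`^/v[0-9]+\.[0-9]+`)

// matchPath is a path.Match glob ("*" spans one segment only) with one extension:
// a trailing "/**" also matches the base path and anything below it.
func matchPath(pattern, p string) bool {
	if strings.HasSuffix(pattern, "/**") {
		base := strings.TrimSuffix(pattern, "/**")
		return p == base || strings.HasPrefix(p, base+"/")
	}
	ok, _ := path.Match(pattern, p)
	return ok
}

// Evaluate walks the rules in order and stops at the first match; a request that
// matches nothing is denied.
func Evaluate(rules []Rule, method, reqPath string) Decision {
	d := Decision{Method: method, Path: reqPath, Rule: -1}
	unversioned := apiVersion.ReplaceAllString(reqPath, "")
	for i, r := range rules {
		if matchPath(r.Path, unversioned) && (r.Method == "*" || strings.EqualFold(r.Method, method)) {
			d.Rule, d.Allowed = i, r.Allow
			return d
		}
	}
	return d
}

// AuditLine renders a decision as one structured JSON log line.
func AuditLine(d Decision) string {
	b, _ := json.Marshal(d)
	return string(b)
}

// FromTecnativaEnv turns Tecnativa-style variables (CONTAINERS=1, POST=0,
// ALLOW_START=1) into an ordered rule list. The mapping is this example's reading
// of those variables, not Sockguard's code: ALLOW_* exceptions first, then GET on
// each enabled section, plus POST on it only when POST=1.
func FromTecnativaEnv(env map[string]string) []Rule {
	var rules []Rule
	for _, op := range []string{"start", "stop"} {
		if env["ALLOW_"+strings.ToUpper(op)] == "1" {
			rules = append(rules, Rule{"POST", "/containers/*/" + op, true})
		}
	}
	for _, section := range []string{"containers", "events", "images", "networks", "volumes"} {
		if env[strings.ToUpper(section)] != "1" {
			continue
		}
		rules = append(rules, Rule{"GET", "/" + section + "/**", true})
		if env["POST"] == "1" {
			rules = append(rules, Rule{"POST", "/" + section + "/**", true})
		}
	}
	return rules
}

func main() {
	// Constructed environment: the quick start's CONTAINERS=1, EVENTS=1 plus ALLOW_START=1.
	rules := FromTecnativaEnv(map[string]string{"CONTAINERS": "1", "EVENTS": "1", "POST": "0", "ALLOW_START": "1"})
	for _, req := range [][2]string{{"GET", "/v1.43/containers/json"}, {"POST", "/containers/abc123/start"}, {"POST", "/containers/abc123/exec"}} {
		fmt.Println(AuditLine(Evaluate(rules, req[0], req[1])))
	}
}
```

With POST=0 the only POST that passes is the ALLOW_START exception, because it is placed before the section rules and everything else falls through to the implicit deny; the audit line for a denied request records matched_rule -1, which is the signal to look for when a legitimate client is being blocked by a missing rule rather than an explicit one.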

Quick Start

Add to your docker-compose.yml and you're done

docker-compose.yml
services:
  sockguard:
    image: codeswhat/sockguard:latest
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - sockguard-socket:/var/run/sockguard
    environment:
      - SOCKGUARD_LISTEN_SOCKET=/var/run/sockguard/sockguard.sock
      - CONTAINERS=1
      - EVENTS=1

  your-app:
    depends_on:
      - sockguard
    volumes:
      - sockguard-socket:/var/run/sockguard:ro
    environment:
      - DOCKER_HOST=unix:///var/run/sockguard/sockguard.sock

volumes:
  sockguard-socket:

Comparison

How Sockguard stacks up against other Docker socket proxies

Feature                   Tecnativa   LinuxServer   wollomatic      Sockguard
Method + path filtering   Yes         Yes           Yes             Yes
Granular POST ops         No          Partial       Via regex       Yes
Request body inspection   No          No            No              Yes (/containers/create)
Per-client policies       No          No            CIDR + labels   CIDR + labels
Resource owner labels     No          No            No              Yes
Remote TCP mTLS           No          No            No              Yes (TLS 1.3)
Response filtering        No          No            No              Planned
Structured audit log      No          No            No              Yes
YAML config               No          No            No              Yes
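The "Request body inspection" row above and module 02 both describe parsing POST /containers/create bodies to refuse privileged containers, host networking and non-allowlisted bind mounts. The Go below is an added example of that check and is not Sockguard's implementation: CreateSpec, InspectCreate, bindAllowed and the allowlist are this example's own, and it goes slightly beyond the text by also checking HostConfig.Mounts entries of type bind, since the Engine API accepts bind mounts in that form as well as in Binds.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// CreateSpec is the subset of a POST /containers/create body that the check reads.
// Field names follow the Docker Engine API; the struct itself is this example's own.
type CreateSpec struct {
	Image      string
	HostConfig struct {
		Privileged  bool
		NetworkMode string
		Binds       []string                       // "source:target[:options]"
		Mounts      []struct{ Type, Source string } // the Mounts spelling of a bind
	}
}

// bindAllowed accepts a host path equal to or under an allowlisted directory.
// path.Clean folds "/srv/app-data/../../etc" to "/etc" before the comparison, and
// the trailing "/" keeps "/srv/app-data2" from passing as "/srv/app-data".
func bindAllowed(src string, allowlist []string) bool {
	clean := path.Clean(src)
	for _, dir := range allowlist {
		dir = path.Clean(dir)
		if dir == "/" || clean == dir || strings.HasPrefix(clean, dir+"/") {
			return true
		}
	}
	return false
}

// InspectCreate returns every reason the request must be refused; an empty result
// means it may be forwarded. All violations are collected, not just the first,
// so the audit record shows the whole picture.
func InspectCreate(body []byte, allowlist []string) []string {
	var spec CreateSpec
	if err := json.Unmarshal(body, &spec); err != nil {
		return []string{"unparseable create body: " + err.Error()}
	}
	hc := spec.HostConfig
	var reasons []string
	if hc.Privileged {
		reasons = append(reasons, "privileged container")
	}
	if hc.NetworkMode == "host" {
		reasons = append(reasons, "host networking")
	}
	for _, b := range hc.Binds {
		// A source that is not an absolute path is a named volume, not a host
		// directory, and is let through (a simplification chosen for this example).
		src := strings.SplitN(b, ":", 2)[0]
		if strings.HasPrefix(src, "/") && !bindAllowed(src, allowlist) {
			reasons = append(reasons, "bind mount not allowlisted: "+src)
		}
	}
	for _, m := range hc.Mounts {
		if m.Type == "bind" && !bindAllowed(m.Source, allowlist) {
			reasons = append(reasons, "bind mount not allowlisted: "+m.Source)
		}
	}
	return reasons
}

func main() {
	allow := []string{"/srv/app-data"}
	// Constructed bodies: one benign, one combining three violations.
	benign := `{"Image":"alpine","HostConfig":{"Binds":["/srv/app-data/uploads:/data","cache:/cache"]}}`
	bad := `{"Image":"alpine","HostConfig":{"Privileged":true,"NetworkMode":"host","Binds":["/etc:/host-etc:ro"]}}`
	fmt.Println("benign:", InspectCreate([]byte(benign), allow))
	fmt.Println("bad:", InspectCreate([]byte(bad), allow))
}
```

An unparseable body is refused rather than forwarded, which is the fail-closed choice a default-deny proxy should make: if the inspector cannot see what it is approving, it approves nothing.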