
11notes vs Sockguard

11notes takes the most opinionated approach to socket security: read-only, no config, no write risk. Sockguard gives you the same default-deny posture and extends it to the full Docker API — with configurable rules, per-client policies, signed bundles, and image trust verification — so you can scope exactly what each caller is allowed to do.

Project status: 11notes (Active), Sockguard (Active)

Feature Comparison

Here's how we compare on the features that matter most.

| Feature                  | 11notes                              | Sockguard                                     |
|--------------------------|--------------------------------------|-----------------------------------------------|
| Method filtering         | Yes                                  | Yes                                           |
| Read-only focus          | Yes (hardcoded, zero write risk)     | Configurable (read + controlled write)        |
| Zero-config              | Yes (no file needed)                 | No (YAML required)                            |
| Attack surface           | Minimal (read-only hardcoded)        | Broader (configurable)                        |
| Request body inspection  | No                                   | Yes (12+ resource types)                      |
| Per-client policies      | No                                   | CIDR + labels + cert selectors + unix peer    |
| Write API control        | No (blocks all writes)               | Yes (default-deny + granular rules)           |
| Read-side redaction      | Partial (7 risky GETs blocked)       | Full (visibility rules + JSON field redaction)|
| Signed policy bundles    | No                                   | Yes (cosign keyed + keyless, Rekor)           |
| Container image trust    | No                                   | Yes (cosign + enforce / warn modes)           |
| Prometheus metrics       | No                                   | Yes (socket-proxy request metrics)            |
| Rate limits              | No                                   | Yes (per-profile token-bucket)                |
| Audit log schema         | No                                   | Yes (JSON schema + reason codes)              |

Key Differentiators

What we built that 11notes doesn't cover.

Configurable Default-Deny

11notes is read-only by design — you cannot enable writes. Sockguard starts default-deny and lets you open exactly the operations you need with explicit rules, so CI can run containers while monitoring only reads metrics.

Full Read-Side Redaction

11notes blocks 7 risky GET endpoints. Sockguard goes further with visibility rules and JSON field redaction — callers only see the labels, environment variables, and mount paths their policy allows.

Per-Client Policies

11notes applies the same read-only stance to every caller. Sockguard assigns different policies per CIDR range, Docker label, TLS certificate selector, or Unix peer credential.

Container Image Trust

Sockguard enforces image signatures at run time — blocking create or exec calls for images that aren't signed or don't match a trusted digest. 11notes has no image-trust layer.

Signed Policy Bundles

Sockguard verifies policy files with cosign keyed or keyless signatures and Rekor inclusion. Policy tampering is caught before any request is evaluated.

Prometheus Metrics

Sockguard exports socket-proxy request metrics, deny counts, and latency histograms. 11notes has no observability layer beyond container logs.

Coming from 11notes?

Sockguard can replace 11notes entirely. Start with a read-only policy that mirrors 11notes' blocked endpoints, then gradually open write operations with explicit rules scoped to trusted clients. The default-deny baseline is identical — you just get more control.
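As an added illustration (not Sockguard's own code, and not its YAML policy format), the Python sketch below evaluates Docker API requests the way the migration path above describes: reads are allowed except a constructed list of risky endpoints, writes are denied unless an explicit rule scoped to a client CIDR matches and the request body passes its constraint, and a JSON field is redacted from inspect-style responses. The policy shape, CIDR, paths and reason codes are all constructed assumptions for this example.

```python
import copy
import ipaddress
import re

# Constructed sample policy (hypothetical shape, not Sockguard's real config format).
READ_DENY = [r"^/containers/[^/]+/(archive|export)$", r"^/(secrets|configs)(/|$)"]
WRITE_RULES = [  # explicit write allowances scoped by client CIDR + a body constraint
    {"cidr": "10.0.1.0/24", "method": "POST", "path": r"^/containers/create$",
     "body_deny": {"HostConfig.Privileged": True}},
]
REDACT_FIELDS = ["Config.Env"]  # read-side JSON field redaction


def _lookup(obj, dotted):
    """Follow a dotted key path into nested dicts; None if any hop is missing."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def evaluate(client_ip, method, path, body=None):
    """Return (allowed, reason_code). Anything not explicitly allowed is denied."""
    path = re.sub(r"^/v\d+(\.\d+)?", "", path)  # normalise away the API version prefix
    if method in ("GET", "HEAD"):
        if any(re.match(p, path) for p in READ_DENY):
            return False, "read_denied_risky_endpoint"
        return True, "read_allowed"
    ip = ipaddress.ip_address(client_ip)
    for rule in WRITE_RULES:
        if method != rule["method"] or not re.match(rule["path"], path):
            continue
        if ip not in ipaddress.ip_network(rule["cidr"]):
            return False, "write_denied_client_scope"
        for field, forbidden in rule["body_deny"].items():
            if _lookup(body or {}, field) == forbidden:
                return False, "write_denied_body_constraint"
        return True, "write_allowed_by_rule"
    return False, "write_denied_default"


def redact(response):
    """Strip redacted fields from an inspect-style response before returning it."""
    out = copy.deepcopy(response)
    for field in REDACT_FIELDS:
        *parents, leaf = field.split(".")
        node = _lookup(out, ".".join(parents)) if parents else out
        if isinstance(node, dict):
            node.pop(leaf, None)
    return out
```

The reason codes are what an audit log entry would carry, so a denied request is explainable without re-running the policy.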

Quick start
$ docker run -d \
  --name sockguard \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  -v /var/run/sockguard:/var/run/sockguard \
  -e SOCKGUARD_LISTEN_SOCKET=/var/run/sockguard/sockguard.sock \
  codeswhat/sockguard

Ready to try Sockguard?

Default-deny, Apache-2.0, no SaaS required. Drop it in front of your socket in minutes.