11notes vs Sockguard
11notes takes the most opinionated approach to socket security: read-only, no config, no write risk. Sockguard gives you the same default-deny posture and extends it to the full Docker API — with configurable rules, per-client policies, signed bundles, and image trust verification — so you can scope exactly what each caller is allowed to do.
Feature Comparison
Here's how we compare on the features that matter most.
| Feature | 11notes | Sockguard |
|---|---|---|
| Method filtering | Yes | Yes |
| Read-only focus | Yes (hardcoded, zero write risk) | Configurable (read + controlled write) |
| Zero-config | Yes (no file needed) | No (YAML required) |
| Attack surface | Minimal (read-only hardcoded) | Broader (configurable) |
| Request body inspection | No | Yes (12+ resource types) |
| Per-client policies | No | CIDR + labels + cert selectors + unix peer |
| Write API control | No (blocks all writes) | Yes (default-deny + granular rules) |
| Read-side redaction | Partial (7 risky GETs blocked) | Full (visibility rules + JSON field redaction) |
| Signed policy bundles | No | Yes (cosign keyed + keyless, Rekor) |
| Container image trust | No | Yes (cosign + enforce / warn modes) |
| Prometheus metrics | No | Yes (socket-proxy request metrics) |
| Rate limits | No | Yes (per-profile token-bucket) |
| Audit log schema | No | Yes (JSON schema + reason codes) |
Key Differentiators
What we built that 11notes doesn't cover.
Configurable Default-Deny
11notes is read-only by design — you cannot enable writes. Sockguard starts default-deny and lets you open exactly the operations you need with explicit rules, so a CI runner can create containers while a monitoring client can only read metrics.
Full Read-Side Redaction
11notes blocks 7 risky GET endpoints. Sockguard goes further with visibility rules and JSON field redaction — callers only see the labels, environment variables, and mount paths their policy allows.
Per-Client Policies
11notes applies the same read-only stance to every caller. Sockguard assigns different policies per CIDR range, Docker label, TLS certificate selector, or Unix peer credential.
Container Image Trust
Sockguard enforces image signatures at run time — blocking create or exec calls for images that aren't signed or don't match a trusted digest. 11notes has no image-trust layer.
Signed Policy Bundles
Sockguard verifies policy files with cosign keyed or keyless signatures and Rekor inclusion. Policy tampering is caught before any request is evaluated.
Prometheus Metrics
Sockguard exports socket-proxy request metrics, deny counts, and latency histograms. 11notes has no observability layer beyond container logs.
Coming from 11notes?
Sockguard can replace 11notes entirely. Start with a read-only policy that mirrors 11notes' blocked endpoints, then gradually open write operations with explicit rules scoped to trusted clients. The default-deny baseline is identical — you just get more control.
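The migration path just described (a read-only baseline first, then explicit write rules scoped to trusted clients, with request bodies inspected before a write is let through) modelled as a small default-deny evaluator. This is an added example, not Sockguard's code: the rule fields, reason codes, subnets and blocked endpoints are constructed assumptions, not Sockguard's YAML schema or 11notes' actual block list.

```python
import ipaddress
import json
import re

# Constructed policy model for illustration only: field names, reason codes,
# subnets and blocked endpoints are assumptions, not Sockguard's YAML schema or
# 11notes' real block list. Anything no allow rule matches is denied.
POLICY = {
    "allow": [
        # Read-only baseline for every client (the 11notes-style posture).
        {"clients": "0.0.0.0/0", "method": "GET",
         "path": r"^/(v[\d.]+/)?(_ping|version|info|containers/json|containers/[^/]+/json|images/json)$"},
        # Explicitly opened write, scoped to the CI runner subnet only.
        {"clients": "10.0.5.0/24", "method": "POST",
         "path": r"^/(v[\d.]+/)?containers/(create|[^/]+/start)$"},
    ],
    "deny": [
        # Risky read kept blocked even under the baseline: it returns container files.
        {"clients": "0.0.0.0/0", "method": "GET", "path": r"^/(v[\d.]+/)?containers/[^/]+/archive$"},
    ],
}


def _matches(rule, client_ip, method, path):
    return (ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule["clients"])
            and rule["method"] == method and re.match(rule["path"], path) is not None)


def inspect_create_body(body):
    """Body inspection for container create: refuse settings that escape the sandbox."""
    host_cfg = (json.loads(body).get("HostConfig") or {}) if body else {}
    if host_cfg.get("Privileged"):
        return "privileged_container"
    for bind in host_cfg.get("Binds") or []:
        if bind.split(":")[0] == "/var/run/docker.sock":
            return "socket_mount"
    return None


def evaluate(client_ip, method, path, body=None):
    """Return (allowed, reason_code): deny rules win, then allow rules, else default deny."""
    path = path.split("?", 1)[0]  # match on the path only, never on the query string
    if any(_matches(r, client_ip, method, path) for r in POLICY["deny"]):
        return False, "denied_by_rule"
    if not any(_matches(r, client_ip, method, path) for r in POLICY["allow"]):
        return False, "no_matching_allow"
    if method == "POST" and path.endswith("/containers/create"):
        reason = inspect_create_body(body)
        if reason:
            return False, reason
    return True, "allowed"
```

The reason code is what an audit log entry would carry, so a denied request can be traced to the rule or body check that rejected it.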
```shell
$ docker run -d \
    --name sockguard \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    -v /var/run/sockguard:/var/run/sockguard \
    -e SOCKGUARD_LISTEN_SOCKET=/var/run/sockguard/sockguard.sock \
    codeswhat/sockguard
```

Ready to try Sockguard?
Default-deny, Apache-2.0, no SaaS required. Drop it in front of your socket in minutes.