
CetusGuard vs Sockguard

CetusGuard pioneered regex-based Docker socket filtering with two-way mTLS — a genuinely stronger security baseline than ENV-var proxies. Sockguard matches the mTLS listener and adds request body inspection, per-client certificate selectors, signed policy bundles, and Prometheus metrics. Remote daemon TLS is on the v1.4 roadmap — CetusGuard ships it today.

CetusGuard — Active | Sockguard — Active

Feature Comparison

Here's how we compare on the features that matter most.

Feature | CetusGuard | Sockguard
Method + path filtering | Yes (regex) | Yes
Remote TCP mTLS listener | Yes | Yes (TLS 1.3)
Regex path rules | Yes | Yes
Remote daemon upstream (TLS) | Yes (in production) | Planned (v1.4)
Config simplicity | Compact rule files | Full YAML config
Request body inspection | No | Yes (12+ resource types)
Per-client policies | No | CIDR + labels + cert selectors + SPKI + unix peer
Read-side redaction | No | Yes (visibility rules + JSON field redaction)
Signed policy bundles | No | Yes (cosign keyed + keyless, Rekor)
Container image trust | No | Yes (cosign + enforce / warn modes)
Prometheus metrics | No | Yes (socket-proxy request metrics)
Rate limits | No | Yes (per-profile token-bucket)
Rollout modes (enforce / warn / audit) | No | Yes (per-profile shadow mode)
Audit log schema | No | Yes (JSON schema + reason codes)

Key Differentiators

What we built that CetusGuard doesn't cover.

Request Body Inspection

CetusGuard filters by method and path only. Sockguard inspects request bodies — blocking containers by image, exec commands by pattern, bind mounts by path, and more across 12+ resource types.
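To make the difference concrete, here is a small two-stage evaluator written for this page as an illustration (it is not Sockguard's or CetusGuard's code): stage one is method + path filtering, which is all a path-only proxy sees; stage two inspects the JSON body of Docker Engine API requests for image, bind mount, privileged flag and exec command. The path rules, trusted registry prefix, sensitive paths and exec deny pattern are assumed values chosen for the example.

```python
import json
import re

# Allow-list of (method, path regex) pairs in the spirit of method + path
# filtering. Anything not matched is denied (default-deny).
PATH_RULES = [
    ("GET", re.compile(r"^/(v[\d.]+/)?containers/json$")),
    ("POST", re.compile(r"^/(v[\d.]+/)?containers/create$")),
    ("POST", re.compile(r"^/(v[\d.]+/)?containers/[^/]+/exec$")),
]
# Body-level policy values, assumed for this illustration.
ALLOWED_IMAGE_PREFIX = "registry.example.internal/"
SENSITIVE_BIND_PREFIXES = ("/var/run/docker.sock", "/etc", "/proc", "/sys")
DENIED_EXEC_PATTERN = re.compile(r"\b(nsenter|chroot)\b")

def path_allowed(method, path):
    """Stage 1: method + path filtering, which is all a path-only proxy sees."""
    return any(method == m and rx.match(path) for m, rx in PATH_RULES)

def body_violations(path, body):
    """Stage 2: inspect the JSON body of an already path-allowed request."""
    reasons = []
    if path.endswith("/containers/create"):
        image = body.get("Image", "")
        if not image.startswith(ALLOWED_IMAGE_PREFIX):
            reasons.append(f"image not from trusted registry: {image}")
        host = body.get("HostConfig") or {}
        if host.get("Privileged"):
            reasons.append("privileged container requested")
        for bind in host.get("Binds") or []:
            src = bind.split(":", 1)[0]  # host side of "src:dst[:opts]"
            if src == "/" or any(src == p or src.startswith(p + "/")
                                  for p in SENSITIVE_BIND_PREFIXES):
                reasons.append(f"sensitive bind mount: {src}")
    elif path.endswith("/exec"):
        cmd = " ".join(body.get("Cmd") or [])
        if DENIED_EXEC_PATTERN.search(cmd):
            reasons.append(f"exec command matches deny pattern: {cmd}")
    return reasons

def evaluate(method, path, raw_body=""):
    """Return ("allow"|"deny", reasons) for one Docker Engine API request."""
    if not path_allowed(method, path):
        return "deny", ["no method + path rule matched"]
    body = json.loads(raw_body) if raw_body else {}
    reasons = body_violations(path, body)
    return ("deny", reasons) if reasons else ("allow", [])
```

A path-only filter returns "allow" for every `POST /containers/create` it is configured to permit; the body stage is what turns a socket-mounting or privileged create request into a deny with a reason string suitable for an audit log.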

Per-Client Policies

CetusGuard applies the same regex rules to every caller. Sockguard assigns different policies per CIDR range, Docker label, TLS certificate selector (including SPKI pinning), or Unix peer credential.

Signed Policy Bundles

Sockguard verifies policy files with cosign keyed or keyless signatures and Rekor transparency log inclusion. An unsigned or tampered bundle is rejected before any request is evaluated.

Container Image Trust

Sockguard enforces image signatures at run time — blocking create or exec calls for images that aren't signed or don't match a trusted digest. CetusGuard has no image-trust layer.

Prometheus Metrics

Sockguard exports socket-proxy request metrics, deny counts, and latency histograms. CetusGuard has no built-in metrics endpoint.

Rollout Modes

Sockguard's per-profile rollout modes (enforce / warn / audit) let you shadow-test strict rules before they block anything. CetusGuard is enforce-only.

Coming from CetusGuard?

Your regex path rules translate directly to Sockguard YAML rule blocks, and your mTLS certificates work unchanged. Sockguard exposes the same TCP listener — swap the image and enable body inspection and per-client profiles at your own pace.

Quick start
$ docker run -d \
  --name sockguard \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  -v /var/run/sockguard:/var/run/sockguard \
  -e SOCKGUARD_LISTEN_SOCKET=/var/run/sockguard/sockguard.sock \
  codeswhat/sockguard

Ready to try Sockguard?

Default-deny, Apache-2.0, no SaaS required. Drop it in front of your socket in minutes.