
LinuxServer vs Sockguard

LinuxServer's docker-socket-proxy brings the LSIO ecosystem and community maintenance to Tecnativa's proven ENV-var approach. Sockguard matches the drop-in simplicity and adds request body inspection, per-client policies, signed policy bundles, and Prometheus metrics — all in a lean Go binary with no s6-overlay required.

Status: LinuxServer (Active), Sockguard (Active)

Feature Comparison

Here's how we compare on the features that matter most.

Feature                                | LinuxServer                       | Sockguard
---------------------------------------|-----------------------------------|--------------------------------------------
Method + path filtering                | Yes                               | Yes
Config format                          | ENV vars (Tecnativa-compatible)   | YAML config
LSIO ecosystem                         | Full s6-overlay + LSIO packaging  | Standard Docker image
Community backing                      | LinuxServer.io (100k+ users)      | CodesWhat
Request body inspection                | No                                | Yes (12+ resource types)
Per-client policies                    | No                                | CIDR + labels + cert selectors + unix peer
Prometheus metrics                     | No                                | Yes (socket-proxy request metrics)
Signed policy bundles                  | No                                | Yes (cosign keyed + keyless, Rekor)
Rollout modes (enforce / warn / audit) | No                                | Yes (per-profile shadow mode)
Rate limits                            | No                                | Yes (per-profile token-bucket)
Hot-reload                             | No                                | Yes (SIGHUP/fsnotify, validate endpoint)
Audit log schema                       | No                                | Yes (JSON schema + reason codes)

Key Differentiators

What we built that LinuxServer doesn't cover.

Request Body Inspection

LinuxServer filters by method and path only. Sockguard inspects request bodies — blocking containers by image, exec commands by pattern, bind mounts by path, and more across 12+ resource types.
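As an added illustration (not Sockguard's own code or its YAML format), the check below evaluates Docker API requests against a constructed policy: a method + path allow-list has to pass every POST /containers/create wholesale, whereas body inspection can reject a disallowed image, a privileged flag, a bind mount of a protected host path, or an exec that launches a shell. The policy keys, allowed paths, image pattern and exec pattern are assumptions made for this example.

```python
import fnmatch
import json
import posixpath
import re

# Constructed policy for this example (not Sockguard's YAML schema): the
# method + path allow-list a plain proxy holds, plus body-level rules.
POLICY = {
    "read_paths": {"/version", "/containers/json", "/events"},
    "allow_images": ["ghcr.io/example-org/*"],
    "deny_bind_paths": ["/", "/var/run/docker.sock", "/etc", "/proc", "/sys"],
    "deny_exec_patterns": [r"^(/usr)?(/bin/)?(ba|da)?sh\b"],
}


def host_path_denied(host_path):
    """True if a bind-mount source is, or lies under, a denied host path."""
    if not host_path.startswith("/"):
        return False  # named volume, not a host path
    # Collapse '..' and repeated slashes so '/etc/../etc//passwd' still matches.
    norm = "/" + posixpath.normpath(host_path).lstrip("/")
    return any(norm == d or (d != "/" and norm.startswith(d + "/"))
               for d in POLICY["deny_bind_paths"])


def evaluate(method, path, body=b""):
    """Return (allowed, reason) for one Docker API request."""
    path = re.sub(r"^/v\d+\.\d+", "", path)  # drop the API version prefix
    if method == "GET":
        return (True, "ok") if path in POLICY["read_paths"] else (False, "path_not_allowed")
    if method == "POST" and path == "/containers/create":
        req = json.loads(body)
        image = req.get("Image", "")
        if not any(fnmatch.fnmatch(image, p) for p in POLICY["allow_images"]):
            return False, "image_not_allowed:" + image
        host_cfg = req.get("HostConfig") or {}
        if host_cfg.get("Privileged"):
            return False, "privileged_denied"
        for bind in host_cfg.get("Binds") or []:
            src = bind.split(":", 1)[0]  # "host:container[:opts]"
            if host_path_denied(src):
                return False, "bind_denied:" + src
        return True, "ok"
    if method == "POST" and re.fullmatch(r"/containers/[^/]+/exec", path):
        cmd = " ".join(json.loads(body).get("Cmd") or [])
        if any(re.search(p, cmd) for p in POLICY["deny_exec_patterns"]):
            return False, "exec_pattern_denied"
        return True, "ok"
    return False, "method_path_not_allowed"
```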

Per-Client Policies

LinuxServer applies the same ENV-var rules to every caller. Sockguard assigns different policies per CIDR range, Docker label, TLS certificate selector, or Unix peer — so CI, monitoring, and admin clients can each have a tighter scope.

Signed Policy Bundles

Sockguard verifies policy files with cosign keyed or keyless signatures and Rekor transparency log inclusion. An unsigned or tampered bundle is rejected before any request reaches the daemon.

Prometheus Metrics

Sockguard exports socket-proxy request metrics, deny counts, and latency histograms. LinuxServer has no built-in observability beyond container logs.

Rollout Modes

Sockguard's per-profile rollout modes (enforce / warn / audit) let you shadow-test a new policy before it blocks anything. Roll out strict rules without a maintenance window.

Read-Side Redaction

Sockguard can redact sensitive fields from GET responses — labels, environment variables, mount paths — so callers only see what their policy allows. LinuxServer has no response filtering.

Coming from LinuxServer?

Translate your ENV var allow-list to Sockguard YAML rules once. Sockguard mounts the same socket, speaks the same Docker API, and drops into your compose stack as a one-line service swap — then you can enable body inspection and per-client profiles at your own pace.

Quick start
$ docker run -d \
  --name sockguard \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  -v /var/run/sockguard:/var/run/sockguard \
  -e SOCKGUARD_LISTEN_SOCKET=/var/run/sockguard/sockguard.sock \
  codeswhat/sockguard

Ready to try Sockguard?

Default-deny, Apache-2.0, no SaaS required. Drop it in front of your socket in minutes.