
Tecnativa vs Sockguard

Tecnativa's docker-socket-proxy is the community reference for ENV-var-based Docker socket filtering — simple, battle-tested, trusted by tens of thousands of deployments. Sockguard builds on that foundation with request body inspection, per-client policies, signed policy bundles, and Prometheus metrics — without any SaaS layer.

Project status: Tecnativa (active), Sockguard (active)

Feature Comparison

Here's how we compare on the features that matter most.

Feature                                 | Tecnativa                       | Sockguard
----------------------------------------|---------------------------------|-------------------------------------------
Method + path filtering                 | Yes                             | Yes
Config format                           | ENV vars (zero learning curve)  | YAML config
Community size                          | Huge (50k+ GitHub stars)        | Growing
Production maturity                     | 10+ years in production         | Newer
Request body inspection                 | No                              | Yes (12+ resource types)
Per-client policies                     | No                              | CIDR + labels + cert selectors + unix peer
Prometheus metrics                      | No                              | Yes (socket-proxy request metrics)
Signed policy bundles                   | No                              | Yes (cosign keyed + keyless, Rekor)
Rollout modes (enforce / warn / audit)  | No                              | Yes (per-profile shadow mode)
Rate limits                             | No                              | Yes (per-profile token-bucket)
YAML config + hot-reload                | No                              | Yes (SIGHUP/fsnotify, validate endpoint)
Audit log schema                        | No                              | Yes (JSON schema + reason codes)

Key Differentiators

What we built that Tecnativa doesn't cover.

Request Body Inspection

Tecnativa filters by method and path only, so once an endpoint such as POST /containers/create is allowed, every payload sent to it is allowed. Sockguard also inspects the request body: it can block containers by image, exec commands by pattern, bind mounts by host path, and more, across 12+ resource types.
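
To make the distinction concrete, here is an added example (not Sockguard's code, and not its policy format) that runs a method+path allow-list in the spirit of CONTAINERS=1 EXEC=1 POST=1 and then a second, body-aware stage over the same requests. The allow-list, the forbidden host paths, the exec pattern and the sample Docker Engine API requests are all constructed for the demonstration.

```python
"""Why method+path filtering alone does not protect the Docker Engine API.
Added example for this page: not Sockguard's code or policy format; the rules
and sample requests below are constructed for the demonstration."""
import json
import os
import re
from dataclasses import dataclass

# Path-only rules in the spirit of an ENV-var allow-list such as
# CONTAINERS=1 EXEC=1 POST=1; anything not listed is denied.
ALLOWED_PATHS = [
    ("GET", re.compile(r"^(/v[\d.]+)?/containers/json$")),
    ("POST", re.compile(r"^(/v[\d.]+)?/containers/create$")),
    ("POST", re.compile(r"^(/v[\d.]+)?/containers/[^/]+/exec$")),
]
# Body-level rules (constructed): host paths that must never be bind-mounted,
# and exec commands refused outright.
FORBIDDEN_BIND_ROOTS = ("/", "/var/run/docker.sock", "/etc", "/root")
FORBIDDEN_EXEC = re.compile(r"\b(nsenter|chroot|mount)\b")

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

def path_filter(method, path):
    """Stage 1: the check a method+path proxy performs."""
    for allowed_method, pattern in ALLOWED_PATHS:
        if method == allowed_method and pattern.match(path):
            return Decision(True, "path_allowed")
    return Decision(False, "path_denied")

def forbidden_source(src):
    """True if a bind source is, or lies under, a forbidden host path."""
    src = os.path.normpath(src)
    if not src.startswith("/"):
        return False  # a named volume, not a host path
    return any(src == root or (root != "/" and src.startswith(root + "/"))
               for root in FORBIDDEN_BIND_ROOTS)

def inspect_body(method, path, body):
    """Stage 2: look inside the payload of endpoints whose body matters."""
    if method == "POST" and path.endswith("/containers/create"):
        hc = body.get("HostConfig") or {}
        if hc.get("Privileged"):
            return Decision(False, "privileged_container")
        for bind in hc.get("Binds") or []:  # "host:container[:opts]"
            if forbidden_source(bind.split(":", 1)[0]):
                return Decision(False, "forbidden_bind_source")
        for mount in hc.get("Mounts") or []:  # only Type=bind touches the host
            if mount.get("Type") == "bind" and forbidden_source(mount.get("Source", "")):
                return Decision(False, "forbidden_bind_source")
    elif method == "POST" and path.endswith("/exec"):
        if FORBIDDEN_EXEC.search(" ".join(body.get("Cmd") or [])):
            return Decision(False, "forbidden_exec_command")
    return Decision(True, "body_ok")

def evaluate(method, path, raw_body=b""):
    """Path filter first, then body inspection; unparseable bodies are denied."""
    decision = path_filter(method, path)
    if not decision.allowed:
        return decision
    body = {}
    if raw_body:
        try:
            body = json.loads(raw_body)
        except ValueError:
            return Decision(False, "malformed_body")
        if not isinstance(body, dict):
            return Decision(False, "malformed_body")
    return inspect_body(method, path, body)

# Constructed sample requests; all but the last pass a path-only filter.
SAMPLE_REQUESTS = [
    ("list", "GET", "/v1.43/containers/json", b""),
    ("mount-socket", "POST", "/v1.43/containers/create",
     b'{"Image":"alpine","HostConfig":{"Binds":["/var/run/docker.sock:/var/run/docker.sock"]}}'),
    ("privileged", "POST", "/v1.43/containers/create",
     b'{"Image":"alpine","HostConfig":{"Privileged":true}}'),
    ("etc-mount", "POST", "/v1.43/containers/create",
     b'{"Image":"alpine","HostConfig":{"Mounts":[{"Type":"bind","Source":"/etc/shadow","Target":"/x"}]}}'),
    ("nsenter", "POST", "/v1.43/containers/abc123/exec",
     b'{"Cmd":["nsenter","-t","1","-m","-u","-i","-n","sh"]}'),
    ("ls", "POST", "/v1.43/containers/abc123/exec", b'{"Cmd":["ls","/"]}'),
    ("delete", "DELETE", "/v1.43/containers/abc123", b""),
]

def run_samples():
    """Map sample name -> (passes path-only filter?, body-aware reason)."""
    return {name: (path_filter(m, p).allowed, evaluate(m, p, b).reason)
            for name, m, p, b in SAMPLE_REQUESTS}

if __name__ == "__main__":
    for name, (path_ok, reason) in run_samples().items():
        verdict = "allow" if path_ok else "deny"
        print(f"{name:13s} path-only={verdict:5s} body-aware={reason}")
```

Four of the six requests that a path-only filter waves through (socket bind mount, privileged container, a bind under /etc, an nsenter exec) are what the body stage catches; the bind check normalizes the source path so `/etc/../root/.ssh` is treated as `/root/.ssh`. Note the two fail-closed points: the path stage is default-deny, and a body that does not parse as a JSON object is denied rather than forwarded, because a body inspector that fails open on a parse error is weaker than the path filter it was meant to improve on.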

Per-Client Policies

Every client sees the same rules with Tecnativa. Sockguard lets you assign different policies per CIDR range, Docker label, TLS certificate selector (including SPKI pinning), or Unix peer credential.

Signed Policy Bundles

Sockguard verifies policy files with cosign keyed or keyless signatures and Rekor transparency log inclusion. An unsigned or tampered bundle is rejected before any request is evaluated.

Prometheus Metrics

Sockguard exports socket-proxy request metrics, deny counts, and latency histograms that plug directly into your existing Grafana dashboards. Tecnativa has no built-in metrics.

Rollout Modes

Shadow mode lets you observe what a new rule would deny before it denies anything. Sockguard's per-profile rollout modes (enforce / warn / audit) mean you can watch a policy's decisions in the audit log and metrics, then switch it to enforce once the denials are the ones you expect.

Rate Limits

Sockguard's per-profile token-bucket rate limiter and global priority gate protect the daemon from runaway callers. Tecnativa has no request-rate controls.

Coming from Tecnativa?

Map your existing ENV var allow-list to Sockguard YAML rules once, then layer on body inspection, per-client profiles, and signed bundles. Sockguard runs on the same socket mount — no other infrastructure changes required.

Quick start
$ docker run -d \
  --name sockguard \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  -v /var/run/sockguard:/var/run/sockguard \
  -e SOCKGUARD_LISTEN_SOCKET=/var/run/sockguard/sockguard.sock \
  codeswhat/sockguard

Ready to try Sockguard?

Default-deny, Apache-2.0, no SaaS required. Drop it in front of your socket in minutes.