Tecnativa vs Sockguard
Tecnativa's docker-socket-proxy is the community reference for ENV-var-based Docker socket filtering — simple, battle-tested, trusted by tens of thousands of deployments. Sockguard builds on that foundation with request body inspection, per-client policies, signed policy bundles, and Prometheus metrics — without any SaaS layer.
Feature Comparison
Here's how we compare on the features that matter most.
| Feature | Tecnativa | Sockguard |
|---|---|---|
| Method + path filtering | Yes | Yes |
| Config format | ENV vars (zero learning curve) | YAML config |
| Community size | Large, long-established | Growing |
| Production maturity | Years in production | Newer |
| Request body inspection | No | Yes (12+ resource types) |
| Per-client policies | No | CIDR + labels + cert selectors + unix peer |
| Prometheus metrics | No | Yes (socket-proxy request metrics) |
| Signed policy bundles | No | Yes (cosign keyed + keyless, Rekor) |
| Rollout modes (enforce / warn / audit) | No | Yes (per-profile shadow mode) |
| Rate limits | No | Yes (per-profile token-bucket) |
| YAML config + hot-reload | No | Yes (SIGHUP/fsnotify, validate endpoint) |
| Audit log schema | No | Yes (JSON schema + reason codes) |
Key Differentiators
What we built that Tecnativa doesn't cover.
Request Body Inspection
Tecnativa filters by method and path only. Sockguard goes into the request body — blocking containers by image, exec commands by pattern, bind mounts by path, and more across 12+ resource types.
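The difference between the two stages, as an added example in Go that is not Sockguard's code and does not use its YAML rule format: a method-and-path stage in the shape of an ENV-var allow-list, followed by body inspection of the container-create and exec endpoints. The policy values, the registry name, the bind-mount directory and the sample requests are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Request is what a socket proxy sees for one Docker Engine API call.
type Request struct {
	Method, Path string
	Body         []byte
}

// Policy holds both stages: the method + path allow-list and the body rules.
type Policy struct {
	Paths      []string         // enabled endpoint families, e.g. "/containers"
	AllowWrite bool             // false: only GET and HEAD pass the path stage
	Images     []string         // image references must sit under one of these
	BindRoots  []string         // absolute bind sources must sit under one of these
	NoPriv     bool             // deny HostConfig.Privileged
	ExecDeny   []*regexp.Regexp // matched against the joined exec Cmd
}

var (
	apiVersion = regexp.MustCompile(`^/v[0-9]+\.[0-9]+`)
	createPath = regexp.MustCompile(`^/containers/create$`)
	execPath   = regexp.MustCompile(`^/containers/[^/]+/exec$`)
)

// normalize drops the query string and the /v1.xx prefix the Docker CLI adds.
func normalize(p string) string {
	return apiVersion.ReplaceAllString(strings.SplitN(p, "?", 2)[0], "")
}

// under reports whether p equals one of roots or lies beneath it with a "/"
// separator: "/srv/app-data2" is not under "/srv/app-data", and
// "registry.example.com.evil.io/app" is not under "registry.example.com".
func under(p string, roots []string) bool {
	for _, r := range roots {
		if p == r || strings.HasPrefix(p, strings.TrimSuffix(r, "/")+"/") {
			return true
		}
	}
	return false
}

// Evaluate runs the path stage, then body inspection, and returns the stage
// that denied the call plus the reason; an empty stage means allowed.
func (p Policy) Evaluate(r Request) (stage, reason string) {
	if !p.AllowWrite && r.Method != "GET" && r.Method != "HEAD" {
		return "path", "write methods disabled"
	}
	np := normalize(r.Path)
	if !under(np, p.Paths) {
		return "path", "path not enabled: " + np
	}
	// A path-only filter stops here; both a benign create and a host-escape
	// create have now passed. The body stage is what tells them apart.
	switch {
	case r.Method == "POST" && createPath.MatchString(np):
		var c struct{ Image string; HostConfig struct{ Binds []string; Privileged bool } } // only the fields we inspect
		if err := json.Unmarshal(r.Body, &c); err != nil {
			return "body", "unparseable create body"
		}
		if p.NoPriv && c.HostConfig.Privileged {
			return "body", "privileged container"
		}
		// Plain match on the reference; a real proxy canonicalizes it first ("alpine" is docker.io/library/alpine:latest).
		if !under(c.Image, p.Images) {
			return "body", "image not in allow-list: " + c.Image
		}
		for _, bind := range c.HostConfig.Binds {
			src := strings.SplitN(bind, ":", 2)[0]
			if !strings.HasPrefix(src, "/") {
				continue // named volume, not a host path
			}
			// path.Clean turns "/srv/app-data/../../" into "/" so traversal
			// cannot slip a forbidden source past the root check.
			if !under(path.Clean(src), p.BindRoots) {
				return "body", "bind source outside allow-list: " + bind
			}
		}
	case r.Method == "POST" && execPath.MatchString(np):
		var e struct{ Cmd []string }
		if err := json.Unmarshal(r.Body, &e); err != nil {
			return "body", "unparseable exec body"
		}
		for _, re := range p.ExecDeny {
			if cmd := strings.Join(e.Cmd, " "); re.MatchString(cmd) {
				return "body", "exec command matches " + re.String()
			}
		}
	}
	return "", ""
}

// Sample is a policy constructed for this example (registry and directory are made up).
var Sample = Policy{
	Paths: []string{"/containers"}, AllowWrite: true, NoPriv: true,
	Images: []string{"registry.example.com"}, BindRoots: []string{"/srv/app-data"},
	ExecDeny: []*regexp.Regexp{regexp.MustCompile(`\b(nsenter|chroot|mount)\b`)},
}

func main() {
	escape := `{"Image":"registry.example.com/app:1.2","HostConfig":{"Binds":["/srv/app-data/../../:/host"]}}`
	fmt.Println(Sample.Evaluate(Request{"POST", "/v1.43/containers/create", []byte(escape)}))
}
```

The `under` helper does double duty: the same separator-aware prefix test keeps `/srv/app-data2` out of a `/srv/app-data` allow-list and keeps a lookalike registry out of an image allow-list. Bind sources are cleaned before the check because `..` segments are the usual way to turn an allowed directory into the host root.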
Per-Client Policies
Every client sees the same rules with Tecnativa. Sockguard lets you assign different policies per CIDR range, Docker label, TLS certificate selector (including SPKI pinning), or Unix peer credential.
Signed Policy Bundles
Sockguard verifies policy files with cosign keyed or keyless signatures and Rekor transparency log inclusion. An unsigned or tampered bundle is rejected before any request is evaluated.
Prometheus Metrics
Sockguard exports socket-proxy request metrics, deny counts, and latency histograms that plug directly into your existing Grafana dashboards. Tecnativa has no built-in metrics.
Rollout Modes
Sockguard's per-profile rollout modes (enforce / warn / audit) let you run a new policy in shadow mode first: in warn or audit mode a rule that would deny is recorded rather than enforced, so you can check the audit log for unexpected denials before switching the profile to enforce.
Rate Limits
Sockguard's per-profile token-bucket rate limiter and global priority gate protect the daemon from runaway callers. Tecnativa has no request-rate controls.
Coming from Tecnativa?
Map your existing ENV var allow-list to Sockguard YAML rules once, then layer on body inspection, per-client profiles, and signed bundles. Sockguard mounts the same daemon socket, so no other infrastructure changes are required; clients that used to talk to the Tecnativa proxy are pointed at the Sockguard listen socket instead. Keep the real /var/run/docker.sock mounted only into the proxy container: a client that can reach the daemon socket directly bypasses every rule, and a read-only bind mount does not change that, since socket I/O is not a filesystem write.
$ docker run -d \
--name sockguard \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-v /var/run/sockguard:/var/run/sockguard \
-e SOCKGUARD_LISTEN_SOCKET=/var/run/sockguard/sockguard.sock \
codeswhat/sockguard
Ready to try Sockguard?
Default-deny, Apache-2.0, no SaaS required. Drop it in front of your socket in minutes.