Sockguard

Getting Started

Install sockguard with Docker Compose, Docker Run, or a release binary, and point your apps at the proxy socket.

Installation

Docker Compose

services:
  sockguard:
    image: codeswhat/sockguard:latest
    restart: unless-stopped
    read_only: true
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./sockguard.yaml:/etc/sockguard/sockguard.yaml:ro
      - sockguard-socket:/var/run/sockguard
    environment:
      - SOCKGUARD_LISTEN_SOCKET=/var/run/sockguard/sockguard.sock

volumes:
  sockguard-socket:

Docker Run

docker run -d \
  --name sockguard \
  --read-only \
  --cap-drop=ALL \
  --security-opt no-new-privileges:true \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  -v ./sockguard.yaml:/etc/sockguard/sockguard.yaml:ro \
  -v sockguard-socket:/var/run/sockguard \
  -e SOCKGUARD_LISTEN_SOCKET=/var/run/sockguard/sockguard.sock \
  codeswhat/sockguard:latest

Sockguard runs as root inside the container by default so it can open /var/run/docker.sock on stock Docker hosts without user or group_add overrides. The hardening knobs that matter in practice are --read-only, --cap-drop=ALL, --security-opt no-new-privileges:true, and your runtime's seccomp/AppArmor/SELinux defaults.

Binary

Download the binary from GitHub Releases, then start the proxy with your config:

sockguard serve -c /etc/sockguard/sockguard.yaml

This guide uses a unix socket because it is the simplest secure deployment. If you expose Sockguard on non-loopback TCP, configure listen.tls for mutual TLS. Plaintext remote TCP requires the explicit legacy opt-in SOCKGUARD_LISTEN_INSECURE_ALLOW_PLAIN_TCP=true.

Connecting Your Apps

Point your Docker consumers at the proxy socket instead of docker.sock:

services:
  traefik:
    volumes:
      - sockguard-socket:/var/run/sockguard:ro
    environment:
      - DOCKER_HOST=unix:///var/run/sockguard/sockguard.sock

  drydock:
    volumes:
      - sockguard-socket:/var/run/sockguard:ro
    environment:
      - DD_WATCHER_LOCAL_SOCKET=/var/run/sockguard/sockguard.sock
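A quick way to confirm that nothing in a stack still bind-mounts the raw socket, as an added example that is not part of the Sockguard project: the script below scans a compose file and reports any service other than sockguard that mounts /var/run/docker.sock, and flags sockguard itself if its mount is not read-only. Both compose files are constructed samples, and the audit only understands the two-space-indented layout shown on this page.

```shell
#!/bin/sh
# Constructed sample: traefik uses the proxy, legacy-agent bypasses it.
SAMPLE_COMPOSE="$(mktemp)"
cat > "$SAMPLE_COMPOSE" <<'EOF'
services:
  sockguard:
    image: codeswhat/sockguard:latest
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - sockguard-socket:/var/run/sockguard
  traefik:
    volumes:
      - sockguard-socket:/var/run/sockguard:ro
    environment:
      - DOCKER_HOST=unix:///var/run/sockguard/sockguard.sock
  legacy-agent:
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
EOF

# Constructed sample: the compliant layout from this page.
CLEAN_COMPOSE="$(mktemp)"
cat > "$CLEAN_COMPOSE" <<'EOF'
services:
  sockguard:
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
  traefik:
    volumes:
      - sockguard-socket:/var/run/sockguard:ro
EOF

# Print "service<TAB>mode" for every service that bind-mounts the host docker.sock.
raw_socket_mounts() {
  awk '
    /^services:/ { in_services = 1; next }
    /^[^ ]/      { in_services = 0 }
    in_services && /^  [A-Za-z0-9_.-]+:[[:space:]]*$/ { svc = $1; sub(/:$/, "", svc); next }
    in_services && /^[[:space:]]*-[[:space:]]*\/var\/run\/docker\.sock:/ {
      mode = "rw"; if ($0 ~ /:ro[[:space:]]*$/) mode = "ro"
      print svc "\t" mode
    }' "$1"
}

# Exit 0 only when sockguard is the sole docker.sock consumer and mounts it read-only.
audit_compose() {
  raw_socket_mounts "$1" | awk -F '\t' '
    $1 != "sockguard" { bad++; print "bypasses proxy: " $1 " (" $2 ")" }
    $1 == "sockguard" && $2 != "ro" { bad++; print "sockguard mounts docker.sock rw" }
    END { exit (bad > 0) }'
}
```

Run `audit_compose docker-compose.yml` from the stack directory; a non-zero exit means some consumer still talks to the raw socket.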

CLI Commands

# Start the proxy (default command)
sockguard serve

# Validate configuration and print the compiled rule table
sockguard validate -c /etc/sockguard/sockguard.yaml

# Offline dry-run: evaluate a single request against the rules,
# show which rule fires and why, without starting the proxy.
sockguard match -c /etc/sockguard/sockguard.yaml \
  -X GET --path /v1.45/containers/json

# Print version
sockguard version

sockguard match reads the same config, applies the same path normalization as the running proxy, and reports the decision in text (default) or JSON (-o json). Use it to sanity-check a ruleset before any traffic hits the proxy.

Next Steps

  • Configuration — YAML config and environment variables
  • Presets — Ready-made configs for drydock, Traefik, and more
  • Migration — Migrate from Tecnativa or LinuxServer
