CetusGuard vs Sockguard
CetusGuard pioneered regex-based Docker socket filtering with two-way mTLS — a genuinely stronger security baseline than ENV-var proxies. Sockguard matches the mTLS listener and adds request body inspection, per-client certificate selectors, signed policy bundles, and Prometheus metrics. Remote daemon TLS is on the v1.4 roadmap — CetusGuard ships it today.
Feature Comparison
Here's how we compare on the features that matter most.
| Feature | CetusGuard | Sockguard |
|---|---|---|
| Method + regex path filtering | Yes | Yes |
| Remote TCP mTLS listener | Yes | Yes (TLS 1.3) |
| Remote daemon upstream (TLS) | Yes (in production) | Planned (v1.4) |
| Config simplicity | Compact rule files | Full YAML config |
| Request body inspection | No | Yes (12+ resource types) |
| Per-client policies | No | CIDR + labels + cert selectors + SPKI + unix peer |
| Read-side redaction | No | Yes (visibility rules + JSON field redaction) |
| Signed policy bundles | No | Yes (cosign keyed + keyless, Rekor) |
| Container image trust | No | Yes (cosign + enforce / warn modes) |
| Prometheus metrics | No | Yes (socket-proxy request metrics) |
| Rate limits | No | Yes (per-profile token-bucket) |
| Rollout modes (enforce / warn / audit) | No | Yes (per-profile shadow mode) |
| Audit log schema | No | Yes (JSON schema + reason codes) |
Key Differentiators
What we built that CetusGuard doesn't cover.
Request Body Inspection
CetusGuard filters by method and path only. Sockguard inspects request bodies — blocking containers by image, exec commands by pattern, bind mounts by path, and more across 12+ resource types.
Per-Client Policies
CetusGuard applies the same regex rules to every caller. Sockguard assigns different policies per CIDR range, Docker label, TLS certificate selector (including SPKI pinning), or Unix peer credential.
Signed Policy Bundles
Sockguard verifies policy files with cosign keyed or keyless signatures and Rekor transparency log inclusion. An unsigned or tampered bundle is rejected before any request is evaluated.
Container Image Trust
Sockguard enforces image signatures at run time — blocking create or exec calls for images that aren't signed or don't match a trusted digest. CetusGuard has no image-trust layer.
Prometheus Metrics
Sockguard exports socket-proxy request metrics, deny counts, and latency histograms. CetusGuard has no built-in metrics endpoint.
Rollout Modes
Sockguard's per-profile rollout modes (enforce / warn / audit) let you shadow-test strict rules before they block anything. CetusGuard is enforce-only.
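Body inspection, per-client profiles and rollout modes are easiest to understand as one evaluation pipeline. The block below is an added example written for this page, not Sockguard's code and not its YAML schema: it selects a profile per client (by CIDR or by a pinned client-certificate SPKI hash), filters on method and path, inspects the JSON body of `POST /containers/create`, and applies an enforce/warn/audit mode before returning the effective decision. The policy layout, reason codes, the meaning of the three modes, the `registry.example.com` image prefix, the `/srv/ci/` bind prefix and the SPKI bytes are all assumptions of the example.

```python
# Added example, not Sockguard's code: per-client profile selection (CIDR or pinned
# client-cert SPKI), method + path filtering, JSON body inspection of
# POST /containers/create, and enforce/warn/audit rollout modes. Policy layout,
# reason codes and mode semantics are this example's assumptions, not Sockguard's.
import base64, hashlib, ipaddress, json, os, re
from dataclasses import dataclass
from typing import Optional

MONITORING_SPKI_DER = b"0Y0\x13constructed-spki-der-stand-in"  # constructed, not a real key

def spki_pin(spki_der: bytes) -> str:  # HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

# Hypothetical policy. The more specific selector (SPKI pin) is listed before the
# broader one (CIDR) because select_profile() takes the first match.
PROFILES = {
    "monitoring": {  # read-only agent identified by its client cert; warn mode while rolling out
        "match": {"spki_sha256": spki_pin(MONITORING_SPKI_DER)},
        "mode": "warn",
        "rules": [{"method": "GET", "path": r"^(/v[\d.]+)?/(containers/json|info|version)$"}],
    },
    "ci-runner": {  # build subnet may create containers, but only within these limits
        "match": {"cidr": "10.20.0.0/16"},
        "mode": "enforce",
        "rules": [
            {"method": "GET", "path": r"^(/v[\d.]+)?/containers/json$"},
            {"method": "POST", "path": r"^(/v[\d.]+)?/containers/create$",
             "body": {"image": r"^registry\.example\.com/ci/[^:@]+(:[\w.-]+|@sha256:[0-9a-f]{64})$",
                      "bind_prefix": "/srv/ci/"}},  # tag or digest required; binds confined
        ],
    },
}
AUDIT_LOG: list = []  # JSON records; a real proxy would write these to stdout or a file

@dataclass
class Client:
    ip: str
    spki_der: Optional[bytes] = None  # SPKI of the presented client certificate, if any

@dataclass
class Decision:
    profile: Optional[str]
    verdict: str    # what the policy says: "allow" | "deny"
    effective: str  # what the proxy does once the profile's rollout mode is applied
    reason: str

def select_profile(client: Client) -> Optional[str]:
    for name, prof in PROFILES.items():
        sel = prof["match"]
        if "spki_sha256" in sel and client.spki_der and spki_pin(client.spki_der) == sel["spki_sha256"]:
            return name
        if "cidr" in sel and ipaddress.ip_address(client.ip) in ipaddress.ip_network(sel["cidr"]):
            return name
    return None  # no profile: default deny, whatever the modes say

def inspect_create_body(raw: bytes, c: dict) -> Optional[str]:
    """Reason code if the container-create body violates the constraints, else None."""
    try:
        body = json.loads(raw or b"{}")
    except ValueError:
        return "BODY_NOT_JSON"
    if not isinstance(body, dict): return "BODY_NOT_OBJECT"
    if not re.search(c["image"], str(body.get("Image", ""))):
        return "IMAGE_NOT_ALLOWED"
    host = body.get("HostConfig") or {}
    if host.get("Privileged"): return "PRIVILEGED"
    # Bind mounts arrive as Binds ["host:ctr[:opts]"] and/or Mounts [{"Type":"bind","Source":...}]
    sources = [b.split(":", 1)[0] for b in host.get("Binds") or []]
    sources += [m.get("Source", "") for m in host.get("Mounts") or [] if m.get("Type") == "bind"]
    for src in sources:
        # normpath defeats "/srv/ci/../../etc"; named volumes (no leading "/") are denied too
        if not os.path.normpath(src).startswith(c["bind_prefix"]):
            return "BIND_OUTSIDE_ALLOWED_PREFIX"
    return None

def evaluate(client: Client, method: str, path: str, body: bytes = b"") -> Decision:
    name = select_profile(client)
    if name is None:
        return Decision(None, "deny", "deny", "NO_PROFILE")
    prof, verdict, reason = PROFILES[name], "deny", "NO_MATCHING_RULE"
    for rule in prof["rules"]:
        if rule["method"] == method and re.search(rule["path"], path.split("?", 1)[0]):
            bad = inspect_create_body(body, rule["body"]) if "body" in rule else None
            verdict, reason = ("deny", bad) if bad else ("allow", "RULE_MATCH")
            break
    # Assumed mode semantics: enforce blocks; warn forwards denials but logs; audit logs everything
    mode = prof["mode"]
    effective = "deny" if verdict == "deny" and mode == "enforce" else "allow"
    if verdict == "deny" or mode == "audit":
        AUDIT_LOG.append(json.dumps({"profile": name, "mode": mode, "method": method,
                                     "path": path, "verdict": verdict, "reason": reason}))
    return Decision(name, verdict, effective, reason)

if __name__ == "__main__":
    ci = Client("10.20.3.7")
    body = b'{"Image":"registry.example.com/ci/build:1.2","HostConfig":{"Binds":["/:/host"]}}'
    print(evaluate(ci, "POST", "/v1.45/containers/create", body))  # path matches, body denies
    print(evaluate(Client("203.0.113.5"), "GET", "/v1.45/info"))   # no profile: default deny
```

The second request in the demo is the case a method-and-path filter cannot catch: the path `/containers/create` is allowed for the CI profile, but the body mounts the host root. Two details worth keeping in any real policy: bind sources are normalized before the prefix check so `/srv/ci/../../etc` is caught, and both `HostConfig.Binds` and `HostConfig.Mounts` are inspected, since the Engine API accepts host paths through either. A client with no matching profile is denied regardless of mode; warn mode only relaxes decisions for callers a profile already recognizes.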
Coming from CetusGuard?
Your regex path rules translate directly to Sockguard YAML rule blocks, and your mTLS certificates work unchanged. Sockguard exposes the same TCP listener: swap the image, then enable body inspection and per-client profiles at your own pace. The minimal command below serves Sockguard on a Unix socket (`/var/run/sockguard/sockguard.sock`) that clients use in place of the Docker socket. Note that `:ro` on the Docker socket mount only makes the mount point read-only; it does not limit what can be sent over the socket, so the restriction comes from Sockguard's policy, not from the mount flag.

```shell
$ docker run -d \
  --name sockguard \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  -v /var/run/sockguard:/var/run/sockguard \
  -e SOCKGUARD_LISTEN_SOCKET=/var/run/sockguard/sockguard.sock \
  codeswhat/sockguard
```

Ready to try Sockguard?
Default-deny, Apache-2.0, no SaaS required. Drop it in front of your socket in minutes.