LinuxServer vs Sockguard
LinuxServer's docker-socket-proxy brings the LSIO ecosystem and community maintenance to Tecnativa's proven ENV-var approach. Sockguard matches the drop-in simplicity and adds request body inspection, per-client policies, signed policy bundles, and Prometheus metrics — all in a lean Go binary with no s6-overlay required.
Feature Comparison
Here's how we compare on the features that matter most.
| Feature | LinuxServer | Sockguard |
|---|---|---|
| Method + path filtering | Yes | Yes |
| Config format | ENV vars (Tecnativa-compatible) | YAML config |
| LSIO ecosystem | Full s6-overlay + LSIO packaging | Standard Docker image |
| Community backing | LinuxServer.io (100k+ users) | CodesWhat |
| Request body inspection | No | Yes (12+ resource types) |
| Per-client policies | No | CIDR + labels + cert selectors + unix peer |
| Prometheus metrics | No | Yes (socket-proxy request metrics) |
| Signed policy bundles | No | Yes (cosign keyed + keyless, Rekor) |
| Rollout modes (enforce / warn / audit) | No | Yes (per-profile shadow mode) |
| Rate limits | No | Yes (per-profile token-bucket) |
| Hot-reload | No | Yes (SIGHUP/fsnotify, validate endpoint) |
| Audit log schema | No | Yes (JSON schema + reason codes) |
Key Differentiators
What we built that LinuxServer doesn't cover.
Request Body Inspection
LinuxServer filters by method and path only. Sockguard inspects request bodies — blocking containers by image, exec commands by pattern, bind mounts by path, and more across 12+ resource types.
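To show what body inspection catches that method-and-path filtering lets through, here is an added Go example (not Sockguard's code and not its YAML policy format): it decodes a POST /containers/create body and denies privileged containers, images outside an allow-list, and bind mounts whose cleaned source path falls under a denied prefix. The Policy struct, the reason codes and the request bodies used with it are assumptions constructed for this illustration.

```go
package main

import (
	"encoding/json"
	"path"
	"strings"
)

// CreateRequest is the subset of the Engine API POST /containers/create body we inspect.
type CreateRequest struct {
	Image      string `json:"Image"`
	HostConfig struct {
		Binds      []string `json:"Binds"`
		Privileged bool     `json:"Privileged"`
	} `json:"HostConfig"`
}

// Policy is a hypothetical allow-list for this example, not Sockguard's YAML schema.
type Policy struct {
	AllowedImagePrefixes []string // registries or namespaces a caller may run
	DeniedBindPrefixes   []string // host paths that must never be bind-mounted
}

// Inspect returns (allowed, reasonCode); an unparseable body is denied, so default-deny covers bodies too.
func Inspect(body []byte, p Policy) (bool, string) {
	var req CreateRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return false, "body.unparseable"
	}
	if req.HostConfig.Privileged {
		return false, "hostconfig.privileged"
	}
	imageOK := false
	for _, pre := range p.AllowedImagePrefixes {
		imageOK = imageOK || strings.HasPrefix(req.Image, pre)
	}
	if !imageOK {
		return false, "image.not_allowed"
	}
	for _, bind := range req.HostConfig.Binds {
		// Binds are "source:target[:opts]"; clean the source so "/var/run/../run/docker.sock" cannot bypass the prefix match.
		// Named volumes have no leading slash and therefore never match a host-path prefix.
		src := path.Clean(strings.SplitN(bind, ":", 2)[0])
		for _, pre := range p.DeniedBindPrefixes {
			if src == pre || strings.HasPrefix(src, pre+"/") {
				return false, "bind.denied_path"
			}
		}
	}
	return true, "ok"
}
```

A method-and-path proxy sees every one of these requests as the same allowed "POST /containers/create"; only the body distinguishes a routine deployment from a privileged container that mounts the socket.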
Per-Client Policies
LinuxServer applies the same ENV-var rules to every caller. Sockguard assigns different policies per CIDR range, Docker label, TLS certificate selector, or Unix peer — so CI, monitoring, and admin clients can each have a tighter scope.
Signed Policy Bundles
Sockguard verifies policy files with cosign keyed or keyless signatures and Rekor transparency log inclusion. An unsigned or tampered bundle is rejected before any request reaches the daemon.
Prometheus Metrics
Sockguard exports socket-proxy request metrics, deny counts, and latency histograms. LinuxServer has no built-in observability beyond container logs.
Rollout Modes
Sockguard's per-profile rollout modes (enforce / warn / audit) let you shadow-test a new policy before it blocks anything. Roll out strict rules without a maintenance window.
Read-Side Redaction
Sockguard can redact sensitive fields from GET responses — labels, environment variables, mount paths — so callers only see what their policy allows. LinuxServer has no response filtering.
Coming from LinuxServer?
Translate your ENV var allow-list to Sockguard YAML rules once. Sockguard mounts the same socket, speaks the same Docker API, and drops into your compose stack as a one-line service swap — then you can enable body inspection and per-client profiles at your own pace.
$ docker run -d \
    --name sockguard \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    -v /var/run/sockguard:/var/run/sockguard \
    -e SOCKGUARD_LISTEN_SOCKET=/var/run/sockguard/sockguard.sock \
    codeswhat/sockguard
Ready to try Sockguard?
Default-deny, Apache-2.0, no SaaS required. Drop it in front of your socket in minutes.