wollomatic vs Sockguard

wollomatic's socket-proxy ships regex path rules, bind-mount restrictions, and an upstream watchdog — genuinely useful additions over the ENV-var baseline. Sockguard builds on the same ideas and goes further: full request body inspection across 12+ resource types, per-client certificate selectors, signed policy bundles, and Prometheus metrics.

Project status: wollomatic: Active | Sockguard: Active

Feature Comparison

Here's how we compare on the features that matter most.

Feature | wollomatic | Sockguard
Method + path filtering | Yes (regex) | Yes
Upstream watchdog | Yes | Yes (+ /health endpoint + metrics)
Structured logging | Yes (JSON option) | Yes (request + W3C trace correlation)
Bind-mount restriction | Yes (body inspection) | No separate feature — covered by body inspection
Config simplicity | ENV vars, no file needed | YAML config required
Request body inspection (full) | Partial (bind mounts only) | Yes (12+ resource types)
Per-client policies | Partial (IP/hostname + labels) | Full (CIDR + labels + cert selectors + SPKI + unix peer)
Signed policy bundles | No | Yes (cosign keyed + keyless, Rekor)
Container image trust | No | Yes (cosign + enforce / warn modes)
Prometheus metrics | No | Yes (socket-proxy request metrics)
Rollout modes (enforce / warn / audit) | No | Yes (per-profile shadow mode)
Rate limits | No | Yes (per-profile token-bucket)
Audit log schema | No | Yes (JSON schema + reason codes)

Key Differentiators

What we built that wollomatic doesn't cover.

Full Request Body Inspection

wollomatic can restrict bind mounts in request bodies. Sockguard goes further — inspecting container create, exec, image pull, volume, network, secret, config, service, swarm, node, and plugin requests for fine-grained control.
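To make concrete what body inspection adds over a path rule, here is an added illustration in Go (not Sockguard's or wollomatic's code): a container create request that a plain method+path rule would pass is parsed, and denied when it asks for privileged mode or a bind mount sourced from a sensitive host path. The allow-list regex, the denied host paths and the reason strings are constructed for this example; only the JSON field names come from the Docker Engine API.

```go
package main

import (
	"encoding/json"
	"regexp"
	"strings"
)

// createBody is the subset of a Docker Engine API POST /containers/create body read here.
type createBody struct {
	HostConfig struct {
		Binds      []string `json:"Binds"`
		Privileged bool     `json:"Privileged"`
	} `json:"HostConfig"`
}

// Constructed rules: a path allow-list (what a regex path rule expresses) and denied bind sources.
var (
	allowedPath = regexp.MustCompile(`^(/v[0-9.]+)?/(containers|images)/`)
	deniedBinds = []string{"/var/run/docker.sock", "/etc", "/proc"}
)

// Inspect applies the method+path rule first, then, for container create requests only,
// parses the JSON body and denies privileged mode or a bind whose host source is (or lies
// under) a denied path. Unparseable bodies fail closed; the reason strings are made up here.
func Inspect(method, path string, body []byte) (allow bool, reason string) {
	if !allowedPath.MatchString(path) {
		return false, "path_not_allowed"
	}
	if method != "POST" || !strings.HasSuffix(path, "/containers/create") {
		return true, "path_rule" // path filtering alone decides for every other request
	}
	var req createBody
	if err := json.Unmarshal(body, &req); err != nil {
		return false, "body_unparseable"
	}
	if req.HostConfig.Privileged {
		return false, "privileged"
	}
	for _, bind := range req.HostConfig.Binds {
		src := strings.SplitN(bind, ":", 2)[0] // host side of "src:dst[:opts]"
		for _, root := range deniedBinds {
			if src == root || strings.HasPrefix(src, root+"/") {
				return false, "bind_denied:" + src
			}
		}
	}
	return true, "body_ok"
}
```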

Full Per-Client Policies

wollomatic supports IP/hostname and label-based client matching. Sockguard adds TLS certificate selectors (including SPKI pinning), unix peer credentials, and CIDR ranges — each profile carrying its own independent ruleset.

Signed Policy Bundles

Sockguard verifies policy files with cosign keyed or keyless signatures and Rekor inclusion. wollomatic has no policy signing — anyone who can write the config file can change the rules.

Container Image Trust

Sockguard enforces image signatures at run time — blocking exec or create calls for images that aren't signed or don't match a trusted digest. wollomatic has no image-trust layer.

Prometheus Metrics

Sockguard exports socket-proxy request metrics, deny counts, and latency histograms. wollomatic has JSON logs but no metrics endpoint.

Rollout Modes

Sockguard's per-profile rollout modes (enforce / warn / audit) let you shadow-test strict rules before they block anything. wollomatic is enforce-only.

Coming from wollomatic?

Your regex path rules translate directly to Sockguard YAML rule blocks. Body inspection rules replace the bind-mount filter with full coverage. The upstream watchdog is built in — and you get a /health endpoint and Prometheus metrics on top.

Quick start
$ docker run -d \
  --name sockguard \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  -v /var/run/sockguard:/var/run/sockguard \
  -e SOCKGUARD_LISTEN_SOCKET=/var/run/sockguard/sockguard.sock \
  codeswhat/sockguard

Ready to try Sockguard?

Default-deny, Apache-2.0, no SaaS required. Drop it in front of your socket in minutes.