wollomatic vs Sockguard
wollomatic's socket-proxy ships regex path rules, bind-mount restrictions, and an upstream watchdog — genuinely useful additions over the ENV-var baseline. Sockguard builds on the same ideas and goes further: full request body inspection across 12+ resource types, per-client certificate selectors, signed policy bundles, and Prometheus metrics.
Feature Comparison
Here's how we compare on the features that matter most.
| Feature | wollomatic | Sockguard |
|---|---|---|
| Method + path filtering | Yes (regex) | Yes |
| Upstream watchdog | Yes | Yes (+ /health endpoint + metrics) |
| Structured logging | Yes (JSON option) | Yes (request + W3C trace correlation) |
| Bind-mount restriction | Yes (body inspection) | No separate feature — covered by body inspection |
| Config simplicity | ENV vars, no file needed | YAML config required |
| Request body inspection (full) | Partial (bind mounts only) | Yes (12+ resource types) |
| Per-client policies | Partial (IP/hostname + labels) | Full (CIDR + labels + cert selectors + SPKI + unix peer) |
| Signed policy bundles | No | Yes (cosign keyed + keyless, Rekor) |
| Container image trust | No | Yes (cosign + enforce / warn modes) |
| Prometheus metrics | No | Yes (socket-proxy request metrics) |
| Rollout modes (enforce / warn / audit) | No | Yes (per-profile shadow mode) |
| Rate limits | No | Yes (per-profile token-bucket) |
| Audit log schema | No | Yes (JSON schema + reason codes) |
Key Differentiators
What we built that wollomatic doesn't cover.
Full Request Body Inspection
wollomatic can restrict bind mounts in request bodies. Sockguard goes further — inspecting container create, exec, image pull, volume, network, secret, config, service, swarm, node, and plugin requests for fine-grained control.
Full Per-Client Policies
wollomatic supports IP/hostname and label-based client matching. Sockguard adds TLS certificate selectors (including SPKI pinning), unix peer credentials, and CIDR ranges — each profile carrying its own independent ruleset.
Signed Policy Bundles
Sockguard verifies policy files with cosign keyed or keyless signatures and Rekor inclusion. wollomatic has no policy signing — anyone who can write the config file can change the rules.
Container Image Trust
Sockguard enforces image signatures at run time — blocking exec or create calls for images that aren't signed or don't match a trusted digest. wollomatic has no image-trust layer.
Prometheus Metrics
Sockguard exports socket-proxy request metrics, deny counts, and latency histograms. wollomatic has JSON logs but no metrics endpoint.
Rollout Modes
Sockguard's per-profile rollout modes (enforce / warn / audit) let you shadow-test strict rules before they block anything. wollomatic is enforce-only.
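To make the two ideas above concrete, here is a small added example of a request inspector that looks inside the JSON body of a Docker API call (not only at its method and path) and applies a rollout mode to the result. It is illustration written for this page, not Sockguard's or wollomatic's own code; the rule set (bind-mount allowlist, privileged flags, host PID namespace) and the exact meaning of `enforce` / `warn` / `audit` are assumptions chosen for the demo, and the request bodies at the bottom are constructed samples.

```python
"""Added example: body inspection of Docker API requests with a rollout mode.

Not Sockguard's implementation. Rules and mode semantics are assumptions
for the demo; sample requests are constructed.
"""
import json
import re
from dataclasses import dataclass, field

# Host paths a container is allowed to bind-mount (constructed allowlist).
ALLOWED_BIND_PREFIXES = ("/srv/app/",)

# Regex path rules for the endpoints whose bodies we inspect. The Docker
# API prefixes paths with an optional version segment such as /v1.45.
CONTAINER_CREATE = re.compile(r"^/(v[0-9.]+/)?containers/create$")
CONTAINER_EXEC = re.compile(r"^/(v[0-9.]+/)?containers/[^/]+/exec$")


@dataclass
class Verdict:
    allowed: bool
    mode: str
    reasons: list = field(default_factory=list)  # reason codes for the audit log


def _body_violations(path: str, body: dict) -> list:
    """Return reason codes found in a create/exec body; an empty list means clean."""
    reasons = []
    if CONTAINER_CREATE.match(path):
        host = body.get("HostConfig") or {}
        if host.get("Privileged"):
            reasons.append("privileged_container")
        for bind in host.get("Binds") or []:
            src = bind.split(":", 1)[0]
            if not src.startswith("/"):
                continue  # named volume, not a host path
            if not src.startswith(ALLOWED_BIND_PREFIXES):
                reasons.append(f"bind_outside_allowlist:{src}")
        # Mounts[] is the newer spelling of the same thing; check it as well.
        for m in host.get("Mounts") or []:
            src = str(m.get("Source", ""))
            if m.get("Type") == "bind" and not src.startswith(ALLOWED_BIND_PREFIXES):
                reasons.append(f"bind_outside_allowlist:{src}")
        if host.get("PidMode") == "host":
            reasons.append("host_pid_namespace")
    elif CONTAINER_EXEC.match(path):
        if body.get("Privileged"):
            reasons.append("privileged_exec")
    return reasons


def evaluate(method: str, path: str, raw_body: bytes, mode: str = "enforce") -> Verdict:
    """Decide whether a request passes. Only POST bodies carry creation parameters.

    Assumed mode semantics: enforce denies on any violation; warn and audit let
    the request through but still record what enforce would have denied, so a
    strict rule set can be shadow-tested before it blocks anything.
    """
    if method != "POST":
        return Verdict(True, mode)
    try:
        body = json.loads(raw_body or b"{}")
    except json.JSONDecodeError:
        # A body we cannot parse cannot be inspected: deny in enforce mode.
        return Verdict(mode != "enforce", mode, ["unparseable_body"])
    reasons = _body_violations(path, body if isinstance(body, dict) else {})
    if not reasons:
        return Verdict(True, mode)
    if mode == "enforce":
        return Verdict(False, mode, reasons)
    return Verdict(True, mode, reasons)


# Constructed sample requests: a create that mounts the host Docker socket,
# and an exec that asks for a privileged process.
SAMPLE_CREATE = json.dumps({
    "Image": "nginx:1.27",
    "HostConfig": {
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/srv/app/data:/data"],
        "Privileged": False,
    },
}).encode()
SAMPLE_EXEC = json.dumps({"Cmd": ["sh"], "Privileged": True}).encode()

if __name__ == "__main__":
    for mode in ("enforce", "warn", "audit"):
        v = evaluate("POST", "/v1.45/containers/create", SAMPLE_CREATE, mode)
        print(f"{mode:8} create: {'ALLOW' if v.allowed else 'DENY'} {v.reasons}")
    v = evaluate("POST", "/v1.45/containers/abc123/exec", SAMPLE_EXEC)
    print(f"enforce  exec:   {'ALLOW' if v.allowed else 'DENY'} {v.reasons}")
```

The point the table makes is visible in the output: a method-and-path rule alone would accept `POST /containers/create` from a client that is allowed to create containers, while the body check is what notices the socket bind mount. Running the same rule in `warn` mode gives the same reason codes without the denial, which is the data you want before switching a profile to `enforce`.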
Coming from wollomatic?
Your regex path rules translate directly to Sockguard YAML rule blocks. Body inspection rules replace the bind-mount filter with full coverage. The upstream watchdog is built in — and you get a /health endpoint and Prometheus metrics on top.
```shell
$ docker run -d \
    --name sockguard \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    -v /var/run/sockguard:/var/run/sockguard \
    -e SOCKGUARD_LISTEN_SOCKET=/var/run/sockguard/sockguard.sock \
    codeswhat/sockguard
```
Ready to try Sockguard?
Default-deny, Apache-2.0, no SaaS required. Drop it in front of your socket in minutes.