v1.0.0
sockguard is a default-deny Docker socket proxy written in Go. It filters every request by HTTP method, path, and request body — so a compromised API consumer can't escalate through the socket.
🎉 sockguard v1.0.0 — first stable release
v1.0.0 ships the proxy contract that v1.0.0-rc.2 froze on 2026-05-16. Three small binary deltas land on top of the RC — a pinned Go toolchain, a sealed signature-verification edge case, and a sigstore bump. Everything else is non-binary hardening: new tests, CI workflows, policy presets, compose examples, and docs polish.
✨ Highlights
- 🏁 First stable release — the v1.x proxy contract is frozen.
- 🛡️ 12 bundled policy presets — 3 new: CIS Docker Benchmark, GitHub Actions runner, GitLab Runner.
- 🔐 Go toolchain pinned to 1.26.3 — clears 17 HIGH stdlib CVEs.
- 🧪 Phase A QA hardening — proxy-vs-daemon differential harness, real-dockerd integration tier, memory/goroutine soak tests, mTLS edge-case suite.
- 📦 3 ready-to-run Docker Compose stacks under `examples/compose/`.
🔒 Security
- Go toolchain pinned to `1.26.3` via the `toolchain` directive in `go.mod`; CI now reads `go-version-file`, so the toolchain is a single source of truth. Clears 17 HIGH stdlib CVEs that opened against rc.2's stdlib in the weekly Grype scan.
- `sigverify.VerifyKeyless` no longer skips its issuer / SAN re-check on a nil certificate. An absent cert is now treated as a verification failure whenever issuer or SAN expectations are configured: if the cert can't be inspected, the expectation can't be honored, so the only safe answer is to reject.
- `github.com/sigstore/sigstore` bumped `v1.10.5` → `v1.10.6`: cosmetic upstream OAuth success-page template fix; no behavior change in policy-bundle or image-trust.
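The nil-certificate rule above, as an added example that is not sockguard's code: a standalone Go check with the same shape (the `CheckIdentity` and `Expectations` names are hypothetical), which builds a self-signed test certificate carrying an email SAN and the Fulcio issuer extension, then shows that a missing cert is rejected the moment any issuer or SAN expectation is configured, while a present cert is checked attribute by attribute. The issuer OID it reads, the email-only SAN match and the fixture are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// fulcioIssuerOID is the Sigstore extension carrying the OIDC issuer as a raw
// string (1.3.6.1.4.1.57264.1.1). Assumption: only this form is read here.
var fulcioIssuerOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

var (
	ErrNoCertificate  = errors.New("sigverify: no certificate to inspect")
	ErrIssuerMismatch = errors.New("sigverify: OIDC issuer does not match expectation")
	ErrSANMismatch    = errors.New("sigverify: no SAN matches expected identity")
)

// Expectations is the identity policy configured for a keyless signature;
// an empty field means "no expectation for that attribute".
type Expectations struct {
	Issuer string
	SAN    string
}

// CheckIdentity re-checks issuer and SAN on cert. A nil cert is a hard failure
// whenever any expectation is set: an expectation that cannot be inspected
// cannot be honored, so the only safe answer is to reject.
func CheckIdentity(cert *x509.Certificate, want Expectations) error {
	if want.Issuer == "" && want.SAN == "" {
		return nil // nothing to re-check here; other verification steps still run
	}
	if cert == nil {
		return ErrNoCertificate
	}
	if want.Issuer != "" {
		if got, ok := issuerFromCert(cert); !ok || got != want.Issuer {
			return ErrIssuerMismatch
		}
	}
	if want.SAN != "" && !hasEmailSAN(cert, want.SAN) {
		return ErrSANMismatch
	}
	return nil
}

// issuerFromCert returns the issuer extension value, if the cert has one.
func issuerFromCert(cert *x509.Certificate) (string, bool) {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(fulcioIssuerOID) {
			return string(ext.Value), true
		}
	}
	return "", false
}

// hasEmailSAN matches only email SANs; URI SANs are out of scope for the demo.
func hasEmailSAN(cert *x509.Certificate, san string) bool {
	for _, e := range cert.EmailAddresses {
		if e == san {
			return true
		}
	}
	return false
}

// NewTestCert builds a self-signed leaf with an email SAN and the issuer
// extension. Constructed fixture for the demo, not a real Fulcio certificate.
func NewTestCert(email, issuer string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		NotBefore:       time.Now().Add(-time.Minute),
		NotAfter:        time.Now().Add(time.Hour),
		EmailAddresses:  []string{email},
		ExtraExtensions: []pkix.Extension{{Id: fulcioIssuerOID, Value: []byte(issuer)}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := NewTestCert("ci@example.com", "https://issuer.example")
	if err != nil {
		panic(err)
	}
	want := Expectations{Issuer: "https://issuer.example", SAN: "ci@example.com"}
	fmt.Println("present:", CheckIdentity(cert, want), "| absent:", CheckIdentity(nil, want))
}
```

The order of the checks is the point: the "no expectations" short-circuit comes before the nil test, so a policy that asks for nothing is not failed on a missing cert, but as soon as either field is set the nil cert is refused before any attribute is compared.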
🛡️ New presets & examples
| Preset | For |
|---|---|
| `cis-docker-benchmark.yaml` | Admission gate for the inspectable subset of CIS Docker Benchmark v1.6.0 Section 5. Non-compliant `docker run` is rejected with 403 before dockerd ever executes it. |
| `github-actions-runner.yaml` | Purpose-built for `actions/runner` self-hosted runners that spawn job + service containers. |
| `gitlab-runner.yaml` | Purpose-built for `gitlab-runner` with the Docker executor; rejects `Privileged=true` even if `config.toml` asks for it. |

Three matching compose stacks ship under `examples/compose/` (each with a `docker-compose.yml`, a `sockguard.yaml` overlay, and a security-tradeoff `README.md`). The total number of bundled presets is now 12.
🧪 Quality & testing
- Proxy-vs-daemon differential harness (`app/differential/`) — 40+ path-evasion cases, a CL/TE request-smuggling axis, a JSON-decoder differential axis, and a new `FuzzPathRoutingDifferential` target wired into per-PR / nightly / monthly tiers.
- End-to-end suite against a real `dockerd` (`app/integration/`) — drives sockguard as a process behind a live daemon and checks every shipped preset for allow/deny conformance, wired to a nightly CI job.
- Memory / goroutine-leak soak (`scripts/soak.sh`) plus a weekly 4 h CI run, with regression tests for the slowloris and concurrent-hijack leaks.
- mTLS / TLS edge-case suite — `internal/sigverify` coverage from 0 % to comprehensive; a weekly `testssl.sh` DAST probe of the TCP listener.
- Downstream image-signature verification — a `verify-published` CI job runs the exact `cosign verify` commands published in the docs against every pushed image tag, catching docs-vs-pipeline drift.
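What a preset such as `gitlab-runner.yaml` expresses (reject `Privileged=true` with 403 before dockerd sees it), together with two of the differential axes above (path evasion and JSON-decoder disagreement), as one added example: a standalone default-deny gate for `POST /containers/create`, written here for illustration and not sockguard's own code, presets or YAML. The `Decide`/`Gate` names, the 1 MiB body cap, the small allowlist and the sample bodies are assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"path"
	"regexp"
	"strings"
)

// maxBody bounds how much of a request body the gate buffers before deciding.
// Assumption: larger bodies are refused rather than forwarded uninspected.
const maxBody = 1 << 20

// apiVersion matches the optional Engine API version prefix (/v1.43/...).
var apiVersion = regexp.MustCompile(`^/v[0-9]+\.[0-9]+/`)

// createRequest is the subset of the POST /containers/create body this gate
// inspects. Field names follow the Docker Engine API; unknown fields are
// ignored, and Go's decoder matches names case-insensitively.
type createRequest struct {
	HostConfig struct {
		Privileged bool     `json:"Privileged"`
		CapAdd     []string `json:"CapAdd"`
	} `json:"HostConfig"`
}

// Decide returns the HTTP status the gate answers with and a reason; a status
// of 0 means "forward to dockerd". Everything not explicitly allowed is denied.
func Decide(method, urlPath string, body []byte) (int, string) {
	p := apiVersion.ReplaceAllString(urlPath, "/")
	// Route on the canonical path only: "/containers/../containers/create"
	// reaches the same handler in dockerd but dodges a naive prefix match.
	if p != path.Clean(p) {
		return http.StatusForbidden, "non-canonical path"
	}
	if method == http.MethodGet && (p == "/_ping" || p == "/version") {
		return 0, "read-only endpoint allowed"
	}
	if method != http.MethodPost || p != "/containers/create" {
		return http.StatusForbidden, "method/path not in allowlist"
	}
	dec := json.NewDecoder(bytes.NewReader(body))
	var req createRequest
	if err := dec.Decode(&req); err != nil {
		return http.StatusBadRequest, "malformed JSON body: " + err.Error()
	}
	// A second JSON document after the first is refused: a decoder that stops
	// at the first object and one that reads the last would disagree on it.
	if _, err := dec.Token(); err != io.EOF {
		return http.StatusBadRequest, "trailing data after JSON body"
	}
	hc := req.HostConfig
	if hc.Privileged {
		return http.StatusForbidden, "HostConfig.Privileged=true is not allowed"
	}
	for _, c := range hc.CapAdd {
		if strings.EqualFold(strings.TrimPrefix(strings.ToUpper(c), "CAP_"), "SYS_ADMIN") {
			return http.StatusForbidden, "CapAdd SYS_ADMIN is not allowed"
		}
	}
	return 0, "allowed"
}

// Gate wraps an upstream handler (standing in for the socket forwarder) and
// applies Decide to every request before the upstream sees it.
func Gate(upstream http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, maxBody+1))
		if err != nil || len(body) > maxBody {
			http.Error(w, "body unreadable or too large", http.StatusRequestEntityTooLarge)
			return
		}
		if code, reason := Decide(r.Method, r.URL.Path, body); code != 0 {
			http.Error(w, reason, code)
			return
		}
		r.Body = io.NopCloser(bytes.NewReader(body)) // hand the buffered body on
		upstream.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample bodies; the second is what a privileged job would send.
	for _, body := range []string{
		`{"Image":"alpine","HostConfig":{"Privileged":false}}`,
		`{"Image":"alpine","HostConfig":{"Privileged":true}}`,
	} {
		code, reason := Decide(http.MethodPost, "/v1.43/containers/create", []byte(body))
		fmt.Printf("%-3d %s\n", code, reason)
	}
}
```

Two details are the ones the differential axes exist to catch. Go's `encoding/json` matches object keys case-insensitively and keeps the last of duplicate keys; dockerd is also Go, so this gate and the daemon agree, but a gate built on a decoder with different rules would let `{"HostConfig":{"privileged":true}}` or a duplicated `HostConfig` through while dockerd honors it. Likewise the path is cleaned and the version prefix stripped before the allowlist is consulted, so the decision is made on the same path dockerd will route on.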
🔧 Tooling & docs
- `gofmt -l` CI gate added; `govulncheck ./...` added to the pre-push pipeline — the tree is vuln-clean.
- New `/docs/cis-docker-benchmark` guide; widened `/docs/security#known-limitations`; `/docs/presets` now covers all 12 presets.
⬆️ Upgrading from 0.8.x
v1.0.0 carries the breaking YAML / CLI / metrics renames introduced in v1.0.0-rc.1 and the two-flag plaintext-TCP gate from v1.0.0-rc.2. Review those release notes before upgrading.
📥 Install
```shell
docker pull ghcr.io/codeswhat/sockguard:1.0.0
```

Also published to `docker.io/codeswhat/sockguard` and `quay.io/codeswhat/sockguard`. Prebuilt binaries for linux/macOS · amd64/arm64 are attached below. Every image and tarball is cosign-signed — see the verification docs.
📦 ghcr.io/codeswhat/sockguard:1.0.0 · 📖 Documentation · 🔎 Full diff
