
v1.0.0-rc.1

Pre-release

@github-actions github-actions released this 15 May 19:28
sockguard

sockguard is a default-deny Docker socket proxy written in Go. It filters every request by HTTP method, path, and request body — so a compromised API consumer can't escalate through the socket.


sockguard v1.0.0-rc.1 — release candidate 1

⚠️ Pre-release. First v1.0 release candidate. It carries the breaking renames the v1.x line is built on — read the section below before upgrading. For production use the stable v1.0.0.

⚠️ Breaking changes

YAML schema renames — update configs and env var names before upgrading:

  • listen.tls.allowed_common_names → listen.tls.common_names (and the matching allowed_dns_names, allowed_ip_addresses, allowed_uri_sans, allowed_public_key_sha256_pins lose their allowed_ prefix — the same five renames apply to admin.listen.tls.*).
  • request_body.plugin.allow_ipc_host → allow_host_ipc; allow_pid_host → allow_host_pid.
  • request_body.container_update.allow_devices → allow_all_devices.
  • admin.max_body_bytes → admin.max_request_bytes.
  • reload.debounce_ms / reload.poll_interval_ms (integer ms) → reload.debounce / reload.poll_interval (Go duration strings, e.g. "250ms").

CLI flag rename: --deny-response-verbosity → --deny-verbosity.

Prometheus metric renames — update dashboards and alerts:

  • Counter sockguard_throttle_total → sockguard_throttle_requests_total; label reason → reason_code.
  • The rule label is dropped from sockguard_http_denied_requests_total (its value was a zero-based ordinal that shifted on any rule edit). The rule index still appears in the structured audit log (matched_rule) and access log (rule).

🔒 Security

Dependency hardening — bumped eight indirect dependencies to close 11 OSSF Scorecard / OSV-Scanner findings. govulncheck now reports zero reachable and zero unreachable-but-imported vulnerabilities for the proxy binary. Notable: go-tuf/v2 (path-traversal + delegation-threshold + DoS fixes), sigstore/rekor (SSRF + nil-deref fixes), golang.org/x/net (HTTP/2 infinite loop), google.golang.org/grpc (authorization bypass).

Filter inspector hardening:

  • POST /containers/create now always denies HostConfig.VolumesFrom, UTSMode=host, a non-empty CgroupParent, GroupAdd, and ExtraHosts — five namespace-escape / privilege-escalation fields that were previously uninspected. No policy can opt out.
  • POST /containers/{id}/exec and POST /swarm/unlock are now fail-closed when the request body can't be decoded.
  • Filter middleware applies a 30 s read deadline to the request body before inspection, so a slowloris-style stalled body can't pin an inspector worker.

Ownership & client-ACL hardening:

  • The owner-label filter on list endpoints now replaces the entire label filter rather than appending — closing a cross-tenant bypass where a client could OR in label=com.sockguard.owner=victim to widen the visible set.
  • Profile-lookup caches are now bounded (1024 entries, LRU); container-label resolution re-checks the container is still live before caching.
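To make the owner-label change concrete, here is an added example (not sockguard's own code) that parses the Docker Engine list-endpoint `filters` query document and contrasts the old append behaviour with the replace behaviour described above; `decodeFilters` and `ownerLabelValues` are hypothetical names, and only the list form of the filter document is handled.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// Label key sockguard uses to record the owning client (from the release notes).
const ownerLabel = "com.sockguard.owner"

// filterDoc is the Engine API "filters" query document in its list form, e.g.
// {"label":["com.sockguard.owner=alice"]}. Assumption: the map form is not handled.
type filterDoc map[string][]string

// decodeFilters parses a list request's raw query string into its filter document.
func decodeFilters(rawQuery string) (filterDoc, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return nil, err
	}
	doc := filterDoc{}
	if raw := q.Get("filters"); raw != "" {
		err = json.Unmarshal([]byte(raw), &doc) // undecodable body => error, fail closed
	}
	return doc, err
}

// ownerLabelValues (hypothetical helper, not sockguard's code) returns the label
// filter values the daemon would receive. appendMode reproduces the pre-rc.1
// behaviour, where a client-supplied owner label survives beside the proxy's own;
// otherwise the entire label filter is replaced by the proxy's owner constraint.
func ownerLabelValues(rawQuery, owner string, appendMode bool) ([]string, error) {
	doc, err := decodeFilters(rawQuery)
	if err != nil {
		return nil, err
	}
	own := ownerLabel + "=" + owner
	if appendMode {
		return append(doc["label"], own), nil
	}
	return []string{own}, nil
}

func main() {
	// Constructed request: the client filters on another tenant's owner label.
	q := "all=1&filters=" + url.QueryEscape(`{"label":["com.sockguard.owner=victim"]}`)
	a, _ := ownerLabelValues(q, "caller", true)
	r, _ := ownerLabelValues(q, "caller", false)
	fmt.Println("append:", a, "replace:", r)
}
```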

🔄 Changed

  • New RELEASING.md documents the end-to-end release process.
  • serve --help now enumerates configuration precedence; --config help documents the missing-file fallback behavior.

📥 Install

docker pull ghcr.io/codeswhat/sockguard:1.0.0-rc.1

📦 ghcr.io/codeswhat/sockguard:1.0.0-rc.1 · 📖 Documentation · 🔎 Full diff