{"id":13446645,"url":"https://github.com/hectorm/cetusguard","last_synced_at":"2025-04-12T02:20:27.556Z","repository":{"id":38420139,"uuid":"482558324","full_name":"hectorm/cetusguard","owner":"hectorm","description":"CetusGuard is a tool that protects the Docker daemon socket by filtering calls to its API endpoints.","archived":false,"fork":false,"pushed_at":"2024-05-01T11:36:05.000Z","size":422,"stargazers_count":42,"open_issues_count":0,"forks_count":0,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-05-02T05:16:35.480Z","etag":null,"topics":["container","daemon","docker","firewall","proxy","security"],"latest_commit_sha":null,"homepage":"https://hub.docker.com/r/hectorm/cetusguard","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hectorm.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-04-17T15:18:23.000Z","updated_at":"2024-05-06T12:43:53.247Z","dependencies_parsed_at":"2023-10-17T01:45:31.734Z","dependency_job_id":"4a9017f8-0786-4cac-a515-efbafa112a36","html_url":"https://github.com/hectorm/cetusguard","commit_stats":null,"previous_names":[],"tags_count":31,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hectorm%2Fcetusguard","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hectorm%2Fcetusguard/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hectorm%2Fcetusguard/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/he
ctorm%2Fcetusguard/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hectorm","download_url":"https://codeload.github.com/hectorm/cetusguard/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248505921,"owners_count":21115354,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["container","daemon","docker","firewall","proxy","security"],"created_at":"2024-07-31T05:00:55.525Z","updated_at":"2025-04-12T02:20:27.521Z","avatar_url":"https://github.com/hectorm.png","language":"Go","readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"./resources/logo/CetusGuard-Color-Reduced.svg\" height=\"192\"\u003e\n\u003c/p\u003e\n\n# CetusGuard\n\nCetusGuard is a tool that protects the Docker daemon socket by filtering calls to its API endpoints.\n\nSome highlights:\n * It is written in a memory-safe language.\n * It has a small codebase that is easy to audit.\n * It has zero dependencies, to mitigate supply chain attacks.\n\n## Docker daemon security\n\nUnless you opt in to [rootless mode][1], the Docker daemon requires root, and any service with access to its API can escalate privileges. Even in rootless mode, any container with access to the API can escape out of the container; this applies to both Docker and Podman.\n\nThe Docker daemon [exposes its API][2] by default through a non-networked Unix socket, which can be restricted by file system permissions, and for networked use the daemon supports being exposed through SSH or TCP with TLS client authentication. 
However, you still need to fully trust any service you give access to its API.\n\nCetusGuard solves this problem by acting as a proxy between the daemon and the services that consume its API, allowing, for example, read-only access to some endpoints.\n\n## Usage\n\nCetusGuard is distributed as a Docker image available on [Docker Hub][3] or [GitHub Container Registry][4] and as a statically linked binary available in the [releases section][5] of the project.\n\nA collection of examples for experimenting with CetusGuard, including some real-world scenarios with Traefik and Netdata, can be found in the [./examples/](./examples/) directory.\n\nThese are the supported options:\n```\n  -backend-addr string\n        Container daemon socket to connect to (env CETUSGUARD_BACKEND_ADDR, CONTAINER_HOST, DOCKER_HOST) (default \"unix:///var/run/docker.sock\")\n  -backend-tls-cacert string\n        Path to the backend TLS certificate used to verify the daemon identity (env CETUSGUARD_BACKEND_TLS_CACERT)\n  -backend-tls-cert string\n        Path to the backend TLS certificate used to authenticate with the daemon (env CETUSGUARD_BACKEND_TLS_CERT)\n  -backend-tls-key string\n        Path to the backend TLS key used to authenticate with the daemon (env CETUSGUARD_BACKEND_TLS_KEY)\n  -frontend-addr value\n        Address to bind the server to, can be specified multiple times (env CETUSGUARD_FRONTEND_ADDR) (default [\"tcp://127.0.0.1:2375\"])\n  -frontend-tls-cacert string\n        Path to the frontend TLS certificate used to verify the identity of clients (env CETUSGUARD_FRONTEND_TLS_CACERT)\n  -frontend-tls-cert string\n        Path to the frontend TLS certificate (env CETUSGUARD_FRONTEND_TLS_CERT)\n  -frontend-tls-key string\n        Path to the frontend TLS key (env CETUSGUARD_FRONTEND_TLS_KEY)\n  -log-level int\n        The minimum entry level to log, from 0 to 7 (env CETUSGUARD_LOG_LEVEL) (default 6)\n  -no-builtin-rules\n        Do not load the built-in rules (env 
CETUSGUARD_NO_BUILTIN_RULES)\n  -rules value\n        Filter rules separated by new lines, can be specified multiple times (env CETUSGUARD_RULES)\n  -rules-file value\n        Filter rules file, can be specified multiple times (env CETUSGUARD_RULES_FILE)\n  -version\n        Show version number and quit\n```\n\n## Filter rules\n\nBy default, only a few common harmless endpoints are allowed: `/_ping`, `/info` and `/version`.\n\nAll other endpoints are denied and must be explicitly allowed through a rule syntax defined by the following ABNF grammar:\n```\nblank   = ( SP / HTAB )\nmethod  = 1*%x41-5A                             ; HTTP method\nmethods = method *( \",\" method )                ; HTTP method list\npattern = 1*UNICODE                             ; Target path regex\nrule    = *blank methods 1*blank pattern *blank ; Rule\n```\n\nOnly requests that match both one of the specified HTTP methods and the target path regex are allowed.\n\nThere are several variables, delimited by `%`, that can be used to construct rule patterns; the full list and their values can be found in the [`rule.go`](./cetusguard/rule.go) file.\n\nLines starting with `!` are treated as comments and ignored.\n\nSome example rules are:\n```\n! Ping\nGET,HEAD %API_PREFIX_PING%\n\n! Get version\nGET %API_PREFIX_VERSION%\n\n! Get system information\nGET %API_PREFIX_INFO%\n\n! Get data usage information\nGET %API_PREFIX_SYSTEM%/df\n\n! Monitor events\nGET %API_PREFIX_EVENTS%\n\n! List containers\nGET %API_PREFIX_CONTAINERS%/json\n\n! Inspect a container\nGET %API_PREFIX_CONTAINERS%/%CONTAINER_ID_OR_NAME%/json\n\n! Create a container\nPOST %API_PREFIX_CONTAINERS%/create(\\?.*)?\n\n! Start a container\nPOST %API_PREFIX_CONTAINERS%/%CONTAINER_ID_OR_NAME%/start(\\?.*)?\n\n! Kill a container\nPOST %API_PREFIX_CONTAINERS%/%CONTAINER_ID_OR_NAME%/kill(\\?.*)?\n\n! Remove a container\nDELETE %API_PREFIX_CONTAINERS%/%CONTAINER_ID_OR_NAME%(\\?.*)?\n\n! 
Connect a container to a network\nPOST %API_PREFIX_NETWORKS%/%NETWORK_ID_OR_NAME%/connect(\\?.*)?\n\n! Disconnect a container from a network\nPOST %API_PREFIX_NETWORKS%/%NETWORK_ID_OR_NAME%/disconnect(\\?.*)?\n\n! Inspect an image\nGET %API_PREFIX_IMAGES%/%IMAGE_ID_OR_REFERENCE%/json\n\n! Pull or import an image\nPOST %API_PREFIX_IMAGES%/create\n\n! Remove an image\nDELETE %API_PREFIX_IMAGES%/%IMAGE_ID_OR_REFERENCE%(\\?.*)?\n```\n\n## License\n\n[MIT License](./LICENSE.md) © [Héctor Molinero Fernández](https://hector.molinero.dev).\n\n[1]: https://docs.docker.com/engine/security/rootless/\n[2]: https://docs.docker.com/engine/security/protect-access/\n[3]: https://hub.docker.com/r/hectorm/cetusguard\n[4]: https://github.com/hectorm/cetusguard/pkgs/container/cetusguard\n[5]: https://github.com/hectorm/cetusguard/releases\n","funding_links":[],"categories":["Container Operations","Go"],"sub_categories":["Security"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhectorm%2Fcetusguard","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhectorm%2Fcetusguard","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhectorm%2Fcetusguard/lists"}