Skip to main content
In enterprises with strict network policies, all egress traffic to external services must go through an HTTP proxy. By the end of this tutorial, you will have an HTTP proxy running locally and the Kosli CLI configured to use it.
If you already have an HTTP proxy running, skip to Use the HTTP proxy with Kosli CLI.

Prerequisites

Start the HTTP proxy

We will use Tinyproxy running in Docker as our HTTP proxy. Create a minimal Tinyproxy configuration and start it:
You should see Tinyproxy log output in the terminal, confirming it is listening on port 8888.

Use the HTTP proxy with Kosli CLI

In a new terminal, verify the setup by listing environments from the public cyber-dojo demo org:
Your request is routed through the proxy and forwarded to Kosli. You should see output similar to:
If your proxy requires authentication, embed the credentials in the proxy URL:

More examples

Once the proxy is running, any Kosli CLI command can be routed through it by adding the --http-proxy flag. Here are some common examples: Report a Docker image artifact through the proxy:
Snapshot a Kubernetes cluster through the proxy:
Attach a JUnit test attestation through the proxy:
Request an approval through the proxy:

Persist the proxy configuration

Rather than passing --http-proxy on every command, save it to your Kosli config:
All subsequent CLI commands will now route through the proxy automatically.

Scope of --http-proxy

The --http-proxy flag only applies to traffic between the CLI and the Kosli API. Commands that integrate with third-party services (GitHub, GitLab, Jira, SonarCloud/SonarQube, Azure, AWS) use separate HTTP clients that are not affected by this flag. To proxy that traffic, set the standard HTTPS_PROXY / HTTP_PROXY / NO_PROXY environment variables separately. The table below shows every external endpoint the CLI may contact and how to proxy each one:
DestinationEndpointCommandsProxy method
Kosli APIhttps://app.kosli.com (configurable via --host)All commands--http-proxy or HTTPS_PROXY
GitHubhttps://api.github.com (configurable via --github-base-url)PR/commit attestationsHTTPS_PROXY only
GitLabhttps://gitlab.com (configurable via --gitlab-base-url)PR attestationsHTTPS_PROXY only
JiraConfigured via --jira-base-urlJira attestationsHTTPS_PROXY only
SonarCloud/SonarQubehttps://sonarcloud.io (configurable via --sonar-server-url)Sonar attestationsHTTPS_PROXY only
Azure DevOpsConfigured via --azure-org-urlAzure PR attestationsHTTPS_PROXY only
Azure management APIsAzure ARM/IMDS endpointsAzure app snapshotsHTTPS_PROXY only
AWS APIsRegional AWS endpointsECS / Lambda / S3 snapshotsHTTPS_PROXY only
Container registriesOCI registries (ECR, GCR, DockerHub, etc.)Artifact fingerprinting (--artifact-type oci)HTTPS_PROXY only
Kubernetes API serverIn-cluster or via kubeconfigsnapshot k8skubeconfig proxy-url or HTTPS_PROXY

Corporate proxies requiring Kerberos or NTLM

Go’s HTTP client only supports Basic authentication for proxies. If your corporate proxy requires Kerberos or NTLM (common in large enterprises), run a local auth-handling proxy such as cntlm or px, then point HTTPS_PROXY at http://127.0.0.1:<local-port>.

Kubernetes reporter

The snapshot k8s command makes two independent outbound connections:
  1. Kubernetes API server — uses the kubeconfig for connection and authentication. Configure the proxy via the kubeconfig proxy-url field or the HTTPS_PROXY environment variable.
  2. Kosli API — uses the standard Kosli HTTP client, controlled by --http-proxy.
These two connections must be configured independently.

What you’ve accomplished

You have set up Tinyproxy as an HTTP proxy and configured the Kosli CLI to route all traffic through it. This pattern works with any HTTP proxy — replace http://localhost:8888 with your organization’s proxy URL and run kosli config --http-proxy=<your-proxy-url> to apply it globally.
Last modified on June 5, 2026