Skip to main content

Documentation Index

Fetch the complete documentation index at: https://kosli-reference-docs-v2-17-8.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

In enterprises with strict network policies, all egress traffic to external services must go through an HTTP proxy. By the end of this tutorial, you will have an HTTP proxy running locally and the Kosli CLI configured to use it.
If you already have an HTTP proxy running, skip to Use the HTTP proxy with Kosli CLI.

Prerequisites

Start the HTTP proxy

We will use Tinyproxy running in Docker as our HTTP proxy. Create a minimal Tinyproxy configuration and start it: 
cat <<EOF > tinyproxy.conf
User nobody
Group nobody
Port 8888
EOF

docker run -p 8888:8888 -v $(PWD)/tinyproxy.conf:/etc/tinyproxy/tinyproxy.conf:ro kalaksi/tinyproxy
You should see Tinyproxy log output in the terminal, confirming it is listening on port 8888.

Use the HTTP proxy with Kosli CLI

In a new terminal, verify the setup by listing environments from the public cyber-dojo demo org: 
kosli list envs --org cyber-dojo --http-proxy http://localhost:8888 --api-token <your-token>
Your request is routed through the proxy and forwarded to Kosli. You should see output similar to: 
NAME                         TYPE  LAST REPORT                LAST MODIFIED              TAGS
aws-beta                     ECS   2024-04-18T15:17:54+02:00  2024-04-18T15:17:54+02:00  [url=https://beta.cyber-dojo.org/]
aws-prod                     ECS   2024-04-18T15:17:57+02:00  2024-04-18T15:17:57+02:00  [url=https://cyber-dojo.org/]
terraform-state-differ-beta  S3    2024-04-18T15:18:23+02:00  2024-04-18T15:18:23+02:00
terraform-state-differ-prod  S3    2024-04-18T15:18:17+02:00  2024-04-18T15:18:17+02:00
If your proxy requires authentication, embed the credentials in the proxy URL: 
kosli list envs --org cyber-dojo --http-proxy http://username:password@proxy-host:8080 --api-token <your-token>

Persist the proxy configuration

Rather than passing --http-proxy on every command, save it to your Kosli config: 
kosli config --http-proxy=http://localhost:8888
All subsequent CLI commands will now route through the proxy automatically.

Scope of --http-proxy

The --http-proxy flag only applies to traffic between the CLI and the Kosli API. Commands that integrate with third-party services (GitHub, GitLab, Jira, SonarCloud/SonarQube, Azure, AWS) use separate HTTP clients that are not affected by this flag. To proxy that traffic, set the standard HTTPS_PROXY environment variable separately. The table below shows every external endpoint the CLI may contact and how to proxy each one:
DestinationEndpointCommandsProxy method
Kosli APIhttps://app.kosli.com (configurable via --host)All commands--http-proxy or HTTPS_PROXY
GitHubhttps://api.github.com (configurable via --github-base-url)PR/commit attestationsHTTPS_PROXY only
GitLabhttps://gitlab.com (configurable via --gitlab-base-url)PR attestationsHTTPS_PROXY only
JiraConfigured via --jira-base-urlJira attestationsHTTPS_PROXY only
SonarCloud/SonarQubehttps://sonarcloud.io (configurable via --sonar-server-url)Sonar attestationsHTTPS_PROXY only
Azure DevOpsConfigured via --azure-org-urlAzure PR attestationsHTTPS_PROXY only
Azure management APIsAzure ARM/IMDS endpointsAzure app snapshotsHTTPS_PROXY only
AWS APIsRegional AWS endpointsECS / Lambda / S3 snapshotsHTTPS_PROXY only
Container registriesOCI registries (ECR, GCR, DockerHub, etc.)Artifact fingerprinting (--artifact-type oci)HTTPS_PROXY only
Kubernetes API serverIn-cluster or via kubeconfigsnapshot k8skubeconfig proxy-url or HTTPS_PROXY

Kubernetes reporter

The snapshot k8s command makes two independent outbound connections:
  1. Kubernetes API server — uses the kubeconfig for connection and authentication. Configure the proxy via the kubeconfig proxy-url field or the HTTPS_PROXY environment variable.
  2. Kosli API — uses the standard Kosli HTTP client, controlled by --http-proxy.
These two connections must be configured independently.

What you’ve accomplished

You have set up Tinyproxy as an HTTP proxy and configured the Kosli CLI to route all traffic through it. This pattern works with any HTTP proxy — replace http://localhost:8888 with your organisation’s proxy URL and run kosli config --http-proxy=<your-proxy-url> to apply it globally.
Last modified on May 11, 2026