From bf47b4df92ad325beeb114c515e37e9cf97d0806 Mon Sep 17 00:00:00 2001 From: Tore Martin Hagen Date: Tue, 12 May 2026 13:19:18 +0200 Subject: [PATCH 1/2] Added comment about http proxy --- tutorials/cli_and_http_proxy.md | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/tutorials/cli_and_http_proxy.md b/tutorials/cli_and_http_proxy.md index 4e71448..a0c66bb 100644 --- a/tutorials/cli_and_http_proxy.md +++ b/tutorials/cli_and_http_proxy.md 
@@ -70,23 +70,27 @@ All subsequent CLI commands will now route through the proxy automatically. ## Scope of `--http-proxy` -The `--http-proxy` flag only applies to traffic between the CLI and the Kosli API. Commands that integrate with third-party services (GitHub, GitLab, Jira, SonarCloud/SonarQube, Azure, AWS) use separate HTTP clients that are **not** affected by this flag. To proxy that traffic, set the standard `HTTPS_PROXY` environment variable separately. +The `--http-proxy` flag only applies to traffic between the CLI and the Kosli API. Commands that integrate with third-party services (GitHub, GitLab, Jira, SonarCloud/SonarQube, Azure, AWS) use separate HTTP clients that are **not** affected by this flag. To proxy that traffic, set the standard `HTTPS_PROXY` / `HTTP_PROXY` / `NO_PROXY` environment variables separately. The table below shows every external endpoint the CLI may contact and how to proxy each one: | Destination | Endpoint | Commands | Proxy method | |---|---|---|---| | Kosli API | `https://app.kosli.com` (configurable via `--host`) | All commands | `--http-proxy` or `HTTPS_PROXY` | -| GitHub | `https://api.github.com` (configurable via `--github-base-url`) | PR/commit attestations | `HTTPS_PROXY` only | -| GitLab | `https://gitlab.com` (configurable via `--gitlab-base-url`) | PR attestations | `HTTPS_PROXY` only | -| Jira | Configured via `--jira-base-url` | Jira attestations | `HTTPS_PROXY` only | -| SonarCloud/SonarQube | `https://sonarcloud.io` (configurable via `--sonar-server-url`) | Sonar attestations | `HTTPS_PROXY` only | -| Azure DevOps | Configured via `--azure-org-url` | Azure PR attestations | `HTTPS_PROXY` only | -| Azure management APIs | Azure ARM/IMDS endpoints | Azure app snapshots | `HTTPS_PROXY` only | -| AWS APIs | Regional AWS endpoints | ECS / Lambda / S3 snapshots | `HTTPS_PROXY` only | -| Container registries | OCI registries (ECR, GCR, DockerHub, etc.) 
| Artifact fingerprinting (`--artifact-type oci`) | `HTTPS_PROXY` only | +| GitHub | `https://api.github.com` (configurable via `--github-base-url`) | PR/commit attestations | `HTTPS_PROXY` env | +| GitLab | `https://gitlab.com` (configurable via `--gitlab-base-url`) | PR attestations | `HTTPS_PROXY` env | +| Jira | Configured via `--jira-base-url` | Jira attestations | `HTTPS_PROXY` env | +| SonarCloud/SonarQube | `https://sonarcloud.io` (configurable via `--sonar-server-url`) | Sonar attestations | `HTTPS_PROXY` env | +| Azure DevOps | Configured via `--azure-org-url` | Azure PR attestations | `HTTPS_PROXY` env | +| Azure management APIs | Azure ARM/IMDS endpoints | Azure app snapshots | `HTTPS_PROXY` env | +| AWS APIs | Regional AWS endpoints | ECS / Lambda / S3 snapshots | `HTTPS_PROXY` env | +| Container registries | OCI registries (ECR, GCR, DockerHub, etc.) | Artifact fingerprinting (`--artifact-type oci`) | `HTTPS_PROXY` env | | Kubernetes API server | In-cluster or via kubeconfig | `snapshot k8s` | kubeconfig `proxy-url` or `HTTPS_PROXY` | +### Corporate proxies requiring Kerberos or NTLM + +Go's HTTP client only supports Basic authentication for proxies. If your corporate proxy requires Kerberos or NTLM (common in large enterprises), run a local auth-handling proxy such as [cntlm](https://cntlm.sourceforge.net/) or [px](https://github.com/genotrance/px), then point `HTTPS_PROXY` at `http://127.0.0.1:`. + ## Kubernetes reporter The `snapshot k8s` command makes two independent outbound connections: From 77ac974286595e8e21e5c923dcb065dcc0bd4105 Mon Sep 17 00:00:00 2001 From: Tore Martin Hagen Date: Tue, 12 May 2026 13:26:34 +0200 Subject: [PATCH 2/2] Reverted a change --- tutorials/cli_and_http_proxy.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/tutorials/cli_and_http_proxy.md b/tutorials/cli_and_http_proxy.md index a0c66bb..a294bf4 100644 --- a/tutorials/cli_and_http_proxy.md +++ b/tutorials/cli_and_http_proxy.md 
@@ -77,14 +77,14 @@ The table below shows every external endpoint the CLI may contact and how to pro | Destination | Endpoint | Commands | Proxy method | |---|---|---|---| | Kosli API | `https://app.kosli.com` (configurable via `--host`) | All commands | `--http-proxy` or `HTTPS_PROXY` | -| GitHub | `https://api.github.com` (configurable via `--github-base-url`) | PR/commit attestations | `HTTPS_PROXY` env | -| GitLab | `https://gitlab.com` (configurable via `--gitlab-base-url`) | PR attestations | `HTTPS_PROXY` env | -| Jira | Configured via `--jira-base-url` | Jira attestations | `HTTPS_PROXY` env | -| SonarCloud/SonarQube | `https://sonarcloud.io` (configurable via `--sonar-server-url`) | Sonar attestations | `HTTPS_PROXY` env | -| Azure DevOps | Configured via `--azure-org-url` | Azure PR attestations | `HTTPS_PROXY` env | -| Azure management APIs | Azure ARM/IMDS endpoints | Azure app snapshots | `HTTPS_PROXY` env | -| AWS APIs | Regional AWS endpoints | ECS / Lambda / S3 snapshots | `HTTPS_PROXY` env | -| Container registries | OCI registries (ECR, GCR, DockerHub, etc.) | Artifact fingerprinting (`--artifact-type oci`) | `HTTPS_PROXY` env | +| GitHub | `https://api.github.com` (configurable via `--github-base-url`) | PR/commit attestations | `HTTPS_PROXY` only | +| GitLab | `https://gitlab.com` (configurable via `--gitlab-base-url`) | PR attestations | `HTTPS_PROXY` only | +| Jira | Configured via `--jira-base-url` | Jira attestations | `HTTPS_PROXY` only | +| SonarCloud/SonarQube | `https://sonarcloud.io` (configurable via `--sonar-server-url`) | Sonar attestations | `HTTPS_PROXY` only | +| Azure DevOps | Configured via `--azure-org-url` | Azure PR attestations | `HTTPS_PROXY` only | +| Azure management APIs | Azure ARM/IMDS endpoints | Azure app snapshots | `HTTPS_PROXY` only | +| AWS APIs | Regional AWS endpoints | ECS / Lambda / S3 snapshots | `HTTPS_PROXY` only | +| Container registries | OCI registries (ECR, GCR, DockerHub, etc.) 
| Artifact fingerprinting (`--artifact-type oci`) | `HTTPS_PROXY` only | | Kubernetes API server | In-cluster or via kubeconfig | `snapshot k8s` | kubeconfig `proxy-url` or `HTTPS_PROXY` | ### Corporate proxies requiring Kerberos or NTLM
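Review bot: In PATCH 1/2, the new "Corporate proxies requiring Kerberos or NTLM" section ends with `http://127.0.0.1:`, a URL with a trailing colon and no port. If a port placeholder was intended, check that it survives rendering, and word it so the reader knows to fill in the local proxy's listening port. In the same hunk the intro paragraph now names `HTTPS_PROXY` / `HTTP_PROXY` / `NO_PROXY` as the way "to proxy that traffic", but `NO_PROXY` excludes hosts from proxying, and no table row mentions it or `HTTP_PROXY`. A sentence saying which variable applies to which URL scheme and what `NO_PROXY` is for (the Azure ARM/IMDS and in-cluster Kubernetes rows look like the cases that would need it) would make the paragraph and the table agree.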
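Review bot: In PATCH 2/2, the reverted cells read `HTTPS_PROXY` only, while the paragraph above the table, kept from PATCH 1/2, tells readers to set `HTTPS_PROXY` / `HTTP_PROXY` / `NO_PROXY`, so "only" can now be read as excluding the other two variables rather than excluding `--http-proxy`. Either word the cell along the lines of "environment variables only (not `--http-proxy`)" or add a line under the table saying what "only" rules out. This matters most for the rows whose endpoint is user-configured (`--jira-base-url`, `--sonar-server-url`, `--azure-org-url`), where a reader may need to know whether a plain `http://` URL is covered. The commit message "Reverted a change" does not say which change or why. Since this patch only undoes part of 1/2, squashing the two would keep the env/only churn out of history.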