Added comment about http proxy

Author: ToreMerkely

tutorials/cli_and_http_proxy.md

@@ -70,23 +70,27 @@ All subsequent CLI commands will now route through the proxy automatically.
 
 ## Scope of `--http-proxy`
 
-The `--http-proxy` flag only applies to traffic between the CLI and the Kosli API. Commands that integrate with third-party services (GitHub, GitLab, Jira, SonarCloud/SonarQube, Azure, AWS) use separate HTTP clients that are **not** affected by this flag. To proxy that traffic, set the standard `HTTPS_PROXY` environment variable separately.
+The `--http-proxy` flag only applies to traffic between the CLI and the Kosli API. Commands that integrate with third-party services (GitHub, GitLab, Jira, SonarCloud/SonarQube, Azure, AWS) use separate HTTP clients that are **not** affected by this flag. To proxy that traffic, set the standard `HTTPS_PROXY` / `HTTP_PROXY` / `NO_PROXY` environment variables separately.
 
 The table below shows every external endpoint the CLI may contact and how to proxy each one:
 
 | Destination | Endpoint | Commands | Proxy method |
 |---|---|---|---|
 | Kosli API | `https://app.kosli.com` (configurable via `--host`) | All commands | `--http-proxy` or `HTTPS_PROXY` |
-| GitHub | `https://api.github.com` (configurable via `--github-base-url`) | PR/commit attestations | `HTTPS_PROXY` only |
-| GitLab | `https://gitlab.com` (configurable via `--gitlab-base-url`) | PR attestations | `HTTPS_PROXY` only |
-| Jira | Configured via `--jira-base-url` | Jira attestations | `HTTPS_PROXY` only |
-| SonarCloud/SonarQube | `https://sonarcloud.io` (configurable via `--sonar-server-url`) | Sonar attestations | `HTTPS_PROXY` only |
-| Azure DevOps | Configured via `--azure-org-url` | Azure PR attestations | `HTTPS_PROXY` only |
-| Azure management APIs | Azure ARM/IMDS endpoints | Azure app snapshots | `HTTPS_PROXY` only |
-| AWS APIs | Regional AWS endpoints | ECS / Lambda / S3 snapshots | `HTTPS_PROXY` only |
-| Container registries | OCI registries (ECR, GCR, DockerHub, etc.) | Artifact fingerprinting (`--artifact-type oci`) | `HTTPS_PROXY` only |
+| GitHub | `https://api.github.com` (configurable via `--github-base-url`) | PR/commit attestations | `HTTPS_PROXY` env |
+| GitLab | `https://gitlab.com` (configurable via `--gitlab-base-url`) | PR attestations | `HTTPS_PROXY` env |
+| Jira | Configured via `--jira-base-url` | Jira attestations | `HTTPS_PROXY` env |
+| SonarCloud/SonarQube | `https://sonarcloud.io` (configurable via `--sonar-server-url`) | Sonar attestations | `HTTPS_PROXY` env |
+| Azure DevOps | Configured via `--azure-org-url` | Azure PR attestations | `HTTPS_PROXY` env |
+| Azure management APIs | Azure ARM/IMDS endpoints | Azure app snapshots | `HTTPS_PROXY` env |
+| AWS APIs | Regional AWS endpoints | ECS / Lambda / S3 snapshots | `HTTPS_PROXY` env |
+| Container registries | OCI registries (ECR, GCR, DockerHub, etc.) | Artifact fingerprinting (`--artifact-type oci`) | `HTTPS_PROXY` env |
 | Kubernetes API server | In-cluster or via kubeconfig | `snapshot k8s` | kubeconfig `proxy-url` or `HTTPS_PROXY` |
 
+### Corporate proxies requiring Kerberos or NTLM
+
+Go's HTTP client only supports Basic authentication for proxies. If your corporate proxy requires Kerberos or NTLM (common in large enterprises), run a local auth-handling proxy such as [cntlm](https://cntlm.sourceforge.net/) or [px](https://github.com/genotrance/px), then point `HTTPS_PROXY` at `http://127.0.0.1:<local-port>`.
+
 ## Kubernetes reporter
 
 The `snapshot k8s` command makes two independent outbound connections: