Skip to content

Instantly share code, notes, and snippets.

@tonistiigi

tonistiigi/proxy.md Secret

Created May 13, 2026 03:33
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save tonistiigi/ced43318d7eaaea4a966de2ccff999ae to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save tonistiigi/ced43318d7eaaea4a966de2ccff999ae to your computer and use it in GitHub Desktop.
Download ZIP
Raw
proxy.md 
docker buildx build --load -t moby/buildkit:dev "https://github.com/moby/buildkit.git?ref=pull/6740/head&keep-git-dir=1"
docker buildx create --driver-opt image=moby/buildkit:dev --name=proxy --buildkitd-flags '--proxy-network' --bootstrap
export BUILDX_BUILDER=proxy

Alpine packages

from alpine
run env && apk update && apk add git
> docker buildx build -f alpine.Dockerfile --progress=plain .

...
#6 [2/2] RUN env && apk update && apk add git

#6 0.078 HTTPS_PROXY=http://10.89.0.5:37271
#6 0.078 no_proxy=127.0.0.1,localhost,::1
#6 0.078 NO_PROXY=127.0.0.1,localhost,::1
#6 0.078 https_proxy=http://10.89.0.5:37271
#6 0.078 http_proxy=http://10.89.0.5:37271
#6 0.078 HTTP_PROXY=http://10.89.0.5:37271
#6 0.562 v3.23.4-168-gb27ea208cc9 [https://dl-cdn.alpinelinux.org/alpine/v3.23/main]
#6 0.562 v3.23.4-175-gb41205ee696 [https://dl-cdn.alpinelinux.org/alpine/v3.23/community]
#6 0.562 OK: 27434 distinct packages available
#6 0.710 ( 1/13) Installing brotli-libs (1.2.0-r0)
#6 0.787 ( 2/13) Installing c-ares (1.34.6-r0)
#6 0.856 ( 3/13) Installing libunistring (1.4.1-r0)
#6 0.932 ( 4/13) Installing libidn2 (2.3.8-r0)
#6 1.000 ( 5/13) Installing nghttp2-libs (1.69.0-r0)
#6 1.068 ( 6/13) Installing nghttp3 (1.13.1-r0)
#6 1.136 ( 7/13) Installing libpsl (0.21.5-r3)
#6 1.207 ( 8/13) Installing zstd-libs (1.5.7-r2)
#6 1.285 ( 9/13) Installing libcurl (8.17.0-r1)
#6 1.366 (10/13) Installing libexpat (2.7.5-r0)
#6 1.447 (11/13) Installing pcre2 (10.47-r0)
#6 1.524 (12/13) Installing git (2.52.0-r0)
#6 1.655 (13/13) Installing git-init-template (2.52.0-r0)
#6 1.720 Executing busybox-1.37.0-r30.trigger
#6 1.728 OK: 21.3 MiB in 29 packages
#6 1.804 proxy network requests:
#6 1.804 - GET https://dl-cdn.alpinelinux.org/alpine/v3.23/main/aarch64/APKINDEX.tar.gz -> 200
#6 1.804 - GET https://dl-cdn.alpinelinux.org/alpine/v3.23/community/aarch64/APKINDEX.tar.gz -> 200
#6 1.804 - GET https://dl-cdn.alpinelinux.org/alpine/v3.23/main/aarch64/brotli-libs-1.2.0-r0.apk -> 200
#6 1.804 - GET https://dl-cdn.alpinelinux.org/alpine/v3.23/main/aarch64/c-ares-1.34.6-r0.apk -> 200
#6 1.804 - GET https://dl-cdn.alpinelinux.org/alpine/v3.23/main/aarch64/libunistring-1.4.1-r0.apk -> 200
#6 1.804 - GET https://dl-cdn.alpinelinux.org/alpine/v3.23/main/aarch64/libidn2-2.3.8-r0.apk -> 200
#6 1.804 - GET https://dl-cdn.alpinelinux.org/alpine/v3.23/main/aarch64/nghttp2-libs-1.69.0-r0.apk -> 200
#6 1.804 - GET https://dl-cdn.alpinelinux.org/alpine/v3.23/main/aarch64/nghttp3-1.13.1-r0.apk -> 200
#6 1.804 - GET https://dl-cdn.alpinelinux.org/alpine/v3.23/main/aarch64/libpsl-0.21.5-r3.apk -> 200
#6 1.804 - GET https://dl-cdn.alpinelinux.org/alpine/v3.23/main/aarch64/zstd-libs-1.5.7-r2.apk -> 200
#6 1.804 - GET https://dl-cdn.alpinelinux.org/alpine/v3.23/main/aarch64/libcurl-8.17.0-r1.apk -> 200
#6 1.804 - GET https://dl-cdn.alpinelinux.org/alpine/v3.23/main/aarch64/libexpat-2.7.5-r0.apk -> 200
#6 1.804 - GET https://dl-cdn.alpinelinux.org/alpine/v3.23/main/aarch64/pcre2-10.47-r0.apk -> 200
#6 1.804 - GET https://dl-cdn.alpinelinux.org/alpine/v3.23/main/aarch64/git-2.52.0-r0.apk -> 200
#6 1.804 - GET https://dl-cdn.alpinelinux.org/alpine/v3.23/main/aarch64/git-init-template-2.52.0-r0.apk -> 200
#6 DONE 1.8s

> docker buildx history inspect attachment --type https://slsa.dev/provenance/v1
...
"buildType": "https://github.com/moby/buildkit/blob/master/docs/attestations/slsa-definitions.md",
    "resolvedDependencies": [
      {
        "uri": "pkg:docker/alpine@latest?platform=linux%2Farm64",
        "digest": {
          "sha256": "5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11"
        }
      },
      {
        "uri": "https://dl-cdn.alpinelinux.org/alpine/v3.23/community/aarch64/APKINDEX.tar.gz",
        "digest": {
          "sha256": "8ffdf3699b20098b2a951c742d4fe628b2923288ad3e9be01109d75c60da5b02"
        }
      },
      {
        "uri": "https://dl-cdn.alpinelinux.org/alpine/v3.23/main/aarch64/APKINDEX.tar.gz",
        "digest": {
          "sha256": "c6e1878b7688dac072f16dc1983101f96022d4ec0c39576f51f963069588dc45"
        }
      },
      {
        "uri": "https://dl-cdn.alpinelinux.org/alpine/v3.23/main/aarch64/brotli-libs-1.2.0-r0.apk",
        "digest": {
          "sha256": "c8a9113b0007d40291e55cfc196744b64004253707e37b3c07e188166fb2d0a0"
        }
      },
      {
...

Debian packages

from debian
run apt-get update && apt-get install -y curl
6 4.422 Processing triggers for libc-bin (2.41-12+deb13u2) ...
#6 4.429 Processing triggers for ca-certificates (20250419) ...
#6 4.432 Updating certificates in /etc/ssl/certs...
#6 4.572 0 added, 0 removed; done.
#6 4.572 Running hooks in /etc/ca-certificates/update.d...
#6 4.573 done.
#6 4.959 proxy network requests:
#6 4.959 - GET http://deb.debian.org/debian/dists/trixie/InRelease -> 200
#6 4.959 - GET http://deb.debian.org/debian/dists/trixie-updates/InRelease -> 200
#6 4.959 - GET http://deb.debian.org/debian-security/dists/trixie-security/InRelease -> 200
#6 4.959 - GET http://deb.debian.org/debian/dists/trixie/main/binary-arm64/by-hash/SHA256/26538de7144bee5272d161aecd966d3bd3abf6f3a17ad2d8215dfa6b97b70420 -> 200
#6 4.959 - GET http://deb.debian.org/debian/dists/trixie-updates/main/binary-arm64/by-hash/SHA256/c19917f48cb63acd2e334367e2b4b18bcd7c5c00b0eb02f6e369e5315f43e63e -> 200
#6 4.959 - GET http://deb.debian.org/debian-security/dists/trixie-security/main/binary-arm64/by-hash/SHA256/085c36098e2068c64077d835e30c72cd91322e9657ba651fa57090c8dfa650dc -> 200
#6 4.959 - GET http://deb.debian.org/debian/pool/main/b/bash-completion/bash-completion_2.16.0-7_all.deb -> 200
#6 4.959 - GET http://deb.debian.org/debian-security/pool/updates/main/o/openssl/openssl_3.5.5-1%7edeb13u2_arm64.deb -> 200
#6 4.959 - GET http://deb.debian.org/debian/pool/main/c/ca-certificates/ca-certificates_20250419_all.deb -> 200
#6 4.959 - GET http://deb.debian.org/debian/pool/main/k/krb5/krb5-locales_1.21.3-5_all.deb -> 200
#6 4.959 - GET http://deb.debian.org/debian/pool/main/b/brotli/libbrotli1_1.1.0-2%2bb7_arm64.deb -> 200
#6 4.959 - GET http://deb.debian.org/debian/pool/main/k/krb5/libkrb5support0_1.21.3-5_arm64.deb -> 200
#6 4.959 - GET http://deb.debian.org/debian/pool/main/e/e2fsprogs/libcom-err2_1.47.2-3%2bb10_arm64.deb -> 200
#6 4.959 - GET http://deb.debian.org/debian/pool/main/k/krb5/libk5crypto3_1.21.3-5_arm64.deb -> 200
#6 4.959 - GET http://deb.debian.org/debian/pool/main/k/keyutils/libkeyutils1_1.6.3-6_arm64.deb -> 200
#6 4.959 - GET http://deb.debian.org/debian/pool/main/k/krb5/libkrb5-3_1.21.3-5_arm64.deb -> 200
#6 4.959 - GET http://deb.debian.org/debian/pool/main/k/krb5/libgssapi-krb5-2_1.21.3-5_arm64.deb -> 200
#6 4.959 - GET http://deb.debian.org/debian/pool/main/libu/libunistring/libunistring5_1.3-2_arm64.deb -> 200
#6 4.959 - GET http://deb.debian.org/debian/pool/main/libi/libidn2/libidn2-0_2.3.8-2_arm64.deb -> 200
#6 4.959 - GET http://deb.debian.org/debian/pool/main/c/cyrus-sasl2/libsasl2-modules-db_2.1.28%2bdfsg1-9_arm64.deb -> 200
#6 4.959 - GET http://deb.debian.org/debian/pool/main/c/cyrus-sasl2/libsasl2-2_2.1.28%2bdfsg1-9_arm64.deb -> 200
#6 4.959 - GET http://deb.debian.org/debian/pool/main/o/openldap/libldap2_2.6.10%2bdfsg-1_arm64.deb -> 200
#6 4.959 - GET http://deb.debian.org/debian/pool/main/n/nghttp2/libnghttp2-14_1.64.0-1.1_arm64.deb -> 200
#6 4.959 - GET http://deb.debian.org/debian/pool/main/n/nghttp3/libnghttp3-9_1.8.0-1_arm64.deb -> 200
#6 4.959 - GET http://deb.debian.org/debian/pool/main/libp/libpsl/libpsl5t64_0.21.2-1.1%2bb1_arm64.deb -> 200
#6 4.959 - GET http://deb.debian.org/debian/pool/main/libf/libffi/libffi8_3.4.8-2_arm64.deb -> 200
#6 4.959 - GET http://deb.debian.org/debian/pool/main/p/p11-kit/libp11-kit0_0.25.5-3_arm64.deb -> 200
#6 4.959 - GET http://deb.debian.org/debian/pool/main/libt/libtasn1-6/libtasn1-6_4.20.0-2_arm64.deb -> 200
#6 4.959 - GET http://deb.debian.org/debian/pool/main/g/gnutls28/libgnutls30t64_3.8.9-3%2bdeb13u2_arm64.deb -> 200
#6 4.959 - GET http://deb.debian.org/debian/pool/main/r/rtmpdump/librtmp1_2.4%2b20151223.gitfa8646d.1-2%2bb5_arm64.deb -> 200
#6 4.959 - GET http://deb.debian.org/debian/pool/main/libs/libssh2/libssh2-1t64_1.11.1-1_arm64.deb -> 200
#6 4.959 - GET http://deb.debian.org/debian/pool/main/c/curl/libcurl4t64_8.14.1-2%2bdeb13u2_arm64.deb -> 200
#6 4.959 - GET http://deb.debian.org/debian/pool/main/c/curl/curl_8.14.1-2%2bdeb13u2_arm64.deb -> 200
#6 4.959 - GET http://deb.debian.org/debian/pool/main/o/openldap/libldap-common_2.6.10%2bdfsg-1_all.deb -> 200
#6 4.959 - GET http://deb.debian.org/debian/pool/main/c/cyrus-sasl2/libsasl2-modules_2.1.28%2bdfsg1-9_arm64.deb -> 200
#6 4.959 - GET http://deb.debian.org/debian/pool/main/p/publicsuffix/publicsuffix_20250328.1952-0.1_all.deb -> 200
#6 DONE 5.0s


      {
        "uri": "http://deb.debian.org/debian/pool/main/n/nghttp2/libnghttp2-14_1.64.0-1.1_arm64.deb",
        "digest": {
          "sha256": "34343e4eae830320a96d4bbdc989ba2611fbc4459ac1cff8feb2beb22c75a1ea"
        }
      },
      {
        "uri": "http://deb.debian.org/debian/pool/main/n/nghttp3/libnghttp3-9_1.8.0-1_arm64.deb",
        "digest": {
          "sha256": "26bfb8d1bead043f57d95663bab02f7611e7078fb7cf71383fa480c4b4c24d81"
        }
      },

Raw ICMP/DNS blocked

from alpine
run ping -c 4 google.com

#6 [2/2] RUN ping -c 4 google.com
#6 5.037 ping: bad address 'google.com'
#6 ERROR: process "/bin/sh -c ping -c 4 google.com" did not complete successfully: exit code: 1
------
 > [2/2] RUN ping -c 4 google.com:
5.037 ping: bad address 'google.com'
------
ERROR: failed to build: failed to solve: process "/bin/sh -c ping -c 4 google.com" did not complete successfully: exit code: 1

from alpine
run apk add bind-tools
run dig google.com

#6 [3/3] RUN dig google.com
#6 0.041 ;; UDP setup with 0.250.250.200#53(0.250.250.200) for google.com failed: network unreachable.
#6 0.042 ;; no servers could be reached
#6 0.042 ;; UDP setup with 0.250.250.200#53(0.250.250.200) for google.com failed: network unreachable.
#6 0.042 ;; no servers could be reached
#6 0.042 ;; UDP setup with 0.250.250.200#53(0.250.250.200) for google.com failed: network unreachable.
#6 0.042 ;; no servers could be reached
#6 ERROR: process "/bin/sh -c dig google.com" did not complete successfully: exit code: 9
------
 > [3/3] RUN dig google.com:
0.041 ;; UDP setup with 0.250.250.200#53(0.250.250.200) for google.com failed: network unreachable.
0.042 ;; no servers could be reached
0.042 ;; UDP setup with 0.250.250.200#53(0.250.250.200) for google.com failed: network unreachable.
0.042 ;; no servers could be reached
0.042 ;; UDP setup with 0.250.250.200#53(0.250.250.200) for google.com failed: network unreachable.
0.042 ;; no servers could be reached
------
ERROR: failed to build: failed to solve: process "/bin/sh -c dig google.com" did not complete successfully: exit code: 9

Raw untracked HTTP blocked

from alpine
run HTTP_PROXY= http_proxy= wget http://google.com
#5 [2/2] RUN HTTP_PROXY= http_proxy= wget http://google.com
#5 5.040 wget: bad address 'google.com'
#5 ERROR: process "/bin/sh -c HTTP_PROXY= http_proxy= wget http://google.com" did not complete successfully: exit code: 1
------
 > [2/2] RUN HTTP_PROXY= http_proxy= wget http://google.com:
5.040 wget: bad address 'google.com'
------

Redirects

Clean redirects show up in provenance as extra materials.

from alpine
run wget http://google.com

#6 [2/2] RUN wget http://google.com
#6 0.037 Connecting to 10.89.0.5:35067 (10.89.0.5:35067)
#6 0.279 saving to 'index.html'
#6 0.338 index.html           100% |********************************| 80468  0:00:00 ETA
#6 0.338 'index.html' saved
#6 0.357 proxy network requests:
#6 0.357 - GET http://google.com/ -> 301
#6 0.357 - GET http://www.google.com/ -> 200
#6 DONE 0.4s

» docker buildx history inspect attachment --type https://slsa.dev/provenance/v1 
{
  "buildDefinition": {
    "buildType": "https://github.com/moby/buildkit/blob/master/docs/attestations/slsa-definitions.md",
    "resolvedDependencies": [
      {
        "uri": "pkg:docker/alpine@latest?platform=linux%2Farm64",
        "digest": {
          "sha256": "5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11"
        }
      },
      {
        "uri": "http://google.com/",
        "digest": {
          "sha256": "aef84bc2d3b77f713c2de20ac749b5341cfa4acb0cfa2579d8868254c78ccbed"
        }
      },
      {
        "uri": "http://www.google.com/",
        "digest": {
          "sha256": "aef84bc2d3b77f713c2de20ac749b5341cfa4acb0cfa2579d8868254c78ccbed"
        }
      }
    ],

Source policy

Alpine packages allowed, other URLs blocked.

from alpine
run apk update
run wget http://google.com
package docker

default allow = false

allow if {
    not input.http
}

allow if {
    input.http
    print(input.http)
    input.http.host == "dl-cdn.alpinelinux.org:443"
}

decision := {
    "allow": allow
}
#1 loading policies Dockerfile.rego
#1 0.409 checking policy for source local://context
#1 0.413 policy decision for source local://context: ALLOW
#1 0.433 checking policy for source docker-image://docker.io/library/alpine:latest@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11 (linux/arm64)
#1 0.435 policy decision for source docker-image://docker.io/library/alpine:latest@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11 (linux/arm64): ALLOW
#1 0.547 checking policy for source https://dl-cdn.alpinelinux.org:443/alpine/v3.23/main/aarch64/APKINDEX.tar.gz
#1 0.549 Dockerfile.rego:11: {"host": "dl-cdn.alpinelinux.org:443", "path": "/alpine/v3.23/main/aarch64/APKINDEX.tar.gz", "schema": "https", "url": "https://dl-cdn.alpinelinux.org:443/alpine/v3.23/main/aarch64/APKINDEX.tar.gz"}
#1 0.549 policy decision for source https://dl-cdn.alpinelinux.org:443/alpine/v3.23/main/aarch64/APKINDEX.tar.gz: ALLOW
#1 0.641 checking policy for source https://dl-cdn.alpinelinux.org:443/alpine/v3.23/community/aarch64/APKINDEX.tar.gz
#1 0.647 Dockerfile.rego:11: {"host": "dl-cdn.alpinelinux.org:443", "path": "/alpine/v3.23/community/aarch64/APKINDEX.tar.gz", "schema": "https", "url": "https://dl-cdn.alpinelinux.org:443/alpine/v3.23/community/aarch64/APKINDEX.tar.gz"}
#1 0.647 policy decision for source https://dl-cdn.alpinelinux.org:443/alpine/v3.23/community/aarch64/APKINDEX.tar.gz: ALLOW
#1 0.910 checking policy for source http://google.com/
#1 0.913 Dockerfile.rego:11: {"host": "google.com", "path": "/", "schema": "http", "url": "http://google.com/"}
#1 0.913 policy decision for source http://google.com/: DENY
#1 DONE 1.0s

#6 [2/3] RUN apk update
#6 0.383 v3.23.4-168-gb27ea208cc9 [https://dl-cdn.alpinelinux.org/alpine/v3.23/main]
#6 0.383 v3.23.4-175-gb41205ee696 [https://dl-cdn.alpinelinux.org/alpine/v3.23/community]
#6 0.383 OK: 27434 distinct packages available
#6 0.410 proxy network requests:
#6 0.410 - GET https://dl-cdn.alpinelinux.org/alpine/v3.23/main/aarch64/APKINDEX.tar.gz -> 200
#6 0.410 - GET https://dl-cdn.alpinelinux.org/alpine/v3.23/community/aarch64/APKINDEX.tar.gz -> 200
#6 DONE 0.4s

#7 [3/3] RUN wget http://google.com
#7 0.035 Connecting to 10.89.0.5:37367 (10.89.0.5:37367)
#7 0.038 wget: server returned error: HTTP/1.1 403 Forbidden
#7 ERROR: process "/bin/sh -c wget http://google.com" did not complete successfully: exit code: 1
------
 > [3/3] RUN wget http://google.com:
0.035 Connecting to 10.89.0.5:37367 (10.89.0.5:37367)
0.038 wget: server returned error: HTTP/1.1 403 Forbidden
------
ERROR: failed to build: failed to solve: process "/bin/sh -c wget http://google.com" did not complete successfully: exit code: 1

POST requests work but are not snapshotted in provenance.

from debian
run apt-get update && apt-get install -y curl
run curl -i https://httpbin.org/post \
  -H 'Content-Type: application/json' \
  -d '{"hello":"world"}'
#7 [3/3] RUN curl -i https://httpbin.org/post   -H 'Content-Type: application/json'   -d '{"hello":"world"}'
#7 0.080   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
#7 0.080                                  Dload  Upload   Total   Spent    Left  Speed
100   450  100   433  100    17    938     36 --:--:-- --:--:-- --:--:--   976
#7 0.542 HTTP/1.1 200 Connection Established
#7 0.542
#7 0.542 HTTP/1.1 200 OK
#7 0.542 Content-Length: 433
#7 0.542 Access-Control-Allow-Credentials: true
#7 0.542 Access-Control-Allow-Origin: *
#7 0.542 Content-Type: application/json
#7 0.542 Date: Wed, 13 May 2026 03:01:37 GMT
#7 0.542 Server: gunicorn/19.9.0
#7 0.542
#7 0.542 {
#7 0.542   "args": {},
#7 0.542   "data": "{\"hello\":\"world\"}",
#7 0.542   "files": {},
#7 0.542   "form": {},
#7 0.542   "headers": {
#7 0.542     "Accept": "*/*",
#7 0.542     "Content-Length": "17",
#7 0.542     "Content-Type": "application/json",
#7 0.542     "Host": "httpbin.org",
#7 0.542     "User-Agent": "curl/8.14.1",
#7 0.542     "X-Amzn-Trace-Id": "Root=1-6a03e991-2ef66e464dce89aa514c191e"
#7 0.542   },
#7 0.542   "json": {
#7 0.542     "hello": "world"
#7 0.542   },
#7 0.542   "origin": "xxx",
#7 0.542   "url": "https://httpbin.org/post"
#7 0.542 }
#7 0.567 proxy network requests:
#7 0.567 - POST https://httpbin.org/post -> 200
#7 DONE 0.6s

» docker buildx history inspect attachment --type https://slsa.dev/provenance/v1
{
  "buildDefinition": {
    "buildType": "https://github.com/moby/buildkit/blob/master/docs/attestations/slsa-definitions.md",
    "resolvedDependencies": [
      {
        "uri": "pkg:docker/debian@latest?platform=linux%2Farm64",
        "digest": {
          "sha256": "e2d08da6f42ef4b09b165d55528a12727aeed8240dc9edf888e3ec07e10ef9da"
        }
      },
      {
        "uri": "http://deb.debian.org/debian-security/dists/trixie-security/InRelease",
        "digest": {
          "sha256": "e98652500d170e875be6073d80c03cc2a24479efcea4897bd8506b6d36c2f086"
        }
      },
      {
        "uri": "http://deb.debian.org/debian-security/dists/trixie-security/main/binary-arm64/by-hash/SHA256/085c36098e2068c64077d835e30c72cd91322e9657ba651fa57090c8dfa650dc",
        "digest": {
          "sha256": "085c36098e2068c64077d835e30c72cd91322e9657ba651fa57090c8dfa650dc"
        }
      },
      {
        "uri": "http://deb.debian.org/debian-security/pool/updates/main/o/openssl/openssl_3.5.5-1%7edeb13u2_arm64.deb",
        "digest": {
          "sha256": "0ce35ddd2569346d67d259c9b6e327413be7fb098f6030fe729304e208270171"
        }
      },
      {
        "uri": "http://deb.debian.org/debian/dists/trixie-updates/InRelease",
        "digest": {
          "sha256": "ee62f4a9cdc2c1c22cf8b086c3d1afe9f1cca1db8cbaf4dbbd788e35c3b643d5"
        }
      },


....


        "network": {
          "mode": "proxy",
          "proxy": {
            "incomplete": [
              {
                "op": "sha256:1db164f30edf8f0cb4efdb0041d9f6ac2eb7dff920e8d107d23f64a4eaa7a5f6",
                "name": "/bin/sh -c curl -i https://httpbin.org/post   -H 'Content-Type: application/json'   -d '{\"hello\":\"world\"}'",
                "method": "POST",
                "uri": "https://httpbin.org/post",
                "reason": "method_not_materializable"
              }
            ]
          }
        }
      },
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment