Troubleshooting Local Scanner connectivity issues

This guide helps customers run the Aikido Local Scanner behind corporate proxies, custom SSL inspection, or locked-down networks. It covers when and how to use --enable-proxy and --ca-bundle, which domains to whitelist, and how to fix common certificate errors.

To function correctly, the Local Scanner must be able to access the following domains over HTTPS (port 443): *.aikido.dev

Using `--enable-proxy`

The scanner does not use the system proxy by default. To send all HTTPS traffic through your corporate proxy, you must:

Enable proxy support with the --enable-proxy flag.
Set the proxy URL via the HTTPS_PROXY (or https_proxy) environment variable.

Using `--ca-bundle` (custom root CAs)

When your proxy or firewall performs SSL inspection, it typically replaces the server’s certificate with one signed by an internal/corporate CA.

Use --ca-bundle to point the scanner at a PEM file that contains your corporate root CA certificate(s) (and optionally intermediate CAs). The scanner will then trust those CAs when connecting through the proxy.

Get your corporate CA certificate (e.g. from your IT team or export from the machine’s trust store). It must be in PEM format.
Pass it to the scanner via --ca-bundle or the AIKIDO_CA_BUNDLE environment variable.

Last updated 4 days ago

Was this helpful?

hashtagUsing --enable-proxy

hashtagUsing --ca-bundle (custom root CAs)

Using `--enable-proxy`

Using `--ca-bundle` (custom root CAs)