> ## Documentation Index > Fetch the complete documentation index at: https://kosli-mbevc1-patch-1.mintlify.site/llms.txt > Use this file to discover all available pages before exploring further. # kosli allow artifact > Add an artifact to an environment's allowlist. ## Synopsis ```shell theme={"theme":"dracula","languages":{"custom":["/languages/rego.json"]}} kosli allow artifact [IMAGE-NAME | FILE-PATH | DIR-PATH] [flags] ``` Add an artifact to an environment's allowlist. The artifact fingerprint can be provided directly with the `--fingerprint` flag, or calculated based on `--artifact-type` flag. Artifact type can be one of: "file" for files, "dir" for directories, "oci" for container images in registries or "docker" for local docker images. Note: `--artifact-type=docker` reads the image's repo digest via the local Docker daemon. The image must have been pushed to or pulled from a registry for a repo digest to exist; a freshly built image (just `docker build`) will not have one. If the image is already in a registry, prefer `--artifact-type=oci`, which fetches the digest directly from the registry without needing a local Docker daemon. ## Flags | Flag | Description | | :----------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `-t`, `--artifact-type` string | The type of the artifact to calculate its SHA256 fingerprint. One of: \[oci, docker, file, dir]. Only required if you want Kosli to calculate the fingerprint for you (i.e. when you don't specify '`--fingerprint`' on commands that allow it). | | `-D`, `--dry-run` | \[optional] Run in dry-run mode. When enabled, no data is sent to Kosli and the CLI exits with 0 exit code regardless of any errors. | | `-e`, `--environment` string | The environment name for which the artifact is allowlisted. | | `-x`, `--exclude` strings | \[optional] The comma separated list of directories and files to exclude from fingerprinting. Can take glob patterns. Only applicable for `--artifact-type` dir. | | `-F`, `--fingerprint` string | \[conditional] The SHA256 fingerprint of the artifact. Only required if you don't specify '`--artifact-type`'. | | `-h`, `--help` | help for artifact | | `--reason` string | The reason why this artifact is allowlisted. | | `--registry-password` string | \[conditional] The container registry password or access token. Only required if you want to read container image SHA256 digest from a remote container registry. | | `--registry-username` string | \[conditional] The container registry username. Only required if you want to read container image SHA256 digest from a remote container registry. | ## Flags inherited from parent commands | Flag | Description | | :---------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------ | | `-a`, `--api-token` string | The Kosli API token. | | `-c`, `--config-file` string | \[optional] The Kosli config file path. (default "kosli") | | `--debug` | \[optional] Print debug logs to stdout. | | `-H`, `--host` string | \[defaulted] The Kosli endpoint. (default "[https://app.kosli.com](https://app.kosli.com)") | | `--http-proxy` string | \[optional] The HTTP proxy URL including protocol and port number. e.g. `http://proxy-server-ip:proxy-port` | | `-r`, `--max-api-retries` int | \[defaulted] How many times should API calls be retried when the API host is not reachable. (default 3) | | `--org` string | The Kosli organization. | | `-q`, `--quiet` | \[optional] Suppress non-critical warning messages. Errors and normal output are not affected. If both `--quiet` and `--debug` are set, `--debug` wins. |