A Dev Container helper for developing inside a corporate network protected by SSL inspection.

```json
"features": {
    "ghcr.io/tomgrv/devcontainer-features/gateway:5": {}
}
```

```sh
npx tomgrv/devcontainer-features -- add gateway
```

SSL inspection tools act as a man-in-the-middle TLS proxy and replace server certificates with their own. This breaks tools like curl, git, npm, pip, and others that perform certificate validation, because the root CA is not trusted by default inside a container.
- Installs the SSL inspection root CA certificate provided in `.devcontainer/.gateway/certs/gateway.pem` into the system trust store at build time.
- Exposes the certificate path via environment variables consumed by common runtimes and tools (Node.js, Python, Git, curl, Composer).
- Replaces the system `curl` binary (locally and in devcontainer) with a wrapper script (`gateway-curl`) that transparently handles gateway redirect forms and cookie management.
```
.devcontainer/
├── devcontainer.json       # Dev Container configuration
├── create.sh               # postCreateCommand
├── start.sh                # postStartCommand
└── .gateway/
    └── certs/
        └── gateway.pem     # Gateway root CA certificate ← YOU MUST SUPPLY THIS
```
- VS Code with the Dev Containers extension, or GitHub Codespaces.
- Docker (local) or a Codespaces-compatible environment.
- Your organisation's root CA certificate in PEM format.
- Run the feature installer

  Declaring the feature in your `devcontainer.json` may not be sufficient, as you would need to have the Zscaler certificate in place at build time.
  To work around this, run the installer script manually in your terminal:

  ```sh
  npx tomgrv/devcontainer-features -- add gateway
  ```

- Add your root CA certificate

  Export the root CA from your browser or system trust store and save it as:

  ```
  .devcontainer/.gateway/certs/gateway.pem
  ```

  The certificate must be in PEM format (base64-encoded, begins with `-----BEGIN CERTIFICATE-----`).

- Customise `devcontainer.json` (optional)

  Add or remove Dev Container Features, VS Code extensions, forwarded ports, etc. to suit your project.
  Comes pre-configured with tomgrv's devcontainer features for Git utilities, Git hooks management, and semantic versioning with GitVersion.

- Open in Dev Container

  - VS Code: open the repository folder and choose Reopen in Container when prompted.
  - GitHub Codespaces: click Code → Create codespace on main.
| Variable | Purpose |
|---|---|
| `NODE_EXTRA_CA_CERTS` | Node.js / npm TLS trust |
| `REQUESTS_CA_BUNDLE` | Python requests / pip TLS trust |
| `SSL_CERT_FILE` | OpenSSL-based tools |
| `CURL_CA_BUNDLE` | curl TLS trust |
| `GIT_SSL_CAINFO` | git TLS trust |
| `COMPOSER_CA_FILE` | PHP Composer TLS trust |
The `gateway-curl` script replaces `/usr/bin/curl` (the real binary is kept at `/usr/bin/curl.real`). When a request is intercepted by a gateway and redirected to an authentication/acceptance form, the wrapper:

- Detects the HTML form response from the gateway.
- Parses and auto-submits the form fields.
- Saves the resulting session cookies to `~/.gateway_cookies.txt`.
- Re-issues the original request transparently.

All other requests are passed through to `curl.real` unchanged.
Certificate errors still occurring

Verify that `gateway.pem` contains the correct root CA (not an intermediate or leaf certificate). You can inspect it with:

```sh
openssl x509 -in .devcontainer/.gateway/certs/gateway.pem -noout -subject -issuer
```

update-ca-certificates has no effect

Make sure the file extension is `.crt` inside the container (`/usr/local/share/ca-certificates/gateway.crt`). The Dockerfile handles the rename automatically.

curl wrapper causes issues

Set `VERBOSE=0` to suppress wrapper log output, or call `/usr/bin/curl.real` directly to bypass the wrapper entirely.
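
The root-versus-intermediate check from "Certificate errors still occurring" can be automated. The following is an added example, not part of this project's code: it walks the DER structure with the Python standard library only and reports, for every certificate in the file, whether issuer and subject are identical. The function names are hypothetical, and the comparison is byte-for-byte on the encoded names; it does not verify signatures.

```python
import base64, re, sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER encodings of the issuer and subject Names."""
    _, pos, _ = _tlv(der, 0)      # Certificate ::= SEQUENCE
    _, pos, _ = _tlv(der, pos)    # tbsCertificate ::= SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:               # optional [0] EXPLICIT version (absent in v1)
        pos = end
    fields = []
    for _ in range(5):            # serial, signature alg, issuer, validity, subject
        _, _, end = _tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def self_issued_flags(pem_text):
    """One bool per certificate in pem_text: True when issuer == subject."""
    flags = []
    for match in PEM_RE.finditer(pem_text):
        # b64decode drops the line breaks inside the PEM body by default
        issuer, subject = issuer_and_subject(base64.b64decode(match.group(1)))
        flags.append(issuer == subject)
    return flags

if __name__ == "__main__":
    # Default path is the one this README uses; pass another path as argv[1].
    path = sys.argv[1] if len(sys.argv) > 1 else ".devcontainer/.gateway/certs/gateway.pem"
    with open(path, encoding="ascii", errors="replace") as fh:
        flags = self_issued_flags(fh.read())
    for i, root in enumerate(flags, 1):
        print(f"certificate {i}: {'self-issued (root)' if root else 'issued by another CA'}")
    # Fail when the file holds no certificate or anything that is not self-issued.
    sys.exit(0 if flags and all(flags) else 1)
```

A non-zero exit status means the file is empty of certificates or contains a leaf or intermediate, which is the case the troubleshooting entry warns about.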
MIT