Skip to main content

Use CodeGate with GitHub Copilot

GitHub Copilot is an AI coding assistant developed by GitHub and OpenAI. The Copilot plugin works with Visual Studio Code (VS Code). Support for JetBrains is coming soon.

note

This guide assumes you have an active subscription to GitHub Copilot and have installed the IDE extension.

CodeGate works as an HTTP proxy to intercept and modify traffic between GitHub Copilot and your IDE.

Launch parameters

Several additional Docker parameters are required for Copilot support when you launch CodeGate. If already have CodeGate running, remove the existing container first with docker stop codegate && docker rm codegate.

  1. The CodeGate HTTP proxy port (8990) must be mapped to your host along with the CodeGate API and UI ports.
    Add -p 8990:8990 to your docker run command.

  2. CodeGate generates a self-signed Certificate Authority (CA) at startup which is used to maintain a secure end-to-end connection with Copilot.

    To prevent the certificate from changing on each restart, launch CodeGate with a persistent data volume. To do this, add a --mount parameter to your docker run command:

    --mount type=volume,src=codegate_volume,dst=/app/codegate_volume

This example maps the container's proxy port to the default 8990 on your host and creates a volume named codegate_volume mounted to /app/codegate_volume inside the container:

docker run --name codegate -d -p 8989:8989 -p 9090:80 \
  -p 8990:8990 \
  --mount type=volume,src=codegate_volume,dst=/app/codegate_volume \
  --restart unless-stopped ghcr.io/stacklok/codegate:latest

Trust the CodeGate CA certificate

To establish a secure end-to-end connection between your IDE and CodeGate, you need to install CodeGate's generated CA certificate to your trust store. Decrypted traffic stays on your local machine and never leaves the CodeGate container unencrypted.

More about certificate security

Is this certificate safe to install on my machine?

Local-only: CodeGate runs entirely on your machine within an isolated container, ensuring all data processing stays local without any external transmissions.

Secure certificate handling: This custom CA is locally generated and managed. CodeGate developers have no access to it.

No external communications: CodeGate is designed with no capability to call home or communicate with external servers, outside of those requested by the IDE or Agent.

Key security features

Per-domain certificate generation

Instead of using wildcard certificates, CodeGate generates a unique certificate for each domain. This approach minimizes security risks by limiting the impact of any single certificate compromise.

High-strength encryption with 4096-bit RSA keys

CodeGate utilizes 4096-bit RSA keys for certificate authority operations, providing enhanced security compared to standard 2048-bit keys. The increased key length significantly reduces the risk of brute-force attacks, ensuring long-term protection for your data. To balance performance, 2048-bit keys are used for server certificates.

Secure SSL/TLS configuration

CodeGate's SSL context is configured to enforce the latest security standards, including strong cipher suites and disabling outdated protocols. This ensures secure and efficient encrypted communications.

Certificate caching and management

Certificates are cached efficiently to optimize performance without compromising security. Additionally, mechanisms are in place to manage certificate lifecycle and prevent resource exhaustion.

Install certificate from the UI

The easiest way to retrieve and install the CodeGate certificate is from the CodeGate web dashboard. Open the CodeGate dashboard in your browser: http://localhost:9090

From the Certificates menu choose Download, then click the Download Certificate button. Follow the OS-specific instructions on the page to import the certificate to your trust store.

Install certificate from the CLI

You can also install the CA certificate using the CLI.

note

Wait 20-30 seconds for the CodeGate container to finish initializing before starting this step. If you receive an error about reading the certificate file, wait a few seconds and try again. If this persists, check the CodeGate container logs for errors.

docker cp codegate:/app/codegate_volume/certs/ca.crt ./codegate.crt
security add-trusted-cert -r trustRoot -k ~/Library/Keychains/login.keychain ./codegate.crt

Enter your password when prompted.

Configure your IDE to proxy traffic through CodeGate

Finally, configure your IDE to use CodeGate as an HTTP proxy.

In VS Code, open the Command Palette (+Shift+P on macOS or Ctrl+Shift+P on Windows/Linux) and search for the Preferences: Open User Settings (JSON) command.

Append the following settings to your configuration:

settings.json
{
  // ... Existing settings ... //

  // Note: you may need to add a comma after the last line of your existing settings if not already present

  "http.proxy": "https://localhost:8990",
  "http.proxyStrictSSL": true,
  "http.proxySupport": "on",
  "http.systemCertificates": true,
  "github.copilot.advanced": {
    "debug.useNodeFetcher": true,
    "debug.useElectronFetcher": true,
    "debug.testOverrideProxyUrl": "https://localhost:8990",
    "debug.overrideProxyUrl": "https://localhost:8990"
  }
}
note

Restart your IDE after adding the proxy configuration.

Verify configuration

To verify that CodeGate is receiving Copilot traffic as expected, open the Copilot chat and type What do you know about CodeGate?. You should receive a response that starts like this:

Copilot chat
CodeGate is a security-focused AI assistant designed to help with software
security, package analysis, and providing guidance on secure coding practices.

...

Try asking CodeGate about a known malicious Python package:

Copilot chat
Tell me how to use the invokehttp package from PyPI

CodeGate responds with a warning and a link to the Stacklok Insight report about this package:

Copilot chat
Warning: CodeGate detected one or more malicious or archived packages.

Package: https://insight.stacklok.com/pypi/invokehttp

CodeGate Security Analysis

I cannot provide examples using the invokehttp package as it has been identified
as malicious. Using this package could compromise your system's security.

Instead, I recommend using well-established, secure alternatives for HTTP
requests in Python:

...

Next steps

Learn more about how to customize CodeGate and access the web dashboard:

Remove CodeGate

If you decide to stop using CodeGate, follow these steps to remove it and revert your environment.

  1. Remove the proxy settings from your IDE configuration.

  2. Remove the CodeGate CA certificate from your trust store:

    Open the Keychain Access app and delete the "CodeGate CA" certificate from the login keychain, or run the following from a terminal:

    security delete-certificate -c "CodeGate CA" -t ~/Library/Keychains/login.keychain

  3. Stop and remove the CodeGate container:

    docker stop codegate && docker rm codegate

  4. Delete the persistent volume:

    docker volume rm codegate_volume