diff --git a/.github/workflows/preview-env.yml b/.github/workflows/preview-env.yml
index afcaee1a..9fe96ecc 100644
--- a/.github/workflows/preview-env.yml
+++ b/.github/workflows/preview-env.yml
@@ -436,24 +436,25 @@ jobs: body: lines.join('\n'), }); - # ---------- Security scanning ---------- - - name: Trivy IaC scan - if: github.event.action != 'closed' - uses: nhs-england-tools/trivy-action/iac-scan@289984b2f03034233a347d6dbadecd5ca9ea9634 - with: - scan-ref: infrastructure/environments/preview - artifact-name: trivy-iac-scan-${{ steps.meta.outputs.branch_name }} - - - name: Trivy image scan - if: github.event.action != 'closed' - uses: nhs-england-tools/trivy-action/image-scan@289984b2f03034233a347d6dbadecd5ca9ea9634 - with: - image-ref: ${{steps.meta.outputs.ecr_url}}:${{steps.meta.outputs.branch_name}} - artifact-name: trivy-image-scan-${{ steps.meta.outputs.branch_name }} - - - name: Generate SBOM - if: github.event.action != 'closed' - uses: nhs-england-tools/trivy-action/image-scan@289984b2f03034233a347d6dbadecd5ca9ea9634 - with: - image-ref: ${{steps.meta.outputs.ecr_url}}:${{steps.meta.outputs.branch_name}} - artifact-name: trivy-sbom-${{ steps.meta.outputs.branch_name }} + # desable trivy in light of attack https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise + # # ---------- Security scanning ---------- + # - name: Trivy IaC scan + # if: github.event.action != 'closed' + # uses: nhs-england-tools/trivy-action/iac-scan@289984b2f03034233a347d6dbadecd5ca9ea9634 + # with: + # scan-ref: infrastructure/environments/preview + # artifact-name: trivy-iac-scan-${{ steps.meta.outputs.branch_name }} + + # - name: Trivy image scan + # if: github.event.action != 'closed' + # uses: nhs-england-tools/trivy-action/image-scan@289984b2f03034233a347d6dbadecd5ca9ea9634 + # with: + # image-ref: ${{steps.meta.outputs.ecr_url}}:${{steps.meta.outputs.branch_name}} + # artifact-name: trivy-image-scan-${{ steps.meta.outputs.branch_name }} + + # - name: Generate SBOM + # if: github.event.action != 'closed' + # uses: nhs-england-tools/trivy-action/image-scan@289984b2f03034233a347d6dbadecd5ca9ea9634 + # with: + # image-ref: 
${{steps.meta.outputs.ecr_url}}:${{steps.meta.outputs.branch_name}} + # artifact-name: trivy-sbom-${{ steps.meta.outputs.branch_name }} diff --git a/Makefile b/Makefile index c1f094c1..363776e9 100644 --- a/Makefile +++ b/Makefile @@ -20,6 +20,7 @@ endif IMAGE_NAME := ${IMAGE_REPOSITORY}:${IMAGE_TAG} COMMIT_VERSION := $(shell git rev-parse --short HEAD) BUILD_DATE := $(shell date -u +"%Y%m%d") +INCLUDE_DEV_CERTS ?= ${DEV_CERTS_INCLUDED} # ============================================================================== # Example CI/CD targets are: dependencies, build, publish, deploy, clean, etc. 
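Review bot: The steps being commented out were already pinned to a full commit SHA (`@289984b2f03034233a347d6dbadecd5ca9ea9634`), and if the linked incident is mutable-tag repointing a SHA pin is exactly the control that blocks it, so the new comment should say what the residual exposure actually is (for example the wrapper action resolving upstream Trivy by tag, or fetching a binary from a release) — otherwise nobody can tell when re-enabling is safe. As written the hunk drops IaC scanning, image vulnerability scanning and SBOM generation for every preview deployment with no replacement and no tracking reference, and the first added line has a typo (`desable`). I would replace that line with `# TODO(security): Trivy scans disabled pending <tracking issue>; see https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise — re-enable once the pinned nhs-england-tools/trivy-action wrapper is confirmed to resolve its upstream dependencies by immutable SHA.` Keeping the block as a comment rather than deleting it is reasonable, since restoring it is then a per-step toggle.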
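Review bot: `INCLUDE_DEV_CERTS ?= ${DEV_CERTS_INCLUDED}` takes its default from a variable whose origin is not visible in this diff, and when that variable is unset the build-arg is later passed as an empty string rather than `false`, so only the Dockerfile's string comparison keeps the behaviour correct. I would normalise it to a strict boolean at this line, `INCLUDE_DEV_CERTS ?= $(if $(filter true,${DEV_CERTS_INCLUDED}),true,false)`, and add a comment above it naming where `DEV_CERTS_INCLUDED` is set (presumably the dev-container environment — confirm).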
@@ -41,13 +42,25 @@ build-gateway-api: dependencies @rm -rf ../infrastructure/images/gateway-api/resources/build/ @mkdir ../infrastructure/images/gateway-api/resources/build/ @cp -r ./target/gateway-api ../infrastructure/images/gateway-api/resources/build/ + # If dev certificates are present inside the dev container, copy them into + # the gateway-api image build context so they can be installed there too. + @if [ -d "/resources/dev-certificates" ]; then \ + rm -rf ../infrastructure/images/gateway-api/resources/dev-certificates; \ + mkdir -p ../infrastructure/images/gateway-api/resources/dev-certificates; \ + cp -r /resources/dev-certificates/* ../infrastructure/images/gateway-api/resources/dev-certificates/; \ + fi # Remove temporary build artefacts once build has completed @rm -rf target && rm -rf dist .PHONY: build build: build-gateway-api # Build the project artefact @Pipeline @echo "Building Docker x86 image using Docker. Utilising python version: ${PYTHON_VERSION} ..." - @$(docker) buildx build --platform linux/amd64 --load --provenance=false --build-arg PYTHON_VERSION=${PYTHON_VERSION} --build-arg COMMIT_VERSION=${COMMIT_VERSION} --build-arg BUILD_DATE=${BUILD_DATE} -t ${IMAGE_NAME} infrastructure/images/gateway-api + @if [[ -n "$${IN_BUILD_CONTAINER}" ]]; then \ + echo "building with dev certs ..." ; \ + $(docker) buildx build --platform linux/amd64 --load --provenance=false --build-arg PYTHON_VERSION=${PYTHON_VERSION} --build-arg COMMIT_VERSION=${COMMIT_VERSION} --build-arg BUILD_DATE=${BUILD_DATE} --build-arg INCLUDE_DEV_CERTS=${INCLUDE_DEV_CERTS} -t ${IMAGE_NAME} infrastructure/images/gateway-api + else \ + $(docker) buildx build --platform linux/amd64 --load --provenance=false --build-arg PYTHON_VERSION=${PYTHON_VERSION} --build-arg COMMIT_VERSION=${COMMIT_VERSION} --build-arg BUILD_DATE=${BUILD_DATE} -t ${IMAGE_NAME} infrastructure/images/gateway-api + fi @echo "Docker image '${IMAGE_NAME}' built successfully!" 
publish: # Publish the project artefact @Pipeline diff --git a/infrastructure/images/build-container/Dockerfile b/infrastructure/images/build-container/Dockerfile index e062232e..ee4e2426 100644 --- a/infrastructure/images/build-container/Dockerfile +++ b/infrastructure/images/build-container/Dockerfile @@ -39,6 +39,8 @@ RUN apk update && \ # Required to support the building of other docker images. docker-cli \ docker-cli-buildx \ + libxml2-dev \ + libxslt-dev \ # pyenv suggested requirements taken from https://github.com/pyenv/pyenv/wiki#suggested-build-environment build-base \ libffi-dev \ diff --git a/infrastructure/images/gateway-api/Dockerfile b/infrastructure/images/gateway-api/Dockerfile index d5b1ce55..95d485ea 100644 --- a/infrastructure/images/gateway-api/Dockerfile +++ b/infrastructure/images/gateway-api/Dockerfile @@ -2,13 +2,25 @@ ARG PYTHON_VERSION=invalid FROM python:${PYTHON_VERSION}-alpine3.23 AS gateway-api +# Controls whether dev certificates (if present) are installed into this image. +ARG INCLUDE_DEV_CERTS=false + +COPY resources/ /resources + +# Install required certificates for dev machines. +RUN if [ "$INCLUDE_DEV_CERTS" = "true" ] && [ -d /resources/dev-certificates ]; then \ + cp -r /resources/dev-certificates/* /usr/local/share/ca-certificates/; \ + update-ca-certificates; \ + cp -r /resources/dev-certificates/* /etc/ssl/certs/; \ + else \ + rm -rf /resources/dev-certificates || true; \ + fi + RUN apk upgrade --no-cache && \ pip install --no-cache-dir --upgrade pip && \ addgroup -S nonroot && \ adduser -S gateway_api_user -G nonroot -COPY resources/ /resources - WORKDIR /resources/build/gateway-api ENV PYTHONPATH=/resources/build/gateway-api diff --git a/infrastructure/images/gateway-api/resources/.gitignore b/infrastructure/images/gateway-api/resources/.gitignore index 796b96d1..73ea2e21 100644 --- a/infrastructure/images/gateway-api/resources/.gitignore +++ b/infrastructure/images/gateway-api/resources/.gitignore 
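Review bot: The certificate staging added at the top of the hunk is gated only on the directory existing, not on `INCLUDE_DEV_CERTS`, so every build run from a dev container copies the dev CA into the gateway-api build context, and because the Dockerfile does `COPY resources/ /resources` those files land in an image layer even when the install branch is skipped; a staging directory left by an earlier build also survives into later builds, since nothing removes it when the flag is off. Two smaller issues: `cp -r /resources/dev-certificates/*` fails on an empty directory (the unmatched glob is passed literally) and, being the last command in the `if` body, that failure aborts the target; and `[[ -n ... ]]` is bash syntax while make recipes run under `/bin/sh` unless `SHELL` is set elsewhere in this Makefile (not visible here). The two near-identical `buildx build` lines differ in a single `--build-arg`, which is easier to keep in sync as one command plus a conditional variable. The rewrite below gates staging on the flag, always clears the staged directory first, copies with `dir/.` instead of a glob, and collapses the duplicated command; `build-gateway-api` starts before this hunk.
```makefile
	# … unchanged: clean/build/copy of ./target/gateway-api …
	# Stage dev certificates only when explicitly requested. The whole
	# resources/ directory is COPY'd into the image, so anything staged
	# here ends up in an image layer even if it is never installed;
	# always clear the staging directory first so stale certs from an
	# earlier dev build cannot leak into a later one.
	@rm -rf ../infrastructure/images/gateway-api/resources/dev-certificates
	@if [ "${INCLUDE_DEV_CERTS}" = "true" ] && [ -d /resources/dev-certificates ]; then \
		mkdir -p ../infrastructure/images/gateway-api/resources/dev-certificates; \
		cp -r /resources/dev-certificates/. ../infrastructure/images/gateway-api/resources/dev-certificates/; \
	fi
	# … unchanged: removal of target/dist …

# Pass the dev-cert build-arg only inside the build container; elsewhere the
# Dockerfile default (false) applies. POSIX sh friendly, no bash-only [[ ]].
DEV_CERT_BUILD_ARG := $(if ${IN_BUILD_CONTAINER},--build-arg INCLUDE_DEV_CERTS=${INCLUDE_DEV_CERTS},)

build: build-gateway-api # Build the project artefact @Pipeline
	@echo "Building Docker x86 image using Docker. Utilising python version: ${PYTHON_VERSION} ..."
	@$(docker) buildx build --platform linux/amd64 --load --provenance=false --build-arg PYTHON_VERSION=${PYTHON_VERSION} --build-arg COMMIT_VERSION=${COMMIT_VERSION} --build-arg BUILD_DATE=${BUILD_DATE} ${DEV_CERT_BUILD_ARG} -t ${IMAGE_NAME} infrastructure/images/gateway-api
	@echo "Docker image '${IMAGE_NAME}' built successfully!"
```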
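Review bot: `libxml2-dev` and `libxslt-dev` are added without a comment, unlike the neighbouring entries which each say what they are for, and the addition is unrelated to the dev-certificate change the rest of this commit makes. I would add a comment above them in the same style as the existing ones, e.g. `# Required to build <package name placeholder> against libxml2/libxslt.`, naming the Python package that needs them (presumably an lxml-style dependency — confirm).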
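Review bot: The `else rm -rf /resources/dev-certificates` branch does not keep the dev CA out of the image: the `COPY resources/ /resources` above it has already committed those files to their own layer, and a later `RUN rm` only hides them in the final filesystem view, so the only effective gate is keeping `dev-certificates` out of the build context unless `INCLUDE_DEV_CERTS=true` (the staging step in the Makefile hunk is where that has to happen). The `|| true` is also redundant, since `rm -rf` on a missing path already exits 0. In the install branch, `update-ca-certificates` on most distributions only registers files with a `.crt` extension under `/usr/local/share/ca-certificates`, and the second `cp` into `/etc/ssl/certs/` looks redundant with what `update-ca-certificates` generates there — both worth confirming against the Alpine package. I would replace the comment above the `RUN` with `# Dev-only: adds a private CA to the system trust store (presumably so outbound TLS to dev infrastructure verifies — confirm). Must never be true for a published image; the files are already in the COPY layer, so removing them here only hides them.` and drop the `else` branch.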
@@ -1 +1,2 @@
 /build
+/dev-certificates