# docker pass run **Description:** Run a command with `se://` environment references resolved. **Usage:** `docker pass run -- CMD [ARGS...] [flags]` > [!NOTE] > **Experimental** > > This command is experimental. Experimental features are intended for testing and feedback as their functionality or design may change between releases without warning or can be removed entirely in a future release. ## Description Scans the current environment (plus any `--env-file` inputs) for variables whose value is exactly `se://`. Each reference is resolved through the secrets-engine daemon and the resolved value is passed to the child process. The child inherits stdin, stdout, and stderr. Requires the secrets-engine daemon (Docker Desktop) to be running. If any reference cannot be resolved, the command fails before the child is started and exits non-zero. ## Options | Option | Default | Description | |--------|---------|-------------| | `--env-file` | | Read environment variables from a dotenv-formatted file. Repeatable; later files override earlier files and the process environment. | ## Examples ### Run a command with one secret in its environment: ```console $ SE_TOKEN=se://gh-token docker pass run -- gh repo list ``` ### Multiple references: ```console $ DB_PASSWORD=se://myapp/postgres/password API_KEY=se://myapp/anthropic/api-key docker pass run -- ./my-binary ``` ### Resolve references from a dotenv file: ```console $ docker pass run --env-file .env -- ./my-binary ``` ### Multiple files (later overrides earlier; files override the process environment): ```console $ docker pass run --env-file .env --env-file .env.local -- ./my-binary ```