docker pass run
| Description | Run a command with `se://` environment references resolved. |
|---|---|
| Usage | `docker pass run -- CMD [ARGS...] [flags]` |
Experimental
This command is experimental.
Experimental features are intended for testing and feedback. Their functionality or design may change between releases without warning, and they may be removed entirely in a future release.
Description
Scans the current environment (plus any `--env-file` inputs) for variables
whose value is exactly `se://<ID|pattern>`. Each reference is resolved through the
secrets-engine daemon and the resolved value is passed to the child process.
The child inherits stdin, stdout, and stderr.
Requires the secrets-engine daemon (Docker Desktop) to be running.
If any reference cannot be resolved, the command fails before the child is started and exits non-zero.
Options
| Option | Default | Description |
|---|---|---|
| `--env-file` | | Read environment variables from a dotenv-formatted file. Repeatable; later files override earlier files and the process environment. |
Examples
Run a command with one secret in its environment:
$ SE_TOKEN=se://gh-token docker pass run -- gh repo list
Multiple references:
$ DB_PASSWORD=se://myapp/postgres/password API_KEY=se://myapp/anthropic/api-key docker pass run -- ./my-binary
Resolve references from a dotenv file:
$ docker pass run --env-file .env -- ./my-binary
Multiple files (later overrides earlier; files override the process environment):
$ docker pass run --env-file .env --env-file .env.local -- ./my-binary
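To check which variables would be sent to the secrets engine before running a command, the following added example (not part of Docker's tooling) merges a process environment and dotenv files in the documented order and lists the `se://` references that remain. The dotenv parsing is a simplified assumption, as is reading "exactly" to mean the whole value must be the reference; `parse_dotenv`, `is_reference`, `plan` and `demo` are hypothetical names, and the sample files are constructed.

```python
import os
import tempfile

PREFIX = "se://"  # reference scheme from the page

def parse_dotenv(path):
    """Simplified dotenv reader (assumption): KEY=VALUE lines, '#' comments,
    optional matching quotes around the value."""
    pairs = {}
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = (part.strip() for part in line.split("=", 1))
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
                value = value[1:-1]
            pairs[key] = value
    return pairs

def is_reference(value):
    """True only when the whole value is se://<something>; an se:// string
    embedded in a longer value is treated as a plain literal (assumption)."""
    return value.startswith(PREFIX) and len(value) > len(PREFIX)

def plan(process_env, env_files):
    """Merge in the documented order (process env, then each file in turn) and
    return the variables that would be sent to the secrets engine."""
    merged = dict(process_env)
    for path in env_files:
        merged.update(parse_dotenv(path))
    return {k: v for k, v in merged.items() if is_reference(v)}

def demo():
    """Constructed sample: a process env plus .env and .env.local files."""
    with tempfile.TemporaryDirectory() as d:
        base, local = os.path.join(d, ".env"), os.path.join(d, ".env.local")
        with open(base, "w") as fh:
            fh.write("DB_PASSWORD=se://myapp/postgres/password\n"
                     "DB_URL=postgres://app:se://myapp/postgres/password@db/app\n")
        with open(local, "w") as fh:
            fh.write("API_KEY=plaintext-override\n")
        env = {"API_KEY": "se://myapp/anthropic/api-key", "SE_TOKEN": "se://gh-token"}
        return plan(env, [base, local])

if __name__ == "__main__":
    for name, ref in sorted(demo().items()):
        print(f"{name} -> {ref}")
```

In the sample, `API_KEY` drops out of the list because `.env.local` replaces the reference with a literal value, and `DB_URL` is never listed because its reference is embedded in a longer string.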