CLI Guide
Docker Integration
EnvVault ships two CLI commands purpose-built for containerized workflows: envv docker-env (emit env-file) and envv docker-run (wrap any docker / docker-compose command).
envv docker-env
Print all merged variables (org secrets + project variables) in KEY=VALUE format. Redirect the output into a file that docker run --env-file, or any Compose service that accepts an env-file, can consume.
```bash
# Write the env-file
envv docker-env -e production > .env.prod
# Run a container with it
docker run --rm --env-file=.env.prod my-image:latest
# Or use it from docker-compose
# docker-compose.yml:
#   services:
#     web:
#       env_file: .env.prod
```
Treat .env.prod files as sensitive — gitignore them and delete after deploy.

envv docker-run
Wrap any docker or docker compose invocation. The wrapper writes a temporary env-file, passes it to docker, and cleans it up after the command exits.
```bash
envv docker-run -- docker compose up -d
envv docker-run -e production -- docker compose -f compose.prod.yml up -d
envv docker-run -- docker run --rm my-image npm test
```

Lifecycle Flags
| Flag | Behavior |
|---|---|
| -e, --env | Target environment. |
| --env-file | Custom path for the temp env-file. Default: auto-generated under ~/.envv/cache. |
| --restart | Stop and recreate matching containers before up. Useful after rotating a secret. |
| --cleanup | Tear down containers (and orphans) when the wrapped command exits. |
| --remove-volumes | Combine with --cleanup to also drop named volumes. |
```bash
# Hot-restart all services after rotating DATABASE_URL
envv secrets set DATABASE_URL=... -e production
envv docker-run -e production --restart -- docker compose up -d
# Run integration tests with a clean teardown
envv docker-run -e test --cleanup --remove-volumes -- docker compose -f compose.test.yml run integration
```

Compose Best Practices
Don't set environment: per-service in docker-compose.yml. Let envv docker-run pass everything via an env-file so secrets aren't in your repo.
For multi-service stacks, set per-service overrides via ${VAR:-default} in the compose file and let EnvVault provide the actual VAR.
In production, run envv docker-run --restart after every secret rotation so containers pick up the new values without a manual docker compose down/up.
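
When envv docker-env is called directly rather than through envv docker-run, the advice in the docker-env section (treat the env-file as sensitive and delete it after deploy) can be enforced in a small wrapper. The following is an added example, not EnvVault code: the function name with_env_file, the {} placeholder and the temp-file location are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not EnvVault code. Assumes `envv docker-env -e ENV` prints
# KEY=VALUE lines as described above; `with_env_file` and the `{}` placeholder
# are hypothetical names introduced for this sketch.
#
# Usage: with_env_file ENV COMMAND [ARGS...]
#   e.g. with_env_file production docker run --rm --env-file={} my-image:latest

with_env_file() (
    # The function body is a subshell: umask, traps and variables do not leak.
    env_name=$1
    shift
    placeholder='{}'

    umask 077    # anything created here is readable by the owner only
    file=$(mktemp "${TMPDIR:-/tmp}/envv.XXXXXX") || exit 1

    # Remove the file on every exit path, including interrupts.
    trap 'rm -f "$file"' EXIT
    trap 'exit 129' HUP INT TERM

    # Abort if the export fails, so the command never runs with an empty
    # or partial env-file.
    envv docker-env -e "$env_name" > "$file" || exit 1

    # Rebuild the argument list, substituting the temp path for {}.
    for arg do
        shift
        case $arg in
            *"$placeholder"*)
                arg=${arg%%"$placeholder"*}$file${arg#*"$placeholder"} ;;
        esac
        set -- "$@" "$arg"
    done

    # Run the wrapped command; its exit status becomes the function's status.
    "$@"
)
```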