[cli] docs: document how to pass secrets to containers in docker compose

paolino · paolino · commit dd86cbe70f67 · 2025-09-16T21:32:05.000+01:00
diff --git a/cli/README.md b/cli/README.md
@@ -64,7 +64,6 @@ For scripting purposes you can disable the pretty effect of the env-var by passi
 
 ### Environment variables
 
-
 #### MPFS host
 If you do not want to host your own MPFS service, you can use a public one at `https://mpfs.plutimus.com`.
 
@@ -216,6 +215,8 @@ anti facts --help
 ```
 will show you all the available facts you can query.
 
+
+
 ## Design
 
 [Interface Design document](docs/antithesis-interface.md)
@@ -225,11 +226,12 @@ will show you all the available facts you can query.
 
 Depending on your role you can access the different manuals.
 
+
 - [Requester manual](docs/requester-role.md). A test-run requester is the regular user of the system. They can register users and roles, and request test-runs.
 - [Agent manual](docs/antithesis-agent-role.md). This is a special role that holds the key to the Antithesis platform. It is responsible  for
   whitelisting repository and managing test-runs, from pending state to running and completed.
 - [Oracle manual](docs/oracle-role.md). The oracle is the owner of the Antithesis token. It is almost mechanically responsible for merging change requests from the agent and the requester.
-
+- [Secrets management manual](docs/secrets-management.md). This manual describes how to manage secrets in a secure way.
 Finally, the [Real-world scenario manual][realWorld] provides a realistic overall use case involving all three roles.
 
 [realWorld]: docs/real-world.md
diff --git a/cli/docs/secrets-management.md b/cli/docs/secrets-management.md
@@ -0,0 +1,35 @@
+# Secrets management tips
+
+## Secrets in docker containers
+
+When passing secrets to a docker container in a compose you can use the `ANTI_SECRETS_FILE` environment variable to point to a file containing the secrets in yaml format. So instead of setting say `ANTI_SSH_PASSWORD` and `ANTI_GITHUB_PAT` you can create a file `secrets.yaml` with the following content:
+
+```yaml
+sshPassword: your_ssh_password
+githubPAT: your_github_pat
+```
+
+and then pass it to the container with someething like:
+
+```yaml
+services:
+  anti:
+    .....
+    environment:
+      - ANTI_SECRETS_FILE=/run/secrets/anti_secrets
+    secrets:
+      - anti_secrets
+
+secrets:
+  anti_secrets:
+    file: ./secrets.yaml
+```
+
+These are the supported secrets for different commands:
+```yaml
+sshPassword: requester_ssh_password
+githubPAT: requester_or_oracle_github_pat
+walletPassphrase: anyone_wallet_passphrase_if_any
+antithesisPassword: agent_antithesis_platform_password
+slackWebhook: agent_slack_webhook_url
+```
