diff --git a/README.md b/README.md index 4c1d4a3..e62cf9a 100644 --- a/README.md +++ b/README.md @@ -3,13 +3,17 @@ # secure-exec -Populates secrets using AWS KMS or SSM into your app +`secure-exec` populates secrets using AWS KMS or SSM into your app. -## Examples +It looks for prefixed variables in environment and replaces them: + - `{aws-kms}encrypted-text` - decrypts the value using AWS KMS + - `{aws-ssm}parameter-name` - loads parameters from AWS Systems Manager Parameter Store + +Then it runs `exec` system call and replaces itself with your app. + +For AWS access the default credentials chain is used. -`secure-exec` looks for prefixed variables in environment and replaces them with secret values: - - `aws-kms` - decrypts the value using default AWS credentials chain - - `aws-ssm` - loads parameters from AWS Systems Manager Parameter Store +## Examples ### Wrap an executable @@ -21,14 +25,16 @@ PARAM="{aws-kms}AQICAHjA3mwvsfng346vnbmf..." secure-exec app ### Docker example -Build an image +Build an image: ``` FROM amazonlinux:2 -ADD https://github.com/secure-exec /secure-exec +ADD https://github.com/secure-exec/ /secure-exec + +COPY app.jar /app.jar -CMD /secure-exec java -jar /myapp.jar +CMD secure-exec java -jar /app.jar ``` Run: @@ -41,4 +47,4 @@ docker run \ ``` `KMS_PARAM` and `SSM_PARAM` will be decrypted/populated and passed to `myapp` environment. -`docker inspect` will still see encrypted value, only `myapp` receives plaintext. +`docker inspect` will still see the old values
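Review bot: In the first hunk, "It looks for prefixed variables in environment" and "Then it runs `exec` system call" both drop an article; suggest "in the environment" and "Then it issues the `exec` system call and replaces itself with your app." The new wording also loses the old sentence's point that the prefixed values are replaced "with secret values"; consider keeping that in the intro line, e.g. "replaces them with the resolved secret values:", so the reader knows the variable is rewritten in place rather than a second variable being added.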
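Review bot: In the Dockerfile hunk, `CMD secure-exec java -jar /app.jar` will fail because the binary is placed at `/secure-exec` by the `ADD` line and `/` is not on the default `PATH`; either keep the previous `CMD /secure-exec java -jar /app.jar` or add the binary somewhere on `PATH`. Two further issues with `ADD https://github.com/secure-exec/ /secure-exec`: a remote `ADD` stores the file with mode 600, so a `RUN chmod +x /secure-exec` is needed before it can be executed, and the URL points at a repository page rather than a release artifact, so it will not yield a binary. Suggest pinning a specific release asset URL and verifying its checksum in the Dockerfile (for example `RUN echo "<sha256>  /secure-exec" | sha256sum -c`), since this binary is what decrypts every secret the container uses.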
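Review bot: In the last hunk, replacing "`docker inspect` will still see encrypted value, only `myapp` receives plaintext." with "`docker inspect` will still see the old values" weakens the one sentence that explains the security property of the tool and also drops the trailing period. Suggest keeping the explicit statement, e.g. "`docker inspect` will still show the encrypted/reference values; only the process started by `secure-exec` receives the plaintext in its environment." Also note that the preceding line and the `docker run` example refer to `myapp`, while the Dockerfile in this same patch was renamed to `/app.jar`; the two should agree.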