diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 1407f3c8..a9055aa1 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -42,10 +42,38 @@ jobs:
           path: ${{ steps.go-cache-paths.outputs.GOCACHE }}
           key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.**', '**.go') }}
 
-      # Install Go!
       - uses: actions/setup-go@v3
         with:
           go-version: "~1.21"
 
       - name: Test
         run: make test
+  docs:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Echo Go Cache Paths
+        id: go-cache-paths
+        run: |
+          echo "GOCACHE=$(go env GOCACHE)" >> ${{ runner.os == 'Windows' && '$env:' || '$' }}GITHUB_OUTPUT
+          echo "GOMODCACHE=$(go env GOMODCACHE)" >> ${{ runner.os == 'Windows' && '$env:' || '$' }}GITHUB_OUTPUT
+
+      - name: Go Build Cache
+        uses: actions/cache@v3
+        with:
+          path: ${{ steps.go-cache-paths.outputs.GOCACHE }}
+          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.**', '**.go') }}
+
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "~1.21"
+
+      - name: Generate docs
+        run: make docs
+
+      - name: Check for unstaged files
+        run: git diff --exit-code
diff --git a/Makefile b/Makefile
index 7d6102ce..d607f956 100644
--- a/Makefile
+++ b/Makefile
@@ -7,6 +7,9 @@ develop:
 build: scripts/envbuilder-$(GOARCH)
 	./scripts/build.sh
 
+docs: options.go
+	go run ./scripts/docsgen/main.go
+
 .PHONY: test
 test: test-registry test-images
 	go test -count=1 ./...
diff --git a/README.md b/README.md
index d33f20a6..05a9b523 100644
--- a/README.md
+++ b/README.md
@@ -202,7 +202,8 @@ A sample script to pre-fetch a number of images can be viewed [here](./examples/
 
 The `SETUP_SCRIPT` environment variable dynamically configures the user and init command (PID 1) after the container build process.
 
-> **Note** > `TARGET_USER` is passed to the setup script to specify who will execute `INIT_COMMAND` (e.g., `code`).
+> [!NOTE]
+> `TARGET_USER` is passed to the setup script to specify who will execute `INIT_COMMAND` (e.g., `code`).
 
 Write the following to `$ENVBUILDER_ENV` to shape the container's init process:
 
@@ -250,3 +251,40 @@ On MacOS or Windows systems, we recommend either using a VM or the provided `.de
 - `develop`: runs `envbuilder:latest` against a sample Git repository.
 - `test`: run tests.
 - `test-registry`: stands up a local registry for caching images used in tests.
+
+<!--- Code generated by docsgen. DO NOT EDIT. --->
+<!--- START docsgen --->
+## Environment Variables
+
+| Environment variable | Default | Description |
+| - | - | - |
+| `SETUP_SCRIPT` |  | The script to run before the init script. It runs as the root user regardless of the user specified in the devcontainer.json file. SetupScript is ran as the root user prior to the init script. It is used to configure envbuilder dynamically during the runtime. e.g. specifying whether to start systemd or tiny init for PID 1. |
+| `INIT_SCRIPT` | `sleep infinity` | The script to run to initialize the workspace. |
+| `INIT_COMMAND` | `/bin/sh` | The command to run to initialize the workspace. |
+| `INIT_ARGS` |  | The arguments to pass to the init command. They are split according to /bin/sh rules with https://github.com/kballard/go-shellquote. |
+| `CACHE_REPO` |  | The name of the container registry to push the cache image to. If this is empty, the cache will not be pushed. |
+| `BASE_IMAGE_CACHE_DIR` |  | The path to a directory where the base image can be found. This should be a read-only directory solely mounted for the purpose of caching the base image. |
+| `LAYER_CACHE_DIR` |  | The path to a directory where built layers will be stored. This spawns an in-memory registry to serve the layers from. |
+| `DEVCONTAINER_DIR` |  | The path to the folder containing the devcontainer.json file that will be used to build the workspace and can either be an absolute path or a path relative to the workspace folder. If not provided, defaults to `.devcontainer`. |
+| `DEVCONTAINER_JSON_PATH` |  | The path to a devcontainer.json file that is either an absolute path or a path relative to DevcontainerDir. This can be used in cases where one wants to substitute an edited devcontainer.json file for the one that exists in the repo. |
+| `DOCKERFILE_PATH` |  | The relative path to the Dockerfile that will be used to build the workspace. This is an alternative to using a devcontainer that some might find simpler. |
+| `BUILD_CONTEXT_PATH` |  | Can be specified when a DockerfilePath is specified outside the base WorkspaceFolder. This path MUST be relative to the WorkspaceFolder path into which the repo is cloned. |
+| `CACHE_TTL_DAYS` |  | The number of days to use cached layers before expiring them. Defaults to 7 days. |
+| `DOCKER_CONFIG_BASE64` |  | The base64 encoded Docker config file that will be used to pull images from private container registries. |
+| `FALLBACK_IMAGE` |  | Specifies an alternative image to use when neither an image is declared in the devcontainer.json file nor a Dockerfile is present. If there's a build failure (from a faulty Dockerfile) or a misconfiguration, this image will be the substitute. Set ExitOnBuildFailure to true to halt the container if the build faces an issue. |
+| `EXIT_ON_BUILD_FAILURE` |  | Terminates the container upon a build failure. This is handy when preferring the FALLBACK_IMAGE in cases where no devcontainer.json or image is provided. However, it ensures that the container stops if the build process encounters an error. |
+| `FORCE_SAFE` |  | Ignores any filesystem safety checks. This could cause serious harm to your system! This is used in cases where bypass is needed to unblock customers. |
+| `INSECURE` |  | Bypass TLS verification when cloning and pulling from container registries. |
+| `IGNORE_PATHS` | `/var/run` | The comma separated list of paths to ignore when building the workspace. |
+| `SKIP_REBUILD` |  | Skip building if the MagicFile exists. This is used to skip building when a container is restarting. e.g. docker stop -> docker start This value can always be set to true - even if the container is being started for the first time. |
+| `GIT_URL` |  | The URL of the Git repository to clone. This is optional. |
+| `GIT_CLONE_DEPTH` |  | The depth to use when cloning the Git repository. |
+| `GIT_CLONE_SINGLE_BRANCH` |  | Clone only a single branch of the Git repository. |
+| `GIT_USERNAME` |  | The username to use for Git authentication. This is optional. |
+| `GIT_PASSWORD` |  | The password to use for Git authentication. This is optional. |
+| `GIT_HTTP_PROXY_URL` |  | The URL for the HTTP proxy. This is optional. |
+| `WORKSPACE_FOLDER` |  | The path to the workspace folder that will be built. This is optional. |
+| `SSL_CERT_BASE64` |  | The content of an SSL cert file. This is useful for self-signed certificates. |
+| `EXPORT_ENV_FILE` |  | Optional file path to a .env file where envbuilder will dump environment variables from devcontainer.json and the built container image. |
+| `POST_START_SCRIPT_PATH` |  | The path to a script that will be created by envbuilder based on the postStartCommand in devcontainer.json, if any is specified (otherwise the script is not created). If this is set, the specified InitCommand should check for the presence of this script and execute it after successful startup. |
+<!--- END docsgen --->
diff --git a/options.go b/options.go
index 9066d64b..792f4e1a 100644
--- a/options.go
+++ b/options.go
@@ -53,7 +53,7 @@ func (o *Options) CLI() serpent.OptionSet {
 			Value: serpent.StringOf(&o.SetupScript),
 			Description: "The script to run before the init script. It runs as " +
 				"the root user regardless of the user specified in the devcontainer.json " +
-				"file.\n\nSetupScript is ran as the root user prior to the init script. " +
+				"file. SetupScript is ran as the root user prior to the init script. " +
 				"It is used to configure envbuilder dynamically during the runtime. e.g. " +
 				"specifying whether to start systemd or tiny init for PID 1.",
 		},
@@ -272,3 +272,20 @@ func (o *Options) CLI() serpent.OptionSet {
 		},
 	}
 }
+
+func (o *Options) Markdown() string {
+	cliOptions := o.CLI()
+	mkd := "| Environment variable | Default | Description |\n" +
+		"| - | - | - |\n"
+
+	for _, opt := range cliOptions {
+		d := opt.Default
+		if d != "" {
+
+			d = "`" + d + "`"
+		}
+		mkd += "| `" + opt.Env + "` | " + d + " | " + opt.Description + " |\n"
+	}
+
+	return mkd
+}
diff --git a/scripts/docsgen/main.go b/scripts/docsgen/main.go
new file mode 100644
index 00000000..fa51c242
--- /dev/null
+++ b/scripts/docsgen/main.go
@@ -0,0 +1,39 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/coder/envbuilder"
+)
+
+const (
+	startSection = "<!--- START docsgen --->"
+	endSection   = "<!--- END docsgen --->"
+)
+
+func main() {
+	readmePath := "README.md"
+	readmeFile, err := os.ReadFile(readmePath)
+	if err != nil {
+		panic("error reading " + readmePath + " file")
+	}
+	readmeContent := string(readmeFile)
+	startIndex := strings.Index(readmeContent, startSection)
+	endIndex := strings.Index(readmeContent, endSection)
+	if startIndex == -1 || endIndex == -1 {
+		panic("start or end section comments not found in the file.")
+	}
+
+	var options envbuilder.Options
+	mkd := "\n## Environment Variables\n\n" + options.Markdown()
+	modifiedContent := readmeContent[:startIndex+len(startSection)] + mkd + readmeContent[endIndex:]
+
+	err = os.WriteFile(readmePath, []byte(modifiedContent), 0644)
+	if err != nil {
+		panic(err)
+	}
+
+	fmt.Println("README updated successfully with the latest flags!")
+}