diff --git a/README.md b/README.md
index c6e8dd6e..4d9a02fb 100644
--- a/README.md
+++ b/README.md
@@ -13,34 +13,34 @@
 
 **Shhh** is a tiny Flask app to create encrypted secrets and share 
 them securely with people. The goal of this application is to get rid
-of plain text sensitive information into emails or chat logs.  
+of plain text sensitive information into emails or chat logs.
 
 Shhh is deployed [here](https://www.shhh-encrypt.com) (_temporary unavailable
 until new deployment solution_), but **it's better for organisations and people 
 to deploy it on their own personal / private server** for even better security. 
-You can find in this repo everything you need to host the app yourself.  
+You can find in this repo everything you need to host the app yourself.
 
 Or you can **one-click deploy to Heroku** using the below button.
 It will generate a fully configured private instance of Shhh 
 immediately (using your own server running Flask behind Gunicorn and Nginx, 
-and your own Postgres database, **for free**).  
+and your own Postgres database, **for free**).
 
-[![Deploy][heroku-shield]][heroku]  
+[![Deploy][heroku-shield]][heroku]
 
 Also, checkout [shhh-cli](https://github.com/smallwat3r/shhh-cli), 
-a Go client to interact with the Shhh API from the command line.  
+a Go client to interact with the Shhh API from the command line.
 
 ## How does it work?
 
 The sender has to set an expiration date along with a passphrase to
-protect the information he wants to share.  
+protect the information he wants to share.
 
 A unique link is generated by Shhh that the sender can share with the
 receiver in an email, alongside the temporary passphrase he created
-in order to reveal the secret.  
+in order to reveal the secret.
 
 The secret will be **permanently removed** from the database as soon 
-as one of these events happens:  
+as one of these events happens:
 
 * the expiration date has passed. 
 * the receiver has decrypted the message. 
@@ -48,16 +48,16 @@ as one of these events happens:
 
 The secrets are encrypted in order to make the data anonymous, 
 especially in the database, and the passphrases are not stored 
-anywhere.  
+anywhere.
 
 _Encryption method used: Fernet with password, random salt value and
-strong iteration count (100 000)._  
+strong iteration count (100 000)._ 
 
 _Tip: for better security, avoid writing any info on how/where to use the secret you're sharing (like urls, websites or emails). Instead, explain this in your email or chat, with the link and passphrase generated from Shhh. So even if someone got access to your secret, there is no way for the attacker to know how and where to use it._
 
 ## Is there an API?
 
-Yes, you can find some doc [here](https://app.swaggerhub.com/apis-docs/smallwat3r/shhh-api/1.0.0).  
+Yes, you can find some doc [here](https://app.swaggerhub.com/apis-docs/smallwat3r/shhh-api/1.0.0).
 
 ## How to launch Shhh locally?
 
@@ -66,9 +66,7 @@ use you might want to use a more secure configuration.
 
 #### Deps
 
-Make sure you have `make`, `docker`, `yarn`, and a version of Python 3.12 installed on your machine.  
-
-The application will use the development env variables from [/environments/docker.dev](https://github.com/smallwat3r/shhh/blob/master/environments/docker.dev).  
+The application will use the development env variables from [/environments/docker.dev](https://github.com/smallwat3r/shhh/blob/master/environments/docker.dev).
 
 #### Docker
 
@@ -81,7 +79,7 @@ make dc-stop           # to stop the app
 ```
 
 Once the container image has finished building and has started, you 
-can access:  
+can access: 
 
 * Shhh at <http://localhost:8081>
 * Adminer at <http://localhost:8082/?pgsql=db&username=shhh&db=shhh> (if launched with `dc-start-adminer`)
@@ -105,14 +103,24 @@ exit()
 
 #### Development tools
 
-You can run tests and linting / security reports using the Makefile.  
+You can run tests and linting / security reports using the Makefile.
+
+Make sure you have `make`, `docker`, `yarn`, and a version of Python 3.12 installed on your machine.
+
+Tests, linting, security tools do not run from the Docker container, so you need to have a Python
+virtual environment configured locally.
+
+You can do so with the following command:
+``` sh
+make venv deps
+```
 
 The following command will display all the commands available from the Makefile:
 ``` sh
 make help
 ```
 
-* Enter a Flask shell
+* Enter a Flask shell (from the running shhh container)
   ``` sh
   make shell 
   ```
@@ -137,7 +145,7 @@ make help
 
 ## Environment variables
 
-Bellow is the list of environment variables used by Shhh.  
+Bellow is the list of environment variables used by Shhh.
 
 #### Mandatory
 * `FLASK_ENV`: the environment config to load (`testing`, `dev-local`, `dev-docker`, `heroku`, `production`).
@@ -164,12 +172,12 @@ Special thanks: [@AustinTSchaffer](https://github.com/AustinTSchaffer), [@kleinf
 
 ## License
 
-See [LICENSE](https://github.com/smallwat3r/shhh/blob/master/LICENSE) file.  
+See [LICENSE](https://github.com/smallwat3r/shhh/blob/master/LICENSE) file.
 
 ## Contact
 
 Please report issues or questions 
-[here](https://github.com/smallwat3r/shhh/issues).  
+[here](https://github.com/smallwat3r/shhh/issues).
 
 
 [![Buy me a coffee][buymeacoffee-shield]][buymeacoffee]