diff --git a/README.md b/README.md index b86898f7..17608707 100644 --- a/README.md +++ b/README.md @@ -28,6 +28,7 @@ with support from Google. This is not an official Google or Trail of Bits produc * [Dry runs](#dry-runs) * [Examples](#examples) * [Troubleshooting](#troubleshooting) +* [Tips and Tricks](#tips-and-tricks) * [Security model](#security-model) * [Licensing](#licensing) * [Contributing](#contributing) @@ -379,6 +380,27 @@ $ pip-audit --no-deps -r requirements.txt $ pip-audit --require-hashes -r requirements.txt ``` +## Tips and Tricks + +### Running against a `pipenv` project + +`pipenv` uses both a `Pipfile` and `Pipfile.lock` file to track and freeze dependencies +instead of a `requirements.txt` file. `pip-audit` cannot process the `Pipfile[.lock]` +files directly, however, these can be converted to a supported `requirements.txt` file +that `pip-audit` can run against. Use a Python tool, such as +[`pipfile-requirements`](https://github.com/frostming/pipfile-requirements), to +convert your `Pipfile[.lock]` to a `requirements.txt` file and then run +`pip-audit` against the generated requirements file. + +```console +$ pipenv install --dev pipfile-requirements +$ pipenv run pipfile2req Pipfile.lock > requirements.txt +$ pipenv run pip-audit -r requirements.txt +``` + +The `requirements.txt` file needs to be kept up to date with `pipenv` when running +`pip-audit` locally like this. + ## Security Model This section exists to describe the security assumptions you **can** and **must not**
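Review bot: in the new "Running against a `pipenv` project" subsection, the third command `pipenv run pip-audit -r requirements.txt` will fail as shown, because nothing in the snippet installs `pip-audit` into the project's virtualenv; either add a `pipenv install --dev pip-audit` step or run `pip-audit` from outside the venv (the `-r` mode only needs the generated file, not the environment). Related, `pipenv install --dev pipfile-requirements` modifies the project's own `Pipfile` and `Pipfile.lock`, so the conversion tool and its dependencies become part of what is audited; worth a sentence saying so, or suggesting the tool be installed outside the project. Finally, since the example right above this section shows `--require-hashes`, the tip should say whether the generated `requirements.txt` carries the hashes from `Pipfile.lock` and whether dev packages are included by default, so readers know which `pip-audit` flags still apply; a small wording fix while here: "`pip-audit` cannot process the `Pipfile[.lock]` files directly, however, these can be converted" is a comma splice, e.g. "... directly; however, they can be converted ...".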