Ideally, you should use lockfiles for your CI/CD or docker. To create or update the lockfile, a developer needs to install dependencies manually first (as in `pip install X` -> `pip freeze`), at which point the checks would be executed and the user would consent.
That said, it's pretty uncommon to use lockfiles with pip, so I'm considering creating something like a plugin for poetry or uv, if there is demand?
Quite a few people use requirements.txt files with pip actually. I've seen many projects that even expect end users to do so. You might not notice - exactly because they aren't packaging for PyPI.
Sure, they presumably have a local dev environment where they install dependencies to test their own code.
But there are a lot of possible workflows around that. Some people might separately install things one at a time according to what they appear to need as they're developing, and then use `pip freeze` to create the `requirements.txt` file. Others might edit `requirements.txt` directly, and repeatedly re-create their environment based off that. Still others might involve any number of tools here, such as pip-tools (https://pypi.org/project/pip-tools/), pipenv (https://pypi.org/project/pipenv/), etc.
As long as they run `pip install` locally at any point in their process before pushing to the repo, they should get the opportunity to see the pipask report.
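To make the "lockfile for CI/CD" point above concrete, here is an added example (my own code, not from the thread or from pipask) of a gate a CI job can run before `pip install -r`: it refuses a `requirements.txt` unless every requirement is pinned with `==` and carries a `--hash`, so the reviewed, frozen lockfile rather than an ad-hoc `pip install` is what CI trusts. The sample lockfile and all names are constructed for the example.

```python
import re
import shlex

# Constructed sample lockfile: one entry fully pinned and hashed with the
# backslash continuation pip-compile --generate-hashes writes, one pinned
# without a hash, one unpinned range, and one pinned+hashed on a single line.
SAMPLE_LOCKFILE = """\
# generated by pip-compile --generate-hashes (constructed example)
--index-url https://pypi.org/simple
requests==2.32.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001
urllib3==2.2.2
idna>=3.0
certifi==2024.7.4 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000002
"""

# name[extras]==version, nothing looser (no >=, ~=, bare names, URLs)
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?==\S+$")
HASH_RE = re.compile(r"^--hash=sha(256|384|512):[0-9a-fA-F]+$")


def logical_lines(text):
    """Join backslash-continued lines and drop comments and blank lines.
    Comment handling is approximate: '#' at line start or after a space."""
    buf = ""
    for raw in text.splitlines():
        line = "" if raw.lstrip().startswith("#") else raw.split(" #")[0]
        line = line.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def audit_lockfile(text):
    """Return {requirement: problem} for entries CI should refuse to install."""
    problems = {}
    for line in logical_lines(text):
        tokens = shlex.split(line)
        if not tokens or tokens[0].startswith("-"):
            continue  # global option such as --index-url or -r, not a package
        req, opts = tokens[0], tokens[1:]
        if not PIN_RE.match(req):
            problems[req] = "not pinned with =="
        elif not any(HASH_RE.match(o) for o in opts):
            problems[req] = "no --hash"
    return problems
```

An empty result means `pip install --require-hashes -r requirements.txt` can be run with the lockfile as the only input CI trusts.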