Description
In #870 @mrutkows raised that importing yamllint into the CLI source code is not an option due to licensing restrictions.
As the original author that introduced this dependency, I raised #876 to remove it and maintain the functionality with a different, compliant approach of exec'ing out to yamllint, similar to what we do in the taxonomy repo. We kept yamllint in the requirements.txt as a UX measure so users wouldn't need to install the additional binary explicitly to use important CLI commands such as generate and diff.
However, leaving yamllint in the requirements.txt still leaves us open to raising alarms from third-party scanners, such as @mrutkows raised here: #876 (comment)
So we should follow up on this in one of the following ways (open to ideas as well):
1. Rip out the functionality entirely (fully compliant, but a functional regression)
2. Find a compliant alternative library (would need to align with the taxonomy repo)
3. Add documentation or some setup script to install dependent binaries before using the CLI

3 would be my preference - there is some precedent for this, as the functional tests already require an additional binary, as I noted in #712, and the current README has prereqs for users on Fedora.
Tagging additional folks who have been involved with this to gather opinions on how to tackle this:
@russellb @tiran @anik120 @bjhargrave