Currently the NVD API key can be passed as a direct plugin parameter `nvdApiKey` or as a server id to be extracted from the `settings.xml` (`nvdApiServerId`). The former has the disadvantage that it may appear in the Maven logs and the latter has the disadvantage that it requires you to duplicate the credentials for CI/CD (where usually the `settings.xml` is ephemeral and therefore the canonical storage is somewhere else).
As environment variables are the common means for passing secrets (at least for container environments, e.g. those used in GitHub Actions), it should also be supported to extract the NVD API key from a configured environment variable.