feat: #7482 offer ossindex credentials for maven #7631
@nhumblot Your feature implementation should include the environment variable option, similar to how it's done for the NVD API (which was unfortunately not added to the maven doc markdown (we should fix that) but is being documented in the standard maven plugin docs at https://dependency-check.github.io/DependencyCheck/dependency-check-maven/check-mojo.html#nvdApiKeyEnvironmentVariable).

Specifying the environment variable name is a safer way to pass them than directly in the command-line (typically the env variable itself would be provided by setting it as a CI secret) given that maven will always log unmasked plaintexts on the

Configuring the ossIndexPassword property as an env variable reference would not help, as it would get interpolated by the shell and by the time maven logs it (in the

Wording for the ossIndexPassword should be similar to that of the ApiKey setting nudging the users to prefer either the settings.xml or the env variable name configuration option over specifying a password directly that is guaranteed to be exposed by mvn -X https://dependency-check.github.io/DependencyCheck/dependency-check-maven/check-mojo.html#nvdApiKey
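
The shell-interpolation point in the comment above, as an added example that is not part of the PR or the project's code: a CI pre-flight check that refuses to start Maven when the value of a secret environment variable has already been expanded into the command line, where `mvn -X` would log it. The function names and the sample secret value are constructed for illustration.

```shell
#!/bin/sh
# Added example, not dependency-check code. Function names are hypothetical.

# Return 0 if the value of the env variable named $1 appears in any later
# argument, 1 if it does not (or the variable is unset/empty), and 2 if $1
# is not a valid variable name.
arg_leaks_secret() {
    var_name=$1
    shift
    case $var_name in
        '' | [0-9]* | *[!A-Za-z0-9_]*) return 2 ;;
    esac
    # Indirect lookup; safe because var_name was validated above.
    eval "secret=\${$var_name-}"
    [ -n "$secret" ] || return 1
    found=1
    for arg in "$@"; do
        case $arg in
            *"$secret"*) found=0 ;;   # quoted: matched literally, not as a glob
        esac
    done
    unset secret
    return "$found"
}

# Refuse to run when any listed secret was expanded into argv.
# $1 = space-separated env variable names, remaining args = the mvn command line.
check_mvn_args() {
    names=$1
    shift
    for name in $names; do
        if arg_leaks_secret "$name" "$@"; then
            echo "refusing to run: value of \$$name is on the command line" >&2
            return 1
        fi
    done
    return 0
}

# Constructed sample value standing in for a CI secret.
OSSINDEX_PASSWORD='constructed-example-secret'
export OSSINDEX_PASSWORD

# Flagged:  check_mvn_args OSSINDEX_PASSWORD mvn -X "-DossIndexPassword=$OSSINDEX_PASSWORD"
# Accepted: check_mvn_args NVD_API_KEY mvn -X -DnvdApiKeyEnvironmentVariable=NVD_API_KEY
```

Passing only the variable's name keeps the value out of argv, so the check accepts it; a `$VAR` reference expanded by the shell is flagged before Maven starts.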
Duplicate of #7640
Description of Change
This PR is a draft. Identified things that must be checked before marking it as ready:
This PR aims to implement #7482 as expressed in the initial comment of the discussion.
Added change to the documentation as is:
Related issues
Have test cases been added to cover the new functionality?
yes/no: no as of now, but has to be implemented before marking the PR as ready.