diff --git a/.github/workflows/nvd_scanner.yml b/.github/workflows/nvd_scanner.yml
index 7b4a004..34d51fc 100644
--- a/.github/workflows/nvd_scanner.yml
+++ b/.github/workflows/nvd_scanner.yml
@@ -12,7 +12,7 @@ on:
jobs:
build:
-
+ environment: nvd
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
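Review bot: `environment: nvd` is set on the whole `build` job, so any protection rules configured on that environment (required reviewers, branch restrictions) will gate every step of the job, including checkout and the cache steps, before the scan can start. Those rules live in repository settings and cannot be seen in this diff, so the maintainer guide should say which rules the `nvd` environment is expected to have, and whether it is limited to particular branches.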
@@ -35,4 +35,6 @@ jobs:
key: nvd-cache-we-are-happy-to-share-across-branches-${{ steps.get-date.outputs.date }}
- name: Run NVD Scanner
+ env:
+ NVD_API_TOKEN: ${{ secrets.NVD_API_TOKEN }}
run: bb nvd-scan
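Review bot: the `NVD_API_TOKEN: ${{ secrets.NVD_API_TOKEN }}` line on the `Run NVD Scanner` step is missing a fallback for runs where the secret is not available. GitHub does not pass secrets to workflows triggered by pull requests from forks, so if this workflow runs there, `bb nvd-scan` receives an empty string. Either guard the step with a condition on the token being present, or have `bb nvd-scan` exit early with a clear message when `NVD_API_TOKEN` is empty, so that a missing secret is not mistaken for a scan failure. Scoping the variable to this one step rather than the whole job is the right choice.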
diff --git a/doc/02-developer-guide.adoc b/doc/02-developer-guide.adoc
index 8f62950..010fb2b 100644
--- a/doc/02-developer-guide.adoc
+++ b/doc/02-developer-guide.adoc
@@ -124,9 +124,11 @@ Or to run both: `bb lint`
=== Vulnerability scanning
We automatically scan for vulnerabilities in our dependencies on CI.
-If you want to run this work locally:
+If you want to run this work locally, you can for example:
[source,shell]
----
-bb nvd-scan
+NVD_API_TOKEN=your-token-here bb nvd-scan
----
+
+Replace `your-token-here` with your personal nvd api token which you can easily request from https://nvd.nist.gov/developers/request-an-api-key.
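Review bot: the documented command `NVD_API_TOKEN=your-token-here bb nvd-scan` has the developer type the real key inline, which leaves it in shell history. Suggest showing the variable being exported from the developer's environment (or read from an untracked file) and then running plain `bb nvd-scan`. Wording nits in the same hunk: "you can for example:" reads awkwardly, and "nvd api token" should be "NVD API key", matching the term used by the linked request page.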
diff --git a/doc/03-maintainer-guide.adoc b/doc/03-maintainer-guide.adoc
index 7678b62..7a2ad3f 100644
--- a/doc/03-maintainer-guide.adoc
+++ b/doc/03-maintainer-guide.adoc
@@ -60,6 +60,10 @@ CI - We use GitHub Actions for this project
Clojars secrets are protected under the `publish` environment which is only referenced by `publish.yml`.
+The nvd api token is stored under the `nvd` environment and refernced by `nvd_scanner.yml`.
+Should you need to update the token, you can request one here: https://nvd.nist.gov/developers/request-an-api-key.
+If you are using gmail, you can request a unique token for clj-yaml CI by including `+clj-yaml` in your email address, ex. `bob@gmail.com` becomes `bob+clj-yaml@gmail.com`.
+
== Expected Oddities
When publishing, you will see both the `tests` workflow triggered and the `publish` workflow triggered (which also invokes the `tests` workflow).
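Review bot: typo in the added line "stored under the `nvd` environment and refernced by `nvd_scanner.yml`": `refernced` should be `referenced`. Beyond the spelling, the paragraph ties the CI key to one maintainer's personal email address without saying who currently holds it. Suggest adding a sentence on who owns the key and what to do when that maintainer steps away (request a new key, update the `nvd` environment secret). The `+clj-yaml` addressing tip is Gmail-specific as written; other providers support the same plus-addressing, so it could be phrased more generally.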
diff --git a/nvd_check_helper_project/suppressions.xml b/nvd_check_helper_project/suppressions.xml
index c480896..7471dc1 100644
--- a/nvd_check_helper_project/suppressions.xml
+++ b/nvd_check_helper_project/suppressions.xml
@@ -27,4 +27,11 @@
]]>
CVE-2021-4235
+
+
+ CVE-2017-20189
+
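Review bot: the new suppression for `CVE-2017-20189` shows no rationale next to it in this hunk. Every suppression entry should carry a note stating which dependency the scanner matched, why the finding does not apply to this project, and ideally a link to the upstream discussion, so that a later reviewer can tell a considered false positive from a silenced real finding. If the entry is expected to become unnecessary after a dependency upgrade, say so in the note so it gets revisited.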