docs: clarify Sonatype Guide OSS Index suggestions

README.md

@@ -46,17 +46,19 @@ The NVD API has enforced rate limits. If you are using a single API KEY and
 multiple builds occur you could hit the rate limit and receive 403 errors. In
 a CI environment one must use a caching strategy.
 
-### Sonatype OSS Index API Token Now Required for usage
+### Sonatype OSS Index mandatory authentication and migration to Sonatype Guide
 
-Since September 2025 Sonatype OSS Index started enforcing use of API tokens for authentication. In April 2026 a
-subsequent migration to Sonatype Guide began.
+In September 2025 Sonatype OSS Index started enforcing use of API tokens for authentication. In April 2026 a
+subsequent migration to Sonatype Guide began, kicking off a transition to use of Sonatype Guide API Tokens that are
+planned to replace the legacy OSS Index API keys/tokens before the end of 2026.
 
-If you wish to use Sonatype OSS Index you must configure Dependency-Check and consider implications for migration to 
-Sonatype Guide. See the [analyzer documentation](https://dependency-check.github.io/DependencyCheck/analyzers/oss-index-analyzer.html)
-for more information.
+Without credentials, Dependency Check will **automatically disable the OSS Index analyzer**. Please see the documentation
+for the CLI, Maven, Gradle, or Ant integrations on how to set the analyzer credentials for use of a Sonatype Guide token
+or legacy OSS Index API key.
 
-Without credentials, Dependency Check will **automatically disable the OSS Index analyzer**. Please see the documentation 
-for the cli, maven, gradle, or ant integrations on how to set the OSS Index credentials.
+If you wish to use Sonatype OSS Index (via Guide) you must configure Dependency-Check and consider implications for the
+migration to Sonatype Guide; whose commercial/usage model has changed. See the [analyzer documentation](https://dependency-check.github.io/DependencyCheck/analyzers/oss-index-analyzer.html)
+for more information.
 
 ### Gradle build Environment
 

src/site/markdown/analyzers/oss-index-analyzer.md

@@ -22,9 +22,8 @@ During this migration users will need to make some minor changes.
     - login with OSS Index account credentials to the Sonatype Guide platform to validate your account has been migrated
     - migrate OSS Index analyzer base URL to Sonatype Guide platform
       - override Dependency-Check configuration OR
-      - upgrade to Dependency-Check `12.2.1`+ (if using defaults)
-    - review API usage within Sonatype Guide to determine whether continued free usage is possible (new API limits apply from April 28 2026 onwards)
-      - consider [cache/restore of Dependency-Check's data directory](../data/cacheh2.md) between runs to retain the OSS Index cache, and reduce API load 
+      - upgrade to Dependency-Check `12.2.2`+ (if using defaults)
+    - review API usage within Sonatype Guide to determine whether continued free usage is possible (new API limits apply from April 28, 2026 onwards)
   - _Before_ December 31, 2026 
     - migrate to using a Sonatype Guide API token for authentication rather than the legacy OSS Index API token
 - For **new** users
@@ -35,3 +34,15 @@ For more details on this migration see:
 - [Sonatype OSS Index product page](https://www.sonatype.com/products/sonatype-guide/oss-index-users)
 - [Sonatype Migration timeline](https://help.sonatype.com/en/oss-index-migration-to-sonatype-guide.html)
 - [Using Sonatype Guide personal access tokens for OSS Index API](https://help.sonatype.com/en/using-guide-personal-access-tokens-with-oss-index-api-integrations.html)
+
+### Managing Sonatype Guide credit usage
+
+In contrast to the earlier completely free OSS Index solution, Sonatype Guide gives a limited number of credits on free 
+accounts; and effectively charges per component report. You can review your credit usage in your Sonatype Guide account.
+
+To reduce your credit usage:
+- consider [cache/restore of Dependency-Check's data directory](../data/cacheh2.md) between runs to retain the OSS Index cache, and reduce API load
+- consider retaining OSS Index cache entries longer by extending the analyzer's `validForHours` configuration setting beyond the 24-hour default
+  - extending cache time, will reduce credit usage at the cost of slower notification about potential new vulnerabilities
+- consider reducing frequency of running OSS Index analysis on builds
+  - for example, you may want to disable OSS Index analysis on local dev or per-commit/merge CI builds, and enable only for a daily or weekly scheduled build