Add pr scan

jasonhills-mongodb · jasonhills-mongodb · commit a1090994a6ed · 2025-12-02T15:47:07.000-05:00
diff --git a/.github/workflows/endor_labs_pr_scan.yml b/.github/workflows/endor_labs_pr_scan.yml
@@ -0,0 +1,48 @@
+name: Endor Labs PR Scan
+
+on:
+  pull_request:
+    branches:
+      - 'master'
+      - 'releases/v*'
+      - 'debian/*'
+    paths:
+      - '**/CMakeLists.txt'
+      - '**/*.cmake'
+
+jobs:
+  configure_and_scan:
+    permissions:
+      id-token: write # Required to request a json web token (JWT) for keyless authentication with Endor Labs
+      pull-requests: write # Required for endorctl to write pr comments
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout Repository
+      uses: actions/checkout@v6
+      with:
+        fetch-tags: true
+        submodules: recursive
+
+    - name: Configure CMake and fetch dependency sources
+      env:
+        BUILD_TYPE: Release
+        BUILD: ${{github.workspace}}/build
+        CXX_STANDARD: 17
+      working-directory: ${{env.BUILD}}
+      run: cmake .. -DCMAKE_BUILD_TYPE=${{env.BUILD_TYPE}} -DCMAKE_CXX_STANDARD=${{env.CXX_STANDARD}} -DENABLE_TESTS=ON
+
+    - name: Endor Labs - Pull Request Scan
+      uses: endorlabs/github-action@519df81de5f68536c84ae05ebb2986d0bb1d19fc # v1.1.8
+      with:
+        additional_args: "--languages=c --exclude-path=\"build/CMakeFiles/**\""
+        enable_pr_comments: true
+        github_token: ${{ secrets.GITHUB_TOKEN }} # Required for endorctl to write pr comments
+        log_level: info
+        log_verbose: false
+        namespace: mongodb.${{github.repository_owner}}
+        pr: true
+        scan_dependencies: true
+        scan_summary_output_type: "table"
+        tags: github_action
+      env:
+        ENDOR_SCAN_EMBEDDINGS: true
diff --git a/.github/workflows/generate_sbom.yml b/.github/workflows/generate_sbom.yml
@@ -4,7 +4,7 @@ on:
   push:
     branches:
       - 'master'
-      - 'releases/v**'
+      - 'releases/v*'
       - 'debian/*'
     paths:
       - '**/CMakeLists.txt'
@@ -23,6 +23,7 @@ jobs:
     - name: Checkout Repository
       uses: actions/checkout@v6
       with:
+        fetch-tags: true
         submodules: recursive
 
     - name: Configure CMake and fetch dependency sources
@@ -33,7 +34,7 @@ jobs:
       working-directory: ${{env.BUILD}}
       run: cmake .. -DCMAKE_BUILD_TYPE=${{env.BUILD_TYPE}} -DCMAKE_CXX_STANDARD=${{env.CXX_STANDARD}} -DENABLE_TESTS=ON
 
-    - name: Install endorctl and Scan with Endor Labs
+    - name: Endor Labs - Monitoring Scan
       uses: endorlabs/github-action@519df81de5f68536c84ae05ebb2986d0bb1d19fc # v1.1.8
       with:
         additional_args: "--languages=c --exclude-path=\"build/CMakeFiles/**\""
@@ -42,6 +43,7 @@ jobs:
         namespace: mongodb.${{github.repository_owner}}
         pr: false
         scan_dependencies: true
+        scan_summary_output_type: "table"
         tags: github_action
       env:
         ENDOR_SCAN_EMBEDDINGS: true
