From 2d0a793ba11c69b76ebcf8c55aa6bd7f8bc69f94 Mon Sep 17 00:00:00 2001
From: Jason Hills
Date: Fri, 21 Nov 2025 12:23:18 -0500
Subject: [PATCH 01/23] Add github action generate_sbom
---
.github/workflows/generate_sbom.yml | 44 +++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
create mode 100644 .github/workflows/generate_sbom.yml
diff --git a/.github/workflows/generate_sbom.yml b/.github/workflows/generate_sbom.yml
new file mode 100644
index 0000000000..64aa436be0
--- /dev/null
+++ b/.github/workflows/generate_sbom.yml
@@ -0,0 +1,44 @@
+name: Generate SBOM
+
+on:
+ workflow_dispatch:
+ #push:
+ # branches:
+ # - 'master'
+ # - 'releases/**'
+
+env:
+ BUILD_TYPE: Release
+ BUILD: ${{github.workspace}}/build
+ CXX_STANDARD: 17
+ SOURCE: ${{github.workspace}}
+ VERSION: ${{github.ref_name}}
+ ENDOR_NAMESPACE: mongodb.${{github.repository_owner}}
+
+jobs:
+ configure-and-scan:
+ permissions:
+ id-token: write # Required to request a json web token (JWT) for keyless authentication with Endor Labs
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@v4
+
+ - name: Install libsasl2-dev
+ run: sudo apt install -y libsasl2-dev
+
+ - name: Configure CMake and fetch dependency source
+ run: cmake .. -DCMAKE_BUILD_TYPE=${{env.BUILD_TYPE}} -DCMAKE_CXX_STANDARD=${{env.CXX_STANDARD}}
+ working-directory: ${{env.BUILD}}
+
+ - name: Scan with Endor Labs
+ uses: endorlabs/github-action@519df81de5f68536c84ae05ebb2986d0bb1d19fc # Release v1.1.8
+ with:
+ namespace: ${{env.ENDOR_NAMESPACE}}
+ pr: false
+ scan_dependencies: true
+ scan_github_actions: true
+ tags: github_action
+ additional_args: --languages=c
+ env:
+ ENDOR_SCAN_EMBEDDINGS: true
\ No newline at end of file
From 407c1930138b94199be93eed0f6b4ec0370d876b Mon Sep 17 00:00:00 2001
From: Jason Hills
Date: Fri, 21 Nov 2025 12:29:36 -0500
Subject: [PATCH 02/23] Adjust triggers
---
.github/workflows/generate_sbom.yml | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
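Review bot: In PATCH 01/23 the `Checkout Repository` step references `actions/checkout@v4` by a mutable tag, while the Endor Labs action in the last step of the same job is pinned to a full commit SHA. The job is granted `id-token: write`, so every action it runs executes in a context that can request an OIDC token; pinning checkout the same way, `uses: actions/checkout@<full-commit-sha> # v4`, keeps the whole job on immutable references. The same applies to `actions/checkout@v6` introduced in PATCH 11/23.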
diff --git a/.github/workflows/generate_sbom.yml b/.github/workflows/generate_sbom.yml index 64aa436be0..550bc79f9b 100644 --- a/.github/workflows/generate_sbom.yml +++ b/.github/workflows/generate_sbom.yml @@ -2,10 +2,11 @@ name: Generate SBOM on: workflow_dispatch: - #push: - # branches: - # - 'master' - # - 'releases/**' + push: + branches: + - 'master' + - 'releases/**' + - 'CXX**' env: BUILD_TYPE: Release From 12de006e71706d70a09cb71e938fd8a6ee56fd2f Mon Sep 17 00:00:00 2001 From: Jason Hills Date: Fri, 21 Nov 2025 12:46:27 -0500 Subject: [PATCH 03/23] Remove github action scan type --- .github/workflows/generate_sbom.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/generate_sbom.yml b/.github/workflows/generate_sbom.yml index 550bc79f9b..70fe2dffd8 100644 --- a/.github/workflows/generate_sbom.yml +++ b/.github/workflows/generate_sbom.yml @@ -36,9 +36,7 @@ jobs: uses: endorlabs/github-action@519df81de5f68536c84ae05ebb2986d0bb1d19fc # Release v1.1.8 with: namespace: ${{env.ENDOR_NAMESPACE}} - pr: false scan_dependencies: true - scan_github_actions: true tags: github_action additional_args: --languages=c env: From e18d34a634bf7d002323139261d48fbae446aaff Mon Sep 17 00:00:00 2001 From: Jason Hills Date: Fri, 21 Nov 2025 13:15:12 -0500 Subject: [PATCH 04/23] Remove PR scan flag --- .github/workflows/generate_sbom.yml | 29 +++++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/.github/workflows/generate_sbom.yml b/.github/workflows/generate_sbom.yml index 70fe2dffd8..8459cf2c42 100644 --- a/.github/workflows/generate_sbom.yml +++ b/.github/workflows/generate_sbom.yml @@ -20,6 +20,8 @@ jobs: configure-and-scan: permissions: id-token: write # Required to request a json web token (JWT) for keyless authentication with Endor Labs + packages: write + contents: read runs-on: ubuntu-latest steps: - name: Checkout Repository 
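Review bot: The `'CXX**'` branch filter added in PATCH 02/23 makes every push to any branch whose name starts with CXX run this job, which requests an OIDC token and uploads a scan to the Endor Labs namespace. The pattern looks like a way to exercise the workflow from a ticket branch (inferred from the name only); if so, it should be dropped before merge so that only `master` and `releases/**` feed the SBOM. If it is intentional, record why next to it, e.g. `# CXX-* branches are scanned because <reason>`.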
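Review bot: `packages: write` in the first hunk of PATCH 04/23 gives the job token write access to GitHub Packages, yet none of the steps visible in this workflow (checkout, apt install, CMake configure, Endor Labs scan) publish or delete a package. Next to `id-token: write` it widens what a compromised step could do, so unless the Endor Labs action documents a need for it the block should stay at `id-token: write` plus `contents: read`. The permissions block belongs to the `configure-and-scan` job, whose steps continue outside this hunk.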
@@ -35,9 +37,32 @@ jobs: - name: Scan with Endor Labs uses: endorlabs/github-action@519df81de5f68536c84ae05ebb2986d0bb1d19fc # Release v1.1.8 with: + additional_args: --languages=c namespace: ${{env.ENDOR_NAMESPACE}} + pr: false scan_dependencies: true tags: github_action - additional_args: --languages=c env: - ENDOR_SCAN_EMBEDDINGS: true \ No newline at end of file + ENDOR_SCAN_EMBEDDINGS: true + ENDOR_SCAN_INCLUDE_PATH: + ENDOR_SCAN_EXCLUDE_PATH: + + # - name: Setup Endor Labs Endorctl + # uses: endorlabs/github-action/setup@519df81de5f68536c84ae05ebb2986d0bb1d19fc # Release v1.1.8 + # with: + # namespace: ${{env.ENDOR_NAMESPACE}} + # enable_github_action_token: true + + # - name: Run Endorctl + # env: + # ENDOR_GITHUB_ACTION_TOKEN_ENABLE: true + # ENDOR_SCAN_DEPENDENCIES: true + # ENDOR_SCAN_EMBEDDINGS: true + # ENDOR_SCAN_INCLUDE_PATH: + # ENDOR_SCAN_LANGUAGES: c + # ENDOR_SCAN_SUMMARY_OUTPUT_TYPE: json + # ENDOR_SCAN_TAGS: github_action + # run: | + # endorctl scan + + From aefae1615e13b062047d86a208306ca9c46858c7 Mon Sep 17 00:00:00 2001 From: Jason Hills Date: Fri, 21 Nov 2025 13:52:22 -0500 Subject: [PATCH 05/23] Set include_path --- .github/workflows/generate_sbom.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/generate_sbom.yml b/.github/workflows/generate_sbom.yml index 8459cf2c42..2534d77ad0 100644 --- a/.github/workflows/generate_sbom.yml +++ b/.github/workflows/generate_sbom.yml 
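Review bot: `ENDOR_SCAN_INCLUDE_PATH:` and `ENDOR_SCAN_EXCLUDE_PATH:` are written as bare keys, which YAML loads as null, so the step exports both with no value. How the scanner treats an empty include or exclude filter is not visible here and should be confirmed, or the keys left out until they carry a value. The commented-out `Setup Endor Labs Endorctl` and `Run Endorctl` steps added below them are an alternative invocation kept as dead text; a one-line comment such as `# alternative: install endorctl via the setup sub-action and run "endorctl scan" directly` would record the idea without carrying the block in the workflow.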
@@ -37,15 +37,18 @@ jobs: - name: Scan with Endor Labs uses: endorlabs/github-action@519df81de5f68536c84ae05ebb2986d0bb1d19fc # Release v1.1.8 with: - additional_args: --languages=c + additional_args: --languages=c --include-path="build/_deps/**" namespace: ${{env.ENDOR_NAMESPACE}} pr: false scan_dependencies: true tags: github_action env: ENDOR_SCAN_EMBEDDINGS: true - ENDOR_SCAN_INCLUDE_PATH: - ENDOR_SCAN_EXCLUDE_PATH: + + # - uses: actions/setup-python@v6 + # with: + # python-version: '3.10' + # - run: python my_script.py # - name: Setup Endor Labs Endorctl # uses: endorlabs/github-action/setup@519df81de5f68536c84ae05ebb2986d0bb1d19fc # Release v1.1.8 @@ -53,6 +56,7 @@ jobs: # namespace: ${{env.ENDOR_NAMESPACE}} # enable_github_action_token: true + # ${{ github.sha }} # - name: Run Endorctl # env: # ENDOR_GITHUB_ACTION_TOKEN_ENABLE: true From c1aa9dc269c3baa55590f4b1a74263318fd3164a Mon Sep 17 00:00:00 2001 From: Jason Hills Date: Fri, 21 Nov 2025 14:00:50 -0500 Subject: [PATCH 06/23] Attempt to address error --- .github/workflows/generate_sbom.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/.github/workflows/generate_sbom.yml b/.github/workflows/generate_sbom.yml index 2534d77ad0..e1ab63089d 100644 --- a/.github/workflows/generate_sbom.yml +++ b/.github/workflows/generate_sbom.yml @@ -12,16 +12,14 @@ env: BUILD_TYPE: Release BUILD: ${{github.workspace}}/build CXX_STANDARD: 17 - SOURCE: ${{github.workspace}} - VERSION: ${{github.ref_name}} ENDOR_NAMESPACE: mongodb.${{github.repository_owner}} jobs: configure-and-scan: permissions: id-token: write # Required to request a json web token (JWT) for keyless authentication with Endor Labs - packages: write - contents: read + #packages: write + #contents: read runs-on: ubuntu-latest steps: - name: Checkout Repository 
@@ -37,7 +35,7 @@ jobs: - name: Scan with Endor Labs uses: endorlabs/github-action@519df81de5f68536c84ae05ebb2986d0bb1d19fc # Release v1.1.8 with: - additional_args: --languages=c --include-path="build/_deps/**" + additional_args: --languages=c --include-path="build/_deps/**" --exclude-path="src/**" namespace: ${{env.ENDOR_NAMESPACE}} pr: false scan_dependencies: true From c7a9ec51c787da37127afba150cfb04d1bfd2b02 Mon Sep 17 00:00:00 2001 From: Jason Hills Date: Fri, 21 Nov 2025 14:13:31 -0500 Subject: [PATCH 07/23] Verbose logging --- .github/workflows/generate_sbom.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/generate_sbom.yml b/.github/workflows/generate_sbom.yml index e1ab63089d..4b79edd53f 100644 --- a/.github/workflows/generate_sbom.yml +++ b/.github/workflows/generate_sbom.yml @@ -36,6 +36,8 @@ jobs: uses: endorlabs/github-action@519df81de5f68536c84ae05ebb2986d0bb1d19fc # Release v1.1.8 with: additional_args: --languages=c --include-path="build/_deps/**" --exclude-path="src/**" + log_level: debug + log_verbose: true namespace: ${{env.ENDOR_NAMESPACE}} pr: false scan_dependencies: true From 03d45d46f3f7f092426e99397826504c4f966e05 Mon Sep 17 00:00:00 2001 From: Jason Hills Date: Fri, 21 Nov 2025 14:18:29 -0500 Subject: [PATCH 08/23] Add scan_path --- .github/workflows/generate_sbom.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/generate_sbom.yml b/.github/workflows/generate_sbom.yml index 4b79edd53f..46f0d5921b 100644 --- a/.github/workflows/generate_sbom.yml +++ b/.github/workflows/generate_sbom.yml @@ -41,6 +41,7 @@ jobs: namespace: ${{env.ENDOR_NAMESPACE}} pr: false scan_dependencies: true + scan_path: ${{github.workspace}} tags: github_action env: ENDOR_SCAN_EMBEDDINGS: true From 0678ae7f70ce8b136d4388dedd9f23004d17e0f5 Mon Sep 17 00:00:00 2001 
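Review bot: PATCH 07/23 turns on `log_level: debug` and `log_verbose: true` for a step that authenticates with an OIDC token, and workflow logs are readable by anyone with read access to the repository. Before this runs on a push-triggered branch, confirm that the action's debug output carries no token or request-header material (not visible from this hunk). Gating it on the runner's debug flag, `log_level: ${{ runner.debug == '1' && 'debug' || 'info' }}`, limits verbose output to runs re-triggered with debug logging enabled.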
From: Jason Hills Date: Fri, 21 Nov 2025 14:41:46 -0500 Subject: [PATCH 09/23] Fix additional_args --- .github/workflows/generate_sbom.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/generate_sbom.yml b/.github/workflows/generate_sbom.yml index 46f0d5921b..64b841301b 100644 --- a/.github/workflows/generate_sbom.yml +++ b/.github/workflows/generate_sbom.yml @@ -35,7 +35,7 @@ jobs: - name: Scan with Endor Labs uses: endorlabs/github-action@519df81de5f68536c84ae05ebb2986d0bb1d19fc # Release v1.1.8 with: - additional_args: --languages=c --include-path="build/_deps/**" --exclude-path="src/**" + additional_args: "--languages=c --include-path=\"build/_deps/**\" --exclude-path=\"src/**\"" log_level: debug log_verbose: true namespace: ${{env.ENDOR_NAMESPACE}} From ddac698ecd30f113d9715f3d5a8e59ac00af0b7c Mon Sep 17 00:00:00 2001 From: Jason Hills Date: Fri, 21 Nov 2025 15:34:58 -0500 Subject: [PATCH 10/23] Remove include and exclude --- .github/workflows/generate_sbom.yml | 15 ++++----------- 1 file changed, 4 insertions(+), 11 deletions(-) diff --git a/.github/workflows/generate_sbom.yml b/.github/workflows/generate_sbom.yml index 64b841301b..01941a3173 100644 --- a/.github/workflows/generate_sbom.yml +++ b/.github/workflows/generate_sbom.yml @@ -12,7 +12,6 @@ env: BUILD_TYPE: Release BUILD: ${{github.workspace}}/build CXX_STANDARD: 17 - ENDOR_NAMESPACE: mongodb.${{github.repository_owner}} jobs: configure-and-scan: 
@@ -32,13 +31,13 @@ jobs: run: cmake .. -DCMAKE_BUILD_TYPE=${{env.BUILD_TYPE}} -DCMAKE_CXX_STANDARD=${{env.CXX_STANDARD}} working-directory: ${{env.BUILD}} - - name: Scan with Endor Labs + - name: Install endorctl and Scan with Endor Labs uses: endorlabs/github-action@519df81de5f68536c84ae05ebb2986d0bb1d19fc # Release v1.1.8 with: - additional_args: "--languages=c --include-path=\"build/_deps/**\" --exclude-path=\"src/**\"" - log_level: debug + additional_args: "--languages=c" # --include-path=\"build/_deps/**\" --exclude-path=\"src/**\"" + log_level: info log_verbose: true - namespace: ${{env.ENDOR_NAMESPACE}} + namespace: mongodb.${{github.repository_owner}} pr: false scan_dependencies: true scan_path: ${{github.workspace}} @@ -51,12 +50,6 @@ jobs: # python-version: '3.10' # - run: python my_script.py - # - name: Setup Endor Labs Endorctl - # uses: endorlabs/github-action/setup@519df81de5f68536c84ae05ebb2986d0bb1d19fc # Release v1.1.8 - # with: - # namespace: ${{env.ENDOR_NAMESPACE}} - # enable_github_action_token: true - # ${{ github.sha }} # - name: Run Endorctl # env: From cbd8c52494111e13467aacca83c1fdbf546bb411 Mon Sep 17 00:00:00 2001 From: Jason Hills Date: Fri, 21 Nov 2025 15:46:21 -0500 Subject: [PATCH 11/23] Adjust checkout action --- .github/workflows/generate_sbom.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/generate_sbom.yml b/.github/workflows/generate_sbom.yml index 01941a3173..e85ed32525 100644 --- a/.github/workflows/generate_sbom.yml +++ b/.github/workflows/generate_sbom.yml @@ -22,7 +22,11 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 + with: + fetch-depth: 0 + ref: ${{ github.head_ref || github.ref_name }} + submodules: recursive - name: Install libsasl2-dev run: sudo apt install -y libsasl2-dev From c2f2568b246772731c0d4dd273011fc94b0d816e Mon Sep 17 00:00:00 2001 
From: Jason Hills Date: Fri, 21 Nov 2025 15:48:47 -0500 Subject: [PATCH 12/23] Clone whole repo --- .github/workflows/generate_sbom.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/generate_sbom.yml b/.github/workflows/generate_sbom.yml index e85ed32525..49a162b35c 100644 --- a/.github/workflows/generate_sbom.yml +++ b/.github/workflows/generate_sbom.yml @@ -25,7 +25,7 @@ jobs: uses: actions/checkout@v6 with: fetch-depth: 0 - ref: ${{ github.head_ref || github.ref_name }} + #ref: ${{ github.head_ref || github.ref_name }} submodules: recursive - name: Install libsasl2-dev From f941e0902efed77843b000af7a403bcdd5e33316 Mon Sep 17 00:00:00 2001 From: Jason Hills Date: Fri, 21 Nov 2025 15:56:01 -0500 Subject: [PATCH 13/23] Revert to PR scan --- .github/workflows/generate_sbom.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/generate_sbom.yml b/.github/workflows/generate_sbom.yml index 49a162b35c..ec00e8020b 100644 --- a/.github/workflows/generate_sbom.yml +++ b/.github/workflows/generate_sbom.yml @@ -23,10 +23,6 @@ jobs: steps: - name: Checkout Repository uses: actions/checkout@v6 - with: - fetch-depth: 0 - #ref: ${{ github.head_ref || github.ref_name }} - submodules: recursive - name: Install libsasl2-dev run: sudo apt install -y libsasl2-dev @@ -42,7 +38,7 @@ jobs: log_level: info log_verbose: true namespace: mongodb.${{github.repository_owner}} - pr: false + pr: true scan_dependencies: true scan_path: ${{github.workspace}} tags: github_action From 71573424a56ab5a42405b18f7a1c9b1ee10a60ff Mon Sep 17 00:00:00 2001 From: Jason Hills Date: Fri, 21 Nov 2025 16:00:25 -0500 Subject: [PATCH 14/23] pr and ci_run to false --- .github/workflows/generate_sbom.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/generate_sbom.yml b/.github/workflows/generate_sbom.yml index ec00e8020b..7331e0b417 100644 --- a/.github/workflows/generate_sbom.yml 
+++ b/.github/workflows/generate_sbom.yml @@ -34,11 +34,12 @@ jobs: - name: Install endorctl and Scan with Endor Labs uses: endorlabs/github-action@519df81de5f68536c84ae05ebb2986d0bb1d19fc # Release v1.1.8 with: - additional_args: "--languages=c" # --include-path=\"build/_deps/**\" --exclude-path=\"src/**\"" + additional_args: '--languages=c --include-path="build/_deps/**" --exclude-path="src/**"' + ci_run: false log_level: info log_verbose: true namespace: mongodb.${{github.repository_owner}} - pr: true + pr: false scan_dependencies: true scan_path: ${{github.workspace}} tags: github_action From 287d514969cf4384e1b0de2494cad60ce2853f7a Mon Sep 17 00:00:00 2001 From: Jason Hills Date: Fri, 21 Nov 2025 16:06:59 -0500 Subject: [PATCH 15/23] Add contents read permission --- .github/workflows/generate_sbom.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/generate_sbom.yml b/.github/workflows/generate_sbom.yml index 7331e0b417..507cac2f4c 100644 --- a/.github/workflows/generate_sbom.yml +++ b/.github/workflows/generate_sbom.yml @@ -18,11 +18,13 @@ jobs: permissions: id-token: write # Required to request a json web token (JWT) for keyless authentication with Endor Labs #packages: write - #contents: read + contents: read runs-on: ubuntu-latest steps: - name: Checkout Repository uses: actions/checkout@v6 + with: + submodules: recursive - name: Install libsasl2-dev run: sudo apt install -y libsasl2-dev From 8a1bc3e157cb70c3841d7aef63a100fae4f7c20c Mon Sep 17 00:00:00 2001 From: Jason Hills Date: Fri, 21 Nov 2025 16:19:22 -0500 Subject: [PATCH 16/23] Default branch set --- .github/workflows/generate_sbom.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/.github/workflows/generate_sbom.yml b/.github/workflows/generate_sbom.yml index 507cac2f4c..4800c5866e 100644 --- a/.github/workflows/generate_sbom.yml +++ b/.github/workflows/generate_sbom.yml 
@@ -12,6 +12,7 @@ env: BUILD_TYPE: Release BUILD: ${{github.workspace}}/build CXX_STANDARD: 17 + ENDOR_NAMESPACE: mongodb.${{github.repository_owner}} jobs: configure-and-scan: @@ -37,13 +38,11 @@ jobs: uses: endorlabs/github-action@519df81de5f68536c84ae05ebb2986d0bb1d19fc # Release v1.1.8 with: additional_args: '--languages=c --include-path="build/_deps/**" --exclude-path="src/**"' - ci_run: false log_level: info - log_verbose: true - namespace: mongodb.${{github.repository_owner}} + log_verbose: false + namespace: ${{env.ENDOR_NAMESPACE}} pr: false scan_dependencies: true - scan_path: ${{github.workspace}} tags: github_action env: ENDOR_SCAN_EMBEDDINGS: true @@ -65,5 +64,3 @@ jobs: # ENDOR_SCAN_TAGS: github_action # run: | # endorctl scan - - From 8a46bc94531e4bd18e72f4bb3a3b22329beaa8fb Mon Sep 17 00:00:00 2001 From: Jason Hills Date: Fri, 21 Nov 2025 16:21:35 -0500 Subject: [PATCH 17/23] Remove include and exclude --- .github/workflows/generate_sbom.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/generate_sbom.yml b/.github/workflows/generate_sbom.yml index 4800c5866e..f193d467a5 100644 --- a/.github/workflows/generate_sbom.yml +++ b/.github/workflows/generate_sbom.yml @@ -37,7 +37,7 @@ jobs: - name: Install endorctl and Scan with Endor Labs uses: endorlabs/github-action@519df81de5f68536c84ae05ebb2986d0bb1d19fc # Release v1.1.8 with: - additional_args: '--languages=c --include-path="build/_deps/**" --exclude-path="src/**"' + additional_args: '--languages=c' # --include-path="build/_deps/**" --exclude-path="src/**"' log_level: info log_verbose: false namespace: ${{env.ENDOR_NAMESPACE}} From faa02c95679c9437b593c4312f5ffc14260740ed Mon Sep 17 00:00:00 2001 From: Jason Hills Date: Fri, 21 Nov 2025 16:59:01 -0500 Subject: [PATCH 18/23] Escape glob pattern --- .github/workflows/generate_sbom.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/.github/workflows/generate_sbom.yml b/.github/workflows/generate_sbom.yml index f193d467a5..bd3eaae088 100644 --- a/.github/workflows/generate_sbom.yml +++ b/.github/workflows/generate_sbom.yml @@ -37,7 +37,7 @@ jobs: - name: Install endorctl and Scan with Endor Labs uses: endorlabs/github-action@519df81de5f68536c84ae05ebb2986d0bb1d19fc # Release v1.1.8 with: - additional_args: '--languages=c' # --include-path="build/_deps/**" --exclude-path="src/**"' + additional_args: "--languages=c --include-path=\"$INCLUDE_PATH\"" log_level: info log_verbose: false namespace: ${{env.ENDOR_NAMESPACE}} @@ -46,6 +46,7 @@ jobs: tags: github_action env: ENDOR_SCAN_EMBEDDINGS: true + INCLUDE_PATH: "build/_deps/**" # Use env to properly escape glob pattern # - uses: actions/setup-python@v6 # with: From 735d4c1f2460c4f18561752a76ae738effc3da7e Mon Sep 17 00:00:00 2001 From: Jason Hills Date: Fri, 21 Nov 2025 17:01:51 -0500 Subject: [PATCH 19/23] Use env. for var --- .github/workflows/generate_sbom.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/generate_sbom.yml b/.github/workflows/generate_sbom.yml index bd3eaae088..334fb6f93d 100644 --- a/.github/workflows/generate_sbom.yml +++ b/.github/workflows/generate_sbom.yml @@ -37,7 +37,7 @@ jobs: - name: Install endorctl and Scan with Endor Labs uses: endorlabs/github-action@519df81de5f68536c84ae05ebb2986d0bb1d19fc # Release v1.1.8 with: - additional_args: "--languages=c --include-path=\"$INCLUDE_PATH\"" + additional_args: "--languages=c --include-path=\"${{env.INCLUDE_PATH}}\"" log_level: info log_verbose: false namespace: ${{env.ENDOR_NAMESPACE}} From 5af3896906fcc7046b4782e71ff037a421cee8f6 Mon Sep 17 00:00:00 2001 From: Jason Hills Date: Fri, 21 Nov 2025 17:36:54 -0500 Subject: [PATCH 20/23] Add dot slash to include pattern --- .github/workflows/generate_sbom.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/.github/workflows/generate_sbom.yml b/.github/workflows/generate_sbom.yml index 334fb6f93d..ee15f4f3e8 100644 --- a/.github/workflows/generate_sbom.yml +++ b/.github/workflows/generate_sbom.yml @@ -27,8 +27,8 @@ jobs: with: submodules: recursive - - name: Install libsasl2-dev - run: sudo apt install -y libsasl2-dev + - name: Install dev libs + run: sudo apt install -y libsasl2-dev libsnappy-dev libssl-dev libmongocrypt-dev - name: Configure CMake and fetch dependency source run: cmake .. -DCMAKE_BUILD_TYPE=${{env.BUILD_TYPE}} -DCMAKE_CXX_STANDARD=${{env.CXX_STANDARD}} @@ -46,7 +46,7 @@ jobs: tags: github_action env: ENDOR_SCAN_EMBEDDINGS: true - INCLUDE_PATH: "build/_deps/**" # Use env to properly escape glob pattern + INCLUDE_PATH: "./build/_deps/**" # Use env to properly escape glob pattern # - uses: actions/setup-python@v6 # with: From 147f6ec03652ebd0ae538afc4d6f6b9cd4dc8c4b Mon Sep 17 00:00:00 2001 From: Jason Hills Date: Fri, 21 Nov 2025 17:48:55 -0500 Subject: [PATCH 21/23] Try **/_deps/** --- .github/workflows/generate_sbom.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/generate_sbom.yml b/.github/workflows/generate_sbom.yml index ee15f4f3e8..8f9e8c59db 100644 --- a/.github/workflows/generate_sbom.yml +++ b/.github/workflows/generate_sbom.yml @@ -46,7 +46,7 @@ jobs: tags: github_action env: ENDOR_SCAN_EMBEDDINGS: true - INCLUDE_PATH: "./build/_deps/**" # Use env to properly escape glob pattern + INCLUDE_PATH: "**/_deps/**" # Use env to properly escape glob pattern # - uses: actions/setup-python@v6 # with: From ceff966fb85f25ae66f09d0d663edcdf5255e2df Mon Sep 17 00:00:00 2001 From: Jason Hills Date: Fri, 21 Nov 2025 17:52:18 -0500 Subject: [PATCH 22/23] Use scan_path --- .github/workflows/generate_sbom.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/generate_sbom.yml b/.github/workflows/generate_sbom.yml index 8f9e8c59db..4090d39061 100644 
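Review bot: The `Install dev libs` step in PATCH 20/23 runs `sudo apt install` without refreshing the package index and without pinning versions, so the four development libraries resolve to whatever the runner image's mirrors serve that day, or the step fails when the cached index is stale. Since this workflow exists to produce an SBOM, that drift can appear as run-to-run differences in the reported system dependencies, to the extent the scanner picks them up (not visible here). Suggest `run: sudo apt-get update && sudo apt-get install -y --no-install-recommends libsasl2-dev libsnappy-dev libssl-dev libmongocrypt-dev`; `apt-get` is preferred in scripts because `apt` does not promise a stable command-line interface.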
--- a/.github/workflows/generate_sbom.yml +++ b/.github/workflows/generate_sbom.yml @@ -37,16 +37,16 @@ jobs: - name: Install endorctl and Scan with Endor Labs uses: endorlabs/github-action@519df81de5f68536c84ae05ebb2986d0bb1d19fc # Release v1.1.8 with: - additional_args: "--languages=c --include-path=\"${{env.INCLUDE_PATH}}\"" + additional_args: --languages=c log_level: info log_verbose: false namespace: ${{env.ENDOR_NAMESPACE}} pr: false scan_dependencies: true + scan_path: build/_deps tags: github_action env: ENDOR_SCAN_EMBEDDINGS: true - INCLUDE_PATH: "**/_deps/**" # Use env to properly escape glob pattern # - uses: actions/setup-python@v6 # with: From e4375a5bd175794868ae0a19f77df21b2c92b4ac Mon Sep 17 00:00:00 2001 From: Jason Hills Date: Fri, 21 Nov 2025 18:07:50 -0500 Subject: [PATCH 23/23] Remove path --- .github/workflows/generate_sbom.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/generate_sbom.yml b/.github/workflows/generate_sbom.yml index 4090d39061..e8f6e60d06 100644 --- a/.github/workflows/generate_sbom.yml +++ b/.github/workflows/generate_sbom.yml @@ -43,7 +43,6 @@ jobs: namespace: ${{env.ENDOR_NAMESPACE}} pr: false scan_dependencies: true - scan_path: build/_deps tags: github_action env: ENDOR_SCAN_EMBEDDINGS: true