## Summary
The false-positive filter step in claude-code-security-review@main calls a deprecated Haiku model and returns a 404, so FP filtering is silently disabled on every run.
## What I observed
Action `anthropics/claude-code-security-review@main`, run 2026-05-05.
`claudecode-error.log` from the artifact:
```
[claudecode.claude_api_client] Claude API client initialized successfully
[claudecode.claude_api_client] Claude API validation failed: Error code: 404 - {'type': 'error', 'error': {'type': 'not_found_error', 'message': 'model: claude-3-5-haiku-20241022'}, 'request_id': 'req_011Cak8XtmK9mzsk79cnKE6F'}
[claudecode.findings_filter] Claude API validation failed: API validation failed: Error code: 404 - {'type': 'error', 'error': {'type': 'not_found_error', 'message': 'model: claude-3-5-haiku-20241022'}, 'request_id': 'req_011Cak8XtmK9mzsk79cnKE6F'}
```
Main scan still completed successfully (`review_completed: true`, files reviewed correctly), so the failure is contained to the filter — but on a real PR with findings, every raw finding will be posted as a PR comment with no noise filtering.
## Cause
`claude-3-5-haiku-20241022` was deprecated by Anthropic. It's hardcoded as the FP-filter model in `claudecode/claude_api_client.py` (or wherever the filter model is wired).
## Suggested fix
Bump to `claude-haiku-4-5` — it's the natural drop-in replacement for the deprecated 3.5 Haiku. The FP-filter is a high-volume, low-complexity classification step (one short call per flagged finding), so Haiku-tier is the right cost/latency point — Sonnet/Opus would inflate CI cost on noisy PRs without meaningful accuracy gain on a binary "real vuln vs. noise" decision.
Even better: expose it as an action input (e.g. `false-positive-filter-model`) defaulting to `claude-haiku-4-5`, so consumers can override without forking — symmetric with the existing `claude-model` input on the main scan.
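To make the two points above concrete (a configurable filter model, and a filter that fails visibly rather than silently posting unfiltered findings), here is an added sketch. It is not code from the action; the `FP_FILTER_MODEL` environment variable, the `probe`/`classify` callables, `filter_findings` and the sample findings are all assumptions standing in for however the real `claudecode` package wires the filter.

```python
"""Added sketch (not the action's own code) of a configurable FP-filter model
that fails loudly when the API rejects it. All names here are assumptions."""
import os
from typing import Callable, Optional

# Default taken from the issue's suggestion. The env var name is hypothetical,
# standing in for however the action hands a `false-positive-filter-model`
# input to its Python step.
DEFAULT_FP_FILTER_MODEL = "claude-haiku-4-5"
FP_FILTER_MODEL_ENV = "FP_FILTER_MODEL"


class FilterModelUnavailable(RuntimeError):
    """The configured FP-filter model was rejected by the API (e.g. a 404)."""


def resolve_fp_filter_model(env: Optional[dict] = None) -> str:
    """Explicit input wins; otherwise fall back to the Haiku-tier default."""
    env = dict(os.environ) if env is None else env
    return env.get(FP_FILTER_MODEL_ENV, "").strip() or DEFAULT_FP_FILTER_MODEL


def validate_fp_filter_model(model: str, probe: Callable[[str], None]) -> None:
    """Run one cheap call against `model` and turn a rejection into a typed
    error, so the caller decides between aborting and annotating the output."""
    try:
        probe(model)
    except Exception as exc:  # the real client raises an SDK-specific error
        raise FilterModelUnavailable(
            f"FP-filter model {model!r} rejected: {exc}") from exc


def filter_findings(findings, model, probe, classify, fail_open=False):
    """Return (kept_findings, status).

    `status` is meant to be printed into the PR comment so a disabled filter is
    visible to the reviewer. With fail_open=False (the safer CI default) an
    unusable model aborts the filter step instead of posting raw findings."""
    try:
        validate_fp_filter_model(model, probe)
    except FilterModelUnavailable as exc:
        if not fail_open:
            raise
        return list(findings), f"filter disabled ({exc}); findings are unfiltered"
    kept = [f for f in findings if classify(model, f) == "real"]
    return kept, f"filtered {len(findings)} findings with {model}, kept {len(kept)}"


# --- constructed stand-ins for the API, so the sketch runs offline ----------
RETIRED_MODELS = {"claude-3-5-haiku-20241022"}  # the model id from the log


def fake_probe(model: str) -> None:
    """Mimics the 404 seen in claudecode-error.log for a retired model id."""
    if model in RETIRED_MODELS:
        raise LookupError(f"Error code: 404 - not_found_error: model: {model}")


def fake_classify(model: str, finding: dict) -> str:
    """Toy classifier: anything under a tests/ directory is treated as noise."""
    return "noise" if "/tests/" in finding["file"] else "real"


# Constructed sample findings, not real scan output.
SAMPLE_FINDINGS = [
    {"file": "src/auth.py", "title": "hardcoded secret"},
    {"file": "src/tests/test_auth.py", "title": "hardcoded secret"},
    {"file": "src/db.py", "title": "string-built SQL"},
]


if __name__ == "__main__":
    model = resolve_fp_filter_model({})
    kept, status = filter_findings(SAMPLE_FINDINGS, model, fake_probe, fake_classify)
    print(status)
    for f in kept:
        print(" -", f["file"], f["title"])
```

The design choice worth noting is the `status` string: whichever way the filter fails, the PR comment carries a line saying so, which is what was missing from the run described above (the 404 only appeared in the artifact log while the comment step proceeded as normal).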
## Workflow used
```yaml
- uses: anthropics/claude-code-security-review@main
  with:
    claude-api-key: ${{ secrets.CLAUDE_API_KEY }}
    comment-pr: true
    upload-results: true
    exclude-directories: "node_modules,dist,build,.next,coverage,..."
    claudecode-timeout: "20"
```
Happy to send a PR if useful.