Add Support for Custom Anthropic API Base URL and Authentication Token #59

Open
nikhillalkota wants to merge 2 commits into anthropics:main from nikhillalkota:feature/custom-api-proxy-support

@nikhillalkota
Summary

This PR adds support for routing Claude API requests through custom proxy servers, specifically tested with LiteLLM proxy. This enables organizations to use their existing API gateway infrastructure, implement custom rate limiting, add monitoring/logging, and manage costs centrally.

Changes Made

  1. GitHub Action Configuration (action.yml)

Added two new optional inputs:

anthropic-base-url:
  description: 'Custom Anthropic API base URL (e.g., for LiteLLM proxy: https://litellm.prod.example.com)'
  required: false
  default: ''

anthropic-auth-token:
  description: 'Alternative authentication token (use instead of claude-api-key for LiteLLM)'
  required: false
  default: ''

These inputs are passed to the audit script via environment variables (action.yml:260-261):

  • ANTHROPIC_BASE_URL
  • ANTHROPIC_AUTH_TOKEN

  2. Claude API Client (claudecode/claude_api_client.py)

Modified ClaudeAPIClient.__init__():

  • Added base_url parameter to constructor
  • Implemented authentication token priority: api_key parameter > ANTHROPIC_API_KEY > ANTHROPIC_AUTH_TOKEN
  • Read custom base URL from base_url parameter or ANTHROPIC_BASE_URL environment variable
  • SECURITY: Validate base URL before use
    • Raises ValueError with descriptive error if validation fails
    • Prevents malicious URLs from being used
  • Pass base_url to Anthropic client initialization when valid
  • Added logging to show when custom base URL is used

  3. Findings Filter (claudecode/findings_filter.py)

Modified FindingsFilter.__init__():

  • Added base_url parameter
  • Pass base_url to ClaudeAPIClient initialization
  • Maintains backward compatibility; works with or without base URL

  4. GitHub Action Audit Script (claudecode/github_action_audit.py)

Enhanced authentication validation:

  • Check for either ANTHROPIC_API_KEY or ANTHROPIC_AUTH_TOKEN
  • Provide helpful error messages showing both standard API and LiteLLM proxy configuration examples
  • Clear guidance when neither authentication method is provided

Modified initialize_findings_filter():

  • Read ANTHROPIC_BASE_URL from environment
  • Pass base_url to FindingsFilter initialization
  • Check for ANTHROPIC_AUTH_TOKEN as alternative to ANTHROPIC_API_KEY

Modified validate_claude_available() (github_action_audit.py:327-329):

  • Updated to check for both ANTHROPIC_API_KEY and ANTHROPIC_AUTH_TOKEN

  5. Documentation (README.md)

Added new section demonstrating LiteLLM proxy usage:

- uses: anthropics/claude-code-security-review@main
  with:
    comment-pr: true
    anthropic-base-url: https://litellm.proxy.example.com
    anthropic-auth-token: ${{ secrets.LITELLM_TOKEN }}

Updated configuration table to document both new parameters

  6. Improved gh CLI Detection (scripts/comment-pr-findings.js)

  • Added findGhBinary() function for better gh CLI detection
  • Checks multiple paths including user-installed locations (~/.local/bin/gh)
  • Improves reliability on self-hosted runners

Breaking Changes

None. All changes are backward compatible. Existing workflows using only claude-api-key continue to work unchanged.
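
A sketch of the credential priority and base-URL check listed in the description above, as an added example rather than code from this PR. The function names and the specific validation rules (https only, a host present, no embedded credentials, no query or fragment) are assumptions, since the description does not state which checks the PR performs.

```python
import os
from urllib.parse import urlsplit


def validate_base_url(url):
    """Return a normalized https base URL or raise ValueError.

    The rules here are assumed for illustration: the endpoint receives the
    auth token and the code under review, so it must be an unambiguous
    https origin.
    """
    url = url.strip()
    if any(ch.isspace() for ch in url):
        raise ValueError("base URL must not contain whitespace")
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"base URL must use https, got scheme {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("base URL has no host")
    if parts.username or parts.password:
        raise ValueError("base URL must not embed credentials")
    if parts.query or parts.fragment:
        raise ValueError("base URL must not carry a query string or fragment")
    try:
        parts.port  # property raises ValueError on a malformed or out-of-range port
    except ValueError:
        raise ValueError("base URL has an invalid port") from None
    return f"https://{parts.netloc}{parts.path.rstrip('/')}"


def resolve_client_config(api_key=None, base_url=None, env=None):
    """Apply the priority from the PR description and validate the URL."""
    env = os.environ if env is None else env
    # api_key parameter > ANTHROPIC_API_KEY > ANTHROPIC_AUTH_TOKEN
    token = api_key or env.get("ANTHROPIC_API_KEY") or env.get("ANTHROPIC_AUTH_TOKEN")
    if not token:
        raise ValueError("set ANTHROPIC_API_KEY or ANTHROPIC_AUTH_TOKEN")
    # base_url parameter, then ANTHROPIC_BASE_URL; empty means the default API
    raw = base_url or env.get("ANTHROPIC_BASE_URL") or ""
    return {"token": token, "base_url": validate_base_url(raw) if raw else None}


if __name__ == "__main__":
    # Constructed environment, not real credentials.
    demo_env = {"ANTHROPIC_AUTH_TOKEN": "constructed-token",
                "ANTHROPIC_BASE_URL": "https://litellm.proxy.example.com/"}
    print(resolve_client_config(env=demo_env))
```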


@danielpops danielpops left a comment

I was going to implement something similar :) thanks for this :)

@SamYuan1990

LGTM, can anyone help review this PR?

As this repo can provide security scans for open source community code repos, I suppose ANTHROPIC_BASE_URL is good for different communities with different LLM providers.
Or I hope/wonder whether Anthropic provides a community edition for security scans?
