Merge pull request #54 from Contrast-Security-OSS/AIML-122-add-claude-code-external-agent-config

AIML-122: add claude code external agent config

Author: dougj-contrast

README.md

@@ -222,6 +222,48 @@ This is an example variation of the workflow file for use with the GitHub Copilo
   # The Closed and Merge Handler jobs remain the same as the previous example as well.
 ```
 
+### Installation and Configuration for Claude Code Coding Agent
+- NOTE: The Claude GitHub app is required to be installed in your GitHub organization or repository.
+- Please see: https://docs.anthropic.com/en/docs/claude-code/github-actions
+This is an example variation of the workflow file for use with the Claude Code Coding Agent:
+```
+  # The beginning of the workflow file is the same as the previous example.
+
+  # Use a variation of this 'generate_fixes' job in order to run with the Claude Code Coding Agent
+  generate_fixes:
+    name: Generate Fixes
+    runs-on: ubuntu-latest
+    if: github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'
+    steps:
+      # When using Claude Code, it is unnecessary to authenticate with an LLM API from this step.
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run Contrast AI SmartFix - Generate Fixes Action
+        uses: Contrast-Security-OSS/contrast-ai-smartfix-action@v1 # Replace with the latest version
+        with:
+          # Contrast Configuration
+          contrast_host: ${{ vars.CONTRAST_HOST }} # The host name of your Contrast SaaS instance, e.g. 'app.contrastsecurity.com'
+          contrast_org_id: ${{ vars.CONTRAST_ORG_ID }} # The UUID of your Contrast organization
+          contrast_app_id: ${{ vars.CONTRAST_APP_ID }} # The UUID that is specific to the application in this repository.
+          contrast_authorization_key: ${{ secrets.CONTRAST_AUTHORIZATION_KEY }}
+          contrast_api_key: ${{ secrets.CONTRAST_API_KEY }}
+
+          # GitHub Configuration
+          github_token: ${{ secrets.PAT_TOKEN }} # Necessary for creating Issues and mentioning Claude Code (@claude). This token should have read permission for metadata and read-write permission for issues and pulls. A best practice is to have an GitHub Organization service account create the PAT (an Organization admin may need to approve it)
+          base_branch: '${{ github.event.repository.default_branch }}' # This will default to your repo default branch (other common base branches are 'main', 'master' or 'develop')
+          coding_agent: 'CLAUDE_CODE' # Specify the use of Claude Code instead of the default SmartFix internal coding agent
+
+          # Other Optional Inputs (see action.yml for defaults and more options)
+          # formatting_command: 'mvn spotless:apply' # Or the command appropriate for your project to correct the formatting of SmartFix's changes.  This ensures that SmartFix follows your coding standards.
+          # max_open_prs: 5 # This is the maximum limit for the number of PRs that SmartFix will have open at single time
+
+  # The Closed and Merge Handler jobs remain the same as the previous example as well.
+```
+
 ### Supported LLMs (Bring Your Own LLM \- BYOLLM) for the SmartFix Coding Agent
 
 SmartFix uses a "Bring Your Own LLM" (BYOLLM) model. You provide the credentials for your preferred LLM provider.

action.yml

@@ -90,7 +90,7 @@ inputs:
     required: false
     default: 'true'
   coding_agent:
-    description: 'Specifies the coding agent to use for generating fixes. Allowed values: SMARTFIX, GITHUB_COPILOT.'
+    description: 'Specifies the coding agent to use for generating fixes. Allowed values: SMARTFIX, GITHUB_COPILOT, CLAUDE_CODE.'
     required: false
     default: 'SMARTFIX'
 

src/config.py

@@ -165,7 +165,7 @@ def _check_contrast_config_values_exist(self):
 
     def _get_coding_agent(self) -> str:
         coding_agent = self._get_env_var("CODING_AGENT", required=False, default="SMARTFIX")
-        valid_agents = ["SMARTFIX", "GITHUB_COPILOT"]
+        valid_agents = ["SMARTFIX", "GITHUB_COPILOT", "CLAUDE_CODE"]
         if coding_agent.upper() not in valid_agents:
             _log_config_message(f"Warning: Invalid CODING_AGENT '{coding_agent}'. Must be one of {valid_agents}. Defaulting to 'SMARTFIX'.", is_warning=True)
             return "SMARTFIX"

src/external_coding_agent.py

@@ -155,6 +155,10 @@ def generate_fixes(self, vuln_uuid: str, remediation_id: str, vuln_title: str, i
         remediation_label = f"smartfix-id:{remediation_id}"
         issue_title = vuln_title
 
+        if self.config.CODING_AGENT == "CLAUDE_CODE":
+            debug_log("CLAUDE_CODE agent detected, tagging @claude in issue title for processing")
+            issue_title = f"@claude fix: {issue_title}"
+
         # Use the provided issue_body or fall back to default
         if issue_body is None:
             log(f"Failed to generate issue body for vulnerability id {vuln_uuid}", is_error=True)

src/git_handler.py

@@ -540,6 +540,10 @@ def create_issue(title: str, body: str, vuln_label: str, remediation_label: str)
             issue_number = int(os.path.basename(issue_url.strip()))
             log(f"Issue number extracted: {issue_number}")
 
+            if config.CODING_AGENT == "CLAUDE_CODE":
+                debug_log("CLAUDE_CODE agent detected no need to edit issue for assignment")
+                return issue_number
+
             # Now try to assign to @copilot separately
             assign_command = [
                 "gh", "issue", "edit",

src/main.py

@@ -333,7 +333,7 @@ def main():  # noqa: C901
             qa_system_prompt = vulnerability_data['qaSystemPrompt']
             qa_user_prompt = vulnerability_data['qaUserPrompt']
         else:
-            # For external coding agents (like GITHUB_COPILOT), get vulnerability details
+            # For external coding agents (GITHUB_COPILOT/CLAUDE_CODE), get vulnerability details
             log("\n::group::--- Fetching next vulnerability details from Contrast API ---")
             vulnerability_data = contrast_api.get_vulnerability_details(
                 config.CONTRAST_HOST, config.CONTRAST_ORG_ID, config.CONTRAST_APP_ID,