---
license: apache-2.0
base_model: Qwen/Qwen2.5-Coder-7B-Instruct
tags:
  - security
  - code-review
  - vulnerability-detection
  - sast
  - false-positive-reduction
  - gguf
  - qwen2
  - ollama
language:
  - en
pipeline_tag: text-generation
model-index:
  - name: kon-security-v5
    results:
      - task:
          type: text-generation
          name: Security Code Review
        metrics:
          - name: Accuracy
            type: accuracy
            value: 98.1
          - name: F1 Score
            type: f1
            value: 0.99
          - name: False Positive Rate
            type: custom
            value: 0.0
          - name: JSON Compliance
            type: custom
            value: 100.0
---

# kon-security-v5

**Expert Security Code Reviewer** - A fine-tuned Qwen2.5-Coder-7B model specialized for security vulnerability detection and false positive reduction in SAST (Static Application Security Testing) pipelines.

## Model Details

| Property | Value |
|----------|-------|
| Base Model | [Qwen2.5-Coder-7B-Instruct](https://huggingface.co/Qwen/Qwen2.5-Coder-7B-Instruct) |
| Fine-tuning | QLoRA (4-bit quantization) |
| Quantization | Q4_K_M (GGUF) |
| Parameters | 7.6B |
| Context Length | 32,768 tokens |
| File Size | ~4.7 GB |
| Format | GGUF (Ollama-compatible) |

## Performance

| Metric | Score |
|--------|-------|
| Overall Accuracy | **98.1%** |
| F1 Score | **0.99** |
| False Positive Rate | **0.0%** |
| JSON Compliance | **100%** |
| Avg Response Time | **2.8s** |

## Capabilities

- Identifies true security vulnerabilities across 20+ vulnerability categories
- Eliminates false positives from SAST tools (SQL injection, XSS, command injection, etc.)
- Provides structured JSON output with verdict, confidence, CWE IDs, severity, and remediation
- Understands framework-specific safe patterns (React, Django, Express, Rails, etc.)
- Supports taint analysis reasoning (source-to-sink tracking)

## Vulnerability Categories

CRITICAL: SQL Injection (CWE-89), Command Injection (CWE-78), Deserialization (CWE-502), Hardcoded Secrets (CWE-798), Code Injection (CWE-94)

HIGH: XSS (CWE-79), Path Traversal (CWE-22), SSRF (CWE-918), Timing Attacks (CWE-208), Buffer Overflow (CWE-120)

MEDIUM: Weak Crypto (CWE-327), Insecure Random (CWE-330), Information Disclosure (CWE-200), Missing Auth (CWE-306)

## Usage with Ollama

```bash
# Pull the model
ollama pull kon-security/kon-security-v5

# Or create from GGUF
ollama create kon-security-v5 -f Modelfile

# Run
ollama run kon-security-v5
```

### Example Prompt

```
<|im_start|>system
You are an expert security code reviewer...
<|im_end|>
<|im_start|>user
Analyze this code for SQL injection:
query = f"SELECT * FROM users WHERE id = {user_id}"
<|im_end|>
<|im_start|>assistant
```

### Example Response

```json
{
  "verdict": "TRUE_POSITIVE",
  "is_vulnerable": true,
  "confidence": 0.97,
  "cwe_ids": ["CWE-89"],
  "severity": "CRITICAL",
  "reasoning": "f-string interpolates user_id directly into SQL query without parameterization",
  "remediation": "cursor.execute('SELECT * FROM users WHERE id = ?', (user_id,))"
}
```

## System Prompt

The model is fine-tuned with the following system prompt baked in:

```
You are an expert security code reviewer specializing in identifying true
vulnerabilities and eliminating false positives. You analyze code with deep
understanding of security patterns across all languages and frameworks.

CRITICAL RULES:
1. Parameterized queries (?, $1, %s, :param) = SAFE from SQL injection
2. textContent, createTextNode = SAFE from XSS
3. React JSX {variable} = SAFE from XSS (React auto-escapes)
4. subprocess.run([list, args]) without shell=True = SAFE from command injection
5. json.loads/JSON.parse = SAFE (cannot execute code)
6. secure_filename() from werkzeug = SAFE from path traversal
7. bcrypt/argon2/scrypt for password hashing = SAFE
8. HMAC.compare_digest/timingSafeEqual = SAFE from timing attacks
9. DOMPurify.sanitize() = SAFE from XSS
10. MD5/SHA1 for non-security purposes (checksums, cache keys) = SAFE
11. Test files testing security scanners = SAFE
12. Environment variables for secrets = SAFE (not hardcoded)
13. ORM methods (Django .filter(), Rails .where(hash), SQLAlchemy) = SAFE from SQLi
14. Content-Security-Policy, helmet(), CORS allowlists = SAFE
```

## Integration with Kon Security Scanner

This model is the default LLM for the [Kon Security Scanner](https://github.com/kon-security/kon), providing:

- SAST finding validation and FP reduction
- CWE ID mapping
- Severity assessment
- Remediation suggestions

```python
from kon.core.ollama_analyzer import OllamaAnalyzer

analyzer = OllamaAnalyzer(model="kon-security-v5:latest")
result = analyzer.analyze_finding_enhanced(
    code_snippet="query = f'SELECT * FROM users WHERE id = {user_id}'",
    vulnerability_type="SQL Injection",
    file_path="app/db.py",
    line_number=42
)
print(result.verdict)  # TRUE_POSITIVE
```

## Training Details

- **Method**: QLoRA (4-bit quantization-aware fine-tuning)
- **Base**: Qwen2.5-Coder-7B-Instruct
- **Dataset**: Curated security code review examples covering 20+ CWE categories
- **Hardware**: NVIDIA GPU with CUDA support
- **Quantization**: Q4_K_M via llama.cpp

## License

Apache 2.0 (same as base model)