File size: 11,173 Bytes

---
license: apache-2.0
base_model: codellama/CodeLlama-13b-Instruct-hf
tags:
- code
- security
- codellama
- meta
- securecode
- owasp
- vulnerability-detection
datasets:
- scthornton/securecode-v2
language:
- en
library_name: transformers
pipeline_tag: text-generation
arxiv: 2512.18542
---

# CodeLlama 13B - SecureCode Edition

<div align="center">

[![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
[![Training Dataset](https://img.shields.io/badge/dataset-SecureCode%20v2.0-green.svg)](https://huggingface.co/datasets/scthornton/securecode-v2)
[![Base Model](https://img.shields.io/badge/base-CodeLlama%2013B-orange.svg)](https://huggingface.co/codellama/CodeLlama-13b-Instruct-hf)
[![perfecXion.ai](https://img.shields.io/badge/by-perfecXion.ai-purple.svg)](https://perfecxion.ai)

**Meta's trusted code model enhanced with security expertise - enterprise-ready**

[📄 Paper](https://arxiv.org/abs/2512.18542) | [🤗 Model Card](https://huggingface.co/scthornton/codellama-13b-securecode) | [📊 Dataset](https://huggingface.co/datasets/scthornton/securecode-v2) | [💻 perfecXion.ai](https://perfecxion.ai)

</div>

---

## 🎯 What is This?

This is **CodeLlama 13B Instruct** fine-tuned on the **SecureCode v2.0 dataset** - Meta's established code model with strong brand recognition and enterprise adoption, now enhanced with production-grade security knowledge.

CodeLlama is built on Llama 2's foundation, trained on **500B tokens** of code and code-adjacent data. Combined with SecureCode training, this model delivers:

✅ **Enterprise-grade security awareness** across multiple languages
✅ **Trusted brand** backed by Meta's reputation
✅ **Robust code generation** with security as a first-class concern
✅ **Production-ready reliability** from extensively tested base model

**The Result:** A proven, enterprise-trusted code model with comprehensive security capabilities.

**Why CodeLlama 13B?** This model offers:
- 🏢 **Enterprise trust** - Widely adopted in production environments
- 🔐 **Strong security baseline** - 13B parameters for complex security reasoning
- 📈 **Proven track record** - Millions of downloads, extensive real-world testing
- 🎯 **Balanced performance** - Better than 7B models without 70B resource requirements
- ⚖️ **Commercial friendly** - Permissive license from Meta

---

## 🚨 The Problem This Solves

**AI coding assistants produce vulnerable code in 45% of security-relevant scenarios** (Veracode 2025). Enterprises deploying code generation tools face significant risk without security awareness.

**Real-world enterprise impact:**
- Equifax breach: **$425 million** settlement + reputation damage
- Capital One: **100 million** customer records, $80M fine
- SolarWinds: **18,000** organizations compromised

CodeLlama SecureCode Edition brings enterprise-grade security to Meta's trusted code generation platform.

---

## 💡 Key Features

### 🏢 Enterprise-Grade Foundation

CodeLlama 13B delivers strong performance:
- HumanEval: **50.0%** pass@1 (13B)
- MultiPL-E: **45.5%** average across languages
- Widely deployed in enterprise environments
- Extensive real-world validation

Now enhanced with **1,209 security-focused examples** covering OWASP Top 10:2025.

### 🔐 Comprehensive Security Training

Trained on real-world security incidents:
- **224 examples** of Broken Access Control vulnerabilities
- **199 examples** of Authentication Failures
- **125 examples** of Injection attacks (SQL, Command, XSS)
- **115 examples** of Cryptographic Failures
- Complete **OWASP Top 10:2025** coverage

### 🌍 Multi-Language Security Expertise

Fine-tuned on security examples across:
- Python (Django, Flask, FastAPI)
- JavaScript/TypeScript (Express, NestJS, React)
- Java (Spring Boot) - CodeLlama's strength
- C++ (Memory safety patterns)
- Go (Gin framework)
- PHP (Laravel, Symfony)
- C# (ASP.NET Core)
- Ruby (Rails)
- Rust (Actix, Rocket)

### 📋 Production Security Guidance

Every response includes:
1. **Vulnerable implementation** demonstrating the flaw
2. **Secure implementation** with enterprise best practices
3. **Attack demonstration** with realistic exploit scenarios
4. **Operational guidance** - SIEM integration, compliance, monitoring

---

## 📊 Training Details

| Parameter | Value |
|-----------|-------|
| **Base Model** | codellama/CodeLlama-13b-Instruct-hf |
| **Fine-tuning Method** | LoRA (Low-Rank Adaptation) |
| **Training Dataset** | [SecureCode v2.0](https://huggingface.co/datasets/scthornton/securecode-v2) |
| **Dataset Size** | 841 training examples |
| **Training Epochs** | 3 |
| **LoRA Rank (r)** | 16 |
| **LoRA Alpha** | 32 |
| **Learning Rate** | 2e-4 |
| **Quantization** | 4-bit (bitsandbytes) |
| **Trainable Parameters** | ~68M (0.52% of 13B total) |
| **Total Parameters** | 13B |
| **Context Window** | 16K tokens |
| **GPU Used** | NVIDIA A100 40GB |
| **Training Time** | ~110 minutes (estimated) |

### Training Methodology

**LoRA fine-tuning** preserves CodeLlama's enterprise reliability:
- Trains only 0.52% of parameters
- Maintains code generation quality
- Adds comprehensive security understanding
- Minimal deployment overhead

**Enterprise deployment ready** - Compatible with existing CodeLlama deployments.

---

## 🚀 Usage

### Quick Start

```python
from transformers import AutoModelForCausalLM, AutoTokenizer
from peft import PeftModel

# Load base model
base_model = "codellama/CodeLlama-13b-Instruct-hf"
model = AutoModelForCausalLM.from_pretrained(
    base_model,
    device_map="auto",
    torch_dtype="auto"
)
tokenizer = AutoTokenizer.from_pretrained(base_model)

# Load SecureCode adapter
model = PeftModel.from_pretrained(model, "scthornton/codellama-13b-securecode")

# Generate secure enterprise code
prompt = """### User:
Write a secure Spring Boot controller for user registration that handles all OWASP Top 10 concerns.

### Assistant:
"""

inputs = tokenizer(prompt, return_tensors="pt").to(model.device)
outputs = model.generate(**inputs, max_new_tokens=2048, temperature=0.7)
response = tokenizer.decode(outputs[0], skip_special_tokens=True)
print(response)
```

### Enterprise Deployment (4-bit Quantization)

```python
from transformers import AutoModelForCausalLM, AutoTokenizer, BitsAndBytesConfig
from peft import PeftModel

# 4-bit quantization - runs on 24GB GPU
bnb_config = BitsAndBytesConfig(
    load_in_4bit=True,
    bnb_4bit_use_double_quant=True,
    bnb_4bit_quant_type="nf4",
    bnb_4bit_compute_dtype="bfloat16"
)

model = AutoModelForCausalLM.from_pretrained(
    "codellama/CodeLlama-13b-Instruct-hf",
    quantization_config=bnb_config,
    device_map="auto"
)

model = PeftModel.from_pretrained(model, "scthornton/codellama-13b-securecode")
tokenizer = AutoTokenizer.from_pretrained("codellama/CodeLlama-13b-Instruct-hf")

# Production-ready deployment
```

### Integration with LangChain (Enterprise Use Case)

```python
from langchain.llms import HuggingFacePipeline
from transformers import AutoModelForCausalLM, pipeline
from peft import PeftModel

base_model = AutoModelForCausalLM.from_pretrained("codellama/CodeLlama-13b-Instruct-hf", device_map="auto")
model = PeftModel.from_pretrained(base_model, "scthornton/codellama-13b-securecode")
tokenizer = AutoTokenizer.from_pretrained("codellama/CodeLlama-13b-Instruct-hf")

pipe = pipeline("text-generation", model=model, tokenizer=tokenizer, max_new_tokens=2048)
llm = HuggingFacePipeline(pipeline=pipe)

# Enterprise security workflow
security_chain = LLMChain(llm=llm, prompt=security_prompt_template)
review_result = security_chain.run(code=enterprise_codebase)
```

---

## 🎯 Use Cases

### 1. **Enterprise Security Code Review**
Review mission-critical code for vulnerabilities:
```
Perform a comprehensive security audit of this payment processing module
```

### 2. **Compliance-Focused Code Generation**
Generate code meeting SOC 2, PCI-DSS, HIPAA requirements:
```
Write a HIPAA-compliant patient data access controller with audit logging
```

### 3. **Legacy System Remediation**
Modernize and secure legacy codebases:
```
Refactor this legacy Java authentication system to meet current security standards
```

### 4. **Security Architecture Review**
Analyze architectural security:
```
Review this microservices architecture for security vulnerabilities and attack vectors
```

### 5. **Secure API Development**
Generate production-ready secure APIs:
```
Create a RESTful API for financial transactions with comprehensive security controls
```

---

## ⚠️ Limitations

### What This Model Does Well
✅ Enterprise-grade security code generation
✅ Trusted brand with proven track record
✅ Strong performance on security-critical code
✅ Comprehensive security explanations

### What This Model Doesn't Do
❌ Not a replacement for security audits
❌ Cannot guarantee compliance certification
❌ Not legal/regulatory advice
❌ Not a replacement for security professionals

---

## 📈 Performance Benchmarks

### Hardware Requirements

**Minimum:**
- 28GB RAM
- 20GB GPU VRAM (with 4-bit quantization)

**Recommended:**
- 48GB RAM
- 24GB+ GPU (RTX 3090, RTX 4090, A5000)

**Inference Speed (on A100 40GB):**
- ~50 tokens/second (4-bit quantization)
- ~70 tokens/second (bfloat16)

### Code Generation (Base Model Scores)

| Benchmark | Score |
|-----------|-------|
| HumanEval | 50.0% |
| MultiPL-E | 45.5% |
| Enterprise deployments | 100,000+ |

---

## 🔬 Dataset Information

Trained on **[SecureCode v2.0](https://huggingface.co/datasets/scthornton/securecode-v2)**:
- **1,209 examples** with real CVE grounding
- **100% incident validation**
- **OWASP Top 10:2025** complete coverage
- **Expert security review**

---

## 📄 License

**Model:** Apache 2.0 | **Dataset:** CC BY-NC-SA 4.0

**Enterprise-friendly licensing** from Meta + perfecXion.ai

---

## 📚 Citation

```bibtex
@misc{thornton2025securecode-codellama,
  title={CodeLlama 13B - SecureCode Edition},
  author={Thornton, Scott},
  year={2025},
  publisher={perfecXion.ai},
  url={https://huggingface.co/scthornton/codellama-13b-securecode}
}
```

---

## 🙏 Acknowledgments

- **Meta AI** for CodeLlama's enterprise-grade foundation
- **OWASP Foundation** for vulnerability taxonomy
- **MITRE** for CVE database
- **Enterprise security teams** for real-world validation

---

## 🔗 Related Models

- **[llama-3.2-3b-securecode](https://huggingface.co/scthornton/llama-3.2-3b-securecode)** - Most accessible (3B)
- **[qwen-coder-7b-securecode](https://huggingface.co/scthornton/qwen-coder-7b-securecode)** - Best code model (7B)
- **[deepseek-coder-6.7b-securecode](https://huggingface.co/scthornton/deepseek-coder-6.7b-securecode)** - Security-optimized (6.7B)
- **[starcoder2-15b-securecode](https://huggingface.co/scthornton/starcoder2-15b-securecode)** - Multi-language (15B)

[View Collection](https://huggingface.co/collections/scthornton/securecode)

---

<div align="center">

**Built with ❤️ for secure enterprise software development**

[perfecXion.ai](https://perfecxion.ai) | [Contact](mailto:scott@perfecxion.ai)

</div>