Add paper citation and comprehensive model card (#2)

c1642d2 verified about 11 hours ago

11.2 kB

	---
	license: apache-2.0
	base_model: codellama/CodeLlama-13b-Instruct-hf
	tags:
	- code
	- security
	- codellama
	- meta
	- securecode
	- owasp
	- vulnerability-detection
	datasets:
	- scthornton/securecode-v2
	language:
	- en
	library_name: transformers
	pipeline_tag: text-generation
	arxiv: 2512.18542
	---

	# CodeLlama 13B - SecureCode Edition

	<div align="center">

	[![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
	[![Training Dataset](https://img.shields.io/badge/dataset-SecureCode%20v2.0-green.svg)](https://huggingface.co/datasets/scthornton/securecode-v2)
	[![Base Model](https://img.shields.io/badge/base-CodeLlama%2013B-orange.svg)](https://huggingface.co/codellama/CodeLlama-13b-Instruct-hf)
	[![perfecXion.ai](https://img.shields.io/badge/by-perfecXion.ai-purple.svg)](https://perfecxion.ai)

	Meta's trusted code model enhanced with security expertise - enterprise-ready

	[📄 Paper](https://arxiv.org/abs/2512.18542) \| [🤗 Model Card](https://huggingface.co/scthornton/codellama-13b-securecode) \| [📊 Dataset](https://huggingface.co/datasets/scthornton/securecode-v2) \| [💻 perfecXion.ai](https://perfecxion.ai)

	</div>

	---

	## 🎯 What is This?

	This is CodeLlama 13B Instruct fine-tuned on the SecureCode v2.0 dataset - Meta's established code model with strong brand recognition and enterprise adoption, now enhanced with production-grade security knowledge.

	CodeLlama is built on Llama 2's foundation, trained on 500B tokens of code and code-adjacent data. Combined with SecureCode training, this model delivers:

	✅ Enterprise-grade security awareness across multiple languages
	✅ Trusted brand backed by Meta's reputation
	✅ Robust code generation with security as a first-class concern
	✅ Production-ready reliability from extensively tested base model

	The Result: A proven, enterprise-trusted code model with comprehensive security capabilities.

	Why CodeLlama 13B? This model offers:
	- 🏢 Enterprise trust - Widely adopted in production environments
	- 🔐 Strong security baseline - 13B parameters for complex security reasoning
	- 📈 Proven track record - Millions of downloads, extensive real-world testing
	- 🎯 Balanced performance - Better than 7B models without 70B resource requirements
	- ⚖️ Commercial friendly - Permissive license from Meta

	---

	## 🚨 The Problem This Solves

	AI coding assistants produce vulnerable code in 45% of security-relevant scenarios (Veracode 2025). Enterprises deploying code generation tools face significant risk without security awareness.

	Real-world enterprise impact:
	- Equifax breach: $425 million settlement + reputation damage
	- Capital One: 100 million customer records, $80M fine
	- SolarWinds: 18,000 organizations compromised

	CodeLlama SecureCode Edition brings enterprise-grade security to Meta's trusted code generation platform.

	---

	## 💡 Key Features

	### 🏢 Enterprise-Grade Foundation

	CodeLlama 13B delivers strong performance:
	- HumanEval: 50.0% pass@1 (13B)
	- MultiPL-E: 45.5% average across languages
	- Widely deployed in enterprise environments
	- Extensive real-world validation

	Now enhanced with 1,209 security-focused examples covering OWASP Top 10:2025.

	### 🔐 Comprehensive Security Training

	Trained on real-world security incidents:
	- 224 examples of Broken Access Control vulnerabilities
	- 199 examples of Authentication Failures
	- 125 examples of Injection attacks (SQL, Command, XSS)
	- 115 examples of Cryptographic Failures
	- Complete OWASP Top 10:2025 coverage

	### 🌍 Multi-Language Security Expertise

	Fine-tuned on security examples across:
	- Python (Django, Flask, FastAPI)
	- JavaScript/TypeScript (Express, NestJS, React)
	- Java (Spring Boot) - CodeLlama's strength
	- C++ (Memory safety patterns)
	- Go (Gin framework)
	- PHP (Laravel, Symfony)
	- C# (ASP.NET Core)
	- Ruby (Rails)
	- Rust (Actix, Rocket)

	### 📋 Production Security Guidance

	Every response includes:
	1. Vulnerable implementation demonstrating the flaw
	2. Secure implementation with enterprise best practices
	3. Attack demonstration with realistic exploit scenarios
	4. Operational guidance - SIEM integration, compliance, monitoring

	---

	## 📊 Training Details

	\| Parameter \| Value \|
	\|-----------\|-------\|
	\| Base Model \| codellama/CodeLlama-13b-Instruct-hf \|
	\| Fine-tuning Method \| LoRA (Low-Rank Adaptation) \|
	\| Training Dataset \| [SecureCode v2.0](https://huggingface.co/datasets/scthornton/securecode-v2) \|
	\| Dataset Size \| 841 training examples \|
	\| Training Epochs \| 3 \|
	\| LoRA Rank (r) \| 16 \|
	\| LoRA Alpha \| 32 \|
	\| Learning Rate \| 2e-4 \|
	\| Quantization \| 4-bit (bitsandbytes) \|
	\| Trainable Parameters \| ~68M (0.52% of 13B total) \|
	\| Total Parameters \| 13B \|
	\| Context Window \| 16K tokens \|
	\| GPU Used \| NVIDIA A100 40GB \|
	\| Training Time \| ~110 minutes (estimated) \|

	### Training Methodology

	LoRA fine-tuning preserves CodeLlama's enterprise reliability:
	- Trains only 0.52% of parameters
	- Maintains code generation quality
	- Adds comprehensive security understanding
	- Minimal deployment overhead

	Enterprise deployment ready - Compatible with existing CodeLlama deployments.

	---

	## 🚀 Usage

	### Quick Start

	```python
	from transformers import AutoModelForCausalLM, AutoTokenizer
	from peft import PeftModel

	# Load base model
	base_model = "codellama/CodeLlama-13b-Instruct-hf"
	model = AutoModelForCausalLM.from_pretrained(
	base_model,
	device_map="auto",
	torch_dtype="auto"
	)
	tokenizer = AutoTokenizer.from_pretrained(base_model)

	# Load SecureCode adapter
	model = PeftModel.from_pretrained(model, "scthornton/codellama-13b-securecode")

	# Generate secure enterprise code
	prompt = """### User:
	Write a secure Spring Boot controller for user registration that handles all OWASP Top 10 concerns.

	### Assistant:
	"""

	inputs = tokenizer(prompt, return_tensors="pt").to(model.device)
	outputs = model.generate(**inputs, max_new_tokens=2048, temperature=0.7)
	response = tokenizer.decode(outputs[0], skip_special_tokens=True)
	print(response)
	```

	### Enterprise Deployment (4-bit Quantization)

	```python
	from transformers import AutoModelForCausalLM, AutoTokenizer, BitsAndBytesConfig
	from peft import PeftModel

	# 4-bit quantization - runs on 24GB GPU
	bnb_config = BitsAndBytesConfig(
	load_in_4bit=True,
	bnb_4bit_use_double_quant=True,
	bnb_4bit_quant_type="nf4",
	bnb_4bit_compute_dtype="bfloat16"
	)

	model = AutoModelForCausalLM.from_pretrained(
	"codellama/CodeLlama-13b-Instruct-hf",
	quantization_config=bnb_config,
	device_map="auto"
	)

	model = PeftModel.from_pretrained(model, "scthornton/codellama-13b-securecode")
	tokenizer = AutoTokenizer.from_pretrained("codellama/CodeLlama-13b-Instruct-hf")

	# Production-ready deployment
	```

	### Integration with LangChain (Enterprise Use Case)

	```python
	from langchain.llms import HuggingFacePipeline
	from transformers import AutoModelForCausalLM, pipeline
	from peft import PeftModel

	base_model = AutoModelForCausalLM.from_pretrained("codellama/CodeLlama-13b-Instruct-hf", device_map="auto")
	model = PeftModel.from_pretrained(base_model, "scthornton/codellama-13b-securecode")
	tokenizer = AutoTokenizer.from_pretrained("codellama/CodeLlama-13b-Instruct-hf")

	pipe = pipeline("text-generation", model=model, tokenizer=tokenizer, max_new_tokens=2048)
	llm = HuggingFacePipeline(pipeline=pipe)

	# Enterprise security workflow
	security_chain = LLMChain(llm=llm, prompt=security_prompt_template)
	review_result = security_chain.run(code=enterprise_codebase)
	```

	---

	## 🎯 Use Cases

	### 1. Enterprise Security Code Review
	Review mission-critical code for vulnerabilities:
	```
	Perform a comprehensive security audit of this payment processing module
	```

	### 2. Compliance-Focused Code Generation
	Generate code meeting SOC 2, PCI-DSS, HIPAA requirements:
	```
	Write a HIPAA-compliant patient data access controller with audit logging
	```

	### 3. Legacy System Remediation
	Modernize and secure legacy codebases:
	```
	Refactor this legacy Java authentication system to meet current security standards
	```

	### 4. Security Architecture Review
	Analyze architectural security:
	```
	Review this microservices architecture for security vulnerabilities and attack vectors
	```

	### 5. Secure API Development
	Generate production-ready secure APIs:
	```
	Create a RESTful API for financial transactions with comprehensive security controls
	```

	---

	## ⚠️ Limitations

	### What This Model Does Well
	✅ Enterprise-grade security code generation
	✅ Trusted brand with proven track record
	✅ Strong performance on security-critical code
	✅ Comprehensive security explanations

	### What This Model Doesn't Do
	❌ Not a replacement for security audits
	❌ Cannot guarantee compliance certification
	❌ Not legal/regulatory advice
	❌ Not a replacement for security professionals

	---

	## 📈 Performance Benchmarks

	### Hardware Requirements

	Minimum:
	- 28GB RAM
	- 20GB GPU VRAM (with 4-bit quantization)

	Recommended:
	- 48GB RAM
	- 24GB+ GPU (RTX 3090, RTX 4090, A5000)

	Inference Speed (on A100 40GB):
	- ~50 tokens/second (4-bit quantization)
	- ~70 tokens/second (bfloat16)

	### Code Generation (Base Model Scores)

	\| Benchmark \| Score \|
	\|-----------\|-------\|
	\| HumanEval \| 50.0% \|
	\| MultiPL-E \| 45.5% \|
	\| Enterprise deployments \| 100,000+ \|

	---

	## 🔬 Dataset Information

	Trained on [SecureCode v2.0](https://huggingface.co/datasets/scthornton/securecode-v2):
	- 1,209 examples with real CVE grounding
	- 100% incident validation
	- OWASP Top 10:2025 complete coverage
	- Expert security review

	---

	## 📄 License

	Model: Apache 2.0 \| Dataset: CC BY-NC-SA 4.0

	Enterprise-friendly licensing from Meta + perfecXion.ai

	---

	## 📚 Citation

	```bibtex
	@misc{thornton2025securecode-codellama,
	title={CodeLlama 13B - SecureCode Edition},
	author={Thornton, Scott},
	year={2025},
	publisher={perfecXion.ai},
	url={https://huggingface.co/scthornton/codellama-13b-securecode}
	}
	```

	---

	## 🙏 Acknowledgments

	- Meta AI for CodeLlama's enterprise-grade foundation
	- OWASP Foundation for vulnerability taxonomy
	- MITRE for CVE database
	- Enterprise security teams for real-world validation

	---

	## 🔗 Related Models

	- [llama-3.2-3b-securecode](https://huggingface.co/scthornton/llama-3.2-3b-securecode) - Most accessible (3B)
	- [qwen-coder-7b-securecode](https://huggingface.co/scthornton/qwen-coder-7b-securecode) - Best code model (7B)
	- [deepseek-coder-6.7b-securecode](https://huggingface.co/scthornton/deepseek-coder-6.7b-securecode) - Security-optimized (6.7B)
	- [starcoder2-15b-securecode](https://huggingface.co/scthornton/starcoder2-15b-securecode) - Multi-language (15B)

	[View Collection](https://huggingface.co/collections/scthornton/securecode)

	---

	<div align="center">

	Built with ❤️ for secure enterprise software development

	[perfecXion.ai](https://perfecxion.ai) \| [Contact](mailto:scott@perfecxion.ai)

	</div>