scthornton/codellama-13b-securecode

@@ -1,362 +1,207 @@
 ---
-license: apache-2.0
 base_model: codellama/CodeLlama-13b-Instruct-hf
 tags:
-- code
-- security
-- codellama
-- meta
-- securecode
-- owasp
-- vulnerability-detection
 datasets:
-- scthornton/securecode-v2
-language:
-- en
-library_name: transformers
 pipeline_tag: text-generation
-arxiv: 2512.18542
 ---
-# CodeLlama 13B - SecureCode Edition
 <div align="center">
-[![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
-[![Training Dataset](https://img.shields.io/badge/dataset-SecureCode%20v2.0-green.svg)](https://huggingface.co/datasets/scthornton/securecode-v2)
-[![Base Model](https://img.shields.io/badge/base-CodeLlama%2013B-orange.svg)](https://huggingface.co/codellama/CodeLlama-13b-Instruct-hf)
-[![perfecXion.ai](https://img.shields.io/badge/by-perfecXion.ai-purple.svg)](https://perfecxion.ai)
-**Meta's trusted code model enhanced with security expertise - enterprise-ready**
-[📄 Paper](https://arxiv.org/abs/2512.18542) | [🤗 Model Card](https://huggingface.co/scthornton/codellama-13b-securecode) | [📊 Dataset](https://huggingface.co/datasets/scthornton/securecode-v2) | [💻 perfecXion.ai](https://perfecxion.ai)
 </div>
 ---
-## 🎯 What is This?
-This is **CodeLlama 13B Instruct** fine-tuned on the **SecureCode v2.0 dataset** - Meta's established code model with strong brand recognition and enterprise adoption, now enhanced with production-grade security knowledge.
-CodeLlama is built on Llama 2's foundation, trained on **500B tokens** of code and code-adjacent data. Combined with SecureCode training, this model delivers:
-✅ **Enterprise-grade security awareness** across multiple languages
-✅ **Trusted brand** backed by Meta's reputation
-✅ **Robust code generation** with security as a first-class concern
-✅ **Production-ready reliability** from extensively tested base model
-**The Result:** A proven, enterprise-trusted code model with comprehensive security capabilities.
-**Why CodeLlama 13B?** This model offers:
-- 🏢 **Enterprise trust** - Widely adopted in production environments
-- 🔐 **Strong security baseline** - 13B parameters for complex security reasoning
-- 📈 **Proven track record** - Millions of downloads, extensive real-world testing
-- 🎯 **Balanced performance** - Better than 7B models without 70B resource requirements
-- ⚖️ **Commercial friendly** - Permissive license from Meta
----
-## 🚨 The Problem This Solves
-**AI coding assistants produce vulnerable code in 45% of security-relevant scenarios** (Veracode 2025). Enterprises deploying code generation tools face significant risk without security awareness.
-**Real-world enterprise impact:**
-- Equifax breach: **$425 million** settlement + reputation damage
-- Capital One: **100 million** customer records, $80M fine
-- SolarWinds: **18,000** organizations compromised
-CodeLlama SecureCode Edition brings enterprise-grade security to Meta's trusted code generation platform.
----
-## 💡 Key Features
-### 🏢 Enterprise-Grade Foundation
-CodeLlama 13B delivers strong performance:
-- HumanEval: **50.0%** pass@1 (13B)
-- MultiPL-E: **45.5%** average across languages
-- Widely deployed in enterprise environments
-- Extensive real-world validation
-Now enhanced with **1,209 security-focused examples** covering OWASP Top 10:2025.
-### 🔐 Comprehensive Security Training
-Trained on real-world security incidents:
-- **224 examples** of Broken Access Control vulnerabilities
-- **199 examples** of Authentication Failures
-- **125 examples** of Injection attacks (SQL, Command, XSS)
-- **115 examples** of Cryptographic Failures
-- Complete **OWASP Top 10:2025** coverage
-### 🌍 Multi-Language Security Expertise
-Fine-tuned on security examples across:
-- Python (Django, Flask, FastAPI)
-- JavaScript/TypeScript (Express, NestJS, React)
-- Java (Spring Boot) - CodeLlama's strength
-- C++ (Memory safety patterns)
-- Go (Gin framework)
-- PHP (Laravel, Symfony)
-- C# (ASP.NET Core)
-- Ruby (Rails)
-- Rust (Actix, Rocket)
-### 📋 Production Security Guidance
-Every response includes:
-1. **Vulnerable implementation** demonstrating the flaw
-2. **Secure implementation** with enterprise best practices
-3. **Attack demonstration** with realistic exploit scenarios
-4. **Operational guidance** - SIEM integration, compliance, monitoring
----
-## 📊 Training Details
-| Parameter | Value |
-|-----------|-------|
-| **Base Model** | codellama/CodeLlama-13b-Instruct-hf |
-| **Fine-tuning Method** | LoRA (Low-Rank Adaptation) |
-| **Training Dataset** | [SecureCode v2.0](https://huggingface.co/datasets/scthornton/securecode-v2) |
-| **Dataset Size** | 841 training examples |
-| **Training Epochs** | 3 |
-| **LoRA Rank (r)** | 16 |
-| **LoRA Alpha** | 32 |
-| **Learning Rate** | 2e-4 |
-| **Quantization** | 4-bit (bitsandbytes) |
-| **Trainable Parameters** | ~68M (0.52% of 13B total) |
-| **Total Parameters** | 13B |
-| **Context Window** | 16K tokens |
-| **GPU Used** | NVIDIA A100 40GB |
-| **Training Time** | ~110 minutes (estimated) |
-### Training Methodology
-**LoRA fine-tuning** preserves CodeLlama's enterprise reliability:
-- Trains only 0.52% of parameters
-- Maintains code generation quality
-- Adds comprehensive security understanding
-- Minimal deployment overhead
-**Enterprise deployment ready** - Compatible with existing CodeLlama deployments.
----
-## 🚀 Usage
-### Quick Start
 ```python
-from transformers import AutoModelForCausalLM, AutoTokenizer
 from peft import PeftModel
-# Load base model
-base_model = "codellama/CodeLlama-13b-Instruct-hf"
-model = AutoModelForCausalLM.from_pretrained(
-    base_model,
-    device_map="auto",
-    torch_dtype="auto"
-)
-tokenizer = AutoTokenizer.from_pretrained(base_model)
-# Load SecureCode adapter
-model = PeftModel.from_pretrained(model, "scthornton/codellama-13b-securecode")
-# Generate secure enterprise code
-prompt = """### User:
-Write a secure Spring Boot controller for user registration that handles all OWASP Top 10 concerns.
-### Assistant:
-"""
-inputs = tokenizer(prompt, return_tensors="pt").to(model.device)
-outputs = model.generate(**inputs, max_new_tokens=2048, temperature=0.7)
-response = tokenizer.decode(outputs[0], skip_special_tokens=True)
-print(response)
-```
-### Enterprise Deployment (4-bit Quantization)
-```python
 from transformers import AutoModelForCausalLM, AutoTokenizer, BitsAndBytesConfig
-from peft import PeftModel
-# 4-bit quantization - runs on 24GB GPU
 bnb_config = BitsAndBytesConfig(
     load_in_4bit=True,
-    bnb_4bit_use_double_quant=True,
     bnb_4bit_quant_type="nf4",
-    bnb_4bit_compute_dtype="bfloat16"
 )
-model = AutoModelForCausalLM.from_pretrained(
     "codellama/CodeLlama-13b-Instruct-hf",
     quantization_config=bnb_config,
-    device_map="auto"
 )
-model = PeftModel.from_pretrained(model, "scthornton/codellama-13b-securecode")
-tokenizer = AutoTokenizer.from_pretrained("codellama/CodeLlama-13b-Instruct-hf")
-# Production-ready deployment
-```
-### Integration with LangChain (Enterprise Use Case)
-```python
-from langchain.llms import HuggingFacePipeline
-from transformers import AutoModelForCausalLM, pipeline
-from peft import PeftModel
-base_model = AutoModelForCausalLM.from_pretrained("codellama/CodeLlama-13b-Instruct-hf", device_map="auto")
 model = PeftModel.from_pretrained(base_model, "scthornton/codellama-13b-securecode")
-tokenizer = AutoTokenizer.from_pretrained("codellama/CodeLlama-13b-Instruct-hf")
-pipe = pipeline("text-generation", model=model, tokenizer=tokenizer, max_new_tokens=2048)
-llm = HuggingFacePipeline(pipeline=pipe)
-# Enterprise security workflow
-security_chain = LLMChain(llm=llm, prompt=security_prompt_template)
-review_result = security_chain.run(code=enterprise_codebase)
 ```
----
-## 🎯 Use Cases
-### 1. **Enterprise Security Code Review**
-Review mission-critical code for vulnerabilities:
-```
-Perform a comprehensive security audit of this payment processing module
-```
-### 2. **Compliance-Focused Code Generation**
-Generate code meeting SOC 2, PCI-DSS, HIPAA requirements:
-```
-Write a HIPAA-compliant patient data access controller with audit logging
-```
-### 3. **Legacy System Remediation**
-Modernize and secure legacy codebases:
-```
-Refactor this legacy Java authentication system to meet current security standards
-```
-### 4. **Security Architecture Review**
-Analyze architectural security:
-```
-Review this microservices architecture for security vulnerabilities and attack vectors
-```
-### 5. **Secure API Development**
-Generate production-ready secure APIs:
-```
-Create a RESTful API for financial transactions with comprehensive security controls
-```
----
-## ⚠️ Limitations
-### What This Model Does Well
-✅ Enterprise-grade security code generation
-✅ Trusted brand with proven track record
-✅ Strong performance on security-critical code
-✅ Comprehensive security explanations
-### What This Model Doesn't Do
-❌ Not a replacement for security audits
-❌ Cannot guarantee compliance certification
-❌ Not legal/regulatory advice
-❌ Not a replacement for security professionals
----
-## 📈 Performance Benchmarks
-### Hardware Requirements
-**Minimum:**
-- 28GB RAM
-- 20GB GPU VRAM (with 4-bit quantization)
-**Recommended:**
-- 48GB RAM
-- 24GB+ GPU (RTX 3090, RTX 4090, A5000)
-**Inference Speed (on A100 40GB):**
-- ~50 tokens/second (4-bit quantization)
-- ~70 tokens/second (bfloat16)
-### Code Generation (Base Model Scores)
-| Benchmark | Score |
-|-----------|-------|
-| HumanEval | 50.0% |
-| MultiPL-E | 45.5% |
-| Enterprise deployments | 100,000+ |
----
-## 🔬 Dataset Information
-Trained on **[SecureCode v2.0](https://huggingface.co/datasets/scthornton/securecode-v2)**:
-- **1,209 examples** with real CVE grounding
-- **100% incident validation**
-- **OWASP Top 10:2025** complete coverage
-- **Expert security review**
----
-## 📄 License
-**Model:** Apache 2.0 | **Dataset:** CC BY-NC-SA 4.0
-**Enterprise-friendly licensing** from Meta + perfecXion.ai
----
-## 📚 Citation
 ```bibtex
-@misc{thornton2025securecode-codellama,
-  title={CodeLlama 13B - SecureCode Edition},
   author={Thornton, Scott},
-  year={2025},
   publisher={perfecXion.ai},
-  url={https://huggingface.co/scthornton/codellama-13b-securecode}
 }
 ```
----
-## 🙏 Acknowledgments
-- **Meta AI** for CodeLlama's enterprise-grade foundation
-- **OWASP Foundation** for vulnerability taxonomy
-- **MITRE** for CVE database
-- **Enterprise security teams** for real-world validation
----
-## 🔗 Related Models
-- **[llama-3.2-3b-securecode](https://huggingface.co/scthornton/llama-3.2-3b-securecode)** - Most accessible (3B)
-- **[qwen-coder-7b-securecode](https://huggingface.co/scthornton/qwen-coder-7b-securecode)** - Best code model (7B)
-- **[deepseek-coder-6.7b-securecode](https://huggingface.co/scthornton/deepseek-coder-6.7b-securecode)** - Security-optimized (6.7B)
-- **[starcoder2-15b-securecode](https://huggingface.co/scthornton/starcoder2-15b-securecode)** - Multi-language (15B)
-[View Collection](https://huggingface.co/collections/scthornton/securecode)
----
-<div align="center">
-**Built with ❤️ for secure enterprise software development**
-[perfecXion.ai](https://perfecxion.ai) | [Contact](mailto:scott@perfecxion.ai)
-</div>

 ---
+license: llama2
 base_model: codellama/CodeLlama-13b-Instruct-hf
 tags:
+  - security
+  - cybersecurity
+  - secure-coding
+  - ai-security
+  - owasp
+  - code-generation
+  - qlora
+  - lora
+  - fine-tuned
+  - securecode
 datasets:
+  - scthornton/securecode
+library_name: peft
 pipeline_tag: text-generation
+language:
+  - code
+  - en
 ---
+# CodeLlama 13B SecureCode
 <div align="center">
+![Parameters](https://img.shields.io/badge/params-13B-blue.svg)
+![Dataset](https://img.shields.io/badge/dataset-2,185_examples-green.svg)
+![OWASP](https://img.shields.io/badge/OWASP-Top_10_2021_+_LLM_Top_10_2025-orange.svg)
+![Method](https://img.shields.io/badge/method-QLoRA_4--bit-purple.svg)
+**Security-specialized code model fine-tuned on the [SecureCode](https://huggingface.co/datasets/scthornton/securecode) dataset**
+[Dataset](https://huggingface.co/datasets/scthornton/securecode) | [Paper (arXiv:2512.18542)](https://arxiv.org/abs/2512.18542) | [Model Collection](https://huggingface.co/collections/scthornton/securecode) | [perfecXion.ai](https://perfecxion.ai)
 </div>
 ---
+## What This Model Does
+This model generates **secure code** when developers ask about building features. Instead of producing vulnerable implementations (which AI coding assistants do in 45% of security-relevant scenarios, per Veracode 2025), it:
+- Identifies the security risks in common coding patterns
+- Provides vulnerable *and* secure implementations side by side
+- Explains how attackers would exploit the vulnerability
+- Includes defense-in-depth guidance: logging, monitoring, SIEM integration, infrastructure hardening
+The model was fine-tuned on **2,185 security training examples** covering both traditional web security (OWASP Top 10 2021) and AI/ML security (OWASP LLM Top 10 2025).
+## Model Details
+| | |
+|---|---|
+| **Base Model** | [CodeLlama 13B Instruct](https://huggingface.co/codellama/CodeLlama-13b-Instruct-hf) |
+| **Parameters** | 13B |
+| **Architecture** | Llama 2 |
+| **Tier** | Tier 3: Large Model |
+| **Method** | QLoRA (4-bit NormalFloat quantization) |
+| **LoRA Rank** | 16 (alpha=32) |
+| **Target Modules** | `q_proj, k_proj, v_proj, o_proj, gate_proj, up_proj, down_proj` (7 modules) |
+| **Training Data** | [scthornton/securecode](https://huggingface.co/datasets/scthornton/securecode) (2,185 examples) |
+| **Hardware** | NVIDIA A100 40GB |
+CodeLlama 13B Instruct is Meta's code-specialized Llama 2 variant. At 13B parameters, it sits in the collection's large tier, which targets deeper security reasoning while keeping strong code understanding.
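As a rough check on what a rank-16 adapter over the seven target modules adds, the sketch below counts LoRA parameters per decoder layer. The layer dimensions (`HIDDEN_SIZE`, `INTERMEDIATE_SIZE`, `NUM_LAYERS`) are assumptions taken from the Llama 2 13B architecture and are not stated in this card; verify them against the base model's `config.json` before relying on the total.

```python
# Assumed Llama 2 13B dimensions (not stated in the card; check config.json).
HIDDEN_SIZE = 5120
INTERMEDIATE_SIZE = 13824
NUM_LAYERS = 40
LORA_RANK = 16  # from the Model Details table

# (in_features, out_features) of each adapted linear layer in one decoder block.
TARGET_SHAPES = {
    "q_proj": (HIDDEN_SIZE, HIDDEN_SIZE),
    "k_proj": (HIDDEN_SIZE, HIDDEN_SIZE),
    "v_proj": (HIDDEN_SIZE, HIDDEN_SIZE),
    "o_proj": (HIDDEN_SIZE, HIDDEN_SIZE),
    "gate_proj": (HIDDEN_SIZE, INTERMEDIATE_SIZE),
    "up_proj": (HIDDEN_SIZE, INTERMEDIATE_SIZE),
    "down_proj": (INTERMEDIATE_SIZE, HIDDEN_SIZE),
}


def lora_params(in_features, out_features, rank):
    """LoRA adds A (rank x in_features) and B (out_features x rank), no bias."""
    return rank * (in_features + out_features)


def total_lora_params(rank=LORA_RANK):
    """Sum adapter parameters over all target modules and all decoder layers."""
    per_layer = sum(lora_params(i, o, rank) for i, o in TARGET_SHAPES.values())
    return per_layer * NUM_LAYERS


total = total_lora_params()
print(f"{total:,} adapter parameters ({total / 13e9:.2%} of a nominal 13B)")
```

Under these assumptions the adapter is well under 1% of the base model's size, which is why only the adapter weights need to be distributed alongside the base checkpoint.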
+## Quick Start
 ```python
 from peft import PeftModel
 from transformers import AutoModelForCausalLM, AutoTokenizer, BitsAndBytesConfig
+import torch
+# Load with 4-bit quantization (matches training)
 bnb_config = BitsAndBytesConfig(
     load_in_4bit=True,
     bnb_4bit_quant_type="nf4",
+    bnb_4bit_compute_dtype=torch.bfloat16,
 )
+base_model = AutoModelForCausalLM.from_pretrained(
     "codellama/CodeLlama-13b-Instruct-hf",
     quantization_config=bnb_config,
+    device_map="auto",
 )
+tokenizer = AutoTokenizer.from_pretrained("scthornton/codellama-13b-securecode")
 model = PeftModel.from_pretrained(base_model, "scthornton/codellama-13b-securecode")
+# Ask a security-relevant coding question
+messages = [
+    {"role": "user", "content": "How do I implement JWT authentication with refresh tokens in Python?"}
+]
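+inputs = tokenizer.apply_chat_template(
+    messages, add_generation_prompt=True, return_tensors="pt"
+).to(model.device)
+# temperature only takes effect when sampling is enabled
+outputs = model.generate(inputs, max_new_tokens=2048, do_sample=True, temperature=0.7)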
+print(tokenizer.decode(outputs[0], skip_special_tokens=True))
 ```
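For sizing a GPU before running the Quick Start, a back-of-the-envelope estimate of weight memory can help. The sketch below assumes a nominal 13B parameter count and counts only the base weights. It ignores quantization constants, the LoRA adapter, activations, and the KV cache, so real usage will be higher.

```python
def weight_memory_gib(num_params, bits_per_param):
    """Approximate memory for model weights alone, in GiB."""
    return num_params * bits_per_param / 8 / 2**30


NUM_PARAMS = 13e9  # nominal parameter count; the exact figure differs slightly

nf4_gib = weight_memory_gib(NUM_PARAMS, 4)    # 4-bit NF4, as in the Quick Start
bf16_gib = weight_memory_gib(NUM_PARAMS, 16)  # unquantized bf16, for comparison

print(f"NF4 weights:  ~{nf4_gib:.1f} GiB")
print(f"bf16 weights: ~{bf16_gib:.1f} GiB")
```

The gap between the two figures is the main reason the Quick Start loads the base model in 4-bit.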
+## Training Details
+### Dataset
+Trained on the full **[SecureCode](https://huggingface.co/datasets/scthornton/securecode)** unified dataset:
+- **2,185 total examples** (1,435 web security + 750 AI/ML security)
+- **20 vulnerability categories** across OWASP Top 10 2021 and OWASP LLM Top 10 2025
+- **12+ programming languages** and **49+ frameworks**
+- **4-turn conversational structure**: feature request, vulnerable/secure implementations, advanced probing, operational guidance
+- **100% incident grounding**: every example tied to real CVEs, vendor advisories, or published attack research
+### Hyperparameters
+| Parameter | Value |
+|-----------|-------|
+| LoRA rank | 16 |
+| LoRA alpha | 32 |
+| LoRA dropout | 0.05 |
+| Target modules | 7 linear layers |
+| Quantization | 4-bit NormalFloat (NF4) |
+| Learning rate | 2e-4 |
+| LR scheduler | Cosine with 100-step warmup |
+| Epochs | 3 |
+| Per-device batch size | 2 |
+| Gradient accumulation | 8x |
+| Effective batch size | 16 |
+| Max sequence length | 2048 tokens |
+| Optimizer | paged_adamw_8bit |
+| Precision | bf16 |
+**Notes:** The max sequence length was reduced to 2048 tokens so that training fits in the A100's 40GB of memory. The resulting model is strong at multi-turn security reasoning.
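The table's batch and schedule settings can be tied together with a little arithmetic. The sketch below is illustrative only: it assumes a single GPU and that all 2,185 examples are used for training (the card does not say whether a validation split was held out), and it uses the common linear-warmup-then-half-cosine formula. Exact step counts depend on how the trainer rounds partial batches.

```python
import math

NUM_EXAMPLES = 2185    # assumption: full dataset used for training
PER_DEVICE_BATCH = 2   # from the hyperparameter table
GRAD_ACCUM = 8         # from the hyperparameter table
NUM_GPUS = 1           # assumption: single A100
EPOCHS = 3
WARMUP_STEPS = 100
BASE_LR = 2e-4

effective_batch = PER_DEVICE_BATCH * GRAD_ACCUM * NUM_GPUS
steps_per_epoch = math.ceil(NUM_EXAMPLES / effective_batch)
total_steps = steps_per_epoch * EPOCHS


def lr_at(step):
    """Learning rate at an optimizer step: linear warmup, then cosine decay to 0."""
    if step < WARMUP_STEPS:
        return BASE_LR * step / WARMUP_STEPS
    progress = (step - WARMUP_STEPS) / max(1, total_steps - WARMUP_STEPS)
    return BASE_LR * 0.5 * (1.0 + math.cos(math.pi * progress))


print(f"effective batch size: {effective_batch}")
print(f"approx. optimizer steps: {total_steps} ({steps_per_epoch} per epoch)")
for step in (0, 50, WARMUP_STEPS, total_steps // 2, total_steps):
    print(f"step {step:>3}: lr = {lr_at(step):.2e}")
```

With these assumptions, the 100 warmup steps cover roughly a quarter of the run, so the learning rate spends a noticeable share of training below its 2e-4 peak.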
+## Security Coverage
+### Web Security (1,435 examples)
+OWASP Top 10 2021: Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable Components, Authentication Failures, Software Integrity Failures, Logging/Monitoring Failures, SSRF.
+Languages: Python, JavaScript, Java, Go, PHP, C#, TypeScript, Ruby, Rust, Kotlin, YAML.
+### AI/ML Security (750 examples)
+OWASP LLM Top 10 2025: Prompt Injection, Sensitive Information Disclosure, Supply Chain Vulnerabilities, Data/Model Poisoning, Improper Output Handling, Excessive Agency, System Prompt Leakage, Vector/Embedding Weaknesses, Misinformation, Unbounded Consumption.
+Frameworks: LangChain, OpenAI, Anthropic, HuggingFace, LlamaIndex, ChromaDB, Pinecone, FastAPI, Flask, vLLM, CrewAI, and 30+ more.
+## SecureCode Model Collection
+This model is part of the **SecureCode** collection of 8 security-specialized models:
+| Model | Base | Size | Tier | HuggingFace |
+|-------|------|------|------|-------------|
+| Llama 3.2 SecureCode | meta-llama/Llama-3.2-3B-Instruct | 3B | Accessible | [`llama-3.2-3b-securecode`](https://huggingface.co/scthornton/llama-3.2-3b-securecode) |
+| Qwen2.5 Coder SecureCode | Qwen/Qwen2.5-Coder-7B-Instruct | 7B | Mid-size | [`qwen2.5-coder-7b-securecode`](https://huggingface.co/scthornton/qwen2.5-coder-7b-securecode) |
+| DeepSeek Coder SecureCode | deepseek-ai/deepseek-coder-6.7b-instruct | 6.7B | Mid-size | [`deepseek-coder-6.7b-securecode`](https://huggingface.co/scthornton/deepseek-coder-6.7b-securecode) |
+| CodeGemma SecureCode | google/codegemma-7b-it | 7B | Mid-size | [`codegemma-7b-securecode`](https://huggingface.co/scthornton/codegemma-7b-securecode) |
+| CodeLlama SecureCode | codellama/CodeLlama-13b-Instruct-hf | 13B | Large | [`codellama-13b-securecode`](https://huggingface.co/scthornton/codellama-13b-securecode) |
+| Qwen2.5 Coder 14B SecureCode | Qwen/Qwen2.5-Coder-14B-Instruct | 14B | Large | [`qwen2.5-coder-14b-securecode`](https://huggingface.co/scthornton/qwen2.5-coder-14b-securecode) |
+| StarCoder2 SecureCode | bigcode/starcoder2-15b-instruct-v0.1 | 15B | Large | [`starcoder2-15b-securecode`](https://huggingface.co/scthornton/starcoder2-15b-securecode) |
+| Granite 20B Code SecureCode | ibm-granite/granite-20b-code-instruct-8k | 20B | XL | [`granite-20b-code-securecode`](https://huggingface.co/scthornton/granite-20b-code-securecode) |
+Choose based on your deployment constraints: **3B** for edge/mobile, **7B** for general use, **13B-15B** for deeper reasoning, **20B** for maximum capability.
+## SecureCode Dataset Family
+| Dataset | Examples | Focus | Link |
+|---------|----------|-------|------|
+| **SecureCode** | 2,185 | Unified (web + AI/ML) | [scthornton/securecode](https://huggingface.co/datasets/scthornton/securecode) |
+| SecureCode Web | 1,435 | Web security (OWASP Top 10 2021) | [scthornton/securecode-web](https://huggingface.co/datasets/scthornton/securecode-web) |
+| SecureCode AI/ML | 750 | AI/ML security (OWASP LLM Top 10 2025) | [scthornton/securecode-aiml](https://huggingface.co/datasets/scthornton/securecode-aiml) |
+## Intended Use
+**Use this model for:**
+- Training AI coding assistants to write secure code
+- Security education and training
+- Vulnerability research and secure code review
+- Building security-aware development tools
+**Do not use this model for:**
+- Offensive exploitation or automated attack generation
+- Circumventing security controls
+- Any activity that violates the base model's license
+## Citation
 ```bibtex
+@misc{thornton2026securecode,
+  title={SecureCode: A Production-Grade Multi-Turn Dataset for Training Security-Aware Code Generation Models},
   author={Thornton, Scott},
+  year={2026},
   publisher={perfecXion.ai},
+  url={https://huggingface.co/datasets/scthornton/securecode},
+  note={arXiv:2512.18542}
 }
 ```
+## Links
+- **Dataset**: [scthornton/securecode](https://huggingface.co/datasets/scthornton/securecode)
+- **Research Paper**: [arXiv:2512.18542](https://arxiv.org/abs/2512.18542)
+- **Model Collection**: [huggingface.co/collections/scthornton/securecode](https://huggingface.co/collections/scthornton/securecode)
+- **Author**: [perfecXion.ai](https://perfecxion.ai)
+## License
+This model is released under the **llama2** license (inherited from the base model). The training dataset ([SecureCode](https://huggingface.co/datasets/scthornton/securecode)) is licensed under **CC BY-NC-SA 4.0**.