Text Generation
PEFT
Safetensors
code
English
security
cybersecurity
secure-coding
ai-security
owasp
code-generation
lora
fine-tuned
securecode
gemma-4
conversational
Instructions to use scthornton/gemma-4-e4b-securecode with libraries, inference providers, notebooks, and local apps. Follow these links to get started.
- Libraries
- PEFT
How to use scthornton/gemma-4-e4b-securecode with PEFT:
from peft import PeftModel from transformers import AutoModelForCausalLM base_model = AutoModelForCausalLM.from_pretrained("google/gemma-4-E4B-it") model = PeftModel.from_pretrained(base_model, "scthornton/gemma-4-e4b-securecode") - Notebooks
- Google Colab
- Kaggle
| license: gemma | |
| base_model: google/gemma-4-E4B-it | |
| tags: | |
| - security | |
| - cybersecurity | |
| - secure-coding | |
| - ai-security | |
| - owasp | |
| - code-generation | |
| - lora | |
| - fine-tuned | |
| - securecode | |
| - gemma-4 | |
| datasets: | |
| - scthornton/securecode | |
| library_name: peft | |
| pipeline_tag: text-generation | |
| language: | |
| - code | |
| - en | |
| # Gemma 4 E4B SecureCode | |
| <div align="center"> | |
| -blue.svg) | |
|  | |
|  | |
|  | |
| **Security-specialized code model fine-tuned on the [SecureCode](https://huggingface.co/datasets/scthornton/securecode) dataset** | |
| [Dataset](https://huggingface.co/datasets/scthornton/securecode) | [Paper (arXiv:2512.18542)](https://arxiv.org/abs/2512.18542) | [Model Collection](https://huggingface.co/collections/scthornton/securecode) | [perfecXion.ai](https://perfecxion.ai) | |
| </div> | |
| --- | |
| ## What This Model Does | |
| This model generates **secure code** when developers ask about building features. Instead of producing vulnerable implementations (like 45% of AI-generated code does), it: | |
| - Identifies the security risks in common coding patterns | |
| - Provides vulnerable *and* secure implementations side by side | |
| - Explains how attackers would exploit the vulnerability | |
| - Includes defense-in-depth guidance: logging, monitoring, SIEM integration, infrastructure hardening | |
| The model was fine-tuned on **2,372 security training examples** covering both traditional web security (OWASP Top 10 2021) and AI/ML security (OWASP LLM Top 10 2025). | |
| ## Model Details | |
| | | | | |
| |---|---| | |
| | **Base Model** | [Gemma 4 E4B Instruct](https://huggingface.co/google/gemma-4-E4B-it) | | |
| | **Parameters** | E4B (~8B raw, ~4B effective via per-layer embeddings) | | |
| | **Architecture** | Gemma 4 (multimodal base; fine-tuned and intended for text-only use) | | |
| | **Tier** | Tier 1: Accessible | | |
| | **Method** | bf16 LoRA (no quantization) | | |
| | **LoRA Rank** | 16 (alpha=32) | | |
| | **Target Modules** | `q_proj, k_proj, v_proj, o_proj, gate_proj, up_proj, down_proj` on the language model decoder (the 18 KV-shared layers own no k/v weights, so k_proj/v_proj are adapted on the 24 layers that have them) | | |
| | **Training Data** | [scthornton/securecode](https://huggingface.co/datasets/scthornton/securecode) (2,372 examples) | | |
| | **Hardware** | NVIDIA DGX Spark GB10 (Blackwell, unified memory) | | |
| Newest member of the SecureCode collection. Requires **transformers >= 5.13** (earlier 5.x versions have Gemma 4 training bugs; see notes below). | |
| ## Quick Start | |
| ```python | |
| from peft import PeftModel | |
| from transformers import AutoModelForCausalLM, AutoTokenizer | |
| import torch | |
| # Requires transformers >= 5.13 | |
| base_model = AutoModelForCausalLM.from_pretrained( | |
| "google/gemma-4-E4B-it", | |
| dtype=torch.bfloat16, | |
| device_map="auto", | |
| ) | |
| tokenizer = AutoTokenizer.from_pretrained("scthornton/gemma-4-e4b-securecode") | |
| model = PeftModel.from_pretrained(base_model, "scthornton/gemma-4-e4b-securecode") | |
| # Ask a security-relevant coding question (chat template required) | |
| messages = [ | |
| {"role": "user", "content": "How do I implement JWT authentication with refresh tokens in Python?"} | |
| ] | |
| inputs = tokenizer.apply_chat_template( | |
| messages, add_generation_prompt=True, return_tensors="pt" | |
| ).to(model.device) | |
| outputs = model.generate(inputs, max_new_tokens=2048, temperature=0.7) | |
| print(tokenizer.decode(outputs[0], skip_special_tokens=True)) | |
| ``` | |
| ## Training Details | |
| ### Dataset | |
| Trained on the full **[SecureCode](https://huggingface.co/datasets/scthornton/securecode)** unified dataset (audited release): | |
| - **2,372 total examples** (1,625 web security + 747 AI/ML security) | |
| - **20 vulnerability categories** across OWASP Top 10 2021 and OWASP LLM Top 10 2025 | |
| - **12+ programming languages** and **49+ frameworks** | |
| - **4-turn conversational structure**: feature request, vulnerable/secure implementations, advanced probing, operational guidance | |
| - **100% incident grounding**: every example tied to real CVEs, vendor advisories, or published attack research | |
| Unlike the rest of the collection (trained with `### User:` / `### Assistant:` role markers), this model was trained through **Gemma 4's own chat template**, matching its instruction tuning. | |
| ### Hyperparameters | |
| | Parameter | Value | | |
| |-----------|-------| | |
| | LoRA rank | 16 | | |
| | LoRA alpha | 32 | | |
| | LoRA dropout | 0.05 | | |
| | Target modules | language model decoder projections (see Model Details) | | |
| | Quantization | None (bf16 base weights) | | |
| | Learning rate | 2e-4 | | |
| | LR scheduler | Cosine with 100-step warmup | | |
| | Epochs | 3 | | |
| | Per-device batch size | 1 | | |
| | Gradient accumulation | 16x | | |
| | Effective batch size | 16 | | |
| | Max sequence length | 4096 tokens | | |
| | Optimizer | adamw_torch_fused | | |
| | Attention | PyTorch SDPA (fused) | | |
| | Precision | bf16 | | |
| **Notes:** Gradient checkpointing is deliberately OFF: Gemma 4 E4B's KV-shared layers read earlier layers' KV cache entries within a single forward pass, and checkpointing force-disables that cache, silently corrupting training. transformers 5.13+ also fixes `num_items_in_batch` loss normalization for this architecture. Trained text-only; the vision and audio towers are untouched by the LoRA adapter. | |
| ## Security Coverage | |
| ### Web Security (1,625 examples) | |
| OWASP Top 10 2021: Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable Components, Authentication Failures, Software Integrity Failures, Logging/Monitoring Failures, SSRF. | |
| Languages: Python, JavaScript, Java, Go, PHP, C#, TypeScript, Ruby, Rust, Kotlin, YAML. | |
| ### AI/ML Security (747 examples) | |
| OWASP LLM Top 10 2025: Prompt Injection, Sensitive Information Disclosure, Supply Chain Vulnerabilities, Data/Model Poisoning, Improper Output Handling, Excessive Agency, System Prompt Leakage, Vector/Embedding Weaknesses, Misinformation, Unbounded Consumption. | |
| Frameworks: LangChain, OpenAI, Anthropic, HuggingFace, LlamaIndex, ChromaDB, Pinecone, FastAPI, Flask, vLLM, CrewAI, and 30+ more. | |
| ## SecureCode Model Collection | |
| This model is part of the **SecureCode** collection of 9 security-specialized models: | |
| | Model | Base | Size | Tier | HuggingFace | | |
| |-------|------|------|------|-------------| | |
| | Llama 3.2 SecureCode | meta-llama/Llama-3.2-3B-Instruct | 3B | Accessible | [`llama-3.2-3b-securecode`](https://huggingface.co/scthornton/llama-3.2-3b-securecode) | | |
| | Gemma 4 E4B SecureCode | google/gemma-4-E4B-it | E4B (8B raw) | Accessible | [`gemma-4-e4b-securecode`](https://huggingface.co/scthornton/gemma-4-e4b-securecode) | | |
| | Qwen2.5 Coder SecureCode | Qwen/Qwen2.5-Coder-7B-Instruct | 7B | Mid-size | [`qwen2.5-coder-7b-securecode`](https://huggingface.co/scthornton/qwen2.5-coder-7b-securecode) | | |
| | DeepSeek Coder SecureCode | deepseek-ai/deepseek-coder-6.7b-instruct | 6.7B | Mid-size | [`deepseek-coder-6.7b-securecode`](https://huggingface.co/scthornton/deepseek-coder-6.7b-securecode) | | |
| | CodeGemma SecureCode | google/codegemma-7b-it | 7B | Mid-size | [`codegemma-7b-securecode`](https://huggingface.co/scthornton/codegemma-7b-securecode) | | |
| | CodeLlama SecureCode | codellama/CodeLlama-13b-Instruct-hf | 13B | Large | [`codellama-13b-securecode`](https://huggingface.co/scthornton/codellama-13b-securecode) | | |
| | Qwen2.5 Coder 14B SecureCode | Qwen/Qwen2.5-Coder-14B-Instruct | 14B | Large | [`qwen2.5-coder-14b-securecode`](https://huggingface.co/scthornton/qwen2.5-coder-14b-securecode) | | |
| | StarCoder2 SecureCode | bigcode/starcoder2-15b-instruct-v0.1 | 15B | Large | [`starcoder2-15b-securecode`](https://huggingface.co/scthornton/starcoder2-15b-securecode) | | |
| | Granite 20B Code SecureCode | ibm-granite/granite-20b-code-instruct-8k | 20B | XL | [`granite-20b-code-securecode`](https://huggingface.co/scthornton/granite-20b-code-securecode) | | |
| Choose based on your deployment constraints: **3B/E4B** for edge and resource-constrained use, **7B** for general use, **13B-15B** for deeper reasoning, **20B** for maximum capability. | |
| ## SecureCode Dataset Family | |
| | Dataset | Examples | Focus | Link | | |
| |---------|----------|-------|------| | |
| | **SecureCode** | 2,372 | Unified (web + AI/ML) | [scthornton/securecode](https://huggingface.co/datasets/scthornton/securecode) | | |
| | SecureCode Web | 1,625 | Web security (OWASP Top 10 2021) | [scthornton/securecode-web](https://huggingface.co/datasets/scthornton/securecode-web) | | |
| | SecureCode AI/ML | 747 | AI/ML security (OWASP LLM Top 10 2025) | [scthornton/securecode-aiml](https://huggingface.co/datasets/scthornton/securecode-aiml) | | |
| ## Intended Use | |
| **Use this model for:** | |
| - Training AI coding assistants to write secure code | |
| - Security education and training | |
| - Vulnerability research and secure code review | |
| - Building security-aware development tools | |
| **Do not use this model for:** | |
| - Offensive exploitation or automated attack generation | |
| - Circumventing security controls | |
| - Any activity that violates the base model's license | |
| ## Changelog | |
| - **2026-07 (v1, current)**: Initial release. Trained on the audited SecureCode release (**2,372 examples**: 1,625 web + 747 AI/ML) using **bf16 LoRA on an NVIDIA DGX Spark GB10 (Blackwell)**. Added to the SecureCode family alongside the 2026-07 refresh of the original 8 models. | |
| ## Citation | |
| ```bibtex | |
| @misc{thornton2026securecode, | |
| title={SecureCode: A Production-Grade Multi-Turn Dataset for Training Security-Aware Code Generation Models}, | |
| author={Thornton, Scott}, | |
| year={2026}, | |
| publisher={perfecXion.ai}, | |
| url={https://huggingface.co/datasets/scthornton/securecode}, | |
| note={arXiv:2512.18542} | |
| } | |
| ``` | |
| ## Links | |
| - **Dataset**: [scthornton/securecode](https://huggingface.co/datasets/scthornton/securecode) | |
| - **Paper**: [arXiv:2512.18542](https://arxiv.org/abs/2512.18542) | |
| - **Collection**: [SecureCode models](https://huggingface.co/collections/scthornton/securecode) | |
| - **perfecXion.ai**: [https://perfecxion.ai](https://perfecxion.ai) | |