scthornton commited on
Commit
98dd905
·
verified ·
1 Parent(s): 09e9e4f

Update model card: audited SecureCode 2,372 dataset, bf16 LoRA on DGX Spark GB10

Browse files
Files changed (1) hide show
  1. README.md +161 -153
README.md CHANGED
@@ -1,199 +1,207 @@
1
  ---
2
- library_name: transformers
3
- tags: []
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
4
  ---
5
 
6
- # Model Card for Model ID
7
 
8
- <!-- Provide a quick summary of what the model is/does. -->
9
 
 
 
 
 
10
 
 
11
 
12
- ## Model Details
13
-
14
- ### Model Description
15
-
16
- <!-- Provide a longer summary of what this model is. -->
17
-
18
- This is the model card of a 🤗 transformers model that has been pushed on the Hub. This model card has been automatically generated.
19
-
20
- - **Developed by:** [More Information Needed]
21
- - **Funded by [optional]:** [More Information Needed]
22
- - **Shared by [optional]:** [More Information Needed]
23
- - **Model type:** [More Information Needed]
24
- - **Language(s) (NLP):** [More Information Needed]
25
- - **License:** [More Information Needed]
26
- - **Finetuned from model [optional]:** [More Information Needed]
27
-
28
- ### Model Sources [optional]
29
-
30
- <!-- Provide the basic links for the model. -->
31
-
32
- - **Repository:** [More Information Needed]
33
- - **Paper [optional]:** [More Information Needed]
34
- - **Demo [optional]:** [More Information Needed]
35
-
36
- ## Uses
37
-
38
- <!-- Address questions around how the model is intended to be used, including the foreseeable users of the model and those affected by the model. -->
39
-
40
- ### Direct Use
41
-
42
- <!-- This section is for the model use without fine-tuning or plugging into a larger ecosystem/app. -->
43
-
44
- [More Information Needed]
45
-
46
- ### Downstream Use [optional]
47
 
48
- <!-- This section is for the model use when fine-tuned for a task, or when plugged into a larger ecosystem/app -->
49
 
50
- [More Information Needed]
51
-
52
- ### Out-of-Scope Use
53
-
54
- <!-- This section addresses misuse, malicious use, and uses that the model will not work well for. -->
55
-
56
- [More Information Needed]
57
-
58
- ## Bias, Risks, and Limitations
59
-
60
- <!-- This section is meant to convey both technical and sociotechnical limitations. -->
61
-
62
- [More Information Needed]
63
 
64
- ### Recommendations
65
 
66
- <!-- This section is meant to convey recommendations with respect to the bias, risk, and technical limitations. -->
67
 
68
- Users (both direct and downstream) should be made aware of the risks, biases and limitations of the model. More information needed for further recommendations.
 
 
 
69
 
70
- ## How to Get Started with the Model
71
 
72
- Use the code below to get started with the model.
73
 
74
- [More Information Needed]
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
75
 
76
  ## Training Details
77
 
78
- ### Training Data
79
-
80
- <!-- This should link to a Dataset Card, perhaps with a short stub of information on what the training data is all about as well as documentation related to data pre-processing or additional filtering. -->
81
-
82
- [More Information Needed]
83
-
84
- ### Training Procedure
85
-
86
- <!-- This relates heavily to the Technical Specifications. Content here should link to that section when it is relevant to the training procedure. -->
87
-
88
- #### Preprocessing [optional]
89
-
90
- [More Information Needed]
91
-
92
-
93
- #### Training Hyperparameters
94
-
95
- - **Training regime:** [More Information Needed] <!--fp32, fp16 mixed precision, bf16 mixed precision, bf16 non-mixed precision, fp16 non-mixed precision, fp8 mixed precision -->
96
-
97
- #### Speeds, Sizes, Times [optional]
98
-
99
- <!-- This section provides information about throughput, start/end time, checkpoint size if relevant, etc. -->
100
-
101
- [More Information Needed]
102
-
103
- ## Evaluation
104
-
105
- <!-- This section describes the evaluation protocols and provides the results. -->
106
-
107
- ### Testing Data, Factors & Metrics
108
-
109
- #### Testing Data
110
-
111
- <!-- This should link to a Dataset Card if possible. -->
112
-
113
- [More Information Needed]
114
-
115
- #### Factors
116
-
117
- <!-- These are the things the evaluation is disaggregating by, e.g., subpopulations or domains. -->
118
-
119
- [More Information Needed]
120
-
121
- #### Metrics
122
-
123
- <!-- These are the evaluation metrics being used, ideally with a description of why. -->
124
-
125
- [More Information Needed]
126
-
127
- ### Results
128
-
129
- [More Information Needed]
130
-
131
- #### Summary
132
-
133
-
134
-
135
- ## Model Examination [optional]
136
-
137
- <!-- Relevant interpretability work for the model goes here -->
138
-
139
- [More Information Needed]
140
 
141
- ## Environmental Impact
142
 
143
- <!-- Total emissions (in grams of CO2eq) and additional considerations, such as electricity usage, go here. Edit the suggested text below accordingly -->
 
 
 
 
144
 
145
- Carbon emissions can be estimated using the [Machine Learning Impact calculator](https://mlco2.github.io/impact#compute) presented in [Lacoste et al. (2019)](https://arxiv.org/abs/1910.09700).
146
 
147
- - **Hardware Type:** [More Information Needed]
148
- - **Hours used:** [More Information Needed]
149
- - **Cloud Provider:** [More Information Needed]
150
- - **Compute Region:** [More Information Needed]
151
- - **Carbon Emitted:** [More Information Needed]
152
 
153
- ## Technical Specifications [optional]
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
154
 
155
- ### Model Architecture and Objective
156
 
157
- [More Information Needed]
158
 
159
- ### Compute Infrastructure
160
 
161
- [More Information Needed]
162
 
163
- #### Hardware
164
 
165
- [More Information Needed]
166
 
167
- #### Software
168
 
169
- [More Information Needed]
170
 
171
- ## Citation [optional]
172
 
173
- <!-- If there is a paper or blog post introducing the model, the APA and Bibtex information for that should go in this section. -->
174
 
175
- **BibTeX:**
 
 
 
 
 
 
 
 
 
 
176
 
177
- [More Information Needed]
178
 
179
- **APA:**
180
 
181
- [More Information Needed]
 
 
 
 
182
 
183
- ## Glossary [optional]
184
 
185
- <!-- If relevant, include terms and calculations in this section that can help readers understand the model or model card. -->
 
 
 
 
186
 
187
- [More Information Needed]
 
 
 
188
 
189
- ## More Information [optional]
190
 
191
- [More Information Needed]
192
 
193
- ## Model Card Authors [optional]
194
 
195
- [More Information Needed]
 
 
 
 
 
 
 
 
 
196
 
197
- ## Model Card Contact
198
 
199
- [More Information Needed]
 
 
 
 
1
  ---
2
+ license: gemma
3
+ base_model: google/gemma-4-E4B-it
4
+ tags:
5
+ - security
6
+ - cybersecurity
7
+ - secure-coding
8
+ - ai-security
9
+ - owasp
10
+ - code-generation
11
+ - lora
12
+ - fine-tuned
13
+ - securecode
14
+ - gemma-4
15
+ datasets:
16
+ - scthornton/securecode
17
+ library_name: peft
18
+ pipeline_tag: text-generation
19
+ language:
20
+ - code
21
+ - en
22
  ---
23
 
24
+ # Gemma 4 E4B SecureCode
25
 
26
+ <div align="center">
27
 
28
+ ![Parameters](https://img.shields.io/badge/params-E4B_(8B_raw)-blue.svg)
29
+ ![Dataset](https://img.shields.io/badge/dataset-2,372_examples-green.svg)
30
+ ![OWASP](https://img.shields.io/badge/OWASP-Top_10_2021_+_LLM_Top_10_2025-orange.svg)
31
+ ![Method](https://img.shields.io/badge/method-bf16_LoRA-purple.svg)
32
 
33
+ **Security-specialized code model fine-tuned on the [SecureCode](https://huggingface.co/datasets/scthornton/securecode) dataset**
34
 
35
+ [Dataset](https://huggingface.co/datasets/scthornton/securecode) | [Paper (arXiv:2512.18542)](https://arxiv.org/abs/2512.18542) | [Model Collection](https://huggingface.co/collections/scthornton/securecode) | [perfecXion.ai](https://perfecxion.ai)
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
36
 
37
+ </div>
38
 
39
+ ---
 
 
 
 
 
 
 
 
 
 
 
 
40
 
41
+ ## What This Model Does
42
 
43
+ This model generates **secure code** when developers ask about building features. Instead of producing vulnerable implementations (like 45% of AI-generated code does), it:
44
 
45
+ - Identifies the security risks in common coding patterns
46
+ - Provides vulnerable *and* secure implementations side by side
47
+ - Explains how attackers would exploit the vulnerability
48
+ - Includes defense-in-depth guidance: logging, monitoring, SIEM integration, infrastructure hardening
49
 
50
+ The model was fine-tuned on **2,372 security training examples** covering both traditional web security (OWASP Top 10 2021) and AI/ML security (OWASP LLM Top 10 2025).
51
 
52
+ ## Model Details
53
 
54
+ | | |
55
+ |---|---|
56
+ | **Base Model** | [Gemma 4 E4B Instruct](https://huggingface.co/google/gemma-4-E4B-it) |
57
+ | **Parameters** | E4B (~8B raw, ~4B effective via per-layer embeddings) |
58
+ | **Architecture** | Gemma 4 (multimodal base; fine-tuned and intended for text-only use) |
59
+ | **Tier** | Tier 1: Accessible |
60
+ | **Method** | bf16 LoRA (no quantization) |
61
+ | **LoRA Rank** | 16 (alpha=32) |
62
+ | **Target Modules** | `q_proj, k_proj, v_proj, o_proj, gate_proj, up_proj, down_proj` on the language model decoder (the 18 KV-shared layers own no k/v weights, so k_proj/v_proj are adapted on the 24 layers that have them) |
63
+ | **Training Data** | [scthornton/securecode](https://huggingface.co/datasets/scthornton/securecode) (2,372 examples) |
64
+ | **Hardware** | NVIDIA DGX Spark GB10 (Blackwell, unified memory) |
65
+
66
+ Newest member of the SecureCode collection. Requires **transformers >= 5.13** (earlier 5.x versions have Gemma 4 training bugs; see notes below).
67
+
68
+ ## Quick Start
69
+
70
+ ```python
71
+ from peft import PeftModel
72
+ from transformers import AutoModelForCausalLM, AutoTokenizer
73
+ import torch
74
+
75
+ # Requires transformers >= 5.13
76
+ base_model = AutoModelForCausalLM.from_pretrained(
77
+ "google/gemma-4-E4B-it",
78
+ dtype=torch.bfloat16,
79
+ device_map="auto",
80
+ )
81
+ tokenizer = AutoTokenizer.from_pretrained("scthornton/gemma-4-e4b-securecode")
82
+ model = PeftModel.from_pretrained(base_model, "scthornton/gemma-4-e4b-securecode")
83
+
84
+ # Ask a security-relevant coding question (chat template required)
85
+ messages = [
86
+ {"role": "user", "content": "How do I implement JWT authentication with refresh tokens in Python?"}
87
+ ]
88
+
89
+ inputs = tokenizer.apply_chat_template(
90
+ messages, add_generation_prompt=True, return_tensors="pt"
91
+ ).to(model.device)
92
+ outputs = model.generate(inputs, max_new_tokens=2048, temperature=0.7)
93
+ print(tokenizer.decode(outputs[0], skip_special_tokens=True))
94
+ ```
95
 
96
  ## Training Details
97
 
98
+ ### Dataset
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
99
 
100
+ Trained on the full **[SecureCode](https://huggingface.co/datasets/scthornton/securecode)** unified dataset (audited release):
101
 
102
+ - **2,372 total examples** (1,625 web security + 747 AI/ML security)
103
+ - **20 vulnerability categories** across OWASP Top 10 2021 and OWASP LLM Top 10 2025
104
+ - **12+ programming languages** and **49+ frameworks**
105
+ - **4-turn conversational structure**: feature request, vulnerable/secure implementations, advanced probing, operational guidance
106
+ - **100% incident grounding**: every example tied to real CVEs, vendor advisories, or published attack research
107
 
108
+ Unlike the rest of the collection (trained with `### User:` / `### Assistant:` role markers), this model was trained through **Gemma 4's own chat template**, matching its instruction tuning.
109
 
110
+ ### Hyperparameters
 
 
 
 
111
 
112
+ | Parameter | Value |
113
+ |-----------|-------|
114
+ | LoRA rank | 16 |
115
+ | LoRA alpha | 32 |
116
+ | LoRA dropout | 0.05 |
117
+ | Target modules | language model decoder projections (see Model Details) |
118
+ | Quantization | None (bf16 base weights) |
119
+ | Learning rate | 2e-4 |
120
+ | LR scheduler | Cosine with 100-step warmup |
121
+ | Epochs | 3 |
122
+ | Per-device batch size | 1 |
123
+ | Gradient accumulation | 16x |
124
+ | Effective batch size | 16 |
125
+ | Max sequence length | 4096 tokens |
126
+ | Optimizer | adamw_torch_fused |
127
+ | Attention | PyTorch SDPA (fused) |
128
+ | Precision | bf16 |
129
 
130
+ **Notes:** Gradient checkpointing is deliberately OFF: Gemma 4 E4B's KV-shared layers read earlier layers' KV cache entries within a single forward pass, and checkpointing force-disables that cache, silently corrupting training. transformers 5.13+ also fixes `num_items_in_batch` loss normalization for this architecture. Trained text-only; the vision and audio towers are untouched by the LoRA adapter.
131
 
132
+ ## Security Coverage
133
 
134
+ ### Web Security (1,625 examples)
135
 
136
+ OWASP Top 10 2021: Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable Components, Authentication Failures, Software Integrity Failures, Logging/Monitoring Failures, SSRF.
137
 
138
+ Languages: Python, JavaScript, Java, Go, PHP, C#, TypeScript, Ruby, Rust, Kotlin, YAML.
139
 
140
+ ### AI/ML Security (747 examples)
141
 
142
+ OWASP LLM Top 10 2025: Prompt Injection, Sensitive Information Disclosure, Supply Chain Vulnerabilities, Data/Model Poisoning, Improper Output Handling, Excessive Agency, System Prompt Leakage, Vector/Embedding Weaknesses, Misinformation, Unbounded Consumption.
143
 
144
+ Frameworks: LangChain, OpenAI, Anthropic, HuggingFace, LlamaIndex, ChromaDB, Pinecone, FastAPI, Flask, vLLM, CrewAI, and 30+ more.
145
 
146
+ ## SecureCode Model Collection
147
 
148
+ This model is part of the **SecureCode** collection of 9 security-specialized models:
149
 
150
+ | Model | Base | Size | Tier | HuggingFace |
151
+ |-------|------|------|------|-------------|
152
+ | Llama 3.2 SecureCode | meta-llama/Llama-3.2-3B-Instruct | 3B | Accessible | [`llama-3.2-3b-securecode`](https://huggingface.co/scthornton/llama-3.2-3b-securecode) |
153
+ | Gemma 4 E4B SecureCode | google/gemma-4-E4B-it | E4B (8B raw) | Accessible | [`gemma-4-e4b-securecode`](https://huggingface.co/scthornton/gemma-4-e4b-securecode) |
154
+ | Qwen2.5 Coder SecureCode | Qwen/Qwen2.5-Coder-7B-Instruct | 7B | Mid-size | [`qwen2.5-coder-7b-securecode`](https://huggingface.co/scthornton/qwen2.5-coder-7b-securecode) |
155
+ | DeepSeek Coder SecureCode | deepseek-ai/deepseek-coder-6.7b-instruct | 6.7B | Mid-size | [`deepseek-coder-6.7b-securecode`](https://huggingface.co/scthornton/deepseek-coder-6.7b-securecode) |
156
+ | CodeGemma SecureCode | google/codegemma-7b-it | 7B | Mid-size | [`codegemma-7b-securecode`](https://huggingface.co/scthornton/codegemma-7b-securecode) |
157
+ | CodeLlama SecureCode | codellama/CodeLlama-13b-Instruct-hf | 13B | Large | [`codellama-13b-securecode`](https://huggingface.co/scthornton/codellama-13b-securecode) |
158
+ | Qwen2.5 Coder 14B SecureCode | Qwen/Qwen2.5-Coder-14B-Instruct | 14B | Large | [`qwen2.5-coder-14b-securecode`](https://huggingface.co/scthornton/qwen2.5-coder-14b-securecode) |
159
+ | StarCoder2 SecureCode | bigcode/starcoder2-15b-instruct-v0.1 | 15B | Large | [`starcoder2-15b-securecode`](https://huggingface.co/scthornton/starcoder2-15b-securecode) |
160
+ | Granite 20B Code SecureCode | ibm-granite/granite-20b-code-instruct-8k | 20B | XL | [`granite-20b-code-securecode`](https://huggingface.co/scthornton/granite-20b-code-securecode) |
161
 
162
+ Choose based on your deployment constraints: **3B/E4B** for edge and resource-constrained use, **7B** for general use, **13B-15B** for deeper reasoning, **20B** for maximum capability.
163
 
164
+ ## SecureCode Dataset Family
165
 
166
+ | Dataset | Examples | Focus | Link |
167
+ |---------|----------|-------|------|
168
+ | **SecureCode** | 2,372 | Unified (web + AI/ML) | [scthornton/securecode](https://huggingface.co/datasets/scthornton/securecode) |
169
+ | SecureCode Web | 1,625 | Web security (OWASP Top 10 2021) | [scthornton/securecode-web](https://huggingface.co/datasets/scthornton/securecode-web) |
170
+ | SecureCode AI/ML | 747 | AI/ML security (OWASP LLM Top 10 2025) | [scthornton/securecode-aiml](https://huggingface.co/datasets/scthornton/securecode-aiml) |
171
 
172
+ ## Intended Use
173
 
174
+ **Use this model for:**
175
+ - Training AI coding assistants to write secure code
176
+ - Security education and training
177
+ - Vulnerability research and secure code review
178
+ - Building security-aware development tools
179
 
180
+ **Do not use this model for:**
181
+ - Offensive exploitation or automated attack generation
182
+ - Circumventing security controls
183
+ - Any activity that violates the base model's license
184
 
185
+ ## Changelog
186
 
187
+ - **2026-07 (v1, current)**: Initial release. Trained on the audited SecureCode release (**2,372 examples**: 1,625 web + 747 AI/ML) using **bf16 LoRA on an NVIDIA DGX Spark GB10 (Blackwell)**. Added to the SecureCode family alongside the 2026-07 refresh of the original 8 models.
188
 
189
+ ## Citation
190
 
191
+ ```bibtex
192
+ @misc{thornton2026securecode,
193
+ title={SecureCode: A Production-Grade Multi-Turn Dataset for Training Security-Aware Code Generation Models},
194
+ author={Thornton, Scott},
195
+ year={2026},
196
+ publisher={perfecXion.ai},
197
+ url={https://huggingface.co/datasets/scthornton/securecode},
198
+ note={arXiv:2512.18542}
199
+ }
200
+ ```
201
 
202
+ ## Links
203
 
204
+ - **Dataset**: [scthornton/securecode](https://huggingface.co/datasets/scthornton/securecode)
205
+ - **Paper**: [arXiv:2512.18542](https://arxiv.org/abs/2512.18542)
206
+ - **Collection**: [SecureCode models](https://huggingface.co/collections/scthornton/securecode)
207
+ - **perfecXion.ai**: [https://perfecxion.ai](https://perfecxion.ai)