Hugging Face's logo

scthornton
/
gemma4-26b-securecode

Text Generation
PEFT
Safetensors
security
secure-code
cybersecurity
qlora
gemma4
code-generation
owasp
ai-security
conversational
Model card Files
xet
 Community
gemma4-26b-securecode / README.md
scthornton's picture
scthornton
Upload folder using huggingface_hub
d64e837 verified
preview code
|
raw
history blame contribute delete
6.69 kB
---
library_name: peft
license: gemma
base_model: google/gemma-4-26b-a4b-it
tags:
 - security
 - secure-code
 - cybersecurity
 - qlora
 - gemma4
 - code-generation
 - owasp
 - ai-security
datasets:
 - scthornton/securecode
 - scthornton/securecode-web
pipeline_tag: text-generation
model-index:
 - name: gemma4-26b-securecode
 results: []
---
# Gemma 4 26B-A4B SecureCode
**Security-specialized code generation model** fine-tuned on the [SecureCode](https://huggingface.co/datasets/scthornton/securecode) and [SecureCode Web](https://huggingface.co/datasets/scthornton/securecode-web) datasets.
Part of the [SecureCode model collection](https://huggingface.co/collections/scthornton/securecode) by [perfecXion.ai](https://perfecxion.ai).
## Model Details
| Property | Value |
|----------|-------|
| **Base Model** | [google/gemma-4-26b-a4b-it](https://huggingface.co/google/gemma-4-26b-a4b-it) |
| **Architecture** | Gemma 4 Mixture-of-Experts (26B total, 4B active per token) |
| **Method** | QLoRA (4-bit NormalFloat quantization) |
| **Parameters Trained** | ~1-2% via LoRA adapters |
| **Tier** | Tier 3: Large Security Specialist |
## Training Configuration
### QLoRA Settings
| Parameter | Value |
|-----------|-------|
| Quantization | 4-bit NormalFloat (NF4) |
| Compute Dtype | bfloat16 |
| Double Quantization | Enabled |
| LoRA Rank | 16 |
| LoRA Alpha | 32 |
| LoRA Dropout | 0.05 |
| Target Modules | q_proj, k_proj, v_proj, o_proj, gate_proj, up_proj, down_proj |
### Training Hyperparameters
| Parameter | Value |
|-----------|-------|
| Learning Rate | 2e-4 |
| LR Scheduler | Cosine with 100-step warmup |
| Epochs | 3 |
| Per-device Batch Size | 2 |
| Gradient Accumulation | 8x |
| Effective Batch Size | 16 |
| Max Sequence Length | 4,096 tokens |
| Optimizer | paged_adamw_8bit |
| Precision | bf16 |
### Hardware
| Component | Specification |
|-----------|--------------|
| System | NVIDIA DGX Spark |
| GPU | NVIDIA GB10 |
| Memory | 128 GB Unified (CPU/GPU) |
## Training Data
Combined and deduplicated from two datasets:
| Dataset | Examples | Focus |
|---------|----------|-------|
| [scthornton/securecode](https://huggingface.co/datasets/scthornton/securecode) | 2,185 | Web + AI/ML security (OWASP Top 10 2021 + LLM Top 10 2025) |
| [scthornton/securecode-web](https://huggingface.co/datasets/scthornton/securecode-web) | 1,378 | Web security with framework-specific patterns |
### Coverage
**Vulnerability Standards:**
- OWASP Top 10 2021 (Web/Application Security)
- OWASP LLM Top 10 2025 (AI/ML Security)
- 92+ CWEs mapped
**Programming Languages:** Python, JavaScript, Java, Go, PHP, TypeScript, C#, Ruby, Rust, Kotlin, YAML, HCL
**Frameworks:** 49+ including LangChain, OpenAI, Anthropic, HuggingFace, Django, Express.js, Spring Boot, FastAPI, and more
**Training Format:** 4-turn conversational examples:
1. Developer asks about implementing a feature
2. Assistant provides vulnerable + secure implementations with attack demonstrations
3. Developer asks about testing and edge cases
4. Assistant delivers defense-in-depth operational guidance
Every example is grounded in real CVEs and published security incidents.
## Usage
```python
from peft import PeftModel
from transformers import AutoModelForCausalLM, AutoTokenizer, BitsAndBytesConfig
import torch
# Load with 4-bit quantization (matches training)
bnb_config = BitsAndBytesConfig(
 load_in_4bit=True,
 bnb_4bit_quant_type="nf4",
 bnb_4bit_compute_dtype=torch.bfloat16,
)
base_model = AutoModelForCausalLM.from_pretrained(
 "google/gemma-4-26b-a4b-it",
 quantization_config=bnb_config,
 device_map="auto",
)
tokenizer = AutoTokenizer.from_pretrained("scthornton/gemma4-26b-securecode")
model = PeftModel.from_pretrained(base_model, "scthornton/gemma4-26b-securecode")
messages = [
 {"role": "user", "content": "How do I implement JWT authentication with refresh tokens in Python?"}
]
inputs = tokenizer.apply_chat_template(messages, return_tensors="pt").to(model.device)
outputs = model.generate(inputs, max_new_tokens=2048, temperature=0.7)
print(tokenizer.decode(outputs[0], skip_special_tokens=True))
```
## What Makes This Different
Standard code models generate functional but often **insecure** code. SecureCode-trained models:
- Generate **secure implementations by default** with proper input validation, parameterized queries, and cryptographic best practices
- Provide **vulnerable AND secure** code side-by-side so developers understand the risk
- Include **defense-in-depth guidance**: logging, monitoring, SIEM integration, and infrastructure hardening
- Cover **AI/ML-specific vulnerabilities**: prompt injection defenses, RAG security, model supply chain protection
## SecureCode Model Collection
| Model | Parameters | Base |
|-------|-----------|------|
| [llama-3.2-3b-securecode](https://huggingface.co/scthornton/llama-3.2-3b-securecode) | 3B | Llama 3.2 3B |
| [codegemma-7b-securecode](https://huggingface.co/scthornton/codegemma-7b-securecode) | 7B | CodeGemma 7B IT |
| [deepseek-coder-6.7b-securecode](https://huggingface.co/scthornton/deepseek-coder-6.7b-securecode) | 6.7B | DeepSeek Coder |
| [qwen-coder-7b-securecode](https://huggingface.co/scthornton/qwen-coder-7b-securecode) | 7B | Qwen Coder 7B |
| [codellama-13b-securecode](https://huggingface.co/scthornton/codellama-13b-securecode) | 13B | Code Llama 13B |
| [qwen2.5-coder-14b-securecode](https://huggingface.co/scthornton/qwen2.5-coder-14b-securecode) | 14B | Qwen 2.5 Coder 14B |
| [starcoder2-15b-securecode](https://huggingface.co/scthornton/starcoder2-15b-securecode) | 15B | StarCoder2 15B |
| [granite-20b-code-securecode](https://huggingface.co/scthornton/granite-20b-code-securecode) | 20B | Granite 20B Code |
| **gemma4-26b-securecode** | **26B (4B active)** | **Gemma 4 26B-A4B IT** |
## Limitations
- Training data focuses on defensive security patterns; not designed for offensive security tooling
- 4-turn conversation format may not generalize to all coding interaction patterns
- MoE architecture means only 4B parameters are active per token despite 26B total
- Security guidance reflects best practices as of early 2026; new vulnerabilities may not be covered
## License
- **Model:** Gemma license (inherited from base model)
- **Dataset:** CC BY-NC-SA 4.0
- **Adapters:** CC BY-NC-SA 4.0
## Citation
```bibtex
@misc{thornton2026securecode,
 title={SecureCode: A Production-Grade Multi-Turn Dataset for Training Security-Aware Code Generation Models},
 author={Thornton, Scott},
 year={2026},
 publisher={perfecXion.ai},
 url={https://huggingface.co/datasets/scthornton/securecode},
 note={arXiv:2512.18542}
}
```