scthornton committed on
Commit 589c1e9 · verified · 1 Parent(s): 0961a79

Model save

Files changed (3)
  1. README.md +37 -184
  2. tokenizer.json +2 -2
  3. tokenizer_config.json +7 -185
README.md CHANGED
@@ -1,207 +1,60 @@
1
  ---
 
2
  license: apache-2.0
3
  base_model: Qwen/Qwen2.5-Coder-14B-Instruct
4
  tags:
5
- - security
6
- - cybersecurity
7
- - secure-coding
8
- - ai-security
9
- - owasp
10
- - code-generation
11
- - qlora
12
- - lora
13
- - fine-tuned
14
- - securecode
15
- datasets:
16
- - scthornton/securecode
17
- library_name: peft
18
  pipeline_tag: text-generation
19
- language:
20
- - code
21
- - en
22
  ---
23
 
24
- # Qwen2.5 Coder 14B SecureCode
25
-
26
- <div align="center">
27
-
28
- ![Parameters](https://img.shields.io/badge/params-14B-blue.svg)
29
- ![Dataset](https://img.shields.io/badge/dataset-2,185_examples-green.svg)
30
- ![OWASP](https://img.shields.io/badge/OWASP-Top_10_2021_+_LLM_Top_10_2025-orange.svg)
31
- ![Method](https://img.shields.io/badge/method-QLoRA_4--bit-purple.svg)
32
-
33
- **Security-specialized code model fine-tuned on the [SecureCode](https://huggingface.co/datasets/scthornton/securecode) dataset**
34
-
35
- [Dataset](https://huggingface.co/datasets/scthornton/securecode) | [Paper (arXiv:2512.18542)](https://arxiv.org/abs/2512.18542) | [Model Collection](https://huggingface.co/collections/scthornton/securecode) | [perfecXion.ai](https://perfecxion.ai)
36
-
37
- </div>
38
-
39
- ---
40
-
41
- ## What This Model Does
42
-
43
- This model generates **secure code** when developers ask about building features. Instead of producing vulnerable implementations (like 45% of AI-generated code does), it:
44
-
45
- - Identifies the security risks in common coding patterns
46
- - Provides vulnerable *and* secure implementations side by side
47
- - Explains how attackers would exploit the vulnerability
48
- - Includes defense-in-depth guidance: logging, monitoring, SIEM integration, infrastructure hardening
49
-
50
- The model was fine-tuned on **2,185 security training examples** covering both traditional web security (OWASP Top 10 2021) and AI/ML security (OWASP LLM Top 10 2025).
51
-
52
- ## Model Details
53
-
54
- | | |
55
- |---|---|
56
- | **Base Model** | [Qwen2.5 Coder 14B Instruct](https://huggingface.co/Qwen/Qwen2.5-Coder-14B-Instruct) |
57
- | **Parameters** | 14B |
58
- | **Architecture** | Qwen2 |
59
- | **Tier** | Tier 3: Large Model |
60
- | **Method** | QLoRA (4-bit NormalFloat quantization) |
61
- | **LoRA Rank** | 16 (alpha=32) |
62
- | **Target Modules** | `q_proj, k_proj, v_proj, o_proj, gate_proj, up_proj, down_proj` (7 modules) |
63
- | **Training Data** | [scthornton/securecode](https://huggingface.co/datasets/scthornton/securecode) (2,185 examples) |
64
- | **Hardware** | NVIDIA A100 40GB |
65
-
66
- Largest Qwen Coder variant. Excellent code generation with extended context and strong multi-language support.
67
-
68
- ## Quick Start
69
-
70
- ```python
71
- from peft import PeftModel
72
- from transformers import AutoModelForCausalLM, AutoTokenizer, BitsAndBytesConfig
73
- import torch
74
-
75
- # Load with 4-bit quantization (matches training)
76
- bnb_config = BitsAndBytesConfig(
77
- load_in_4bit=True,
78
- bnb_4bit_quant_type="nf4",
79
- bnb_4bit_compute_dtype=torch.bfloat16,
80
- )
81
-
82
- base_model = AutoModelForCausalLM.from_pretrained(
83
- "Qwen/Qwen2.5-Coder-14B-Instruct",
84
- quantization_config=bnb_config,
85
- device_map="auto",
86
- )
87
- tokenizer = AutoTokenizer.from_pretrained("scthornton/qwen2.5-coder-14b-securecode")
88
- model = PeftModel.from_pretrained(base_model, "scthornton/qwen2.5-coder-14b-securecode")
89
-
90
- # Ask a security-relevant coding question
91
- messages = [
92
- {"role": "user", "content": "How do I implement JWT authentication with refresh tokens in Python?"}
93
- ]
94
-
95
- inputs = tokenizer.apply_chat_template(messages, return_tensors="pt").to(model.device)
96
- outputs = model.generate(inputs, max_new_tokens=2048, temperature=0.7)
97
- print(tokenizer.decode(outputs[0], skip_special_tokens=True))
98
- ```
99
-
100
- ## Training Details
101
-
102
- ### Dataset
103
-
104
- Trained on the full **[SecureCode](https://huggingface.co/datasets/scthornton/securecode)** unified dataset:
105
-
106
- - **2,185 total examples** (1,435 web security + 750 AI/ML security)
107
- - **20 vulnerability categories** across OWASP Top 10 2021 and OWASP LLM Top 10 2025
108
- - **12+ programming languages** and **49+ frameworks**
109
- - **4-turn conversational structure**: feature request, vulnerable/secure implementations, advanced probing, operational guidance
110
- - **100% incident grounding**: every example tied to real CVEs, vendor advisories, or published attack research
111
-
112
- ### Hyperparameters
113
-
114
- | Parameter | Value |
115
- |-----------|-------|
116
- | LoRA rank | 16 |
117
- | LoRA alpha | 32 |
118
- | LoRA dropout | 0.05 |
119
- | Target modules | 7 linear layers |
120
- | Quantization | 4-bit NormalFloat (NF4) |
121
- | Learning rate | 2e-4 |
122
- | LR scheduler | Cosine with 100-step warmup |
123
- | Epochs | 3 |
124
- | Per-device batch size | 1 |
125
- | Gradient accumulation | 16x |
126
- | Effective batch size | 16 |
127
- | Max sequence length | 4096 tokens |
128
- | Optimizer | paged_adamw_8bit |
129
- | Precision | bf16 |
130
-
131
- **Notes:** Gradient checkpointing enabled for memory efficiency. Batch size 1 with 16x gradient accumulation. Requires `trust_remote_code=True`.
132
-
133
- ## Security Coverage
134
 
135
- ### Web Security (1,435 examples)
136
 
137
- OWASP Top 10 2021: Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable Components, Authentication Failures, Software Integrity Failures, Logging/Monitoring Failures, SSRF.
138
 
139
- Languages: Python, JavaScript, Java, Go, PHP, C#, TypeScript, Ruby, Rust, Kotlin, YAML.
140
 
141
- ### AI/ML Security (750 examples)
142
 
143
- OWASP LLM Top 10 2025: Prompt Injection, Sensitive Information Disclosure, Supply Chain Vulnerabilities, Data/Model Poisoning, Improper Output Handling, Excessive Agency, System Prompt Leakage, Vector/Embedding Weaknesses, Misinformation, Unbounded Consumption.
144
-
145
- Frameworks: LangChain, OpenAI, Anthropic, HuggingFace, LlamaIndex, ChromaDB, Pinecone, FastAPI, Flask, vLLM, CrewAI, and 30+ more.
146
-
147
- ## SecureCode Model Collection
148
-
149
- This model is part of the **SecureCode** collection of 8 security-specialized models:
150
-
151
- | Model | Base | Size | Tier | HuggingFace |
152
- |-------|------|------|------|-------------|
153
- | Llama 3.2 SecureCode | meta-llama/Llama-3.2-3B-Instruct | 3B | Accessible | [`llama-3.2-3b-securecode`](https://huggingface.co/scthornton/llama-3.2-3b-securecode) |
154
- | Qwen2.5 Coder SecureCode | Qwen/Qwen2.5-Coder-7B-Instruct | 7B | Mid-size | [`qwen2.5-coder-7b-securecode`](https://huggingface.co/scthornton/qwen2.5-coder-7b-securecode) |
155
- | DeepSeek Coder SecureCode | deepseek-ai/deepseek-coder-6.7b-instruct | 6.7B | Mid-size | [`deepseek-coder-6.7b-securecode`](https://huggingface.co/scthornton/deepseek-coder-6.7b-securecode) |
156
- | CodeGemma SecureCode | google/codegemma-7b-it | 7B | Mid-size | [`codegemma-7b-securecode`](https://huggingface.co/scthornton/codegemma-7b-securecode) |
157
- | CodeLlama SecureCode | codellama/CodeLlama-13b-Instruct-hf | 13B | Large | [`codellama-13b-securecode`](https://huggingface.co/scthornton/codellama-13b-securecode) |
158
- | Qwen2.5 Coder 14B SecureCode | Qwen/Qwen2.5-Coder-14B-Instruct | 14B | Large | [`qwen2.5-coder-14b-securecode`](https://huggingface.co/scthornton/qwen2.5-coder-14b-securecode) |
159
- | StarCoder2 SecureCode | bigcode/starcoder2-15b-instruct-v0.1 | 15B | Large | [`starcoder2-15b-securecode`](https://huggingface.co/scthornton/starcoder2-15b-securecode) |
160
- | Granite 20B Code SecureCode | ibm-granite/granite-20b-code-instruct-8k | 20B | XL | [`granite-20b-code-securecode`](https://huggingface.co/scthornton/granite-20b-code-securecode) |
161
 
162
- Choose based on your deployment constraints: **3B** for edge/mobile, **7B** for general use, **13B-15B** for deeper reasoning, **20B** for maximum capability.
163
 
164
- ## SecureCode Dataset Family
165
 
166
- | Dataset | Examples | Focus | Link |
167
- |---------|----------|-------|------|
168
- | **SecureCode** | 2,185 | Unified (web + AI/ML) | [scthornton/securecode](https://huggingface.co/datasets/scthornton/securecode) |
169
- | SecureCode Web | 1,435 | Web security (OWASP Top 10 2021) | [scthornton/securecode-web](https://huggingface.co/datasets/scthornton/securecode-web) |
170
- | SecureCode AI/ML | 750 | AI/ML security (OWASP LLM Top 10 2025) | [scthornton/securecode-aiml](https://huggingface.co/datasets/scthornton/securecode-aiml) |
171
-
172
- ## Intended Use
173
 
174
- **Use this model for:**
175
- - Training AI coding assistants to write secure code
176
- - Security education and training
177
- - Vulnerability research and secure code review
178
- - Building security-aware development tools
179
 
180
- **Do not use this model for:**
181
- - Offensive exploitation or automated attack generation
182
- - Circumventing security controls
183
- - Any activity that violates the base model's license
184
 
185
- ## Citation
 
 
 
 
 
 
 
 
 
 
186
 
187
- ```bibtex
188
- @misc{thornton2026securecode,
189
- title={SecureCode: A Production-Grade Multi-Turn Dataset for Training Security-Aware Code Generation Models},
190
- author={Thornton, Scott},
191
- year={2026},
192
- publisher={perfecXion.ai},
193
- url={https://huggingface.co/datasets/scthornton/securecode},
194
- note={arXiv:2512.18542}
195
- }
196
- ```
197
 
198
- ## Links
199
 
200
- - **Dataset**: [scthornton/securecode](https://huggingface.co/datasets/scthornton/securecode)
201
- - **Research Paper**: [arXiv:2512.18542](https://arxiv.org/abs/2512.18542)
202
- - **Model Collection**: [huggingface.co/collections/scthornton/securecode](https://huggingface.co/collections/scthornton/securecode)
203
- - **Author**: [perfecXion.ai](https://perfecxion.ai)
204
 
205
- ## License
206
 
207
- This model is released under the **apache-2.0** license (inherited from the base model). The training dataset ([SecureCode](https://huggingface.co/datasets/scthornton/securecode)) is licensed under **CC BY-NC-SA 4.0**.
 
 
 
 
 
1
  ---
2
+ library_name: peft
3
  license: apache-2.0
4
  base_model: Qwen/Qwen2.5-Coder-14B-Instruct
5
  tags:
6
+ - base_model:adapter:Qwen/Qwen2.5-Coder-14B-Instruct
7
+ - lora
8
+ - transformers
 
 
 
 
 
 
 
 
 
 
9
  pipeline_tag: text-generation
10
+ model-index:
11
+ - name: qwen2.5-coder-14b-securecode
12
+ results: []
13
  ---
14
 
15
+ <!-- This model card has been generated automatically according to the information the Trainer had access to. You
16
+ should probably proofread and complete it, then remove this comment. -->
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
17
 
18
+ # qwen2.5-coder-14b-securecode
19
 
20
+ This model is a fine-tuned version of [Qwen/Qwen2.5-Coder-14B-Instruct](https://huggingface.co/Qwen/Qwen2.5-Coder-14B-Instruct) on the None dataset.
21
 
22
+ ## Model description
23
 
24
+ More information needed
25
 
26
+ ## Intended uses & limitations
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
27
 
28
+ More information needed
29
 
30
+ ## Training and evaluation data
31
 
32
+ More information needed
 
 
 
 
 
 
33
 
34
+ ## Training procedure
 
 
 
 
35
 
36
+ ### Training hyperparameters
 
 
 
37
 
38
+ The following hyperparameters were used during training:
39
+ - learning_rate: 0.0002
40
+ - train_batch_size: 1
41
+ - eval_batch_size: 8
42
+ - seed: 42
43
+ - gradient_accumulation_steps: 16
44
+ - total_train_batch_size: 16
45
+ - optimizer: Use paged_adamw_8bit with betas=(0.9,0.999) and epsilon=1e-08 and optimizer_args=No additional optimizer arguments
46
+ - lr_scheduler_type: cosine
47
+ - lr_scheduler_warmup_steps: 100
48
+ - num_epochs: 3
49
 
50
+ ### Training results
 
 
 
 
 
 
 
 
 
51
 
 
52
 
 
 
 
 
53
 
54
+ ### Framework versions
55
 
56
+ - PEFT 0.18.1
57
+ - Transformers 5.1.0
58
+ - Pytorch 2.7.1+cu128
59
+ - Datasets 2.21.0
60
+ - Tokenizers 0.22.2
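Review bot: The regenerated front matter drops `datasets: - scthornton/securecode` (old lines 15-16), and the new body at line 20 reads "on the None dataset", so the card no longer states what the adapter was trained on. The Trainer placeholder comment at new lines 15-16 and the three "More information needed" sections are committed unedited, while the old Quick Start loading code, the Intended Use section with its "Do not use this model for" list, and the License paragraph noting the dataset's CC BY-NC-SA 4.0 terms are all removed. Suggest restoring the hand-written card (at minimum the `datasets:` key, the intended-use limits and the license note), keeping the new hyperparameter and framework-version lists as an addition, or excluding README.md from the Trainer's push.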
tokenizer.json CHANGED
@@ -1,3 +1,3 @@
1
  version https://git-lfs.github.com/spec/v1
2
- oid sha256:7ef098fb53e76cfa06a012b3826f5889a5ab693afa875d97c3353ae1edb9a1dc
3
- size 11422173
 
1
  version https://git-lfs.github.com/spec/v1
2
+ oid sha256:768a09fb93557beef6f0f1a7647212243c8f235aaece26cf6332f7dfff223289
3
+ size 11422169
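Review bot: The LFS pointer's oid changes and the size drops by 4 bytes (11422173 to 11422169), but the commit message ("Model save") gives no reason and the tokenizer content cannot be reviewed from the pointer alone. Suggest stating in the commit message what re-serialized the file, and comparing the two blobs to confirm that the vocabulary and added-token entries are unchanged before consumers pull this revision.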
tokenizer_config.json CHANGED
@@ -1,185 +1,11 @@
1
  {
2
- "add_bos_token": false,
3
  "add_prefix_space": false,
4
- "added_tokens_decoder": {
5
- "151643": {
6
- "content": "<|endoftext|>",
7
- "lstrip": false,
8
- "normalized": false,
9
- "rstrip": false,
10
- "single_word": false,
11
- "special": true
12
- },
13
- "151644": {
14
- "content": "<|im_start|>",
15
- "lstrip": false,
16
- "normalized": false,
17
- "rstrip": false,
18
- "single_word": false,
19
- "special": true
20
- },
21
- "151645": {
22
- "content": "<|im_end|>",
23
- "lstrip": false,
24
- "normalized": false,
25
- "rstrip": false,
26
- "single_word": false,
27
- "special": true
28
- },
29
- "151646": {
30
- "content": "<|object_ref_start|>",
31
- "lstrip": false,
32
- "normalized": false,
33
- "rstrip": false,
34
- "single_word": false,
35
- "special": true
36
- },
37
- "151647": {
38
- "content": "<|object_ref_end|>",
39
- "lstrip": false,
40
- "normalized": false,
41
- "rstrip": false,
42
- "single_word": false,
43
- "special": true
44
- },
45
- "151648": {
46
- "content": "<|box_start|>",
47
- "lstrip": false,
48
- "normalized": false,
49
- "rstrip": false,
50
- "single_word": false,
51
- "special": true
52
- },
53
- "151649": {
54
- "content": "<|box_end|>",
55
- "lstrip": false,
56
- "normalized": false,
57
- "rstrip": false,
58
- "single_word": false,
59
- "special": true
60
- },
61
- "151650": {
62
- "content": "<|quad_start|>",
63
- "lstrip": false,
64
- "normalized": false,
65
- "rstrip": false,
66
- "single_word": false,
67
- "special": true
68
- },
69
- "151651": {
70
- "content": "<|quad_end|>",
71
- "lstrip": false,
72
- "normalized": false,
73
- "rstrip": false,
74
- "single_word": false,
75
- "special": true
76
- },
77
- "151652": {
78
- "content": "<|vision_start|>",
79
- "lstrip": false,
80
- "normalized": false,
81
- "rstrip": false,
82
- "single_word": false,
83
- "special": true
84
- },
85
- "151653": {
86
- "content": "<|vision_end|>",
87
- "lstrip": false,
88
- "normalized": false,
89
- "rstrip": false,
90
- "single_word": false,
91
- "special": true
92
- },
93
- "151654": {
94
- "content": "<|vision_pad|>",
95
- "lstrip": false,
96
- "normalized": false,
97
- "rstrip": false,
98
- "single_word": false,
99
- "special": true
100
- },
101
- "151655": {
102
- "content": "<|image_pad|>",
103
- "lstrip": false,
104
- "normalized": false,
105
- "rstrip": false,
106
- "single_word": false,
107
- "special": true
108
- },
109
- "151656": {
110
- "content": "<|video_pad|>",
111
- "lstrip": false,
112
- "normalized": false,
113
- "rstrip": false,
114
- "single_word": false,
115
- "special": true
116
- },
117
- "151657": {
118
- "content": "<tool_call>",
119
- "lstrip": false,
120
- "normalized": false,
121
- "rstrip": false,
122
- "single_word": false,
123
- "special": false
124
- },
125
- "151658": {
126
- "content": "</tool_call>",
127
- "lstrip": false,
128
- "normalized": false,
129
- "rstrip": false,
130
- "single_word": false,
131
- "special": false
132
- },
133
- "151659": {
134
- "content": "<|fim_prefix|>",
135
- "lstrip": false,
136
- "normalized": false,
137
- "rstrip": false,
138
- "single_word": false,
139
- "special": false
140
- },
141
- "151660": {
142
- "content": "<|fim_middle|>",
143
- "lstrip": false,
144
- "normalized": false,
145
- "rstrip": false,
146
- "single_word": false,
147
- "special": false
148
- },
149
- "151661": {
150
- "content": "<|fim_suffix|>",
151
- "lstrip": false,
152
- "normalized": false,
153
- "rstrip": false,
154
- "single_word": false,
155
- "special": false
156
- },
157
- "151662": {
158
- "content": "<|fim_pad|>",
159
- "lstrip": false,
160
- "normalized": false,
161
- "rstrip": false,
162
- "single_word": false,
163
- "special": false
164
- },
165
- "151663": {
166
- "content": "<|repo_name|>",
167
- "lstrip": false,
168
- "normalized": false,
169
- "rstrip": false,
170
- "single_word": false,
171
- "special": false
172
- },
173
- "151664": {
174
- "content": "<|file_sep|>",
175
- "lstrip": false,
176
- "normalized": false,
177
- "rstrip": false,
178
- "single_word": false,
179
- "special": false
180
- }
181
- },
182
- "additional_special_tokens": [
183
  "<|im_start|>",
184
  "<|im_end|>",
185
  "<|object_ref_start|>",
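Review bot: Removing the whole `added_tokens_decoder` map (old lines 4-181) takes the token ids and per-token `special` flags out of the reviewable config: `<|im_start|>` and `<|im_end|>` were `"special": true`, while `<tool_call>`, `</tool_call>` and the `<|fim_*|>` tokens were `"special": false`. The new side of this file keeps only a list of token strings, and tokenizer.json is an LFS pointer in this commit, so the diff cannot show that ids 151643-151664 and their flags are preserved. Suggest confirming that the saved tokenizer still maps these ids and flags identically, since they decide which strings are handled as control tokens rather than ordinary text, and recording that check in the commit message.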
@@ -194,11 +20,7 @@
194
  "<|image_pad|>",
195
  "<|video_pad|>"
196
  ],
197
- "bos_token": null,
198
- "clean_up_tokenization_spaces": false,
199
- "eos_token": "<|im_end|>",
200
- "errors": "replace",
201
- "extra_special_tokens": {},
202
  "model_max_length": 32768,
203
  "pad_token": "<|im_end|>",
204
  "split_special_tokens": false,
 
1
  {
 
2
  "add_prefix_space": false,
3
+ "backend": "tokenizers",
4
+ "bos_token": null,
5
+ "clean_up_tokenization_spaces": false,
6
+ "eos_token": "<|im_end|>",
7
+ "errors": "replace",
8
+ "extra_special_tokens": [
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
9
  "<|im_start|>",
10
  "<|im_end|>",
11
  "<|object_ref_start|>",
 
20
  "<|image_pad|>",
21
  "<|video_pad|>"
22
  ],
23
+ "is_local": false,
 
 
 
 
24
  "model_max_length": 32768,
25
  "pad_token": "<|im_end|>",
26
  "split_special_tokens": false,
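Review bot: `extra_special_tokens` changes type across this file: old line 201, removed in this hunk, is `"extra_special_tokens": {}` (an object), while new line 8 reuses the key for the array that was previously `additional_special_tokens`. A loader written against the old object form would not read this config the same way; the model card lists Transformers 5.1.0, so suggest documenting the minimum Transformers version for this revision. The added `"is_local": false` at new line 23 and `"backend": "tokenizers"` at new line 3 are also unexplained; please confirm both are meant to be committed rather than being save-time state.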