Instructions to use vitorallo/securereview-coder-32B-FP8 with libraries, inference providers, notebooks, and local apps.

How to use vitorallo/securereview-coder-32B-FP8 with Transformers:

```python
# Use a pipeline as a high-level helper
from transformers import pipeline

pipe = pipeline("text-generation", model="vitorallo/securereview-coder-32B-FP8")
messages = [
    {"role": "user", "content": "Who are you?"},
]
pipe(messages)
```

```python
# Load model directly
from transformers import AutoTokenizer, AutoModelForCausalLM

tokenizer = AutoTokenizer.from_pretrained("vitorallo/securereview-coder-32B-FP8")
model = AutoModelForCausalLM.from_pretrained("vitorallo/securereview-coder-32B-FP8")
messages = [
    {"role": "user", "content": "Who are you?"},
]
inputs = tokenizer.apply_chat_template(
    messages,
    add_generation_prompt=True,
    tokenize=True,
    return_dict=True,
    return_tensors="pt",
).to(model.device)
outputs = model.generate(**inputs, max_new_tokens=40)
print(tokenizer.decode(outputs[0][inputs["input_ids"].shape[-1]:]))
```

How to use vitorallo/securereview-coder-32B-FP8 with vLLM:

Install from pip and serve the model:

```bash
# Install vLLM from pip:
pip install vllm

# Start the vLLM server:
vllm serve "vitorallo/securereview-coder-32B-FP8"

# Call the server using curl (OpenAI-compatible API):
curl -X POST "http://localhost:8000/v1/chat/completions" \
  -H "Content-Type: application/json" \
  --data '{
    "model": "vitorallo/securereview-coder-32B-FP8",
    "messages": [
      { "role": "user", "content": "What is the capital of France?" }
    ]
  }'
```

Use Docker:

```bash
docker model run hf.co/vitorallo/securereview-coder-32B-FP8
```

How to use vitorallo/securereview-coder-32B-FP8 with SGLang:

Install from pip and serve the model:

```bash
# Install SGLang from pip:
pip install sglang

# Start the SGLang server:
python3 -m sglang.launch_server \
  --model-path "vitorallo/securereview-coder-32B-FP8" \
  --host 0.0.0.0 \
  --port 30000

# Call the server using curl (OpenAI-compatible API):
curl -X POST "http://localhost:30000/v1/chat/completions" \
  -H "Content-Type: application/json" \
  --data '{
    "model": "vitorallo/securereview-coder-32B-FP8",
    "messages": [
      { "role": "user", "content": "What is the capital of France?" }
    ]
  }'
```

Use Docker images:

```bash
docker run --gpus all \
  --shm-size 32g \
  -p 30000:30000 \
  -v ~/.cache/huggingface:/root/.cache/huggingface \
  --env "HF_TOKEN=<secret>" \
  --ipc=host \
  lmsysorg/sglang:latest \
  python3 -m sglang.launch_server \
    --model-path "vitorallo/securereview-coder-32B-FP8" \
    --host 0.0.0.0 \
    --port 30000

# Call the server using curl (OpenAI-compatible API):
curl -X POST "http://localhost:30000/v1/chat/completions" \
  -H "Content-Type: application/json" \
  --data '{
    "model": "vitorallo/securereview-coder-32B-FP8",
    "messages": [
      { "role": "user", "content": "What is the capital of France?" }
    ]
  }'
```

How to use vitorallo/securereview-coder-32B-FP8 with Docker Model Runner:

```bash
docker model run hf.co/vitorallo/securereview-coder-32B-FP8
```
securereview-coder-32B (FP8)
A security-focused fine-tune of Qwen2.5-Coder-32B-Instruct, quantized to FP8 for efficient, near-lossless inference. It performs function-level security code review, emitting structured JSON findings (category, CWE, severity, line, recommendation) for use in automated SAST pipelines.
This is the model that powers the Foil code-review engine. It is trained to read a function (plus light call-graph context and a short list of candidate security rules) and report real, exploitable vulnerabilities.
Base model & license. Derived from Qwen/Qwen2.5-Coder-32B-Instruct, licensed under Apache 2.0. This derivative is released under Apache 2.0; see NOTICE for attribution. No Qwen-restricted weights are included.
Intended use
- Automated security code review / SAST as part of a scanner that supplies per-function context and a candidate rule set.
- Languages: Python, JavaScript/TypeScript, Java, Go, Ruby, PHP, C#, and C/C++ (memory-safety classes).
Out of scope: standalone chat, non-security code tasks, dependency-CVE (SCA) analysis, and runtime/config issues that are not visible in source.
Vulnerability classes detected
Injection (SQL, command, code/eval), insecure deserialization (RCE), path traversal, SSRF, XXE, XSS, open redirect, broken access control, IDOR / broken object-level authorization (BOLA), broken authentication (incl. weak password-reset tokens), CSRF, sensitive-data exposure, and C/C++ memory-safety (buffer overflow, UAF, integer overflow).
Evaluation
Held-out test set (1,887 examples, served FP8 via vLLM):
| Metric | Value |
|---|---|
| Precision | 41.0% |
| Recall | 40.9% |
| F1 | 40.9% |
| False-positive rate (clean code) | 0.7% |
| JSON-schema compliance | 98.8% |
The very low false-positive rate (0.7%) is the headline characteristic — the model is calibrated to stay quiet on clean code rather than over-flag, which is what makes it usable in an automated pipeline. Recall (~41%) is per-function single-pass; scanner-level recall is higher because functions are reviewed with call-graph context and candidate rules.
Per-language recall (test set): C# 65%, Rust 53%, Ruby 52%, JS 45%, Python 44%, Java 43%, TypeScript 42%, Go 40%, C++ 39%, C 32%.
Qualitative check with the Foil scanner against DVNA (OWASP Top-10 reference app): the model identified the documented data-flow and access-control vulns — SQL/command/code injection, XXE (RCE), insecure deserialization (RCE), broken access control, IDOR/BOLA (with ownership-fix reasoning), the A2 MD5-of-login reset-token logic flaw, and unvalidated redirect.
Known limitations. Reflected XSS whose sink lives in a separate view template (.ejs/.hbs unescaped output) can be missed when only the handler is in context; supply template context for full coverage. The model is thorough and may surface advisory findings (rate-limiting, headers) beyond a strict vuln set; triage accordingly. Dependency-CVE (A9), runtime misconfiguration (A6), and logging (A10) are out of scope for source-only review.
Serving (vLLM, OpenAI-compatible)
This is a compressed-tensors FP8 checkpoint (FP8_DYNAMIC). vLLM auto-detects the quantization from the checkpoint, so no --quantization flag is needed:

```bash
vllm serve vitorallo/securereview-coder-32B-FP8 \
  --served-model-name securereview \
  --max-model-len 32768
```
The model emits a JSON object: `{"findings": [{"severity", "category", "line", "code", "description", "recommendation", "confidence", "cwe_id"}]}`. For best results with this fine-tune, do not force guided/constrained decoding: it was trained on a fixed JSON schema, and grammar-constrained decoding can degrade output (over-flagging / missed classes).
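The serving notes above describe the output contract (a `findings` list with eight fields) and the 98.8% schema-compliance figure, which means a pipeline has to validate what comes back rather than trust it. The following is an added example, not code from the model card or the Foil project: it builds a chat-completions request for the served model without any guided-decoding field, then parses and validates the returned object, rejecting malformed entries and gating on severity and confidence. The field names follow the card's schema; the prompt layout, the severity vocabulary, the CWE id format check and `SAMPLE_OUTPUT` are constructed assumptions.

```python
"""Consume securereview findings in a SAST pipeline (added example)."""
import json
import re

# Keys every finding must carry, as listed in the model card's output schema.
REQUIRED_KEYS = {"severity", "category", "line", "code", "description",
                 "recommendation", "confidence", "cwe_id"}
# Assumed severity vocabulary; the card does not enumerate the values.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
CWE_RE = re.compile(r"^CWE-\d+$")  # assumed id format, e.g. CWE-89


def build_review_request(function_source, call_graph_context, candidate_rules,
                         model="securereview"):
    """Build an OpenAI-compatible chat payload (prompt layout is an assumption).

    No response_format or guided-decoding field is set on purpose: the card
    advises against grammar-constrained decoding for this fine-tune.
    """
    prompt = (
        "Review the following function for exploitable security vulnerabilities.\n"
        "Candidate rules: " + ", ".join(candidate_rules) + "\n\n"
        "Call-graph context:\n" + call_graph_context + "\n\n"
        "Function:\n" + function_source
    )
    return {"model": model,
            "messages": [{"role": "user", "content": prompt}],
            "temperature": 0}


def parse_findings(raw_text):
    """Extract and validate the findings object from raw model text.

    Returns (findings, errors). Malformed JSON and schema violations go to
    errors instead of downstream; the ~1% non-compliant outputs must be handled.
    """
    start, end = raw_text.find("{"), raw_text.rfind("}")
    if start == -1 or end < start:
        return [], ["no JSON object found in model output"]
    try:
        obj = json.loads(raw_text[start:end + 1])
    except json.JSONDecodeError as exc:
        return [], [f"invalid JSON: {exc.msg}"]
    if not isinstance(obj, dict) or not isinstance(obj.get("findings"), list):
        return [], ["top-level object lacks a 'findings' list"]

    findings, errors = [], []
    for i, f in enumerate(obj["findings"]):
        if not isinstance(f, dict):
            errors.append(f"finding {i}: not an object")
            continue
        missing = REQUIRED_KEYS - f.keys()
        if missing:
            errors.append(f"finding {i}: missing {sorted(missing)}")
            continue
        sev = str(f["severity"]).lower()
        if sev not in SEVERITY_RANK:
            errors.append(f"finding {i}: unknown severity {f['severity']!r}")
            continue
        if not isinstance(f["line"], int) or f["line"] < 1:
            errors.append(f"finding {i}: line must be a positive integer")
            continue
        if not CWE_RE.match(str(f["cwe_id"])):
            errors.append(f"finding {i}: cwe_id {f['cwe_id']!r} is not CWE-<n>")
            continue
        findings.append({**f, "severity": sev})
    return findings, errors


def gate(findings, min_severity="medium", min_confidence=0.5):
    """Return the validated findings that should fail a pipeline stage."""
    return [f for f in findings
            if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[min_severity]
            and float(f["confidence"]) >= min_confidence]


# Constructed sample of model output (not a real response): surrounding prose,
# one valid finding, one missing keys, one with a malformed cwe_id.
SAMPLE_OUTPUT = """Here is the review:
{"findings": [
  {"severity": "high", "category": "sql_injection", "line": 12,
   "code": "cursor.execute('SELECT * FROM users WHERE id = ' + user_id)",
   "description": "user_id is concatenated into the query",
   "recommendation": "Use a parameterized query",
   "confidence": 0.92, "cwe_id": "CWE-89"},
  {"severity": "low", "category": "missing_rate_limit", "line": 3,
   "description": "no rate limiting on login", "confidence": 0.4},
  {"severity": "medium", "category": "open_redirect", "line": 20,
   "code": "redirect(request.args['next'])", "description": "unvalidated target",
   "recommendation": "Allow-list redirect targets",
   "confidence": 0.7, "cwe_id": "601"}
]}"""

if __name__ == "__main__":
    ok, errs = parse_findings(SAMPLE_OUTPUT)
    print(f"{len(ok)} valid finding(s); {len(errs)} rejected:", *errs, sep="\n  ")
    for f in gate(ok):
        print(f"FAIL {f['severity']} {f['cwe_id']} line {f['line']}: {f['description']}")
```

To use it against a running server, POST `build_review_request(...)` to `/v1/chat/completions` and pass `choices[0].message.content` to `parse_findings`; the rejected entries are worth logging, because a rising rejection rate is the first sign that prompt changes or a serving option (such as forced guided decoding) have shifted the model off its trained schema.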
Quantization recipe: FP8_DYNAMIC (per-channel static weight scales + per-token dynamic activation scales), lm_head kept in higher precision.
Citation / attribution
Built on Qwen2.5-Coder. Please cite the base model:
```bibtex
@article{hui2024qwen2coder,
  title={Qwen2.5-Coder Technical Report},
  author={Qwen Team},
  year={2024}
}
```
Model tree for vitorallo/securereview-coder-32B-FP8: base model Qwen/Qwen2.5-32B.