Text Generation
Transformers
Safetensors
English
qwen2
security
code-review
sast
vulnerability-detection
qwen2.5-coder
fp8
conversational
text-generation-inference
compressed-tensors
Instructions to use vitorallo/securereview-coder-32B-FP8 with libraries, inference providers, notebooks, and local apps. Follow these links to get started.
- Libraries
- Transformers
How to use vitorallo/securereview-coder-32B-FP8 with Transformers:
# Use a pipeline as a high-level helper from transformers import pipeline pipe = pipeline("text-generation", model="vitorallo/securereview-coder-32B-FP8") messages = [ {"role": "user", "content": "Who are you?"}, ] pipe(messages)# Load model directly from transformers import AutoTokenizer, AutoModelForCausalLM tokenizer = AutoTokenizer.from_pretrained("vitorallo/securereview-coder-32B-FP8") model = AutoModelForCausalLM.from_pretrained("vitorallo/securereview-coder-32B-FP8") messages = [ {"role": "user", "content": "Who are you?"}, ] inputs = tokenizer.apply_chat_template( messages, add_generation_prompt=True, tokenize=True, return_dict=True, return_tensors="pt", ).to(model.device) outputs = model.generate(**inputs, max_new_tokens=40) print(tokenizer.decode(outputs[0][inputs["input_ids"].shape[-1]:])) - Notebooks
- Google Colab
- Kaggle
- Local Apps Settings
- vLLM
How to use vitorallo/securereview-coder-32B-FP8 with vLLM:
Install from pip and serve model
# Install vLLM from pip: pip install vllm # Start the vLLM server: vllm serve "vitorallo/securereview-coder-32B-FP8" # Call the server using curl (OpenAI-compatible API): curl -X POST "http://localhost:8000/v1/chat/completions" \ -H "Content-Type: application/json" \ --data '{ "model": "vitorallo/securereview-coder-32B-FP8", "messages": [ { "role": "user", "content": "What is the capital of France?" } ] }'Use Docker
docker model run hf.co/vitorallo/securereview-coder-32B-FP8
- SGLang
How to use vitorallo/securereview-coder-32B-FP8 with SGLang:
Install from pip and serve model
# Install SGLang from pip: pip install sglang # Start the SGLang server: python3 -m sglang.launch_server \ --model-path "vitorallo/securereview-coder-32B-FP8" \ --host 0.0.0.0 \ --port 30000 # Call the server using curl (OpenAI-compatible API): curl -X POST "http://localhost:30000/v1/chat/completions" \ -H "Content-Type: application/json" \ --data '{ "model": "vitorallo/securereview-coder-32B-FP8", "messages": [ { "role": "user", "content": "What is the capital of France?" } ] }'Use Docker images
docker run --gpus all \ --shm-size 32g \ -p 30000:30000 \ -v ~/.cache/huggingface:/root/.cache/huggingface \ --env "HF_TOKEN=<secret>" \ --ipc=host \ lmsysorg/sglang:latest \ python3 -m sglang.launch_server \ --model-path "vitorallo/securereview-coder-32B-FP8" \ --host 0.0.0.0 \ --port 30000 # Call the server using curl (OpenAI-compatible API): curl -X POST "http://localhost:30000/v1/chat/completions" \ -H "Content-Type: application/json" \ --data '{ "model": "vitorallo/securereview-coder-32B-FP8", "messages": [ { "role": "user", "content": "What is the capital of France?" } ] }' - Docker Model Runner
How to use vitorallo/securereview-coder-32B-FP8 with Docker Model Runner:
docker model run hf.co/vitorallo/securereview-coder-32B-FP8
| license: apache-2.0 | |
| base_model: Qwen/Qwen2.5-Coder-32B-Instruct | |
| tags: | |
| - security | |
| - code-review | |
| - sast | |
| - vulnerability-detection | |
| - qwen2.5-coder | |
| - fp8 | |
| language: | |
| - en | |
| pipeline_tag: text-generation | |
| library_name: transformers | |
| # securereview-coder-32B (FP8) | |
| A security-focused fine-tune of **Qwen2.5-Coder-32B-Instruct**, quantized to **FP8** for | |
| efficient, near-lossless inference. It performs **function-level security code review**, | |
| emitting structured JSON findings (category, CWE, severity, line, recommendation) for use | |
| in automated SAST pipelines. | |
| This is the model that powers the **Foil** code-review engine. It is trained to read a | |
| function (plus light call-graph context and a short list of candidate security rules) and | |
| report real, exploitable vulnerabilities. | |
| > **Base model & license.** Derived from | |
| > [`Qwen/Qwen2.5-Coder-32B-Instruct`](https://huggingface.co/Qwen/Qwen2.5-Coder-32B-Instruct), | |
| > licensed under **Apache 2.0**. This derivative is released under Apache 2.0; see `NOTICE` | |
| > for attribution. No Qwen-restricted weights are included. | |
| ## Intended use | |
| - Automated security code review / SAST as part of a scanner that supplies per-function | |
| context and a candidate rule set. | |
| - Languages: Python, JavaScript/TypeScript, Java, Go, Ruby, PHP, C#, and C/C++ | |
| (memory-safety classes). | |
| **Out of scope:** standalone chat, non-security code tasks, dependency-CVE (SCA) analysis, | |
| and runtime/config issues that are not visible in source. | |
| ## Vulnerability classes detected | |
| Injection (SQL, command, code/`eval`), insecure deserialization (RCE), path traversal, | |
| SSRF, XXE, XSS, open redirect, broken access control, IDOR / broken object-level | |
| authorization (BOLA), broken authentication (incl. weak password-reset tokens), CSRF, | |
| sensitive-data exposure, and C/C++ memory-safety (buffer overflow, UAF, integer overflow). | |
| ## Evaluation | |
| Held-out test set (1,887 examples, served FP8 via vLLM): | |
| | Metric | Value | | |
| |---|---:| | |
| | Precision | 41.0% | | |
| | Recall | 40.9% | | |
| | F1 | 40.9% | | |
| | False-positive rate (clean code) | **0.7%** | | |
| | JSON-schema compliance | 98.8% | | |
| The **very low false-positive rate (0.7%)** is the headline characteristic β the model is | |
| calibrated to stay quiet on clean code rather than over-flag, which is what makes it usable | |
| in an automated pipeline. Recall (~41%) is per-function single-pass; scanner-level recall is | |
| higher because functions are reviewed with call-graph context and candidate rules. | |
| Per-language recall (test set): C# 65%, Rust 53%, Ruby 52%, JS 45%, Python 44%, Java 43%, | |
| TypeScript 42%, Go 40%, C++ 39%, C 32%. | |
| Qualitative check with the Foil scanner against **DVNA** (OWASP Top-10 reference app): the | |
| model identified the documented data-flow and access-control vulns β SQL/command/code | |
| injection, XXE (RCE), insecure deserialization (RCE), broken access control, IDOR/BOLA | |
| (with ownership-fix reasoning), the A2 MD5-of-login reset-token logic flaw, and unvalidated | |
| redirect. | |
| **Known limitations.** Reflected XSS whose sink lives in a separate view template | |
| (`.ejs`/`.hbs` unescaped output) can be missed when only the handler is in context β supply | |
| template context for full coverage. The model is thorough and may surface advisory findings | |
| (rate-limiting, headers) beyond a strict vuln set; triage accordingly. Dependency-CVE (A9), | |
| runtime misconfiguration (A6), and logging (A10) are out of scope for source-only review. | |
| ## Serving (vLLM, OpenAI-compatible) | |
| This is a **compressed-tensors FP8** checkpoint (`FP8_DYNAMIC`) β vLLM auto-detects the | |
| quantization from the checkpoint, so **no `--quantization` flag is needed**: | |
| ```bash | |
| vllm serve vitorallo/securereview-coder-32B-FP8 \ | |
| --served-model-name securereview \ | |
| --max-model-len 32768 | |
| ``` | |
| The model emits a JSON object: `{"findings": [{"severity", "category", "line", "code", | |
| "description", "recommendation", "confidence", "cwe_id"}]}`. For best results with this | |
| fine-tune, **do not** force guided/constrained decoding β it was trained on a fixed JSON | |
| schema and grammar-constrained decoding can degrade output (over-flagging / missed classes). | |
| Quantization recipe: `FP8_DYNAMIC` (per-channel static weight scales + per-token dynamic | |
| activation scales), `lm_head` kept in higher precision. | |
| ## Citation / attribution | |
| Built on Qwen2.5-Coder. Please cite the base model: | |
| ``` | |
| @article{hui2024qwen2coder, title={Qwen2.5-Coder Technical Report}, author={Qwen Team}, year={2024}} | |
| ``` | |