Hugging Face's logo

scthornton
/
codegemma-7b-securecode

Text Generation
PEFT
Safetensors
code
English
security
cybersecurity
secure-coding
ai-security
owasp
code-generation
qlora
lora
fine-tuned
securecode
conversational
Model card Files
xet
Community
2
codegemma-7b-securecode
File size: 9,028 Bytes 
953ffa0
23afc6c
953ffa0
 
9714372
 
 
 
 
 
 
 
 
 
 
 
 
953ffa0
9714372
 
 
953ffa0
 
9714372
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
77a7c21
9714372
77a7c21
9714372
77a7c21
9714372
6f99acd
9714372
6f99acd
9714372
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
6f99acd
9714372
6f99acd
9714372
6f99acd
9714372
 
 
 
 
 
 
6f99acd
9714372
 
 
 
 
6f99acd
9714372
 
 
 
6f99acd
9714372
6f99acd
9714372
 
 
 
 
 
 
 
 
 
6f99acd
9714372
6f99acd
9714372
 
 
 
6f99acd
9714372
6f99acd
9714372
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
 
---
license: gemma
base_model: google/codegemma-7b-it
tags:
  - security
  - cybersecurity
  - secure-coding
  - ai-security
  - owasp
  - code-generation
  - qlora
  - lora
  - fine-tuned
  - securecode
datasets:
  - scthornton/securecode
library_name: peft
pipeline_tag: text-generation
language:
  - code
  - en
---

# CodeGemma 7B SecureCode

<div align="center">

![Parameters](https://img.shields.io/badge/params-7B-blue.svg)
![Dataset](https://img.shields.io/badge/dataset-2,185_examples-green.svg)
![OWASP](https://img.shields.io/badge/OWASP-Top_10_2021_+_LLM_Top_10_2025-orange.svg)
![Method](https://img.shields.io/badge/method-QLoRA_4--bit-purple.svg)

**Security-specialized code model fine-tuned on the [SecureCode](https://huggingface.co/datasets/scthornton/securecode) dataset**

[Dataset](https://huggingface.co/datasets/scthornton/securecode) | [Paper (arXiv:2512.18542)](https://arxiv.org/abs/2512.18542) | [Model Collection](https://huggingface.co/collections/scthornton/securecode) | [perfecXion.ai](https://perfecxion.ai)

</div>

---

## What This Model Does

This model generates **secure code** when developers ask about building features. Instead of producing vulnerable implementations (like 45% of AI-generated code does), it:

- Identifies the security risks in common coding patterns
- Provides vulnerable *and* secure implementations side by side
- Explains how attackers would exploit the vulnerability
- Includes defense-in-depth guidance: logging, monitoring, SIEM integration, infrastructure hardening

The model was fine-tuned on **2,185 security training examples** covering both traditional web security (OWASP Top 10 2021) and AI/ML security (OWASP LLM Top 10 2025).

## Model Details

| | |
|---|---|
| **Base Model** | [CodeGemma 7B IT](https://huggingface.co/google/codegemma-7b-it) |
| **Parameters** | 7B |
| **Architecture** | Gemma |
| **Tier** | Tier 2: Mid-size Code Specialist |
| **Method** | QLoRA (4-bit NormalFloat quantization) |
| **LoRA Rank** | 16 (alpha=32) |
| **Target Modules** | `q_proj, k_proj, v_proj, o_proj, gate_proj, up_proj, down_proj` (7 modules) |
| **Training Data** | [scthornton/securecode](https://huggingface.co/datasets/scthornton/securecode) (2,185 examples) |
| **Hardware** | NVIDIA A100 40GB |

Google's code-specialized Gemma variant. Strong instruction following with efficient architecture.

## Quick Start

```python
from peft import PeftModel
from transformers import AutoModelForCausalLM, AutoTokenizer, BitsAndBytesConfig
import torch

# Load with 4-bit quantization (matches training)
bnb_config = BitsAndBytesConfig(
    load_in_4bit=True,
    bnb_4bit_quant_type="nf4",
    bnb_4bit_compute_dtype=torch.bfloat16,
)

base_model = AutoModelForCausalLM.from_pretrained(
    "google/codegemma-7b-it",
    quantization_config=bnb_config,
    device_map="auto",
)
tokenizer = AutoTokenizer.from_pretrained("scthornton/codegemma-7b-securecode")
model = PeftModel.from_pretrained(base_model, "scthornton/codegemma-7b-securecode")

# Ask a security-relevant coding question
messages = [
    {"role": "user", "content": "How do I implement JWT authentication with refresh tokens in Python?"}
]

inputs = tokenizer.apply_chat_template(messages, return_tensors="pt").to(model.device)
outputs = model.generate(inputs, max_new_tokens=2048, temperature=0.7)
print(tokenizer.decode(outputs[0], skip_special_tokens=True))
```

## Training Details

### Dataset

Trained on the full **[SecureCode](https://huggingface.co/datasets/scthornton/securecode)** unified dataset:

- **2,185 total examples** (1,435 web security + 750 AI/ML security)
- **20 vulnerability categories** across OWASP Top 10 2021 and OWASP LLM Top 10 2025
- **12+ programming languages** and **49+ frameworks**
- **4-turn conversational structure**: feature request, vulnerable/secure implementations, advanced probing, operational guidance
- **100% incident grounding**: every example tied to real CVEs, vendor advisories, or published attack research

### Hyperparameters

| Parameter | Value |
|-----------|-------|
| LoRA rank | 16 |
| LoRA alpha | 32 |
| LoRA dropout | 0.05 |
| Target modules | 7 linear layers |
| Quantization | 4-bit NormalFloat (NF4) |
| Learning rate | 2e-4 |
| LR scheduler | Cosine with 100-step warmup |
| Epochs | 3 |
| Per-device batch size | 2 |
| Gradient accumulation | 8x |
| Effective batch size | 16 |
| Max sequence length | 4096 tokens |
| Optimizer | paged_adamw_8bit |
| Precision | bf16 |

**Notes:** Requires `trust_remote_code=True`. Extended 4096-token context for full security conversations.

## Security Coverage

### Web Security (1,435 examples)

OWASP Top 10 2021: Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable Components, Authentication Failures, Software Integrity Failures, Logging/Monitoring Failures, SSRF.

Languages: Python, JavaScript, Java, Go, PHP, C#, TypeScript, Ruby, Rust, Kotlin, YAML.

### AI/ML Security (750 examples)

OWASP LLM Top 10 2025: Prompt Injection, Sensitive Information Disclosure, Supply Chain Vulnerabilities, Data/Model Poisoning, Improper Output Handling, Excessive Agency, System Prompt Leakage, Vector/Embedding Weaknesses, Misinformation, Unbounded Consumption.

Frameworks: LangChain, OpenAI, Anthropic, HuggingFace, LlamaIndex, ChromaDB, Pinecone, FastAPI, Flask, vLLM, CrewAI, and 30+ more.

## SecureCode Model Collection

This model is part of the **SecureCode** collection of 8 security-specialized models:

| Model | Base | Size | Tier | HuggingFace |
|-------|------|------|------|-------------|
| Llama 3.2 SecureCode | meta-llama/Llama-3.2-3B-Instruct | 3B | Accessible | [`llama-3.2-3b-securecode`](https://huggingface.co/scthornton/llama-3.2-3b-securecode) |
| Qwen2.5 Coder SecureCode | Qwen/Qwen2.5-Coder-7B-Instruct | 7B | Mid-size | [`qwen2.5-coder-7b-securecode`](https://huggingface.co/scthornton/qwen2.5-coder-7b-securecode) |
| DeepSeek Coder SecureCode | deepseek-ai/deepseek-coder-6.7b-instruct | 6.7B | Mid-size | [`deepseek-coder-6.7b-securecode`](https://huggingface.co/scthornton/deepseek-coder-6.7b-securecode) |
| CodeGemma SecureCode | google/codegemma-7b-it | 7B | Mid-size | [`codegemma-7b-securecode`](https://huggingface.co/scthornton/codegemma-7b-securecode) |
| CodeLlama SecureCode | codellama/CodeLlama-13b-Instruct-hf | 13B | Large | [`codellama-13b-securecode`](https://huggingface.co/scthornton/codellama-13b-securecode) |
| Qwen2.5 Coder 14B SecureCode | Qwen/Qwen2.5-Coder-14B-Instruct | 14B | Large | [`qwen2.5-coder-14b-securecode`](https://huggingface.co/scthornton/qwen2.5-coder-14b-securecode) |
| StarCoder2 SecureCode | bigcode/starcoder2-15b-instruct-v0.1 | 15B | Large | [`starcoder2-15b-securecode`](https://huggingface.co/scthornton/starcoder2-15b-securecode) |
| Granite 20B Code SecureCode | ibm-granite/granite-20b-code-instruct-8k | 20B | XL | [`granite-20b-code-securecode`](https://huggingface.co/scthornton/granite-20b-code-securecode) |

Choose based on your deployment constraints: **3B** for edge/mobile, **7B** for general use, **13B-15B** for deeper reasoning, **20B** for maximum capability.

## SecureCode Dataset Family

| Dataset | Examples | Focus | Link |
|---------|----------|-------|------|
| **SecureCode** | 2,185 | Unified (web + AI/ML) | [scthornton/securecode](https://huggingface.co/datasets/scthornton/securecode) |
| SecureCode Web | 1,435 | Web security (OWASP Top 10 2021) | [scthornton/securecode-web](https://huggingface.co/datasets/scthornton/securecode-web) |
| SecureCode AI/ML | 750 | AI/ML security (OWASP LLM Top 10 2025) | [scthornton/securecode-aiml](https://huggingface.co/datasets/scthornton/securecode-aiml) |

## Intended Use

**Use this model for:**
- Training AI coding assistants to write secure code
- Security education and training
- Vulnerability research and secure code review
- Building security-aware development tools

**Do not use this model for:**
- Offensive exploitation or automated attack generation
- Circumventing security controls
- Any activity that violates the base model's license

## Citation

```bibtex
@misc{thornton2026securecode,
  title={SecureCode: A Production-Grade Multi-Turn Dataset for Training Security-Aware Code Generation Models},
  author={Thornton, Scott},
  year={2026},
  publisher={perfecXion.ai},
  url={https://huggingface.co/datasets/scthornton/securecode},
  note={arXiv:2512.18542}
}
```

## Links

- **Dataset**: [scthornton/securecode](https://huggingface.co/datasets/scthornton/securecode)
- **Research Paper**: [arXiv:2512.18542](https://arxiv.org/abs/2512.18542)
- **Model Collection**: [huggingface.co/collections/scthornton/securecode](https://huggingface.co/collections/scthornton/securecode)
- **Author**: [perfecXion.ai](https://perfecxion.ai)

## License

This model is released under the **gemma** license (inherited from the base model). The training dataset ([SecureCode](https://huggingface.co/datasets/scthornton/securecode)) is licensed under **CC BY-NC-SA 4.0**.