scthornton
/

starcoder2-15b-securecode

@@ -1,384 +1,207 @@
 ---
-license: apache-2.0
 base_model: bigcode/starcoder2-15b-instruct-v0.1
 tags:
-- code
-- security
-- starcoder
-- bigcode
-- securecode
-- owasp
-- vulnerability-detection
 datasets:
-- scthornton/securecode-v2
-language:
-- en
-library_name: transformers
 pipeline_tag: text-generation
-arxiv: 2512.18542
 ---
-# StarCoder2 15B - SecureCode Edition
 <div align="center">
-[![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
-[![Training Dataset](https://img.shields.io/badge/dataset-SecureCode%20v2.0-green.svg)](https://huggingface.co/datasets/scthornton/securecode-v2)
-[![Base Model](https://img.shields.io/badge/base-StarCoder2%2015B-orange.svg)](https://huggingface.co/bigcode/starcoder2-15b-instruct-v0.1)
-[![perfecXion.ai](https://img.shields.io/badge/by-perfecXion.ai-purple.svg)](https://perfecxion.ai)
-**The most powerful multi-language security model - 600+ programming languages**
-[📄 Paper](https://arxiv.org/abs/2512.18542) | [🤗 Model Card](https://huggingface.co/scthornton/starcoder2-15b-securecode) | [📊 Dataset](https://huggingface.co/datasets/scthornton/securecode-v2) | [💻 perfecXion.ai](https://perfecxion.ai)
 </div>
 ---
-## 🎯 What is This?
-This is **StarCoder2 15B Instruct** fine-tuned on the **SecureCode v2.0 dataset** - the most comprehensive multi-language code model available, trained on **4 trillion tokens** across **600+ programming languages**, now enhanced with production-grade security knowledge.
-StarCoder2 represents the cutting edge of open-source code generation, developed by BigCode (ServiceNow + Hugging Face). Combined with SecureCode training, this model delivers:
-✅ **Unprecedented language coverage** - Security awareness across 600+ languages
-✅ **State-of-the-art code generation** - Best open-source model performance
-✅ **Complex security reasoning** - 15B parameters for sophisticated vulnerability analysis
-✅ **Production-ready quality** - Trained on The Stack v2 with rigorous data curation
-**The Result:** The most powerful and versatile security-aware code model in the SecureCode collection.
-**Why StarCoder2 15B?** This model offers:
-- 🌍 **600+ languages** - From mainstream to niche (Solidity, Kotlin, Swift, Haskell, etc.)
-- 🏆 **SOTA performance** - Best open-source code model
-- 🧠 **Complex reasoning** - 15B parameters for sophisticated security analysis
-- 🔬 **Research-grade** - Built on The Stack v2 with extensive curation
-- 🌟 **Community-driven** - BigCode initiative backed by ServiceNow + HuggingFace
----
-## 🚨 The Problem This Solves
-**AI coding assistants produce vulnerable code in 45% of security-relevant scenarios** (Veracode 2025). For organizations using diverse tech stacks, this problem multiplies across dozens of languages and frameworks.
-**Multi-language security challenges:**
-- Solidity smart contracts: **$3+ billion** stolen in Web3 exploits (2021-2024)
-- Mobile apps (Kotlin/Swift): Frequent authentication bypass vulnerabilities
-- Legacy systems (COBOL/Fortran): Undocumented security flaws
-- Emerging languages (Rust/Zig): New security patterns needed
-StarCoder2 SecureCode Edition addresses security across the entire programming language spectrum.
----
-## 💡 Key Features
-### 🌍 Unmatched Language Coverage
-StarCoder2 15B trained on **600+ programming languages**:
-- **Mainstream:** Python, JavaScript, Java, C++, Go, Rust
-- **Web3:** Solidity, Vyper, Cairo, Move
-- **Mobile:** Kotlin, Swift, Dart
-- **Systems:** C, Rust, Zig, Assembly
-- **Functional:** Haskell, OCaml, Scala, Elixir
-- **Legacy:** COBOL, Fortran, Pascal
-- **And 580+ more...**
-Now enhanced with **1,209 security-focused examples** covering OWASP Top 10:2025.
-### 🏆 State-of-the-Art Performance
-StarCoder2 15B delivers cutting-edge results:
-- HumanEval: **72.6%** pass@1 (best open-source at release)
-- MultiPL-E: **52.3%** average across languages
-- Leading performance on long-context code tasks
-- Trained on The Stack v2 (4T tokens)
-### 🔐 Comprehensive Security Training
-Trained on real-world security incidents:
-- **224 examples** of Broken Access Control
-- **199 examples** of Authentication Failures
-- **125 examples** of Injection attacks
-- **115 examples** of Cryptographic Failures
-- Complete **OWASP Top 10:2025** coverage
-### 📋 Advanced Security Analysis
-Every response includes:
-1. **Multi-language vulnerability patterns**
-2. **Secure implementations** with language-specific best practices
-3. **Attack demonstrations** with realistic exploits
-4. **Cross-language security guidance** - patterns that apply across languages
----
-## 📊 Training Details
-| Parameter | Value |
-|-----------|-------|
-| **Base Model** | bigcode/starcoder2-15b-instruct-v0.1 |
-| **Fine-tuning Method** | LoRA (Low-Rank Adaptation) |
-| **Training Dataset** | [SecureCode v2.0](https://huggingface.co/datasets/scthornton/securecode-v2) |
-| **Dataset Size** | 841 training examples |
-| **Training Epochs** | 3 |
-| **LoRA Rank (r)** | 16 |
-| **LoRA Alpha** | 32 |
-| **Learning Rate** | 2e-4 |
-| **Quantization** | 4-bit (bitsandbytes) |
-| **Trainable Parameters** | ~78M (0.52% of 15B total) |
-| **Total Parameters** | 15B |
-| **Context Window** | 16K tokens |
-| **GPU Used** | NVIDIA A100 40GB |
-| **Training Time** | ~125 minutes (estimated) |
-### Training Methodology
-**LoRA fine-tuning** preserves StarCoder2's exceptional multi-language capabilities:
-- Trains only 0.52% of parameters
-- Maintains SOTA code generation quality
-- Adds cross-language security understanding
-- Efficient deployment for 15B model
-**4-bit quantization** enables deployment on 24GB+ GPUs while maintaining quality.
----
-## 🚀 Usage
-### Quick Start
 ```python
-from transformers import AutoModelForCausalLM, AutoTokenizer
 from peft import PeftModel
-# Load base model
-base_model = "bigcode/starcoder2-15b-instruct-v0.1"
-model = AutoModelForCausalLM.from_pretrained(
-    base_model,
-    device_map="auto",
-    torch_dtype="auto",
-    trust_remote_code=True
-)
-tokenizer = AutoTokenizer.from_pretrained(base_model, trust_remote_code=True)
-# Load SecureCode adapter
-model = PeftModel.from_pretrained(model, "scthornton/starcoder2-15b-securecode")
-# Generate secure Solidity smart contract
-prompt = """### User:
-Write a secure ERC-20 token contract with protection against reentrancy, integer overflow, and access control vulnerabilities.
-### Assistant:
-"""
-inputs = tokenizer(prompt, return_tensors="pt").to(model.device)
-outputs = model.generate(**inputs, max_new_tokens=2048, temperature=0.7)
-response = tokenizer.decode(outputs[0], skip_special_tokens=True)
-print(response)
-```
-### Multi-Language Security Analysis
-```python
-# Analyze Rust code for memory safety issues
-rust_prompt = """### User:
-Review this Rust web server code for security vulnerabilities:
-```rust
-use actix_web::{web, App, HttpResponse, HttpServer};
-async fn user_profile(user_id: web::Path<String>) -> HttpResponse {
-    let query = format!("SELECT * FROM users WHERE id = '{}'", user_id);
-    let result = execute_query(&query).await;
-    HttpResponse::Ok().json(result)
-}
-```
-### Assistant:
-"""
-# Analyze Kotlin Android code
-kotlin_prompt = """### User:
-Identify authentication vulnerabilities in this Kotlin Android app:
-```kotlin
-class LoginActivity : AppCompatActivity() {
-    fun login(username: String, password: String) {
-        val prefs = getSharedPreferences("auth", MODE_PRIVATE)
-        prefs.edit().putString("token", generateToken(username, password)).apply()
-    }
-}
-```
-### Assistant:
-"""
-```
-### Production Deployment (4-bit Quantization)
-```python
 from transformers import AutoModelForCausalLM, AutoTokenizer, BitsAndBytesConfig
-from peft import PeftModel
-# 4-bit quantization - runs on 24GB+ GPU
 bnb_config = BitsAndBytesConfig(
     load_in_4bit=True,
-    bnb_4bit_use_double_quant=True,
     bnb_4bit_quant_type="nf4",
-    bnb_4bit_compute_dtype="bfloat16"
 )
-model = AutoModelForCausalLM.from_pretrained(
     "bigcode/starcoder2-15b-instruct-v0.1",
     quantization_config=bnb_config,
     device_map="auto",
-    trust_remote_code=True
 )
-model = PeftModel.from_pretrained(model, "scthornton/starcoder2-15b-securecode")
-tokenizer = AutoTokenizer.from_pretrained("bigcode/starcoder2-15b-instruct-v0.1", trust_remote_code=True)
-```
----
-## 🎯 Use Cases
-### 1. **Web3/Blockchain Security**
-Analyze smart contracts across multiple chains:
-```
-Audit this Solidity DeFi protocol for reentrancy, flash loan attacks, and access control issues
-```
-### 2. **Multi-Language Codebase Security**
-Review polyglot applications:
-```
-Analyze this microservices app (Go backend, TypeScript frontend, Rust services) for security vulnerabilities
 ```
-### 3. **Mobile App Security**
-Secure iOS and Android apps:
-```
-Review this Swift iOS app for authentication bypass and data exposure vulnerabilities
-```
-### 4. **Legacy System Modernization**
-Secure legacy code:
-```
-Identify security flaws in this COBOL mainframe application and provide modernization guidance
-```
-### 5. **Emerging Language Security**
-Security for new languages:
-```
-Write a secure Zig HTTP server with memory safety and input validation
-```
----
-## ⚠️ Limitations
-### What This Model Does Well
-✅ Multi-language security analysis (600+ languages)
-✅ State-of-the-art code generation
-✅ Complex security reasoning
-✅ Cross-language pattern recognition
-### What This Model Doesn't Do
-❌ Not a smart contract auditing firm
-❌ Cannot guarantee bug-free code
-❌ Not legal/compliance advice
-❌ Not a replacement for security experts
-### Resource Requirements
-- **Larger model** - Requires 24GB+ GPU for optimal performance
-- **Higher memory** - 40GB+ RAM recommended
-- **Longer inference** - Slower than smaller models
----
-## 📈 Performance Benchmarks
-### Hardware Requirements
-**Minimum:**
-- 40GB RAM
-- 24GB GPU VRAM (with 4-bit quantization)
-**Recommended:**
-- 64GB RAM
-- 40GB+ GPU (A100, RTX 6000 Ada)
-**Inference Speed (on A100 40GB):**
-- ~60 tokens/second (4-bit quantization)
-- ~85 tokens/second (bfloat16)
-### Code Generation (Base Model Scores)
-| Benchmark | Score | Rank |
-|-----------|-------|------|
-| HumanEval | 72.6% | Best open-source |
-| MultiPL-E | 52.3% | Top 3 overall |
-| Long context | SOTA | #1 |
----
-## 🔬 Dataset Information
-Trained on **[SecureCode v2.0](https://huggingface.co/datasets/scthornton/securecode-v2)**:
-- **1,209 examples** with real CVE grounding
-- **100% incident validation**
-- **OWASP Top 10:2025** complete coverage
-- **Multi-language security patterns**
----
-## 📄 License
-**Model:** Apache 2.0 | **Dataset:** CC BY-NC-SA 4.0
-Powered by the **BigCode OpenRAIL-M** license commitment.
----
-## 📚 Citation
 ```bibtex
-@misc{thornton2025securecode-starcoder2,
-  title={StarCoder2 15B - SecureCode Edition},
   author={Thornton, Scott},
-  year={2025},
   publisher={perfecXion.ai},
-  url={https://huggingface.co/scthornton/starcoder2-15b-securecode}
 }
 ```
----
-## 🙏 Acknowledgments
-- **BigCode Project** (ServiceNow + Hugging Face) for StarCoder2
-- **The Stack v2** contributors for dataset curation
-- **OWASP Foundation** for vulnerability taxonomy
-- **Web3 security community** for blockchain vulnerability research
----
-## 🔗 Related Models
-- **[llama-3.2-3b-securecode](https://huggingface.co/scthornton/llama-3.2-3b-securecode)** - Most accessible (3B)
-- **[qwen-coder-7b-securecode](https://huggingface.co/scthornton/qwen-coder-7b-securecode)** - Best code model (7B)
-- **[deepseek-coder-6.7b-securecode](https://huggingface.co/scthornton/deepseek-coder-6.7b-securecode)** - Security-optimized (6.7B)
-- **[codellama-13b-securecode](https://huggingface.co/scthornton/codellama-13b-securecode)** - Enterprise trusted (13B)
-[View Collection](https://huggingface.co/collections/scthornton/securecode)
----
-<div align="center">
-**Built with ❤️ for secure multi-language software development**
-[perfecXion.ai](https://perfecxion.ai) | [Contact](mailto:scott@perfecxion.ai)
-</div>

 ---
+license: bigcode-openrail-m
 base_model: bigcode/starcoder2-15b-instruct-v0.1
 tags:
+  - security
+  - cybersecurity
+  - secure-coding
+  - ai-security
+  - owasp
+  - code-generation
+  - qlora
+  - lora
+  - fine-tuned
+  - securecode
 datasets:
+  - scthornton/securecode
+library_name: peft
 pipeline_tag: text-generation
+language:
+  - code
+  - en
 ---
+# StarCoder2 15B SecureCode
 <div align="center">
+![Parameters](https://img.shields.io/badge/params-15B-blue.svg)
+![Dataset](https://img.shields.io/badge/dataset-2,185_examples-green.svg)
+![OWASP](https://img.shields.io/badge/OWASP-Top_10_2021_+_LLM_Top_10_2025-orange.svg)
+![Method](https://img.shields.io/badge/method-QLoRA_4--bit-purple.svg)
+**Security-specialized code model fine-tuned on the [SecureCode](https://huggingface.co/datasets/scthornton/securecode) dataset**
+[Dataset](https://huggingface.co/datasets/scthornton/securecode) | [Paper (arXiv:2512.18542)](https://arxiv.org/abs/2512.18542) | [Model Collection](https://huggingface.co/collections/scthornton/securecode) | [perfecXion.ai](https://perfecxion.ai)
 </div>
 ---
+## What This Model Does
+This model generates **secure code** when developers ask about building features. Instead of producing vulnerable implementations (like 45% of AI-generated code does), it:
+- Identifies the security risks in common coding patterns
+- Provides vulnerable *and* secure implementations side by side
+- Explains how attackers would exploit the vulnerability
+- Includes defense-in-depth guidance: logging, monitoring, SIEM integration, infrastructure hardening
+The model was fine-tuned on **2,185 security training examples** covering both traditional web security (OWASP Top 10 2021) and AI/ML security (OWASP LLM Top 10 2025).
+## Model Details
+| | |
+|---|---|
+| **Base Model** | [StarCoder2 15B Instruct](https://huggingface.co/bigcode/starcoder2-15b-instruct-v0.1) |
+| **Parameters** | 15B |
+| **Architecture** | StarCoder2 |
+| **Tier** | Tier 3: Large Model |
+| **Method** | QLoRA (4-bit NormalFloat quantization) |
+| **LoRA Rank** | 16 (alpha=32) |
+| **Target Modules** | `q_proj, k_proj, v_proj, o_proj` (4 modules) |
+| **Training Data** | [scthornton/securecode](https://huggingface.co/datasets/scthornton/securecode) (2,185 examples) |
+| **Hardware** | NVIDIA A100 40GB |
+BigCode's flagship model trained on The Stack v2. Broad language coverage with strong code understanding.
+## Quick Start
 ```python
 from peft import PeftModel
 from transformers import AutoModelForCausalLM, AutoTokenizer, BitsAndBytesConfig
+import torch
+# Load with 4-bit quantization (matches training)
 bnb_config = BitsAndBytesConfig(
     load_in_4bit=True,
     bnb_4bit_quant_type="nf4",
+    bnb_4bit_compute_dtype=torch.bfloat16,
 )
+base_model = AutoModelForCausalLM.from_pretrained(
     "bigcode/starcoder2-15b-instruct-v0.1",
     quantization_config=bnb_config,
     device_map="auto",
 )
+tokenizer = AutoTokenizer.from_pretrained("scthornton/starcoder2-15b-securecode")
+model = PeftModel.from_pretrained(base_model, "scthornton/starcoder2-15b-securecode")
+# Ask a security-relevant coding question
+messages = [
+    {"role": "user", "content": "How do I implement JWT authentication with refresh tokens in Python?"}
+]
+inputs = tokenizer.apply_chat_template(messages, return_tensors="pt").to(model.device)
+outputs = model.generate(inputs, max_new_tokens=2048, temperature=0.7)
+print(tokenizer.decode(outputs[0], skip_special_tokens=True))
 ```
+## Training Details
+### Dataset
+Trained on the full **[SecureCode](https://huggingface.co/datasets/scthornton/securecode)** unified dataset:
+- **2,185 total examples** (1,435 web security + 750 AI/ML security)
+- **20 vulnerability categories** across OWASP Top 10 2021 and OWASP LLM Top 10 2025
+- **12+ programming languages** and **49+ frameworks**
+- **4-turn conversational structure**: feature request, vulnerable/secure implementations, advanced probing, operational guidance
+- **100% incident grounding**: every example tied to real CVEs, vendor advisories, or published attack research
+### Hyperparameters
+| Parameter | Value |
+|-----------|-------|
+| LoRA rank | 16 |
+| LoRA alpha | 32 |
+| LoRA dropout | 0.05 |
+| Target modules | 4 linear layers |
+| Quantization | 4-bit NormalFloat (NF4) |
+| Learning rate | 2e-4 |
+| LR scheduler | Cosine with 100-step warmup |
+| Epochs | 3 |
+| Per-device batch size | 1 |
+| Gradient accumulation | 16x |
+| Effective batch size | 16 |
+| Max sequence length | 4096 tokens |
+| Optimizer | paged_adamw_8bit |
+| Precision | bf16 |
+**Notes:** Compact LoRA targeting attention layers only (4 modules). Tight A100 40GB memory budget.
+## Security Coverage
+### Web Security (1,435 examples)
+OWASP Top 10 2021: Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable Components, Authentication Failures, Software Integrity Failures, Logging/Monitoring Failures, SSRF.
+Languages: Python, JavaScript, Java, Go, PHP, C#, TypeScript, Ruby, Rust, Kotlin, YAML.
+### AI/ML Security (750 examples)
+OWASP LLM Top 10 2025: Prompt Injection, Sensitive Information Disclosure, Supply Chain Vulnerabilities, Data/Model Poisoning, Improper Output Handling, Excessive Agency, System Prompt Leakage, Vector/Embedding Weaknesses, Misinformation, Unbounded Consumption.
+Frameworks: LangChain, OpenAI, Anthropic, HuggingFace, LlamaIndex, ChromaDB, Pinecone, FastAPI, Flask, vLLM, CrewAI, and 30+ more.
+## SecureCode Model Collection
+This model is part of the **SecureCode** collection of 8 security-specialized models:
+| Model | Base | Size | Tier | HuggingFace |
+|-------|------|------|------|-------------|
+| Llama 3.2 SecureCode | meta-llama/Llama-3.2-3B-Instruct | 3B | Accessible | [`llama-3.2-3b-securecode`](https://huggingface.co/scthornton/llama-3.2-3b-securecode) |
+| Qwen2.5 Coder SecureCode | Qwen/Qwen2.5-Coder-7B-Instruct | 7B | Mid-size | [`qwen2.5-coder-7b-securecode`](https://huggingface.co/scthornton/qwen2.5-coder-7b-securecode) |
+| DeepSeek Coder SecureCode | deepseek-ai/deepseek-coder-6.7b-instruct | 6.7B | Mid-size | [`deepseek-coder-6.7b-securecode`](https://huggingface.co/scthornton/deepseek-coder-6.7b-securecode) |
+| CodeGemma SecureCode | google/codegemma-7b-it | 7B | Mid-size | [`codegemma-7b-securecode`](https://huggingface.co/scthornton/codegemma-7b-securecode) |
+| CodeLlama SecureCode | codellama/CodeLlama-13b-Instruct-hf | 13B | Large | [`codellama-13b-securecode`](https://huggingface.co/scthornton/codellama-13b-securecode) |
+| Qwen2.5 Coder 14B SecureCode | Qwen/Qwen2.5-Coder-14B-Instruct | 14B | Large | [`qwen2.5-coder-14b-securecode`](https://huggingface.co/scthornton/qwen2.5-coder-14b-securecode) |
+| StarCoder2 SecureCode | bigcode/starcoder2-15b-instruct-v0.1 | 15B | Large | [`starcoder2-15b-securecode`](https://huggingface.co/scthornton/starcoder2-15b-securecode) |
+| Granite 20B Code SecureCode | ibm-granite/granite-20b-code-instruct-8k | 20B | XL | [`granite-20b-code-securecode`](https://huggingface.co/scthornton/granite-20b-code-securecode) |
+Choose based on your deployment constraints: **3B** for edge/mobile, **7B** for general use, **13B-15B** for deeper reasoning, **20B** for maximum capability.
+## SecureCode Dataset Family
+| Dataset | Examples | Focus | Link |
+|---------|----------|-------|------|
+| **SecureCode** | 2,185 | Unified (web + AI/ML) | [scthornton/securecode](https://huggingface.co/datasets/scthornton/securecode) |
+| SecureCode Web | 1,435 | Web security (OWASP Top 10 2021) | [scthornton/securecode-web](https://huggingface.co/datasets/scthornton/securecode-web) |
+| SecureCode AI/ML | 750 | AI/ML security (OWASP LLM Top 10 2025) | [scthornton/securecode-aiml](https://huggingface.co/datasets/scthornton/securecode-aiml) |
+## Intended Use
+**Use this model for:**
+- Training AI coding assistants to write secure code
+- Security education and training
+- Vulnerability research and secure code review
+- Building security-aware development tools
+**Do not use this model for:**
+- Offensive exploitation or automated attack generation
+- Circumventing security controls
+- Any activity that violates the base model's license
+## Citation
 ```bibtex
+@misc{thornton2026securecode,
+  title={SecureCode: A Production-Grade Multi-Turn Dataset for Training Security-Aware Code Generation Models},
   author={Thornton, Scott},
+  year={2026},
   publisher={perfecXion.ai},
+  url={https://huggingface.co/datasets/scthornton/securecode},
+  note={arXiv:2512.18542}
 }
 ```
+## Links
+- **Dataset**: [scthornton/securecode](https://huggingface.co/datasets/scthornton/securecode)
+- **Research Paper**: [arXiv:2512.18542](https://arxiv.org/abs/2512.18542)
+- **Model Collection**: [huggingface.co/collections/scthornton/securecode](https://huggingface.co/collections/scthornton/securecode)
+- **Author**: [perfecXion.ai](https://perfecxion.ai)
+## License
+This model is released under the **bigcode-openrail-m** license (inherited from the base model). The training dataset ([SecureCode](https://huggingface.co/datasets/scthornton/securecode)) is licensed under **CC BY-NC-SA 4.0**.