README.md · codelion/Qwen2.5-Coder-0.5B-Instruct-security-grpo-lora at main

Qwen2.5-Coder-0.5B-Instruct-security-grpo-lora / README.md

codelion

Add comprehensive model card with security evaluation results

d0bca62 verified 9 months ago

preview code

raw

history blame contribute delete

5.96 kB

	---
	base_model: Qwen/Qwen2.5-Coder-0.5B-Instruct
	tags:
	- ellora
	- lora
	- security
	- secure-code
	- vulnerability-prevention
	- grpo
	- preference-learning
	- semgrep
	- owasp
	- cwe
	- peft
	- code-generation
	- python
	library_name: peft
	license: apache-2.0
	language:
	- en
	- code
	pipeline_tag: text-generation
	inference: true
	model_type: qwen2
	datasets:
	- codelion/Qwen2.5-Coder-0.5B-Instruct-security-preference
	---

	# codelion/Qwen2.5-Coder-0.5B-Instruct-security-grpo-lora

	## 🔐 Security-First Code Generation LoRA

	This LoRA adapter enhances Qwen/Qwen2.5-Coder-0.5B-Instruct to generate secure code by default, trained using GRPO (Group Relative Policy Optimization) with automated security analysis via Semgrep.

	## 🎯 Key Features

	- Automated Security Analysis: Uses Semgrep for consistent vulnerability detection
	- Self-Supervised Training: No manually curated secure/insecure datasets required
	- Comprehensive Coverage: Addresses OWASP Top 10 and CWE Top 25 vulnerabilities
	- Language Focus: Specialized for Python security patterns
	- Preference Learning: GRPO training to prefer secure coding patterns

	## 📊 Performance Metrics

	- Base Model: Qwen/Qwen2.5-Coder-0.5B-Instruct
	- Training Method: GRPO with security-based preferences
	- LoRA Rank: 64
	- LoRA Alpha: 128
	- Training Samples: 195
	- Security Evaluation Pass Rate: 20.0%
	- Average Security Score: 0.40 (lower is better)

	### Vulnerability Prevention Results

	\| Vulnerability Type \| Score \| Status \|
	\|-------------------\|-------\|---------\|
	\| SQL Injection \| 0 \| ✅ \|
	\| Command Injection \| 0 \| ✅ \|
	\| Path Traversal \| 2 \| ✅ \|
	\| Weak Cryptography \| 0 \| ✅ \|
	\| Hardcoded Secrets \| 0 \| ✅ \|

	## 🔧 Usage

	```python
	from transformers import AutoModelForCausalLM, AutoTokenizer
	from peft import PeftModel

	# Load base model
	model = AutoModelForCausalLM.from_pretrained(
	"Qwen/Qwen2.5-Coder-0.5B-Instruct",
	torch_dtype="auto",
	device_map="auto"
	)
	tokenizer = AutoTokenizer.from_pretrained("Qwen/Qwen2.5-Coder-0.5B-Instruct")

	# Load security LoRA adapter
	model = PeftModel.from_pretrained(model, "codelion/Qwen2.5-Coder-0.5B-Instruct-security-grpo-lora")

	# Generate secure code
	prompt = '''Write a secure Python function: Create a user login function
	that checks username and password against a database'''

	inputs = tokenizer(prompt, return_tensors="pt")
	outputs = model.generate(**inputs, max_new_tokens=512, temperature=0.2)
	secure_code = tokenizer.decode(outputs[0], skip_special_tokens=True)
	print(secure_code)
	```

	## 📈 Expected Output

	The model generates code with security best practices:

	```python
	def login_user(username, password):
	"""Securely authenticate a user against the database."""
	import bcrypt
	import secrets
	from sqlalchemy import text

	# Validate inputs
	if not username or not password:
	return False, "Invalid credentials"

	# Use parameterized query to prevent SQL injection
	query = text("SELECT user_id, password_hash FROM users WHERE username = :username")
	result = db.execute(query, {"username": username}).fetchone()

	if not result:
	# Prevent timing attacks by still checking a dummy password
	bcrypt.checkpw(b"dummy", b"$2b$12$dummy.hash.to.prevent.timing")
	return False, "Invalid credentials"

	# Verify password using bcrypt
	if bcrypt.checkpw(password.encode('utf-8'), result.password_hash):
	# Generate secure session token
	session_token = secrets.token_urlsafe(32)
	return True, session_token

	return False, "Invalid credentials"
	```

	## 🛡️ Security Patterns Learned

	- SQL Injection Prevention: Parameterized queries, prepared statements
	- Password Security: Bcrypt/Argon2 hashing, no plaintext storage
	- Input Validation: Comprehensive validation and sanitization
	- Error Handling: Safe error messages without information disclosure
	- Secure Randomness: Using `secrets` module instead of `random`
	- Path Security: Proper path joining and validation
	- Command Injection Prevention: Avoiding shell=True, using subprocess safely

	## 🧪 Training Details

	### Data Generation
	- Method: Self-supervised with Magpie-style generation
	- Scenarios: 7 security categories
	- Analysis: Automated using Semgrep security rules
	- Preference Pairs: Based on security score differences

	### GRPO Training
	- Objective: Minimize security vulnerabilities while maintaining functionality
	- Reward Signal: Negative correlation with Semgrep security score
	- Batch Size: 1 with 8x gradient accumulation
	- Learning Rate: 3e-06
	- Epochs: 5

	## 📚 Evaluation

	The adapter was evaluated on comprehensive security test cases:

	- CWE Coverage: Top 25 most dangerous software weaknesses
	- OWASP Alignment: Addresses OWASP Top 10 vulnerabilities
	- Practical Scenarios: Real-world security challenges
	- Pattern Recognition: Identifies and applies secure coding patterns

	## 🔍 Limitations and Considerations

	1. Language Focus: Currently optimized for Python; other languages may need additional training
	2. Context Awareness: Best results with clear security-focused prompts
	3. Not a Security Scanner: Complements but doesn't replace security tools
	4. Continuous Updates: Security landscape evolves; periodic retraining recommended

	## 🔗 Related Resources

	- Dataset: [codelion/Qwen2.5-Coder-0.5B-Instruct-security-preference](https://huggingface.co/datasets/codelion/Qwen2.5-Coder-0.5B-Instruct-security-preference)
	- Base Model: [Qwen/Qwen2.5-Coder-0.5B-Instruct](https://huggingface.co/Qwen/Qwen2.5-Coder-0.5B-Instruct)
	- Ellora Project: [GitHub Repository](https://github.com/codelion/ellora)
	- Semgrep: [Security Analysis Tool](https://semgrep.dev/)

	---

	This adapter is part of the [Ellora project](https://github.com/codelion/ellora) - standardized recipes for enhancing LLM capabilities.