codelion/Qwen2.5-Coder-0.5B-Instruct-security-grpo-lora

🔐 Security-First Code Generation LoRA

This LoRA adapter enhances Qwen/Qwen2.5-Coder-0.5B-Instruct to generate secure code by default, trained using GRPO (Group Relative Policy Optimization) with automated security analysis via Semgrep.

🎯 Key Features

• Automated Security Analysis: Uses Semgrep for consistent vulnerability detection
• Self-Supervised Training: No manually curated secure/insecure datasets required
• Comprehensive Coverage: Addresses OWASP Top 10 and CWE Top 25 vulnerabilities
• Language Focus: Specialized for Python security patterns
• Preference Learning: GRPO training to prefer secure coding patterns

📊 Performance Metrics

• Base Model: Qwen/Qwen2.5-Coder-0.5B-Instruct
• Training Method: GRPO with security-based preferences
• LoRA Rank: 64
• LoRA Alpha: 128
• Training Samples: 195
• Security Evaluation Pass Rate: 20.0%
• Average Security Score: 0.40 (lower is better)

Vulnerability Prevention Results

Vulnerability Type	Score	Status
SQL Injection	0	✅
Command Injection	0	✅
Path Traversal	2	✅
Weak Cryptography	0	✅
Hardcoded Secrets	0	✅

🔧 Usage

from transformers import AutoModelForCausalLM, AutoTokenizer
from peft import PeftModel

# Load base model
model = AutoModelForCausalLM.from_pretrained(
    "Qwen/Qwen2.5-Coder-0.5B-Instruct",
    torch_dtype="auto",
    device_map="auto"
)
tokenizer = AutoTokenizer.from_pretrained("Qwen/Qwen2.5-Coder-0.5B-Instruct")

# Load security LoRA adapter
model = PeftModel.from_pretrained(model, "codelion/Qwen2.5-Coder-0.5B-Instruct-security-grpo-lora")

# Generate secure code
prompt = '''Write a secure Python function: Create a user login function
that checks username and password against a database'''

inputs = tokenizer(prompt, return_tensors="pt")
outputs = model.generate(**inputs, max_new_tokens=512, temperature=0.2)
secure_code = tokenizer.decode(outputs[0], skip_special_tokens=True)
print(secure_code)

📈 Expected Output

The model generates code with security best practices:

def login_user(username, password):
    """Securely authenticate a user against the database."""
    import bcrypt
    import secrets
    from sqlalchemy import text

    # Validate inputs
    if not username or not password:
        return False, "Invalid credentials"

    # Use parameterized query to prevent SQL injection
    query = text("SELECT user_id, password_hash FROM users WHERE username = :username")
    result = db.execute(query, {"username": username}).fetchone()

    if not result:
        # Prevent timing attacks by still checking a dummy password
        bcrypt.checkpw(b"dummy", b"$2b$12$dummy.hash.to.prevent.timing")
        return False, "Invalid credentials"

    # Verify password using bcrypt
    if bcrypt.checkpw(password.encode('utf-8'), result.password_hash):
        # Generate secure session token
        session_token = secrets.token_urlsafe(32)
        return True, session_token

    return False, "Invalid credentials"

🛡️ Security Patterns Learned

• SQL Injection Prevention: Parameterized queries, prepared statements
• Password Security: Bcrypt/Argon2 hashing, no plaintext storage
• Input Validation: Comprehensive validation and sanitization
• Error Handling: Safe error messages without information disclosure
• Secure Randomness: Using secrets module instead of random
• Path Security: Proper path joining and validation
• Command Injection Prevention: Avoiding shell=True, using subprocess safely

🧪 Training Details

Data Generation

• Method: Self-supervised with Magpie-style generation
• Scenarios: 7 security categories
• Analysis: Automated using Semgrep security rules
• Preference Pairs: Based on security score differences

GRPO Training

• Objective: Minimize security vulnerabilities while maintaining functionality
• Reward Signal: Negative correlation with Semgrep security score
• Batch Size: 1 with 8x gradient accumulation
• Learning Rate: 3e-06
• Epochs: 5

📚 Evaluation

The adapter was evaluated on comprehensive security test cases:

• CWE Coverage: Top 25 most dangerous software weaknesses
• OWASP Alignment: Addresses OWASP Top 10 vulnerabilities
• Practical Scenarios: Real-world security challenges
• Pattern Recognition: Identifies and applies secure coding patterns

🔍 Limitations and Considerations

1. Language Focus: Currently optimized for Python; other languages may need additional training
2. Context Awareness: Best results with clear security-focused prompts
3. Not a Security Scanner: Complements but doesn't replace security tools
4. Continuous Updates: Security landscape evolves; periodic retraining recommended

🔗 Related Resources

• Dataset: codelion/Qwen2.5-Coder-0.5B-Instruct-security-preference
• Base Model: Qwen/Qwen2.5-Coder-0.5B-Instruct
• Ellora Project: GitHub Repository
• Semgrep: Security Analysis Tool

---

This adapter is part of the Ellora project - standardized recipes for enhancing LLM capabilities.