SovereignSec-Auditor LoRA — Qwen2.5-Coder-32B

A 4-bit QLoRA adapter for structured, calibrated code-security audit output, trained locally on a single RTX 5090 on 879 real vulnerability→patch pairs mined from public CVE fix commits (Django / Flask / Werkzeug, via the GitHub Advisory Database, CC-BY-4.0). This is the 32B sibling of the 7B adapter.

Part of SovereignSec-AI — a fully local, air-gapped, agentic code-security auditor.

⚠️ Read this first — what this adapter does and does NOT do

This project was built measurement-first, and the honest result matters:

  • It does NOT add detection capability. On a fair, post-cutoff (leak-resistant) eval, the fine-tuned model's vulnerability-detection delta over the base Qwen2.5-Coder was ≈ 0.0. The base model already detects as well; the adapter does not make it "smarter."
  • What it DOES add: output discipline. It emits clean, terse, parseable, calibrated findings (FINDING: {"cwe": "...", "severity": "...", "confidence": ...} or {"no_finding": true}) instead of the base model's verbose, inconsistent JSON/prose. That consistency is what lets an agent loop and downstream parsers consume the output reliably.
  • Detection capability lives in the system, not the adapter. In our benchmarks the winning architecture is a hybrid: the LLM for breadth + a deterministic system (cross-file taint + SAST) for precision and proof — merged. See the field report.

We publish this for reproducibility and as an honest artifact — not as a "SOTA vuln detector." For numbers to trust, read the eval reports.

Usage

from peft import PeftModel
from transformers import AutoModelForCausalLM, AutoTokenizer

base = "Qwen/Qwen2.5-Coder-32B-Instruct"
tok = AutoTokenizer.from_pretrained(base)
model = AutoModelForCausalLM.from_pretrained(base, device_map="auto", load_in_4bit=True)
model = PeftModel.from_pretrained(model, "MushiSenpai/SovereignSec-Auditor-LoRA-Qwen2.5-Coder-32B")

msgs = [
    {"role": "system", "content": "You are a security auditor. Trace taint and report findings as JSON, or say no finding when safe."},
    {"role": "user", "content": "Audit:\n```python\nname = request.args.get('name')\nq = \"SELECT * FROM u WHERE n='%s'\" % name\ncur.execute(q)\n```"},
]
ids = tok.apply_chat_template(msgs, add_generation_prompt=True, return_tensors="pt").to(model.device)
print(tok.decode(model.generate(ids, max_new_tokens=80)[0][ids.shape[1]:], skip_special_tokens=True))
# -> FINDING: {"cwe": "CWE-89", "severity": "high", "confidence": 0.9}

Training

  • Base: Qwen/Qwen2.5-Coder-32B-Instruct (Apache-2.0)
  • Method: QLoRA (4-bit), rank 16, Unsloth + TRL — 120 steps, ~19.94 GiB peak VRAM on one RTX 5090 (fits in 32 GB with headroom)
  • Data: 890 conversational records from 879 real mined CVE vuln→patch pairs (taint-reasoning + calibration negatives)
  • Final loss: 0.562 (vs 0.686 for the 7B — lower train loss; detection delta over base remains ≈ 0.0, consistent with the 7B finding)

License & attribution

Adapter: Apache-2.0. Base model: Apache-2.0. Training data derived from the GitHub Advisory Database / CVEfixes (CC-BY-4.0). A 7B variant (Qwen2.5-Coder-7B, loss 0.686) was also trained — see the 7B card.

Downloads last month
9
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support

Model tree for MushiSenpai/SovereignSec-Auditor-LoRA-Qwen2.5-Coder-32B

Base model

Qwen/Qwen2.5-32B
Adapter
(71)
this model