Instructions to use MushiSenpai/SovereignSec-Auditor-LoRA-Qwen2.5-Coder-7B with libraries, inference providers, notebooks, and local apps. Follow these links to get started.
- Libraries
- PEFT
How to use MushiSenpai/SovereignSec-Auditor-LoRA-Qwen2.5-Coder-7B with PEFT:
from peft import PeftModel from transformers import AutoModelForCausalLM base_model = AutoModelForCausalLM.from_pretrained("unsloth/qwen2.5-coder-7b-instruct-bnb-4bit") model = PeftModel.from_pretrained(base_model, "MushiSenpai/SovereignSec-Auditor-LoRA-Qwen2.5-Coder-7B") - Notebooks
- Google Colab
- Kaggle
SovereignSec-Auditor LoRA — Qwen2.5-Coder-7B
A 4-bit QLoRA adapter for structured, calibrated code-security audit output, trained locally on a single RTX 5090 on 879 real vulnerability→patch pairs mined from public CVE fix commits (Django / Flask / Werkzeug, via the GitHub Advisory Database, CC-BY-4.0).
Part of SovereignSec-AI — a fully local, air-gapped, agentic code-security auditor.
⚠️ Read this first — what this adapter does and does NOT do
This project was built measurement-first, and the honest result matters:
- It does NOT add detection capability. On a fair, post-cutoff (leak-resistant) eval, the
fine-tuned model's vulnerability-detection delta over the base
Qwen2.5-Coderwas ≈ 0.0. The base model already detects as well; the adapter does not make it "smarter." - What it DOES add: output discipline. It emits clean, terse, parseable, calibrated findings
(
FINDING: {"cwe": "...", "severity": "...", "confidence": ...}or{"no_finding": true}) instead of the base model's verbose, inconsistent JSON/prose. That consistency is what lets an agent loop and downstream parsers consume the output reliably. - Detection capability lives in the system, not the adapter. In our benchmarks the winning architecture is a hybrid: the LLM for breadth + a deterministic system (cross-file taint + SAST) for precision and proof — merged. See the field report.
We publish this for reproducibility and as an honest artifact — not as a "SOTA vuln detector." For numbers to trust, read the eval reports.
Usage
from peft import PeftModel
from transformers import AutoModelForCausalLM, AutoTokenizer
base = "Qwen/Qwen2.5-Coder-7B-Instruct"
tok = AutoTokenizer.from_pretrained(base)
model = AutoModelForCausalLM.from_pretrained(base, device_map="auto", load_in_4bit=True)
model = PeftModel.from_pretrained(model, "MushiSenpai/SovereignSec-Auditor-LoRA-Qwen2.5-Coder-7B")
msgs = [
{"role": "system", "content": "You are a security auditor. Trace taint and report findings as JSON, or say no finding when safe."},
{"role": "user", "content": "Audit:\n```python\nname = request.args.get('name')\nq = \"SELECT * FROM u WHERE n='%s'\" % name\ncur.execute(q)\n```"},
]
ids = tok.apply_chat_template(msgs, add_generation_prompt=True, return_tensors="pt").to(model.device)
print(tok.decode(model.generate(ids, max_new_tokens=80)[0][ids.shape[1]:], skip_special_tokens=True))
# -> FINDING: {"cwe": "CWE-89", "severity": "high", "confidence": 0.9}
Training
- Base:
Qwen/Qwen2.5-Coder-7B-Instruct(Apache-2.0) - Method: QLoRA (4-bit), rank 16, Unsloth + TRL — ~63 s for 120 steps, ~6 GiB peak VRAM on one RTX 5090
- Data: 890 conversational records from 879 real mined CVE vuln→patch pairs (taint-reasoning + calibration negatives)
- Final loss: 0.686
License & attribution
Adapter: Apache-2.0. Base model: Apache-2.0. Training data derived from the GitHub Advisory
Database / CVEfixes (CC-BY-4.0). A 32B variant (Qwen2.5-Coder-32B, loss 0.562) was also trained.
- Downloads last month
- 12